Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Facebook Draws Ire of Privacy and Freedom of Choice Advocates

Facebook is being criticized for surrendering the private messages of a teenager and her mother who were planning to use (and did use) a pharmaceutical product to terminate a pregnancy. The teenager, her mother and a man who assisted with disposal of the fetus have been charged with a number of offences, following investigations by police in Madison County, Nebraska, who had obtained a warrant requiring disclosure of the contents of an electronic communication.

Police subsequently seized the girl's phone and computer and retrieved the body of the fetus, which had been stillborn. The circumstances of the case are not as clear-cut as pro-choice advocates might like - the abortion was performed at 28 weeks gestation, which could be a crime prior to the contentious recent changes brought about by the US Supreme Court - but it does illustrate the way in which more recent cases will be prosecuted, with the cooperation of tech service providers.

The problem here is not Facebook; no US-based company, or company that operates in the US, be it a social media company, an email service provider, a messaging company or a telco, has the power to resist a warrant or court order issued by a US court. Those who seek privacy protections are going to have to use international service providers and also make use of encryption.

Koebler, Jason and Anna Merlan, This Is the Data Facebook Gave Police to Prosecute a Teenager for Abortion, Vice Motherboard, 9 August 2022. Available online at https://www.vice.com/amp/en/article/n7zevd/this-is-the-data-facebook-gave-police-to-prosecute-a-teenager-for-abortion.

Snort Rule Snafu Snookers Office 365

A Snort rule update pushed to Cisco Meraki firewalls accidentally blocked access to Microsoft Office 365. The Snort rule, 1-60381, is commented, "Microsoft Windows IIS denial-of-service attempt" and blocked a number of IP addresses belonging to Microsoft. Disabling the rule restored access, and Cisco has now pushed out an update.

What can we say, but: measure twice and cut once.

GiacomoS, [RESOLVED] Microsoft vulnerability and IPS/SNORT, Meraki Community forum, 11 August 2022. Available online at https://community.meraki.com/t5/Meraki-Service-Notices/RESOLVED-Microsoft-vulnerability-and-IPS-SNORT/ba-p/156649.

Microsoft 365 Status, We're working with our firewall partners to investigate snort rule 1-60381, Twitter thread, 11 August 2022. Available online at https://twitter.com/MSFT365Status/status/1557435310874587136.

SIM Box Used to Blast Smishes

The Australian Federal Police arrested two men who had allegedly used a SIM box to send out hundreds of thousands of SMS phishing messages which linked to fake bank and telco sites in order to capture the victims credentials. The AFP allege the pair had been targeting customers of the Commonwealth Bank of Australia, National Australia Bank and Telstra since 2018.

A SIIM box can hold hundred of SIM cards and can send hundreds of thousands of SMS messages per day.

Noyes, Jenny, Phishing fraudsters used SIM box to fleece hundreds of victims, police allege, Sydney Morning Herald, 11 August 2022. Available online at https://www.smh.com.au/national/nsw/phishing-fraudsters-used-sim-box-to-fleece-hundreds-of-victims-police-allege-20220811-p5b8xv.html.

Ethical Question: Should We Build Quantum Computers?

Quantum physicist Emma McKay, a PhD student at McGill University, is concerned about how people practice science and develop technology. In an interview with the American Physical Society, she expresses the controversial view that perhaps we should not build quantum computers at all. McKay points out that one of the main applications of quantum computers is the optimization of financial market trades - essentially, making the rich richer. Then there are the possible military applications of quantum computers.

On the other hand, quantum annealing - the type of quantum computer currently sold by Canadian company D-Wave - might have wide application in optimization problems. But, says McKay, this might simply be used to optimize traffic flows for single-occupant vehicles, when a better approach from an environmental and economic point of view might be to promote public transport as well as bicycling infrastructure.

Do you remember the Ten Commandments of the Computer Professionals for Social Responsibility? The 9th Commandment says, "Thou shalt think about the social consequences of the program you are writing or the system you are designing". And then remember Shakespeare: it is "more honoured in the breach than in the observance". A timely reminder.

Chen, Sophia, Should We Build Quantum Computers at All?, American Physical Society News, 8 August 2022. Available online at https://www.aps.org/publications/apsnews/202209/build-quantum.cfm.

Ransomware Gang More Trouble Than Ever

The remnants of the Conti ransomware gang have continued to cause more trouble for enterprises all over the world. Several groups have spun off and are operating independently, using the BazarCall tactic pioneered by Conti to gain access to victims' networks.

BazarCall, also known as call-back phishing, starts with an email telling the recipient that a subscription is about to renew, but the payment can be cancelled by calling a particular number. The number is answered by a social engineer, who convinces the caller to start a remote access session, which will be used by a network intruder to scout the network defences and deploy tools which will not be detected.

At least three groups - called Silent Ransom Group, Quantum and Roy/Zeon - are using this technique, which allows them to defeat sophisticated automated defences.

So damaging have these attacks become that the US State Department is offering a $US10 million reward for information on five of the ransomware gang members. Posting a photo of the hacker known as 'Target', the State Department is asking for information about him and four other members known as 'Tramp', 'Dandis', 'Professor' and 'Reshaev' - the information to be provided via a Tor anonymizing network link.

The success of the BazarCall technique's social engineering carries a message: we cannot pin all our hopes on technical controls; when the human becomes the weakest link, we must ramp up our efforts in security education, training and awareness.

Abrams, Lawrence, US govt will pay you $10 million for info on Conti ransomware members, Bleeping Computer, 11 August 2022. Available online at https://www.bleepingcomputer.com/news/security/us-govt-will-pay-you-10-million-for-info-on-conti-ransomware-members/.

Ilascu, Ionut, Conti extortion gangs behind surge of BazarCall phishing attacks, Bleeping Computer, 10 August 2022. Available online at https://www.bleepingcomputer.com/news/security/conti-extortion-gangs-behind-surge-of-bazarcall-phishing-attacks/.

HTTP Request Smuggling Attacks

In a paper released via a Black Hat talk today, PostSwigger Director of Research James Kettle has expanded his previous work on attacks against web servers to show how the same techniques can be used to exploit vulnerabilities in the HTTP/2 request handling of browsers.

The techniques utilized are somewhat too involved to detail here, and rely on interactions between the HTTP/1.1 and /2 and TCP protocols, along with the behaviour of reverse proxies and web content accelerators. For those interested, there's lots of good reading in the references below, while for everyone else, expect updates to popular web server software and browsers as the Bad Guys enjoy reading the same references and develop related exploits.

Kettle, James, Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling, white paper, 10 August 2022. Available online at https://portswigger.net/research/browser-powered-desync-attacks.

Vijayan, Jai, New HTTP Request Smuggling Attacks Target Web Browser, Dark Reading, 11 August 2022. Available online at https://www.darkreading.com/application-security/researcher-at-black-hat-describes-new-htpp-request-smuggling-attack.

Open Source Threat Intelligence - Not As Open As You'd Think

An article by three security researchers from Samsung Research in IEEE Security & Privacy points out that we should be wary of licensing conditions on open-source threat intelligence feeds. In many cases, the information is provided for personal, informational and research purposes only, and in some cases, the site or feed has no licence information or terms of service at all - in which case, no-one can use, copy, modify or distribute the information. In other cases, the meaning of terms like commercial use is unclear, making use risky.

Shim, WooChul, Hyejin Shin and Yong Ho Hwang, On Data Licenses for Open Source Threat Intelligence, IEEE Security & Privacy, Vol 20 No. 4, July/August 2022, pp. 8 - 22. Digital Object Identifier 10.1109/MSEC.2021.3127218.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.