securitywithoutborders/newsletter

Newsletter #2

botherder opened this issue · 30 comments

Here we collect topics for the Newsletter #2.

Maybe something about WebEx plugin, and a general reminder to check plugins one doesn't need

I've had journalists asking about PGP. Basic intro + links to resources may be good.

I agree that it would be good to add something about PGP. Happy to write a short intro and then find links to specific HowTos about various operating systems and mail providers.

In the meantime, it looks like we may want to make WordPress a regular feature. Another update has been released: https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/

Te-k commented

It may be interesting to focus on one security tip for each newsletter even if it is not related to news. Like this month PGP, next month Signal and chat app etc.

Will do a PR when I have some spare time:

  • Many Netgear routers were found to disclose the admin password for the web admin panel by just making a request, may be exploitable remotely:

https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2017-5521--Bypassing-Authentication-on-NETGEAR-Routers/

  • Tons of printers that support PS can be taken over, and in combination with other attacks may allow remote attackers to exploit it:

http://seclists.org/fulldisclosure/2017/Jan/89

  • WebEx (#8 (comment)), from previous PR (#6):

  • Cisco WebEx: A vulnerability in Cisco WebEx browser extensions was disclosed on the 24th of January. This flaw would allow an attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server and Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center) when they are running on Microsoft Windows. Cisco has released software updates for Google Chrome, Firefox, and Internet Explorer that address this vulnerability. For more details please refer to the following link: Cisco

mkind commented

In rough times with a lot of demonstrations, it might be of interest to give an introduction to GSM-like security issues, in particular how IMSI catchers work.

Security First Umbrella App:
http://www.secfirst.org/

What about hardened live systems like TAILS or SubgraphOS?
I could drop a few lines for that.

I support the idea of having a monthly security tip or tutorial on topics like GPG or Signal etc.

Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society - https://citizenlab.org/2017/02/nilephish-report/

I had said I'd write something about PGP - here is a first go at it. Feel free to use, take apart or completely ignore.

Though it is certainly not the case that any email sent over the internet can be read by anyone who wants to, email is not secure enough to send messages of which it is important that the content is not read by anyone but the sender and the recipient. A common way to protect this information is to use PGP.
PGP can be integrated in many email clients, making its use relatively straightforward. However, before using PGP it is important to understand a few things:

  • you do not need to know anything about encryption to use PGP, except for the fact that to use PGP, you generate what is called a "key pair", consisting of a public and a private key. The private key is kept private and secured with a strong password, while the public key can be shared with anyone. Someone needs your public key to send you encrypted emails.

  • PGP encrypts the content of the emails, but it does not protect so-called "metadata", including the Subject line and the sender and recipient of the email. You can use generic subject lines such as "subject" or "encrypted content", but you cannot hide sender or recipient. If the fact that you are exchanging messages with someone needs to remain secret, you ought to use another communication channel, or use a separate anonymous email account.

  • PGP doesn't offer "forward secrecy". This means that someone who is able to get hold of your private key and its password, for example by (legal) force or by malware running on your device, is able to read all messages sent to you while you were using this key pair.

  • "bad people" can use PGP too and it's all too easy to send an encrypted message to someone who pretends to be someone else. Before sending someone an encrypted email, make sure you have confirmed the public key you use is indeed theirs through a channel other than email, for instance a Twitter message, a common friend or a service such as keybase.io.

  • it is easy to make basic mistakes when using PGP, for example storing the unencrypted email in a file, or forgetting to encrypt a reply. If the confidentiality of your messages is very important, do teach yourself good habits to minimize the risk of making such mistakes.

  • cryptography experts like to point out that the cryptography used in PGP is somewhat outdated. While this is true, this isn't something you as a user should be concerned about.

If you are convinced that PGP is what you need, you may want to follow the guides on using PGP the Electronic Frontier Foundation (EFF) has written as part of its Security Self-Defense series. There are guides for Windows [https://ssd.eff.org/en/module/how-use-pgp-windows] Mac OS X [https://ssd.eff.org/en/module/how-use-pgp-mac-os-x] and Linux [https://ssd.eff.org/en/module/how-use-pgp-linux].

And two pieces that can be used for the newsletter (or can be safely ignored)

Citizen Lab writes about an ongoing phishing campaign against various Egyptian NGOs. Phishing is a technique where users are lured into entering their credentials for, for example, email, banking or social media accounts. It affects any internet user, but is of particular concern to those targeted by powerful adversaries such as governments. In this case, as was seen in Egypt, the senders already know quite a lot about their target and use this to make the emails that contained the phishing link look very credible.
Those who are likely targets of such attacks should be very wary of clicking links in emails they receive; in case of the slightest doubt, they should consult a trusted security expert. To seriously raise the bar for the adversary, two-factor authentication should be used for all accounts that give access to important information.
https://citizenlab.org/2017/02/nilephish-report/

The Iran Threats project writes about new malware that targets Apple's Mac OS X operating system and that is written by an Iranian threat actor. For everyone, even those not particularly concerned about Iranian actors, this serves as an important reminder that malware on OS X is a real thing. Though malware targeting Windows is far more prevalent, Mac users should not consider themselves invincible and apply the same security hygiene as users of other operating systems. This especially applies to those with powerful adversaries.
https://iranthreats.github.io/resources/macdownloader-macos-malware/
Another example of this was seen when security researchers found a piece of malware, of unknown origin, that was hidden inside a Word for Mac file. The malware would be activated when the user enabled macros. It is thus important, in Mac as much as in Windows, to never enable macros in Office files, no matter how much the document says it is needed to view hidden content.
https://motherboard.vice.com/en_us/article/these-hackers-cleverly-disguised-their-malware-as-a-document-about-trumps-victory
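An added illustration of the metadata point in the PGP notes above (not part of the original thread): Python using only the standard library to inspect a constructed PGP/MIME message, listing which headers travel in cleartext and flagging a Subject line that gives away content. The message, the addresses and the "ciphertext" are all constructed placeholders.

```python
import email
from email import policy
# Constructed sample of a PGP/MIME (RFC 3156) message as mail servers see it; placeholders only.
SAMPLE_PGP_MIME = """\
From: reporter@example.org
To: source@example.net
Subject: Draft interview questions for Thursday
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

(constructed placeholder: only this part is protected by PGP)
-----END PGP MESSAGE-----

--b1--
"""

# Headers every mail server and mailbox on the path can read; PGP does not cover them.
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date")
GENERIC_SUBJECTS = {"", "subject", "encrypted content", "encrypted message"}

def parse(raw):
    return email.message_from_string(raw, policy=policy.default)

def is_pgp_mime(raw):
    """True if the message uses the RFC 3156 multipart/encrypted structure."""
    msg = parse(raw)
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")

def exposed_metadata(raw):
    """Metadata headers left in cleartext, plus the types of the leaf MIME parts."""
    msg = parse(raw)
    headers = {h: str(msg[h]) for h in METADATA_HEADERS if msg[h] is not None}
    parts = [p.get_content_type() for p in msg.walk() if not p.is_multipart()]
    return headers, parts

def subject_leaks(raw):
    """Flag a Subject that carries real information instead of a generic placeholder."""
    headers, _ = exposed_metadata(raw)
    return headers.get("Subject", "").strip().lower() not in GENERIC_SUBJECTS
```

Run against a real message saved from a mail client, the part list shows no text/* part (the body is inside the octet-stream part) while From, To and Subject remain readable.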

These are two separate things. The Verge link talks about the fact that when you apply for an ESTA visa waiver (most - not all - Europeans can do this) you can fill in your social media accounts. This has been in place since December, before the current government took over, and is clearly marked as "optional". I find it very dubious, especially since the whole process is rather opaque, but so far I've not heard any reports of people being refused a visa because they didn't provide the information, or because their social media activity was deemed unsuitable.

The Guardian link talks about a suggestion made by gen. Kelly (the head of DHS) that customers from some countries (the now famous seven countries) may be asked to provide their social media credentials if they apply for a visa. I think this policy would be wrong on so many levels, but so far it's not a policy, nor even an official proposal. I don't think it would be helpful to suggest otherwise.

New ooniprobe Mobile App: Measure Internet Censorship & Performance:
https://ooni.torproject.org/post/ooni-mobile-app/

Newsletter stories about the ASLR bypass and the Bittersweet campaign:

A group of academic researchers has found a way to use JavaScript to bypass ASLR, a technique that makes it much harder for malicious websites to install malware. As this bypass uses properties of modern computers that are hard to change, this isn't something that can be patched easily, if at all. It is important to note that an attacker would still need to find a vulnerability in a browser or a browser plugin (such as Flash Player) before being able to install malware; this new discovery only makes it easier to install malware given such a vulnerability. It is thus even more important to keep your browser and its plugins up-to-date (and, ideally, uninstall plugins such as Flash Player and Java, as these are often exploited).
Those who think they may be targeted by very powerful adversaries would do best to use the NoScript browser plugin (which by default blocks all JavaScript) or even the Tor browser, and should consider the fact that this makes browsing the web a less pleasant experience a price worth paying.
https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/

CitizenLab wrote about the use of NSO Group exploits to target the mobile devices of a number of Mexican individuals, all of whom have campaigned for a tax on sugary drinks ("soda tax"). NSO Group malware had previously been used to target UAE-based human rights defender Ahmed Mansoor. This malware, which is exclusively sold to governments, is known to be both very powerful and very stealthy; in practice this means that the usual advice about keeping your devices and software up to date, while still important, is not always good enough. Those who suspect they could be the target of these kinds of attacks are advised to take extreme caution and look for help locking down their devices.
Advanced though the malware was, the infection techniques weren't. The targets received a number of SMS messages, each of which contained a link which, if clicked, would have infected their phone with the malware. Given the targeted nature of the campaign, the messages appeared very relevant to the targets. The same technique has been used in many less sophisticated malware and phishing campaigns. It is important to err on the side of caution before opening links sent in messages. In case of doubt, contact the apparent sender of the messages through a different channel. Matters of life and death are rarely, if ever, solved by clicking on a link.
https://citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/

I may find time to write something about Operation Kingpin later today, not 100% sure though

Quick one about Kingphisher (that I accidentally called Kingpin above)

Researchers at Amnesty International discovered a campaign of phishing attacks against a group of people most of whom were involved in the issue of migrants’ rights in Qatar and Nepal. Though technically not very sophisticated, the attack was well planned and involved carefully crafted fake social media profiles that connected to the targets and used this trust to learn about them and deliver phishing messages. Social media can be really great to meet people who care about the same cause as you do, but if you handle sensitive information you should be wary of fake profiles trying to connect. As the article puts it: if you wouldn’t share it on Twitter, don’t share information with someone you don’t know, even if it is someone who appears to have friends on social media in common with you.
https://medium.com/amnesty-insights/operation-kingphish-uncovering-a-campaign-of-cyber-attacks-against-civil-society-in-qatar-and-aa40c9e08852

Three short suggested entries - the former two are gaps in the current newsletter, the latter is the Signal+Tor post above.

There are many great sources on the internet about improving your (digital) security, but for many people, especially the less tech-savvy among us, face to face trainings are the best way to learn about digital safety and security. Four people with experience giving such trainings have written a brief document on how to give such security trainings.
https://medium.com/@geminiimatt/how-to-give-a-digital-security-training-4c83af667d40

Security tip: no matter how secure your password is, it takes one convincing phishing email for an attacker to steal it. It is therefore vital that you protect all your important online accounts with two-factor authentication. The Electronic Frontier Foundation (EFF) has published a series of blog posts about how to do that for various popular services, including Facebook, Twitter and Gmail.
https://www.eff.org/deeplinks/2016/12/12-days-2fa-how-enable-two-factor-authentication-your-online-accounts

The Signal messaging app is widely praised for its security and privacy properties. Using it should be sufficient for almost everyone who needs to care about their online security. However, a very small group of users could have reasons to be worried about the (small amount of) metadata stored on Signal's servers. For those users, security researcher 'x0rz' published a simple guide on how to use Tor to use Signal pseudonymously.
https://blog.0day.rocks/operational-signal-d41d2c457d8d

(Again, feel free to edit/ignore everything I write - they're all suggestions which I hope are helpful.)

Thanks for all those, I'm incorporating all of them.

We don't seem to have any urgent security alerts. I'm not sure how relevant the router and printers ones would be. I would much rather keep it concise to things that are relevant and are more likely to be a serious threat.

Thoughts?

I agree, that's why I didn't write anything about them. Router insecurity is an issue in general, and it may be worth mentioning in a future newsletter, but listing every individual vulnerability is likely going to be confusing.

How useful would such a tool be for those being directly targeted by malware? As I read it, it's looking for "known indicators" which sounds like AV. I'm all for people using that, but one property of small scale attacks, even if not particularly advanced, is that there are no known indicators yet.

That is a very good story on a very important issue that I'm glad is getting more attention, but it mostly says: this is really bad. It doesn't really say anything about what can be done to prevent these kinds of things (and such advice would be pretty complicated too). So I wasn't sure if it was worth including. But then, ultimately that's not for me to say.