EU’s Latest Internet Regulatory Madness: Destroying Internet Security With Its Digital Identity Framework

The EU is at it again. Recently Mozilla put out a position paper highlighting the latest dangerous move by busybody EU regulators who seem to think that they can magically regulate the internet without (1) understanding it, or (2) bothering to talk to people who do understand it. The issue is the Digital Identity Framework, which, in theory, is supposed to do some useful things regarding interoperability and digital identities. This could be really useful in enabling more end user control over identity and information (a key part of my whole Protocols, Not Platforms concept). But the devil is in the details, and the details are a mess.

It would force browsers to support a specific kind of authentication certificate — Qualified Web Authentication Certificates (QWACs) — but as Mozilla points out, that would be disastrous for security:

At the same time, the types of website certificates that browsers would be forced to accept, namely QWACs, are based on a flawed certificate architecture that is ill-suited for the security risks users face online today. In the years since the original eIDAS regulation was adopted in 2014, an increasing body of research has illustrated how the certificate architecture upon which QWACs are inspired – namely, extended validation certificates – lull individuals into a false sense of security that is often exploited for malicious purposes such as phishing and domain impersonation. For that reason, since 2019 no major browser showcases EV certificates directly in the URL address bar.

As such, should the revised Article 45 be adopted as is, Mozilla would no longer be able to honour the security commitments we make to the hundreds of millions of people who use our Firefox browser or any of the other browser and email products that also depend on Mozilla’s Root Program. It would amount to an unprecedented weakening of the website security ecosystem, and undercut the browser community’s ability to push back against authoritarian regimes’ interference with fundamental rights (see here and here for two recent examples).

As Mozilla notes, the EU can still fix this. Whether or not it does is an open question.

Source: EU’s Latest Internet Regulatory Madness: Destroying Internet Security With Its Digital Identity Framework | Techdirt

Why You Should Encrypt Your WhatsApp Backups in iCloud

It’s also one of the few apps that offer end-to-end encryption by default. This means that no one other than you and the other party can read your conversations. Even WhatsApp can’t read your conversations because it doesn’t have the key to un-encrypt your chats.

This was all true, except for one scenario: WhatsApp chats backed up to iCloud were all unencrypted, so if anyone got their hands on your iCloud backup, they could read all your messages pretty easily. But now, WhatsApp has an optional feature to protect your WhatsApp backups with the same two-factor authentication using a password or a secure key.

How to enable end-to-end encryption for WhatsApp backups over iCloud

Before we begin, you should know that WhatsApp end-to-end encryption depends on a password or a 64-digit secure key. If you lose your password, you won’t be able to restore your chats, so make sure you use a secure yet recognizable password. If you use something complicated, make sure to save it on your password manager (it can be iCloud Keychain or a third-party service like Bitwarden).

To get started, first update your WhatsApp application to the latest version. WhatsApp is slowly rolling this feature out to its two billion users, so if you don’t see it yet, try again in a couple of days.

Open WhatsApp, and from the “Settings” tab, go to “Chats.” Here, select “Chat Backups” and tap the “End-to-End Encrypted Backup” button. Tap the “Turn on” button and from the next screen, choose the “Create Password” option.

Source: Why You Should Encrypt Your WhatsApp Backups in iCloud

Google Cloud partially fixes load balancer issues that killed Snapchat, Spotify, Etsy, Discord and many many more

Google Cloud suffered a brief outage, seemingly bringing down or disrupting a whole bunch of websites relying on its systems.

If you’ve had trouble accessing Snapchat, Discord, Spotify, Etsy, retailers like Home Depot, and others today, this is likely why: a fault developed in Google Cloud’s networking infrastructure, resulting in websites throwing up 404 errors. Netizens found themselves unable to log into or use certain services properly.

The good news is that, by now, the IT breakdown has been resolved in that sites using Google’s cloud-based load balancers should work again.

The bad news is that Google’s customers can’t update their load balancing configurations until the web giant gives the word, and when that will be isn’t known.

The outage was acknowledged by Google at 1010 PST, about 35 minutes after websites apparently started going wrong, and a fix was deployed within a few minutes to stop the “page not found” errors. Since that update, though, changes by customers to their external proxy load balancers are being ignored.

[…]

Source: Google Cloud partially fixes load balancer issues • The Register

Does Copyright Give Companies The Right To Search Your Home And Computer?

One reason why copyright has become so important in the digital age is that it applies to the software that many of us use routinely on our smartphones, tablets and computers. In order to run those programs, you must have a license of some kind (unless the software is in the public domain, which rarely applies to modern code). The need for a license is why we must agree to terms and conditions when we install new software. On Twitter, Alvar C.H. Freude noticed something interesting in the software licence agreement for Capture One: “world-class tools for editing, organizing and working with photos” according to the Danish company that makes it (found via Wolfie Christl). The license begins by warning:

if you do not agree to the terms of this license, you may not install or use the software but should promptly return the software to the place where you obtained it for a refund.

That’s normal enough, and merely reflects the power of copyright holders to impose “take it or leave it” conditions on users. Less common is the following:

Capture One or a third-party designated by Capture One in its sole discretion has the right to verify your compliance with this License at any time upon request including without limitation to request information regarding your installation and/or use of the Software and/or to perform on-site investigations of your installation and use of the Software.

If you use Capture One, you must provide “without limitation access to your premises, IT systems on which the Software is installed”, and “Capture One or an Auditor may decide in their sole discretion to apply software search tools in accordance with audits.”

That is, thanks to copyright, a company is perfectly able to demand the right to access a user’s premises, the computer systems they use, and to run search tools on that system as part of an audit. Although this applies to business premises, there’s no reason a software license could not demand the same right to access somebody’s home. In fact, there are really no limits on what may be required. You’re not obliged to agree to such terms, but most people do, often without even checking the details.

The fact that such requirements are possible shows how far copyright has strayed from the claimed purpose of protecting creators and promoting creativity. Copyright has mutated into a monster because it was never designed to regulate activities, as it does with software, just static objects like books and drawings.

Source: Does Copyright Give Companies The Right To Search Your Home And Computer? | Techdirt

Blizzard started this with World of Warcraft, allowing itself to search your hard drive and memory. Many games since then have given themselves this ability, which they make use of.

Microsoft blocks workaround that let Windows 11 users avoid its Edge browser – browser wars are on again

Microsoft plans to update Windows 11 to block a workaround that has allowed users to open Start menu search results in a browser other than Edge. The loophole was popularized by EdgeDeflector, an app that allows you to bypass some of the built-in browser restrictions found in Windows 10 and 11. Before this week, companies like Mozilla and Brave had planned to implement similar workarounds to allow users to open Start menu results in their respective browsers, but now won’t be able to do so.

When the block first appeared in an early preview build of Windows 11 last week, it looked like it was added by mistake. However, on Monday, the company confirmed it intentionally closed the loophole.

“Windows openly enables applications and services on its platform, including various web browsers,” a spokesperson for Microsoft told The Verge. “At the same time, Windows also offers certain end-to-end customer experiences in both Windows 10 and Windows 11, the search experience from the taskbar is one such example of an end-to-end experience that is not designed to be redirected. When we become aware of improper redirection, we issue a fix.”

Daniel Aleksandersen, the developer of EdgeDeflector, was quick to criticize the move. “These aren’t the actions of an attentive company that cares about its product anymore,” he said in a blog post. “Microsoft isn’t a good steward of the Windows operating system. They’re prioritizing ads, bundleware, and service subscriptions over their users’ productivity.”

Mozilla was similarly critical of Microsoft. “People deserve choice. They should have the ability to simply and easily set defaults and their choice of default browser should be respected,” a spokesperson for the company told The Verge. “We have worked on code that launches Firefox when the microsoft-edge protocol is used for those users that have already chosen Firefox as their default browser. Following the recent change to Windows 11, this planned implementation will no longer be possible.”

[…]

Source: Microsoft blocks workaround that let Windows 11 users avoid its Edge browser | Engadget

Portugal: Proposed law tries to sneak in biometric mass surveillance.

Whilst the European Parliament has been fighting bravely for the rights of everyone in the EU to exist freely and with dignity in publicly accessible spaces, the government of Portugal is attempting to push their country in the opposite direction: one of digital authoritarianism.

[…]

Eerily reminiscent of the failed attempts by the Serbian government just two months ago to rush in a biometric mass surveillance law, Portugal now asked its Parliament to approve a law in a shocking absence of democratic scrutiny. Just two weeks before the national Assembly will be dissolved, the government wants Parliamentarians to quickly approve a law, without public consultation or evidence. The law would enable and encourage widespread biometric mass surveillance – even though we have repeatedly shown just how harmful these practices are.

[…]

Source: Portugal: Proposed law tries to sneak in biometric mass surveillance. – Reclaim Your Face

DDR4 memory protections are broken wide open by new Rowhammer technique

Rowhammer exploits that allow unprivileged attackers to change or corrupt data stored in vulnerable memory chips are now possible on virtually all DDR4 modules due to a new approach that neuters defenses chip manufacturers added to make their wares more resistant to such attacks.

Rowhammer attacks work by accessing—or hammering—physical rows inside vulnerable chips millions of times per second in ways that cause bits in neighboring rows to flip, meaning 1s turn to 0s and vice versa. Researchers have shown the attacks can be used to give untrusted applications nearly unfettered system privileges, bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources, and root or infect Android devices, among other things.

All previous Rowhammer attacks have hammered rows with uniform patterns, such as single-sided, double-sided, or n-sided. In all three cases, these “aggressor” rows—meaning those that cause bitflips in nearby “victim” rows—are accessed the same number of times.

[Figure: Rowhammer access patterns from previous work, showing spatial arrangement of aggressor rows (in black) and victim rows (in orange and cream) in DRAM memory. Credit: Jattke et al.]

[Figure: Relative activation frequency, i.e., number of ACTIVATEs per aggressor row in a Rowhammer pattern. Notice how they hammer aggressors uniformly. Credit: Jattke et al.]

Bypassing all in-DRAM mitigations

Research published on Monday presented a new Rowhammer technique. It uses non-uniform patterns that access two or more aggressor rows with different frequencies. The result: all 40 of the randomly selected DIMMs in a test pool experienced bitflips, up from 13 out of 42 chips tested in previous work from the same researchers.

[…]

The effects of previous Rowhammer demonstrations have been serious. In one case, researchers were able to gain unrestricted access to all physical memory by flipping bits in the page table entry, which maps the memory address locations. The same research also demonstrated how untrusted applications could gain root privileges. In another case, researchers used Rowhammer to pluck a 2048-bit encryption key out of memory.

[…]

Source: DDR4 memory protections are broken wide open by new Rowhammer technique | Ars Technica

High severity BIOS flaws affect numerous Intel processors

Intel has disclosed two high-severity vulnerabilities that affect a wide range of Intel processor families, allowing threat actors and malware to gain higher privilege levels on the device.

The flaws were discovered by SentinelOne and are tracked as CVE-2021-0157 and CVE-2021-0158, and both have a CVSS v3 score of 8.2 (high).

The former concerns the insufficient control flow management in the BIOS firmware for some Intel processors, while the latter relies on the improper input validation on the same component.

These vulnerabilities could lead to escalation of privilege on the machine, but only if the attacker had physical access to vulnerable devices.

The affected products, according to Intel’s advisory, are the following:

  • Intel® Xeon® Processor E Family
  • Intel® Xeon® Processor E3 v6 Family
  • Intel® Xeon® Processor W Family
  • 3rd Generation Intel® Xeon® Scalable Processors
  • 11th Generation Intel® Core™ Processors
  • 10th Generation Intel® Core™ Processors
  • 7th Generation Intel® Core™ Processors
  • Intel® Core™ X-series Processors
  • Intel® Celeron® Processor N Series
  • Intel® Pentium® Silver Processor Series

Intel hasn’t shared many technical details around these two flaws, but they advise users to patch the vulnerabilities by applying the available BIOS updates.

This is particularly problematic because motherboard vendors do not release BIOS updates often and don’t support their products with security updates for long.

Considering that 7th gen Intel Core processors came out five years ago, it’s doubtful that MB vendors are still releasing security BIOS updates for them.

As such, some users will be left with no practical way to fix the above flaws. In these cases, we would suggest that you set up a strong password for accessing the BIOS settings.

A third vulnerability affects cars

A third flaw for which Intel released a separate advisory on the same day is CVE-2021-0146, also a high-severity (CVSS 7.2) elevation of privilege flaw.

“Hardware allows activation of test or debug logic at runtime for some Intel(R) processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access.” – Intel’s advisory

This bug affects the following products:

[Figure: Affected Intel products. Source: Intel]

Intel has released a firmware update to mitigate this flaw, and users will get it through patches supplied by the system manufacturer.

Positive Technologies, who discovered and reported the bug to Intel, says that the flaw could allow threat actors to gain access to highly sensitive information.

“One example of a real threat is lost or stolen laptops that contain confidential information in encrypted form,” says Mark Ermolov.

“Using this vulnerability, an attacker can extract the encryption key and gain access to information within the laptop. The bug can also be exploited in targeted attacks across the supply chain.”

“For example, an employee of an Intel processor-based device supplier could, in theory, extract the Intel CSME firmware key and deploy spyware that security software would not detect.”

Positive Technologies says that the flaw also affects several car models that use the Intel Atom E3900, including the Tesla Model 3.

Users should apply a BIOS update from the device vendor to address this flaw, so check your manufacturer’s website regularly.

[…]

Source: High severity BIOS flaws affect numerous Intel processors

ISS crew shelters from debris after Russia blows up old sat – US angry

In a test of its missile technology, Russia destroyed an old space satellite on Monday, littering Earth’s orbit with fragments and forcing astronauts on the International Space Station to temporarily take shelter.

The cloud of debris was generated when Cosmos 1408, a 2,200-kg defunct signals intelligence satellite launched in 1982, was blown up by a Russian anti-satellite missile. The US Department of State condemned the experiment for endangering “human spaceflight activities.”

“Earlier today, the Russian Federation recklessly conducted a destructive satellite test of a direct-ascent anti-satellite missile against one of its own satellites,” the department’s spokesperson Ned Price said at a press briefing on Monday. “The test has so far generated over 1,500 pieces of trackable orbital debris and hundreds of thousands of pieces of smaller orbital debris that now threaten the interests of all nations.

[…]

The seven astronauts onboard the International Space Station were directed to close all hatches to external modules and climb into the Soyuz MS-19 and Crew Dragon capsules for safety. They remained there for about two hours, and will periodically close off and isolate sections of the ISS as the debris cloud crosses the station’s path every 90 minutes or so, according to NASA.

[…]

Only last week, the ISS performed an orbital burn to avoid any chance of smashing into the passing remains of a Chinese satellite that was blown up by Beijing.

The cloud of shrapnel that was once Cosmos 1408 will disperse and continue to occupy low-Earth orbit, where it all risks crashing into other objects. Some 1,500 pieces will probably remain in the region for decades. Small flecks of debris traveling at orbital speeds can cause huge amounts of damage, potentially setting off a chain reaction where collisions create more amounts of junk that go on to smash into more objects and so on.

This nightmare scenario, known as the Kessler syndrome, would make low Earth orbit a hostile environment as debris levels increase. It’d be difficult to launch future spacecraft without weighty armor and all existing satellites and space stations would be in danger of getting pelted by the junk.

[…]

Source: ISS crew shelters from debris after Russia blows up old sat • The Register