Privacy, Security Archive
Unikernels are small, specialized, single-address-space machine images constructedby treating component applications and drivers like libraries and compiling them, along with a kernel and a thin OS layer, into a single binary blob. Proponents of unikernels claim that their smaller codebase and lack of excess services make them more efficient and secure than full-OS virtual machines and containers. We surveyed two major unikernels, Rumprun and IncludeOS, and found that this was decidedly not the case: unikernels, which in many ways resemble embedded systems, appear to have a similarly minimal level of security. Features like ASLR, W^X, stack canaries, heap integrity checks and more are either completely absent or seriously flawed. If an application running on such a system contains a memory corruption vulnerability, it is often possible for attackers to gain code execution, even in cases where the application’s source and binary are unknown. Furthermore, because the application and the kernel run together as a single process, an attacker who compromises a unikernel can immediately exploit functionality that would require privilege escalation on a regular OS, e.g. arbitrary packet I/O. We demonstrate such attacks on both Rumprun and IncludeOS unikernels, and recommend measures to mitigate them. This is a 100+ page article – book? – that isn’t for the faint of heart.
We’re excited to announce that Gmail will become the first major email provider to follow the new SMTP MTA Strict Transport Security (MTA-STS) RFC 8461 and SMTP TLS Reporting RFC 8460 internet standards. Those new email security standards are the result of three years of collaboration within IETF, with contributions from Google and other large email providers. Google hopes other email services will also adopt these new security standards.
Colm MacCárthaigh, who was Principal Engineer for Amazon Web Services Elastic Load Balancer five years ago, posted an interesting recollection of his experience the day the Heartbleed bug went public. OpenSSL was in use widely across AWS, and the team there basically dropped everything to hot patch millions of deployments, then over the next hours and days took many other steps to mitigate the damage. It’s a fascinating story if you’re familiar with information security, or even just minimally familiar with the infrastructure that keeps the internet going.
A trending and vastly expanding GitHub database where Chinese developers have been airing their workplace grievances may be at risk of censorship. A number of internet users in China are reporting seeing their access to the database cut off when using browsers offered by companies like Tencent, Alibaba, Xiaomi, and Qihoo 360, as first spotted by Abacus. There’s no indication yet that these censorship efforts may have originated from government orders. And as a reminder: western technology companies, most prominently Apple, is working very closely with the Chinese government, giving them access to user data of Chinese users to aid the China’s totalitarian surveillance state.
HMD Global, the Finnish company that sublicensed the Nokia smartphone brand from Microsoft, is under investigation in Finland for collecting and sending some phone owners’ information to a server located in China. In a statement to Finnish newspaper Helsingin Sanomat, the company blamed the data collection on a coding mistake during which an “activation package” was accidentally included in some phones’ firmware. HMD Global said that only a single batch of Nokia 7 Plus devices were impacted and included this package. Why does stuff like this keep happening? It seems like such a simple thing to not preinstall dodgy stuff on factory-set smartphones.
Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data. Facebook is a criminal enterprise that needs to be broken up into its constituent parts sooner rather than later.
David Balaban says, “There are plenty of operating systems aimed at achieving online anonymity. But how many of them are really good?” He highlights five candidates: Tails OS, Whonix, Kodachi, Qubes, and Subgraph. He concludes that Kodachi is the best OS to preserve anonymity. Have any OSNews readers evaluated any of these OSes? Do you agree with his conclusion?
Huawei’s rotating chairman Guo Ping has gone on the offensive this week at Mobile World Congress, following continued pressure on US allies to drop the Chinese telecoms giant over national security fears. In a strident on-stage speech and a Financial Times editorial, Guo is escalating Huawei’s side of the story by explicitly calling out the NSA, which Edward Snowden has shown to have hacked Huawei in the past, while presenting his company as a more secure option for the rest of the world. “If the NSA wants to modify routers or switches in order to eavesdrop, a Chinese company will be unlikely to co-operate,” Guo says in the FT, citing a leaked NSA document that said the agency wanted “to make sure that we know how to exploit these products.” Guo argues that his company “hampers US efforts to spy on whomever it wants,” reiterating its position that “Huawei has not and will never plant backdoors.” This war of words and boycotts will continue for a long time to come, but Guo makes an interesting point here by highlighting the fact the NSA hacked Huawei devices and email accounts of Huawai executives. I personally do not believe that devices made in China for other brands – Apple, Google, whatever – are any safer from tampering than devices from a Chinese brand. These all get made in the same factories, and I can hardly fault the Chinese government for doing what all our western governments have been doing for decades as well. It’s not a pretty game, and in an ideal world none of it would be necessary, but we should not let blind nationalism get in the way of making sound decisions.
The boot process, in computer hardware, forms the foundation for the security of the rest of the system. Security, in this context, means a “defense in depth” approach, where each layer not only provides an additional barrier to attack, but also builds on the strength of the previous one. Attackers do know that if they can compromise the boot process, they can hide malicious software that will not be detected by the rest of the system. Unfortunately, most of the existing approaches to protect the boot process also conveniently (conveniently for the vendor, of course) remove your control over your own system. How? By using software signing keys that only let you run the boot software that the vendor approves on your hardware. Your only practical choices, under these systems, are either to run OSes that get approval from the vendor, or to disable boot security altogether. In Purism, we believe that you deserve security without sacrificing control or convenience: today we are happy to announce PureBoot, our collection of software and security measures designed for you to protect the boot process, while still holding all the keys. Good initiative.
Security researchers at the Network and Distributed Systems Security Symposium in San Diego are announcing the results of some fascinating research they’ve been working on. They “built a fake network card that is capable of interacting with the operating system in the same way as a real one” and discovered that Such ports offer very privileged, low-level, direct memory access (DMA), which gives peripherals much more privilege than regular USB devices. If no defences are used on the host, an attacker has unrestricted memory access, and can completely take control of a target computer: they can steal passwords, banking logins, encryption keys, browser sessions and private files, and they can also inject malicious software that can run anywhere in the system. Vendors have been gradually improving firmware and taking other steps to mitigate these vulnerabilities, but the same features that make Thunderbolt so useful also make them a much more serious attack vector than USB ever was. You may want to consider ways to disable your Thunderbolt drivers unless you can be sure that you can prevent physical access to your machine.
Huawei Technologies Co. would deny any Chinese government request to open up “back doors” in foreign telecommunications networks because they aren’t legally obliged to do so, the company’s chairman says. Liang Hua, speaking to reporters in Toronto on Thursday, said the company had received an independent legal opinion about its obligations under Chinese law and said there is nothing forcing companies to create what he called “back doors” in networks. He said they’d never received any such request, but would refuse it if they did. At this point, it seems silly to assume such backdoors do not already exist in one form or another – if not at the device level, then at the network level. This isn’t merely a Chinese thing either; western governments are doing the same thing, draped in a democratic, legal veneer through secret FISA-like courts and similar constructions.
Millions of smartphone users confess their most intimate secrets to apps, including when they want to work on their belly fat or the price of the house they checked out last weekend. Other apps know users’ body weight, blood pressure, menstrual cycles or pregnancy status. Unbeknown to most people, in many cases that data is being shared with someone else: Facebook. The social-media giant collects intensely personal information from many popular smartphone apps just seconds after users enter it, even if the user has no connection to Facebook, according to testing done by The Wall Street Journal. The apps often send the data without any prominent or specific disclosure, the testing showed. At this point, none of this should surprise anyone anymore. Still, this particular case involves applications without any Facebook logins or similar mechanisms, giving users zero indiciation that their data is being shared with Facebook. These developers are using Facebook analytics code inside their applications, which in turn collect and send the sensitive information to Facebook. Other than retreat to a deserted island – what can we even do?
A team of former U.S. government intelligence operatives working for the United Arab Emirates hacked into the iPhones of activists, diplomats and rival foreign leaders with the help of a sophisticated spying tool called Karma, in a campaign that shows how potent cyber-weapons are proliferating beyond the world’s superpowers and into the hands of smaller nations. The cyber tool allowed the small Gulf country to monitor hundreds of targets beginning in 2016, from the Emir of Qatar and a senior Turkish official to a Nobel Peace laureate human-rights activist in Yemen, according to five former operatives and program documents reviewed by Reuters. The sources interviewed by Reuters were not Emirati citizens. No device is secure.
Great reporting by TechCrunch’s Josh Constine: Desperate for data on its competitors, Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms. Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits, and it has no plans to stop. Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as “Project Atlas” — a fitting name for Facebook’s effort to map new trends and rivals around the globe. This is a very interesting case. These users are clearly doing this of their own volition; they are making the choice to give up their privacy so Facebook can see literally everything they do on their iPhone. At the same time, we can all agree this scummy, sleazy, and stupid, and I would love for Apple to have the guts to revoke Facebook’s iOS developer account. They won’t, of course, but if Apple really cares about privacy – they do not, but for the sake of argument, let’s assume that they do – they should remove Facebook from the App Store.
Christian Haschek found a Raspberry Pi attached in a network closet at the company he works for, and since nobody knew what it was or where it came from, he and his colleagues decided to investigate. I asked him to unplug it, store it in a safe location, take photos of all parts and to make an image from the SD card (since I mostly work remote). I have worked on many Raspberry Pi projects and I felt confident I could find out what it does. At this point nobody thought it was going to be malicious, more like one of our staffers was playing around with something. Interesting – but worrisome – story.
Internal Facebook documents seized by British lawmakers suggest that the social media giant once considered selling access to user data, according to extracts obtained by the Wall Street Journal. Back in April, Facebook CEO Mark Zuckerberg told congress unequivocally that, "We do not sell data." But these documents suggest that it was something that the company internally considered doing between 2012 and 2014, while the company struggled to generate revenue after its IPO.
This just goes to show that no matter what promises a company makes, once the shareholders come knocking, they'll disregard all promises, morals, and values they claim to have.
The government of The Netherlands recently commissioned the Privacy Company to perform a data protection impact assessment regarding the government's use of Microsoft Office products, and the results of this assessment are alarming.
The SLM Rijk conducts negotiations with Microsoft for approximately 300.000 digital work stations of the national government. The Enterprise version of the Office software is deployed by different governmental organisations, such as ministries, the judiciary, the police and the taxing authority.
The results of this Data Protection Impact Assessment (DPIA) are alarming. Microsoft collects and stores personal data about the behaviour of individual employees on a large scale, without any public documentation. The DPIA report (in English) as published by the Ministry is available here.
This shouldn't surprise anyone, but it's good to see governments taking these matters seriously, and forcing technology companies to change their policies.
A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.
The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.
Fresh fuel for the fire.
But that's just what U.S. investigators found: The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People's Liberation Army. In Supermicro, China's spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.
One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world's most valuable company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.
Both Apple and Amazon aggressively deny the reports, but such was to be expected - these companies aren't going to openly admit their products and data could be vulnerable to sophisticated Chinese hacking attempts. In addition, especially Apple is beholden to remaining in the Chinese government's good graces, and won't openly admit they're being targeted by them - like no other company in the world, Apple is dependent on China, because no other country has the manpower, labour laws, and welcoming totalitarian government required to build the massive amount of devices Apple orders from China.
None of this should surprise anyone, and further illustrates that any company - especially major ones - claiming their products are secure and privacy-focused have really no way of guaranteeing as such. Whether it be domestic carriers snooping in on internet traffic or the Chinese government adding small microchips to hardware, nothing is secure or private.
Does Lenovo put backdoors in if the Chinese government asks?
"If they want backdoors globally? We don't provide them. If they want a backdoor in China, let's just say that every multinational in China does the same thing.
"We comply with local laws. If the local laws say we don't put in backdoors, we don't put in backdoors. And we don't just comply with the laws, we follow the ethics and the spirit of the laws."
This shouldn't surprise anyone, really. At this point, it's pretty safe to assume that any major technology company selling products in China are putting backdoors into their products sold in China. Microsoft, Apple, phone makers - China is simply too powerful and important to ignore.
