IEEE Cipher --- Items from security-related news (E177), January 2024
Summary:
Personal data of nearly all Xfinity customers was "probably" accessed
by hackers in October using a vulnerability in Citrix cloud software.
Citrix notified Xfinity and other companies about the vulnerability on
October 10. It released a patch at that time, but other guidance was
announced on October 23. Between those October 16 and 19, Xfinity
determined that its own customer data had been accessed by
unauthorized parties. Xfinity disclosed this situation in a
regulatory filing with the SEC.
Citrix said that when it issued a notice about the vulnerability on October 10, it was unaware that any exploits had occurred. However, by October 23 it was aware of "targeted attacks" that were enabled by the vulnerability. Mandiant issued guidance about remediation for the affected products (NetScaler ADC and Gateway appliances), and Citrix gave the information to its customers.
Summary:
The SSH protocol for secure access to remote computers has been used
since 1996, and it has been the subject of extensive security
analysis. Thus, it was a surprise when it was recently found to have
a flaw. The hack, named "Terrapin", utilizes an active man-in-middle attack
against particular ciphers and/or cipher modes. These are supported by
over 75% of Internet servers, and one or more are preferred access
modes on over half of the servers.
The "ChaCha20-Poly1305" cipher or "CBC with Encrypt-then-MAC" mode for SSH have the vulnerability. If an attacker can block several messages at the beginning of the protocol, when it is setting up a secure end-to-end connection, then the integrity of the exchange can be undermined. The attacker can inject packets that will be accepted by the server as having come from the client. The result is an SSH session that the attacker controls.
The researchers who discovered the vulnerability have recommended a complete redesign of SSH. The protocol suffers from having had too many new ciphers and modes added to it over time, and some of those additions are inconsistent with the assumptions used in 2016 to prove the protocol's security.
Summary:
Modern-day museums offer views of their collections through online
photographs and videos, and management of those digital artifacts is
done through software systems tailored to the way museums operate.
The company Gallery Systems is such a provider to the likes of the
Boston Museum of Fine Arts, the Rubin Museum of Art in New York, and
the Frances Lehman Loeb Art Center at Vassar College, When Gallery
Systems was hit by a ransomware attack on December 28, they took
immediate steps to isolate their affected systems. As a result, the
museums' digital collections were unavailable, and in some cases their
administrative data, like lists of donors, were similarly offline.
Those museums that took care to keep such data on local systems did
not suffer disruption to their administrative functions. Curators
noted that information is the major part of the value their
collections, and they would be much harmed if the information behind
the objects was lost.
The status of recovery by Gallery Systems was not readily available at the time of this writing.
In a similar story, the British Library is "crawling back online" after a cyberattack in October on its website.
Summary:
Beijing Wangshen Dongjian Justice Appraisal Institute in China's
capital announced that they could compromise the user privacy of
Apple's cellphone protocol for peer-to-peer networking. The
announcement implied that the information had been used by police to
identify several people suspected of sharing "inappropriate
information". The suspects are assumed to be participants in the 2022
anti-government protests in Hong Kong.
However, no one familiar with AirDrop security should be surprised. The weaknesses in the protocol are well-known.
Summary:
China monitors iPhone AirDrop usage in Hong Kong, not just during
protests. Anti-government people share organizational and other
information using the peer-to-peer protocol. Apple's intention was
to keep everything except the iPhone "name" (which is user settable)
protected from view, but the user name and email address of both
the sender and receiver are inadequately obscured. The hash values
of the fields are accessible, and there is no cryptographic protection.
This means that brute force attacks can easily reveal the information
for the phone number, and the email address will also be revealed if
it is either short (less than 14 characters randomly chosen) or
available in any kind of public database.
Apple has known about the problem since at least 2019, but industry experts surmise that changes to the protocol were ruled out because they could not achieve backwards compatibility.
Summary: This article, from 2021, explains more detail about the AirDrop protocol and its "handshake" in which "the devices exchange the full SHA-256 hashes of the owners' phone numbers and email addresses". Researchers who found the problem distributed an open source solution called "PrivateDrop" on GitHub, but Apple did not have any comment on the matter.
Summary:
On January 9, the X social media account for the US Securities and
Exchange Commission announced the widely anticipated approval of "spot
bitcoin exchange traded product (ETP) shares" (aka ETFs), but the
Commission immediately retracted the statement, blaming a compromise
of its X account for misinformation. However, the next day, the
Commission actually did issue the approval. On January 12, the SEC
issued a statement the "unauthorized party" access to its X
account, noting that it "takes its cybersecurity obligations
seriously" but giving no information other than their preliminary
assessment that their internal infrastructure was not compromised.
Their statement did not seem to rule out the possibility of an insider ("authorized user") leaking the information ahead of time. Until the SEC releases a complete analysis of the incident, mysteries remain.
Summary:
As long ago as last November, a nation-state entity surreptitiously
accessed "a very small percentage of Microsoft corporate email
accounts," the company announced in a blog post. Moreover, some of
the accounts belong to members of its senior leadership team and
employees in its cybersecurity and legal departments. That attacking
entity was "Midnight Blizzard", a Russian state-sponsored group aka
"Nobelium."
And what was the group seeking from Microsoft's senior leadership? None other than information about Midnight Blizzard itself. And how did they gain access to that small percentage of accounts? Apparently by trying a bank of commonly used passwords. Did Microsoft fail to notice the password guessing activity? Why didn't their own security team detect the guessable passwords as part of normal security checkups? What about two-factor authentication? Etc., etc. In all likelihood, these barndoors are in the process of being closed.