While many of us were enjoying a Thanksgiving holiday, the US government took drastic action against Huawei and four other Chinese companies. The hardest hit are Huawei and ZTE as the ban prevents new products from being approved for the US market. The other three companies are Dahua and Hikvision, which make video surveillance equipment, and Hytera, which makes wireless systems. FCC Commissioner Brendan Carr underscored the seriousness of the decision.
[As] No new Huawei or ZTE devices can be approved based on our order. And no new Dahua, Hikvision, or Hytera equipment can be approved unless they assure the FCC that their equipment will not be used for public safety, government security, or other national security purposes.
There is even a possibility that previously approved devices may have their approval revoked. The raw FCC docs are available if you really want to dig through them. Notably, two diametrically opposed US administrations have both pushed for this ban. It would certainly be interesting to take a look at the classified reports detailing what was actually found. Maybe in another decade or two we can make a Freedom of Information Act request and finally get the full story.
Fuzzing with REcollapse
[0xacb] has a fun new technique to share that he calls REcollapse. It’s all about regular expressions used in validating and sanitizing user input. Regex is hard to get right and is full of quirks in how different languages and libraries implement it. A simple example is an email address containing non-ASCII Unicode characters (the kind that “Punycode” encodes in domain names). It is perfectly legitimate for an address to contain Unicode, but many normalization schemes reduce Unicode strings to their closest ASCII approximation. Take example.com and a lookalike that is identical except for one non-ASCII character. If one part of a web service sees them as the same while another backend service still sees them as unique, that discrepancy can allow account takeover. Enter your email address here to receive a password reset link.
What’s new here is a structured approach to fuzzing these problems. [0xacb] proposes to identify “regex pivot positions”, places in a string where unexpected or inconsistent regex matches can occur. A very different example of this is the end-of-string symbol $. A developer can use this to indicate that a given pattern should only be matched if it comes at the very end of a string. But what happens when a newline is embedded in the string? It depends on the language. Oops!
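As an added illustration (not code from the original post or from the REcollapse tool), here is a small Python check showing both pivots described above: the `$` anchor quietly matching before a trailing newline, and NFKC normalization folding a fullwidth-letter lookalike onto the plain ASCII address, next to a stricter check that avoids both. The email pattern and the sample addresses are constructed for the example.

```python
import re
import unicodedata

# Constructed sample inputs (not from the original post): a plain address,
# the same address with a trailing newline, and a lookalike whose first "e"
# is FULLWIDTH LATIN SMALL LETTER E (U+FF45), which NFKC folds to ASCII "e".
PLAIN = "user@example.com"
WITH_NEWLINE = "user@example.com\n"
FULLWIDTH = "user@\uff45xample.com"

# A typical hand-rolled email pattern anchored with ^ and $.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def naive_is_valid(addr: str) -> bool:
    """Validator as it is often written: 'clean up' the input with NFKC, then
    regex-check it. Two pivots hide here: '$' also matches just before a
    trailing newline, and the normalized copy is not the string that gets
    stored or mailed, so the lookalike passes as if it were the ASCII address."""
    cleaned = unicodedata.normalize("NFKC", addr)
    return EMAIL_RE.search(cleaned) is not None


def strict_is_valid(addr: str) -> bool:
    """Hardened check: validate the raw string (no normalization before the
    check), use fullmatch so the whole input must match (a trailing newline
    fails), and refuse non-ASCII so no later normalization can change it."""
    if not addr.isascii():
        return False
    return EMAIL_RE.fullmatch(addr) is not None


def normalize_like_backend(addr: str) -> str:
    """Stand-in for a backend that NFKC-folds and lowercases addresses before
    an account lookup; this is where the lookalike collides with the original."""
    return unicodedata.normalize("NFKC", addr).casefold()


def pivot_report(addr: str) -> dict:
    """How one input looks to the naive frontend, the strict check, and a
    normalizing backend; a True/False/True row is the dangerous discrepancy."""
    return {
        "naive_valid": naive_is_valid(addr),
        "strict_valid": strict_is_valid(addr),
        "collides_with_plain": normalize_like_backend(addr) == normalize_like_backend(PLAIN),
    }
```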
Now available as an open source tool, REcollapse is great for generating fuzzed inputs to feed into an automated tool. Run it against a target and watch for different reactions. Find something good and profit!
Smartwatch phishing
The Cybervelia team came up with another way to reach a target via spear phishing. Many of us have smartwatches, and one of the most useful features of these wrist-worn marvels is being able to glance at an SMS or other message without fishing out a phone. Could an attacker with a Bluetooth Low Energy radio spoof a text message to a nearby smartwatch? After some reverse engineering, the answer is absolutely yes. With the right message, like “need help, 2nd floor,” the target might just start moving without ever looking at the phone and spotting the spoof.
Real-time malware hunting
This one is fun: Phylum researchers found another malicious PyPI package campaign on the 15th. Their tools alerted them very early in the campaign, while packages were still being uploaded and the payload was still being fine-tuned. The payload was being developed on GitHub, so there was only one thing to do.
The union of memes and security research is a wondrous thing. The packages have been reported, removed, and it looks like this particular malware campaign has been eliminated before it actually started.
This leads to a hilarious aside from Phylum about some of the ridiculously bad malware attempts they’ve uncovered in other campaigns. There is a certain poetic justice to malware that refuses to run because its own de-obfuscation routine checks for a confirmation string and throws errors when it has been tampered with.
LastPass breach, continued
LastPass has updated its security incident report and noted that there appears to have been subsequent access to data. They noticed “unusual activity within a third-party cloud storage service,” which usually means Amazon’s AWS. The story here seems to be that a token for the storage service was captured during the August compromise and is being used for more mischief right now. This raises some uncomfortable questions about how well LastPass understands what data was accessed in the previous breach. However, cleaning up after an incident is a complicated task, and it’s all too easy for a single AWS token to slip through the cleanup.
Another “legitimate” commercial spyware vendor
In the “Just what we needed” category, the latest report from Google’s Threat Analysis Group names Variston as a previously unknown player in the commercial malware game. Like NSO Group and others, Variston appears to have access to 0-day exploits across multiple devices and platforms.
A trio of bug reports were opened in the Chrome bug tracker, each containing a mature framework and exploit code for a serious bug. All of these were known and already-fixed bugs, but putting the clues together suggests they were used as 0-days by a vendor, likely Variston. It’s not uncommon for “legitimate” spyware authors like NSO Group, the NSA, and others to dutifully report bugs after exploiting them, or presumably after a target has discovered the exploit.
500 years later
There is a concept in cryptography that pretty much any encryption scheme is theoretically crackable given enough time and technological progress. As an example, consider the speed at which quantum computers are evolving and the predicted collapse of some classical cryptosystems. The philosophy that emerges from this reality is that crypto only needs to be strong enough that the secrets being protected will be completely obsolete by the time technology and computing power catch up. Which finally brings us to the story that Emperor Charles V got almost 500 years out of his cipher. Probably strong enough.
Turns out, this cipher had some clever elements, like multiple symbols that meant nothing at all, included just to make it harder to figure out. The real breakthrough was finding an encrypted text that had been loosely translated. That was enough to finally work out the basic rules. So what was in the central letter that was finally deciphered? Political maneuvering, fear of being murdered, and a fake-news conspiracy to downplay a backlash. Some things never change.
Font fingerprint
During the break, a Reddit post caught our attention: a user transferred money online from their bank in England to Kenya to pay for a trip. It was a legitimate transaction but triggered the bank’s fraud protection. Speaking to the fraud department, one of the possible fraud flags surprised the Redditor in question: you have TeamViewer installed on your machine.
Wait, now that’s a bit worrying: a website can see your list of installed programs? No, not directly. There is no web API to list applications, at least not since ActiveX died. However, a page can find out which fonts are installed. And since TeamViewer comes with its own font, it’s pretty easy to spot once it’s installed. And let’s face it, a remote-controlled desktop is a reasonable indicator of fraud in progress. So now you know: your fonts might just leave a fingerprint.
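To show how the font check above actually works, here is an added example (not code from the original post or the bank): a page cannot read the font list directly, but it can render a test string in a candidate font with a generic fallback and compare the width against the fallback alone; a different width means the candidate is installed. The measurement function is injected so the logic runs outside a browser, and the font name “ExampleRemoteTool Sans” is a constructed placeholder, not TeamViewer’s real font.

```javascript
// A string of wide and narrow glyphs amplifies width differences between fonts.
const TEST_STRING = "mmmmmmmmmmlli";
// Generic families used as fallbacks; a missing font falls back to one of these.
const FALLBACKS = ["monospace", "sans-serif", "serif"];

// measure(fontSpec) returns the rendered width of TEST_STRING for a CSS font spec.
function detectFonts(candidates, measure) {
  // Baseline widths: what each generic family renders when no custom font applies.
  const baseline = Object.fromEntries(FALLBACKS.map(f => [f, measure(`72px ${f}`)]));
  const installed = [];
  for (const font of candidates) {
    // If `font` is not installed, the browser silently uses the fallback and
    // the width equals the baseline for that fallback; any difference means
    // the candidate font really rendered the text.
    const differs = FALLBACKS.some(f => measure(`72px "${font}", ${f}`) !== baseline[f]);
    if (differs) installed.push(font);
  }
  return installed;
}

// In a real page this is the measurer: a 2D canvas context and measureText.
function makeCanvasMeasurer(doc) {
  const ctx = doc.createElement("canvas").getContext("2d");
  return fontSpec => {
    ctx.font = fontSpec;
    return ctx.measureText(TEST_STRING).width;
  };
}

// Constructed stand-in for a browser so the logic can run offline: fonts in
// `installedFonts` render at a distinct width, everything else gets the
// fallback width of its generic family.
function fakeMeasurer(installedFonts) {
  return fontSpec => {
    const m = fontSpec.match(/"([^"]+)"/);
    if (m && installedFonts.includes(m[1])) return 900;
    return fontSpec.includes("monospace") ? 1000 : 700;
  };
}
```

In a browser you would call `detectFonts(["ExampleRemoteTool Sans"], makeCanvasMeasurer(document))`; the fake measurer exists only so the same logic can be exercised without a DOM.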
Bits and Bytes
The Google Play Store threw out two moderately popular apps that spied on users’ SMS messages. The data collection was incidental; the real purpose was to activate fake accounts on various web services using the victims’ mobile phone numbers. Need a hundred Twitter accounts? Rent access to a hundred compromised phones and use their numbers for the activation flow.
Need to get something past a plagiarism checker? Just rot13 the text and swap the font! It’s a silly demonstration, but it actually works. Create your own font that changes the letter mapping, then apply the reverse mapping to the underlying text. To the human eye it’s the same, but to an automated tool it’s garbage. Save as a PDF and off you go. While bypassing a plagiarism filter is a bad idea, the trick could have other, more positive uses, like bypassing censorship.
Black Hat 2022 videos are available just three months later. There are some fun presentations here, like the Starlink hack, analyses of real-world malware campaigns, and lots of software being compromised. Enjoy!