Category Archives: Privacy Advice

EA Resolves Origin Login Vulnerablities

Last Thursday, security firms CheckPoint Software and CyberInt disclosed details of a collection of vulnerabilities found within the login process of the Origin online gaming platform operated by Electronic Arts. They worked with EA to resolve them.

TL DR: EA Origin users should enable 2 factor authentication (see this link for details) and only use the official Origin website to download or purchase games. Also, please make certain the version of the Origin client you are using is the most up to date; version 10.5.38 for PC adds additional security measures. Finally; always be cautious when receiving links from unknown sources:

How could have attackers exploited these vulnerabilities?
EA use Microsoft’s Azure to provide global access to for players to games, allowing the purchase of games and to access their Origin social network. The chain of vulnerabilities did not require the user to hand over any login details but instead made use of authentication tokens, oAuth single sign-on (SSO) and the TRUST mechanism used during the login process. Definitions of these terms are provided in the glossary below.

Various services offered by EA are each present on a separate sub-domain e.g. eaplayinvite.com But the researchers found one which no longer pointed to the correct DNS record ea-invite-reg-azurewebsites.net With an empty domain name now known the researchers purchased it.

Due to some issues discovered by the researchers within the TRUST login mechanism; they re-directed where the SSO token pointed to; namely their newly acquired domain. With this accomplished the researchers could access an Origin account of their choice and the data it contains and could buy games but charge the original user of the account for these purchases.

What can we learn from this disclosure?
For online accounts operated by corporations; they need to carry out validation checks on the login pages their users interact with. The domains used by their services should also be checked to make certain they don’t contain now unused domains.

For the users of these services; enabling two-factor authentication will mean new devices accessing an account will be prompted for a security code an attacker will not have access to. Parents and children should be aware that cyber criminals will attempt to trick them with legitimate looking links. Please only access the official pages by typing the address into your browsers address bar (or make use of a saved known safe bookmark).

Thank you.

=======================
Glossary:
=======================
Authentication Token:
=======================
After a user logs in using their username and password; the current logged in user and various attributes of your account e.g. what type of content they can access are stored within a token (e.g. a JSON web token) in encrypted form and then sent to the client (the device the user is accessing the service from). The token (similar to ID/access card) is stored on the client device and can be presented at any time to the server replacing the need to enter a username and password to verify the user’s identity. The server will validate the token before granting the user access to the requested service.

=======================
Single sign-on:
=======================
When a user logs onto a device or service; their identity can be validated using a username and password and possibly another factor of authentication e.g. a code sent to their phone or email address. Once validated; the user is provided with a token which can be shared with a central user authentication service known as single sign-on. This service can then act on the user’s behalf authenticating them to multiple services or applications without the need to request further usernames or passwords. Online examples would Google or Facebook accounts used to log into other accounts/services using the same already entered credentials.

=======================

NoScript Extension Made Available for Google Chrome

In early April the very well-known Firefox extension NoScript became available for Google Chrome. This extension should still be considered beta as detailed in this ZDNet article but it’s fast approaching a stable status expected later this month.

This extension helps to reduce the attack surface of your web browser by only executing (allowing to run) JavaScript (defined) for the websites that you have allowed. This reduces the possibility of exploitation of vulnerabilities and reduces/eliminated online adverts. Unfortunately, due to limitations within Chrome; the anti-XSS (cross site scripting)(defined) filter of NoScript cannot be implemented at this time). Further background on NoScript is available from here.

Thank you.

Blog Post Shout Out March 2019

TL DR: If a device that stores your personal information has reached the end of it’s life, please strongly consider erasing it correctly before recycling or disposing of it.

A security researcher from Rapid7 purchased 85 used pieces of technology to check them for data left behind by their previous owners. 80 of the devices had data still remaining on them.

He was able to uncover the following:

  • 214,019 images, 3,406 documents and 148,903 email messages
  • 611 email addresses, 50 dates of birth, 41 Social Security numbers, 19 credit-card numbers, six driver’s license numbers and two passport numbers.

For these reasons I wanted to provide a respectful shout out to the following blog post by Josh Frantz of Rapid7:

https://blog.rapid7.com/2019/03/19/buy-one-device-get-data-free-private-information-remains-on-donated-devices/

When our devices have reached the end of their useful life we need to become better at removing our data from them. Please find below recommended guides for Apple iPhones, Google Android device and hard disks (both RAID and simple disk set ups). My thanks to Mr. Josh Frantz for collecting these links within his post.

Thank you.

====================
Apple iPhone:
https://support.apple.com/en-us/HT201351

Google Android:
https://www.greenbot.com/article/2451612/how-to-properly-and-securely-erase-your-android-device.html

Hard disks (typically how they are set up):
https://www.lifewire.com/how-to-erase-a-hard-drive-using-dban-2619148

Hard disks (when used in a RAID configuration):
https://linhost.info/2010/06/parted-magic-erase-a-hard-drive/
====================

PortSmash Vulnerability: What you need to know

Security researchers have released details of a new side channel attack known as “PortSmash” that can be used to steal information from processes running inside a computer systems CPU (defined)) when Intel Hyperthreading (HT)(defined here and here) is enabled. Their proof of concept allowed them to steal a private decryption from a thread running in the same core as their exploit. This thread belonged to an OpenSSL process.

How severe is this vulnerability?
It has been designated as CVE-2018-5407 and assigned a base score of 4.8 (medium severity) on the CVSS v3 scale (defined) with a high attack complexity and with only low privileges required. The attack cannot be exploited remotely. An attacker must have been able to compromise your system via another means most likely a phishing email (social engineering)(phishing: defined; social engineering: defined), accidentally clicking a malicious link or a drive by download (defined). The attacker will also still need to have their code running within the same core as the data/code they wish to obtain. Similar to Spectre; multi-tenant cloud environments are more at risk.

Red Hat’s security advisory states “In order to exploit this flaw, the attacker needs to run a malicious process on the same core of the processor as the victim process”. PortSmash is fundamentally different from Meltdown and Spectre vulnerabilities; it does not rely on speculative execution.

Collin Percival, a Computer Scientist summed up the attack as follows:

“I’ve been getting a few questions about the recent “PortSmash” vulnerability announcement. Short answer: This is not something you need to worry about. If your code is vulnerable to it, you were already vulnerable to other (easier) attacks.

He advises that users don’t need to worry about it and states: “the defence against microarchitectural side channel attacks from 2005: Make sure that the cryptographic key you’re using does not affect the sequence of instructions or memory accesses performed by your code”.

How does this vulnerability work?
When a thread (defined) is carrying out some work it has its own instructions (what to do) and data (the objects to work on) but it will share some of its hardware resources with another process operating on a collocated thread.

The attackers can obtain information about the decryption key by analysing how fast the (process) thread within the CPU is operating with particular assembly language (defined) instructions and uses that information to work backwards (reverse engineering) on what possible data was used as the input to achieve this data now being processed. In this case the data is a private decryption key (defined).

Explained another way: This attack uses instruction timing (how long it takes to process) based on port contention. Each core of a CPU has physical regions known as ports which carry out the necessary calculations. If two or more threads are processing at the same they may have to wait on each other to use those regions of the CPU.

PortSmash seeks to monopolise a port which is being shared with a thread with information the attack wishes to obtain. They can measure the time taken between instructions of the attackers thread and the legitimate thread (thus determining how long the legitimate thread spend processing). This will help to obtain the data being processed over a long period of time

PortSmash is a side channel attack meaning that the attacker doesn’t immediately find out the protected/secret value immediately; instead the attack seeks out information from the other thread running within the CPU for information on the secret value being processed.

The proof of concept code targeted OpenSSL but is not limited to just that software. OpenSSL was targeted due to the researcher’s familiarity with the OpenSSL code.

What CPUs are affected by this vulnerability?
The researchers verified that this vulnerability is present on Intel Skylake CPUs (6th generation Core models e.g. i7 6700K). However any Intel CPU which implements HT is likely to have this vulnerability. Intel’s Nehalem architecture first introduced HT in 2008. The researchers believe AMD Ryzen CPUs may be affected but did not confirm this.

How can I protect myself from this vulnerability?
OpenSSL have added a fix to version 1.1.1 and older versions greater than version 1.1.0i (Source)

However the only true means of mitigating this vulnerability for all software is to disable Intel’s HT. The operating system distribution OpenBSD has done so since June this year. Similarly Intel within their new 9th generation Core CPUs disabled HT to enable hardware protections against the Meltdown, Spectre and L1 Terminal Fault vulnerabilities. They did so to their gaming focused CPUs since many games don’t leverage HT and thus don’t suffer a performance penalty from not using it. It doesn’t appear that HT was removed for security concerns since the Core i9 9900K still features it.

Since corporate organizations may have invested in software that uses HT; they should only consider turning it off if continuing to use it places them at a high risk of exploitation and would place them outside of what they consider an acceptable risk. They will then need to consider the performance/security trade-off of doing so.

If you use Intel HT I would recommend testing your own software with this feature turned off to tell if it has too much of a performance penalty for your particular use cases. From researching this it is not a straightforward answer of turning it off and definitely not experiencing any slowdown; it may or may not happen depending on how you use your system and the software you use.

I have provided links to definitions of HT above and some references below which may assist you in making a decision to disable or leave it enabled. That research also pointed out that if you wish to disable HT; please do so from the BIOS (defined) of your computing system since it will have a blanket disablement across all software and your operating system. A software disablement can work but disabling via the BIOS leaves less room for error. Please refer to your system manufacturer or motherboard user guide for the steps to enter the BIOS of the system and disable this feature.

As more details of this vulnerability emerge I will consider disabling this feature on my water cooled Intel Core i9 7980XE CPU. Windows detects it with 36 logical cores; with HT disabled it will “drop” to 18 physical cores. I’ll need to evaluate the performance impact (if any) for my particular use cases. Given the attacker will need to already have compromised my system and the attack is of high complexity; it’s less likely I will need to disable HT. My existing security controls are more than enough to mitigate this risk; but your system, configuration and risk appetite may be different.

Thank you.

==============

References:

Why You Disable Hyper-Threading or NOT, and How to Know the Difference

https://bitsum.com/tips-and-tweaks/why-you-should-not-disable-hyper-threading-or-why-you-should/

Nehalem – Everything You Need to Know about Intel’s New Architecture

Source: https://www.anandtech.com/show/2594/8

 

Performance-impact of Hyper-Threading:

https://superuser.com/questions/1166529/performance-impact-of-hyper-threading

 

Is Hyper-Threading a Fundamental Security Risk?

https://www.extremetech.com/computing/276138-is-hyper-threading-a-fundamental-security-risk

Why does disabling hyperthreading supposedly give better gaming performance? (This is again a gaming focused discussion but would be relevant for software that does not use HT):

https://www.reddit.com/r/pcgaming/comments/2hti6m/why_does_disabling_hyperthreading_supposedly_give/

 

Why on earth would you disable Hyperthreading? (This is a more gaming focused discussion but would be relevant for software that does not use HT. Please ignore the advert spam posts for software named CPUCores, it’s confirmedsnake oil”):

https://steamcommunity.com/app/384300/discussions/0/530646080862961117/

==============

Google Responds Positively to Privacy related Feedback

It’s been a while since I covered potential privacy concerns on this blog. Google Chrome is my browser of choice so I read with interest when a tweet from the cryptographer Matthew Green (who I have discussed before on this blog) early this week gained the attention of Google stating that it appeared the browser was violating your privacy by performing un-authorised authentication with Google via the Sign-in feature of Chrome even when you were simply accessing your Google account within a webpage e.g. signing into Gmail or YouTube.

Google were swift to confirm this was not the case but this clarification was not backed up by the user interface of Chrome.

Later this week, Chrome was in the headlines again for not clearing all of the cookies it stores even when you specifically asked it to. Some Google cookies were being left behind or being removed and then quickly replaced the next time you login into a Google service.

The above potentially negative headlines resulted in Google making changes to the upcoming Google Chrome version 70 to resolve/clarify these points for users e.g. by adding a “Allow Chrome-sing-in” setting. Clearer status indicators of when you are logged in and whether data syncing is enabled will also be present. All cookies will also be deleted.

At this time it’s unclear whether these changes will be enough to convince Matthew Green to return to using Google Chrome or not.

These changes are good for Chrome and help to increase it’s trust/transparency. I’m staying with it for this reason. I realise no browser is perfect but we should all try to use the browser most suited to our preferences.

The above privacy settings serve to remind us that we should be aware of the data our browsers are potentially sending about us and provide our feedback when we feel it’s not in our best interests / or if it’s too much privacy to give away simply to use your web browser. As you can see; vendors are sometimes compelled to improve the situation. Google has also requested that feedback continue to be provided to them.

Thank you.

Blog Post Shout Out: June 2018

A number of varied security issues have come to my attention this week which I wanted to keep you informed of. I will provide a respectable shout out to the following sources:

Apple Encrypted Drive Information Disclosure:
At this time Apple macOS has an information disclosure vulnerability that affects encrypted drives in general (encrypted Apple HFS+ / APFS+ and VeraCrypt) that provide the potential for an attacker to obtain details of the files an encrypted hard drive is storing.

This vulnerability originates from the quick look feature of macOS; which allows a user to preview photos, files and folders quickly without having to open them. This feature stores the thumbnails (defined) of the files centrally in a non-encrypted area of the hard disk. This issue can also occur when a USB memory drive is inserted; the same feature stores thumbnails on the external drive and on the boot drive of the macOS system.

If you use an encrypted hard disk or value your privacy when using external drives, please run the following command documented at the end of the following news article after you have viewed sensitive info and want to clear that history/activity:

macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives: BleepingComputer by Catalin Cimpanu

This suggestion is a workaround until (and if) Apple patches this.

=================
Yubico WebUSB Bypass:
The two-factor authentication/secure login vendor, Yubico has published a security advisory for the use of their YubiKeys. The vulnerability does not reside within the hardware keys themselves but in the authentication steps a web browser (e.g. Google Chrome) uses to authenticate an individual.

In summary, if you are using Google Chrome, please ensure it is updated to version 67 or later and follow the additional suggestion from Yubico in their security advisory:

Security Advisory 2018-03-02 – WebUSB Bypass of U2F Phishing Protection: Yubico

Windows 10 Persistent Malware:
The security vendor BitDefender have published a 104 page report detailing a spyware (defined) which uses rootkit functionality (defined). This malware is noteworthy due to its longevity (dating back to 2012) and it’s ability to install even on modern versions of Windows e.g. Windows 10:

Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation: BitDefenders Labs

=================
On a side note I am not too surprised this infection can persist on Windows 10. If a user is tricked into running malware e.g. by clicking a link or opening an attachment either of which can be contained in  a phishing (defined) email or an even more convincing spear phishing (defined) email from an organization or colleague you trust; strong defences won’t always keep you from becoming infected.

The BitDefender report can be downloaded from the above link (it does not request any personal information).

=================
The following news article links to 2 detailed but still easy to follow removal guides. If you are experiencing un-wanted adverts showing within websites that don’t usually show them (even though you are using an ad blocker) or are experiencing re-directs namely you wish to visit website A but are actually sent to website B, please follow these guides to remove this malware:

Rootkit-Based Adware Wreaks Havoc Among Windows 10 Users in the US: BleepingComputer: by Catalin Cimpanu
=================

Thank you.

Blog Post Shout Out: Security Advice for Summer Holidays/Travel

With the Summer holiday season approaching I wanted to provide a respectful shout out to the following security tips/articles while travelling. Even when we are out of the office and our homes; we should maintain vigilance to stay secure and safe.

Many of these tips you may already be using and many of them are simple to use but can make a real difference to ensure your time away runs smoothly and with no unwanted surprises when you return back home:

Tips such as being mindful before using a public charging station I have discussed before but these series of tips group them together for ease of use and convenience.

Some of the most important tips are:

  • Ensuring your portable devices are encrypted
  • Portable devise are carried with you or safely locked away
  • Ensure you changes passwords (from a system you own) after you have used a publically available computer
  • Enabling two factor authentication (more on this below)
  • Not making it obvious you have expensive devices with you (the tips from the US CERT below will clarify this advice)

Securing Mobile Devices During Summer Travel: US CERT
Holiday Traveling with Personal Internet-Enabled Devices: US CERT
Protecting Portable Devices: Physical Security: US CERT
International Mobile Safety Tips: US CERT
Cybersecurity for Electronic Devices: US CERT

====================
How to set up 2FA on eBay – go do it now!: Sophos Naked Security blog: by Maria Varmazis
Enabling 2FA for any online account is a great security measure and will be particularly useful when travelling to provide that every layer of security.
====================

How digital spring cleaning can protect your personal information: WMBF News: Christina Lob
Digital spring cleaning involves (among other steps) removing apps from your smartphones/tablets/computer systems that you don’t use. This enhances security since there will be less for attackers to target in terms of software vulnerabilities (reduced attack surface (defined) and the personal information these apps may store or provide access to. It will make it easier for you to maintain the device while travelling since there will fewer apps to update and the device will have more free space should you need it.

When you are back home; this spring cleaning advices further steps e.g. regularly checking your bank account and credit cards for signs of unusual or unknown transactions and reporting them as soon as possible. This is a good practice just in case any of your cards were unknowingly compromised while abroad.

For the final tips this article describes; I wanted to provide clarification:

Clearing out email inboxes is a good idea but will only enhance security if your account was compromised or you are being shoulder surfed by those around you; if you are following password and email best practices this shouldn’t happen.

Its advice on passwords could be better (this advice from Sophos is more secure) and emptying recycle bins while useful doesn’t truly delete data beyond recovery.

Thank you.