With Doug Aamoth and Paul Ducklin.
DOUG. More extortion scams, more crypto theft, and a bugfix for a bugfix.
All that and more on the Naked Security podcast.
[MUSICAL MODEM]
Welcome to the podcast, everybody.
I’m Doug Aamoth, and he’s Paul Ducklin.
Paul, how do you do?
DUCK. I’m super-duper, thanks, Douglas.
DOUG. We like to start the show with a little bit of tech history, and I’d like to remind you that this week, in 2007, the first generation iPhone was released in the United States.
At a time when most high-end phones were selling for $200 with a two-year wireless service contract, the iPhone started at $500 with a two-year contract.
It also sported a slower connection speed than many phones at the time, with 2.5G, or EDGE, versus 3G.
Nevertheless, two-and-a-half months after its launch, Apple had sold one million iPhones.
In the US alone.
DUCK. Yes, I’d forgotten that thorny detail of the 2-dot-5 EDGE!
I just remember thinking, “You can’t be serious?”
I was in Australia at the time, and they were *expensive*.
I think that was still the era when I was just hanging onto my EDGE device… I keep calling it a JAM JAR, but it was actually called a JASJAR or a JASJAM, or something.
One of those sliding-keyboard Windows CE devices.
I was the only person in the world that loved it… I figured, well, somebody has to.
You could write your own software for it – you just compiled the code and put it on there – so I remember thinking, this App Store thing, only 2.5G, super-expensive?
It will never catch on.
Well, the world has never been the same since, that’s for sure!
DOUG. It has not!
All right, speaking of the world not being the same, we’ve got more scams.
This one… why don’t I just read from the FTC about this scam?
The FTC (the Federal Trade Commission in the United States) says the criminals usually work something like this:
“A scammer poses as a potential romantic partner on an LGBTQ+ dating app, chats with you, quickly sends explicit photos, and asks for similar photos in return.
If you send photos, the blackmail starts.
They threaten to share your conversation and photos with your friends, family, or employer unless you pay, usually by gift card.
Other scammers threaten people who are closeted or not yet fully out as LGBTQ+. They may pressure you to pay up or be outed, claiming they’ll ruin your life by exposing explicit photos or conversations.
Whatever their angle, they’re after one thing: your money.”
Nice people here, right?
DUCK. Yes, this is really awful, isn’t it?
And what particularly struck me about this story is this…
A few years ago, the big thing of this sort, as you remember, was what became known as “sextortion” or “porn scamming”, where the crooks would say, “Hey, we’ve got some screenshots of you watching porn, and we turned on your webcam at the same time. We were able to do that because we implanted malware on your computer. Here’s some proof”, and they’ve got your phone number or your password or your home address.
They never show you the video, of course, because they don’t have it.
“Send us the money,” they say.
Exactly the same story, except that in that case we were able to go to people and say, “All a pack of lies, just ignore it.”
Sadly, this is exactly the opposite, isn’t it?
They *have* got the image… sadly, you sent it to them, maybe thinking, “Well, I’m sure I can trust this person.”
Or maybe they’ve just got the gift of the gab, and they talk you into it, in the same way as traditional romance scammers… they don’t want explicit images for blackmail, they want you to fall in love with them for the long term, so they can milk you for money for weeks, months, years even.
But it’s complicated that we have one kind of sexually-related extortion scam where we can tell people, “Don’t panic, they can’t blackmail you because they really don’t have the image”…
…and another example where, sadly, it’s exactly the other way round, because they do have the image.
But the one thing you should still not do is pay the money, because how do you ever know whether they will delete that image?
Even worse, how do you know, even if they really are – I can’t believe I’m going to use these words – “trustworthy crooks”?
Even if their intention is to delete the image, how do you know they haven’t had a data breach?
They may have lost the data already.
Because dishonour among thieves and crooks falling out with one another is common enough.
We saw that with the Conti ransomware gang… affiliates leaking a whole load of stuff because they’d fallen out with the people at the core of the group, apparently.
And many cybercrooks have poor operational security themselves.
There have been any number of cases in the past where crooks either ended up getting busted or ended up giving away the secrets of their malware because their systems, where they were supposedly keeping all the secrets, were wide open anyway.
DOUG. Yes.
At a very personal and uncertain time in people’s lives, of course, when they finally trusted someone they’ve never met… and then this happens.
So that’s one of our tips: Don’t pay the blackmail money.
Another tip: Consider using your favourite search engine for a reverse image search.
DUCK. Yes, lots of people recommend that for all sorts of scams.
It’s very common that the crooks will gain your trust by picking an online dating profile of someone that they’ve pre-judged you’ll probably like.
They go and find someone who actually might be a good match for you, they rip off that person’s profile, and they come steaming in, pretending to be that person.
Which gets them off to a good start when it comes to romantic machinations, doesn’t it?
And so, if you do a reverse image search and somebody else’s profile comes up: bingo! You’ve busted them!
The bad news is you can’t use that to prove anything about the people…
…in other words, if you do the reverse search and nothing comes up, it doesn’t mean that the person you’re speaking to necessarily is the original owner of that photograph.
However, we have had people on Naked Security commenting saying, “I got one of these; I did a reverse image search; it instantly came out in the wash. Reverse search worked really well for me.”
You might trip the crook up at the very, very first hurdle.
DOUG. Yes, I think I shared this in one of the first podcast episodes we did…
We were trying to rent a ski-house, and the place we were trying to rent looked a little too good to be true for the price.
And my wife called the person to ask them about it, and clearly woke somebody up in the middle of the night on the other side of the world.
As she was doing that, I dropped the picture into a reverse image search, and it was a Ritz Carlton Hotel in Denver or something like that.
It was not even close to the place we were trying to rent.
So this works beyond just romance scams – it works for anything that just smells kind of fishy, and has photos associated with it.
DUCK. Yes.
DOUG. OK. And then we have the tip: Be aware before you share.
DUCK. Yes, that’s one of our little jingles.
It’s easy to remember.
And, really, it’s not just true for these sexual extortion scams, although, as you say, it’s especially troubling and evil-sounding in such cases.
It’s absolutely true in all cases where there’s someone that you’re not sure about – don’t give out information, because you can’t get it back later.
Once you’ve handed over the data, then you don’t just have to trust them… you have to trust their computer, their own attitude to cybersecurity and everything.
DOUG. That dovetails nicely with our next tip, which is: If in doubt, don’t give it out.
DUCK. Yes, I know some people say, “Oh, well, that sounds like you’re victim blaming.”
But once you hand out your data, you can *ask* for it back, but you can’t really do much more than that.
It’s trivial to share stuff, but it’s as good as impossible to call it back afterwards.
DOUG. OK, then we’ve got some resources in the article about how to report such scams based on the country that you live in, which is pretty helpful.
DUCK. Yes, we put in online fraud reporting URLs for: the United States, the UK, the European Union, Canada, Australia and New Zealand.
The US one is https://reportfraud.ftc.gov.
And the FTC, of course, is really the consumer rights body in the United States.
I was very pleasantly surprised with that site – I found it very easy to navigate.
You can put in as much or as little information as you want.
Obviously, if you want to keep up with a case later, then you’re going to have to share information that allows them to contact you back – in other words, it would be difficult to remain completely anonymous.
But if you just want to say, “Look, I’ve got this scam, I must be one of a million people”…
…if nobody says anything, then essentially, statistically, nothing happened.
You can report things and just say, “I got this URL, I got this phone number, I got this information,” whatever it is, and you can provide as much or as little as you want.
And although it sometimes feels like reporting this stuff probably doesn’t make a difference – because obviously if you don’t give your email address and your contact details, you won’t get any reply to say whether it was useful or not – you just have to take it on faith.
And my opinion is: I don’t see how it can possibly do any harm, and it might do a little bit of good.
It might help the authorities to build a case against somebody where, without multiple corroborating reports, they might have found it very difficult to get to the legal standard they needed to actually do something about what’s a really nasty crime.
DOUG. OK, that’s: “FTC warns of LGBTQ+ extortion scams: Be aware before you share” on nakedsecurity.sophos.com.
And speaking of being aware, when are we going to have one week where we’re not aware of some sort of crypto theft?
Another $100 million vanished into thin air, Paul!
DUCK. I didn’t realise that was a rhetorical question.
I was about to chime in and say, “Not this week, Doug.”
Actually, when you look at the current exchange rate of US dollar to Ether, I wonder if this one was even worth writing about, Doug.
It was not quite $100 million… It was, “I don’t know, $80 million, $90 million – it’s almost not worth getting out of bed to write about,” he said very cynically.
Yes, this was yet another decentralised finance, or DeFi, company catastrophe.
You wouldn’t know it to visit their website.
The company is called Harmony – they’re basically a blockchain smart contract company… you visit the website, and it’s still full of how great they are.
If you go to their official blog from their website, there’s a story on there which is “Lost Funds Investigation Report”.
But that’s not *these* lost funds; that’s *those* lost funds.
That’s from back in January… I think it was “only” something like a $5 million hack, maybe even less, Doug, that somebody made off with.
And that’s the last story on their blog.
They do have information on Twitter about it, to be fair, and they have published a blog article somewhere on Medium.com which details what little they seem to know.
It sounds like they had a whole lot of funds that were locked up centrally, funds needed to make the wheels work, and to allow those things to be moved in and out, they were using what’s called a “multi-signature” or “multisig” approach.
One private key wouldn’t be enough to authorise moving out any of these particular funds.
There were five people who were authorised, and two of them had to come in together, and apparently each private key was stored sort-of split in half.
The person had a password to unlock it, and they needed to get some key material from a key server, and apparently each private key was on a different key server.
So, we don’t know how it happened… did somebody collude? Or did somebody just think they’d be really clever and say, “Hey, I’ll share my key with you, and you share your key with me, just in case, as extra backup?”
Anyway, the crooks managed to get two private keys, not one, so they were able to pretend to be more than one person, and they were able to unlock this huge amount of funds and transfer it to themselves.
And that added up to some $80 million-plus US dollars worth of Ether.
And then, it seems, that Harmony, like they did back in January when they had the previous scam… they did what everybody’s doing these days.
“Dear Mr. White Hat, dear Lovely Crook, if you send the funds back, we’ll write it up as a bug bounty. We’ll rewrite history, and we’ll try not to let you get prosecuted. And we’ll say it was all in the name of research, but please give us our money back.”
And you think, “Oh, golly, that smacks of desperation,” but I guess that’s all they’ve got to try.
DOUG. And I like that they’re offering 1% of what was stolen.
And then the icing on the cake is they’ll “advocate for no criminal charges” when funds are returned, which seems hard to guarantee.
DUCK. Yes, I guess that’s all they can say, right?
Well, certainly in England, you can have things called private prosecutions – they don’t have to be brought by the state.
So you could do a criminal prosecution as a private individual, or as a charity, or as a public body, if the state doesn’t want to prosecute.
But you don’t get the opposite, where you’re the victim of a crime and you say, “Oh, I know that guy. He was drunk out of his mind. He crashed into my car, but he repaired it. Don’t prosecute him.”
The state will probably go, “You know what? It’s actually not up to you.”
Anyway, it doesn’t seem to have worked.
Whoever it was has already transferred something like 17,000 Ether (something just shy of $20 million US, I think) out of the account where they’d originally collected the stuff.
So, it’s looking as if this is all going down the gurgler. [LAUGHS]
I don’t know why I’m laughing, Doug.
DOUG. This just keeps happening!
There’s got to be a better way to lock down these accounts.
So, they’ve gone from two parties having to co-sign to four parties.
Now, does that fix this problem, or will this keep happening?
DUCK. “Hey, two wasn’t enough. We’ll go to four.”
Well, I don’t know… does that make it better, or the same, or worse?
The point is, it depends on how the crooks, and why the crooks, were able to get those two keys.
Did they just target the five people and they got lucky with two of them and failed with three, in which case you can argue that making it four-out-of-five instead of two-out-of-five will raise the bar a bit further?
But what if the system itself, the way that they’ve actually orchestrated the keys, was the reason the crooks got two of them… what if there was a single point of failure for any number of keys?
And that’s just what we don’t know, so just going from two to four… It doesn’t necessarily solve the problem.
In exactly the same way that if someone steals your phone and they guess your lock code and you’ve got six digits, you think, “I know, I’m going to go to a ten-digit lock code. That will be much more secure!”
But if the reason the crooks got your lock code is that you have a habit of writing it down on a piece of paper and leaving it in your mailbox just in case you’re locked out of your house… they’ll go back and get the ten-digit, the 20-digit, the 5000-digit lock code.
DOUG. All right, well, we’ll keep an eye on that.
And something tells me this won’t be the last of these stories.
This is called: “Harmony blockchain loses nearly $100 million due to hacked private keys,” on nakedsecurity.sophos.com.
And now we’ve got a bugfix for a bugfix in OpenSSL.
DUCK. Yes, we’ve spoken about OpenSSL several times on the podcast, mainly because it’s one of the most popular third-party cryptographic libraries out there.
So, lots of software uses it.
And the problem is that when it has a bug, there are loads of operating systems (particularly lots of Linux is shipped with it) that need to update.
And even on platforms that have their own separate cryptographic libraries, like the Windows and the macOS systems of the world, you may have apps that still bring along their own copy of OpenSSL, either compiled in or brought along into the application folder.
You need to go and update those, too.
Now, fortunately, this isn’t a super-dangerous bug, but it’s kind of an annoying sort of bug that’s a great reminder to software developers that sometimes the devil’s in the details that surround the trophy code.
This bug is another version of the bug that was fixed in the previous bugfix – it’s actually in a script that ships along with OpenSSL, that some operating systems use, that creates a special searchable hash, an index, of system “certificate authority” certificates.
So it’s a special script you run called c_rehash, short for “certificate rehash”.
And it takes a directory with a list of certificates that have the names of the people who issued them and converts it into a list based on hashes, which is very convenient for searching and indexing.
So, some operating systems run this script regularly as a convenience.
And it turned out that if you could create a certificate with a weird name with magic special characters in it, just like the “dollar-sign round brackets” in Follina or the “dollar-sign squiggly brackets” in Log4Shell… basically they’d take the file name off disk, and they’d use it blindly as a command shell command line argument.
Anybody who’s written Unix shell commands, or Windows shell commands, knows that some characters have special superpowers, like “dollar-sign round brackets”, and the “greater than” sign, which overwrites files, and the “pipe” character, which says to send the output into another command and run it.
So it was, if you like, poor attention to detail in an ancillary script that isn’t really part of the cryptographic library.
Basically, this is just a script that many people probably never thought about, but it was delivered by OpenSSL; packaged in with it in many operating systems; popped into a system location where it became executable; and used by the system for what you might call “useful cryptographic housekeeping”.
So the version you want is 3.0.4, or 1.1.1p (P-for-Papa).
But having said that, while we’re recording this, there’s a huge fuss going on about the need for OpenSSL 3.0.5, a totally different bug – a buffer overflow in some special accelerated RSA cryptographic calculations, which is probably going to need fixing.
So, by the time you hear this, if you’re using OpenSSL 3, there may be yet another update!
The good side, I suppose, Doug, is that when these things do get noticed, the OpenSSL team do seem to get onto the problem and push out patches pretty quickly.
DOUG. Great.
We’ll keep an eye on that, and keep an eye out for 3.0.5.
DUCK. Yes!
Just to be clear, when 3.0.5 comes out, there won’t be a corresponding 1.1.1q (Q-for-Quebec), because this bug is in new code that was introduced in OpenSSL 3.
And if you’re wondering… just like the iPhone never had an iPhone 2, there was no OpenSSL 2.
DOUG. OK, we’ve got some advice, starting with: Update OpenSSL as soon as you can, obviously.
DUCK. Yes.
Even though this isn’t in the cryptographic library but in a script, you might as well update, because if your operating system has the OpenSSL package, this buggy script will almost certainly be in it.
And it’ll probably be installed where somebody with your worst interests at heart could probably get at it, possibly even remotely, if they really wanted to.
DOUG. OK, with that: Consider retiring the c_rehash utility if you’re using it.
DUCK. Yes, that c_rehash is actually a legacy Perl script that runs other programs insecurely.
You can now actually use a built-in part of the OpenSSL app itself: openssl rehash.
If you want to know more about that, you can just type openssl rehash -help.
DOUG. All right.
And then, we’ve said this time and time again: Sanitise your inputs and outputs.
DUCK. Absolutely.
Never assume that input that you get from someone else is safe to use just as you received it.
And when you’ve processed data that you received from elsewhere, or that you’ve read in from somewhere else, and you’re going to hand it on to someone else, do the decent thing and check that you’re not passing them dud information first.
Obviously, you’d hope that they’d check their inputs, but if you check your outputs as well, then it just makes assurance double sure!
DOUG. OK. And then finally: Be vigilant for multiple errors when reviewing code for specific types of bug.
DUCK. Yes, I thought that was worth reminding people about.
Because there was one bug, where Perl performed what’s called command substitution, which says, “Run this external command with these arguments, get the output, and use the output as part of the new command.”
It was in sending the arguments to that command that something went wrong, and that was patched: a special function was written that checked the inputs properly.
But it seems that nobody went through really carefully and said, “Did the person who wrote this utility originally use a similar programmatic trick elsewhere?”
In other words, maybe they shell out to a system function elsewhere in the same code… and if you looked more carefully, you’d have found it.
There’s a place where they do a hash calculation using an external program, and there’s a place where they do file copying using an external function.
One had been checked and fixed, but the other had not been found.
DOUG. All right, good advice!
That article is called: “OpenSSL issues a bugfix for the previous bugfix,” on nakedsecurity.sophos.com.
And, as the sun slowly begins to set on our show for today, let’s hear from one of our readers on the OpenSSL article we just discussed.
Reader Larry links to an XKCD web comic called Exploits of a Mom… I implore you to go and find it.
I realise that me trying to verbally explain a web comic is not really great fodder for a podcast, so go to https://xkcd.com/327 and see it yourself.
DUCK. All you need to do, Doug, because many listeners will have thought, “I’m really hoping that someone would comment on this”… I was!
It’s the one about Little Bobby Tables!
DOUG. All right…
DUCK. It’s become a kind of internet meme in its own right.
DOUG. The scene opens up.
A mom gets a phone call from her son’s school that says, “Hi, this is your son’s school. We’re having some computer trouble.”
And she says, “Oh, dear, did he break something?”
And they say, “In a way. Did you really name your son Robert'); DROP TABLE Students;--?”
“Oh, yes. Little Bobby Tables, we call him.”
And they say, “Well, we’ve lost this year’s student records. I hope you’re happy.”
And she says, “And I hope you’ve learned to sanitize your database inputs.”
Perfect.
DUCK. A little bit of a naughty mum… remember, we’re saying sanitize your inputs *and your outputs*, so don’t go out of your way to trigger bugs just to be a smarty-pants.
But she’s right.
They shouldn’t just take any old data that they’re given, make up a command string with it, and assume that it’ll all be fine.
Because not everybody plays by the rules.
DOUG. That’s from 2007, and it still holds up!
If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.
You can email tips@sophos.com; you can comment on any one of our articles; or you can hit us up on social: @nakedsecurity.
That’s our show for today.
Thanks very much for listening… for Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…
BOTH. …stay secure!
[MUSICAL MODEM]