Cybersecurity Roundup: May 15, 2018
This week: a branded bug appropriately named “efail,” a young hacker gets 14 felonies (but not an “A”) for changing his grades, a problem with Signal, John Bolton burns White House cybersecurity to the ground, a guy spoofs UPS with a change of address form, and much more…


Infosec gave them an “eff” in cybersecurity

When it comes to overhyping branded bugs these days, apparently old trash can make a really nice fire. Headlines and infosec Twitter erupted into pants-wetting panic early Monday morning as news outlets and the EFF trumpeted a flaw called “efail” and, though no one saw details relating to the research and alleged issues, they recommended everyone smash their computers with hammers and throw the remains under a steamroller to be safe.

To launch the hype, efail’s lead researcher tweeted (along with the bug’s branded name and cutesy logo) “We’ll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past.”

No one in infosec likes a tease when it comes to something as volatile as encryption; saying there are critical vulns in PGP/GPG and S/MIME while saying “stay tuned!” until Tuesday didn’t go over so well. Unfortunately, press ate it up, guided by the EFF’s synchronized-timed, hyperbolic posts and tweets urging everyone and their cat to disable PGP/GPG or S/MIME email altogether. Yes — they told everyone that using plaintext was safer. The message was sent, underscored by the EFF, that PGP was broken and everyone should stop using it.

It turned out that this was wrongheaded and fully bad advice. Kind of like embargoing a vuln disclosure, but let’s just scream into a pillow about one thing at a time.

(I mean, seriously: A branded bug, teasers with no details, claims of decrypted emails with no fix, and an embargo. This house was built out of kindling next to a volcano.)

The GnuPG team was livid, tweeting out a link detailing what was in the research (and essentially breaking the “embargo”), saying “Note that the GnuPG team was not contacted by them in advance.” Once the GnuPG team let the cat out of the bag with their post, efail’s researchers published the paper — and everyone got to see the details for themselves.

The actual problem (which has been a known issue since 2001) is in mail clients, not GPG, and executes through emails sent with HTML in them. The attacker must also already have access to a previously sent email. The “fix” for this is simply to use updated and authenticated mail clients, and not to enable HTML or remote content for your messages. Actual attackers said that as an attack, efail was not only easy to detect, “It’s intellectually neat, but operationally stupid.”
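The mitigation above boils down to one rule for a mail client: don’t let an HTML message trigger network fetches when it is rendered. The following is an added example written for this post (not code from the efail researchers, GnuPG, or any mail client) showing how a client-side check can find the markup that would cause such fetches and fall back to the text/plain alternative when it does. The sample message, the host names in it, and the function names are all constructed for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Anything starting with http(s): or a protocol-relative // is a remote fetch.
REMOTE_SCHEME = re.compile(r"^\s*(https?:|//)", re.IGNORECASE)

# tag -> attributes that a renderer fetches automatically (no click needed).
# Plain <a href> is deliberately absent: a link is only followed on click.
AUTO_FETCH = {
    "img": {"src"}, "link": {"href"}, "iframe": {"src"}, "script": {"src"},
    "video": {"src", "poster"}, "audio": {"src"}, "source": {"src"},
    "object": {"data"}, "embed": {"src"},
    "body": {"background"}, "table": {"background"}, "td": {"background"},
}
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]+)""", re.IGNORECASE)


class _RemoteRefCollector(HTMLParser):
    """Collects (tag, attribute, url) triples that would cause a fetch on render."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            name = name.lower()
            if name in AUTO_FETCH.get(tag, set()) and REMOTE_SCHEME.match(value):
                self.refs.append((tag, name, value))
            # Inline styles can also pull remote resources via url(...).
            if name == "style":
                for url in CSS_URL.findall(value):
                    if REMOTE_SCHEME.match(url):
                        self.refs.append((tag, "style-url", url))


def remote_references(raw_message: bytes):
    """Return every auto-fetched remote reference found in the HTML parts of a message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _RemoteRefCollector()
        collector.feed(part.get_content())
        findings.extend(collector.refs)
    return findings


def render_policy(raw_message: bytes) -> str:
    """Mitigation: if any HTML part would fetch remote content, show only the plaintext part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    if remote_references(raw_message):
        plain = msg.get_body(preferencelist=("plain",))
        return plain.get_content().strip() if plain is not None else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    return body.get_content().strip() if body is not None else ""


def constructed_sample() -> bytes:
    """A constructed multipart/alternative message (hosts and content are made up)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "reader@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plaintext alternative of the message.")
    msg.add_alternative(
        '<html><body style="background:url(https://cdn.example.test/bg.png)">'
        '<p>Hello</p><img src="https://tracker.example.test/pixel.gif">'
        '<a href="https://example.test/page">link</a></body></html>',
        subtype="html",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for tag, attr, url in remote_references(constructed_sample()):
        print(f"remote fetch via <{tag} {attr}>: {url}")
    print("rendered body:", render_policy(constructed_sample()))
```

On the constructed message the check flags the body’s inline style and the tracking image but not the clickable link, so the client falls back to the text/plain part. The same logic applies equally to a mail client that has just decrypted a PGP or S/MIME body: the decision to load remote resources is made after decryption, which is exactly the step the post says the vulnerable clients skipped.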

ProtonMail contextualized the technical issues to Salted Hash:

It’s important to highlight that eFail is not a new vulnerability in PGP and S/MIME. It has been known since 2001. The vulnerability exists in implementation errors in various PGP clients and not the protocol itself. What is newsworthy is that some clients that support PGP were not aware of this for 17 years and did not perform the appropriate mitigation. Users should be encouraged to use clients that are using secure implementations of PGP.

Overall, this center-stage circus of errors reputationally buggered end-to-end encrypted email services with something hard and sandpapery that is certain to chafe for the foreseeable future. Much work had to be done to soothe and educate users. Enigmail wrote, “… we’re working on an official statement. But to soothe some Enigmail users who are a little scared right now, I present the following email from Patrick, the lead dev on Enigmail. The only edit I’ve made to this section has been to remove a journalist’s name.”

ProtonMail tweeted, “Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the story to @EFF and mainstream media and getting an irresponsible recommendation published (disable PGP), ignoring the fact that many (Enigmail, etc) are already patched.”

A few articles about efail have been updated to add correcting information, but sadly, most mainstream sources of efail misinformation have not done so. Is that defensible? Not really.

Still, it’s entertaining to see just how much love is in the air when infosec and open source are in the same room together.


Class warfare

A 16-year-old Concord, California high school student was charged with 14 (!) felony counts after getting busted trying to do that thing every kid wants their hacker friend to do for them: change their grades. Maybe the sophomore at Ygnacio Valley High School shouldn’t have told ABC7 News “It was like stealing candy from a baby.”

According to ABC13:

It took Rotaro just five minutes to create a phishing email, which he sent out to school staff. Administrators were tipped off about two weeks ago when someone in the I.T. Department got that phishing email, but it went to spam.
Just in case, he asked all of the other teachers if they had gotten the same email. Only one admitted to opening it.
All he needed was one username and password. Rotaro raised and even dropped the grades of 10 to 15 people.

Once the jig was up, “Officers showed up at his home with a search warrant and the K-9 unit,” Gizmodo wrote, “and one of the police dogs — who is named Doug and is believed to be a good boy — was able to sniff out a flash drive stuffed in a tissue box.”


Burning questions

Believe it or not, Amazon is a popular place for people to grab burner phones for a variety of reasons. The main phone brand this group of discerning consumers prefers is Blu. Let’s just hope they’re aware of what led to the phone maker this week reaching a settlement with the US Federal Trade Commission over privacy practices.

“After security researchers discovered in 2016 that Blu’s phones were sending personal data — including text messages, contact lists and locations — to servers in China,” wrote CNET, “the Florida-based company said it would update the software to fix the “mistake.” Eight months later, the same security researchers found that Blu phones were still siphoning off the same data to Chinese servers.”

Under the new settlement, “Blu will also be required to undergo third-party checks every two years for the next 20 years. Blu and its president, Samuel Ohev-Zion, will also be prohibited from misleading the public about how it protects people’s privacy.”


More clickables:

Digital Photocopiers Loaded With Secrets “… from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders. On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid.” (CBS News)

Man Allegedly Used Change Of Address Form To Move UPS Headquarters To His Apartment “At first, the initials ‘HS’ were written on the signature line, but the initials were then scratched out and replaced with ‘UPS,’ according to the charges.” (NPR)

‘Disappearing’ Signal Messages Are Stored Indefinitely on Mac Hard Drives (Motherboard)

Russian operatives accessed voter databases, says Senate Intel Committee (SC Magazine; see also: What if Russian voter hacks were just part of its Facebook ad campaign? – Engadget)

Digital PTSD is real (The Outline)

Shades of Ajit Pai: The man who testified on behalf of Equifax, Facebook, and Uber will head the FTC’s consumer protection, as he embodies the literal opposite of what the bureau does, which is police those very companies. Industry Lawyer Expected to Head F.T.C. Consumer Protection (NYT)

Cops Can Find the Location of Any Phone in the Country in Seconds, and a Senator Wants to Know Why (Motherboard)

Bolton pushing to eliminate White House cyber job “National security adviser John Bolton is leading the push to abolish the role of special assistant to the president and cybersecurity coordinator.” (Politico)

Huge new Facebook data leak exposed intimate details of 3m users (New Scientist)

Possible Kaspersky sanctions meet resistance inside U.S. government (CyberScoop)


Thank you

Dear readers: Thank you for your time, attention, and support. This weekly brief wouldn’t be possible without your monthly subscription and the sharing you do on social media. Thank you, Thank you, thank you for making my work possible!

Subscribers have this (and all my Patreon posts) hand-delivered by cat angels to their inboxes the minute I hit “publish” and it’s totally recommended. If you’re not a patron, please consider a small donation to keep this indie female cybersecurity brief going. If you can’t afford it right now, please share this post on social media — every little bit of support, especially the kind that brings visibility, helps in substantial ways.