GitHub Takes Aim at Open Source Software Vulnerabilities

WIRED

Illustration: WIRED Staff; Getty Images

Open source software has the potential to be very secure. Unlike proprietary code that can only be accessed directly by its own developers, anyone can vet open source projects to spot flaws and bugs. In practice, though, being open source is no panacea. Now, code repository GitHub is rolling out new tools for its GitHub Advanced Security suite that will make it easier to root out vulnerabilities in the open source projects managed on its platform.

Open source code presents a few security challenges. In practice there aren’t always enough people with the right expertise looking at it. And open source projects are generally ad hoc; they don’t necessarily have a clear process in place for people to submit vulnerabilities, or the resources available for someone to patch them. Even if you surmount those hurdles, you may not know who’s actually using your open source code and needs a patch.

“A lot of what we talk about is there’s a vulnerability, what’s the workflow for that vulnerability, now it gets addressed,” says Jamie Cool, vice president of product for security for Microsoft-owned GitHub. “But the nirvana is you don’t introduce the vulnerability to begin with. You stop it from ever showing up. It really seems like this is a problem we should be able to help developers not introduce again and again, but by and large we haven’t succeeded at that as a software industry yet.”

In September, GitHub acquired the code scanning tool Semmle as part of a plan to help the GitHub community catch common security flaws automatically. Advanced Security includes this service, calling out which line of code contains a potential vulnerability, why it might be exploitable, and how to fix it. In addition to this automatic scanning, Semmle’s technology can also be used manually by security researchers. GitHub’s goal is to use Advanced Security as both a warning system for developers and a built-in framework for bug hunters to find and report additional issues.

GitHub Advanced Security also includes tools that scan user repositories, essentially the folder where they store their development projects, for secret data like passwords and private keys that shouldn’t be exposed and accessible. GitHub works with a number of partners, including Amazon Web Services and Alibaba, to understand the characteristics of their authentication tokens and spot them automatically. The feature has already been available to public repositories for a couple of years, but today GitHub is also adding support to scan private repositories as well. GitHub says that eight percent of active public repositories had a secret exposed in them during the last month alone.
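The secret scanning described above matches the known shape of partner tokens and flags them before they spread. The following is an added illustration, not GitHub’s code or its partner-supplied rules: a small pre-commit-style scanner with two rules shaped after publicly documented formats (AWS access key IDs and PEM private key headers), run over a constructed config file, and masking each hit so the CI log does not leak the secret a second time.

```python
import re
from typing import Dict, List, Pattern

# Detection rules shaped after publicly documented token formats
# (assumption: illustrative rules, not GitHub's partner-provided ones).
SECRET_RULES: Dict[str, Pattern[str]] = {
    # AWS access key IDs: 'AKIA' (long-term) or 'ASIA' (temporary) + 16 chars
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM-encoded private key header for the common key types
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}


def mask(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix so a finding does not re-leak the value."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(text: str, source: str = "<memory>") -> List[dict]:
    """Return one finding per (line, rule) hit; matched values are masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_RULES.items():
            m = pattern.search(line)
            if m:
                findings.append({"source": source, "line": lineno,
                                 "rule": rule, "match": mask(m.group(0))})
    return findings


# Constructed sample: a deploy config accidentally staged for commit.
# The key ID is a made-up value of the right shape, not a real credential.
SAMPLE_CONFIG = """\
# deploy settings
region = us-east-1
AWS_ACCESS_KEY_ID = AKIATESTTESTTESTTEST
db_host = db.internal
-----BEGIN RSA PRIVATE KEY-----
(key body omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "deploy.cfg"):
        print(f"{f['source']}:{f['line']} {f['rule']} {f['match']}")
```

Wiring this into a pre-commit hook and failing the commit when `scan_text` returns anything is the “never introduce it” workflow Cool describes; scanning existing history is the other half of the job.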

Full article

India’s Covid-19 Contact Tracing App Could Leak Patient Locations

WIRED

Photograph: Nitin Kanotra/Hindustan Times/Getty Images

As countries around the world rush to build smartphone apps that can help track the spread of Covid-19, privacy advocates have cautioned that those systems could, if implemented badly, result in a dangerous mix of health data and digital surveillance. India’s new contact-tracing app may serve as a lesson in those privacy pitfalls: Security researchers say it could reveal the location of Covid-19 patients not only to government authorities, but to any hacker clever enough to exploit its flaws.

Independent security researcher Baptiste Robert published a blog post today sounding that warning about India’s Health Bridge app, or Aarogya Setu, created by the government’s National Informatics Centre. Robert found that one feature of the app, designed to let users check if there are infected people nearby, instead allows users to spoof their GPS location and learn how many people reported themselves as infected within any 500-meter radius. In areas that have relatively sparse reports of infections, Robert says hackers could even use a so-called triangulation attack to confirm the diagnosis of someone they suspect to be positive.

“The developers of this app didn’t think that someone malicious would be able to intercept its requests and modify them to get information on a specific area,” says Robert, a French researcher known in part for finding security vulnerabilities in the Indian national ID system known as Aadhaar. “With triangulation, you can very closely see who is sick and who is not sick. They honestly didn’t consider this use of the app.”

Security researchers like Robert have focused their attention on Aarogya Setu in part due to its sheer scale. The Indian government has declared the contact-tracing app mandatory for many workers, and it’s already been downloaded more than 90 million times, according to government officials.

Full article

How to Cover Your Tracks Every Time You Go Online

WIRED

Illustration: Elena Lacey; Getty Images

Venture online nowadays, and your presence is immediately logged and tracked in all manner of ways. Sometimes this can be helpful—like when you want to see new movies similar to ones you’ve watched in the past—but very often it feels invasive and difficult to control.

Here we’re going to show you how to cover some of those tracks, or not to leave any in the first place. This isn’t quite the same as going completely invisible online, or encrypting every single thing you do. But it should help you sweep up most records of your online activity that you’d rather disappear.

Full article

Security News This Week: Signal Threatens to Leave the US If EARN IT Act Passes

WIRED

Photograph: Yifei Fang

The end-to-end encrypted messaging app Signal, which is respected and trusted for its transparent, open-source design, says that it will be one of the immediate casualties should the controversial EARN IT Act pass Congress. Written by South Carolina Republican senator Lindsey Graham and Connecticut Democrat Richard Blumenthal and introduced in the Senate last month, the EARN IT Act claims to be a vehicle for improving how digital platforms reduce sexual exploitation and abuse of children online. But the law would really create leverage for the government to ask that tech companies undermine their encryption schemes to enable law enforcement access. Signal developer Joshua Lund said in a blog post on Wednesday that Signal is not cool with that! More specifically, he noted that Signal would face insurmountable financial burdens as a result of the law and would therefore be forced to leave the US market rather than undermine its encryption to stay. Given that Signal is recommended and used across the Department of Defense, Congress, and other parts of the US government, this would be a seemingly problematic outcome for everyone.

Full article

Read the Signal blog post here!

The Rise and Spread of a 5G Coronavirus Conspiracy Theory

WIRED

From an interview with an obscure Belgian doctor to apparent arson attacks in the UK, the unfounded claim that the pandemic is linked to 5G has spread unlike any other.

Photograph: George Frey

It started with one doctor. On January 22, Belgian newspaper Het Laatste Nieuws published an interview with Kris Van Kerckhoven, a general practitioner from Putte, near Antwerp. “5G is life-threatening, and no one knows it,” read the headline. One scientifically baseless claim in this article, published in a regional version of the paper’s print edition and since deleted from its website, sparked a conspiracy theory firestorm that has since torn through the internet and broken out into the real world, resulting in fires and threats. Van Kerckhoven didn’t just claim that 5G was dangerous: He also said it might be linked to coronavirus.

At the time, the outbreak was a comparative speck. It had claimed nine lives and infected 440 people, almost all of them in the Chinese city of Wuhan. Under the heading “Link met coronavirus?” the Het Laatste Nieuws journalist pointed out that since 2019 a number of 5G cell towers had been built around Wuhan. Could the two things be related? “I have not done a fact check,” Van Kerckhoven cautioned, before piling in. “But it may be a link with current events.” And so the fuse was lit.

Van Kerckhoven’s comments were quickly picked up by anti-5G campaigners in the Dutch-speaking world, with Facebook pages linking to and quoting from the article. Here, they claimed, was proof of something very dark indeed. Within days, the conspiracy theory had spread to dozens of English-language Facebook pages. But the conspiracy theory that Van Kerckhoven was peddling isn’t new. It has been bubbling away quietly for decades, from unfounded concerns about high-voltage power lines in the 1980s to mobile phones in the 1990s. In coronavirus, such concerns had found a new hook. “Because the quotes were unfounded, we withdrew the article within a few hours,” says Het Laatste Nieuws editor Dimitri Antonissen. “We regret the fact that the story was online for a few hours,” he adds. “Unfortunately with conspiracy theories popping up on several places, this does not stop a story from spreading.” And spread it did.

Full article

A Hacker Found a Way to Take Over Any Apple Webcam

WIRED

Apple has a well-earned reputation for security, but in recent years its Safari browser has had its share of missteps. This week, a security researcher publicly shared new findings about vulnerabilities that would have allowed an attacker to exploit three Safari bugs in succession and take over a target’s webcam and microphone on iOS and macOS devices.

Apple patched the vulnerabilities in January and March updates. But before the fixes, all a victim would have needed to do was click one malicious link, and an attacker would have been able to spy on them remotely.

Full article

The Zoom Privacy Backlash Is Only Getting Started

WIRED

The popular video conferencing application Zoom has been having A Moment during the Covid-19 pandemic. But it’s not all positive. As many people’s professional and social lives move completely online, Zoom use has exploded. But with this boom has come added scrutiny from security and privacy researchers—and they keep finding more problems, including two fresh zero day vulnerabilities revealed Wednesday morning.

The debate has underscored the inherent tension of balancing mainstream needs with robust security. Go too far in either direction, and valid criticism awaits.

Zoom has never been known as the most hardcore secure and private service, and there have certainly been some critical vulnerabilities, but in many cases there aren’t a lot of other options.

Kenn White, Security researcher

It’s absolutely fair to put public pressure on Zoom to make things safer for regular users. But I wouldn’t tell people ‘don’t use Zoom.’ It’s like everyone is driving a 1989 Geo and security folks are worrying about the air flow in a Ferrari.

Kenn White, Security researcher

Zoom isn’t the only video conferencing option, but displaced businesses, schools, and organizations have coalesced around it amid widespread shelter in place orders. It’s free to use, has an intuitive interface, and can accommodate group video chats for up to 100 people. There’s a lot to like. By contrast, Skype’s group video chat feature only supports 50 participants for free, and live streaming options like Facebook Live don’t have the immediacy and interactivity of putting everyone in a digital room together. Google offers multiple video chat options—maybe too many, if you’re looking for one simple solution.

Full article

An Elite Spy Group Used 5 Zero-Days to Hack North Koreans

WIRED

Most North Koreans don’t spend much of their lives in front of a computer. But some of the lucky few who do, it seems, have been hit with a remarkable arsenal of hacking techniques over the last year—a sophisticated spying spree that some researchers suspect South Korea may have pulled off.

Cybersecurity researchers at Google’s Threat Analysis Group today revealed that an unnamed group of hackers used no fewer than five zero-day vulnerabilities, secret hackable flaws in software, to target North Koreans and North Korea-focused professionals in 2019. The hacking operations exploited flaws in Internet Explorer, Chrome, and Windows with phishing emails that carried malicious attachments or links to malicious sites, as well as so-called watering hole attacks that planted malware on victims’ machines when they visited certain websites that had been hacked to infect visitors via their browsers.

Google declined to comment on who might be responsible for the attacks, but Russian security firm Kaspersky tells WIRED it has linked Google’s findings with DarkHotel, a group that has targeted North Koreans in the past and is suspected of working on behalf of the South Korean government.

It’s really impressive. It shows a level of operational polish.

Dave Aitel, Infiltrate

South Koreans spying on a northern adversary that frequently threatens to launch missiles across the border is not unexpected. But the country’s ability to use five zero-days in a single spy campaign within a year represents a surprising level of sophistication and resources. “Finding this many zero-day exploits from the same actor in a relatively short time frame is rare,” writes Google TAG researcher Toni Gidwani in the company’s blog post. “The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues.” In a follow-up email, Google clarified that a subset of the victims were not merely from North Korea, but in the country, suggesting that these targets weren’t North Korean defectors, whom the North Korean regime frequently targets.

Within hours of Google linking the zero-day vulnerabilities to attacks targeting North Koreans, Kaspersky was able to match two of the vulnerabilities—one in Windows, one in Internet Explorer—with those it has specifically tied to DarkHotel. The security firm had previously seen those bugs exploited to plant known DarkHotel malware on their customers’ computers. (Those DarkHotel-linked attacks occurred before Microsoft patched its flaws, Raiu says, suggesting that DarkHotel wasn’t merely reusing another group’s vulnerabilities.) Since Google attributed all five zero-days to a single hacker group, “it’s quite likely that all of them are related to DarkHotel,” Raiu says.

Raiu points out that DarkHotel has a long history of hacking North Korean and Chinese victims, with a focus on espionage. “They’re interested in getting information such as documents, emails, pretty much any bit of data they can from these targets,” he says. Raiu declined to speculate on what country’s government might be behind the group. But DarkHotel is widely suspected of working on behalf of the South Korean government, and the Council on Foreign Relations names DarkHotel’s suspected state sponsor as the Republic of Korea.

Full article

Coronavirus Sets the Stage for Hacking Mayhem

WIRED

The novel coronavirus has impacted the global economy, daily life, and human health around the world, changing how people work and interact every day. But in addition to the pressing threat the virus poses to human health, these rapid changes have also created an environment in which hackers, scammers, and spammers all thrive.

Full article

Security News This Week: Elite Hackers Are Using Coronavirus Emails to Set Traps

WIRED

Photograph: BJ Formento/Getty Images

In a week dominated by news of the global Covid-19 pandemic, companies scrambled to find ways of securely supporting employees working from home. But the challenges are extensive, and in sectors like critical infrastructure and government defense, there’s often no safe way for workers to be remote.

Meanwhile, President Donald Trump suggested (not for the first time!) on Tuesday that a wall at the southern border with Mexico would help stop the spread of the novel coronavirus into the US. This is not true for a number of reasons. And Washington state made a good case for vote-by-mail infrastructure when its Democratic primary went smoothly on Tuesday in spite of the region’s major Covid-19 outbreak. The majority of voters send in their ballots rather than appearing at a polling place in person.

In other news, there were some small mercies in the security world this week as the certificate authority Let’s Encrypt engineered a massive course-correction after discovering a bug that could have broken millions of websites across the web. And researchers found that a staggering 83 percent of medical imaging devices run on operating systems that are too old to receive security patches from their developers—exposing the machines and healthcare networks more broadly to potential attack.

But wait, there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.

Full article