DOUG. Juicejacking, public psychotherapy, and Fun with FORTRAN.
All that and more on the Naked Security podcast.
[MUSICAL MODEM]
Welcome to the podcast, everyone.
I’m Doug Aamoth; he’s Paul Ducklin.
Paul, how do you do today, Sir?
DUCK. I’m very well, Douglas.
I’m intrigued by your phrase “Fun with FORTRAN”.
Now, I know FORTRAN myself, and fun is not the first adjective that springs to mind to describe it. [LAUGHS]
DOUG. Well, you might say, “You can’t spell ‘FORTRAN’ without ‘fun’.”
That’s not quite accurate, but…
DUCK. It’s actually astonishingly *inaccurate*, Doug! [LAUGHS]
DOUG. [LAUGHING] Keep that in mind, because this has to do with inaccuracies.
This week, on 19 April 1957, the first FORTRAN program ran.
FORTRAN simplified programming, starting with a program run at Westinghouse that threw an error on its first try – it produced a “missing comma” diagnostic.
But the second try was successful.
How do you like that?
DUCK. That’s interesting, Doug, because my own – what I always thought was ‘knowledge’, but turns out might be an urban legend…
…my own story about FORTRAN comes from about five years after that: the launch of the Mariner 1 space probe.
Spacecraft don’t always follow exactly where they’re supposed to go, and they’re supposed to correct themselves.
Now, you imagine the sort of calculations involved – that was quite hard in the 1960s.
And I was told this semi-officially (meaning, “I heard it from a lecturer at university when I was studying computer science, but it wasn’t part of the syllabus”)…
…apparently, that bug was down to a line in FORTRAN that was supposed to say DO 51 I = 1,100, which is a “for loop”.
It says, “Do 100 loops, up to and including line 51.”
But the person typed DO 51 I = 1.100, with a dot, not a comma.
FORTRAN ignores spaces, so it interpreted DO51I = as a variable assignment, assigned that variable the value 1.100, and then went round the loop once… because it hadn’t been told to loop at line 51, and line 51 just executed once.
I always assumed that that was the correction loop – it was supposed to have 100 goes to get the spacecraft back on course, and it only had one go, and therefore it didn’t work.
[LAUGHS]
And it seems it may not actually be true… may be a bit of an urban legend.
Because there’s another story that says that actually the bug was down to a problem in the specifications, where somebody wrote out the equations that needed to be coded.
And for one of the variables, they said, “Use the current value of this variable”, when in fact, you were supposed to smooth the value of that variable by averaging it over previous readings.
You can imagine why that would throw something astray if it had to do with course correction.
So I don’t know which is true, but I like the DO 51 I = 1,100 story, and I plan to keep dining out on it for as long as I can, Doug.
DOUG. [LAUGHS] Like I said, “Fun with FORTRAN”.
DUCK. OK, I take your point, Doug.
DOUG. Both these stories are fun…
Something not so fun – an update to an update to an update.
I believe this is at least the third time we’ve talked about this story, but this is the psychotherapy clinic in Finland that housed all its patient data, including notes from sessions, online in the cloud under a default password, which was leveraged by evildoers.
Those evildoers tried to get some money out of the company.
And when the company said no, they went after the patients.
Ex-CEO of breached psychotherapy clinic gets prison sentence for bad data security
DUCK. How awful must that have been, eh?
Because it wasn’t just that they had the patients’ ID numbers and financial details for how they paid for their treatment.
And it wasn’t just that they had some notes… apparently, the sessions were recorded and transcribed, and *those* were uploaded.
So they basically had everything you’d said to your therapist…
…and one wonders whether you had any idea that your words would be preserved forever.
Might have been in the small print somewhere.
Anyway, as you say, that’s what happened.
The blackmailer went after the company for, what, €450,000 (which was about half a million US dollars at the time), and they weren’t inclined to pay up.
So they thought, “Hey, why don’t I just contact all the patients? Because I’ve got all their contact details, *and* I’ve got all their deepest, darkest secrets and fears.”
The criminal figured, “I can contact them and say, ‘You’ve got 24 hours to pay me €200; then I’ll give you 48 hours to pay me €500; and then I’m going to doxx you – I’m going to dump your data for everybody to see’.”
And I did read one article that suggested that when the patients didn’t come up with the money, he actually found people who’d been mentioned in their conversations.
DOUG. Didn’t somebody’s mom get roped into this, or something like that?
DUCK. Yes!
They said, “Hey, we have conversations with your son; we’re going to dump everything that he said about you, from a private session.”
Anyway, the good news is that the victims decided they were definitely not going to take this lying down.
And loads of them did report it to the Finnish police, and that gave them impetus to take this as a serious case.
And the investigations have been ongoing ever since.
There’s somebody… I believe he’s still in custody in Finland; he hasn’t finished his trial yet for the extortion side.
But they also decided, “You know what, the CEO of the company that was so shabby with the data should bear some personal liability.”
He can’t just go, “Oh, it was the company; we’ll pay a fine” (which they did, and ultimately went bankrupt).
That’s not enough – he’s supposed to be the boss of this company; he’s supposed to set the standards and decide how they operate.
So he went to trial as well.
And he’s just been found guilty and given a three month prison sentence, albeit a suspended one.
So if he keeps his nose clean, he can stay out of prison… but he did get taken to task for this in court, and given a criminal conviction.
As light as the sentence might sound, that does sound like a good start, doesn’t it?
DOUG. Lots of comments on this post are saying they should force him to go to jail; he should actually spend time in jail.
But one of the commenters, I think rightly, points out that this is common for first-time offenders for non-violent crimes…
…and he does now have a criminal record, so he may never work in this town again, as it were.
DUCK. Yes, and perhaps more importantly, it’s going to give somebody pause before allowing him the authority to make this sort of poor decision in future.
Because it seems that it wasn’t just that he allowed his IT team to do shabby work or to cut corners.
It seems that they did know they’d been breached on two occasions, I think in 2018 and 2019, and decided, “Well, if we don’t say anything, we’ll get away with it.”
And then in 2020, obviously, a crook got hold of the data and abused it in a way that you couldn’t really doubt where it came from.
It wasn’t just, “Oh, I wonder where they got my email address and national identity number?”
You can only get your Clinic X private psychotherapy transcript from Clinic X, you’d expect!
DOUG. Yes.
DUCK. So there’s also the aspect that if they’d come clean in 2018; if they’d disclosed the breach as they were supposed to, then…
(A) They would have done the right thing by the law.
(B) They would have done the right thing by their patients, who could have started taking precautions in advance.
And (C), they’d have had some compunction upon them to go and fix the holes instead of going, “Oh, let’s just keep quiet about it, because if we claim we didn’t know, then we don’t have to do anything and we could just carry on in the shabby way that we have already.”
It was definitely not considered an innocent mistake.
And therefore, when it comes to cybercrime and data breaches, it’s possible to be both a victim and a perpetrator at the same time.
DOUG. Point well put!
Let’s move on.
Back in February 2023, we talked about rogue 2FA apps in the app stores, and how often they just sort of linger.
And linger they have.
Paul, you’re going to be doing a live demo of how one of these popular apps works, so everyone can see… and it’s still there, right?
Beware rogue 2FA apps in App Store and Google Play – don’t get hacked!
DUCK. It is.
Unfortunately, the podcast will come out just after the demo has been done, but this is some research that was done by a pair of independent Apple developers, Tommy Mysk and Talal Haj Bakry.
On Twitter, you can find them as @mysk_co.
They regularly look into cybersecurity stuff so that they can get cybersecurity right in their specialist coding.
They’re programmers after my own heart, because they don’t just do enough to get the job done, they do more than enough to get the job done well.
And this was around the time, if you remember, that Twitter had said, “Hey, we’re going to be discontinuing SMS-based two-factor authentication. Therefore, if you’re relying on that, you will need to go and get a 2FA app. We’ll leave it to you to find one; there are loads.”
Twitter tells users: Pay up if you want to keep using insecure 2FA
Now, if you just went to the App Store or to Google Play and typed in Authenticator App, you got so many hits, how would you know which one to choose?
And on both stores, I believe, the top ones turned out to be rogues.
In the case of the top search app (at least on the Apple Store, and some of the top-ish apps on Google Play), it turns out that the app developers had decided that, in order to monitor their apps, they’d use Google Analytics to record how people use the apps – telemetry, as it’s called.
Lots of apps do this.
But these developers were either sneakily malicious, or so ignorant or careless, that in amongst the stuff they collected about how the app was behaving, they also took a copy of the two-factor authentication seed that’s used to generate all the codes for that account!
Basically, they had the keys to everybody’s 2FA castles… all, apparently innocently, through program analytics.
But there it was.
They’re collecting data that absolutely should never leave the phone.
The master key to every six-digit code that comes every 30 seconds, for evermore, for every account on your phone.
How about that, Doug?
DOUG. Sounds bad.
Well, we will be looking forward to the presentation.
We will dig up the recording, and get it out to people on next week’s podcast… I’m excited!
Alright, moving right along to our final topic, we’re talking about juicejacking.
It’s been a while… been about over ten years since we first heard this term.
And I have to admit, Paul, when I started reading this, I began to roll my eyes, and then I stopped, because, “Why are the FBI and the FCC issuing a warning about juicejacking? This must be something big.”
But their advice is not making a whole lot of sense.
Something must be going on, but it doesn’t seem that big a deal at the same time.
FBI and FCC warn about “Juicejacking” – but just how useful is their advice?
DUCK. I think I’d agree with that, Doug, and that’s why I was minded to write this up.
The FCC… for those who aren’t in the United States, that’s the Federal Communications Commission, so when it comes to things like mobile networks, you’d think they know their oats.
And the FBI, of course, are essentially the federal police.
So, as you say, this became a huge story.
It got traction all around the world.
It was certainly repeated in many media outlets in the UK: [DRAMATIC VOICE] “Beware charging stations at airports.”
As you say, it did seem like a little bit of a blast from the past.
I wasn’t aware why it would be a clear and present “massive consumer-level danger” right now.
I think it was 2011 that it was a term coined to describe the idea that a rogue charging station might just not provide power.
It might have a hidden computer at the other end of the cable, or on the other side of the socket, that tried to mount your phone as a device (for example, as a media device), and suck files off it without you realising, all under the guise of just providing you with 5 volts DC.
And it does seem as though this was just a warning, because sometimes it pays to repeat old warnings.
My own tests suggested that the mitigation still works that Apple put in place right back in 2011, when juicejacking was first demonstrated at the Black Hat 2011 conference.
When you plug in a device for the first time, you’re offered the choice Trust/Don't Trust.
So there are two things here.
Firstly, you do have to intervene.
And secondly, if your phone’s locked, somebody can’t get at the Trust/Don't Trust button secretly by just reaching over and tapping the button for you.
On Android, I found something similar.
When you plug in a device, it starts charging, but you have to go into the Settings menu, enter the USB connection section, and switch from No Data mode into either “share my pictures” or “share all my files” mode.
There is a slight warning for iPhone users when you plug it into a Mac.
If you do hit Trust by mistake, you do have the problem that in future, when you plug it in, even if the phone is locked, your Mac will interact with your phone behind your back, so it doesn’t require you to unlock the phone.
And the flip side to that, that I think listeners should be aware of is, on an iPhone, and I consider this a bug (others might just say, “Oh no, that’s an opinion. It’s subjective. Bugs can only be objective errors”)…
…there is no way to review the list of devices you’ve trusted before, and delete individual devices from the list.
Somehow, Apple expects you to remember all the devices you’ve trusted, and if you want to untrust *one* of them, you have to go in and basically reset the privacy settings on your phone and untrust *all* of them.
And, also, that option is buried, Doug, and I’ll read it out here because you probably won’t find it by yourself. [LAUGHS]
It’s under Settings > General > Transfer or Reset iPhone > Reset Location and Privacy.
And the heading says “Prepare for New iPhone”.
So the implication is you’ll only ever need to use this when you’re moving from one iPhone to the next.
But it does seem, indeed, as you said at the outset, Doug, with juicejacking, that there’s a possibility that somebody has a zero-day that means plugging into an untrusted or unknown computer could put you at risk.
DOUG. I’m trying to imagine what it would entail to usurp one of these machines.
It’s this big, garbage-can size machine; you’d have to crack into the housing.
This isn’t like an ATM skimmer where you can just fit something over.
I don’t know what’s going on here that we’re getting this warning, but it seems like it would be so hard to actually get something like this to work.
But, that being said, we do have some advice: Avoid unknown charging connectors or cables if you can.
That’s a good one.
DUCK. Even a charging station that was set up in perfectly good faith might not have the decency of voltage regulation that you would want.
And, as a flip side to that, I would suggest that if you’re on the road and you realise, “Oh, I suddenly need a charger, I don’t have my own charger with me”, be very wary of pound-shop or dollar-shop super-cheap chargers.
If you want to know why, go to YouTube and search for a fellow called Big Clive.
He buys cheap electronic devices like this, takes them apart, analyses the circuitry and makes a video.
He’s got a fantastic video about a knockoff Apple charger…
…[a counterfeit] that looks like an Apple USB charger, that he bought for £1 in a pound-shop in Scotland.
And when he takes it apart, be prepared to be shocked.
He also prints out the manufacturer’s circuit diagram, and he actually goes through with a sharpie and puts it under his camera.
“There’s a fuse resistor; they didn’t include that; they left that out [crosses out missing component].”
“Here’s a protective circuit; they left out all those components [crosses more out].”
And eventually he’s down to about half the components that the manufacturer claimed were in the device.
There’s a point where there’s a gap between the mains voltage (which in the UK would be 230 volts AC at 50 Hz) and a trace on the circuit board that would be at the supply voltage (which for USB is 5 volts)…
…and that gap, Doug, might be a fraction of a millimetre.
How about that?
So, yes, avoid unknown connectors.
DOUG. Great advice.
DUCK. Carry your own connectors!
DOUG. This is a good one, especially if you’re on the run and you need to charge quickly, apart from the security implications: Lock or turn off your phone before connecting it to a charger or computer.
If you turn off your phone, it’ll charge much faster, so that’s something right there!
DUCK. It also ensures that if your phone does get stolen… which you could argue is a little more likely at one of these multi-user charging stations, isn’t it?
DOUG. Yes!
DUCK. It also means that if you do plug it in and a Trust prompt does pop up, it’s not just sitting there for someone else to go, “Ha, that looks like fun,” and click the button you didn’t expect.
DOUG. Alright, and then we’ve got: Consider untrusting all devices on your iPhone before risking an unknown computer or charger.
That’s the setting you just walked through earlier under Settings > General > Transfer or Reset iPhone…
DUCK. Walked *down* into; way down into the pit of darkness. [LAUGHS]
You don’t *need* to do this (and it’s a bit of a pain), but it does mean that you aren’t risking compounding a trust error that you might have made before.
Some people might consider that overkill, but it’s not, “You must do this”, merely a good idea because it gets you back to square one.
DOUG. And last but not least: Consider purchasing a power-only USB cable or adapter socket.
Those are available, and they just charge, they don’t transfer data.
DUCK. Yes, I’m not sure whether such a cable is available in the USB-C format, but it’s easy to get them in USB-A.
You can actually peer into the socket, and if it’s missing the two middle connectors… I put a picture in the article on Naked Security of a bike light I have that only has the outer connectors.
If you can only see power connectors, then there’s no way for data to be transferred.
DOUG. Alright, very good.
And let us hear from one of our readers… something of a counterpoint on the juicejacking piece.
Naked Security Reader NotConcerned writes, in part:
This article comes off a bit naive. Of course, juicejacking isn’t some widespread problem, but to discount any warning based on a very basic test of connecting phones to a Windows and Mac PC and getting a prompt is kind of silly. That doesn’t prove there aren’t methods with zero clicks or taps needed.
What say you, Paul?
DUCK. [SLIGHT SIGH] I get the point.
There could be an 0-day that means when you plug it in at a charging station, there might be a way for some models of phone, some versions of operating system, some configurations… where it could somehow magically bypass the Trust prompt or automatically set your Android into PTP mode or File Transfer mode instead of No Data mode.
It’s not impossible.
But if you’re going to include probably esoteric million-dollar zero-days in the list of things that organisations like the FCC and the FBI make blanket warnings about, then they should be warning, day after day after day: “Don’t use your phone; don’t use your browser; don’t use your laptop; don’t use your Wi-Fi; don’t press anything at all”, in my opinion.
So I think what worries me about this warning is not that you should ignore it.
(I think that the detail that we put in the article and the tips that we just went through suggest that we do take it more than seriously enough – we’ve got some decent advice in there that you can follow if you want.)
What worries me about this sort of warning is that it was presented as such a clear and present danger, and picked up all over the world so that it sort-of implies to people, “Oh, well, that means that when I’m on the road, all I need to do is don’t plug my phone into funny places and I’ll be OK.”
Whereas, in fact, there are probably 99 other things that would give you much more safety and security if you were to do those.
And you’re probably not at a big risk, if you’re short of juice, and you really *do* need to recharge your phone because you think, “What if I can’t make an emergency call?”
DOUG. Alright, excellent.
Well, thanks, NotConcerned, for writing that in.
DUCK. [DEADPAN] I presume that name was an irony?
DOUG. [LAUGHS] I think so.
If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.
You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @nakedsecurity.
That’s our show for today; thanks very much for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you, until next time, to…
BOTH. Stay secure!
[MUSICAL MODEM]
Featured image of punched computer card by Arnold Reinhold via Wikipedia under CC BY-SA 2.5