![How one leaked e-mail password may drain your online business [Audio + Transcript] – Naked Security](https://nakedsecurity.sophos.com/wp-content/uploads/sites/2/2022/11/s3-ep109-image-1200.png?w=775 "How one leaked e-mail password may drain your online business [Audio + Transcript] – Naked Security")
DOUG. A not-quite zero-day, a lock display screen bypass, e-mail scams, and Emmenthal cheese.
All that, and extra, on the Naked Security podcast.
[MUSICAL MODEM]
Welcome to the podcast, all people.
I’m Doug Aamoth; he’s Paul Ducklin.
Paul, how do you do right now?
DUCK. I’m nice, Doug.
And I don’t assume you talked about the Billionaire Gucci grasp.
DOUG. He is a part of “All that and more”, after all!
DUCK. Oh, and far, MUCH extra, Doug. [LAUGHS]
DOUG. Exactly.
We do like to begin the present with our This Week in Tech History section.
This is thrilling for me as a result of I used to be there, man!
This week on 14 November 2006, Microsoft launched the Zune, a 30 gigabyte moveable media participant meant to compete with Apple’s iPod.
Microsoft would make its method via three generations of Zune gamers, a music subscription service, and a handful of different suits and begins earlier than canning the {hardware} in 2011 and the software program and companies in 2012.
I used to be working at TechCrunch on the time, and the final consensus was that not till the Zune HD, which got here out in 2009, have been we speaking concerning the Good Zune.
But by then it was too little, too late, as a result of the iPod contact got here out in 2007…
…and I bear in mind protecting that occasion and being awed by such a tool.
I can’t bear in mind the final time I used to be awed by such a skinny MP3 participant; you may obtain songs on to it.
That was the story of the Zune for me.
The {hardware} and the display screen, although, have been actually good, so it was onerous to not prefer it…
…it simply was lacking one thing, after which they shut all the things down, so it didn’t actually matter.
Between the Zune and Windows Phone: these have been two initiatives by Microsoft I actually wished to work, they usually simply didn’t fairly work.
DUCK. I liked my Windows Phone, imagine it or not.
It’s at all times the third model with Microsoft, isn’t it?
Windows 3?
DOUG. The Zune, too – third model!
DUCK. And I assumed, “Great!”
But as quickly as I fell in love with Windows Phone, they discontinued it, simply when it acquired good. [LAUGHS]
DOUG. Well, we will keep with reference to Apple, as a result of that is not fairly a zero-day, however it was harmful sufficient to warrant an emergency patch:
Emergency code execution patch from Apple – however not an 0-day
DUCK. Yes, it wasn’t a zero-day as a result of it was disclosed responsibly, so far as I do know.
It was a bug in an XML parsing library known as libxml2… my very own Linux distro acquired an replace that occurred to incorporate that repair.
Now, no person else appeared to get terribly excited concerning the libxml2 replace.
It was simply, “Hey, they found a bug, they fixed it: get the new version.”
But Apple… simply out of the blue these updates arrived.
And they fastened the libxml2 bugs just for the very newest variations of their working system.
So, macOS 13 Ventura and iOS/iPadOS 16.
DOUG. So, if I’m an Apple consumer and I’m not operating the newest model of both of those working programs, I’m at nighttime about whether or not I want some kind of replace.
Am I ready on an replace, or is my present model, which isn’t 13.0 or 16.1… is it protected?
DUCK. That’s the issue that now we have each time this occurs, isn’t it?
Where there’s an replace for the newest variations and never the others.
So I want Apple would make it clearer whether or not there have been updates anticipated for different units, and even why they felt it was essential to push out an replace simply particularly for that one library.
My finest guess is that once they have been knowledgeable concerning the bug and their very own safety individuals began taking a look at it, they figured, “I wonder if you could exploit this… OH NO! It’s far too easy.”
Maybe they discovered that there was some a part of Apple’s code that was simply (in case you like) too near the sting of the community or the sting of the system, which may imply that someone may shortly determine the best way to exploit it.
So why not patch it?
If so, nice, however it will be good to know that!
DOUG. So I suppose the most effective recommendation we can provide is to go to the software program updates part and see if there’s one thing there.
If not, sit tight and we’ll regulate it.
OK, let’s shift gears from Apple to Android.
We’ve acquired a SIM-swap lockscreen bypass, and this lockscreen bypass is form of scary in that it was an unintentional discovery, so it may occur to anyone:
So it’s form of severe!
And Google form of dragged their toes slightly bit fixing it…
DUCK. Yes, Doug.
The fascinating factor about that is… I couldn’t consider a greater technique to describe it than a SIM-swap assault, as a result of it includes swapping a SIM card.
But it’s not what we usually consider as a “number porting” assault the place you go to a cell phone retailer and also you trick them, cajole them, bribe them, induce them to problem you with a model new SIM with someone else’s quantity utilized to it, so you possibly can take over their messages and skim their two issue authentication codes to log into their account.
That’s one sort of SIM swap.
In this case, the bug was triggered for someone who has restarted their cellphone.
And on this case, as a result of the chap had been travelling and his cellphone had run out of juice, he was compelled to undergo a full reboot.
When you undergo a reboot, in case you’ve acquired a PIN set in your SIM card (which you need to have, or somebody may simply steal your cellphone, take away the SIM card, and begin receiving all of your calls and your texts)… nicely, he acquired the PIN flawed, and also you solely get three goes, you then lock your self out.
Now you need to go and get the 10-digit PUK, which is the unlock code for the SIM itself.
You solely get 10 goes at that, after which the SIM principally destroys itself and isn’t any extra use.
But he seen that, when he put within the PUK… he realised that he was on the lockscreen, *however the flawed one*.
He was on the form of cellphone lockscreen that allowed him to unlock along with his fingerprint.
Not the “You’ve just rebooted your phone; you have to unlock properly with your full passcode” display screen.
So he figured, “I’ve landed up in the wrong place. This shouldn’t happen. I should be locked out of my phone with more than just my fingerprint.”
And so he was capable of finding out that he may, if he acquired the SIM PIN flawed intentionally and he timed it proper… he may bypass the lock code on a locked cellphone.
Just like that, Doug!
DOUG. OK, so the place does the SIM *swap* are available on this case?
DUCK. Well, that’s the factor…
Imagine that you simply steal someone’s cellphone and also you realise, “Oh, dear, it’s locked.”
Now, you swap the SIM, however as a substitute of attempting to swap their *quantity* onto a brand new SIM of yours, you simply go to the comfort retailer, purchase a brand new SIM card, swap it into their *cellphone*…
…and you understand the PIN on the brand new SIM card, so that you *intentionally get it flawed 3 times*.
Now you’re on the PUK code entry.
You learn the PUK code off the packaging, as a result of it’s printed there… scratch it off with a coin; there’s the magic code.
You put that in, and, “Bingo!”
You’ve finished his bypass!
DOUG. If I’m a pickpocket or a prison, or I discover a cellphone on the bottom, usually nowadays, you assume, “Oh, it’s useless because it’s locked and I’m not going to be able to get into it to wipe it and then sell it.”
In this case, you possibly can truly try this… simply purchase an inexpensive, a free SIM; you possibly can wipe it and promote it.
DUCK. And, because the chap who found it, David Schütz, factors out:
“I might be overreacting, but, I mean, not so long ago, the FBI was fighting with Apple for almost the same thing.”
I’ve acquired someone else’s cellphone… is there a magic method, with some particular {hardware}, that I can unlock it?
And it seems that, with Android, in case you acquired the timing proper, sure, there *was* some particular {hardware}, and you may go to a comfort retailer and purchase that {hardware} off the shelf for $1!
DOUG. OK, so that is severe.
So, he takes it to Google they usually do what?
Do they are saying, “We’re going to fix it right away”… or not?
DUCK. I feel each of these: “Yeah, OK, well, someone reported this before, but we couldn’t get it to work.”
Then nothing occurred, and nothing occurred…
So his disclosure deadline got here round, and he went to Google and stated, “I’m going to disclose this, but I’m uncomfortable. What are we going to do about it?”
And, luckily, Google then got here to the social gathering, and within the November 2022 replace (he discovered this again in June 2022)… within the November 2022 replace, they did present the repair.
Bless his coronary heart, he stated, “Look, I’ll come to your offices and I’ll show you that it does work.”
And apparently he’s good sufficient to search out vulnerabilities and do bug bounty attempting to find a dwelling, it appears…
…however not good sufficient to grasp that once you’re in an workplace constructing and also you don’t have a correct SIM ejector device, there’s in all probability a paperclip someplace round.
So as a substitute of asking for a paperclip, he tried to make use of a needle, and apparently stabbed himself. [LAUGHS]
It is now fastened, however in case you’ve acquired an Android cellphone, do just remember to have the November 2022 replace!
DOUG. OK, we talked not too way back a couple of Firefox “Browser-in-the-browser” assault, which I discovered fascinating… and it appears to be like like we might have the potential for an additional one, due to a brand new fullscreen bypass:
DUCK. Yes!
Firefox 107 got here out this week, and I feel the Extended Support Release is 102.5.
(Remember, it’s “102+5 = 107”, in order that’s no characteristic fixes, however all the safety fixes.)
There’s nothing crucial, there aren’t any zero-days, however there are many high-severity vulnerabilities, and the one which caught my eye is a quite simple and presumably trivial-sounding bug.
There’s a technique to get the browser into ful display screen mode with out popping up that little warning that claims, “Hey, guys, the browser is now in fullscreen mode, so don’t forget that everything you see *is the browser*; press Escape or F11 (or whateveritis) to get back to the regular screen.”
And you assume, “How harmful is that?”
But in case you bear in mind, that Browser-in-the-Browser assault was the place you paint what appears to be like like an working system popup dialog contained in the browser window, and also you trick individuals into placing, say, a password in there, considering they’re speaking with Windows…
…when in reality they’re speaking with the browser:
Serious Security: Browser-in-the-browser assaults – be careful for home windows that aren’t!
And I feel it was one Douglas Aamoth who stated to individuals, “Hey, just grab the window, the fake popup, if you’re suspicious, and try and move it outside the real browser window. And if it won’t go there, you know you’re looking at a fake.”
So, think about… what’s the danger of unintentional fullscreen?
Well, you then paint a faux browser window *inside which you paint a faux popup*.
And then, when the particular person follows your excellent recommendation, Doug, and drags the faux popup, it *will* go outdoors the faux browser window and also you’ll go, “OK, maybe it’s real after all.”
So the issue with fullscreen is it implies that code operating contained in the browser (untrusted JavaScript, HTML, CSS, and many others.) will get to color successfully any pixel on the display screen.
DOUG. I used to be additionally considering: an excellent technique to abuse this (now don’t do that, don’t do this at dwelling!) can be to make it appear as if the consumer’s session had, for some motive, simply logged out.
So you’re again to a “login screen”… it’s fullscreen, and it asks you to enter your password.
I imply, I’ve a button on my keyboard that logs me out if I hit it by accident, and now it desires my password to get again in…
DUCK. [LAUGHS] Doug, I’m glad you’re a colleague of mine, that’s all I’m saying, not working for the opposite aspect! [LAUGHS]
DOUG. And if I have been actually enterprising (I wouldn’t actually do that, after all!), I do know that Windows adjustments the login image day by day to a special stunning vista…
…I might simply test which one is happening right now, and I might cycle that day by day to the latest one, as soon as I knew what the brand new one was going to be.
DUCK. Are you certain you’re not a naughty boy, Doug? [LAUGHTER]
DOUG. So, let’s get these Firefox browsers up to date, and transfer on to what you described because the “Emmenthal cheese” assault.
Now, if I have been writing the headline… your headline was nice, it was very descriptive, however you may have drawn individuals in with the headline simply being The Emmenthal cheese assault, or why defence in depth depth is essential.
Though you’ve gotten “Log4Shell” in there… that’ll in all probability pull extra individuals in than cheese:
Log4Shell-like code execution gap in common Backstage dev device
DUCK. [MOCK AFFRONT] Are you accusing me of what I imagine is known as “Search Engine Optimisation”?
DOUG. [MOCK RIGHTEOUSNESS] I might by no means!
DUCK. Thank you, Doug.
It is Log4Shell-like, and I did assume that individuals would bear in mind Log4Shell as a result of it’s form of onerous to neglect:
Log4Shell: The Movie… a brief, protected visible tour for work and residential
I used to be fearful, if I put Emmenthal cheese within the headline, that in case you don’t precisely know that that may be a sort of cheese that usually has bubbles in it from the fuel that’s generated whereas it ferments, and due to this fact once you slice it, it has round holes in it; in case you don’t know that, then… [PAUSES] I suppose I may have put an image of a slice of Emmenthal cheese, however that will have been a bit tacky.
DOUG. Well Krafted!
DUCK. Anyway,the affected device is a factor known as Backstage, and I imagine it was initially developed as a developer’s toolkit for constructing what are known as APIs, software programming interfaces.
As the identify suggests, it’s extra of a back-end device, so that you loosely anticipate it to be inside your community, however however, if it’s a part of your online business logic companies, you then do need to be sure that they don’t have any bugs.
And I name it the Emmenthal Cheese Attack, as a result of, luckily, it’s not similar to Log4Shell, the place a number of companies have been uncovered inadvertently and you may simply ship them random HTTP requests…
…and a great deal of them would fall into the outlet of attempting to course of a string that contained particular “secret characters” that brought on them to run unauthorised instructions.
In this case, it was extra like having a number of slices of Emmenthal cheese, with all of the holes in.
And in case you can, because the attacker, determine that on this community the slices are lined up so there may be a minimum of one gap subsequent to a different gap on each slice, then you possibly can thread a string via there and get in.
The excellent news is, after all, that implies that in case you can transfer any one of many slices to a place the place there’s *no gap that goes all over*, you defend towards it.
DOUG. So what are the holes that an attacker must thread his or her method via to hit paydirt?
DUCK. Well, firstly they’d want to have the ability to entry a server that had the buggy code on within the first place, to ship a request.
That may be doable in case you’d already damaged into the community however you had restricted entry… say you’d compromised a developer’s laptop so you may make inner API calls.
Or it’d occur in case you simply have some companies that depend on this which can be seen externally.
But it’s reminder of a few of the supply-chain complexity that comes once you use merchandise like node.js (server aspect JavaScript), and the NPM Node Package Manager repository.
Because Backstage incorporates a factor, I feel, known as Scaffolder, which is a plugin that helps you prepare all of your numerous API backends properly.
And Scaffolder makes use of a logging system known as (don’t shoot the messenger, Doug, I’m simply reporting the identify; I didn’t make it up.)… this can be a Mozilla device, I imagine [LAUGHING] known as Nunjucks (I don’t know the place they get these names from!), and that’s a logging device.
So like Log4J, it has magic characters like ${{ …particular stuff in right here which may embody instructions to run on the server aspect… }}.
And that’s wrapped in a factor known as vm2, which is one other NPM module, one other Node JavaScript module.
That one is a sandbox that’s presupposed to make riskier JavaScript code a bit safer by limiting what it could possibly do.
And, sadly, the corporate that discovered the issue with the entire Backstage system, Oxeye… their researchers had beforehand, in August 2022, discovered a gap that allowed them to sneak via this vm2 sandbox.
So the excellent news is the proof-of-concept they produced required the final slice of Emmenthal cheese *nonetheless to have the outlet in that was patched again in August 2022*.
So, as steered, the answer is to be sure that one, some or your entire Swiss cheese slices are moved in order that there aren’t any holes that go all over.
And that’s simple sufficient to do by patching Backstage, and ensuring that your vm2 is patched.
Quite a number of merchandise use this vm2 sandbox – it’s meant to enhance safety.
So you will have vm2 even in case you don’t have Backstage.
We’ve acquired all the complete model numbers you want to go and search for within the Naked Security article, Doug.
DOUG. OK, excellent.
And final, however definitely not least, a wild story about Business Email Compromise [BEC].
DUCK. We have reached the Billionaire Gucci Master, presently serving an 11-stretch [an 11-year prison term] within the United States of America, Doug:
“Gucci Master” enterprise e-mail scammer Hushpuppi will get 11 years
So he’s not dwelling the excessive life in Dubai like he was a few years in the past!
DOUG. Maybe not fairly a grasp if he’s in jail…
DUCK. Well, in case you have a look at the images that have been on his Instagram account, you possibly can see that, a minimum of for some time, he definitely wasn’t in need of cash.
So he wasn’t pretending to be wealthy, however he *was* pretending to have acquired his wealth legitimately… he claimed to be an actual property wheeler-dealer.
In reality, as you say, he was a part of a so-called enterprise e-mail compromise/cash laundering community.
And, simply to reiterate, enterprise e-mail compromise… that time period is used pretty usually lately for crimes which can be predominantly orchestrated through e-mail that pretends to be from an organization, however I desire to maintain that time period BEC for the place the crooks not solely faux to be sending emails, say, out of your CEO or your CFO, or somebody senior in accounting, however they *even have that particular person’s e-mail password*.
So, once they ship their faux emails, they don’t simply appear like they arrive from the actual account, they really do come from the actual account.
And, as you possibly can think about, that’s fairly a easy crime to drag off, as a result of you possibly can go on the darkish internet and purchase e-mail passwords, and also you solely want one for the best particular person.
Once you’re inside the e-mail, you in all probability get, if the particular person is within the accounts division, a surprisingly common and dependable newsfeed of which offers are taking place, what accounts want paying, and what huge accounts are about to receives a commission in.
And so that you try to persuade both the client who’s about to repay a debt, otherwise you persuade somebody within the firm itself who’s about to pay out to a provider who’s a creditor… you persuade them to pay into the flawed account.
Behind the scenes, you’ve gotten an entire lot of cash mules and different associates in your cybercrime community who’re on the market going via the know-your-customer course of with banks.
Anyway, he was busted, and apparently he pleaded responsible.
He’s been in custody for 2 years, I imagine, awaiting trial:
Flashy Nigerian Instagram star extradited to US to face BEC prices
He lastly determined to plead responsible: he confronted 20 years; he acquired 135 months, which is simply over eleven years.
So he didn’t get the utmost sentence, presumably as a result of he pleaded responsible, and he formally admitted to 2 very sizable quantities that he had stolen.
One from an organization in New York; that quantity was near $1,000,000.
And one from a businessman in Qatar; I imagine that was additionally near $1,000,000.
So he has to pay again $1.7 million to these victims as a part of the entire deal.
But what was fascinating to me on this was the data that got here out from the investigations that have been finished into this chap, who’s referred to as Ray Hushpuppi.
An enchanting perception into all of the transferring elements which can be wanted behind enterprise e-mail compromise scams, and the way a lot effort the crooks put into staying only one step forward of the fraud prevention mechanisms which can be in place by every financial institution, in every nation, for every sort of account, for transfers between Country A and Country B, and so forth…
..And thus determining that the “holes” of their slices of Swiss cheese that they’ll thread their needles via.
If you don’t thoughts me mixing one more metaphor, Doug.
DOUG. It’s sufficient work that you may in all probability exit and get an everyday job, and possibly make… possibly not this a lot cash, however some respectable trustworthy cash.
The quantity of labor you need to put in maintaining monitor of all these banking laws and the best way to transfer cash!
“I can move it within the UK, but I can’t move it to Mexico”… all this stuff that he had to consider and cope with.
It’s an interesting learn, if you wish to head over there and skim the complete report.
But we do have some recommendation for individuals so far as avoiding enterprise e-mail compromise, beginning with: Turn on two issue authentication (2FA).
DUCK. Indeed, Doug.
You may as nicely be sure that a stolen password alone, or one which was purchased on the darkish internet, just isn’t sufficient for crooks to get in.
We’ve stated many occasions earlier than that 2FA just isn’t sufficient by itself – it doesn’t magically defend you towards all kinds of assault, however it does imply that crooks who don’t know the best way to pay money for passwords themselves, however who exit on-line and purchase them, can’t simply immediately steam in and begin scamming you.
DOUG. And then we’ve acquired: Look for options in your service supplier’s merchandise that may warn you when anomalies happen.
That’s one.
DUCK. Yes.
Tools resembling EDR or XDR (that’s prolonged detection and response)… they’re not solely there that can assist you discover blunders, they’re additionally there to be sure that the safety precautions which can be presupposed to be in place actually are there; that they’re actually doing what you assume.
And so, in case you’re maintaining a lookout for issues which may have gone flawed however you haven’t seen but, you might be in a a lot better place than simply ready for a recognized safety alert to pop up in your dashboard.
These days, that, by itself, is *obligatory*, however it’s not *ample*.
DOUG. And I actually like this one: Enforce a two step or extra course of for making important adjustments to accounts or companies, particularly adjustments in particulars for outgoing funds.
DUCK. It’s simple to say, “But why would any company or business person fall for that? It’s so obvious.”
But if the crooks have an in, say to the CFO or the top of accounting’s e-mail, they know precisely the best time to say the best contracts and the best quantities.
As at all times, two pairs of eyes are higher than one…
And not simply one thing the place, “Oh, I have to get my manager to click the button” and all of it goes via…
…for one thing like paying out one million kilos, you want to make it comparatively tough.
Ideally, you want two separate groups who examine whether or not the account change ought to undergo solely independently.
It additionally makes it more durable for insiders to collude, after all, if there are two separate groups which can be working individually.
DOUG. OK: If you see something that doesn’t look proper in an e-mail demanding your consideration, assume you’re being scammed.
DUCK. Yes, we had a Naked Security commenter as soon as (I feel you talked about it on the podcast, didn’t you, Doug?) the place they stated, “Hey, I spotted that a scammer was inside our network sending emails ,because they used an emoji where I was 99% certain that the sender of the email just wouldn’t have done so. [LAUGHTER] Not that they don’t know what emojis are, it’s just not their style.”
DOUG. And that dovetails properly with our subsequent tip: If you need to test particulars with one other firm primarily based on an e-mail, by no means depend on contact information supplied within the e-mail, particularly when cash is concerned.
DUCK. Yes, I feel you coated that elegantly final week, Doug, didn’t you, by saying, “You know, when there’s a phone number in the email, don’t phone it up and say, ‘Hi. Is that Twitter?’ Always find your own way there.”
DOUG. And then final, however definitely not least: Consider utilizing inner coaching instruments to show your employees about scams.
DUCK. Unsurprisingly, Sophos has simply such a device… we’re not giving that tip as a result of we need to sound like salespeople, however Sophos Phish Threat, that’s our device that can assist you:
If you don’t put your staff to the check, the place they’ll fail the check after which you should use that as a possibility to show them the best way to do higher subsequent time…
…in case you don’t check them, the crooks are jolly nicely going to do it for you, they usually’re going to strive it day after day after day, they usually’re not simply going to strive one particular person at a time.
Anything you are able to do to boost your organization’s collective resilience has acquired to be factor.
Just be sure that once you do issues like phishing checks that you simply deal with the instances of people that fail these checks with nice sympathy.
DOUG. OK, nice recommendation!
And because the solar begins to set on our present for right now, we do have our reader remark, and it’s on this story over on Twitter.
@Snowshoedan feedback on the Business Email Compromise story:
“it’s ironic that a dude who literally made a living off of other small mistakes made some huge ones. Don’t brag about your lifestyle on the socials if you did it illegally.”
DUCK. Hushpuppi definitely had thousands and thousands of followers, and I suppose he revelled in that, so he definitely went out of his method to attract consideration to himself.
I think about that he may very nicely have been caught anyway.
Though the images that you simply see within the Naked Security article got here from his Instagram account through the Department of Justice cost sheet to get a warrant for his arrest.
So they used it as a part of their very own proof to persuade the Magistrate Judge, “This guy is not just making dimes and nickels.”
DOUG. Excellent.
DUCK. “That’s definitely a Roller [Rolls Royce car], and that’s definitely a Bentley.”
DOUG. All proper, thanks for sending that in @Snowshoedan.
If you’ve gotten an fascinating story, remark or query you’d prefer to submit, we’d like to learn it on the podcast.
You can e-mail suggestions@sophos.com, you possibly can touch upon any one in every of our articles, or you possibly can hit us up on social: @NakedSecurity.
That’s our present for right now, thanks very a lot for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you, till subsequent time to…
BOTH. Stay safe