Recent security news and comments (Q3 2019)

Posted by punzalan at 2020-02-27

Article directory

★ Privacy protection ★ High-risk vulnerabilities ★ Networks and the web ★ Mobile devices ★ Network attacks and cyber warfare ★ Censorship and network blocking ★ Security tools ★ Hardware and physical security ★ Cryptography ★ Secure programming

Tomorrow I start my holiday, so I chose the last day of September to post this third-quarter "Recent security news and comments". This article is a little long and has more external links than usual; readers who can't get through it in one sitting can read it slowly over the holiday.

After China, more and more countries are deploying AI to track their citizens. According to the Carnegie Endowment for International Peace, which published the report "The Global Expansion of AI Surveillance", at least 75 countries are using AI tools such as face recognition. Countries using some form of AI surveillance include liberal democracies like the United States and France as well as more authoritarian governments. According to the report, Chinese technology companies led by Huawei, Hikvision, Dahua and ZTE have exported a large amount of AI surveillance technology around the world. Others, such as NEC in Japan and IBM, Palantir and Cisco in the United States, are also major suppliers of AI surveillance technology. China has also provided loans to foreign governments to buy Chinese surveillance tools; Kenya, Laos, Mongolia, Uganda, Uzbekistan and other countries would be unlikely to purchase AI surveillance tools without Chinese loans.

ZAO's popularity came almost overnight. Since its launch on August 30, the app rocketed within 24 hours to second place among free apps in various app stores and into the top ten Weibo trending topics for the same period.

This is equivalent to the user "transferring" their portrait rights when using the app: ZAO and its parent company Momo can do anything they like with the user's likeness. The danger is easy to imagine.

Disputes over selling face data in online stores

Domestic media reported that a merchant in an online mall was openly selling "face data", 170,000 items in all. According to the report, these "face data" cover the portraits of 2,000 people; besides the location of each face, they contain 106 facial key points, such as the contours of the eyes, ears and nose. Among the subjects are celebrities, ordinary citizens and some minors. The shop owner said he normally worked in artificial intelligence, had collected a lot of face data and sold it "to earn money", and did not provide the names, ID card numbers or other information of the people concerned. After the reporter's story, the goods were removed from the shelves. Some lawyers said the sale was suspected of violating the privacy rights of others.

The National Computer Virus Emergency Response Center published "Mobile app violations and governance measures". It lists six categories of problems in apps and SDKs, including eight categories of malicious behaviour such as remote control, malicious fee deduction, suspected violation of citizens' personal privacy and suspected collection of citizens' personal information beyond the stated scope. Applications with high download volumes, such as Momo (version 8.18.7), Toutiao (version 7.2.7), JD Finance (version 5.2.32) and Cloud QuickPass (version 6.2.6), are among those named.

The Chinese government secretly installs an application on the mobile phones of inbound tourists to collect and monitor their personal information. The mobile app, called Fengcai, can extract all kinds of information from tourists' phones, including emails, text messages and contact lists, the Süddeutsche Zeitung reported on Wednesday (July 3). The Süddeutsche Zeitung, NDR, the Guardian, the New York Times and other media had previously carried out a joint analysis.

According to the report, those affected were travellers from Kyrgyzstan who entered Xinjiang by land. At the border crossing they were asked to unlock their phones; police then took the phones into another room and installed the app on them.

What is new is that all foreigners entering by land now appear to be targets of the phone inspection. Travellers are asked to unlock their phones at the border crossing, and the police take them to another room and install the app, without giving the owners any detailed explanation.

A name appearing in Fengcai's source code shows that the application was produced by Nanjing FiberHome StarrySky Communication Development, a subsidiary of FiberHome, a manufacturer of optical cables and telecommunications equipment that is partly owned by the Chinese government. The company says on its website that its products help police collect and analyse data and that it has signed cooperation agreements with security agencies across China.

Then the U.S. government filed a civil lawsuit against Edward Snowden, which triggered the "Streisand effect" and drew even more attention to the book. The book has only just come out, and I haven't found an electronic version yet. If a free one turns up, I will share it on my online drive.

Microsoft has fixed four high-risk vulnerabilities in Remote Desktop Services that allow malicious programs to spread like worms, with no user interaction required at any point. CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226 allow unauthenticated attackers to execute arbitrary code by sending a crafted message. The vulnerabilities affect Windows 7, 8 and 10 as well as Windows Server 2008, 2012, 2016 and 2019. Unlike the BlueKeep vulnerability fixed in May this year, which mainly affected older versions, these affect the latest Windows operating systems. Computers must be patched as soon as possible, before the vulnerabilities are reverse engineered.

Tavis Ormandy, a researcher on Google's Project Zero security team, reported that Microsoft's little-known CTF protocol has a vulnerability that is easy to exploit. Hackers or malicious programs that have already gained a foothold on the victim's computer can use it to hijack any Windows application and take over the entire operating system. The vulnerability affects all Windows versions since XP. It is unclear whether or when Microsoft will release a patch.

In a study of hardware and firmware security, researchers at the security firm Eclypsium found that more than 40 Windows device drivers from at least 20 vendors had high-risk vulnerabilities allowing privilege escalation or the bypass of protections. The vendors include ASUS, Toshiba, NVIDIA and Huawei. These drivers are widely used and carry Microsoft's digital signature, which makes it easier for attackers to penetrate a target network covertly. Device drivers usually run with very high privileges, including write access that lets attackers establish a permanent foothold in the system. Eclypsium has informed Microsoft, and NVIDIA has released a fixed driver.

Researchers at Trend Micro's Zero Day Initiative have disclosed a 0day privilege-escalation vulnerability in the Android operating system that allows attackers with low privileges on an affected device to escalate them further. The vulnerability lies in the V4L2 driver used for real-time video capture: the driver does not verify that an object exists before operating on it. According to the researchers, any application or code that already has access to the V4L subsystem can use the vulnerability to gain higher privileges. The researchers who discovered it said they notified Google in March and were told in June that it would be fixed, but in August Google said it had no further updates. The vulnerability remains unfixed.

A hacker group calling itself 0v1ru$ broke into a contractor of a Russian intelligence agency and found that one of the contractor's projects was an attempt to de-anonymize Tor traffic. The intrusion took place on July 13. The attacked company, SyTech, is believed to have cooperated with the government on many projects since 2009. The hackers reached the company's entire IT network through SyTech's Active Directory server, stole 7.5 TB of data and defaced the company's web page. The disclosed secret projects of the Russian intelligence agency include: Nautilus-S, de-anonymizing Tor traffic with the help of malicious Tor nodes; Nautilus, collecting data on social media users; Reward, covert penetration of P2P networks; Mentor, which monitors and searches e-mail communications on the servers of Russian companies; and Tax-3, which creates a closed intranet, separated from other IT networks, to store highly sensitive information on government executives, judges and local officials. The Tor de-anonymization project started in 2012 and has been tested in the real world: in 2014 it was reported that 18 malicious Tor exit nodes were found in Russia, all running the same Tor version, 0.2.2.37.

Programming Random Notes: About 10 days ago, while chatting with readers in the blog comment area, I happened to discuss this very topic. Many cautious Tor users exclude certain [dangerous countries] in Tor's configuration file (torrc), such as China and Russia. I would like to add a few points:

1. On [spheres of influence]: for example, Belarus is essentially a "vassal" of Russia. If you want to exclude Russia's Tor nodes, you should also exclude Belarus's nodes while you are at it. (Note: this is just one example; Russia surely has more than one "vassal state".) By the same principle, the "Five Eyes alliance" mentioned in an earlier section of this article can be regarded as the sphere of influence of the United States.
2. On [whitelists]: if you find the [blacklist] approach too troublesome :( you can use a [whitelist] approach instead, restricting your Tor client to [only use] nodes in a few reliable countries.
3. On [isolation]: to make tracing back even harder, you can also put Tor's "entry node" and "exit node" in different spheres of influence. Since Tor users in China usually need a front proxy for the Tor client to reach the global Tor network, you can also consider putting the "front proxy", the "entry node" and the "exit node" in [different] spheres of influence.

(screenshot of a torrc configuration excluding the ru and by nodes)

Further reading: for how to customize Tor's configuration file, see the "How to climb over the wall" series: FAQ about Tor.

In the past quarter, the two major browsers (Chrome and Firefox) have both started to support "leaked password warnings". The principle is simple: Mozilla works with "Have I Been Pwned" to find out whether your password has appeared in a leak. Google followed by adding "password leak detection" to Chrome.
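How such a check can be done without the browser ever sending the password, as an added example (not Mozilla's or Google's code): the Have I Been Pwned "Pwned Passwords" range API takes only the first five hex characters of the password's SHA-1 and returns every hash suffix in that bucket with its breach count, so the comparison happens on the client. The range response and the count below are constructed stand-ins so the code runs offline.

```python
import hashlib
from typing import Tuple

# Constructed stand-in for HIBP's /range/<prefix> endpoint: the real service
# returns "SUFFIX:COUNT" lines for every hash sharing the 5-character prefix.
# "password" hashes to 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the count is made up.
_CONSTRUCTED_RANGES = {
    "5BAA6": "1D2BB5E5C2B3F7A9D6E5F4C3B2A1908070605:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n",
}
_FILLER = "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"  # a bucket with no match


def split_sha1(password: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-character prefix ever leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_bucket(suffix: str, bucket: str) -> int:
    """Scan a range response locally; the server never learns which suffix matched."""
    for line in bucket.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_offline(prefix: str) -> str:
    """Constructed transport; for real use replace with an HTTPS GET of /range/<prefix>."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly five uppercase hex digits")
    return _CONSTRUCTED_RANGES.get(prefix, _FILLER)


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Return how often the password appears in the breach corpus (0 means not seen)."""
    prefix, suffix = split_sha1(password)
    return count_in_bucket(suffix, fetch_range(prefix))


if __name__ == "__main__":
    for pw in ("password", "a long unique passphrase 8f3k"):
        print(pw, "->", breach_count(pw))
```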

Programming Random Notes: Earlier, a reader asked in the blog comments how many Tor users there are in China. According to the comments of the Tor Project leader above, at least [30,000] users in China used Tor bridges in 2010. After so many years, I [conservatively] estimate that the figure is now more than 100,000.

How Simjacker works

Simjacker begins with an attacker using a smartphone, a GSM modem, or any A2P (application-to-person) service to send an SMS message to a victim’s phone number.

According to TNW, network security researchers have warned of a serious vulnerability in SIM cards that allows remote attackers to attack a target's phone and monitor the victim by sending SMS messages without the user's knowledge. AdaptiveMobile Security of Dublin said the vulnerability, known as "Simjacker", had been exploited by a spyware vendor for at least two years, but the security company did not disclose the name of the company exploiting it or any information about the victims.

The Russian anti-virus company Kaspersky reported that CamScanner (also listed as CamScanner Phone PDF Creator and CamScanner to Scan PDFs), a popular app with more than 100 million downloads from the Google Play store, was found to contain malicious modules. CamScanner used to be a legitimate application with no malicious functionality for most of its life, earning revenue through advertising and in-app purchases. At some point the situation changed, and the latest CamScanner release included an advertising library containing a malicious module, which Kaspersky named Trojan-Dropper.AndroidOS.Necro.n. Similar modules had previously been found in malicious programs pre-installed on smartphones made in China. The module downloads encrypted code from a server designated by the developer, decrypts it on the device and executes it. Some CamScanner users noticed the app's suspicious behaviour and left messages on its store page to warn other users.

Programming Random Notes: Not long ago, the Twitter CEO's account was hijacked. Many fans mistakenly thought his account had been hacked; in fact it was a "SIM card hijacking attack". This attack targets [the carrier], because Twitter offers a [text messaging service]: the attacker only needs to bind the victim's mobile number to the attacker's own SIM card, after which the attacker can post [tweets by SMS] from that SIM card. The effect is similar to hijacking the other party's Twitter account (and the attacker does not need to know the account password). So how does the attacker bind the victim's phone number to his own SIM card? Roughly one of two ways: either "social engineering" (commonly known as "deception") of the carrier's staff, or first intruding into (infiltrating) the carrier's network and then hijacking the victim's phone number onto his SIM card.

In December 2016, Russian hackers launched an unprecedented destructive attack on the Ukrainian power grid. Two days before Christmas, they implanted malicious programs in the network of Ukrenergo, the Ukrainian state grid operator, and shortly before midnight opened all the breakers of a transmission substation in northern Kiev, causing a blackout. But the outage lasted only an hour; Ukrenergo's operators simply restored power. Did the Russian hackers spend so much effort just to cause an hour of blackout? According to an analysis of the malware code and network logs (PDF) by Dragos, an industrial control system security company, the hackers were far more ambitious: they were trying to cause lasting damage that would have led not to an hour but to weeks or even months of power failure.

WASHINGTON (Reuters) - Two U.S. senators on Monday asked the Federal Communications Commission and the National Security Agency to review whether two state-owned Chinese telecommunications companies should be allowed to operate in the United States, amid mounting concerns about possible Chinese espionage.

Democratic Senate leader Charles Schumer and Republican Senator Tom Cotton asked FCC chairman Ajit Pai to review the licences issued in the early 2000s that allow China Telecom (0728.HK) and China Unicom (0762.HK) to operate in the United States.

"These [Chinese] state-owned enterprises continue to have access to our telephone lines, fiber optic cables, mobile networks and satellites, which may enable [China] to target the communications of the American people, American businesses and the U.S. government, including 'hijacking' traffic and routing it through China," the two senators wrote to the FCC. The letter was also sent to the Department of Defense and the Department of Homeland Security.

In May the FCC voted unanimously not to allow another state-owned Chinese telecommunications company, China Mobile (0941.HK), to provide services in the United States, citing the risk that the Chinese government could use the licence to conduct espionage against the U.S. government. At the time, the FCC revealed that it was examining existing licences.

Brian Hart, an FCC spokesman, said Pai "has made clear that the Commission is reviewing other Chinese telecom companies, such as China Telecom and China Unicom."

(Schematic diagram of China Telecom hijacking traffic)

(traceroute output showing that traffic "from Britain to Australia" passes through China, which it [should not])

(traceroute output showing that traffic from California to Washington, D.C. also passes through China)

According to the Digital Attack Map, Hong Kong has been the centre of DDoS attacks in the past few days. The Digital Attack Map is a joint project of Google Ideas and Arbor Networks: it uses Arbor Networks' DDoS attack data, and Google's Big Picture team helped develop and design the interactive map, which visualizes global DDoS attacks in real time.

Programming Random Notes: The article above was published on September 3, 2019, at one of the peaks of the Hong Kong protests. Even a moment's thought makes it clear that this is the work of the regime's [state hackers]. Private hackers, even when they launch DDoS attacks, do so sporadically, not on a scale that would show up on the global "Digital Attack Map".

The Hong Kong Internet Service Providers Association (HKISPA) issued an emergency statement on Wednesday saying that on the modern Internet, with complex technologies such as VPNs, cloud services and encryption, it is almost impossible to block any service effectively unless Hong Kong's Internet is locked behind a surveillance firewall. HKISPA warned that restrictions could not stop determined users, who would continue to reach services through VPNs and other channels, forcing the authorities to keep tightening them; any small restriction could therefore eventually grow into a Great Firewall like China's. Ending Hong Kong's open Internet, it added, would immediately and permanently reduce investment by Internet companies in Hong Kong.

Programming Random Notes: I am a bit worried that in the near future Hong Kong netizens will also run into the wall (the GFW). The above public statement issued by the Hong Kong ISP association at the end of August seems to share this concern.

(Countries subject to U.S. trade sanctions: Crimea, Cuba, North Korea, Iran, Syria)

Note: a "trade war" and "trade sanctions" are [different] things, so for the time being there is no need to worry about account restrictions. I mainly want to remind readers who use Tor to log in to their GitHub accounts: GitHub determines your country from the [visitor IP], and when you log in to GitHub through Tor, the "public IP" of the [exit node] is the "visitor IP" that GitHub's server sees. To avoid being restricted by GitHub, modify Tor's configuration file (torrc) to exclude the above countries that are subject to U.S. trade sanctions (that is, [do not] use Tor nodes in those countries).

(screenshot of the torrc configuration)
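The three torrc rules from the earlier note (exclude whole spheres of influence, whitelist reliable countries, keep entry and exit in different spheres) and the exit-node exclusion GitHub's visitor-IP check makes necessary can be generated and checked mechanically. The Python below is an added example, not the post author's configuration: the option names (ExcludeNodes, ExcludeExitNodes, EntryNodes, ExitNodes, StrictNodes) are real Tor options, while the sphere groupings and the ISO-code mapping of the sanction list are assumptions.

```python
import re

# Assumed sphere-of-influence groupings (illustrative, except that Belarus is
# placed in Russia's sphere as the note suggests).
SPHERES = {
    "russia": {"ru", "by"},
    "china": {"cn"},
    "five_eyes": {"us", "gb", "ca", "au", "nz"},
}
# The post's sanction list as ISO codes. Crimea is a region with no ISO country
# code, so a torrc country selector cannot express it; it is absent here.
SANCTIONED = {"cu", "kp", "ir", "sy"}
NODE_OPTIONS = ("ExcludeNodes", "ExcludeExitNodes", "EntryNodes", "ExitNodes")
_CC = re.compile(r"\{([A-Za-z]{2})\}")

def selector(codes):
    """Render country codes in torrc's {cc},{cc} syntax."""
    return ",".join("{%s}" % c for c in sorted(codes))

def build_torrc(exclude_spheres, entry_countries, exit_countries):
    """Blacklist whole spheres, whitelist entry/exit countries, forbid fallback."""
    excluded = set().union(*(SPHERES[s] for s in exclude_spheres))
    return "\n".join([
        "ExcludeNodes " + selector(excluded),
        "ExcludeExitNodes " + selector(SANCTIONED),  # GitHub judges by exit IP
        "EntryNodes " + selector(entry_countries),
        "ExitNodes " + selector(exit_countries),
        "StrictNodes 1",  # ExcludeNodes is only a preference unless this is set
    ]) + "\n"

def parse_torrc(text):
    """Return {option: set(codes)} for node options, plus StrictNodes as a bool."""
    policy = {}
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(" ")
        if key in NODE_OPTIONS:
            policy[key] = {c.lower() for c in _CC.findall(value)}
        elif key == "StrictNodes":
            policy[key] = value.strip() == "1"
    return policy

def sphere_of(code):
    return next((n for n, codes in SPHERES.items() if code in codes), None)

def check_policy(policy):
    """List violations of the note's rules; an empty list means the policy passes."""
    findings = []
    excluded = policy.get("ExcludeNodes", set())
    entry, exits = policy.get("EntryNodes", set()), policy.get("ExitNodes", set())
    for code in sorted(excluded):  # rule 1: exclude the whole sphere, not one member
        missing = SPHERES.get(sphere_of(code), set()) - excluded
        if missing:
            findings.append("%s excluded but sphere peers %s are not" % (code, selector(missing)))
    shared = {sphere_of(c) for c in entry} & {sphere_of(c) for c in exits} - {None}
    if shared:  # rule 3: entry and exit must sit in different spheres
        findings.append("entry and exit share sphere: " + ",".join(sorted(shared)))
    # exit-IP rule: with a whitelist, no sanctioned code in it; without one, all excluded
    banned = excluded | policy.get("ExcludeExitNodes", set())
    leak = exits & SANCTIONED if exits else SANCTIONED - banned
    if leak:
        findings.append("exit may land in a sanctioned country: " + selector(leak))
    if not policy.get("StrictNodes"):
        findings.append("StrictNodes 1 missing: Tor may fall back to excluded nodes")
    return findings
```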

Matt Wixey, a security researcher, has found that a large number of electronic devices do little to prevent themselves from becoming "offensive" cyber weapons. His doctoral research explores whether malicious programs can cause direct physical harm. He examined a large number of devices to see whether their volume and speaker controls could be manipulated to produce harmful high- and low-frequency sounds, and found that in some cases the sound emitted by electronic devices can be disorienting and that the noise can approach levels that damage human hearing. He presented his findings at the DEF CON security conference in Las Vegas on August 11.

Why work hard to find a 0day vulnerability or brute-force a login password when you can simply walk in? Security researchers at IBM X-Force Red have developed a proof-of-concept technique called warshipping: the way into the target network is to pack the attack device in a parcel and let the postman deliver it to the target's mail room. Warshipping is not a new concept; it is a modern version of the ancient Trojan horse. The warshipping device is the size of a mobile phone, supports 3G, can be remotely controlled from anywhere with mobile coverage and costs about $100 to build. It periodically scans nearby wireless networks, and the attackers can then carry out passive or active attacks to penetrate the target's wireless network.

Programming Random Notes: The above tactic belongs to the categories of "social engineering" and "physical security". This intrusion technique once again highlights the risk of [wireless networks] (compared with "wired networks") and demonstrates one of the ways to "break through network isolation" (there are many). In the case above, the package delivered to the mail room acts as a "relay springboard". Suppose, for example, that an organization's defences are very tight and its internal network is completely [physically isolated] from the public network, but unfortunately the intranet uses [wireless networking] and some intranet servers have security vulnerabilities (physical isolation makes "online upgrades" inconvenient, so unpatched vulnerabilities are more likely). In this case the attacker can place a controller in a [mailed package] (see the article above for details). The controller itself connects to the public network over the mobile network; if it can scan the organization's internal wireless network for vulnerabilities and carry out the intrusion, it becomes a bridge between the "physically isolated intranet" and the "public network", and the physically isolated intranet is penetrated.

Deriving a person's private key from a Bitcoin public key would take longer than the age of the universe on a conventional computer, but quantum computers are thought to be able to reduce the time required to a few minutes. That quantum computing can quickly break conventional encryption is not a new problem; many experts believe it will take at least ten years to develop new encryption that can resist quantum computing, and progress in quantum computing may allow Bitcoin's encryption to be broken earlier than expected. One prediction is that Bitcoin will be cracked by 2027, and some believe action should be taken as soon as possible.

Because of its cross-platform capability, the Electron development framework is a key component of many applications. Based on JavaScript and Node.js, Electron is used in Skype, WhatsApp, Slack and other popular messaging applications, and even in Microsoft's Visual Studio Code development tool. But Electron also brings security risks: it is easy to modify and to implant a backdoor into. Security researcher Pavel Tsakalidis demonstrated a Python tool called BEEMKA that can unpack an Electron ASAR archive and inject new code into its JavaScript libraries and built-in Chrome browser extensions. The weakness is not in the applications themselves but in the underlying Electron framework they use. Tsakalidis said he contacted Electron but received no response.