FOXTROT/ALFA: Norway under Hacker Attack, Problematic Firefox Update, Apple and Google Enable Coronavirus Contact-Tracing without an App

Welcome to issue 143 of FOXTROT/ALFA, my daily newsletter for tech and tech policy. Today is Wednesday, 2 September 2020, which means I just got done releasing a new episode of my privacy podcast. You can read about that here.

The latest episode of my privacy podcast deals with the horribly written software that is used to store people’s contact data. Data that they are forced to hand over whenever visiting a restaurant here in Germany these days.

Okay, with the self promotion out of the way, here’s your tech news overview:

WordPress Sites under Attack

WordPress sites are currently being attacked via a flaw in the popular File Manager plugin.

Hackers are actively exploiting a vulnerability that allows them to execute commands and malicious scripts on Websites running File Manager, a WordPress plugin with more than 700,000 active installations, researchers said on Tuesday. Word of the attacks came a few hours after the security flaw was patched.

Attackers are using the exploit to upload files that contain webshells that are hidden in an image. From there, they have a convenient interface that allows them to run commands in plugins/wp-file-manager/lib/files/, the directory where the File Manager plugin resides. While that restriction prevents hackers from executing commands on files outside of the directory, hackers may be able to exact more damage by uploading scripts that can carry out actions on other parts of a vulnerable site.

The security flaw is in File Manager versions ranging from 6.0 to 6.8. Statistics from WordPress show that currently about 52 percent of installations are vulnerable. With more than half of File Manager’s installed base of 700,000 sites vulnerable, the potential for damage is high. Sites running any of these versions should updated to 6.9 as soon as possible.

Norwegian Parliament Hacked

Meanwhile, municipalities and the wider government in Norway are also under attack from hackers. Among the systems breached is are internal email servers of the country’s parliament.

The Norwegian Parliament (Stortinget) said on Tuesday that it fell victim to a cyber-attack that targeted its internal email system. In a press release today, Stortinget director Marianne Andreassen said that hackers breached email accounts for elected representatives and employees alike, from where they stole various amounts of information. Andreassen said the incident is currently under investigation, and, as a result, couldn’t provide any insight into who was behind the attack, or the number of hacked accounts.

Norway’s intelligence agency is currently investigating the incident, according to a statement the agency posted on its Twitter account earlier today. While the investigation is still ongoing, Andreassen said that Stortinget has already started notifying impacted representatives and employees about the incident. Local press, who first broke the story about the attacks, also reported that the parliament’s IT staff has shut down its email service to prevent the hackers from siphoning more data.

Problematic Firefox Update

Mozilla has had to release Firefox 80.0.1 because of problems with the original Firefox 80 release.

Mozilla today released Firefox 80.0.1, an out of band update designed to fix crashes caused by GPU resets and issues affecting downloads triggered by browser extensions. Firefox 80.0.1 also fixes rendering issues on some websites that are using WebGL to render content, a bug that leads to broken text being rendered on Linux systems (with Xorg and NVIDIA graphics) and on Windows 10 devices (with Direct3D 11). This version also addresses “a performance regression when encountering new intermediate CA certificates” and the “zoom-in keyboard shortcut on Japanese language builds.”

The download issues are caused by missing third-party cookies in the download requests which could result in incorrect downloads. Mozilla fixed this issue by adding relevant cookies to all extension-initiated download requests, as well as to all browser-triggered ‘Save as’ downloads. This happens “even when tracking protection is configured to be very strict (e.g. blocking all third-party cookies),” according to Mozilla Browser Engineer Rob Wu.

What Do You Want to Be When You Grow Up?

If you still have any doubt that the Chinese are going to take over, you best bury that notion now. We are doomed.

Ring Cameras Might be Used to Spy on Police

This is hilarious. First the police in the US use Amazon’s Ring cameras to spy on everyone, now the FBI is worried the cameras will be used to spy on police. Can’t make this shit up.

Hacked documents suggest that the FBI is concerned some people may be using Ring or other smart doorbells to watch the police. The papers describe a 2017 incident where someone remotely watched live footage of police preparing to serve a search warrant. Previously, privacy advocates have raised concerns about data from smart doorbells being shared with police.

The hacked papers, known collectively as BlueLeaks, were stolen from more than 250 police websites. The document in question is a technical analysis bulletin, offering an overview of the opportunities and challenges for police from home security systems and smart doorbells. The 2017 incident describes how someone under investigation was able to “covertly monitor law enforcement activity while law enforcement was on the premises” and alert his neighbour and landlord. It does not name the brand of video doorbell used.

If you want to learn more on why Ring cameras are such a privacy issue, I recorded a podcast episode on this a while back.

Apple and Google Enable Coronavirus Contact-Tracing without an App

Apple’s and Google’s coronavirus contact tracing framework now works without an app from a local health authority.

Google and Apple have updated their COVID-19 contact-tracing tool to make it possible to notify users of potential exposures to the novel coronavirus without an app. The new Exposure Notifications Express spec is baked into iOS 13.7, which emerged this week and will appear in an Android update due later this month.

The update is designed to let health authorities use Bluetooth-powered contact-tracing without having to build their own apps. It’s still non-trivial to play, as the system requires one server to verify test results and another to run both contact-tracing apps and the app-free service.

This is interesting as it goes somewhat against the whole setup as it was intended originally. It’s also news to me that local health authorities can use this system to prompt people into opting into the data collection. That’s pretty pervasive and an interesting precedent. I don’t think we had a situation before this where the state could use an operating system to directly send a message to a user without them being able to prevent it. They cover pretty much 100% of the market as well. Worrying, if you ask me. What’s the next step?

This is not, repeat not, pervasive Bluetooth surveillance. The tool requires users to opt in, although public health authorities can use the tool to send notifications suggesting that residents do so.

Linux From Scratch 10.0

The latest version of Linux From Scratch is out.

Just over twenty years after the Linux From Scratch project was started as a guide/book to building all of the software components manually from source, Linux From Scratch 10.0 has been released. With Linux From Scratch 10.0, the book has gone through a “major reorganization” to cover more cross-compilation techniques and other improvements. Linux From Scratch 10.0 focuses on using a toolchain of GCC 10.2, Glibc 2.32, and Binutils 2.35. Linux 5.8.3 is the current kernel being used for testing. An updated version of the Linux From Scratch book for systemd usage was also released.

Return of the JEDI

The Joint Enterprise Defense Infrastructure (JEDI) saga continues to plod on.

The ongoing JEDI pantomime took another turn today as Oracle’s challenges to the handling of the winner-takes-all $10bn cloud contract were rejected by a US appeals court. Somewhat irrelevant to Microsoft, which was awarded the Joint Enterprise Defense Infrastructure (JEDI) contract in October, Big Red’s protest was related to an alleged breaking of the rules in how the contract was set up by the Pentagon, as well as allegations of conflicts of interest with Oracle’s fellow JEDI loser, Amazon Web Services.

The lucky winner, pending all the appeals and stays, of the JEDI contract will be expected to provide America’s Department of Defense with enterprise-grade cloud computing services over the course of 10 years. That the deal was awarded to a single provider, rather than multiple vendors, upset Oracle among other things. Hence the lawyers and legal challenges.

The US Court of Federal Claims took a long, hard look at the database goliath’s gripes, and its decision on Wednesday was not good news for Larry Ellison’s crew. Although the court agreed that a legal error had been committed when Uncle Sam opted for the single-source approach, it also concluded that the error had been harmless. Even if the multi-source approach had been used, “Oracle would not have been able to satisfy the requirements of Gate 1.2.”

Gate 1.2 required a JEDI bidder to have already in place at least three commercial cloud-hosting data centers within the US, separated by at least 150 miles, and met various requirements regarding FedRAMP, which is the US government’s program for assessing and managing the security of computer systems used by federal workers.

“Oracle,” according to the court, “did not satisfy the FedRAMP Moderate Authorized requirement as of the time the proposals were to be submitted.” Furthermore, the court also rejected Oracle’s contention that Gate 1.2 was unreasonable because it “unnecessarily restricted competition.” Not so, said the court, which looked at the needs of the Department of Defense and reckoned its requirements were reasonable. Thus, in this instance, the complaint regarding single versus multiple awards was moot. The decision, filed this morning, held that “the only logical conclusion is that, if multiple awards were made, the security concerns would ratchet up, not down.”

Those worrying how all those lawyers will manage to pay for their Ferraris need not fret. The rejection by the appeals court of Oracle’s challenge is one of several appeals being processed by the US legal system regarding JEDI. In a separate vendor bias lawsuit filed by Amazon against the United States and Microsoft, the Pentagon last month asked for extra time to look over the contract bids again, and was allowed to stall the case until September 16. Amazon’s objection to the whole affair is based on a contention that Microsoft’s bid relied on allegedly “non-compliant” storage technology and should therefore have been ruled out.

Also Noteworthy

Other stories I’ve been reading today:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.