FOXTROT/ALFA: DEF CON is Cancelled, Zombieload Won’t Die, Avast Anti-Virus is Spying on its Users

Good evening! This is FOXTROT/ALFA #72, it is Tuesday, 28 January 2020. Before we get into the tech news, the biggest non-tech story at the moment is obviously the coronavirus outbreak in China. I feel it is being reported very badly by most big news organisations, so I wrote a little primer on this thing between other stuff today. Just in case you are interested. Now here’s the tech stuff:

DEF CON China Cancelled

Oh wait, there actually is a coronavirus-related technology story:

DEF CON is cancelled. DEF CON China, that is. The Middle Kingdom edition of the computer hacking conference has been called off due to the nation’s latest coronavirus outbreak.

The cancellation was announced by the DEF CON team on Monday, a little more than ten weeks before the confab was scheduled to take place in Beijing. This was to be the second annual outing of the DEF CON event in the Middle Kingdom.

Fortinet Removes SSH Backdoor

Firewall manufacturer Fortinet has removed a hardcoded SSH user from its FortiSIEM software. Attackers could have extracted the credentials for this user from the code of a FortiSIEM installation and gained access.

A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user “tunneluser” by leveraging knowledge of the private key from another installation or a firmware image.

This user runs in a restricted shell that lets only that user create tunnel connections from the supervisor to the originating IP (i.e. enabling reverse-shell connections to the IP that initiated the connection). This is a feature that exists to enable connecting to collectors from the supervisor when there is a firewall between the collector and the supervisor.

Looks like the issue (CVE-2019-17659) was found by an independent security researcher.

Intel Attempts Another Zombieload Fix

Intel is fixing Zombieload again.

On Monday, Intel announced that it will issue yet another update to its processors designed to solve a problem it calls “microarchitectural data sampling,” or MDS. Different teams of researchers who independently discovered the issue call it RIDL or Zombieload, and warned Intel about the problem as early as June of 2018. The new update, which Intel says will be made available “in the coming weeks,” is intended to fix two methods to exploit Intel chips via MDS, which have remained possible even after Intel released MDS patches in May of 2019 and then again last November. Some of the researchers first warned Intel about the more serious of the two flaws that it’s trying to fix now in a paper shared with Intel fully a year ago. Other researchers even shared proof-of-concept code with the company last May.

To recap what Zombieload is:

As a time-saving measure, Intel processors sometimes execute a command or access a part of a computer’s memory “speculatively,” guessing at what a program will want before it even asks. When that speculative execution accesses an invalid location in memory, the process aborts. In that event, the processor is designed to access arbitrary data from buffers, parts of the chip that serve as the “pipes” between different components, such as its processor and cache. The researchers who discovered MDS showed last year that a hacker could use that trick to obtain information that should be protected – anything from sensitive user data and passwords to decryption keys.

The guys researching this don’t think highly of Intel’s ways of preventing and fixing these things. Intel is famously secretive and has been accused by many in the security and hardware fields of often resting on its laurels as biggest desktop chip manufacturer.

“Security engineering at Intel (or rather lack thereof) is still business as usual,” writes Cristiano Giuffrida, one of the researchers at Vrije Universiteit in Amsterdam who first discovered the MDS attacks, in an email to Wired. “These issues aren’t trivial to fix. But after eighteen months, they’re still waiting for researchers to put together proofs-of-concept of every small variation of the attack for them? It’s amazing. We don’t know the inner workings of Intel’s team. But it’s not a good look from the outside.”

Avast Anti-Virus is Spying on its Users

Meanwhile, Czech anti-virus vendor Avast is in hot water over selling the web browsing data of its users. This has been uncovered by journalists at Vice and PC Magazine who write:

Our report relies on leaked user data, contracts, and other company documents that show the sale of this data is both highly sensitive and is in many cases supposed to remain confidential between the company selling the data and the clients purchasing it.

The documents, from a subsidiary of the antivirus giant Avast called Jumpshot, shine new light on the secretive sale and supply chain of peoples' internet browsing histories. They show that the Avast antivirus program installed on a person’s computer collects data, and that Jumpshot repackages it into various different products that are then sold to many of the largest companies in the world. Some past, present, and potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Home Depot, Condé Nast, Intuit, and many others. Some clients paid millions of dollars for products that include a so-called “All Clicks Feed,” which can track user behavior, clicks, and movement across websites in highly precise detail.

The free version of Avast is one of the most used anti-virus solutions on consumer PCs. The company was hacked last year through its subsidiary CCleaner and it was reported back then that the hackers had full access to Avast’s networks. I kinda wonder if this data leak is from that hack.

Avast claims to have more than 435 million active users per month, and Jumpshot says it has data from 100 million devices. Avast collects data from users that opt-in and then provides that to Jumpshot, but multiple Avast users told Motherboard they were not aware Avast sold browsing data, raising questions about how informed that consent is.

Multiple users, eh? When they have 435 million in total? Not good sourcing there, guys. But I wouldn’t be surprised if most people using this product aren’t aware of this. Nobody reads terms and conditions or other fine print. Regular consumers regularly are surprised about data collection that seems par for the course for anyone who’s doing any work with technology.

The data obtained by Motherboard and PCMag includes Google searches, lookups of locations and GPS coordinates on Google Maps, people visiting companies' LinkedIn pages, particular YouTube videos, and people visiting porn websites. It is possible to determine from the collected data what date and time the anonymized user visited YouPorn and PornHub, and in some cases what search term they entered into the porn site and which specific video they watched.

Ah yes, nothing to scare your readers like rolling out the old porn spectre.

Although the data does not include personal information such as users' names, it still contains a wealth of specific browsing data, and experts say it could be possible to deanonymize certain users.

In a press release from July, Jumpshot claims to be “the only company that unlocks walled garden data” and seeks to “provide marketers with deeper visibility into the entire online customer journey.” Jumpshot has previously discussed some of its clients publicly. But other companies mentioned in Jumpshot documents include Expedia, IBM, Intuit, which makes TurboTax, Loreal, and Home Depot. Employees are instructed not to talk publicly about Jumpshot’s relationships with these companies.

“It’s very granular, and it’s great data for these companies, because it’s down to the device level with a timestamp,” the source said, referring to the specificity and sensitivity of the data being sold. Motherboard granted the source anonymity to speak more candidly about Jumpshot’s processes.

That’s actually the first time they mention their source. It really makes you wonder…

Until recently, Avast was collecting the browsing data of its customers who had installed the company’s browser plugin, which is designed to warn users of suspicious websites. Security researcher and AdBlock Plus creator Wladimir Palant published a blog post in October showing that Avast harvest user data with that plugin. Shortly after, browser makers Mozilla, Opera, and Google removed Avast’s and subsidiary AVG’s extensions from their respective browser extension stores.

Palant is, of course, a bit of a shady character himself. AdBlock Plus famously whitelists certain kinds of ads and it was reported in the past that companies pay for this privilege. I’ve never understood how people could use an ad blocker that purposefully lets ads get through. Seems to me you either use an ad blocker because you don’t want to see any ads or you might as well not use one.

Avast had previously explained this data collection and sharing in a blog and forum post in 2015. Avast has since stopped sending browsing data collected by these extensions to Jumpshot, Avast said in a statement to Motherboard and PCMag.

However, the data collection is ongoing, the source and documents indicate. Instead of harvesting information through software attached to the browser, Avast is doing it through the anti-virus software itself. Last week, months after it was spotted using its browser extensions to send data to Jumpshot, Avast began asking its existing free antivirus consumers to opt-in to data collection, according to an internal document.

By the way, of all the excuses companies have for buying this data, Yelp takes the cake. Hold on to your hats, this is a good one, boys and girls.

A Yelp spokesperson wrote in an email, “In 2018, as part of a request for information by antitrust authorities, Yelp’s policy team was asked to estimate the impact of Google’s anticompetitive behavior on the local search marketplace. Jumpshot was engaged on a one-time basis to generate a report of anonymized, high-level trend data which validated other estimates of Google’s siphoning of traffic from the web. No PII was requested or accessed.”

So yes, instead of going on with this very long story, here’s the gist of it: Avast, probably in a effort to make some money on those its customers it probably sees as freeloaders for using its free product, collected all their browsing data. They probably complied with basic legislation by putting this into their TOS and outsourced it into another company, probably to protect themselves in case of legal fallout. Classic Silicon Valley move, even though they’re in Prague.

I’d be very surprised if their half-assed way of acquiring consent from people passes muster under the GDPR, though. I know next to nothing about Czech law, but since they are an EU member, they were required to pass local legislation in line with GDPR and are responsible towards EU citizens from other countries using their software. The fact that they’ve started asking for consent more directly, probably in line with GDPR regulations, and probably after they cottoned on to the Vice investigation, will not save them from the massive EU fine headed their way once Brussels gets its act together on this. And it shouldn’t.

Make no mistake, this is an asshole move on their part. Yes, yes, techie smartasses will be happy to point out that “with a free product, you’re the product” and so on but that doesn’t make this less wrong. It’s not surprising if you know what’s been going on in tech in the last ten years, but it’s still very wrong and it’s time for companies to understand that this kind of behaviour is not tolerated by users or legislators alike.

UK to Restrict Huawei Network Gear

Even though nobody, not even the Five Eyes intelligence agencies, can point to an actual factoid of Huawei network gear being dangerous, we apparently must keep it out of our 5G networks. Probably so the US backdoors – Snowden, cough, cough – have no competition. The UK has now communicated a decision in line with this thinking.

The British government is set to severely restrict the use of Huawei’s cheap kit to a fraction of non-core networks across the UK due to worries about the Chinese vendor’s link to China.

Huawei is singled out as an example of a “high risk vendor” that should be kept away from anything important. To be clear, the proposed guidance and rules fall short of demanding a full ban on these so-called high risk vendors, and instead insist that they should be limited to non-sensitive areas of the network and have their market share artificially limited.

As previously expected, the government reckons communications providers should be legally prohibited from using risky vendors on core network elements. They will, however, continue to be allowed to use such equipment on non-core elements of the network. In the case of 5G, this extends to things like antennas and radio access network (RAN) infrastructure. The guidelines define high-risk vendors as those who pose “greater security and resilience risks.”

This is all politics. There’s no actual evidence to suggest there are Chinese backdoors in actual devices. Same with US and Russian gear. We should probably expect all of these states to have backdoors in all kinds of communications equipment. Especially the Chinese, because they build almost all of it. Singling them out like this is propaganda, though.

The US and UK just want to direct your attention away from them spying on you to China spying on you.

Also Noteworthy

Other stories that I came across today that might be worth checking out:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.