FOXTROT/ALFA: The UN Covered Up That It Was Hacked, Avast Backpedals, Mozilla Looking to Monetise Thunderbird

Hello and welcome to FOXTROT/ALFA #73 for Thursday, 30 January 2020. First of all, I’m sorry for missing an issue of the newsletter yesterday. I just didn’t get around to it because of work and social commitments. So here’s a recap of the tech news of the last two days.

Apple has issued a number of software updates for macOS and iOS that fix critical vulnerabilities.

In particular, both iOS 13 and the most recent three versions of macOS get fixes for several kernel-level security problems (the relevant macOS versions are 10.13, 10.14 and 10.15, better known as High Sierra, Mojave and Catalina).

There are also updates for critical flaws in the online shop software Magento, which is owned by Adobe.

Adobe issued patches on Tuesday as part of its overall release of the Magento 2.3.4 upgrade, giving the fixes a “priority 2” rating. In Adobe parlance, priority 2 means that administrators should apply the updates within 30 days. Out of the flaws, Adobe has fixed three that it rates as critical in severity, meaning that successful exploits could “allow malicious native code to execute, potentially without a user being aware.”

OpenBSD has released a patch for its SMTP daemon OpenSMTPD, which could be taken over by an attacker sending a malicious email to a system running the unpatched service.

Infosec biz Qualys discovered and this week disclosed CVE-2020-7247, a root privilege-escalation and remote code execution flaw in OpenSMTPD. It can be exploited locally by a normal user to execute shell commands as root, if using the daemon’s default configuration, or locally and remotely if the daemon is using its “uncommented” default configuration, in which it listens on all interfaces and accepts external mail. Getting root access means it’s game over: the machine is now yours.

This bug is bad news for anyone running a public-facing, external-mail-accepting OpenSMTPD deployment. Check for security updates to close the hole, apply this patch, or disable the daemon. The versions shipping with OpenBSD 6.6, the latest available, and Debian testing, aka Bullseye, are vulnerable to attack; other releases may be as well. The bug dates back to May 2018.

Hack of the Day: The UN

Anybody can get hacked. It’s nothing to be ashamed of, really, no matter how big your organisation is. The real test of character is how you deal with it afterwards. A test that the UN just failed abysmally.

The United Nations’ European headquarters in Geneva and Vienna were hacked last summer, putting thousands of staff records at miscreants' fingertips. Incredibly, the organization decided to cover it up without informing those affected or the public. That is the extraordinary claim of The New Humanitarian, which until a few years ago was an official UN publication covering humanitarian crises. Today, it said the UN has confirmed both the hack and the decision not to divulge any details.

Dozens of UN servers were impacted in an attack that began in mid-July 2019 but was only noticed one month later, according to a confidential report dated September 20. The publication gained access to that report, which outlines a series of security holes discovered by an external forensic company as well as internal efforts to contain the hack.

A senior IT official dubbed the attack a “major meltdown,” in which personnel records – as well as contract data covering thousands of individuals and organizations – were accessed. The hackers were able to get into user-management systems and past firewalls, eventually compromising over 40 servers, with the vast majority at the European headquarters in Geneva. But despite the size and extent of the hack, the UN decided to keep it secret. Only IT teams and the heads of the stations in question were informed.

As to the miscreants' entry point, it was a known flaw in Microsoft SharePoint (CVE-2019-0604) for which a software patch had been available for months, yet the UN had failed to apply it.

Wow. This does not inspire confidence. At all.

Employees whose data was within reach of the hackers were told only that they needed to change their password and were not informed that their personal details had been compromised. That decision not to disclose any details stems from a “cover-up culture”, the anonymous IT official who leaked the internal report told the publication.

I wonder what else they’ve covered up in the past…

Avast Kills Jumpshot and Apologises

After Avast was discovered to have sold its users’ browsing data, there is now a lot of backpedalling going on.

Avast will pull the plug on Jumpshot, its controversial data analytics business, after it was revealed the company was harvesting its users' data. The Brit antivirus firm ran into trouble last month when a security researcher, Wladimir Palant, found that the company’s Firefox browser extensions were collecting customers' browsing data, including URLs of sites they had visited, and per-device unique IDs, and selling it, apparently deanonymised, to customers such as Revlon, Tripadvisor and Intel.

Two corrections here: Avast is a Czech firm, and Palant isn’t a security researcher; he’s co-founder and co-owner of Cologne-based Eyeo GmbH, which markets Adblock Plus and in the past was criticised for allowing companies to evade its adblocking software if they paid for it. No idea where The Register got these other ideas from.

Avast announced the closure, which it termed a “winding down” in a press release this morning, saying that it would “terminate its provision of data” to Jumpshot immediately and eventually close the business. It added: “Jumpshot may not use any existing data provided by Avast and no further data will be provided by Avast.”

In a linked blog post, the company’s newish chief exec, Ondrej Vlcek, said Jumpshot had acted “fully within legal bounds”. The decision to close the company was made because it did not fit with its privacy policies for 2020 and beyond, he said. “Protecting people is Avast’s top priority and must be embedded in everything we do in our business and in our products. Anything to the contrary is unacceptable,” the blog post read.

Ha… Kinda hard to believe as you only closed that company when you were caught with your hand in the cookie jar and publicly shamed.

He added that the closure would “impact” hundreds of employees across the company’s five global offices. The company intends to continue paying its suppliers “in full as necessary” during the closedown.

Oh, great! Now we’re supposed to feel bad because you’ll terminate these jobs? That company should have never been founded in the first place. You fuckers are in the wrong here, plain and simple. Stop trying to distract from your responsibility for all of this! If you feel bad for those employees, you could give them some of your (no doubt) generous salary. How about that? Put up or shut up.

More Emojis Nobody Needs

Everyone is virtue signalling hard these days. The Unicode Consortium, not wanting to be left out, has unveiled some new emojis probably nobody will ever use.

More than a hundred new emoji are on their way this year. The governing body in charge of official emoji, the Unicode Consortium, announced the addition of 117 new emoji for 2020, as part of Emoji 13.0. The expansion includes 62 brand-new emoji as well as 55 new gender and skin-tone variants, many of which are new gender-inclusive emoji. Other notable additions this year include the transgender flag – from a proposal co-sponsored by Google and Microsoft – as well as the new smiling face with tear, the two people hugging, pinched fingers, a disguised face, not to mention tons more animals, food items and other objects.

“Until this year, the only emoji that depicts childcare is the ‘breastfeeding’ emoji,” explained Jennifer Daniel, Google’s design director for the Android Emoji Program. “Since an inability to breastfeed doesn’t preclude you from nurturing your child, we want to introduce an emoji that everyone can use,” she said.

Great. I’m so glad that exists, Jenn. Absolutely what I needed.

The animal lineup now includes a black cat, bison, mammoth, beaver, polar bear, dodo, seal, beetle, roach, fly and worm.

Other additions include a feather, potted plant, rock, wood, hut, pickup truck, roller skate, magic wand, piñata, nesting dolls, sewing needle, knot, flip flop, military helmet, accordion, long drum, coin, boomerang, carpentry saw, screwdriver, hook, ladder, elevator, mirror, window, plunger, mousetrap, bucket, toothbrush, headstone, placard, transgender symbol, transgender flag, anatomical heart and lungs.

You know, I’m really glad there’s now an emoji of a guy with a tash wearing a wedding dress, which might come in really handy on the next stag do. But when will they finally fix the really important problems? Like hats. There are clearly not enough hat emojis. There isn’t even a proper fedora one, FFS.

Linux 5.6 News

With Linux 5.5 having just been released, the kernel developers are hard at work on version 5.6, which should bring some interesting features. One of those is a fix for the Y2038 problem.

Arnd Bergmann, an engineer working on the thorny Y2038 problem in the Linux kernel, posted to the mailing list that, yup, Linux 5.6 “should be the first release that can serve as a base for a 32-bit system designed to run beyond year 2038”. Bergmann has also been on a trawling exercise, replacing code that uses time_t with something a little safer for the long term.

time_t represents the number of seconds since the start of the Unix epoch (1 January 1970) and systems using a signed 32-bit time_t integer type could well suffer borkage in 2038, when that seconds count blows past the maximum that can be stored.

There are, as ever, caveats. User space must be compiled with a 64-bit time_t and applications that use the system call interfaces directly need to be ported to use the time64 syscalls added in Linux 5.1. Bergmann also cautioned that there were a few interfaces that could not be changed “in a compatible way”, and needed to be configured to use CLOCK_MONOTONIC, which doesn’t suffer from that 1 January 1970 epoch issue but has challenges of its own, or an unsigned 32-bit timestamp, which could choke in 2106.
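To make the two rollover dates in the caveats above concrete, here is a small C program, added for this issue and not part of the kernel or the quoted article, that simulates a signed and an unsigned 32-bit seconds counter ticking one second past their maximum. It assumes a host with a 64-bit time_t so that the resulting dates can be rendered without overflowing again.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Limits of a 32-bit seconds-since-1970 counter: signed (classic time_t)
 * and unsigned (the alternative the article mentions, which lasts to 2106). */
#define TIME32_MAX  INT32_MAX
#define UTIME32_MAX UINT32_MAX

/* Advance a signed 32-bit time_t by one second. At INT32_MAX it wraps to
 * INT32_MIN, i.e. from January 2038 back to December 1901. The addition is
 * done in unsigned arithmetic so the simulation itself has no undefined
 * signed overflow. */
int32_t tick_signed32(int32_t t) {
    return (int32_t)((uint32_t)t + 1u);
}

/* Advance an unsigned 32-bit timestamp by one second. At UINT32_MAX it wraps
 * to 0, i.e. from February 2106 back to 1 January 1970. */
uint32_t tick_unsigned32(uint32_t t) {
    return t + 1u;
}

/* Render a second count as a UTC date string. Assumes the host's time_t is
 * 64-bit, so this conversion does not overflow. Returns a static buffer that
 * is overwritten on each call. */
const char *utc_string(int64_t secs) {
    static char buf[32];
    time_t t = (time_t)secs;
    struct tm *tm = gmtime(&t);
    strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S UTC", tm);
    return buf;
}

/* Year in which a 32-bit counter of the given signedness hits its maximum. */
int rollover_year(int is_signed) {
    time_t t = is_signed ? (time_t)TIME32_MAX : (time_t)UTIME32_MAX;
    return gmtime(&t)->tm_year + 1900;
}

int main(void) {
    printf("signed 32-bit max:    %s\n", utc_string(TIME32_MAX));
    printf("one second later:     %s\n", utc_string(tick_signed32(TIME32_MAX)));
    printf("unsigned 32-bit max:  %s\n", utc_string(UTIME32_MAX));
    printf("one second later:     %s\n", utc_string(tick_unsigned32(UTIME32_MAX)));
    return 0;
}
```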

The next kernel version will also include the new WireGuard VPN technology.

The WireGuard VPN protocol, which is smaller, faster and easier to configure than IPsec, has been merged into Linus Torvalds' git repository for version 5.6 of the Linux kernel, the next release.

There is no set date for Linux kernel releases. Version 5.5 was released on 26 January 2020 and there is typically a couple of months between releases, so 5.6 may come in April.

The reason for enthusiasm around WireGuard is a combination of relatively simple configuration, small codebase, sound cryptography, fast connection and strong performance. “Compared to behemoths like *Swan/IPsec or OpenVPN/OpenSSL, in which auditing the gigantic codebases is an overwhelming task even for large teams of security experts, WireGuard is meant to be comprehensively reviewable by single individuals,” claims the homepage.

If you want to know what’s new in kernel 5.5, here’s an overview.

Mozilla Looking to Monetise Thunderbird

It looks like, after years of Thunderbird being the red-headed stepchild at Mozilla, the company is now trying to make some money off its unloved email client. The Register reports on the move of the software to MZLA Technologies, a wholly owned subsidiary of the Mozilla Foundation. This would allow Mozilla to monetise Thunderbird.

The company reckons the move will not impact the software’s day-to-day activities or mission. “Thunderbird will still remain free and open source, with the same release schedule and people driving the project,” wrote chair of the Thunderbird Council, Philipp Kewisch, in a blog post confirming the move.

Thunderbird’s future has been on shaky ground for a number of years. Mozilla dropped development on the email client in 2015, saying that it would only deliver security and maintenance updates in the future. Later that year, Mozilla Foundation chair Mitchell Baker said it was separating Thunderbird from Firefox in a post to a Mozilla newsgroup, saying she did not believe Thunderbird has the same potential “industry-wide” impact as Firefox.

Possible new homes for the email client suggested at the time included the Software Freedom Conservancy, the Document Foundation, or inking a new deal with the Mozilla Foundation, according to a report commissioned at the time. A separate Thunderbird Foundation was also considered, but ruled out as a first step. The company’s new home ended up being its old home: the Mozilla Foundation, but with a fresh agreement that would ensure the company could keep its “focus” on its browser business. Thunderbird’s development would be mostly independent of Firefox, but it would still receive some support from the mother nest.

In Huawei / 5G / Propaganda News…

…the EU has now also outlined its 5G technology security rules:

Short of a full ban, the European Commission has agreed to permit Huawei’s equipment on the national EU networks, although says it will impose “strict” rules. These strongly mirror those proposed by the UK’s comms-regulating ministry – DCMS – yesterday.

What the EU is calling its “Toolbox for 5G Security” asks national regulators to impose strict governance standards. It urges national bodies to vet the risk profiles of specific 5G vendors, and limit those deemed risky from the core elements of national networks. It also recommends that individual providers limit their exposure to any one vendor, by having a multi-vendor approach.

So far, the four companies offering 5G infrastructure are Huawei, Nokia, Ericsson, and Samsung.

Meanwhile, the US government allegedly has proof that China has bugged Huawei gear. They have supposedly shared this information with Germany. We don’t have any proof, of course.

America warned Germany Huawei’s cheap’n’cheerful 5G gear was effectively bugged by Beijing’s spies and leaking secrets to agents, it is claimed. The US government’s evidence of this alleged espionage has not been shared publicly, we note.

According to a report published Wednesday by Handelsblatt, a German business and policy publication, the German Federal Government received intelligence from the US at the end of 2019 “that Huawei has been proven to work with China’s security agencies.”

Huawei, in a statement to The Register, rejected that claim.

So in other words: we have some propaganda that is claiming there’s proof for the previous propaganda. Yeah, sure. It’s totally not part of Trump’s trade war.

“Huawei cannot be trusted to tell the truth or protect the interests of others, and it should not be trusted with the vital security of 5G networks,” the US State Department explains in a document about 5G security titled “Huawei: Myth vs. Fact.”

Yeah, but the US State Department is trustworthy? Give me a break.

Also Noteworthy

Some additional stories that might be worth a read:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.