FOXTROT/ALFA: Patch Tuesday, Amazon Bottlerocket, Internet of Shit Confirmed

Welcome to FOXTROT/ALFA #87 for Wednesday, 11 March 2020. Here are the relevant tech and tech policy news items of the day (sans all the virus panic):

Patch Tuesday

Yesterday was the second Tuesday of the month, which means it’s time to patch your systems. Microsoft alone has pushed out more than 100 security updates.

The Patch Tuesday release includes 115 CVE-listed flaws, 26 of which are classified as critical security risks. None of the flaws had previously been disclosed or exploited in the wild.

One particularly nasty remote-code execution hole revealed this week lies within SMBv3. “An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client,” says Microsoft. There is no patch available for this right now; the only mitigation is to disable SMBv3 compression on servers. For clients there is currently neither a workaround nor a patch.

SAP has also urged people to install a number of updates.

Enterprise giant SAP has dropped a number of fixes for high-severity issues, with four bulletins for flaws with CVSS ratings of 9 or higher. Among those are two missing authentication checks in Solution Manager, a path manipulation vulnerability in NetWeaver, and an update for Chromium browser components in Business Client.

Also patched was a remote code execution flaw in Business Objects, a missing authorization check in Disclosure Management, denial of service in BusinessObjects Mobile, and a SQL injection flaw in SAP Max.

Interestingly, there were no security releases from Adobe.

One name notably absent this month is Adobe. It seems Flash, Reader, Acrobat, Creative Cloud, and the other offerings from the multimedia giant are all free of major security flaws this month, though we may very well see patches posted later this month.

There are also a number of fixes for Intel CPUs besides the LVI security vulnerability I reported on yesterday.

The March fix bundle includes nine advisories covering processors, FPGAs, and other components, as well as the high-profile Meltdown-style LVI hole.

Among the most expansive is the advisory for Intel graphics drivers. In total, 17 CVE-listed bugs were patched, ranging from elevation-of-privilege and denial-of-service to information-disclosure flaws.

Amazon Bottlerocket

Amazon is creating its own Linux distribution designed for running containers in AWS. It’s called “Amazon Bottlerocket”.

There are two main ideas behind Bottlerocket. The first is to make it easier to automate OS updates by applying them in a single step, rather than package by package. According to AWS, this will also improve uptime “by minimizing update failures and enabling easy update rollbacks.” The second part of the rationale is to strip down the OS so it only contains what is needed to run containers.

Sounds a lot like Fedora CoreOS to me. It seems to have some pretty cool new ideas, though.

Bottlerocket has two identical sets of partitions. When you update Bottlerocket, it is the inactive partition that gets the update. Then the partition table is changed to swap the active and inactive partition sets. If the boot fails, then it automatically rolls back, as controlled by the Signpost utility. The update is image-based, hence the “single step.” There is also provision for update waves, where groups of Bottlerocket hosts are scheduled to update at different times.
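To make the partition dance concrete, here is a small Python model I put together for this issue. It is not Bottlerocket’s code (the real logic, including Signpost, lives in the Bottlerocket repository); the names PartitionSet, Host, BOOT_TRIES, stage_update and boot, and the health signal passed to boot, are my own assumptions for the model. It shows the three moves from the paragraph above: the image is written to the inactive set, the priorities are swapped in one step, and a set that fails to boot is abandoned so the previous image runs again.

```python
"""Model of an A/B (dual partition set) image update with automatic rollback.

Added illustration, not Bottlerocket's own implementation. PartitionSet, Host,
BOOT_TRIES and the method names are assumptions made for this model.
"""
from dataclasses import dataclass, field

# Boot attempts a freshly updated set gets before the bootloader gives up on it.
BOOT_TRIES = 1


@dataclass
class PartitionSet:
    name: str            # "A" or "B"
    image_version: str   # OS image currently written to this set
    priority: int        # higher wins at boot time (like GPT priority attributes)
    tries_left: int      # remaining boot attempts before the set is abandoned
    successful: bool     # set once the OS has booted and reported itself healthy


@dataclass
class Host:
    sets: list                                  # exactly two PartitionSet objects
    journal: list = field(default_factory=list)  # human-readable event log

    def active(self) -> PartitionSet:
        return max(self.sets, key=lambda s: s.priority)

    def inactive(self) -> PartitionSet:
        return min(self.sets, key=lambda s: s.priority)

    def stage_update(self, new_version: str) -> None:
        """Write the whole image to the inactive set, then flip priorities.

        The single 'step' of the update is the priority swap; until it happens
        the running system is untouched, and nothing is installed package by package.
        """
        target = self.inactive()
        target.image_version = new_version
        target.priority = self.active().priority + 1
        target.tries_left = BOOT_TRIES
        target.successful = False
        self.journal.append(f"staged {new_version} on set {target.name}")

    def boot(self, good_versions) -> str:
        """Simulate the bootloader picking a set until one boots healthily.

        good_versions: image versions that actually come up (the health signal).
        Returns the image version that ended up running.
        """
        while True:
            cand = self.active()
            if cand.priority == 0:
                raise RuntimeError("no bootable partition set left")
            if not cand.successful:
                if cand.tries_left == 0:
                    # Never booted healthily and out of tries: roll back by
                    # demoting it so the other (known-good) set wins.
                    cand.priority = 0
                    self.journal.append(f"rollback: abandoned set {cand.name} ({cand.image_version})")
                    continue
                cand.tries_left -= 1
            if cand.image_version in good_versions:
                cand.successful = True
                self.journal.append(f"booted {cand.image_version} from set {cand.name}")
                return cand.image_version
            if cand.successful:
                raise RuntimeError(f"previously healthy set {cand.name} no longer boots")
            self.journal.append(f"boot of {cand.image_version} on set {cand.name} failed")


def new_host() -> Host:
    """A host running 1.0.0 from set A, with set B empty (constructed state)."""
    return Host(sets=[
        PartitionSet("A", "1.0.0", priority=2, tries_left=0, successful=True),
        PartitionSet("B", "", priority=1, tries_left=0, successful=False),
    ])


def run_scenario(update_boots: bool) -> dict:
    """Stage 1.1.0 and boot; if the new image is broken, expect 1.0.0 back."""
    host = new_host()
    host.stage_update("1.1.0")
    good = {"1.0.0", "1.1.0"} if update_boots else {"1.0.0"}
    running = host.boot(good)
    return {"running": running, "active_set": host.active().name, "journal": host.journal}


if __name__ == "__main__":
    for ok in (True, False):
        result = run_scenario(update_boots=ok)
        print(f"update boots={ok}: running {result['running']} from set {result['active_set']}")
        for line in result["journal"]:
            print("   ", line)
```

Run it and the second scenario shows the sequence the paragraph describes: 1.1.0 is staged on B, B fails its one boot attempt, B is demoted, and the host comes back on 1.0.0 from A.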

There is no SSH server, normally used to enable secure login, nor is there even a shell in the base Bottlerocket image. This is to improve security. To get a shell, you use a special control container, which is enabled by default, to start an admin container, which is disabled by default. In the admin container you can run a root shell using the command sheltie, though even then the system “will prevent most changes from persisting over a restart”.

AWS makes extensive use of Rust for Bottlerocket. “Almost all first-party components are written in Rust. Rust eliminates some classes of memory safety issues, and encourages design patterns that help security,” says the description.

Another Extension for Huawei Network Gear at US Telcos

Well, as expected, that very dangerous security issue with Huawei networking gear can’t be that dangerous after all. There’s now a fourth extension to Trump’s ban in effect, extending the deadline again, this time until 15 May.

The United States Department of Commerce has granted yet another extension – the fourth – to telcos using Huawei kit to run their networks.

While the US claims the Chinese firm represents an existential threat to its national security, Huawei still seems to be part of ongoing US-China trade talks. President Trump said last month that he wanted US chipmakers to be able to continue to trade with Chinese firms and previously said that Huawei’s status could be negotiated.

Huawei remains on the Entity List, because it “poses a significant risk of involvement in activities contrary to the national security or foreign policy interests of the United States.”

US firms can carry on buying Huawei equipment and selling components and software to the company until 15 May. This follows 90-day extensions granted in May, August and November of last year.

The Internet of Shit is Indeed …Shit

Colour me surprised.

No less than 98 per cent of traffic sent by internet-of-things (IoT) devices is unencrypted, exposing huge quantities of personal and confidential data to potential attackers, fresh analysis has revealed.

What’s more, most networks mix IoT devices with more traditional IT assets like laptops, desktops and mobile devices, exposing those networks to malware from both ends: a vulnerable IoT device can infect PCs; and an unpatched laptop could give an attacker access to IoT devices – and vast quantities of saleable data.

Those are the big conclusions from a real-world test of 1.2 million IoT devices across thousands of physical locations in the United States, carried out by Palo Alto Networks.
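If you want to know what the equivalent number looks like on your own network, the check is not hard. Below is a Python example I wrote for this issue (not from the Palo Alto Networks report or The Register) that runs over a handful of constructed flow records: it works out what share of traffic from the IoT segment is unencrypted and lists the flows crossing between the IoT and IT segments, which is the mixing problem described above. The flow format, the two subnets, the port table and the flows themselves are all assumptions made for the example; in a real deployment you would feed it NetFlow or firewall logs.

```python
"""Audit flow records for unencrypted IoT traffic and IoT/IT segment mixing.

Added example; the flow format, subnets, port heuristic and sample flows are
constructed for this illustration and are not from the report being discussed.
"""
import ipaddress
from collections import defaultdict

# Constructed network layout: one /24 for IoT devices, one for IT assets.
IOT_NET = ipaddress.ip_network("10.20.0.0/24")
IT_NET = ipaddress.ip_network("10.10.0.0/24")

# Ports whose payload is normally inside TLS/DTLS. This is only a fallback:
# the tls flag from payload inspection (e.g. a seen ClientHello) wins.
ENCRYPTED_PORTS = {22, 443, 8883, 5684}   # SSH, HTTPS, MQTT over TLS, CoAPS
PORT_NAMES = {21: "ftp", 23: "telnet", 80: "http", 443: "https",
              1883: "mqtt", 8883: "mqtts", 5683: "coap", 5684: "coaps"}

# Constructed flow records: src dst dst_port bytes tls_seen(0/1)
SAMPLE_FLOWS = """\
10.20.0.11 203.0.113.10 80 5120 0
10.20.0.11 203.0.113.10 1883 2048 0
10.20.0.12 203.0.113.20 443 4096 1
10.20.0.13 10.10.0.5 23 512 0
10.10.0.5 10.20.0.13 80 1024 0
10.10.0.7 198.51.100.9 443 8192 1
10.20.0.14 203.0.113.30 8883 1536 1
10.20.0.15 203.0.113.40 5683 300 0
"""


def parse_flows(text):
    """Turn whitespace-separated records into dicts; skips blanks and # comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dst, port, nbytes, tls = line.split()
        flows.append({"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                      "port": int(port), "bytes": int(nbytes), "tls": tls == "1"})
    return flows


def segment(ip):
    if ip in IOT_NET:
        return "iot"
    if ip in IT_NET:
        return "it"
    return "external"


def is_encrypted(flow):
    return flow["tls"] or flow["port"] in ENCRYPTED_PORTS


def summarise(flows):
    """Per source segment: total bytes, unencrypted bytes, and the percentage."""
    totals = defaultdict(lambda: {"bytes": 0, "unencrypted_bytes": 0})
    for f in flows:
        seg = totals[segment(f["src"])]
        seg["bytes"] += f["bytes"]
        if not is_encrypted(f):
            seg["unencrypted_bytes"] += f["bytes"]
    for seg in totals.values():
        seg["unencrypted_pct"] = round(100 * seg["unencrypted_bytes"] / seg["bytes"], 1)
    return dict(totals)


def cross_segment(flows):
    """Flows between the IoT and IT segments: each one is a path malware could
    take in either direction and deserves a firewall rule review."""
    out = []
    for f in flows:
        if {segment(f["src"]), segment(f["dst"])} == {"iot", "it"}:
            out.append((str(f["src"]), str(f["dst"]), f["port"],
                        PORT_NAMES.get(f["port"], "?"),
                        "encrypted" if is_encrypted(f) else "plaintext"))
    return out


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for name, seg in summarise(flows).items():
        print(f"{name}: {seg['unencrypted_pct']}% of {seg['bytes']} bytes unencrypted")
    for src, dst, port, proto, state in cross_segment(flows):
        print(f"cross-segment: {src} -> {dst}:{port} ({proto}, {state})")
```

On the constructed data the IoT segment comes out at 58.6% unencrypted by volume and the two Telnet/HTTP flows between the IoT camera range and an IT workstation are flagged. The port table is deliberately a fallback only: classify on what the payload actually is, because plenty of devices push plaintext over 443 and TLS over odd ports.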

Medical devices are also complete junk when it comes to security, almost without exception.

Read the full story in The Register.

Google Backtracks Claim that Chrome Header Doesn’t Track You

Colour me surprised, Episode II: Google tracks people with their browser? No way!

In February, Arnaud Granal, a software developer who works on a Chromium-based browser called Kiwi, claimed the X-client-data header, which Chrome sends to Google when a Google webpage has been requested, represents a unique identifier that can be used to track people across the web. As such, it could run afoul of Europe’s tough privacy regulations.

When The Register reported these claims, Google insisted the X-client-data header includes information about the variation of Chrome being used, rather than a unique fingerprint. “It is not used to identify or track individual users,” the ad giant said.

The Register has no reason to believe the X-client-data header was ever used to track and identify people across websites – Google has better ways of doing that. Concern about the identifier has more to do with insufficient disclosure, inaccurate description, legal compliance, and the possibility that it might be abused for identifiable tracking.

The specific language appeared in the Google Chrome Privacy Whitepaper, a document the company maintains to explain the data Chrome provides to Google and third-parties. That language is no longer present in the latest version of the paper, published March 5, 2020.

Asked why the change was made, a Google spokesperson said only, “The Chrome white paper is regularly updated as part of the Chrome stable release process.”

Haha. Yeah, sure. You got caught in a lie. This is a way to track people when other measures fail. If it wasn’t, they’d explain what it was really for at this point, I’d think.

In an email to The Register, Granal said, “Knowing a bit the inner-workings on both sides (including Google’s lawyers), this is certainly a sensitive issue and it can be costly to Google if the issue is not addressed properly.

“As a user, in the current state, it’s important to understand that no matter if you use a proxy, a VPN, or even Tor (with Google Chrome), Google (including DoubleClick) may be able to identify you using this X-Client-Data. Do you want Google to be able to recognize you even if you are not logged-in to your account or behind a proxy? Personally, I am not comfortable with that, but each person has a different sensitivity with regards to privacy.

“I’m sure if you explain in simple words, to national data protection offices that Google can track your computer with a ‘permanent cookie’ they wouldn’t be happy with that at all.”
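If you want to see for yourself what the header carries and where your browser sends it, here is a Python example I wrote for this issue. It is neither Chrome’s code nor anything from The Register or Granal. To my understanding the X-Client-Data value is a base64-encoded protobuf message whose repeated varint fields hold field-trial (“variation”) IDs, and the decoder below is a minimal protobuf varint reader written on that assumption; the variation IDs, the host allowlist and the request log are constructed for the example. The audit function is the defender’s side of the story: it flags any request carrying the header to a host outside the set you expect, which is how you would notice the header leaving for a domain it has no business reaching.

```python
"""Decode Chrome's X-Client-Data header and audit which hosts receive it.

Added example, not Chrome's implementation. Assumes the value is base64 over a
protobuf message of varint fields (field 1 = variation IDs, field 3 = trigger
variation IDs); the IDs, allowlist and request log below are constructed.
"""
import base64


def _read_varint(buf, pos):
    """Read one base-128 little-endian varint starting at buf[pos]."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def _write_varint(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def decode_client_data(header_value):
    """Return {field_number: [ints]} for every varint field in the message.

    Only wire type 0 (varint) is accepted; anything else means the value is
    not the list of integers the header is supposed to contain.
    """
    raw = base64.b64decode(header_value)
    fields, pos = {}, 0
    while pos < len(raw):
        tag, pos = _read_varint(raw, pos)
        field_no, wire_type = tag >> 3, tag & 0x7
        if wire_type != 0:
            raise ValueError(f"unexpected wire type {wire_type} for field {field_no}")
        value, pos = _read_varint(raw, pos)
        fields.setdefault(field_no, []).append(value)
    return fields


def encode_client_data(variation_ids, trigger_ids=()):
    """Build a header value in the layout the decoder expects (used for the sample)."""
    body = b"".join(_write_varint(1 << 3) + _write_varint(v) for v in variation_ids)
    body += b"".join(_write_varint(3 << 3) + _write_varint(v) for v in trigger_ids)
    return base64.b64encode(body).decode("ascii")


# Constructed allowlist of hosts the header is expected to reach. In practice
# this comes from policy, not from a literal in code.
EXPECTED_HOSTS = {"www.google.com", "www.youtube.com", "doubleclick.net"}


def _host_allowed(host, allowed):
    host = host.lower()
    return host in allowed or any(host.endswith("." + h) for h in allowed)


def audit_requests(requests, allowed_hosts=EXPECTED_HOSTS):
    """Flag requests carrying X-Client-Data to hosts outside the allowlist.

    requests: iterable of (host, headers_dict). Header names are compared
    case-insensitively, as HTTP requires.
    """
    findings = []
    for host, headers in requests:
        value = next((v for k, v in headers.items() if k.lower() == "x-client-data"), None)
        if value is None or _host_allowed(host, allowed_hosts):
            continue
        findings.append({"host": host, "variation_ids": decode_client_data(value).get(1, [])})
    return findings


# Constructed sample: two variation IDs and one trigger ID.
SAMPLE_HEADER = encode_client_data([3300118, 3313321], trigger_ids=[3314234])
SAMPLE_REQUESTS = [
    ("www.google.com", {"X-Client-Data": SAMPLE_HEADER}),
    ("example.org", {"x-client-data": SAMPLE_HEADER}),   # should never happen
    ("example.net", {}),
]

if __name__ == "__main__":
    print("decoded:", decode_client_data(SAMPLE_HEADER))
    for finding in audit_requests(SAMPLE_REQUESTS):
        print("header sent outside allowlist:", finding)
```

The decoded value is just a short list of integers, which is exactly Google’s point about it describing “the variation of Chrome being used”. The privacy point is the other side of the same coin: the combination of IDs a particular install was assigned is stable across sessions, so the header only stops mattering if it truly never leaves for anywhere but Google’s own properties, which is what the audit checks.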

Secret-Sharing App Shares Your Secrets …with the World

Here’s a good example of why you shouldn’t use mobile apps that promise to share your posts anonymously or auto-delete sensitive messages. These things track you like every other app, because bills need to be paid and everyone’s after the big advertising bucks.

Whisper, a mobile app for sharing those thoughts you’d rather not make public, turns out to be better at sharing secrets than keeping them, spilling a whopping 90 metadata fields associated with users in an exposed database.

The app, launched in 2012, is intended as a way for people to “share real thoughts and feelings, forge relationships and engage in conversations on an endless variety of topics – without identities or profiles.” But as reported by The Washington Post, security researchers found 900 million user records publicly accessible online, exposing both deliberately public and private metadata that could serve to identify supposedly anonymous users of the app.

That 5TB, 75-node database, which has been locked away since Monday, when the company and law enforcement were notified, presents a risk that some app users could be identified and linked to supposedly anonymous posts and potentially sensitive associations, such as membership in fetish groups, hate groups and suicide support groups.

And here’s the kicker:

In 2014, The Guardian reported that Whisper was tracking the location of its users, even those who declined to be tracked. Whisper’s editor-in-chief at the time claimed The Guardian was lying, prompting the paper to defend the accuracy of its reporting. Whisper received a letter inquiring about the report from then US Senator Jay Rockefeller (D-W.Va.), leading to a response from CEO Michael Heyward and the firing of Whisper’s editorial team.

Security consultant Ehrlich believes Whisper’s representations at the time did not accurately portray its data collection practices.

The Register asked Whisper’s parent company, Media Lab, to explain how it makes that calculation. We also sought comment from Whisper. We’ve not heard back.

Also Noteworthy

Some other stories I saw that might interest you:


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.