So nice of China to put all of its network zero-day vulns in one giant database no one will think to break into • The Register

Chinese makers of network software and hardware must alert Beijing within two days of learning of a security vulnerability in their products under rules coming into force in China this year.

Details of holes cannot be publicized until the bugs are fixed. Malicious exploit code cannot be released. There are restrictions on disclosing details of flaws to foreign organizations. And vendors will be under pressure to address these vulnerabilities as soon as they can and set up bounty programs to reward researchers.

The regulations are intended to tighten up the nation’s cyber-security defenses, crack down on the handling and dissemination of bugs, and keep China’s elite up to speed on exploitable flaws present in Chinese-made communications systems, wherever in the world that technology may be deployed.

It appears these rules ensure Beijing will be among the first to know of security weaknesses in equipment and software potentially present in foreign infrastructure and networks as well as domestic deployments. The rules were issued on Tuesday, come into effect on September 1, and apply to people and organizations operating within China. The following articles stuck out to us:

Though the rules are a little ambiguous in places, judging from the spirit of them, they throw a spanner in the works for Chinese researchers who work with, or hope to work with, zero-day vulnerability brokers. These sorts of regulations matter a lot: infosec experts in the Middle Kingdom earlier pulled out of exploit contests like Pwn2Own due to changes to the law within China.

“Chinese teams stopped participating in Pwn2Own after 2017 when there were regulatory changes that no longer allowed for participation in global exploit contests,” Brian Gorenc, head of ZDI and Pwn2Own at Trend Micro, told The Register on Wednesday.

It will also complicate matters for those hoping to engage with foreign bug bounty programs, which may or may not follow China’s strict rules – particularly articles 7 and 9 – creating legal uncertainty for those participating.

“The law looks rather unclear,” Katie Moussouris, founder of Luta Security and a pioneer in designing bug bounties, told The Register. “There are Chinese bug bounty programs but whether or not Western based companies would comply is a question that needs answering. We’ll need to see a case emerge where the Chinese authorities attempt to exert the directive to see.”

Another part of the order that worries Moussouris is the central Chinese vulnerability database that will be created to house all of these reported bugs: it’s an obvious target for espionage. Then there’s the fact that two days is not long enough to triage a bug report.

“Two days isn’t enough for a thorough investigation for a flaw and certainly not enough time to make a fix that works,” she said.

“It’s also a dangerous place to be for an unpatched-vulnerabilities database, which would be an incredibly attractive target for adversaries – our people will be targeting it, I’m sure.”

Who could forget Uncle Sam’s Office of Personnel Management, which was ransacked in 2015 by Chinese cyber-spies who made off with sensitive records on more than 20 million US govt staff. Former NSA boss Michael Hayden said the United States, given the opportunity, would have done the same to a foreign power.

“If I as director of CIA or NSA would have had the opportunity to grab the equivalent from the Chinese system, I would not have thought twice, I would not have asked permission, I’d have launched the Star Fleet and we’d have brought those suckers home at the speed of light,” Hayden said.

There’s also the question of what the Chinese government will do with its haul of vulnerability reports. With some in the West hurrying to remove Chinese vendors’ kit from networks, this edict may intensify such efforts for fear a zero-day in such equipment will be exploited by Beijing. ®

Emmanuel Macron ‘pushes for Israeli inquiry’ into NSO spyware concerns | France

Emmanuel Macron has reportedly spoken to the Israeli prime minister, Naftali Bennett, to ensure that the Israeli government is “properly investigating” allegations that the French president could have been targeted with Israeli-made spyware by Morocco’s security services.

In a phone call, Macron expressed concern that his phone and those of most of his cabinet could have been infected with Pegasus, hacking software developed by the Israeli surveillance firm NSO Group, which enables operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones from infected devices.

The leaked database at the heart of the Pegasus project includes Macron’s mobile phone number.

NSO has said Macron was not a “target” of any of its customers, meaning the company denies he was selected for surveillance using Pegasus. The company says that the fact that a number appeared on the list was in no way indicative of whether that number was selected for surveillance using Pegasus.

The Pegasus project could not examine the mobile phones of the leaders and diplomats, and could therefore not confirm whether there had been any attempt to install malware on their phones.

Quick Guide

What is in the Pegasus project data?


What is in the data leak?

The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.

What does the leak indicate?

The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.

What did forensic analysis reveal?

Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.

Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.

Which NSO clients were selecting numbers?

While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.

What does NSO Group say?

You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products … we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a “target” to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent “targets” of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus. 

What is HLR lookup data?

The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HLR lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.


The Macron-Bennett phone call reportedly took place on Thursday, but was first reported by Israel’s Channel 12 News on Saturday evening after the end of Shabbat, the Jewish day of rest.

The prime minister’s office has declined to comment on the phone call or the two leaders’ conversation. According to Channel 12, an unnamed source said Bennett had stressed that the alleged events occurred before he took office in May, and that a commission was examining whether rules on Israel’s export of cyberweapons such as Pegasus should be tightened.

The Pegasus project – a consortium of 17 media outlets, including the Guardian – revealed last week that government clients around the world have used the hacking software sold by NSO to target human rights activists, journalists and lawyers.

The investigation has been based on forensic analysis of phones and analysis of a leaked database of 50,000 numbers, including that of Macron and those of heads of state and senior government, diplomatic and military officials, in 34 countries.

In multiple statements, NSO said the fact a number appeared on the leaked list was in no way indicative of whether it was selected for surveillance using Pegasus. “The list is not a list of Pegasus targets or potential targets,” the company said. “The numbers in the list are not related to NSO Group in any way.”

But the list is believed to provide insights into those identified as persons of interest by NSO’s clients. It includes people whose phones showed traces of NSO’s signature phone-hacking spyware, Pegasus, according to forensic analysis of their devices. The analysis was conducted by Amnesty International’s security lab, which discovered traces of Pegasus-related activity on 37 out of 67 phones that it analysed.

Q&A

What is the Pegasus project?


The Pegasus project is a collaborative journalistic investigation into the NSO Group and its clients. The company sells surveillance technology to governments worldwide. Its flagship product is Pegasus, spying software – or spyware – that targets iPhones and Android devices. Once a phone is infected, a Pegasus operator can secretly extract chats, photos, emails and location data, or activate microphones and cameras without a user knowing.

Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardian and 16 other news organisations, including the Washington Post, Le Monde, Die Zeit and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.


While the rest of the world grapples with the seismic consequences of the revelations, in Israel reaction has been muted. Meretz, a leftwing party long in opposition but now part of the new government coalition, has asked the defence ministry for “clarification” on the issue, but no party is seeking a freeze of export licences or an inquiry into NSO’s close links to the Israeli state under the tenure of the former prime minister Benjamin Netanyahu.

The defence minister, Benny Gantz, has defended export licences for the hacking tools, claiming that “countries that purchase these systems must meet the terms of use”, which are solely for criminal and terrorism investigations.

But as the mammoth impact of the disclosures has become clearer, the diplomatic pressure on Israel is mounting. On Thursday, the senior Israeli MP Ram Ben-Barak – a former deputy head of the Mossad spy agency – confirmed that the Israeli defence establishment had “appointed a review commission made up of a number of groups” to examine whether policy changes were needed regarding sensitive cyber exports.

US defence officials have also asked their Israeli counterparts for more details on the “disturbing” disclosures stemming from the Pegasus project, the Israeli newspaper Haaretz reported on Saturday.

Google fixes ‘Chromebork’ one-character code typo that prevented Chrome OS logins • The Register

Bug of the week: Google has fixed a bug in Chrome OS version 91.0.4472.165 that surfaced on Monday and prevented some users from being able to log in to their systems.

Chrome OS downloads updates automatically but doesn’t apply them until reboot, so only those who restarted their Chromebooks to ingest the force-fed broken update were affected.

Earlier this week, the internet titan on its Google Workplace status page said, “Our engineering team has identified an issue on Chrome OS 91.0.4472.165. The rollout of this version was halted.”

As a workaround for those bitten by the bug, Google advised users to “powerwash” their Chrome OS devices back to factory settings, roll back the Chrome OS device to a previous version via USB, or remove the affected account and add it back to the device. All three mitigations, however, clear local data on the device.

The programming blunder consists of a single missing character, an ampersand (&), that was inadvertently omitted from the Chrome OS C++ code. That oversight changed the logical AND operator (&&) in this conditional statement to a bitwise AND (&):

if (key_data_.has_value() && !key_data_->label().empty())

That means, for one thing, both sides of the conditional statement would be evaluated every time, rather than the right-hand-side call to empty() only being made if the left-hand-side has_value() returned true. In any case, omitting the ampersand changed the behavior of Chrome OS’s code.
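An added illustration of the point above, not code from the article or from Chrome OS: it models key_data_ as a std::optional (an assumption; the article shows only has_value() and ->) and counts how often the right-hand operand runs, showing that a single & evaluates both sides even when has_value() is false while giving the same truth value whenever a value is present.

```cpp
#include <cstdio>
#include <optional>
#include <string>

// Stand-in for the Chrome OS key data object (hypothetical; only label() is modelled).
struct KeyData {
    std::string label_;
    const std::string& label() const { return label_; }
};

// Instrumented holder: counts how often the right-hand operand runs so the
// difference between '&&' (short-circuit) and '&' (evaluate both) is observable.
struct Probe {
    std::optional<KeyData> key_data_;  // assumed std::optional, as has_value()/-> suggest
    int rhs_evaluations = 0;

    // Right-hand operand of the conditional. The real code read
    // key_data_->label() directly; here the dereference is guarded so the
    // demo stays well-defined when key_data_ is empty, and only the counter
    // reveals that the operand ran at all.
    bool LabelNonEmpty() {
        ++rhs_evaluations;
        return key_data_.has_value() && !key_data_->label().empty();
    }

    // Correct form: logical AND skips the right-hand side when has_value() is false.
    bool HasLabelLogicalAnd() {
        return key_data_.has_value() && LabelNonEmpty();
    }

    // The one-character typo: bitwise AND on two bools yields the same truth
    // value but evaluates both operands unconditionally.
    bool HasLabelBitwiseAnd() {
        return key_data_.has_value() & LabelNonEmpty();
    }
};

// With key_data_ empty, '&&' never runs the right-hand side (returns 0).
int RhsEvaluationsLogicalAndEmpty() {
    Probe p;
    p.HasLabelLogicalAnd();
    return p.rhs_evaluations;
}

// With key_data_ empty, '&' still runs it (returns 1): the path on which the
// original code reached key_data_->label() without a value present.
int RhsEvaluationsBitwiseAndEmpty() {
    Probe p;
    p.HasLabelBitwiseAnd();
    return p.rhs_evaluations;
}

// Once key_data_ holds a value, both forms agree on the result, which is why
// the typo stayed invisible until a device hit the empty case.
bool BothFormsAgree(const std::string& label) {
    Probe a, b;
    a.key_data_ = KeyData{label};
    b.key_data_ = KeyData{label};
    return a.HasLabelLogicalAnd() == b.HasLabelBitwiseAnd();
}

int main() {
    std::printf("&& evaluations on empty: %d\n", RhsEvaluationsLogicalAndEmpty());
    std::printf("&  evaluations on empty: %d\n", RhsEvaluationsBitwiseAndEmpty());
    std::printf("agree on \"label\": %s\n", BothFormsAgree("label") ? "yes" : "no");
    return 0;
}
```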

The typo was committed to the Chrome OS source on July 2, 2021, and didn’t affect anyone until this week. The typo was discussed on Reddit earlier this week.

Google’s patch, Chrome OS 91.0.4472.167, was issued on Wednesday and has been rolling out gradually per Google’s release pattern.

“Affected devices can login via guest mode or an account that hasn’t signed into the device and follow the steps in this [Help Center] article to download the update,” said Google.

This is the second Chrome OS version 91 update to go awry this month. An update to version 91.0.4472.147, issued on June 30, 2021, proved problematic for certain hardware configurations, causing extreme CPU usage. Google undid the offending update about a week ago but the problematic code has yet to be dealt with. ®

Power Capital takes majority interest in Terra Solar’s portfolio

Terra Solar, a NovaUCD start-up founded in 2016, is giving up its sites in Wexford and Cork to Power Capital to develop solar farms.

Dublin-based company Power Capital Renewable Energy (PCRE) has announced plans to acquire majority interest in Terra Solar’s 400MW portfolio.

This will bring the company’s total solar assets to 840MW and boost its presence in the Irish solar power space.

A start-up that sprung out of NovaUCD, the University College Dublin accelerator, Terra Solar was founded by David Fewer and André Fernon in 2016. State-owned ESB was one of Terra Solar’s early investors, putting up €2.5m for a stake in the company.

Paris-based VC firm Omnes Capital will back the development of the solar sites over the next few years, which require around €200m to build out. Irish and international lenders will also back the development.

Power Capital director Peter Duff said that his company’s aim of becoming Ireland’s leading independent power producer has come a step closer with the deal.


“Both Terra Solar and PCRE share common values and ambitions to help Ireland meet its 2030 targets and we are excited that Terra Solar chose us as a partner to bring these sites through construction,” he said.

The solar farm sites, located in Wexford and Cork, are a culmination of more than four years of engagement with local landowners, communities and planners, said Fewer.

“We will be retaining an equity stake in the developments and will be working intensively with all stakeholders over the coming few years to ensure that these sites are successfully constructed while equally continuing to grow our remaining development pipeline of 600MW.”

Justin Brown, co-founder of Power Capital, said that the company is currently in talks with other industry bodies about “increasing our foothold in the sector and we expect to see renewable energy being the dominant generator of electricity across Ireland within the next decade”.

Construction on the solar farms is set to begin in 2022 and the project is expected to be completed in the next five years.
