Tech Talk Show Notes

December 20 -26, 2020

Google Removed Shady Android VPN App That Allowed MiTM Attacks

Google has recently removed a shady Android VPN App from the Play Store. Identified as SuperVPN Free VPN Client, this app boasted 100 million installs and had vulnerabilities allowing for MiTM attacks.

SuperVPN Free VPN Client Bugs A couple of months ago, researchers from VPNpro shared a detailed study about various VPN apps on the Play Store exhibiting vulnerabilities. The most noteworthy of all was the SuperVPN Free VPN Client app, which exhibited shady behavior alongside security bugs. Now, in a recent post, the researchers have shared more details about this app. As revealed, the app not only had vulnerabilities allowing man-in-the-middle (MiTM) attacks. Rather it also used blackhat SEO tactics to top up the Play Store. Briefly, the app has its hardcoded encryption key stored within, allowing anyone accessing the key to decrypt all the data. Plus, it also became possible for an adversary to change the app’s data server.

_______________

Don’t use VPN services.

No, seriously, don’t. You’re probably reading this because you’ve asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPN for their intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party “VPN provider” does.

A Russian translation of this article can be found here, contributed by Timur Demin.

A Turkish translation can be found here, contributed by agyild.

___________

Kazakhstan spies on citizens’ HTTPS traffic; browser-makers fight back

Google, Mozilla, Apple, and Microsoft said they’re joining forces to stop Kazakhstan’s government from decrypting and reading HTTPS-encrypted traffic sent between its citizens and overseas social media sites.

All four of the companies’ browsers recently received updates that block a root certificate the government has been requiring some citizens to install. The self-signed certificate caused traffic sent to and from select websites to be encrypted with a key controlled by the government. Under industry standards, HTTPS keys are supposed to be private and under the control only of the site operator.

_____________

Twitter repeals retweet roadblocks, Facebook follows suit

With the worst of a storm of misinformation—and disinformation—about the 2020 US presidential election behind us, both Facebook and Twitter are relaxing some emergency measures put in place to limit its spread.

The most obvious changes taking place are on Twitter, which is getting rid of a measure it put in place in October to encourage quote tweeting (QT) instead of simple retweeting (RT). The intent was to encourage users to add thoughtful commentary and perhaps to actually read original content prior to amplifying it based on a headline alone.

_____________

2021 Cybersecurity Predictions: The Intergalactic Battle Begins

Cybersecurity predictions are something of a tradition in the security industry, as we look toward the year to come and see what may lie ahead in a field that changes constantly. Sometimes we’re right, and sometimes a once-in-a-generation pandemic comes along and challenges us in ways we could never have expected.

Let’s not focus on that, however. This is about 2021, and while we will take some of 2020’s adaptations with us, there’s a whole lot in store for the future of cybersecurity, and the most interesting things aren’t even happening here on Earth.

_______________

Russia’s hacking frenzy is a reckoning

Last week, several major United States government agencies—including the Departments of Homeland Security, Commerce, Treasury, and State—discovered that their digital systems had been breached by Russian hackers in a months-long espionage operation. The breadth and depth of the attacks will take months if not longer, to fully understand. But it’s already clear that they represent a moment of reckoning, both for the federal government and the IT industry that supplies it.

As far back as March, Russian hackers apparently compromised otherwise mundane software updates for a widely used network monitoring tool, SolarWinds Orion. By gaining the ability to modify and control this trusted code, the attackers could distribute their malware to a vast array of customers without detection. Such “supply chain” attacks have been used in government espionage and destructive hacking before, including by Russia. But the SolarWinds incident underscores the impossibly high stakes of these incidents—and how little has been done to prevent them.

_____________

FBI says DoppelPaymer ransomware gang is harassing victims who refuse to pay

FBI says ransomware group has been calling victims, threatening to send individuals to their homes if they don’t pay the ransom.

The US Federal Bureau of Investigations says it is aware of incidents where the DoppelPaymer ransomware gang has resorted to cold-calling companies in order to intimidate and coerce victims into paying ransom demands.

The incidents have been happening since February 2020, the FBI said in a PIN (private industry notification) alert, a type of security advisory the Bureau sends to the US private sector on a regular basis to inform them of the latest cyber-security developments.

_____________

Intel falls on report Microsoft plans to design own chips for PCs and servers

Intel dropped 6.3% on Friday following a Bloomberg report that Microsoft plans to design its own chips, possibly for both its Surface PCs as well as servers.

Intel has famously had a long-running partnership with Microsoft as the primary processor maker for Windows PCs.

“Because silicon is a foundational building block for technology, we’re continuing to invest in our own capabilities in areas like design, manufacturing and tools, while also fostering and strengthening partnerships with a wide range of chip providers,” Microsoft spokesperson Frank Shaw said in a statement.

___________

Facebook Repays News Industry It Destroyed With Print Ads Begging You to Hate Apple

Facebook has taken out its second round of full-page ads in two days seeking to have Apple… not roll out a privacy update or something.

At issue is an iOS update that will require users to provide explicit, opt-in consent to allow apps to track them with Apple’s Identifier for Advertisers (IDFA), a unique “anonymous identifier” on each iOS device that allows for companies like Facebook, as well as advertisers, to track users’ activities on apps. Currently, IDFA tracking is opt-out, meaning companies get that data by default. Facebook’s concern is that—naturally, and for good reason—that when given the choice, users won’t want to let advertisers snoop through half the crap they do on their phones, as they don’t actually care about seeing personalized ads and the whole behavior-tracking thing actually creeps them out.