At a glance.
- Signal designer finds a bug in Cellebrite's forensic tools.
- Ghosts in Clubhouse.
- Video tagging social media users.
- An anti-ransomware task force.
Signal points out a Cellebrite bug.
Cellebrite is known for helping government and police investigators break into mobile devices confiscated from criminals or other undesirables by ferreting out vulnerabilities in cell phones. Now the Israel-based digital forensics firm is on the receiving end of its own medicine. Researcher Moxie Marlinspike, creator of the Signal messaging app, divulged on his blog that he has discovered security flaws in Cellebrite’s UFED and Physical Analyzer software. When used as intended, UFED cracks the device’s encryption in order to unlock the desired data on a Windows computer, while the Physical Analyzer displays the data in a searchable format. The bugs Marlinspike identified allow a hacker to execute malicious code on the Windows computer displaying the data.
As Ars Technica explains, the weaknesses can be exploited by embedding specially formatted files into any app on the phone, so that when the device is subsequently scanned by Cellebrite’s tools, the malicious code undetectably modifies Cellebrite’s scan results. As Marlinspike states, “This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.” Because the very nature of Cellebrite’s software requires it to parse untrusted data, it is all the more important that the software ship with extensive exploitation mitigations, which makes Marlinspike’s findings particularly damning. It’s also worth noting that Marlinspike detected two MSI installer packages that appear to have been extracted from the Windows installer for Apple’s iTunes, possible evidence of a copyright violation.
Cellebrite has not stated whether they were previously aware of the vulnerabilities, but a spokesperson responded, "Cellebrite is committed to protecting the integrity of our customers’ data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available."
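The data-integrity concern raised above is one examiners can partly address themselves: hashing the raw extraction artifacts at acquisition time and sealing the hash list under a key that never lives on the analysis workstation gives a baseline that later outputs can be checked against. The following is an added example written for this briefing, not code from Signal, Cellebrite, or any vendor; the file names, contents and key are constructed, and the HMAC-sealed manifest is a standard chain-of-custody technique, not a description of what any forensic product does. It detects a modified, missing or added artifact and refuses to trust a manifest whose entry list was altered; it does not stop code running inside an analyzer from producing a misleading report in the first place.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample "extraction" artifacts. In a real workflow these would be the raw
# files produced by acquisition, hashed before any analyzer is allowed to touch them.
SAMPLE_EXTRACTION: Dict[str, bytes] = {
    "sms.db": b"constructed sample: sqlite bytes would be here",
    "contacts.db": b"constructed sample: more sqlite bytes",
    "photos/IMG_0001.jpg": b"\xff\xd8\xff\xe0constructed-jpeg-header",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: Dict[str, str]) -> bytes:
    # Canonical JSON so the MAC is stable regardless of dict ordering.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: Dict[str, bytes], key: bytes) -> dict:
    """Hash every artifact and seal the list with an HMAC under an examiner-held key.

    The key is assumed (hypothetically) to be kept off the analysis workstation, e.g. on a
    hardware token, so code running on that workstation cannot re-seal a modified manifest.
    """
    entries = {name: sha256_hex(data) for name, data in sorted(artifacts.items())}
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def verify_manifest(artifacts: Dict[str, bytes], manifest: dict, key: bytes) -> List[str]:
    """Return a list of problems; an empty list means the artifacts match the sealed manifest."""
    problems: List[str] = []
    entries = manifest.get("entries", {})
    expected_mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest.get("mac", "")):
        problems.append("manifest MAC mismatch: entry list was altered or sealed with a different key")
        return problems  # the entry list cannot be trusted, so per-file results would be meaningless
    for name, digest in entries.items():
        if name not in artifacts:
            problems.append(f"missing artifact: {name}")
        elif not hmac.compare_digest(sha256_hex(artifacts[name]), digest):
            problems.append(f"modified artifact: {name}")
    for name in artifacts:
        if name not in entries:
            problems.append(f"unexpected artifact not in manifest: {name}")
    return problems


if __name__ == "__main__":
    key = b"constructed-examiner-key-kept-off-the-workstation"
    manifest = build_manifest(SAMPLE_EXTRACTION, key)
    print("intact:", verify_manifest(SAMPLE_EXTRACTION, manifest, key))
    tampered = dict(SAMPLE_EXTRACTION, **{"sms.db": b"constructed sample: altered"})
    print("tampered:", verify_manifest(tampered, manifest, key))
```

Run as a script it reports an empty problem list for the intact set and `modified artifact: sms.db` for the altered copy. Sealing the manifest with an HMAC rather than a bare hash list is the point: a plain list of SHA-256 values can be rewritten by whatever modifies the files, whereas re-sealing requires the examiner's key.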
Ghosts in the Clubhouse.
Clubhouse made headlines earlier this month due to a recent data leak that exposed the data of over a million users. Now, WIRED reports, security researcher Katie Moussouris has discovered two vulnerabilities (now fixed) in the audio social networking platform that would allow a threat actor to eavesdrop on a Clubhouse room without the other users’ knowledge.
The hack can be accomplished with just two iPhones (the app is only available on iOS), a Clubhouse account, and very little technical prowess. By logging into and out of a Clubhouse room on one phone and then the other in the right sequence, any user can become a “ghost,” present in the room but invisible to other users, and can even interrupt the conversation without the moderator’s permission. This snooping hack is especially concerning given that Clubhouse has a history of privacy issues, as well as reports of harassment and hate speech.
After being notified about the issue last month, Clubhouse patched the bugs involved and stated, “We appreciate the collaboration of researchers like Katie, who helped us identify a few bugs in the user experience and allowed us to swiftly address those to remove any vulnerability before any users were affected.”
Video tagging operation targets social media users.
Social media users are reporting a hack in which they are being tagged in malicious videos, the Manila Standard explains. Here's how it works: the target (and possibly their connections) sees that they have been tagged and clicks the link to view the video, unwittingly exposing their profile to attack. This tactic exploits curiosity, an essential element of any social engineering operation, which can drive victims to take risky actions without thinking. Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky, reminds users of the importance of securing social media accounts with a strong password and configuring account settings to limit who can tag you or see you in videos or other posts.
US Justice Department forms anti-ransomware task force.
Ransomware as a whole continues to be a pervasive criminal threat to both data availability and data security. The US Justice Department, according to the Wall Street Journal, is establishing an anti-ransomware task force. It hopes thereby to increase training, devote more resources to the problem, and increase intelligence sharing. It also seeks, significantly, to work toward gaining more clarity about “links between criminal actors and nation-states.”
We heard from two industry experts about this response to a burgeoning threat to data privacy. CrowdStrike’s Chief Security Officer and President of Services, Shawn Henry (who's also a former FBI Executive Assistant Director) sees the move as a good first step.
"The DOJ’s creation of a new task force to restrict the explosion in ransomware cyberattacks is a solid first step in combating this pervasive problem, and one that is long overdue. In fact, 81% of the e-crime cases CrowdStrike investigated in 2020 involved the deployment of ransomware or the precursor to ransomware activities. While some in the private sector can prevent and defend against these attacks, the adversaries will keep coming until they’re deterred; that deterrence can be through a variety of engagements, including financial sanctions, diplomatic actions, and disruptive law enforcement efforts. This task force can be the springboard to those activities.”
ImmuniWeb CEO Ilia Kolochenko likes what he sees as an interest in getting to root causes:
“This is a laudable initiative that finally cures the root cause and not the mushrooming consequences. However, being mindful of the ongoing pressure from privacy advocates and a convoluted regulatory landscape, smooth execution of the takedown operations may be quite problematic. For instance, adverse foreign countries may purposely create CC servers in their jurisdictions, to later claim an act of cyber aggression by the US and justify a counter-attack. Similarly, sometimes such operations may have an unforeseen collateral effect on IT or cloud infrastructure of innocent third parties or even US governmental entities, who will certainly be unhappy about the DOJ policing efforts. Finally, the legality of such operations under international law is vague. Thus, the DOJ should rigorously plan and prepare their upcoming activities, carefully addressing both technical and legal implications of cyber operations.”