
Security Leftovers, Proprietary Software, and Microsoft FUD

Filed under
Security
  • Reproducible Builds: Reproducible Builds in July 2021

    Welcome to latest report from the Reproducible Builds project. In this post, we round up the important things that happened in the world of reproducible builds in July 2021. As always, if you are interested in contributing to the project, please visit the Contribute page on our website.

    [...]

    Joshua also mentions our sister Bootstrappable Builds project, as well as a number of other reproducible-adjacent tools such as the Bazel build system.

  • Israeli Government Finally Decides To Start Looking Into NSO Group And Its Customers

    The NSO Group's latest scandal is the gift that keeps on giving. The malware purveyor has always been controversial, thanks to its decision to sell powerful cellphone exploits to known human rights violators. That these exploits have been used to place world leaders, journalists, activists, and religious leaders under surveillance is just the expected result of choosing to do business with extremely shady governments.

  • Apple unveils plans to scan US iPhones for images of child sex abuse

    Apple will roll out an update later this year that will include technology in iPhones and iPads that allows the tech giant to detect images of child sexual abuse stored in iCloud, the company announced Thursday.

    The feature is part of a series of updates Apple unveiled aimed at increasing child safety, but security researchers and advocates are warning the scanning update — along with one that aims to give parents protective tools in children’s messages — could pose data and security risks beyond the intended purpose.

  • Apple to Scan US IPhones for Images of Child Sexual Abuse

    But in a blistering critique, the Washington-based nonprofit Center for Democracy and Technology called on Apple to abandon the changes, which it said effectively destroy the company's guarantee of "end-to-end encryption." Scanning of messages for sexually explicit content on phones or computers effectively breaks the security, it said.

    The organization also questioned Apple's technology for differentiating between dangerous content and something as tame as art or a meme. Such technologies are notoriously error-prone, CDT said in an emailed statement. Apple denies that the changes amount to a backdoor that degrades its encryption. It says they are carefully considered innovations that do not disturb user privacy but rather strongly protect it.

    Separately, Apple said its messaging app will use on-device machine learning to identify and blur sexually explicit photos on children's phones and can also warn the parents of younger children via text message. It also said that its software would "intervene" when users try to search for topics related to child sexual abuse.

  • Apple's Plan to "Think Different" About Encryption Opens a Backdoor to Your Private Life

    Child exploitation is a serious problem, and Apple isn't the first tech company to bend its privacy-protective stance in an attempt to combat it. But that choice will come at a high price for overall user privacy. Apple can explain at length how its technical implementation will preserve privacy and security in its proposed backdoor, but at the end of the day, even a thoroughly documented, carefully thought-out, and narrowly-scoped backdoor is still a backdoor.

    To say that we are disappointed by Apple’s plans is an understatement. Apple has historically been a champion of end-to-end encryption, for all of the same reasons that EFF has articulated time and time again. Apple’s compromise on end-to-end encryption may appease government agencies in the U.S. and abroad, but it is a shocking about-face for users who have relied on the company’s leadership in privacy and security.

    There are two main features that the company is planning to install in every Apple device. One is a scanning feature that will scan all photos as they get uploaded into iCloud Photos to see if they match a photo in the database of known child sexual abuse material (CSAM) maintained by the National Center for Missing & Exploited Children (NCMEC). The other feature scans all iMessage images sent or received by child accounts—that is, accounts designated as owned by a minor—for sexually explicit material, and if the child is young enough, notifies the parent when these images are sent or received. This feature can be turned on or off by parents.

  • Apple builds a universal backdoor into the iPhone.

    WGN reports that Apple has now announced a universal backdoor into the iPhone for law enforcement.

    For now, they’re saying they’ll only use it for “child abuse” and have the phone automatically rat out the user to the police. But the same article then continues that “authoritarian” governments (which are actually most of them, and the US government is certainly authoritarian in some ways even though there certainly are many worse countries to be in) can then use the technology any way they please, and Apple is unlikely to tell them no.

  • Ransomware Gangs and the Name Game Distraction [iophk: Windows TCO]

    Cybercriminal syndicates also perform similar disappearing acts whenever it suits them. These organizational reboots are an opportunity for ransomware program leaders to set new ground rules for their members — such as which types of victims aren’t allowed (e.g., hospitals, governments, critical infrastructure), or how much of a ransom payment an affiliate should expect for bringing the group access to a new victim network.

    I put together the above graphic to illustrate some of the more notable ransom gang reinventions over the past five years. What it doesn’t show is what we already know about the cybercriminals behind many of these seemingly disparate ransomware groups, some of whom were pioneers in the ransomware space almost a decade ago. We’ll explore that more in the latter half of this story.

  • Black Hat: Microsoft’s Patch for Windows Hello Bypass Bug is Faulty, Researchers Say

    The vulnerability, tracked as CVE-2021-34466 (CVSS score: 5.7), was patched by Microsoft in July. However, according to research disclosed here at Black Hat USA 2021, the flaw still allows attackers – in some scenarios – to bypass Windows Hello and Windows Hello for Business, used for single-sign-on access to a user’s computer and a host of Windows services and associated data.

  • Step 1: Do a Google search. Ransomware [cracker] goes rogue, leaks gang's plan. [iophk: Windows TCO]

    The files, posted to a forum frequented by Russian-speaking cybercriminals and reviewed by NBC News, include numerous instruction manuals allegedly belonging to Conti, a Russian-speaking [cracker] group that has attacked several hospitals, including health care chains in the U.S., and Ireland’s national system, the Health Service Executive.

    In one step-by-step guide, written in Russian, members are instructed how to identify and [crack] victims using Cobalt Strike, software that includes a number of known [cracking] programs. While built for defenders to test their own systems, Cobalt Strike has become a popular tool for criminal [crackers].

  • Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations [iophk: Windows TCO]

    Given its rampant adoption by red teams and attackers alike, we wanted to better understand the operational security of Cobalt Strike. This led us to discover the vulnerabilities reported in CVE-2021-36798 and which we describe below.

  • Three Problems with Two Factor Authentication

    Before you implement 2FA, think about how you are going to reset the 2F. People will lose phones. They will forget tokens at work/home and still need to get access to specific applications. This is a bit like the password reset problem but often more difficult. I have not seen a good implementation yet, and if anybody has any ideas, let me know. Most sites will create a "recovery code," but that code may be lost as well (either for good or to an attacker). I once had a hardware token break that I use for a bank, and it came down to "answer these questions" before 2FA was disabled for my account and a new authenticator was sent. In some cases, it can help to allow the user to register multiple tokens.

  • Linux version of BlackMatter ransomware targets VMware ESXi servers [Ed: Microsoft propagandist Lawrence Abrams is at it again, trying to associate "Linux" with danger because some proprietary software that's a GPL violation (against Linux) is at risk from something that has nothing to do with Linux, maybe just weak passwords, misconfiguration etc. Microsoft's playbook is to directly or by proxy concern-troll "Linux" security. Projection tactics.]
