WhatsApp security failures led to widespread political spying: “spouse, key staff members, and close associates”

There’s a buried lede in the recent CitizenLab report about Catalans targeted by Spanish government spyware: an overly broad dragnet model.

In 2019, WhatsApp patched CVE-2019-3568, a vulnerability exploited by NSO Group to hack Android phones around the world…. […] The spouse, key staff members, and close associates of Carles Puigdemont (MEP, JUNTS) were all targeted…. We count up to eleven individuals that fit this category. For example, Marcela Topor, his spouse, was infected at least twice (on or around October 7, 2019 and July 4, 2020).

This reminds me of news from 50 years ago.

…Gallagher’s concerns were being aired just as FBI wiretaps and bugs targeting Martin Luther King were believed to have violated the privacy rights of over 6,000 people by 1968.

In addition to spying on everyone around a person of interest, the method used by Spain is technically interesting because software patching usually diminishes with each degree of separation from a target.

Does everyone in your circle of family and friends update regularly? They should.

The WhatsApp CVE-2019-3568 cited above was a particularly critical buffer overflow — rated by some as CVSS 9.8 out of 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It led to unauthenticated remote access.

A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number.

It was just one out of seven overflow vulnerabilities disclosed by WhatsApp that year alone!
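The CVE text blames a crafted series of RTCP packets. Whatever the exact defect in WhatsApp's stack (the post does not say, and this example does not claim to reproduce it), the generic lesson of a length-driven overflow in a packet parser is that every length a peer declares must be checked against the bytes actually received before anything is read. The following is an added illustration, not WhatsApp's code or the original post's: a Python walker for RFC 3550 compound RTCP packets that refuses a packet whose declared length overruns the buffer. The sample packets are constructed here; the helper names (parse_rtcp_compound, is_well_formed, build_rtcp) are my own.

```python
import struct

RTCP_VERSION = 2
RTCP_HEADER_LEN = 4  # V/P/count byte, packet-type byte, 16-bit length field
PT_NAMES = {200: "SR", 201: "RR", 202: "SDES", 203: "BYE", 204: "APP"}


class RtcpError(ValueError):
    """Raised for any compound packet that must not be processed further."""


def parse_rtcp_compound(buf: bytes) -> list:
    """Walk a compound RTCP packet and return [(packet_type, payload), ...].

    Every declared length is checked against the bytes actually present
    before the payload is touched.  In a C implementation, trusting the
    peer-supplied 16-bit length field without this check is the classic
    way a crafted packet becomes an out-of-bounds read or write.
    """
    packets = []
    offset = 0
    while offset < len(buf):
        remaining = len(buf) - offset
        if remaining < RTCP_HEADER_LEN:
            raise RtcpError(f"truncated header at offset {offset} ({remaining} bytes left)")
        first, pt, length_words = struct.unpack_from("!BBH", buf, offset)
        if first >> 6 != RTCP_VERSION:
            raise RtcpError(f"bad RTCP version {first >> 6} at offset {offset}")
        padded = bool(first & 0x20)
        # The length field counts 32-bit words including the header, minus one.
        pkt_len = (length_words + 1) * 4
        if pkt_len > remaining:
            raise RtcpError(
                f"packet at offset {offset} declares {pkt_len} bytes "
                f"but only {remaining} are present")
        payload = buf[offset + RTCP_HEADER_LEN: offset + pkt_len]
        if padded:
            # Last payload byte gives the padding length, itself included;
            # it must be non-zero and must not exceed the payload.
            if not payload or payload[-1] == 0 or payload[-1] > len(payload):
                raise RtcpError(f"invalid padding count in packet at offset {offset}")
            payload = payload[:-payload[-1]]
        packets.append((pt, payload))
        offset += pkt_len
    return packets


def is_well_formed(buf: bytes) -> bool:
    """True if the whole compound packet parses without a length violation."""
    try:
        parse_rtcp_compound(buf)
        return True
    except RtcpError:
        return False


def build_rtcp(pt: int, payload: bytes, count: int = 0, padded: bool = False) -> bytes:
    """Assemble one RTCP packet (used here only to construct sample input)."""
    if len(payload) % 4:
        raise ValueError("RTCP payload must be 32-bit aligned")
    first = (RTCP_VERSION << 6) | (int(padded) << 5) | (count & 0x1F)
    return struct.pack("!BBH", first, pt, len(payload) // 4) + payload


# Constructed sample: an empty Receiver Report followed by an SDES CNAME chunk.
SSRC = b"\x00\x00\x00\x01"
SDES_CHUNK = SSRC + b"\x01\x04user" + b"\x00\x00"  # CNAME item, end marker, pad
GOOD_COMPOUND = build_rtcp(201, SSRC) + build_rtcp(202, SDES_CHUNK, count=1)

# Constructed sample: the same RR header, but the length field claims 0x00FF
# words (1024 bytes) while only 8 bytes are actually present.
OVERLONG_PACKET = b"\x80\xc9\x00\xff" + SSRC

if __name__ == "__main__":
    for pt, payload in parse_rtcp_compound(GOOD_COMPOUND):
        print(PT_NAMES.get(pt, pt), payload.hex())
    print("overlong packet accepted?", is_well_formed(OVERLONG_PACKET))
```

The check that matters is the single comparison of pkt_len against remaining: Python slicing would silently truncate an overlong read, but a native parser that sizes a copy or a loop from that field has no such safety net, which is why the same check belongs at every layer that consumes a length the other end of the call controls.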

What do I mean by update regularly? This official vulnerability notice for WhatsApp was published 14 May 2019. I tried my best to warn at that time:

Facebook’s “secure” messaging app has been found vulnerable to compromise by a simple call.

That makes the timing of the above October 2019 and July 2020 infections even more noteworthy, because the exploits happened many months after the patch was available.

Could a simple patch within a month of notice (the customary turnaround given the CVSS 9.8 rating) have blocked the attacks on a politician’s spouse? And, perhaps more importantly, would a politician’s spouse have updated quickly?

It seems WhatsApp security marketing and promotion gave everyone a false sense of confidence.

In other words, here’s the real twist to this otherwise routine story, which should be reported far more widely. On April 11, 2019 a disgraced and fired former CSO of Facebook went on tour to promote WhatsApp as “the most privacy enhancing” product of all time.

Source: Twitter

And here’s a pro-tip about encryption: It doesn’t do anything to protect privacy when its application opens up a giant vulnerability giving open access to the system it runs on. Facebook (e.g. WhatsApp) thus may be recorded as the most privacy-destroying software in history because of its deceptive claims about safety.

Their ex-CSO could have been warning about the litany of security vulnerabilities in software that makes it an inherently untrustworthy communication channel, requiring careful management and maintenance — WhatsApp being no exception. That’s normal security professional advice (again, as I warned in May 2019).

Instead it seems overconfidence and bluster went unchallenged until far too late, a story all too familiar for those who know what’s going on behind the scenes in Silicon Valley.

For nearly a decade now and certainly since 2015 I’ve warned Spanish-speaking officials (among others) to ignore encryption puffery — not to trust WhatsApp for communication.

Given these technical details the political part of the story that seems to get lost in the news is that Facebook has strong ties with Russia, Catalan separatists had strong ties with Russia, and so… Catalans using Facebook were spied on by Western intelligence because Facebook (like Russia) is so awful at real security.

“Slavery is not in the past”

The BBC has just published an excellent article called “Confronting my family’s slave-owning past”:

As I grappled with the philosophical question of whether personally I owed anything, I sought the advice of Sir Hilary Beckles, the historian and vice-chancellor of the University of the West Indies who is the chair of the Caricom Reparations Commission.

“Slavery is not in the past,” said Sir Hilary. “Our grandparents remember their great-grandparents who were slaves. Slavery is part of our domestic present. Slavery denies you access to your ancestry. It leaves you in this empty void.”

Indeed. Slavery is not only part of our domestic present, I regularly present it as fundamental to understanding the near future of AI and robotics.

15 Year Imprisonment Recommended for Hacker Pleading Guilty to Denial of Service

Reading this “digital protest” story at face value makes a justice process sound rather… disproportionate.

Christopher Doyon, also known as “Commander X,” will be sentenced June 28 in U.S. District Court California Northern District. On Tuesday, Doyon appeared before District Judge Beth Labson Freeman to reverse his earlier plea of “not guilty.” The change of course came as part of a plea agreement in which the U.S. Attorney’s Office will recommend a 15-year prison sentence for Doyon, according to court documents. […] Santa Cruz County officials estimated damages to the computer network as a result of the conspiracy at approximately $4,060.

Denial of service isn’t exactly hacking into county services, since it’s more like sleeping on the court steps than walking into court. A fifteen year sentence for damage of less than $5K sure sounds extreme, given how his crimes are being reported.

Ukraine spends under $30K to destroy multiple $2M Russian tanks

A new SOFREP article, which reminds me of US anti-tank innovations in the 1980s Toyota War, offers us some plain numbers to explain why Russian tanks are being so easily defeated.

So, let’s do some basic math: If a Polaris Ranger costs $12,000 and the Stugna-P is at $20,000 (compared to the Javelin at $178,000 per set), you have a very mobile tank killer at just $32,000. The Ukrainian military will be saving a huge ton of money by destroying these Russian tanks, which have an estimated price of around $2,000,000 per unit…

A Polaris MRZR D2 is more like $50,000… but I digress.

Only $32K needed for the reusable Ukrainian platform that takes out multiple tanks. Such economics underscore unmistakable levels of incompetence in Russian operations, as seen in their heavy financial and troop losses.

A reputable source of these destroyed tanks is Oryx. So far, they have recorded that some 312 Russian tanks have been destroyed during the almost 3-month-old war, with another 17 damaged, 49 abandoned, and a whopping 222 captured. More so, the Russians aren’t looking too good as their tank manufacturer Uralvagonzavod had halted production and servicing due to a low supply of parts and foreign components and they are forced to draw tanks from repair depots and put them back into operational condition.

Russia appears as inept with technology and planning as the Nazis were, and might have been better off invading on horses as the Nazis did. At least it would have cost less.

But seriously, check out how the 1980s Toyota War was described at that time. Inexpensive light vehicles fitted with heavy weaponry and ridden hard, like horses.

Small groups of Toyota desert vehicles, with 106-mm recoilless rifles mounted at the rear, wheel and charge like cavalry in the vastness of the Sahara. Outriders hang from the sides, firing their AK-47s with deadly grace. Very young and therefore very brave, the men of these small fighting units, or escadrons, whip their Toyotas’ flanks until the vehicles seem to snort and froth at the bit like fine-blood Arab stallions. The young soldiers move silently, without war cries except for the high-pitched scream of their engines. […] A French officer says that the Goran are still the finest light cavalrymen in the world. But now, he adds, “they are mounted on Toyotas instead of horses.”

Does that really sound much different than reporting from Ukraine in 2022?

Speaking of animal metaphors, I’m not sure who made this video, but it’s quite good:

Anyway, the point is that anybody and everybody including both Ukraine and Russia for decades have been talking about evolution in light, mobile attack platforms.

So guess who seems to have planned not at all for an obvious “operationally unsuitable” reality in their invasion of Ukraine?

In the January 1987 Battle of Fada, northern Chad, nearly 100 Soviet T-55 were quickly destroyed by Toyota pickups firing anti-tank guided missiles

Apparently the old school “insurgent” marketing brochures (or actual lessons since the 1980s) didn’t give a big enough clue to the Russians despite significant foreshadowing… and this is the second time I’ve written here about them ignoring history. It reminds me of American generals in the Vietnam War being accused of basic ignorance.

It was not so much that American commanders read the wrong book on the art and science of war as it was that, in too many cases, they had read no such book at all.

We’re just talking about recent history too, not Major Bagnold’s 1940s Long Range Desert Group (LRDG) vehicles: “one of the most cost-effective special forces in the history of warfare” that ran circles around Nazi armor.

Long Range Desert Group (LRDG) Photo © IWM (E 12380): “A posed close-up view of a Chevrolet truck and its three man crew in the Western Desert. The gunner beside the driver is manning a modified Browning Mk II aircraft machine gun, while the soldier in the back is ready with the Lewis gun.”