🚨 Woah. An intentional backdoor discovered in encrypted radio comms used globally for over 25 years.
Buckle up!
Matt Johansen
@mattjay
Helping Secure the Internet | Long Island elder emo surviving in ATX | Expect: infosec current events, DFIR, appsec & cloudsec - and me!
Matt Johansen’s posts
Imagine being in infosec and proudly announcing all the false positives you blocked.
Quote
Display of oversized liquids, gels and aerosols that travelers had in their carry-on bags at the @SyracuseAirport @TSA Checkpoint in a 3-day span. The limit for liquids through a checkpoint is 3.4 oz.
Why all phishing education is fruitless. This is a legitimate email I just got from a doctor’s payment processor.
🚨 A new vulnerability found in Telegram that can grant access to your camera and microphone.
Found by an engineer at Google, reported to Telegram and they haven't addressed it.
So now we get a detailed public disclosure!
How this works and what it means for your privacy 👇
Internet Explorer being developed by a bunch of strung out people going through divorces makes the most sense of anything I’ve heard recently.
🚨 Woah. Crazy new research paper I just read.
Remotely and inaudibly issue commands to Alexa, Siri, Google Assistant, etc.
"allows attackers to deliver security-relevant commands via an audio signal between 16 and 22 kHz (often outside the range of human adult hearing)" 🔊
Woah. Unicode 'n' characters in a domain name as a super dangerous spoofed cryptocurrency exchange. Even has an SSL cert.
You find a Raspberry Pi plugged into a network switch at work. What do you do?
I think infosec should start hiring librarians for documentation, education, and research.
I got a quote for $17k to install a gate. So I did the damn thing myself for less than $250
Replying to
The encryption algorithms used in TETRA were kept secret until a group of Dutch researchers got their hands on them and found severe flaws, including a deliberate backdoor.
This backdoor could allow someone to snoop on communications and potentially send harmful commands.
Replying to
The technology in question is a European radio standard called TETRA (Terrestrial Trunked Radio).
It's used in radios made by Motorola, Damm, Hytera, and others and is embedded in critical infrastructure like pipelines, railways, and the electric grid.
Replying to
These vulnerabilities are not just theoretical.
TETRA radios are used in 2+ dozen critical infrastructure systems in the US.
- Electric Utilities
- A State border control agency
- An oil refinery
- Chemical plants
- A major mass transit system on the East Coast.
Replying to
The researchers plan to present their findings at the BlackHat
They plan to release a detailed technical analysis and the secret TETRA encryption algorithms that have been unavailable to the public until now.
Replying to
Replying to
TETRA is also used in specialized systems sold exclusively to police forces, prison personnel, military, intelligence agencies, and emergency services.
This includes the C2000 system used by Dutch police, fire, ambulance, and the Ministry of Defense. 🚓🚑
Replying to
The researchers also found a second vulnerability that could let someone decrypt encrypted voice and data communications and send fraudulent messages.
This could be used to spread misinformation or redirect personnel and forces during critical times. 📡
And my favorite response so far:
Quote
Replying to @KimZetter
Reader comment:
"I love Murgatroyd's response: 'It's not a backdoor, we just left the front door open.'"
Replying to
The researchers discovered these vulnerabilities in 2021 but agreed not to disclose them publicly until radio manufacturers could create patches and mitigations.
BUT
Not all of these issues can be fixed with a patch.
It's not clear which manufacturers have prepared them.
Are you actually relaxing? Or are you just shutting down and disassociating because you’re stuck from all the stress you’re dealing with?
I know my answer!
Hey friends - I won't be drinking in Vegas this year. I'd appreciate support in this matter and not trying to force me to because I'd still like to hang out with you and I won't if that nonsense goes on.
Generally good advice to not do that since you don't know someone's reasons
If you're an experienced security pro in Vegas this week I've got 2 challenges for you.
1. Watch one talk you know NOTHING about. Like barely understand the title.
2. Find at least one student or much younger pro and buy them a meal/coffee/drink and let them ask you questions.
The rookie years breaking into infosec are rough.
I felt like an idiot most of the time. Didn't understand the acronym soup.
I couldn't even figure out what to ask half the time. I was so lost.
Here are 13 infosec career hacks I wish I had known when I was getting started:
Replying to
They found evidence in the Edward Snowden leaks that indicates the NSA and UK’s GCHQ intelligence agency targeted TETRA for eavesdropping.
I remember sitting in the crowd in Miami when Barnaby Jack used a Pringles can antenna to scan the audience for insulin pumps.
He found one, and informed the gentleman who stood up he could make his pump dispense all of its insulin right now from the stage.
Replying to
The first vulnerability the researchers found was the backdoor in TEA1.
All four TETRA encryption algorithms use 80-bit keys, but TEA1 has a feature that reduces its key to just 32 bits.
The researchers were able to crack it in less than a minute using a standard laptop.
Here is an interesting bit about the stolen MSA signing key from the China/Microsoft Incident this week:
MS doesn't know how the hackers stole it.
Replying to
TETRA was developed in the ’90s by the European Telecommunications Standards Institute (ETSI).
The standard includes four encryption algorithms—TEA1, TEA2, TEA3, and TEA4.
🚨 Over 250,000 Fortinet firewalls publicly accessible on the Internet.
They just dropped a patch for a major Remote Code Execution vulnerability.
...and then announced the vuln may have been used in attacks already.
Let's dive in 👇
Replying to
One of the best static analysis people I hired was delivering pizzas for Domino's when I interviewed him. Don't limit your talent pool.
Replying to
The second major vulnerability isn’t in one of the secret algorithms... it affects all of them.
The issue lies in the standard itself and how TETRA handles time syncing and keystream generation.
This could allow an attacker to intercept and decrypt communication.
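An added illustration, not code from the thread or from the researchers' analysis, of why a keystream that is a deterministic function of an unauthenticated time value is dangerous. The toy stream cipher, the key, the messages and the receiver-side check are all constructed for this example; TETRA's real keystream generator, frame format and key sizes are not modelled, and the monotonic-time check is a generic defensive idea, not the ETSI revision.

```python
"""Toy demonstration of keystream reuse when the keystream depends only on
(key, time). Everything here is constructed for illustration."""
import hashlib
import hmac


def keystream(key: bytes, network_time: int, length: int) -> bytes:
    # Toy generator: expand HMAC-SHA256(key, time || block_counter) to `length`
    # bytes. The same (key, time) pair always yields the same keystream.
    out = b""
    block = 0
    while len(out) < length:
        msg = network_time.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    # Byte-wise XOR, truncated to the shorter input.
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, network_time: int, data: bytes) -> bytes:
    # Stream-cipher encryption and decryption are the same XOR operation.
    return xor(data, keystream(key, network_time, len(data)))


def keystream_reuse_leak(key: bytes, t: int, p1: bytes, p2: bytes) -> bool:
    """True when two frames sent under the same (key, time) leak the XOR of
    their plaintexts: XOR of the ciphertexts cancels the shared keystream,
    so an eavesdropper learns p1 ^ p2 without ever touching the key."""
    c1 = encrypt(key, t, p1)
    c2 = encrypt(key, t, p2)
    return xor(c1, c2) == xor(p1, p2)


class Receiver:
    """Toy receiver applying one generic defensive check (an assumption for
    this example): the time value must strictly increase, so this receiver
    never derives the same keystream twice, whatever time the network claims.
    This limits reuse on the receiving side; it does not make an
    unauthenticated time value trustworthy."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_time = -1

    def accepts(self, network_time: int) -> bool:
        return network_time > self.last_time

    def decrypt(self, network_time: int, ciphertext: bytes) -> bytes:
        if not self.accepts(network_time):
            raise ValueError(
                f"rejected time {network_time}: not later than {self.last_time}"
            )
        self.last_time = network_time
        return encrypt(self.key, network_time, ciphertext)


if __name__ == "__main__":
    KEY = b"constructed-example-key"  # constructed, not a real key
    p1, p2 = b"UNIT 12 PROCEED TO GATE", b"UNIT 07 HOLD AT DEPOT"
    print("same time leaks p1^p2:", keystream_reuse_leak(KEY, 4242, p1, p2))
    rx = Receiver(KEY)
    print(rx.decrypt(4242, encrypt(KEY, 4242, p1)))
    print("accepts replayed time 4242 again:", rx.accepts(4242))
```

The leak check is the classic two-time-pad property of any stream cipher: the fix is to guarantee that a keystream is never produced twice under one key, which is why the time or counter feeding the generator has to be both unique and trustworthy.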
🔥 Thousands of container images on Docker Hub are leaking confidential secrets!
We've seen this a lot on GitHub repos, but it seems there is another growing way to accidentally publish private keys... Your container images.
Let's look at what's going on:
Replying to
A worrying detail:
We don’t know if the vulnerabilities they found are being actively exploited.
Replying to
This is scarily accurate. "That was assigning the whole network IP addresses!"
Replying to
As for fixes...
ETSI fixed the keystream/timestamp issue in a revised TETRA standard published last October, and they created three additional algorithms for vendors to use, including one that replaces TEA1.
However, the problem with TEA1 cannot be fixed with an update.
Replying to
I'd rather wear a backpack than have 23599296 at the end of my handle.
OH: "What's MFA?"
"Multi factor auth"
"Oh, I'm used to 2FA. Is 2FA like bi and MFA like pan?"
"Yes. MFA is the pansexual authentication."
Replying to
Is this one of those fake jets you pose for influencer posts in?
Tabletop scenario: your infosec team has pooled for the billion dollar lotto jackpot and won. They all quit tomorrow. What do you do?
I'm missing a department presentation called "What is Burnout" because I've been pulled into some urgent meetings. Alanis Morissette take note.
Wow! Interesting data. When launched security alerts they were tracking 500k known vulnerabilities. Shortly after alerting repo owners, 450k of them were fixed.
Replying to
This was over 10 years ago.
The FDA just now issued a policy that it will turn down medical devices for cybersecurity flaws.
scmagazine.com/editorial/news
Grateful to work for a company that gives new Dads paternity leave to spend time figuring it all out during the first year. Seems my little girl is grateful too.
Living vicariously through my kid who doesn’t know the gravity of what’s happening and is just stoked for ice cream.
Looking for a Security Data Engineer @ Reddit - can be remote. Build logging and SIEM/SOAR pipelines and workflows. Cool threat detection automation slice and dice stuff. Cloud heavy. DM me for link to apply. RT pls!
My buddy texted me saying he gave 90 day notice but got walked out the door. The straw that broke his back? He called out sick on Monday because his daughter was exposed to Covid with symptoms. His boss said “no” - ok I quit then. The great resignation and power shift is real.
Hear me out. What if we didn’t have a system reliant on someone elderly surviving cancer and working till the last possible day in order for democracy to not die a fiery death?
🧵 HUGE Update around the active exploitation of MOVEit 0day!
From - CVE-2023-34362 is not just SQLi - they reversed it and found full RCE as well...
Security people mocking a company for not patching a known vulnerability, claiming how easy it was, have obviously never worked blue team.
Most important news I've discovered in months. LAX has dedicated pups for you to pet during your layover. 2 super sweet pits made my day.
Tabletop exercise of the day: You lead a small security team for a tech startup
No Active Directory or mail servers, but a fleet of MacBooks and SaaS apps.
You hear mumblings of some weird Slack DMs & later a teammate texts you saying they have a ransomware message.
What next?
15-year-old family pup’s last meal is a puppacino from Starbucks today. Never an easy decision, but it was time.
Just wrapped up my first day as Lead Security Architect for ! Can’t understate how excited I am to be part of this team.
Badass security job alert:
I'm looking for a Sr. Security Engineer - would be working on our detections, threat hunting, automation, SIEM/SOAR, etc. Reports to head of the SOC.
Small team, lots of room to grow and make it your own. Going to be picky on this one. Key role. pls RT
📣 I just got sent the most comprehensive list of Purple Team resources I've ever seen!
And it was compiled for 's PhD Dissertation.
github.com/ch33r10/Enterp
I'd be insufferable if I was them - "That's DOCTOR threat hunter to you"
My dearest,
I'm writing to inform you we've updated our privacy policy...
#secondcivilwarletters
I stopped drinking right before blackhat and it was rough.
Today is 9 months sober. Fitting that it’s an anniversary during RSA.
Replying to
Even macOS Root users can't access the microphone or screen recording unless the app has direct user consent or manually granted permissions.
But this newly discovered weakness in Telegram's macOS application can sidestep that security measure.
Barista asked me what “k8s” was on my RUN K8S shirt.
Instinctively said “Kubernetes” and realized how unhelpful that was.
What would you have said?
And gay engineers. And male office managers.
If you read the Dragos breach disclosure and didn't immediately ping your IT team to ask them how they're verifying new hires are who they say they are...
...what are you waiting for?
Replying to
Thanks for the awesome research and write up.
To read the whole thing check out Dan's blog:
danrevah.github.io/2023/05/15/CVE
Stay safe out there!
If you’ve ever been to a DEFCON you don’t need to worry about what’s in the vaccine.
You only have 18 summers with your kid at home.
A friend told me that over coffee in SF a few weeks ago and I can't get it out of my head.
Don't wait to take that trip, see that show, buy that tent...
Replying to
If you like news like this, you'll love my free newsletter:
Join over a thousand security pros here:
Replying to
The weakness was discovered in February, and despite attempts to alert Telegram's security team, the issue remains unresolved.
The vulnerability was publicly disclosed today after the grace period with VINCE expired.
why aren't infosec folk sponsored by coffee companies the way energy drinks sponsor athletes?
Tabletop Thursday:
You wake up to find out your main domain wasn't on auto-renew, and someone snagged it. It's tied to your primary email, aka all password reset power.
The person who snagged it isn't responding to comms to repurchase it.
What do you do?
Me, two Great Danes, and pretty much what’s left of what I own. On the move.
🚨 Woah. Crazy spyware analysis just dropped.
Triangulation iOS spyware that targeted Kaspersky employees.
Upon analysis, this implant might work on macOS as well.
Let's dive in! 👇
Just because you don’t workout today doesn’t make you a piece of shit.
You’re a piece of shit for so many other reasons.
Well, my pup passed away tonight at home. She lived an incredibly loved life and I’m going to miss her terribly. 🌈
Tabletop scenario time:
Your IT staff is doing new hire onboarding Monday morning and they think 1 of the 6 new hires might be an impersonator.
They claim to not have got the laptop in the mail but are trying to do orientation and need Slack and Email.
What do you do?
Replying to
The weakness involves macOS's Transparency, Consent, and Control (TCC) mechanism.
This mechanism manages access to "privacy-protected" areas in macOS, which Telegram's vulnerability can exploit.
Looking for a security data engineer. Log pipelines, SIEM, SOAR, etc. Hit me and I'll get you a job application link.
Last year Blackhat vs this year Blackhat.
Very serious business shirt upgrade.
🎲 Tabletop scenario time!
You're the CISO of a major corporation. Suddenly, you discover stalkerware on an executive's endpoint.
But wait, there's more!
The stalkerware's C2 itself is breached, and the collected data leaks to the dark web.
What do you do?
It turns out not enough houses burned down for FEMA to declare it a disaster and give me any money. My house didn’t burn down any less just because another neighborhood nearby still stands. Strange rules.
Replying to
iOS requires an app to be signed with the Hardened Runtime entitlement to be uploaded to the App Store.
macOS doesn't have this requirement.
This loophole can potentially leave macOS apps more vulnerable.
Excited to announce we're expecting a little girl this fall. I'm just impatient to meet her already.
Whelp. Whole house has Covid. Positive test back. I’m completely fine and asymptomatic. The rest are mild colds. Hunkering down.
Replying to
What makes an application like Telegram susceptible to this? It comes down to Entitlements and Hardened Runtime.
Entitlements are permissions given to a binary to obtain certain privileges like accessing the microphone. Hardened Runtime prevents certain types of exploits.
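An added audit helper, not code from the thread, from Telegram or from the researcher's write-up, that covers the two points above: whether a macOS binary is signed with the Hardened Runtime (reported as the `runtime` flag in `codesign -dv` output) and which microphone/camera entitlements it carries (from the entitlement plist that `codesign -d --entitlements :-` prints). The two sample outputs are constructed for this example and describe no real app; the entitlement keys are Apple's standard ones, and the list of entitlements treated as "weakening" the Hardened Runtime is this example's own choice.

```python
"""Audit codesign output for Hardened Runtime and privacy-sensitive entitlements.
Sample inputs are constructed; they do not come from any real application."""
import plistlib
import re

# Constructed to resemble `codesign -dv App.app` output for a hardened app.
SAMPLE_CODESIGN_DV_HARDENED = """\
Executable=/Applications/ExampleChat.app/Contents/MacOS/ExampleChat
Identifier=com.example.chat
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
"""

# Same app signed without the Hardened Runtime (constructed).
SAMPLE_CODESIGN_DV_PLAIN = SAMPLE_CODESIGN_DV_HARDENED.replace(
    "flags=0x10000(runtime)", "flags=0x0(none)"
)

# Constructed entitlement plist requesting microphone and camera access.
SAMPLE_ENTITLEMENTS = """\
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.device.camera</key><true/>
</dict>
</plist>
"""

# Entitlements that gate TCC-protected hardware (Apple's standard keys).
PRIVACY_ENTITLEMENTS = {
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.device.camera": "camera",
}

# Entitlements that relax Hardened Runtime protections; which ones to flag is
# this example's own policy choice, not an Apple list.
RUNTIME_WEAKENING = {
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-jit",
    "com.apple.security.get-task-allow",
}


def has_hardened_runtime(codesign_dv_output: str) -> bool:
    """True when the CodeDirectory flags name `runtime` (Hardened Runtime)."""
    match = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", codesign_dv_output)
    if not match:
        return False
    return "runtime" in [flag.strip() for flag in match.group(1).split(",")]


def granted_entitlements(entitlements_xml: str) -> dict:
    """Parse the plist and keep only entitlements whose value is true."""
    data = plistlib.loads(entitlements_xml.encode("utf-8"))
    return {key: value for key, value in data.items() if value is True}


def audit(codesign_dv_output: str, entitlements_xml: str) -> dict:
    """Combine both views into findings a reviewer can act on."""
    entitlements = granted_entitlements(entitlements_xml)
    hardened = has_hardened_runtime(codesign_dv_output)
    privacy = sorted(PRIVACY_ENTITLEMENTS[k] for k in entitlements if k in PRIVACY_ENTITLEMENTS)
    weakening = sorted(k for k in entitlements if k in RUNTIME_WEAKENING)
    findings = []
    if privacy and not hardened:
        findings.append("privacy-sensitive entitlements without Hardened Runtime")
    if privacy and weakening:
        findings.append("Hardened Runtime weakened by: " + ", ".join(weakening))
    return {
        "hardened_runtime": hardened,
        "privacy_entitlements": privacy,
        "runtime_weakening": weakening,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, dv in (("hardened", SAMPLE_CODESIGN_DV_HARDENED), ("plain", SAMPLE_CODESIGN_DV_PLAIN)):
        print(label, audit(dv, SAMPLE_ENTITLEMENTS))
```

On a Mac the two inputs come from `codesign -dv /Applications/Foo.app 2>&1` (codesign writes its report to stderr) and `codesign -d --entitlements :- /Applications/Foo.app`; the exact text layout of those commands varies across macOS versions, so treat the parsing here as an assumption to check against the version in use.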
Wow! That's new.
All signs point to a scam, but it was by a legit employee committing fraud for quota incentives.
Quote
Woah, first time getting scammed from a real @Att employee directly.
I only caught this because I got suspicious and started digging
Here's what happened...