21 February: a Meze of Stories

A meze is what people in many countries in the Eastern Mediterranean call a selection of small dishes. Compare it to the Spanish tapas. This week, I didn’t find time (or inspiration, or maybe both) for a longer main story, so instead I present you with a meze of interesting stories relevant to those working in digital security.

Thank you for reading this newsletter. If someone forwarded this newsletter to you, that is very kind of them and don't forget to thank them for it. You can subscribe here to receive future newsletters directly into your inbox. Feedback and suggestions are always welcome!

Martijn
martijn@lapsedordinary.net 

A meze of stories

Security company Group-IB analyzed GoldDigger, malware targeting iOS for financial gain. iOS malware is extremely rare given Apple’s tightly controlled ecosystem, which is why advanced spyware like Pegasus or Predator requires zero-day vulnerabilities to install itself on people’s phones.
GoldDigger uses two different techniques: mobile device management (MDM) and TestFlight. MDMs are used by larger organizations to manage mobile devices used by staff and allow the organizations to install custom apps on the devices. TestFlight can be used to distribute apps that are being tested to a select number of users. Apps installed through MDM or TestFlight aren’t subject to Apple’s strict screening, making it easier to install malware this way, though users still need to be socially engineered to install the malware themselves.
There is a big catch for malware operators though: in both cases, if Apple discovers the abuse, which is a lot easier than discovering the use of a zero-day, it can turn off the campaign with a single action, by disabling the MDM or TestFlight profile. This makes these techniques, though still rare, more likely to be used by financially motivated malware actors (for whom these kinds of disruptions are part of doing business) and less by developers of advanced spyware, whose business model depends on longer-term access to infected devices.

Telecom security company ENEA has reproduced what it believes to be a device fingerprinting technique used by NSO Group (who make the infamous Pegasus spyware) that was referred to in court documents. The technique uses MMS, a multimedia extension of SMS, and takes a single MMS message to collect information on the phone and its operating system. You may not think this is very private information, but mobile spyware typically only works on one particular kind of phone, so the first task a spyware operator has is to find out what kind of phone their target has. This technique solves that problem for them.
It is unclear whether the technique still works, but ENEA says it can easily be blocked at the network level, while many telecom companies may have stopped using MMS altogether. 
Should this worry those targeted by NSO spyware? The capability is not good news, but it is also fair to say that details of one's phone leak in all kinds of subtle ways. If someone really wanted to find out what phone you use, they probably could, even without this technique.

Operation Safe Escape writes about duress codes, pre-arranged 'messages' (in a very general sense) that someone at-risk can use to safely signal the need for help. They are writing about domestic abuse survivors in particular, but the technique could also be used for other high-risk people, such as human rights defenders or activists working in an adversarial environment.

Researchers at Citizen Lab uncovered a network of news websites in 30 countries operated by the People’s Republic of China and that unsurprisingly serve pro-PRC content. What is interesting about their research, aside from the content, is that they were able to find most of the websites because they shared IP addresses (DNS A records, if you want to be precise). The same technique is also commonly used to link various domains to a single malware campaign.
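As an added illustration (not part of the original newsletter or of Citizen Lab's research), the Python below clusters domains that share DNS A records, the pivot described above, over constructed sample data; the max_domains_per_ip threshold is an assumed heuristic for ignoring addresses that host so many domains they are probably shared hosting or a CDN, which would otherwise link unrelated sites.

```python
from collections import defaultdict

# Constructed sample: domain -> set of IPv4 addresses seen in its DNS A records.
# All values are invented for this example (RFC 5737 documentation ranges).
SAMPLE_A_RECORDS = {
    "news-site-one.example": {"192.0.2.10", "192.0.2.11"},
    "daily-bulletin.example": {"192.0.2.10"},
    "regional-times.example": {"192.0.2.11", "198.51.100.5"},
    "unrelated-blog.example": {"203.0.113.7"},
    "another-outlet.example": {"198.51.100.5"},
    "cdn-hosted.example": {"203.0.113.7"},
}


def cluster_by_shared_ips(a_records, max_domains_per_ip=50):
    """Group domains that share at least one A record, transitively.

    Uses union-find: if A shares an IP with B and B with C, all three land in
    one cluster. IPs serving more than max_domains_per_ip domains are skipped
    (assumed shared hosting / CDN), since they say little about who runs a site.
    """
    parent = {domain: domain for domain in a_records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    ip_to_domains = defaultdict(list)
    for domain, ips in a_records.items():
        for ip in ips:
            ip_to_domains[ip].append(domain)

    for domains in ip_to_domains.values():
        if len(domains) > max_domains_per_ip:
            continue  # too noisy to be a meaningful link
        root = find(domains[0])
        for other in domains[1:]:
            other_root = find(other)
            if other_root != root:
                parent[other_root] = root

    clusters = defaultdict(set)
    for domain in a_records:
        clusters[find(domain)].add(domain)
    # Largest clusters first; those are the ones worth a closer look.
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)
```

A shared IP is a lead rather than proof of common ownership; the sample deliberately includes two unrelated sites on one address to show why the threshold and manual review still matter.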

Indian company Appin (remember that name: Appin) doesn’t want you to know they engage in hacker-for-hire activities and have targeted civil society. For that reason, they (Appin, that is) used a court order to force Reuters to take a December 2023 article uncovering their activities offline. I thus don’t think you should read the articles the EFF and Wired wrote about them. About Appin.

Have you ever wondered why you are always told to choose long and complex passwords, yet it is apparently okay to protect your phone with a six digit PIN? In his irregular newsletter cryptographic engineer Filippo Valsorda explains the reason for this. The very short answer: hardware security modules.

Speaking of authentication, you will probably have heard of Passkeys, the new way to securely authenticate that does away with passwords. Wired’s Matt Burgess tried it out and wrote about his experience, which he summarizes as “great — and a total mess”. For now, if passkeys work for you, go ahead and use them, but it’s probably too early to make it a requirement for people in your organization. Oh, and if you’re just curious about passkeys, passkeys.io lets you play with them, so you can see if they work for you.

Dangerzone is a tool initially developed by Micah Lee that converts dangerous email attachments (such as PDFs and Word files) into safe PDFs. It’s ideal for those who both need to receive such attachments from unknown sources and who are also at risk of targeted attacks, with newsrooms being an obvious example. The Freedom of the Press Foundation, which currently hosts Dangerzone, reports that it has been audited, which I think is crucial for any tool used by at-risk communities. For me it was a good reason to try the tool again and I was pleasantly surprised that it took me a few minutes to install it on my Mac, after which it worked seamlessly. 

That Internet censorship in Iran is widespread is hardly news. A report by the Tehran E-Commerce Association, translated into English by Project Ainita, is a surprising and therefore interesting source on the effect this censorship has on the country.

404 Media writes about a connected vibrator that allegedly served malware. The article is interesting for two reasons: first because 404 consistently writes about anything related to sex in a grown-up way. And secondly, because there may not have been any malware at all. Users, through no fault of their own, are unreliable narrators when it comes to stories of malware or hacked accounts and while it’s always good to take such stories seriously, it is equally important to be skeptical about the actual details. (404 requires you to sign up to read the article in full. I’d say it’s really worth it and I even think it’s worth becoming a paid subscriber, though you don’t need to be to read this article.)

Also at 404, the story that the Mastodon instance queer.af was taken offline by the Taliban-run government of Afghanistan, which runs the .af top-level domain. That is sad, though given the Taliban’s views on queerness not exactly surprising. It is a reminder though that country top-level domains (the two letter ones like .de, .fr or .mx) are ultimately run by the respective countries.

In non-security news

A book I read: I read David Van Reybrouck’s Revolusi: Indonesia and the Birth of the Modern World a few years ago in the original Dutch, my native language and that of the Belgian author. I was excited to learn it has finally been translated into English. Revolusi (Indonesian for ‘revolution’) tells the story of Indonesia’s struggle for independence and the consequences for the rest of the world. It thus also tells the story of Dutch colonialism, a story I was frustratingly unfamiliar with, despite being a Dutch person with an interest in global history. I’m not spoiling anything to say that Dutch colonialism was really bad, but Van Reybrouck doesn’t need to point that out: he lets the story, through the people, tell itself, just like he had done in his 2010 book Congo. I think that makes the story even stronger.

A song I like: I can’t think of a more perfect 74 seconds than the song Eric Idol (Bandcamp – Spotify – YouTube) from 1990s Canadian indie pop band Gaze. I mean: who doesn’t like simple indie punk with two girls alternately singing two lines? Well, most people don’t, apparently, as the song has a meager 5,900 plays on Spotify. And I wouldn’t be surprised if half of these are mine.