From Security Weekly Wiki

Security Weekly News Episode #51 - July 21, 2020

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. GoldenSpy, Crypto Trojans, & BadPower Attacks - 02:00 PM-02:30 PM


This week, Twitter updates, Chinese GoldenSpy, Cloudflare outages, Rapid 7 reports, Crypto Trojans, BadPower attacks, and Jason Wood returns for Expert Commentary on 7 VPNs that leaked their logs – the logs that “didn’t exist”!


Doug White's Content:


  1. Chinese Tax Software may contain backdoor trojans.
  2. Cloudflare outage cuts off Discord, cryptocurrency exchanges.
    1. Cloudflare DNS outage caused a sharp decline in Bitcoin Transactions.
  3. South Korea is the latest COVID app to have security flaws.
  4. Google Promises privacy with virus app but still requires location data be turned on.
  5. Rapid 7 Cloud Exposure Report.
  6. 4 counterfeit apps pose as cryptocurrency trading apps, contain GMERA.
  7. Twitter released a statement on the compromise from last week.
    1. Krebs information about the twitter attack.
    2. Lucky225 explanation of the twitter hack.
  8. Microsoft server flaw called "wormable" is patched.
    1. CVE-2020-1350
  9. BadPower firmware attack may cause physical flames on fast charger.
    1. Tencent lab report, which includes video.

Jason Wood's Content:


7 VPNs that leaked their logs – the logs that “didn’t exist”

VPNs have become pretty popular with people who are concerned about their ISP spying on them. When I saw a friend who is a college music professor asking about VPN providers after net neutrality was ended, I knew their reach (and hype) had expanded far beyond the tech savvy population. In a post on the Naked Security blog, Sophos discusses 7 VPN providers which logged data that was supposed to have not been. To make matters worse, the data was exposed to the public via an ElasticSearch database exposed to the internet.

All told 20 million users are supposed to have been impacted in some way. The logged data included “Activity logs, PII (names, emails, home address), cleartext passwords, Bitcoin payment information, support messages, personal device information, tech specs, account info, direct Paypal API links.” So, yeah… that was bad news.

There are very legitimate reasons to use a VPN when accessing the internet. If you are in a country where government surveillance is a clear and present danger to you, you need some way to tunnel that data out of the area encrypted. If you are hooking up to the local coffee shop’s free public wifi, it’s also a good thing to use. Unfortunately, there’s a lot of hype and misinformation about what a VPN provides users. Some folks see them as a way to stay anonymous online and their VPN provider is only too happy to claim that they can do this.

Here’s the thing. They can’t. They can make it so that your ISP can’t see what you are doing. All the ISP can see is that you connected to a VPN and then it is just encrypted traffic. However, all you’ve done is move the risk of surveillance to the VPN provider and their ISP. Your traffic still has to exit the tunnel somewhere and become normal internet traffic.

VPN providers claim that they keep no log files and do not track anything anyone is doing. That’s a nice claim, but we are trusting that is true. Things still get misconfigured and data that is unintended gets logged. Most sysadmins can tell stories of opening up a log file and seeing credentials or credit cards being dumped into it. I know I can. Why? Because the developer was debugging their code and didn’t think about the impact of log storage. Or they meant for the logs to never make it to production, but they did. It happens far too often.

So what’s the moral of the story here? We need to spread the information around about what VPNs can and can’t do. VPN providers are promising things they can’t provide; anonymity being a prime example. They can also screw up and log a lot of data. They can be malicious and access a lot of data. We are putting our trust in them to do the right things and configure their systems correctly. That’s a lot of trust. Encourage the people you know to do their homework. Point them to this episode if you think that would help.

If you’d like to see who the VPN providers were who botched up their logging, then check out the show notes to the Naked Security blog. The post also includes information about what VPNs can and can’t do, which may be useful to folks.
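The commentary above describes the classic failure mode behind this story: debug logging that writes credentials, e-mail addresses and card numbers into files that later end up in production or exposed. The following is an added example (not from the show notes or from any of the VPN providers discussed) of a redacting log filter plus an audit function for existing log files; the field names, patterns and sample log lines are constructed for illustration.

```python
import logging
import re

# Patterns for data that should never reach a log store. Constructed for this
# example; tune the field names to your own application.
PASSWORD_RE = re.compile(r'(?i)\b(password|passwd|pwd)(\s*[=:]\s*)\S+')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')
# 13-19 digits, optionally separated by spaces or dashes, starting/ending on a digit.
CARD_RE = re.compile(r'\b\d(?:[ -]?\d){12,18}\b')

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out long digit runs (order ids, timestamps) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact(line: str) -> str:
    """Return the line with credentials, card numbers and e-mail addresses masked."""
    line = PASSWORD_RE.sub(r'\1\2[REDACTED]', line)
    line = CARD_RE.sub(
        lambda m: '[CARD]' if luhn_ok(re.sub(r'[ -]', '', m.group(0))) else m.group(0),
        line)
    line = EMAIL_RE.sub('[EMAIL]', line)
    return line

def scan(lines):
    """Audit existing log lines: return (line_no, redacted_line) for every line that leaked."""
    findings = []
    for no, raw in enumerate(lines, 1):
        cleaned = redact(raw)
        if cleaned != raw:
            findings.append((no, cleaned))
    return findings

class RedactingFilter(logging.Filter):
    """Attach to a handler so stray debug statements cannot write secrets to disk."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

# Constructed sample log lines: two leak data, the third only carries a non-card digit run.
SAMPLE_LOG = [
    "2020-07-21 10:01:02 INFO login ok user=alice@example.com password=hunter2",
    "2020-07-21 10:01:05 DEBUG billing card=4111 1111 1111 1111 status=ok",
    "2020-07-21 10:01:07 INFO order id=1234567890123 shipped",
]
```

Running `scan(SAMPLE_LOG)` flags lines 1 and 2 and leaves the order line untouched; `logging.getLogger().addFilter(RedactingFilter())` applies the same masking to new records.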