@Seirdy This is close to what Tauri does; it uses the system webview so applications don't need to ship Blink and update it every time there's a big security fix.
@jamesgecko @Seirdy From what I've read though, it seems that, perversely, bundling one's own copy of Blink is less trouble in Windows enterprise deployments than using Microsoft's "evergreen" WebView2 installer, which adds its own auto-updater to the mix. Having trouble digging up the HN comments I'm thinking of, though.
It's 2023 -- Please don't use an overlay if you care about web accessibility, disability inclusion, and a digital world that works for everyone. And please don't call me a "role model" and write about me on your website if you are using an overlay --like a company called Accessibility Checker did. Instead - read the Overlay Fact Sheet and spread the word. overlayfactsheet.com/ Happy New Year - let's get accessibility right in 2023!! #a11y #disability #TechEthics
Unlike past campaigns, today’s concern for the Great Barrier Reef is stuck in neutral | Rohan Lloyd - There seems to be little accord about what saving the reef means and how that is to be achievedAs part of the coverage of Labor’s first budget, the ABC provided analysis of the nation’s winners and losers. In it, the Great Barrier Reef was... #theguardian
stormdragon2976 pushed changes to the testing branch of the audiogame-manager project: git.stormux.org/storm/audiogam… Fixed a bug in sandbox that could affect some installers.
While attribution and crediting are not paying the rent, so many games that are linking (aka shipping) with Dear ImGui don't have it mentioned anywhere.
The MIT License technically requires it... obviously not going to chase developers for that but it's a bit discouraging... If you use and link with Dear ImGui it's a nice thing to honor that license.
Will the #GTK developers ever stop breaking their API with every new release? Some major apps just finished porting their code to GTK3 and now the list of breaking changes for GTK4 is absolutely insane. Looks like everyone that has to support a GTK application will be forever porting to a new version instead of working on the actual app.
This is a very, very bad take. GTK3 has been out since 2011, and GTK4 was released 9 years later, in 2020. Same as Qt, by the way, just to name another major toolkit.
The migration guide covers a lot of edge cases, for people that ported their application from GTK2 to GTK3, and left a bunch of legacy code; it's *exceedingly* hard for any application to actually check every single item in the list. A lot of API was introduced in GTK3 to begin with, to ease porting.
How you know you had a good year: Both #Filmora and #Adobe decide to use #Kdenlive as a keyword in their online ads to try and sell their own video-editing software to unsuspecting users.
It's slow, expensive, the engineering is mostly port-a-potty chemistry, and the best-case outcome is that thirty years from now we’ll get to watch someone remotely operate a soil scoop from Mars instead of Pasadena
People following my account for a while probably noticed me talking about South Korea every now and then. I’ve hinted towards doing some important research, and now the time has finally come for the first disclosures.
But first I need to do a bunch of explaining because most people (my past self from a few months ago included) are largely unfamiliar with the Korean software landscape. See: they have those “security” applications that everyone has to install if they want to use online banking for example.
What could possibly go wrong with applications developed by private vendors without any kind of security vetting and that everyone in a country has to install, whether they like it or not? A lot of course.
In this first blog post I explain how in my limited understanding the current situation came about, show why the companies lack incentive to really invest in security and give you a first slight idea of the disastrous consequences.
No, I’m not exaggerating. The next blog post is scheduled for January 9th, and it will be about a specific application. I submitted seven vulnerability reports for this one. It took a real issue and claimed to have solved it – by making matters considerably worse than they were.
Websites in South Korea often require installation of “security applications.” Not only do these mandatory applications not help security, way too often they introduce issues.
Reading people discuss my article, they are way more knowledgeable about the back story than I am. One commenter on a Korean website posted some news links explaining it:
So apparently there was an important story back in May 2005, the Korea Exchange Bank hacking incident. A person’s online banking was compromised by what I understand to be a remote access trojan. The installation of that trojan happened automatically when visiting a malicious website (no mention of a specific vulnerability here, presumably it was Internet Explorer?).
There was a public outrage because the victim didn’t do anything wrong – they didn’t give away their password, didn’t lose their security card. Rather than blaming Microsoft, they decided to blame the banks and their security precautions.
In particular, the second article states that installing security applications shouldn’t be optional. And the bank says that they deliver some “anti-hacking” application and make its use mandatory.
This indeed seems to be how this whole mess happened. What a sad story…
Time for the first disclosure. I present you TouchEn nxKey, an anti-keylogger solution with a very nice concept – in theory.
In practice, this concept requires TouchEn nxKey to implement keylogging functionality itself. And it exposes this functionality to arbitrary websites and unprivileged applications on the users’ computers.
This application also misimplements its communication with websites, facilitating XSS attacks on banking websites using it. Plus various memory safety issues, including one that appears exploitable for RCE. And a honorary mention for OpenSSL 1.0.2c anno 2015.
I usually try to avoid publishing zero-day vulnerabilities, but this vendor didn’t use the time. Not even the most trivial issues have been resolved. Instead, they managed to post exploit links publicly, resulting in them being indexed by Google two months ago already.
In general, I’m not convinced that TouchEn nxKey can be salvaged. Even if implemented properly, it is only useful against generic keyloggers. Any malware targeted specifically at South Korea will easily circumvent its protection.
This is by far the longest article I’ve ever published, sorry about that. There is just so much here…
TouchEn nxKey is supposed to combat keyloggers. Instead, this application made writing a keylogger extremely simple, allowed attacking banking websites and more.
Note that despite this article being already very long I’ve still left out a lot. Like a Citibank Korea page citibank.co.kr/CrdOsvcSecu9002… linking to TouchEn nxKey 1.0.0.5 download (a version from 2015, current one being 1.0.0.78). At least the page Citibank usually directs customers to distributes version 1.0.0.75 which is “merely” two years old.
Or the custom-built installer that is a UPX-packed binary dropping most files into the \Windows\System32 directory. Reminds me of the good ol’ Windows 9x days when all installers were doing that.
And the application doesn’t quite trust its files to stay there. So once per session it will run its CKSetup32.exe (still in \Windows\System32), making it replace the existing files by “fresh” copies from the installer. So first time you visit a banking website you get an elevation prompt.
You know, I saw South Korean banks offering Linux/Mac application packages for download, and I never bothered checking them out. I just assumed that Linux and Mac were somehow supported. But the Korean commenters said that they aren’t.
I now unpacked one such Linux package and noticed that it was built in 2014 (!). It’s an NPAPI plugin. Of course it doesn’t work. 🤦♂️
Interesting to watch how the vendors of South Korean “security” software react to disclosures. With me they won’t communicate at all. Now when Korean press comes asking, then they respond. But they respond with claims that don’t seem very defendable.
RaonSecure for example tells the press that they’ve already fixed all the issues, and the delays are now due to their customers (meaning: banks) having to distribute new builds. Yet RaonSecure has their own download server for their application, and that download server still offers the version from October last year. Also, their browser extension hasn’t been updated in Chrome Web Store. If they developed a fix, they keep it a closely guarded secret.
And the company due for disclosure on January 23rd? They told a reporter that they only received one of my reports in January. So they cannot possibly meet the deadline.
But that’s not what my server logs show. I see them accessing my proof of concept pages (all of them) starting November last year. They’ve been studying them for one week and then – nothing.
But after I announced my disclosures and it blew up in Korea I suddenly see new requests to these files. I’m not saying that this is what happened here, but this looks almost like they weren’t actually planning on fixing this stuff and only got scared when they realized that the disclosure won’t go by unnoticed.
Reading Korean news. Out of all the issues I pointed out, RaonSecure only felt the need to defend their use of the C programming language. “Keyboard security is a special situation that requires privileges such as compatibility or system level access, so there is a reason to use the C language” (automated translation).
Not sure whether this choice of topic was theirs or the journalist’s who asked them. I suspect that it’s the former and they felt this to be the most defendable point? Yes, nothing wrong with having multiple megabytes of binary code written in C just because you need system level access in a tiny part of it. Totally not because you never reviewed your coding practices in the past two decades. /sarcasm
For reference: I did not actually criticize them for their choice of programming language. I criticized them for taking a C JSON parser with various memory safety issues and failing to update it since 2014.
To be honest: I spent so much time on these applications exactly because they are so primitive. My binary reverse engineering skills aren’t good enough for modern code, I learned it in the 90ies. So this is my chance to get better at it without being completely overwhelmed.
It seems that this article was also what spooked AhnLab who emailed me asking about my vulnerability reports to them. No, it’s perfectly fine that AhnLab didn’t receive them because I never sent any. It’s the journalists who, after multiple rounds of copying speculations from one article to another, are now trading their list of my future disclosures almost as a fact.
[이뉴스투데이 김영욱 기자] 세계 점유율 1위 광고차단 프로그램 ‘애드블록 플러스(Adblock Plus)’ 개발자 블라디미르 팔란트(Wladimir Palant)가 국산 보안 프로그램 취약점을 공개하며 국산 보안 솔루션 문제점이 화제다. C언어를 사용하는 등 과거에 머물러 해커들로부터 공격받기 쉽다는 것. 그러나 국내 보안업계는 한국 보안 시장에 대한 이해 부족에서 비롯한 잘못된 지적이라는 반응이다.
The article on TouchEn nxKey is now also translated to Korean, thanks to @alanthedev: github.com/alanleedev/KoreaSec…. I hope this will help Korean news discuss the concerns raised there rather than some straw man arguments.
And unfortunately I realized that I should have checked the Korean holidays when making this schedule. I did make sure to start this disclosure series after the US/European holidays, but I didn’t realize that South Korea is celebrating Lunar New Year early next week.
So next disclosure has been moved to January 25th. Sucks to do that when the disclosure date has already been widely publicized, but the alternative is worse IMHO.
Next disclosure is about IPinside LWS Agent, an application required by pretty much every banking website in South Korea. The conclusion here: this application collects way more information about the user’s system than merely IP addresses. And it fails to protect this information, any website can get it.
· A 320 bit RSA key. Yes, really. Took me two hours to factorize on a laptop CPU. · OpenSSL 1.0.1j anno 2014. There is a recurring pattern here. · Enumeration of processes running on your system. · Various stack buffer overflows – I wasn’t actively looking for them, I merely couldn’t fail noticing.
Banking websites in South Korea can only be used with IPinside installed. This application collects lots of data about the user, and it makes that data accessible to each and every website. The protection is inadequate.
Continuing this series with a more basic flaw, which appears to be common practice for South Korean “security” applications: palant.info/2023/02/06/weakeni…
All these applications install their own Certification Authority (CA), only to be able to use HTTPS on 127.0.0.1. As a result, they put the integrity of HTTPS in danger for users in South Korea. Ironically, HTTPS contributes way more to banking security than their half-hearted at improving security do.
I found exactly one application using the right approach for this: generating a CA on installation, used only to sign 127.0.0.1 certificate for the one particular computer. All the other applications install the same CA on each computer. So the respective vendors must have the corresponding private key stored somewhere. Whether/how they protect it is unclear.
TLS protocol is fundamental to internet security. All South Korean security applications add their own “trusted” Certificate Authorities however, weakening this protocol severely.
KrCERT is working hard on becoming my least favorite security contact (lots of competition but…). Today they sent out an email notifying me and 739 other security researchers about a bug bounty program. No, I’m not complaining about spam that I didn’t sign up for. But dealing with a government agency that’s supposed to handle vulnerability reports, shouldn’t one at least assume that they won’t list all recipients in the To field of the email?
Looking forward to the first one doing Reply All. 🤪
Edit: KrCERT sent around an email (in Korean) apologizing for the issue. Apparently, they sent two emails, so 1490 email addresses were affected in total. They promise to improve their processes and avoid such issues in future. Supposedly, they recognized the issue themselves (I notified them but didn’t receive a direct response).
One of the suggested personal measures is sending a personal information infringement report to 🥁🥁🥁 KISA which KrCERT belongs to.
These applications rely on tons of open source libraries. Yet whenever I recognize one and check the version used, the result is invariably something released between 2010 and 2014. No, it isn’t only OpenSSL. It’s JSON parsers, image processors, all kinds of libraries processing data received from arbitrary web pages. What could possibly go wrong?
Published one more high-level overview before I move on to the next (very long) disclosure in two weeks: palant.info/2023/02/20/south-k…
Most important conclusion: the South Korean “security” applications are typically attempting to “secure” a compromised environment. That’s a lost cause. You either prevent a compromise, or you rely on 2FA with an uncompromised device (ideally both).
The one where I’m a little unsure are certificate-based logins. I *think* that they offer no advantage in the banking scenario compared to passwords (at least when not backed by specialized hardware), there are plenty of disadvantages however. But maybe I missed something.
And once again pointing out how delegating software distribution to banks was a huge mistake. Fun fact: I recently realized that one vulnerability I reported (scheduled for disclosure on March 6th) is already fixed. In fact, the fix was published back in 2021. The reason I didn’t realize that: no bank I looked at offered a version of the software with this fix! I incidentally found the software vendor’s unadvertised download server which likely isn’t even meant for external use. That’s how I realized that I investigated a software version several releases behind the latest state.
South Korea’s online banking relies on a number of “security” applications. Here I am looking into whether these applications can potentially make things more secure.
Interesting news: TouchEn nxKey 1.0.0.82 has been sighted in the wild. While the vendor’s download server is still distributing version 1.0.0.78, Citibank Korea apparently started offering the new one two weeks ago. I wonder what they actually managed to fix…
Next article in this series deals with Wizvera Veraport, the South Korean application management application which already made the news due to being abused by North Korean hackers: palant.info/2023/03/06/verapor…
The good news: unlike with the previous disclosures, here the company didn’t waste time and actually managed to fix most issues I reported. The bad news: from the look of it, it will take years for the updated version to reach the users. And some issues are of fundamental nature and cannot really be addressed.
A number of flaws allowed Veraport to be misused for drive-by downloads:
· HTTPS not enforced, and even when used server identity wasn’t validated. · Only means of checking application integrity is code signature, and self-signed applications are being accepted here. · Even for invalid/missing signatures, the user is asked whether they want to install regardless. · Websites can tell the application to start the installation automatically, without additional user interaction. · Websites setting a 1x1 pixel background image essentially renders the application window invisible.
Additional issues:
· As applications are installed from banking websites, all banking websites have their keys to sign installation policies. · No mechanism to revoke a leaked signing key or a problematic/malicious installation policy. · One of the root certificates for policy signing uses a 1024 bit key and MD5. · Full list of local processes exposed to arbitrary websites, for security applications also the application’s version number. · Vulnerabilities in the local web server allow Service Worker installation (essentially amounting to persistent XSS). · The classic of outdated open-source libraries: OpenSSL 1.0.2j anno 2016. And there is also mongoose 5.5 anno 2014. But that’s nothing compared to CppJson 0.5.0 anno 2010.
But the fundamental issue here is really arbitrary websites distributing applications, which is a very bad idea. Just one example: I checked whether they are distributing the current Veraport version, one month after a security update. In my sample of ten websites, only three did. Another three still distributed the previous release, and the other four were lagging behind by years – in one extreme case by ten years.
This will be the last article in this series for a while, so now I can finally focus more on doing some research and less on writing.
While Wizvera Veraport is supposed to manage security applications easily, it suffers from a number of design flaws. In the worst case, these can lead to arbitrary websites installing malicious applications without the user noticing.
I think that I’ll conclude the disclosure series at this point. I could finish already started research on another application, I could also look at more “security” applications used in South Korea. However, I see little point in helping improve the security of these applications – they rather need to be abolished altogether. And whatever impact my disclosures could make towards that goal, whatever awareness of the issues I could raise – this is done. So now it’s up to the South Korean society to take action.
And now on South Korean news: North Korean hackers abused some vulnerability in INISAFE CrossWeb EX application required for online banking and installed on more than 10 million computers. Apparently, they managed to infect a few hundred computers with malware. This isn’t an application I covered, but it shares some code with TouchEn nxKey which was my starting point.
Supposedly, the attack happened end of last year, before I even started publishing my articles. And: surprise, there is trouble distributing the patch. Despite the patch being available for more than a month already, only 40% of the companies installed it.
Which probably means: these companies put the patched version on their websites, but users still have to go and install it manually. These applications, despite being widely distributed, never bothered with auto-update. And that’s probably why this is in the news now, months after the attack was discovered by Korean authorities – telling people to update.
[디지털데일리 이종현기자] 북한 해커가 국내 금융보안 소프트웨어(SW)를 타깃으로 한 해킹공격을 수행한 것으로 파악됐다. 공공기관 및 방산·바이오업체 등 국내·외 주요기관 60여곳의 PC 210여대가 피해를 입었다.국내·외 1000만대 이상의 PC에 설치된 SW인 만큼 추가 피해도 우려된다. 이미 취약점을 보완하는 업데이..
One would think, the way out would be obvious: if South Korea doesn’t want to abandon their “security” applications, they have to make auto-update mandatory. So the applications would check with the vendor regularly, and if an update is available it would be installed.
Yes, that’s how the rest of the world does it. But that would have been too simple.
So: let’s keep banking websites as software distributors because they do such a GREAT job at it. Of course, they cannot be expected to publish the updates on their websites timely. But some of them certainly will! So if the user installed the software from website A and then visits website B which has a newer software version, let it update automatically. Problem solved! 🤦♂️
Wait, who are they quoting? CEO of Interezen, the makers of that IPinside spyware? Sure, why would he want to invest into a secure infrastructure when he can have all the data at virtually no cost for themselves?
[이뉴스투데이 김영욱 기자] 국내 금융보안프로그램이 보호하지 못할망정 북한 해커 집단의 공격 수단으로 사용됐다. 이러자 해외에서는 이 상황이 예견된 것으로 보안하는 척 연기해왔던 문제가 수면 위로 떠오른 것이며, 국내 보안프로그램의 ‘자동 업데이트 불가능’이 문제라고 지적하고 있다.
The changes include: - testing full features against all homeservers (#Synapse, #Conduit & #Dendrite) - normalize the app's behavior independent of platform (currently Android FLOSS, Android proprietary and Linux supported) - set of built-in helpers in order to simplify user login, logout or bootstrap processes in all future test cases
Platform-specific workarounds just took around 30 h of work.
It is kinda fun to ask #ChatGPT to draw things as an #SVG. The SVG structure is pretty good, but the actual images are pretty useless. Least right now. I imagine this will change substantially in 2023.
Interesting to be able to assemble simple icon libraries with this technology in 2023.
Tutanota is the secure email service, built in Germany. Use encrypted emails on all devices with our open source email client, mobile apps & desktop clients.
La desinformación mediática y la propaganda política alertan sobre un problema inexistente. Hay 180 veces más posibilidades de ser desahuciado que de encontrarte con alguien dentro de tu casa
Para quien necesite algo de picante, esta colección de jotas en plan pervertido. Aviso de contenido, que cuando digo pervertido es por algo. youtube.com/watch?v=MvhCEI58Eu…
Compared to the overall population, virtually no one built Wikipedia, virtually no one voted for that senator and virtually no one starts a business. Virtually no one cares enough to help a strange…
#Microsoft 365 - #Datenschutz in Absurdistan - sehr treffender Kommentar von Holger Bleich in der aktuellen c't: "Es ist absurd: Auf die Pfoten bekommen eher all die Kunden, die Microsoft 365 einsetzen. Unternehmen etwa können ihren Beschäftigten keine schlüssigen Informationen zum Verbleib der Daten geben, weil Microsoft als Auftragsverarbeiter diese nicht vorhält. Deshalb verstoßen sie selbst, nicht Microsoft, gegen die #DSGVO. heise.de/meinung/Microsoft-365… #Datenschutz
Microsoft ignoriert geltendes Recht und bringt damit andere in die Bredoullie. Das US-Unternehmen selbst hat dabei trotz Gesetzverstoß wenig zu befürchten.
Konečně jsem zabodoval. Je zde další #kviz Se Slováky jsme se rozešli před třiceti lety. Otestujte, zda umíte jejich jazyk - Aktuálně.cz zpravy.aktualne.cz/domaci/kviz…
no ... nekteri jo, nekteri par let, ale pouzivali to standardne pro blba i kdyz tu byli prvni rok na vejsce, takze jakoze ano osel, ale asi tak stejne jako kdyz to o nekom reknu ja :D
This gets reposted a lot by my followees, but I don't think I get it. Trains don't depart when I want to, and don't go wherever I want them to. I'd still prefer a self-driving car, even if it only goes on self-driving roads.
@Bubu Fair point, and I get that. Before I got a car I was surprised at people who choose to use them in a city – why would you choose to sit in traffic when you can take a bus to the metro station and so on? I was surprised at their choice, and they were surprised at my surprise.
And then I got my dad's old car (I wasn't really asking for it, but there it was), and my perspective has changed - even in the big city, it is *so much easier* to get to places (that aren't the city center in a rush hour, obviously). Visiting friends from the other side of town becomes more viable, and going outside of the city becomes as easy as going around inside of it.
I'm with you on the space-waste though – it's absurd how much car-first the infrastructure is, and the closer to the center you get the more human-hostile it becomes. I blame the existence of rush hours for this - everything needs to be overbuilt to support the load at peak (and storage at non-peak). I was hoping the pandemic and the rise of remote work will ease this somewhat, but it appears to have become even worse now (possibly with some help from the immigration waves we got recently).
Aktivní sportovec, skvělý kamarád, bezva parťák, ale hlavně milující a pečující táta od rodiny. Nemoc krutě zasáhla do života Libora, našeho spolužáka, a odvedla jej o mnoho desítek let dříve, než by se dalo pochopit.
Na naši instanci pixelfed.cz, lze použit již oficiální aplikace pro Android. Zatím je ve verzi beta, ale vypadá luxusně dl.apps.pixelcdn.net/pixelfed-…
Esto es demasiado brutal. Parece ser que en África hay pueblos enteros que se tenían por analfabetos, porque no saben leer ni escribir en el idioma oficial del país. Pero resulta que hace siglos aprendieron a usar el alfabeto árabe para escribir en sus idiomas locales, y lo llevan haciendo de forma discreta desde entonces. Y es que hay hasta poetas y eruditos "analfabetos" usando este sistema!! Parece que nadie les había preguntado.
Matt Campbell
in reply to Matt Campbell • • •Seirdy
in reply to Matt Campbell • • •JamesGecko
in reply to Seirdy • • •Matt Campbell
in reply to JamesGecko • • •