Each month, we publish a review that covers essential activities of the last 30 days. This month, we talk about side-channel attacks, Python 2 EOL (again), Jitsi Meet, and more.
Always stay in the loop!
Subscribe to our RSS/Atom feeds.
News of the month
In April 2020, we read the following reports:
In mid-April, security researchers reported a new technique to extract data from air-gapped systems, called “AiR-ViBeR.” The side-channel attack relies on vibrations of PC fans, like GPU fans and CPU fans.
The related ZDNet article lists a wide range of side-channel attacks on air-gapped systems:
- LED-it-Go – exfiltrate data from air-gapped systems via an HDD’s activity LED
- USBee – force a USB connector’s data bus give out electromagnetic emissions that can be used to exfiltrate data
- AirHopper – use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
- Fansmitter – steal data from air-gapped PCs using sounds emanated by a computer’s GPU fan
- DiskFiltration – use controlled read/write HDD operations to steal data via sound waves
- BitWhisper – exfiltrate data from non-networked computers using heat emanations
- Unnamed attack – uses flatbed scanners to relay commands to malware infested PCs or to exfiltrate data from compromised systems
- xLED – use router or switch LEDs to exfiltrate data
- aIR-Jumper – use a security camera’s infrared capabilities to steal data from air-gapped networks
- HVACKer – use HVAC systems to control malware on air-gapped systems
- MAGNETO & ODINI – steal data from Faraday cage-protected systems
- MOSQUITO – steal data from PCs using attached speakers and headphones
- PowerHammer – steal data from air-gapped systems using power lines
- CTRL-ALT-LED – steal data from air-gapped systems using keyboard LEDs
- BRIGHTNESS – steal data from air-gapped systems using screen brightness variations
At first glance, such lists look like “everything is insecure.” However, it is crucial to understand the requirements of such attacks. Some attacks require physical access to the device; other security vulnerabilities are hard to exploit or only exist in theory. The same is true for the famous Spectre and Meltdown vulnerabilities in CPUs.
So if you look at security vulnerabilities, always try to understand how they are exploited and evaluate if these ways work in your environment.
Python 2 EOL
In our monthly review of last December, we pointed out the upcoming end of life (EOL) of Python 2. Python 2 reached its EOL on January 1, 2020. In April, the Python developers released the final version of Python 2 (2.7.18). Therefore, we repeat our advice:
As a user, check whether any of your applications still require Python 2. If you don’t need Python 2 anymore, remove it from your devices. If some applications still require Python 2, check whether there are any announcements regarding migrating to Python 3. In case of doubt, look for alternatives.
As a developer, immediately consider migrating to Python 3 as the EOL date is known for years, and Python 2 won’t get any planned security updates in the future.
Jitsi Meet – the “secure and privacy-friendly” alternative?
Many online publications presented “the best” video conferencing tools during the last weeks. Some of them recommended Jitsi Meet as a “secure and privacy-friendly” alternative to Zoom, Microsoft Teams, and other famous tools.
Our brief analysis showed several issues with Jitsi Meet. For instance, Jitsi Meet isn’t end-to-end encrypted by default but claims to be “fully encrypted.” We asked readers in the Fediverse for their understanding of “fully encrypted.” 74% said that they understand “fully encrypted” as “end-to-end encrypted.” Based on this poll, we suggested to change the wording, but a Jitsi developer stated that “No unencrypted data is ever transported. So it’s fully encrypted in transit, and since nothing is stored at rest, that’s all there is to it. We are not saying it’s E2EE, because it’s not, yet.” We (and many readers) are still convinced that the wording “fully encrypted” is misleading.
Finally, a security vulnerability in the Docker variant of Jitsi Meet showed that it is impossible to contact several operators of Jitsi instances due to missing contact details. Besides, basic good practices of information security were violated (the Jitsi developers chose “passw0rd” as a default password).
In summary, Jitsi Meet is not more or less secure or privacy-friendly than any other video conferencing tool. It has pros and cons, and you must consider your personal use cases and threat models.
Web browsers: The postponed deaths of insecure protocols
Similar to Mozilla’s decision to revive TLS 1.0 and TLS 1.1 due to the current pandemic, Google and other web browser developers postponed the removal of insecure TLS protocol versions.
This month, Google decided to postpone the removal of FTP from Chrome. Originally, Google planned to disable FTP in Chrome 81 and remove it in Chrome 82. Mozilla plans to remove FTP support, too. They announced to disable FTP in Firefox 77 by default, and plan to remove it in 2021.
We will likely see more delays of stricter security measures in web browsers since the major web browser developers fear that these measures could prevent people from accessing important pandemic-related websites and online resources.
Data breaches and leaks
Moreover, there were some data breaches and leaks. Have I Been Pwned added information about the following breaches and leaks:
- OGUsers (breached in April 2020)
- HTC Mania (breached in January 2020)
- Aptoide (breached in April 2020)
- Vianet (breached in April 2020)
Readers' questions of the month
Each month, readers send us questions via e-mail, Mastodon (Fediverse), Signal, or via the forum of privacytools.io. In general, we directly reply to questions. However, we would like to list some questions and answers that are interesting for more than only one person:
“Can you provide a template for privacy policies?”
No, for simple reasons:
- We aren’t lawyers who know all aspects and snares of current privacy laws and regulations.
- There is no “single privacy law” for everybody (even the GDPR isn’t the same for every EU country).
- We don’t know your setup, so our template will be likely incomplete for your use case.
- We saw other blogs that provided a template or stated “just use our policy as a template,” but their policy was incomplete.
“What do you think about BigBlueButton/Jami/Briar/…?”
Contrary to other blogs, we do not recommend any products or services that we don’t use ourselves. So we can’t provide any meaningful statements for these solutions. We are convinced that recommendations based on hearsay or binary thinking won’t help our readers. Keep in mind that every solution has its pros and cons, and talk about benefits and drawbacks.
We list our recommendations on our recommendations page.
“Can you host a Mastodon/Jitsi instance?”
Just send us your questions. Maybe, we answer your question in the next monthly review.
Our activities of the month
In April, we updated the content, style, grammar, and wording of several articles. This process is still ongoing.
Moreover, we documented the upcoming changes of our Web server security series on codeberg.org. Feel free to comment on our plan.
Other activities included the analysis of Jitsi Meet instances. Besides, we contacted several server administrators and notified them about a security vulnerability in their instance.
Follow us on Mastodon:
In May, we plan to publish new articles and update existing ones. Furthermore, we publish security news in the Fediverse (feel free to subscribe to our RSS/Atom feed, or directly follow us in the Fediverse).
- AiR-ViBeR: Exfiltrating Data from Air-Gapped Computers via Covert Surface ViBrAtIoNsexternal link (PDF file)
- ZDNet: Academics steal data from air-gapped systems using PC fan vibrationsexternal link