Tag Archives: Security

Kobold Letters – HTML Transformer Emails

HTML emails can be a serious security risk.

The simple version of the risk is that, using the CSS styling features of HTML email, completely different content can be shown depending on the situation in which the message is viewed. The differing presentations can be used for phishing and other ill-intended games.

More technical explanation:

https://lutrasecurity.com/en/articles/kobold-letters/
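As an added illustration of the defensive side (this is not code from the post or from the linked Lutra Security article), here is a small Python check that flags text in an HTML mail body whose CSS visibility flips between rendering contexts, run against a constructed sample; the `.fwd` wrapper class and the set of element tags it inspects are assumptions.

```python
import re
from html.parser import HTMLParser

HIDE = re.compile(r"display\s*:\s*none", re.I)
SHOW = re.compile(r"display\s*:\s*(block|inline|inline-block|table)", re.I)
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")  # crude 'selector { declarations }'

class _Collector(HTMLParser):
    TAGS = {"div", "span", "p", "td", "a"}  # elements whose selectors, inline style and text we record
    def __init__(self):
        super().__init__()
        self.css, self.elems, self._stack, self._in_style = "", [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self._in_style = True
        elif tag in self.TAGS:  # keys: the '.class' and '#id' tokens this element matches
            keys = ["." + c for c in (a.get("class") or "").split()]
            keys += ["#" + a["id"]] if a.get("id") else []
            self._stack.append((keys, a.get("style") or "", []))
    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        elif tag in self.TAGS and self._stack:
            keys, inline, buf = self._stack.pop()
            self.elems.append((keys, inline, " ".join(buf)))
    def handle_data(self, data):
        if self._in_style:
            self.css += data
        elif self._stack and data.strip():
            self._stack[-1][2].append(data.strip())

def find_context_dependent_text(html):
    """Texts hidden by one rule (or inline style) yet shown by another rule, i.e.
    content whose visibility depends on the context the mail is rendered in."""
    p = _Collector()
    p.feed(html)
    # keep only the last compound selector: the element a rule actually styles
    rules = [(re.split(r"[\s>+~]+", s.strip())[-1], decl)
             for sel, decl in RULE.findall(p.css) for s in sel.split(",")]
    hidden = {t for t, d in rules if HIDE.search(d)}
    shown = {t for t, d in rules if SHOW.search(d)}
    return [text for keys, inline, text in p.elems
            if text and (HIDE.search(inline) or set(keys) & hidden) and set(keys) & shown]

# constructed sample; the wrapper class .fwd stands in for whatever a client adds when forwarding
SAMPLE = """<html><head><style>.msg-a { display: block; } .msg-b { display: none; }
div.fwd .msg-a { display: none; } div.fwd .msg-b { display: block; }</style></head><body>
<div class="msg-a">Hi, quarterly report attached, nothing to do.</div>
<div class="msg-b">Urgent: approve the wire transfer at the link below.</div></body></html>"""
```

Both blocks of the sample are reported, because each is visible in one context and hidden in the other; a mail with only a plain `display: none` and no rule that turns it back on is not flagged.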

What is Kobold?

Kobold https://en.wikipedia.org/wiki/Kobold

Basically Kobold is “mischief with a mind of its own.”

What does this mean for Hams?

That yet another way for external actors to get inside your systems exists, and one that you might not reasonably have much control over.

The late Steve Uhrig WA2SWS of SWS Security told me decades ago to only exchange plain-text emails. WA2SWS consulted for Tom Clancy on security matters and appeared in the movie “Enemy of the State”, alongside layers of less visible security work on contract, military and national-interest bases. Back then he had already realized that emails could be exploited to carry unexpected payloads.

As few of us are really going to revert to plain-text emails, keeping our protective systems and our awareness peaked might be the best response to this ongoing threat.

Other ideas?

73

Steve
K9ZW


Signals Jamming

Is your signal going to be allowed to get out?

Will it be spoofed?

Will you be recorded?

Will an “artificial you” be created from those recorded samples?

Will your GPS-disciplined equipment be accurate (time and/or location)?

All good questions.

Working from the last question up, check out a little on GPS jamming:

https://gpsjam.org/

It has been alleged that certain historic, world-event-class plane crashes may have had a jamming aspect to them. Whether satellite or terrestrial, there is enough question about geolocation services that some fingers point to this as a cause.

Much equipment uses GPS time to regulate itself, so whether we remain in sync may well depend on GPS signal integrity.

The rest of the questions have bases in observed examples in the public realm. Jamming is real. Online spoofed presentations, both audio and deep-fake video, are suddenly common.

Stuff to think about!

Interested in your ideas about countermeasures!

73

Steve
K9ZW


Long Patient Linux Hack Narrowly Averted

Caught just before widespread distribution, few hams will have been exposed to this exploit, which literally took years to install into a Linux library.

The exploit is well explained at (note there continues to be more coming out on this):

Here is the ham radio minded takeaway – we need to always remember that patient people can create scenarios where our updates to gear might act in ways they want rather than what we expect.

Think Robber-Barons to outright Anarchists/Luddites who either hold our gear to ransom or simply want to shut it down for their ideological purposes.

Think eavesdropping to zombie usage by those who either want access to our gear, want to use it for their own purposes or want to imitate/impersonate us.

Think overt blackmail, where through such constructs illicit content is planted on our gear, content that could ruin us if the bad actors were to expose it, so we get blackmailed to keep their actions from smearing us.

Think watchdog squealers installed to alert the powers that be if we operate outside of their dictates.

Think “Giant Shutdown Switch” which can shut our gear off at someone else’s behest.

Now these exploits have gone on for a long, long time.

For example, I had a conversation with a world expert in Uninterruptible Power Systems – the stuff that keeps a hospital, a prison, an embassy, or a defense site running when the mains power goes off.

He mentioned “People will pay a lot of money to make sure that their power never goes off.”

When I retorted “How much money will people pay to make sure they can turn off someone else’s power?” his face took the look of brief panic and he replied “Lovely weather we seem to be having?”

I so hit a nerve with that question.

So what really is in our updates? What exploits might be building up, whether inadvertently or, as in the Linux case, deliberately?

Who is behind this sort of stuff?

Why is it worth the long effort and expense to them?

The mind boggles!

73

Steve
K9ZW


How Secure are Computers? Breaking the Airgap

I’ve had hams tell me that their shack computer is secure because it is not connected to the internet. Others have told me that they have security because the machine they do their home finances on is separate from their hobby/browsing computer.

When I’ve told them that their security is largely imaginary, they look at me like I’m making things up.

It is stunning how the same hams who “get it” about RFI lack a mental concept of how the “air gap” can be bridged.

First, how about RF leakage from HDMI:

https://www.windytan.com/2023/02/using-hdmi-radio-interference-for-high.html

https://hackaday.com/2023/03/07/pulling-data-from-hdmi-rf-leakage/

https://en.wikipedia.org/wiki/Van_Eck_phreaking

This is clever and joins the historic exploitation of leaking-signal analysis. Living in the UK during the TV Licence Van era, I saw the usage of RF leakage to identify TV set users who didn’t have a Reception Licence (settle down USA folks, different country, laws and expectations). I just “may have” seen some other usage of RF leakage along the way <wink>.

Now breaking that Air Gap doesn’t need to be just a one-way listening deal. Here are some links to bidirectional exploits. The second links to a series of articles, and I found the use of computer fan noise as a data-carrying mechanism interesting. Remembering that most modern appliances, smart thermostats, smart speaker systems and other IoT devices have microphones makes this fairly interesting:

https://www.redalyc.org/journal/6617/661773214004/html/

https://thehackernews.com/2020/02/hacking-air-gapped-computers.html

The biggest takeaway is that any form of RFI can also be a data leak, possibly bidirectional.

73

Steve
K9ZW


Bumbled Countersurveillance Effort – Protecting FedEx from John Doe

A very badly Bumbled Counter-surveillance Effort at FedEx’s Memphis Facility was described to me this weekend. In an effort to protect FedEx’s large aircraft facility from any old John Doe taking pictures, a young professional American Citizen was detained and field-interrogated for simply taking photos from the Airport public area.

Every possible intelligence opportunity, if this young man had been an extremely brazen & stupid terrorist operative, was lost when the Airport police mustered no less than [REMOVED FOR OPERATIONAL SECURITY REASONS] units in response.

Let us set aside the obvious problem with bullying a citizen engaged openly in a common & absolutely legal observation of an Airport from the public zone.

On the Counter-surveillance/Counterintelligence angles the inappropriate response revealed:

  • Level of Situational Awareness of Security
  • Response Time
  • Resources Available for Trivial matters.
  • The willingness of Security to Trample Citizens’ Rights (which shows a high level of fear or threat concern on Security’s part).
  • That Security is operating at a Police Level without Counter-surveillance or Counterintelligence Oversight.

The grandstand response not only played out security’s cards for all to see, but lost forever the chance to “work” the situation.

If there was a potential issue with taking pictures from a public area, would it not be better to learn who the photos were for, who the photographers were, what was actually going on, and perhaps dismantle a threat?

One cannot begin to understand why Security would risk giving away so much for nothing more than what could be seen as harassment.

Were they simply “picking the low fruit” in escalating a non-event into something they can write up & take credit for?

Or did they simply make a mistake?

After sending [REMOVED FOR OPERATIONAL SECURITY REASONS] units, lights on, to detain a single person, they threatened the subject with calling in the FBI (on a subject they did NOT even arrest?), hinting that this would be really bad for the subject…

…the institutionalized intimidation didn’t relent even when they learned their subject was a FedEx employee! They had more than enough to verify his bona fides.

So let’s recap – you can be engaged in a legal activity from a public area at Memphis Airport and be detained without being arrested, without being given your rights, and with the threat of having “The Feds” called in to work you over.

All despite being a US Citizen doing something perfectly legal?

Are our “Guardians” so eager to grandstand that, in the process of trampling the constitution, they are willing to give up almost every operational secret & advantage?

One wonders if George Orwell wrote the script for this mistake.

73

Steve

K9ZW
