SERIES: Security Now!
DATE: September 17, 2019
HOSTS: Steve Gibson & Leo Laporte
DESCRIPTION: This week we continue following the DoH story, which we begin discussing two weeks from now as a result of a rip in the space-time continuum. We also look at recent changes to Chrome 77 and the forthcoming Chrome 78, the already compromised iOS 13.0, and Mozilla Firefox's new browser VPN offering. We take a look back at last Tuesday's Patch Tuesday, take note of Chrome's Remote Desktop feature, cover another serious Exim mail server problem, handle a bit of miscellany, and examine a serious vulnerability affecting essentially ALL smartphone users known as “Simjacker.”
SHOW TEASE: It's time for Security Now!. Steve Gibson is here. We have a catch-up on DNS over HTTP. We talk about some great new features coming to Chrome and Firefox. Steve sings the praises of the Chrome Remote Desktop. And then hold onto your hats because there's bad news about simjacking. It's all coming up next on Security Now!.
LEO LAPORTE: This is Security Now! with Steve Gibson, Episode 732, recorded Tuesday, September 17th, 2019: Simjacking.
It's time for Security Now!, the show where we talk about the latest in security and privacy and keeping yourself safe online with this guy right here, Steve Gibson, in the house. Hello, Steve.
STEVE GIBSON: Yo, Leo.
LEO: We've done a lot of Security Nows, it feels like, in the last few days.
STEVE: It has. And in fact I made note of that. For this week I said we continue following the DoH story, which we begin discussing two weeks from now in the future, as a result of a rip in the space-time continuum.
STEVE: We also look at recent changes to Chrome 77 and the forthcoming Chrome 78; the already compromised, though not yet released, iOS 13.0; Mozilla Firefox's new browser VPN offering; and a look back at last Tuesday's Patch Tuesday. We take note of Chrome's remote desktop feature, which I just discovered, cover another serious Exim email server problem, handle a bit of miscellany, and then conclude with an examination of a serious vulnerability affecting essentially all smartphone users, known as simjacking.
LEO: Oh, man. This has been a big problem.
STEVE: Yeah. It got a lot of coverage in the tech press. And I had to, like, I had no idea that a SIM could be jacked. I just figured it was a bit of - I thought it was like a bit of ROM or something. But it turns out there's a browser in your SIM. It's like, what?
STEVE: Yes. And so the good news is that firewalls, cellular carrier firewalls can be erected to stop this. But at the moment, there isn't any.
LEO: They're not doing it, yeah.
STEVE: And it's possible for bad guys to send you an SMS message which jacks your SIM and can take over your phone. And it's like, because it's down at the SIM level, it's carrier agnostic. It's phone source agnostic. It's, if your phone has a SIM in there, and they all do, you're in trouble. I mean, but not…
LEO: Even an eSIM, even an eSIM would be vulnerable to this.
STEVE: Yes. And it's going to be targeted attacks. It's not like you're going to get sprayed with it. But for people who are subject to targeting, this is a problem. So anyway, we have lots of stuff to talk about.
LEO: I can't wait, as always. Security Now!, we look forward to it every week. A reminder, Steve and I are going to be in Boston. That's why we were pre-recording our October 1st episode. On October 3rd we will be doing an event on behalf of LastPass. It's exciting. It's an event about the future of authentication. It'll be Steve. It'll be the legendary William Cheswick, Bill Cheswick, who actually created the first firewall at Bell Labs and has written a lot about security and has recently written about passwords and why they're bad. We'll also have Gerry Beuchelt, who is the CISO of LogMeIn.
It's going to be a fantastic panel event. It is absolutely free. If you're in Boston on that Thursday afternoon, October 3rd, you can go to our website, twit.to, that's the URL shortener, twit.to/unlocked. We have, I think, some room left. What's happened is that they've slowly expanded the venue. It was initially 100 people, then 200. I think we're up to 350. I think they're going to have to go to five or 600. But we're slowly expanding the venue to accommodate at the Intercontinental Hotel in Boston. If you will be in the Boston area on October 3rd, twit.to/unlocked. It's free.
It's actually for charity. Everybody who attends will get a $100 token they can donate to one of LogMeIn's three choices of charity. So that's going to be really nice, too. You get to put your token in a charity of choice. And I can't wait to do that with you, Steve. It's going to be a lot of fun.
STEVE: We'll have a ball.
LEO: Yeah. I mean, eventually we will sell out. This may be the last round of announcements. So don't delay. Let's get going, Steve. We've got a picture. We've got a picture.
STEVE: I've been sitting on this one for a while. I just get a kick out of it. So this is from the iconic sci-fi movie “The Terminator” with Arnold the robot sent back in time from the future, who's at a phone booth looking up the…
LEO: You remember he was looking for Sarah Connor. He had to find her.
LEO: He took the phone book.
STEVE: And so there's a scowl on his face down at the bottom frame because in the phone book Sarah Connor's name has been distorted with a line running through it to create a CAPTCHA.
LEO: I am a robot. I cannot read it. What have they done?
STEVE: Anyway. Just a little bit of geeky security humor.
LEO: I don't think these CAPTCHAs fool anybody, especially not robots.
STEVE: No. They fool us more than they fool, you know, robots.
LEO: Yes. They're hard for humans.
STEVE: I'm looking at them going, I have no idea what that thing says. Just give me another one, please.
STEVE: So Chrome follows Mozilla to DoH with a bit of a twist. Google has announced that they, too, will soon be performing a trial of DNS over HTTPS, DoH, in the upcoming Chrome beta 78, which will be releasing this Thursday, September 19th. We're currently at Chrome 77. What's interesting is that, rather than having Chrome preconfigured with a default DoH server like their own, Google will instead attempt to preserve whatever DNS the user already has chosen. And I love that idea. I think that's very clever, and that it would be really cool if they were to probe the user's currently selected DNS server to see if it was offering DoH support, test it locally, then switch to it.
But apparently that's a bit too aggressive, at least initially. So what they'll be doing is only if the user has already configured their DNS to one of six providers: CleanBrowsing, Cloudflare, DNS.SB, Google, OpenDNS, or Quad9. On the other hand, those are high-reputation, well-known services, and I imagine a lot of our listeners probably have done that.
So initially, for a small group of users running Chrome 78 beta, Google will be running an experiment that checks to see if their provider is on that short list of well-known DoH-compatible providers. And if the user's provider is, Chrome will automatically upgrade to that provider's DoH server for its DNS resolution. And if they're not already using one of those servers, nothing will change. So this will affect all platforms of Chrome other than Linux and iOS. And on Android 9 and later, if a user has already configured a DNS over TLS provider, Chrome will use that instead of the ones that are listed.