Security Roundup - 2018-05-18

Incorrect handling of HTML leads to security problems. eFail is the latest named vulnerability going around. Initially hyped as a PGP failure, what is actually happening is that systems interpreting HTML can be abused to exfiltrate data. If you combine this with automatic decryption of PGP data in your email client, you potentially have your client decrypt the text and then handily send it to an external source. The EFF has an extensive FAQ.
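A mail-gateway style check for the eFail mix described above, added here as an example (not from the EFF FAQ or any named project): it flags messages that carry PGP material alongside HTML that would make a renderer fetch remote content. The message text, the host name `remote.example` and the risk labels are constructed for the example.

```python
import email
import re
from email import policy

# Attribute or CSS url() references that would make a renderer fetch a remote resource.
REMOTE_REF = re.compile(r"""(?:src|href|url)\s*[=(]\s*["']?(https?://[^"')\s>]+)""", re.I)
PGP_MARKER = re.compile(r"-----BEGIN PGP MESSAGE-----")

# Constructed sample message: an HTML part that loads a remote image next to PGP material.
SAMPLE_EML = """\
From: alice@example.test
Subject: report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><body><img src="https://remote.example/collect?id=7"></body></html>
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

def find_remote_refs(html):
    """Return the remote URLs that rendering this HTML would fetch."""
    return REMOTE_REF.findall(html)

def assess_message(raw):
    """Rate a raw message by eFail-style exfiltration risk.
    high   = PGP material plus HTML that loads remote content (the eFail mix)
    medium = HTML that loads remote content, no PGP material
    low    = nothing that would trigger a remote fetch
    """
    msg = email.message_from_string(raw, policy=policy.default)
    remote, has_pgp = [], False
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if part.get_content_type() == "text/html":
            remote.extend(find_remote_refs(text))
        if part.get_content_type() == "application/pgp-encrypted" or PGP_MARKER.search(text):
            has_pgp = True
    risk = "high" if (remote and has_pgp) else "medium" if remote else "low"
    return {"risk": risk, "remote_refs": remote, "has_pgp": has_pgp}
```

A client plugin would refuse to render HTML (or at least never load remote content) for anything rated high, which is the mitigation the EFF FAQ points people toward.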

Remote code injection in DHCP client. Red Hat Linux and variants have released patches for a bug that caused the DHCP client to treat parts of server responses as commands, allowing remote code execution. The PoC exploit fit into a tweet.

Rowhammer in the wild. Several Rowhammer attacks have been demonstrated in the wild, including one triggered by sending packets over a network and another that used the GPU on phones.

When your desktop apps have XSS. Electron, a framework for creating cross-platform desktop apps using HTML, CSS and JavaScript, had a remote code execution exploit disclosed this week due to incorrect handling of defaults. This potentially means that a number of Electron apps are exposed to cross-site scripting attacks. Relatedly, the secure messaging app Signal had two XSS vulnerabilities found in its desktop app.

Active zero day for Internet Explorer. It was discovered by two separate security companies investigating attacks; make sure you upgrade and/or move to a more modern browser.

IBM bans thumb drives. IBM has recently reviewed its security standards and has decided that thumb drives are no longer to be used. Given their history as an attack vector, as well as a common way to lose/leak data, this seems like a smart (though perhaps hard to enforce/implement) strategy.

Subliminal IoT. Students at UC Berkeley have demonstrated that voice assistants can be controlled by subliminal messages.

This photocopier contains secrets. Getting rid of old photocopiers/scanners at work? Make sure they aren’t storing secrets, like maybe social security numbers, contracts, or medical records.

People Don’t Patch. I actually talked to members at Sonatype about this, where they see thousands of organizations downloading vulnerable software packages, like the Struts vulnerability that resulted in huge news stories when it was the cause of the Equifax breach.

Security Roundup - 2018-05-10

RouterSploit 3.0 Released. A security tool for auditing routers has gotten a major upgrade. The biggest new feature tries to address the plague of default credentials by providing a framework for anyone to add the appropriate authentication method for devices. This seems like a pretty important area of research, given stories like:

Other internet-connected device flaws. Routers are not the only devices with reported flaws this week:

Office 365 Zero day discovered. Overlooked HTML functionality has resulted in an Office 365 zero day which bypasses security checks.

Fun with passwords. Who better to get password tips from than those who break them? Rapid7 has collected passwords from a number of security engagements and has some tips on how people can do better. Troy Hunt also reminds us all that password selection is horrible, with more than 86% of passwords in a recent breach already appearing in other breaches, making brute-force attempts that much easier.

Hijacked Accounts on Steam. Finally frustrated by scammers on the online gaming community Steam, one security researcher set out to discover how they worked, which led him to find their admin console and alert Steam to compromised user accounts.

OS Makers misread docs, build in vulnerabilities. The majority of OS providers are releasing patches this week to deal with a misunderstanding of how Intel handles debug exceptions, caused by ambiguous documentation. This could allow an attacker with physical access to a machine to get elevated privileges.

Security Roundup - 2018-05-03

Backdooring Encryption. An industry veteran claims to have solved how to ‘safely’ backdoor cryptography. The solution is effectively key escrow. But, as a number of experts such as Matthew Green are pointing out, key escrow is going to make that key storage a big target, especially given that either: a) every organization will have to create its own implementation, or b) someone will mandate a centralized repository, ripe for exploitation and/or abuse. Also, given that a lot of phones are manufactured overseas, what happens when a foreign government coerces the manufacturer to provide access to all the escrowed keys?

Alexa, record everything. Security researchers figured out a way to make an Alexa skill record all audio after a user activates their task.

RFID Lock Insecurities. When was the last time you were at a hotel that DIDN’T have an RFID or magstripe lock? A+ for convenience, but a number of these locks have vulnerabilities, as security researchers prove they can break into a number of RFID locks with ~$300 worth of materials, an expired keycard, and about a minute of time.

Fun with Honeypots. A 2018 look at what happens when you set up an SSH honeypot. No surprise that there are a lot of IoT-type guesses.

Share passwords…. Be careful using ‘sharing culture’ SaaS apps. You may, for example, end up sharing passwords or confidential information with the public, as some Trello users accidentally did.

… or log passwords! Both Twitter and GitHub announced they found subsystems that accidentally logged passwords. While there is no indication that anyone obtained these logs, make sure to change your passwords anyway.

Supply chain attacks in npm libs. A crafted backdoor was found in an npm package. While this npm package was not itself popular, the attackers actually got it merged into an older, but still used, package. The package would have allowed remote code execution, and could have been pulled into a project just by a developer updating all packages. The impacted npm libraries have now been removed.

Massminer. Finally, for those who love stories of malware, check out Massminer, the latest in malicious cryptocurrency miners. What sets Massminer apart is its inclusion of masscan, a tool for scanning for open ports, which it then leverages to find targets for a number of popular exploits.

Security Roundup - 2018-04-26

“Hacker” accesses non-public data in public portal. The most disappointing news lately is about how a young Canadian realized that the Nova Scotia Freedom of Information Act site has an enumerable URL parameter. Said individual wrote a script to download a bunch of files, and was later arrested because said files were deemed ‘sensitive’ and had been erroneously uploaded in a public manner. This has led many people to be critical, pointing out that this wasn’t the 19-year-old’s fault so much as the fault of the owners of the system (again, portrayed as public information). Troy Hunt has a good writeup, including some history of similar accusations of “unauthorized use of a computer”.
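From the site owner's side, a script walking an enumerable parameter shows up clearly in the access logs. The detector below is an added example (not from the Nova Scotia site, Troy Hunt's writeup or any product): it parses combined-format log lines and reports any client that requests strictly consecutive values of a numeric parameter in quick succession. The log lines, client addresses and the `/download?id=` path are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-format access-log lines: one client walks id=1001..1004
# within seconds, another fetches two documents nine minutes apart.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2018:10:00:01 +0000] "GET /download?id=1001 HTTP/1.1" 200 5120
198.51.100.4 - - [05/Apr/2018:10:00:03 +0000] "GET /download?id=2045 HTTP/1.1" 200 900
203.0.113.7 - - [05/Apr/2018:10:00:02 +0000] "GET /download?id=1002 HTTP/1.1" 200 4800
203.0.113.7 - - [05/Apr/2018:10:00:02 +0000] "GET /download?id=1003 HTTP/1.1" 200 4100
203.0.113.7 - - [05/Apr/2018:10:00:03 +0000] "GET /download?id=1004 HTTP/1.1" 200 7000
198.51.100.4 - - [05/Apr/2018:10:09:00 +0000] "GET /download?id=2046 HTTP/1.1" 200 950
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

def parse(line, param):
    """Return (client, timestamp, numeric param value), or None if the line lacks them."""
    m = LINE_RE.match(line)
    q = m and re.search(rf"[?&]{re.escape(param)}=(\d+)", m.group(3))
    if not q:
        return None
    return m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), int(q.group(1))

def detect_enumeration(log_text, param="id", min_run=4, max_gap_s=30):
    """Report clients that walk a numeric URL parameter sequentially.
    A run is one client's consecutive requests whose values increase by exactly 1 with at
    most max_gap_s seconds between them; returns {client: (run_length, first, last)}.
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line, param)
        if rec:
            by_client[rec[0]].append(rec[1:])
    findings = {}
    for client, reqs in by_client.items():
        reqs.sort()  # chronological order, then by value
        best, run_len, run_start = (1, reqs[0][1], reqs[0][1]), 1, reqs[0][1]
        for (t_prev, v_prev), (t_cur, v_cur) in zip(reqs, reqs[1:]):
            if v_cur == v_prev + 1 and (t_cur - t_prev).total_seconds() <= max_gap_s:
                run_len += 1
            else:
                run_len, run_start = 1, v_cur
            if run_len > best[0]:
                best = (run_len, run_start, v_cur)
        if best[0] >= min_run:
            findings[client] = best
    return findings
```

Detection only limits the damage; the fix is to stop serving documents by guessable ID without an authorization check, or to use unguessable identifiers.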

BGP Hijack of Amazon DNS. Malicious attackers somehow used an Ohio based ISP to advertise several hundred IP addresses, many of them addresses for AWS’ DNS offering. The ultimate target was hijacking cryptocurrency website MyEtherWallet, making off with $150K over 3 hours. Other AWS customers were potentially impacted as well, but current scope is still unknown.

Webstresser de-stressed. Attack-as-a-service platform Webstresser was taken offline the other day after a coordinated effort by several law enforcement agencies. Interestingly, this has also taken a number of other malicious services down, as they appear to have been resellers of Webstresser.

How OSX malware can take screenshots. After some reports of malware families taking screenshots of desktops on OSX, one security researcher has dug in. Reverse engineering the technique independently, as well as digging into actual malware samples, he finally suggests ways in which this type of activity could actually be detected.

IPv6 as a backdoor. Think you’ve locked down your local network? Have you checked your IPv6 setup? Trustwave points out that modern devices configure IPv6 automatically, and the services you have protected with IPv4 firewall rules may still be open over IPv6.
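A quick way to catch the mismatch Trustwave describes is to diff the two rulesets. The script below is an added example (not from Trustwave or any tool): it parses `iptables-save` and `ip6tables-save` style output and reports chains whose IPv6 default policy is ACCEPT while the IPv4 one is not, plus port rules with no IPv6 counterpart. The two rulesets are constructed for the example; on a real host you would feed it the actual command output.

```python
import re

# Constructed iptables-save / ip6tables-save output for a host whose IPv4 INPUT
# chain is locked down while its IPv6 filter table was never configured.
IPV4_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
IPV6_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

POLICY_RE = re.compile(r"^:(\w+) (ACCEPT|DROP|REJECT)")
RULE_RE = re.compile(r"^-A (\w+) .*?-p (\w+) .*?--dport (\d+) .*?-j (\w+)")

def parse_filter(save_text):
    """Return ({chain: policy}, {(chain, proto, port, target)}) for the *filter table."""
    policies, rules, in_filter = {}, set(), False
    for line in save_text.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and (m := POLICY_RE.match(line)):
            policies[m.group(1)] = m.group(2)
        elif in_filter and (m := RULE_RE.match(line)):
            chain, proto, port, target = m.groups()
            rules.add((chain, proto, int(port), target))
    return policies, rules

def compare_stacks(v4_text, v6_text):
    """List where the IPv6 ruleset is weaker than, or diverges from, the IPv4 one."""
    p4, r4 = parse_filter(v4_text)
    p6, r6 = parse_filter(v6_text)
    findings = []
    for chain, pol in p4.items():
        # A chain the IPv6 table never mentions defaults to ACCEPT, so treat absence as ACCEPT.
        if pol != "ACCEPT" and p6.get(chain, "ACCEPT") == "ACCEPT":
            findings.append(f"{chain}: IPv4 policy {pol} but IPv6 policy ACCEPT")
    for chain, proto, port, target in sorted(r4 - r6):
        findings.append(f"{chain}: {proto}/{port} {target} rule has no IPv6 counterpart")
    return findings
```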

Drupal suffers multiple high-severity vulnerabilities. Last month was Drupalgeddon 2, but now Drupal has announced another highly critical vulnerability which impacts all versions of Drupal, going so far as to provide patches for unsupported versions of the CMS. Unlike Drupalgeddon 2, this vulnerability was immediately seized upon and is currently being exploited in the wild.

Steganography, the new tool on the block. Security researchers warn that steganography, the practice of hiding data inside other files, is increasingly being used by malicious actors. The technique is being used to evade monitoring solutions by making payloads look like images rather than the malicious packages they actually are.

Security Roundup - 2018-04-19

RSA attendee list exposed. Attended RSA? A subset of your data turned out to be decryptable by reverse engineering the mobile app and grabbing the SQLite database from a publicly accessible API endpoint. This is apparently similar to functionality in their 2014 mobile app.

Android patch gap. The Android ecosystem already suffers from lags in security patches due to a fragmented OS and manufacturer ecosystem. Now security researchers have found that even when manufacturers apply patches, they may not include all security updates. In some cases this appears to be deliberate, with at least one vendor changing patch numbers without actually updating code, potentially misleading users.

A day in the life of a CISO. While no two days are ever quite the same, Cory Scott, CISO of LinkedIn, attempts to put together what an average day as a CISO is like for him.

Abusing Google Tag Manager for fun and profit. Google Tag Manager lets site admins create custom scripts they can reference on their site for loading. Sucuri goes over how an attacker with write privileges could subtly load malicious scripts by copying your script, adding their own content, and then changing content on your site. This assumes they are able to modify content on your site, but with the number of CMSes with exploits…

Microsoft Outlook bug exposes account information. A large bug has been found in Microsoft Outlook previews, where previews of RTF documents that happen to contain remote SMB/Samba content will helpfully attempt to reach out to the server, leaking user information like IP address, Windows domain, username, machine name, and a session password hash which an attacker could crack to get the user’s password.

The early internet lacked security because… Believe that the early internet did not have security built in because of ‘open networks’ and ‘inherent trust’? You may want to fact-check that against US export regulations on cryptography. Engineers were essentially torn between adoption and interoperability on one hand, or having all their systems restricted by export control on the other. Can you imagine a world in which the US had its own network, European nations another, etc.? And you think getting on wi-fi at an airport is bad NOW…

Botnets kept on their toes. Two prominent botnets have had their work cut out for them, as researchers have focused on identifying and defanging them. The first is Smoke Loader, for which Microsoft has spent considerable time providing countermeasures, with the malware authors trying to develop new workarounds. The second is EITest, a major botnet used to redirect users to malware and tech-support scams, which has had key C&C infrastructure taken over, effectively dismantling the entire operation.

A study of login abuse. Akamai recently unveiled some research into fraudulent API-based login activity, which is largely service-to-service. Their research indicates that 30% of all API login requests they observed are fraudulent.

More abuse of Facebook data. Security researchers found that malicious scripts could abuse the ‘Login with Facebook’ functionality to harvest user data, including name, email address and profile photo. In one case, the data was accidentally made available to any JavaScript running on a site.

2018 Tax Fraud Shenanigans. Brian Krebs points out some new ‘fun’ in tax fraud. His article contains not only a story of a CPA who had their account compromised for weeks (and thus a fair number of his clients having their returns stolen), but also an extension of IT support fraud: tax refund fraud.
