Security Roundup - 2016-04-07

Latest batch of interesting Security news.

Cloudflare has written an interesting article on the Trouble With Tor. Tor is an important tool for anonymity on the internet, but 94% of requests Cloudflare sees from Tor are malicious. Cloudflare offers an honest discussion regarding Tor, how they balance protecting their customers while still respecting the anonymity and usefulness Tor can provide, and how they are hoping to improve their methods to that end.

Did you know that the reference implementations of the next round of Crypto mechanisms come with large contributions from a single individual? One Peter Gutmann posts about the Impending Crypto Monoculture.

LastLine Labs recently blogged about a number of interesting malware trends: Code signing of malware is on a steady incline, malware is increasingly changing browser settings like setting a proxy to reroute traffic, malware that brute forces passwords is also increasing, and malware with evasion capabilities is pretty much the norm.

Locky continues to evolve since its introduction in February. CheckPoint has noticed that it is now also being distributed via exploit kits, rather than exclusively via spam. Additionally, Locky has started making small changes to how it communicates with Command & Control (C2) servers, but enough to evade initial detection.

Fortinet has a report on the latest ransomware family. KimcilWare is a new ransomware targeting Magento eCommerce sites. In addition to encrypting files, it also acts as a backdoor. Fortinet has a great investigate writeup of how it works and backtracks it to the individual and group responsible.

Threatpost has an article on how Firefox’s extension framework does not isolate plugins. This could allow for a plugin that doesn’t look malicious as part of the validation process to actually leverage other plugins to do unintended things. Google Chrome and Microsoft Edge already sandbox extensions. Firefox plans to correct this problem later this year.

In ironic news, CNBC apparently offered a password strength widget in order to educate readers on how strong their passwords were. Unfortunately, anyone who used it should change their password, as the form actually submitted the password to CNBC in plaintext, and probably forwarded it to third parties as well.

The BREACH, the compression side channel attack on HTTPs is back, with a new variant dubbed Rupture. The researchers produced their findings at Black Hat Asia last week and have demonstrated practical attacks to steal secrets from Facebook and Gmail chat sessions.

Mitre, manager of the CVE database has recently been criticized for the length of time it takes for a vulnerabilities to be reviewed and assigned a CVE have announced that they are planning to decentralize the system, citing the doubling of CVEs year over year (20k CVEs were issued in 2015 vs 10k in 2014). This plan has received some criticism from the Open Source Vulnerability Database (which just announced they are shutting down), which points out facts such as Mitre falling behind other vulnerability databases by as many as 6k issues in 2015 alone (indicating Mitre missed more than 23% of reported vulnerabilities) and Mitre refusing to create CVEs for products they don’t monitor. The Register also has some commentary which suggests the new proposed format will require rewrites of existing tools due to the proposed format change, which is not particularly desirable for a ‘pilot project’ that may be discarded.

Written on April 7, 2016