Security Roundup - 2016-06-02

LinkedIn is apparently not the only service to have a large number of user accounts come to light this month. MySpace (breach between 2007 to 2010), Tumblr (2013), and Fling (2011) are all data sets that have apparently been lying dormants, but add up to 642 million user accounts. Troy Hunt of Have I Been Pwned has indicated these 4 breaches are in the top 5 of the 109 breaches he has recorded to date.

World renowned password cracker Jeremi M Gosney has an article on “How LinkedIn’s password sloppiness hurts us all”. He has worked with teams to crack 98% of the LinkedIn password data and they managed to do so in 6 days. End result is a large corpus of actual user password data which can be used as a wordlist, to analyze to create newer/better fuzzing rules, and overall makes slow-hashing functions like BCrypt and Argon2 less effective since password crackers will potentially require less attempts to break into accounts.

Microsoft, meanwhile, has announced an initiative to better protect user passwords. One layer actively bans bad passwords, which Microsoft collects more and more data on based on attacks. Another layer actively locks out accounts with attempts meeting a certain criteria and actively notifies an account holder. These features are being rolled out to Azure AD in a limited beta.

In terms of randomness, TOR goes to great lengths to generate enough randomness to encrypt all communications across its network. Naked Security has an article on how Tor generates randomness such that poisoned nodes don’t undermine the network as a whole.

For those procuring workstations for their employees, be sure to read this Duo article on OEM Updater Security. Duo managed to find vulnerabilities in all OEM Updater software that would allow them to execute arbitrary commands as a system user. While some attempts were made to harden updaters, more often than not some basic security measures (TLS communication, update validation, manifest validation) were not done.

The Internet Crime Complaint Centre has published their 2015 report. Highlights include: wire transfer fraud via phishing attacks have losses of over $263 million reported, corporate data breaches resulted in ~$39 million in losses, and malware compromised ~$5 million in losses with ransomware breaking the 1 million mark with ~$1.6 million in losses.

Checkpoint has an updated write up of CryptXXX. Evolving out of TeslaCrypt, CryptXXX seems to be serving their code as a DLL, and then using Windows binaries to execute the code at some later time. Since there is no base executable, this evades many sandboxes. CryptXXX takes this one step further by delaying execution, to further thwart any sandboxing.

This week I learned about some implementations of TLS have apparently failed to respect nonce uniqueness when setting up connections, thus opening the opportunity for forgery attacks against HTTPS sites. Unfortunately, some VISA sites have been discovered to have this issue.

Written on June 2, 2016