Security Roundup - 2016-07-28

KeePass, a password management system, is getting a code audit thanks to a pilot project by the European Parliament. Other projects proposed to be audited include the Apache HTTP server, Linux and MySQL.

Do you allow data to be exported as a CSV? Then you might be subjecting your users to CSV injection exploits. Essentially, if someone can insert data that is not sanitized, if it is exported and opened by something like Excel, it could execute arbitrary code on the recipient’s machine.

NIST has issued a new draft of secure communication guidelines, most norably tightening up 2-Factor auth recommendations by suggesting the deprecation of SMS 2-Factor auth. Since social engineering has allowed call forwarding of SMS attacks this sounds like a good recommendation.

A few stories about bug bounties this week, with Uber fixing a bug allowing customer password resets and PHP having two remote code execution bugs involving the garbage collector.

With the rise of car hacks, the CEO of GM has now said that these incidents are not just a consumer or an automaker problem, but a matter of public safety. This week, the Alliance of Automobile Manufacturers has apparently released a set of security best practices for vehicles.

Meanwhile, Bruce Schneier has a thoughtful article on security in the Internet of Things. Essentially with the proliferation of connected devices, since they also can interact with each other, the footprint of things that can be exploited (sometimes in unexpected ways) is expected to increase. Since these devices are also automated, this makes it easier for attackers to execute some unintended (to the device owner) behavior before they can even react. We have seen this with a number of stories in the last year, from the remote camera takeovers to medical devices being infiltrated and we should expect those stories to continue.

As an example on how ubiquitous connected systems are….. do you use a wireless keyboard? Someone could eavesdrop on everything you type as well as execute keystrokes from 250 feet away using less than $100 of equipment. Researchers testing a number of currently available models found a complete lack of encryption in 8 out of 12 they tested.

In responsible disclosure news, Google security researchers have discovered a remote execution bug in LastPass. The two companies are working on a fix.

Talos Intel has a great article on tracking down ties between different malware, where they discover relationships between Jigsaw, Ranscam and AnonPop.

As always, Bleeping Computer has the best ransomware roundup. Beyond the new variants, and unlockers, it appears that the Stampado family that was selling for cheap already has a decryptor.

Written on July 28, 2016