Security Roundup - 2016-08-11

Several major security conferences wrapped up in the last week, prompting many interesting articles.

This year’s Pwnie Awards added a few new awards, including ‘Best Cryptographic Attack’ (awarded to DROWN) and ‘Best Backdoor’ (awarded to Juniper).

The Cyber Grand Slam was won by ‘Mayhem’, built by ForAllSecure.

Imperva has discovered a number of vulnerabilities in HTTP/2 implementations, some of which are similar to vulnerabilities that existed in HTTP/1.x.

Checkpoint announced Quadrooter, a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Many popular Android devices use this chipset, and the exploits allow malicious apps to escalate privileges and gain root access to the device.

In another SSL vulnerability with a catchy name, HEIST makes other attacks like BREACH and CRIME easier because it enables the use of malicious javascript to measure HTTPS responses, skip the need to perform a MitM attack.

Two large companies launched bug bounty programs this week. The first being Kaspersky Lab, who wants everyone to report as many bugs as possible. The second being Apple, who continues their efforts to embrace the security community. Their payouts of up to $200K make it one of the largest paying programs available. Despite that, these programs still pale in comparison to the zero day bounties that black hat groups currently advertise, including $500K for iOS 9.3+ exploits.

Who has their hands in the (session) cookie jar? Two academic researchers set out to find out, simply by listening to traffic on wifi networks. Using simple traffic sniffing tools, they were able to discover large amounts of data including usernames, email addresses, and occasionally even address information.

A security researcher has written a tool called ‘OnionScan’, which is used to find vulnerabilities and data leaks for TOR hidden services. Their goal is to help increase anonyminity on TOR by helping some operators further secure their sites.

Security researchers have discovered a very persistent malware platform dubbed ProjectSauron. While found on a number of targets, the fingerprints for every version are unique enough that no overall patterns have emerged. Due to the overall sophistication, it is currently believed to be at least funded by a nation state. Given that it had gone undetected for 5 years, what level of sophistication is possible today?

Rapid7 has apparently discovered a timing attack with chip and pin cards, where an attacker can make small changes to PoS terminals to clone cards, and then use them with a recorded pin for a small window of time. While the window is in the range of minutes, this potentially still allows for some quick withdrawals.

Have you thought about the fact that your monitor uses a computer and it is insecure? One security researcher did and figured out a method to exploit. Who monitors your monitor? Somewhat similarly, researchers have demonstrated a way to hijack a phone’s ability to export HDMI to tap in and record screen content over USB. They set up some fake charging stations at DefCon to demonstrate.

Industrial automakers use common communication standards across a variety of devices (including transport trucks and buses). University of Michigan researchers have done an audit, and found it is easy to take control of most of these vehicles systems. While they relied on physical access, there is no reason to believe a wireless attack wouldn’t be possible in the future. In other news - Charlie Miller and Chris Valasek, who have been pioneers in automotive hacking, have delivered their final DefCon talk on the subject. Their latest research involved tricking systems into diagnostics mode, in order to bypass some protections.

You would think digital locks would be locked down, but security researchers find that is far from the case after doing analysis of 16 smart locks. They were able to unlock 75% of them, ranging from finding passwords passed in plaintext, replay attacks, and sending bad data to trigger an error state.

Following up on SMS again, looks like a number of Telegram accounts have been compromised due to a weakness in using SMS to activate new devices.

As always, BleepingComputer has the best ransomware roundup. This week includes a number of ‘educational’ ransomware variants, and many new variants in general.

Written on August 11, 2016