Security Roundup - 2016-08-25

Like free beer? One developer found a “Loyalty Program” app, and realized the system was subject to replay attacks, such that one could (theoretically) cash in on loyalty perks without even making a purchase.

Last week’s news of NSA hacker tools has led to a few of these tools being evaluated. So far, it looks like Cisco PIX routers were exploitable allowing VPN communications to be eavesdropped on, prompting Cisco to review their product line. Fortinet has also been auditing their code and has discovered at least one similar vulnerability. Juniper has been doing their own analysis to check their own products. Meanwhile, one security researcher has been auditing some code, and finds some of it to be sloppy.

Apparently, researchers have used Facebook photos to hack face recognition systems. Thankfully a bit more complex than just showing a picture, determined researchers used Facebook photos to 3D print heads to fool the systems in question.

Security firm Praetorian has published a report on insights from 100 penetration tests. Essentially, in the majority of cases, they were able to compromise security due to weak passwords/password security, rather than relying on software vulnerabilities.

With great openness comes great malware. Wikileaks provides dumps of leaked information, and security researchers have discovered malware in these data caches. To be fair, since bad actors are probably also trying to exploit the companies in question, we should be more surprised if there was no malware in some of their email dumps.

With the DNC being hacked, the fact that at least part of the election process being hacked should seem fairly real. In particular, a group of researchers continue to advocate against voting machines regularly pointing out vulnerabilities in them, as well as pointing out other points of attack in the electronic voting process.

Plenty of online bulletin boards have been compromised, many of which are using vBulletin. Troy Hunt picks apart how some of these sites are using old versions of software, and suggests that for some services it would be better to use managed hosting, as the host will probably update packages much more quickly than your organization would.

United Airlines has rolled out ‘security’ updates to their site, but Krebs feels this are security efforts circa 2009. Amazingly, ‘secret questions’ use a drop down for all the answers, among other things.

NIST is working on a new draft on password recommendations and Sophos has a nice writeup. Minimum length recommendations are 8 characters, minimum max length is 64 characters, emphasis is on password length vs traditional password complexity rules and get rid of password hints, as studies are showing these decrease security.

Malware tech has an update on the Kelihos botnet, which had a sudden surge of new nodes. Based on their research, it looks like Kelihos is joining other groups in doing ransomware spam campaigns.

As always BleepingComputer has the best ransomware roundup. This week features Pokemon Go malware, new variants of TorrentLocker, the Shark Ransomware as a Service platform, and Cerber apparently earned $195K in July as well as continues to evolve to evade researchers.

Written on August 25, 2016