Security Roundup - 2016-09-02

RC4 being deprecated is old news, but researchers are set to demonstrate that 3DES and Blowfish have met their end as well, with a demonstrable collision attack. OpenSSL seems poised to drop 3DES from default installs, and OpenVPN already plans a new version that warns against Blowfish.

Inversoft, a provider of moderation and DB SSO tools, recently released a guide to User Data Security. They set up a server using those guidelines, and challenged attackers to break in. Read one team’s chronicle of completing this challenge.

Anyone using Opera’s built in password manager and sync service, had all their passwords compromised this week.

Yet another historical breach has come to light, with Dropbox password data coming to light from 2012. It looks like the data contains a mix of SHA1 and BCRYPT hashes. Dropbox is forcing password resets for a certain set of users, but it probably doesn’t hurt to change your own.

Troy Hunt does an in depth exploration on what using Cloudflare to provide encrypted content means. Summary: If you are not encrypting between Cloudflare and your own servers, you are subject to MitM attacks anyway. Even then, having Cloudflare in the middle opens things up to potentially leaking information, or having Cloudflare as an intercept point. You have to ask yourself, “What is my risk model?”. He also suggests a few things Cloudflare could do to increase overall security, while also offering some transparency.

Steganography AND C&C control? The EndGame blog has an article on this specific combination using public image hosting. Included is a proof of concept using Instagram, called Instegogram.

I imagine a number of bad actors want to break into Facebook, and one researcher recently found an exploit in Facebook’s password reset functionality, relying on the fact that reset tokens had a keyspace of 1 million entries, and being able to initiate enough password reset requests would mean you could find out the token for a specific user.

Botnets leveraging IoT devices continues to trend, with BASHLITE being the latest version, having grown from 74 observed instances to 120000 instances fairly rapidly. Interestingly, this doesn’t seem to be very sophisticated, with payloads running through a list of things to try until something works, and no C&C rotation as such, relying on the ability to re-compromise if a move ever needs to occur.

Naked Security has an article on, not if a CA goes rogue, but what happens if a CA has a sloppy bug and doesn’t clean up their mistakes rapidly.

Duo Security was performing some research on exposed Redis servers, and noticed that a number of them all used the same SSH key. They learned that attackers that are able to send CONFIG directives can essentially overwrite keys on the server and gain complete SSH access, which was actually pointed out by the developer almost a year ago. Duo went so far as to set up a HoneyPot and caught an attacker ‘faking’ ransomware by just deleting data and leaving a notice.

I stumbled upon this interesting article about usage around target=”_blank” attribute for links, where apparently misuses can open up users to phishing attacks due to the referring site able to manipulate the opening window.

As always BleepingComputer has the best ransomware roundup. This week features 6 new ransomware including one that pretends to be a windows update screen.

Written on September 2, 2016