Security Roundup - 2016-09-15

USB for data exfiltration came up last week. This week continues the trend with one researcher building a device that could grab a password from a locked computer by masquerading as an ethernet device and listening for network authentication requests. Hak5 demonstrates another device that could steal password hashes in seconds. On the other side of the spectrum, one researcher has figured out how to use USB to damage devices and infrastructure by discharging electricity back into the port.

Accessing IoT devices over the internet/SSL? Sophos points out that this isn’t necessarily secure, given these devices tend to use hard coded secret keys that anybody could easily extract. At time of publication, they had identified 4.5 million http servers using widely known ‘private’ keys.

Microsoft had their Patch Tuesday this week, and EnSilo goes into depth into one particular patched bug that potentially impacts security tools and virtualization software, due to the change being in their ‘Detours’ hooking engine. As mentioned earlier this year, bugs in hooking engines can allow a number of security bypass techniques. Talos Intel has a writeup on the rest of the bulletins, pointing out a number of memory corruption and security bypass bugs.

Apple has continued to make small steps forward with security, now by making system updates go over secure channels to mitigate against MitM attacks.

One high school student recently figured out how to use T-Mobile’s network without a paid account, by leveraging a whitelist misconfiguration on T-Mobile’s side.

In other encryption news, Google apparently plans to draw attention to sites that do NOT use TLS, pointing out that they are not secure.

As always, Bleeping Computer has the best ransomware roundup. This week includes numerous ransomware variants, Locky switching to embedded RSA keys, and a new Ransomware as a service platform.

Written on September 15, 2016