Security Roundup - 2016-11-03
The first O’Reilly Security Conference just wrapped up in NYC. I opted to attend last minute and was glad I chose to, due to a number of really good conversations with other attendees. I plan to share a separate write-up of some of the highlights in the near future.
Let’s keep following the Mirai after effects:
- Cloudflare mentions the impact on their systems, and their own observations, of the Dyn attack. Additionally, they detail how they have set up their architecture to deal with large-scale attacks, which includes spreading load across tens of thousands of servers.
- ThreatPost reveals some exploits in the Mirai codebase can be used to stop attacks. However, ‘hacking back’ is not legal in the USA.
- Wirecutter, a gadgets and gear review site, has published an article asking ‘Are Smart Homes Open Houses for Hackers?’. Tying in the recent attack and giving a review of some fairly prominent device exploits, it is a good read.
- Engadget has a similar piece on ‘That time your smart toaster broke the internet’, going over the recent problems, as well as some of the history of botnets and connected devices.
- Rapid7 goes into how to avoid ‘Default Fail’ for wireless systems, which IoT devices rely on.
- News has been circulating about a new IoT botnet, taking lessons from Mirai, building on top of Aidra from 2013, and apparently infecting 3500 machines in its first 5 days.
- HackForums.net has shut down a portion of their site which advertised ‘Stress Testing Services’, some of which may have been DDoS as a Service providers in disguise.
Google has indicated that Chrome will only trust certificates that participate in the Certificate Transparency standard. Google intends this to encourage Certificate Authorities to tighten up their own security, and to cut down on mis-issued certificates that can be used maliciously. One downside, however, is that this would require certificates used inside corporate networks to be logged in Certificate Transparency, which would leak internal networking details. Additionally, Google has indicated that they will stop trusting certificates signed by WoSign and StartCom due to certificate misuse.
Google has also disclosed the existence of a Windows zero-day vulnerability being exploited, ahead of an announcement by Microsoft. While Google is acting under a long-standing disclosure policy for ‘critical flaws under active exploitation’, Microsoft suggests they are not being responsible about ‘coordinated vulnerability disclosure’ and are putting customers at risk. Coincidentally, Rapid7 has an article on Coordinated Vulnerability Disclosure Advice for Researchers.
A new named exploit called Atombombing has been detailed. The exploit relies on ‘atom tables’, an area of Windows where apps can share data. Researchers have discovered a way in which malware can share malicious code via these tables, and then trick legitimate apps into loading and executing the payload.
Sophos tells the tale of the recent Paypal 2FA bypass. It appears that the client side was submitting the questions AND the answers, and simply deleting both could bypass 2FA.
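The pattern behind that bypass, as an added illustration that is not from the Sophos write-up or PayPal's code: a server that lets the client dictate which questions to check accepts an empty submission (the check passes vacuously), while the hardened version derives the required set from its own records. The user, questions and answers are constructed.

```python
import hashlib
import hmac

# Constructed server-side record of enrolled security questions, keyed by
# user, with hashed answers. A real system would hold these in a database.
ENROLLED = {
    "user@example.com": {
        "First pet's name?": hashlib.sha256(b"rex").hexdigest(),
        "City you were born in?": hashlib.sha256(b"berlin").hexdigest(),
    }
}


def _matches(answer: str, stored_hash: str) -> bool:
    """Normalise the answer, hash it and compare in constant time."""
    digest = hashlib.sha256(answer.strip().lower().encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hash)


def verify_vulnerable(user: str, submitted: dict) -> bool:
    """Trusts the client to say which questions must be answered.
    An empty submission satisfies all() vacuously, so stripping the
    question/answer fields from the request passes the check."""
    enrolled = ENROLLED.get(user, {})
    return all(
        question in enrolled and _matches(answer, enrolled[question])
        for question, answer in submitted.items()
    )


def verify_hardened(user: str, submitted: dict) -> bool:
    """The server decides which questions are required: every enrolled
    question must be present and answered correctly."""
    enrolled = ENROLLED.get(user)
    if not enrolled:
        return False
    # Client-supplied fields never decide *what* gets checked.
    if set(submitted) != set(enrolled):
        return False
    ok = True
    for question, stored_hash in enrolled.items():
        ok &= _matches(submitted[question], stored_hash)  # no early exit
    return ok
```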
Breakpoint Labs continues their series on ‘How We Get Into Your System’. This week features Multicast Name Resolution Poisoning, which takes advantage of some local networking protocols to harvest username/password hashes.
Troy Hunt tells us how an anonymous user happened to find a chunk of Australian Red Cross blood donor records online, exposed via a database backup that had accidentally been left accessible on a partner’s website. Troy tells the whole story, as well as why he decided NOT to load the data into Have I Been Pwned.
This week’s Ransomware Roundup by BleepingComputer contains more variants (including one that makes you fill out a survey!) and a malware developer who tried to sell security researchers decryption keys when the researchers had already exploited the C&C to harvest those keys.