Security Roundup - 2016-11-03

The first O’Reilly Security Conference just wrapped up in NYC. I opted to attend last minute and was glad I chose to, due to a number of really good conversations with other attendees. I plan to share a separate write-up of some of the highlights in the near future.

Let’s keep following the Mirai after-effects:

Google has indicated that Chrome will only trust certificates that participate in the Certificate Transparency standard. Google intends this to push Certificate Authorities to tighten up their own security and to cut down on mis-issued certificates that can be used maliciously. One downside, however, is that certificates for internal corporate networks would also have to be logged in Certificate Transparency, which would leak internal networking details. Additionally, Google has indicated that it will stop trusting certificates signed by WoSign and StartCom due to certificate misuse.

Google has also disclosed the existence of a Windows zero-day vulnerability under active exploitation, ahead of an announcement by Microsoft. Google is acting under its long-standing disclosure policy for ‘critical flaws under active exploitation’, but Microsoft suggests that Google is not following ‘coordinated vulnerability disclosure’ and is putting customers at risk. Coincidentally, Rapid7 has an article on Coordinated Vulnerability Disclosure Advice for Researchers.

A new named exploit called AtomBombing has been detailed. The technique relies on ‘atom tables’, an area of Windows where apps can share data. Researchers have discovered a way in which malware can share malicious code through these tables and then trick legitimate apps into loading and executing the payload.

Sophos tells the tale of the recent PayPal 2FA bypass. It appears that the client side was submitting both the security questions AND the answers, and simply deleting both could bypass 2FA.
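The bug pattern behind that bypass, as an added illustration that is not code from the original post or from PayPal: the vulnerable handler verifies whatever question/answer pairs the client submits and never insists that any were submitted, so an empty submission passes, while the fixed handler takes the challenge from server-side state and requires an answer. The user store, request shape and field names are constructed assumptions.

```python
import hmac

# Constructed server-side store: user -> (security question, expected answer).
SECURITY_ANSWERS = {
    "alice": ("What was your first pet's name?", "fido"),
}


def _normalise(answer):
    return answer.strip().lower().encode("utf-8")


def verify_2fa_insecure(user, request):
    """Vulnerable pattern: trust the client's copy of the challenge.

    The client submits the questions and the answers; the server only checks
    that each submitted pair is correct. Nothing requires at least one pair,
    so a request with both fields deleted produces no pairs and is accepted.
    """
    questions = request.get("questions", [])
    answers = request.get("answers", [])
    expected_q, expected_a = SECURITY_ANSWERS.get(user, (None, None))
    for question, answer in zip(questions, answers):
        if question != expected_q:
            return False
        if not hmac.compare_digest(_normalise(answer), _normalise(expected_a or "")):
            return False
    return True  # reached with zero pairs: this is the bypass


def verify_2fa_fixed(user, request):
    """Hardened: the server owns the challenge and a missing answer fails.

    Only the answer comes from the client. The question and expected answer
    are looked up server-side, an unknown user or absent answer is rejected,
    and the comparison is constant-time.
    """
    record = SECURITY_ANSWERS.get(user)
    if record is None:
        return False
    _, expected_a = record
    answer = request.get("answer")
    if not isinstance(answer, str) or not answer.strip():
        return False
    return hmac.compare_digest(_normalise(answer), _normalise(expected_a))
```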

Breakpoint Labs continues their series on ‘How We Get Into Your System’. This week features Multicast Name Resolution Poisoning, which takes advantage of local network name-resolution protocols to harvest username/password hashes.

Troy Hunt tells us how an anonymous user came across a chunk of Australian Red Cross blood donor records online, accidentally exposed via a database backup left on a partner’s website. Troy tells the whole story, as well as why he decided NOT to load the data into Have I Been Pwned.

This week’s Ransomware Roundup by BleepingComputer covers more variants (including one that makes you fill out a survey!) and a malware developer who tried to sell decryption keys to security researchers who had already exploited the C&C to harvest them.

Written on November 3, 2016