Security Roundup - 2017-01-05

33c3 happened at the end of the year and videos are already up. Writers for Hackaday attended and did a number of writeups.

At the same time, the FDA announced guidance on managing medical devices in a cybersecurity world. Suggestions include ‘having a way to monitor devices for vulnerabilities’, which seems in and of itself a potential exploit vector? I am sure 2017 will have more news on this topic.

Filippo Valsorda, currently on the Cloudflare Security Team, published an op-ed on “Why he is giving up on PGP”. Major difficulties include ease of use, lack of trust that it is working ‘correctly’, and suspicion of the use of long-term keys. This was followed by a rebuttal by Neal Walfield, an engineer who works on GnuPG, who points out a number of ways to mitigate Filippo’s problems, and some future proposals that might increase usability.

Slate has a good history lesson on the 2011 DigiNotar breach, and how TLS security has changed in the last several years as a result. The changes include minimum security requirements for certificate providers issued by the Certificate Authority Security Council, Google’s Certificate Transparency program, browsers being more willing to de-list bad actors, and more.

Troy Hunt did an ‘Ask Me Anything’ for HaveIBeenPwned’s 3rd Birthday at the start of December, and recently published the video online. He also has an article on how responsible disclosure of account breaches should happen, using the recent Ethereum forum breach as an example.

A year-in-review of CVEs in 2016 gives some interesting data points. Android OS had the most reported security vulnerabilities for a single product this year, while Oracle had the most CVEs for an individual vendor.

Talos Security goes in depth on hailstorm spam, where spammers launch an email campaign so quickly that traditional detection methods only kick in after the campaign is finished. They go on to describe research into detecting this type of campaign more quickly, by monitoring DNS traffic.

Google announced Project Wycheproof, a collection of unit tests designed to expose weaknesses in implementations of several cryptographic algorithms. To date, they have uncovered 40 security bugs, which they are working with vendors to fix.

Similarly, Duo Labs has released a tool to do fuzz testing for Microsoft Edge and HTTP/2.

More and more malware kits appear to be turning to steganography to deliver payloads and instructions via image files. This includes the DNSChanger exploit, which attempts to use the victim’s browser to identify and compromise their own router. The attacker then tries to expose the router to the internet (to allow further control/compromise) and can also manipulate the user’s traffic. A similar concept has also been found on Android, with the Switcher Malware trojan.

MalwareTech wrote up a great article on how Open Source Malware hurts the industry. Arguments include: lowering the bar of entry to those with limited technical experience, faster evolution, and an increase in overall volume of ransomware. Other interesting observations: they point out that ransomware just does a user operation - encrypting files. This makes detection perhaps a bit harder, if antivirus is trying to distinguish between ‘good’ and ‘malicious’ encryption. Open Source Ransomware is also typically written in languages that malicious users are not actually writing malware in, so it does not benefit analysis much as malware evolves.

Check Point joined the “No More Ransomware” project, and promptly identified two new ransomware variants and built decryptors.

Cerber did an update over the holidays on which files it does and does not target. It primarily targets Microsoft Office documents, as well as potential bitcoin locations.

Written on January 5, 2017