Security Roundup - 2017-01-12

Bruce Schneier writes a thoughtful article on Class Breaks, where a security vulnerability doesn’t just impact one system but an entire class of systems. He argues that this concept deserves more attention as we move to a more connected world. The IoT ecosystem has shown plenty of ‘class breaks’, where a single vulnerability means that a large number of systems are impacted at once. As we automate more technology, building security in and planning for eventual class breaks will be important, as 2016’s IoT news has demonstrated.

Krebs on Security has a detailed article about problems with cardless ATMs. In this story, an attacker was able to add another phone number to someone’s account, and then use a cardless ATM feature that Chase was testing to withdraw cash. The attack was made easier because, by default, the transaction lacked a second factor (a bank card counts as one).

The above article led me to Two Factor Auth, a database of all the services that allow users to enable 2FA.

Do you use autofill on web forms? You may be giving away more information than you can see, since these features can also fill in hidden fields.

Troy Hunt wrote up an interesting story where he walks us through the process of data getting into HaveIBeenPwned (note, this uses an adult site as an example).

Kaspersky Labs discovered a C&C server that was also being used as a shopping portal to sell the stolen data. The catch is that the shop portion itself had a security vulnerability that allowed a malicious user to make off with the already stolen data.

ThreatPost reports that hackers are specifically targeting Mongo databases, deleting records and leaving a ransom note for users who want their data back. It looks like there are potentially multiple attackers doing this, and they are overwriting each other’s ransom notes in an attempt to get the payout, which decreases the likelihood of victims ever getting their data back. BleepingComputer contacted one hacker, who said that his process is completely automated and that he is motivated by the belief that owners of these systems ‘have to learn a lesson’. BleepingComputer has been following the story closely; at time of writing ~21K MongoDB instances have been hit, and one of the major players has offered their script for sale to anyone who wants to fight over the remains.

BleepingComputer also reports on Spora, a very sophisticated ransomware strain. Spora works offline, and the encryption looks to be based on randomly generated keys that are then secured with public key encryption, so the encrypted keys have to be manually sent to the attackers before decryption is even possible.

Written on January 12, 2017