Security Roundup - 2017-03-02

The big news this week is, of course, Cloudbleed. Troy hunt provides his own take on the issue. Of note, he points out the total impact is not measurable. While Cloudflare was able to measure 0.00003% of requests, since the bug leaked information from unrelated sites it is unable to measure how many sites were actually impacted. He also points out that 0.00003% is still a huge volume of traffic, given that Cloudflare deals with trillions of requests per month, meaning millions of requests potentially leaked data. However, not all Cloudflare users are at risk, simply due to the fact that not all Cloudflare customers have sensitive data. Plenty of informational only sites use Cloudflare services, meaning there was no sensitive information to leak for those sites. Cloudflare has their own follow up on impact.

Duo Security posts a summary of the ‘The Human Exploitation Kill Chain’ talk from the RSA Conference. The talk goes over the various points of a phishing attack that we should attempt to layer security, vs just training users on identification. While humans are important, it is also important for them not to have enough individual power to allow an attacker to pivot through an entire system.

Yahoo has followed up on the report of forged browser cookies by announcing up to 32 million accounts were impacted.

605 websites were defaced recently, after attackers achieved access to the machine they were all hosted on. Any data that those sites were storing are likely to have been stolen as part of the attack.

For those familiar with the Hak5 suite of tools such as the RubberDucky, Hak5 has announced the BashBunny. It is essentially a ‘bring your own network MitM attack platform’, ala the PoisonTap that was demonstrated last year, just with the convenience and form factor closer to the RubberDucky, and including a full linux machine that allows a pentester to use all their normal security tools. Hak5 has done a handy how-to video going into detail.

Netsparker goes into depth about how lack of access control let anyone take over the Maiain Support system. While users were limited from seeing things due to roles, the backend apis themselves were not authenticated, potentially allowing someone who doesn’t even have login privileges to the application to access data.

With a recent article on data exflitration via drones and blinking LEDs, Naked Security provides a recap of exotic exfiltration methods. While many are not immediately practical without close access to a machine, they are still fairly interesting. Some highlights: Using ultrasound, smartphone sensors, measuring fan sounds, and thermal cameras.

In some fun news, one researcher breaks Google’s Recaptcha mechanism by using Google’s Speech recognition API and the audio ReCaptcha

Following up on last week’s breach notification news:

A discussion at RSA argued that the US Government’s Vulnerability Equities Process (VEP) should not be voluntary, but mandatory. The VEP has largely been criticized as allowing government agencies to stockpile, rather than disclose, vulnerabilities they find. Generally, the community is supportive of the government aiding research and finding vulnerabilities, and are pushing for more disclosure to raise the bar on security.

MalwareBytes has an article on What to do after recovering from a cyberattack. Important in the article is to promptly inform customers. In regards to the Australian breach disclosure laws,

Troy Hunt writes a critical article about it. In this article he points out that disclosure is far from mandatory, allowing companies up to 30 days to investigate, allowing them to not inform customers if there is an ‘administrative burden’, and suggesting that not ever breach should result in notification as that might result in ‘breach fatigue’. Troy points out that this just gives attackers that much extra harm to use any data they retrieved, furthering harm to any individuals that had their data stolen.

Google has been building tools that will eventually leverage their Key Transparency initiative. The latest is E2Email, a browser extension that makes it easier to use PGP keys for emails in web browsers.

Interested in attack mitigation techniques and circumvention? Endgame security discusses the Chakra exploit in Windows 10 and Edge and how it avoids some security features therein.

Exposed databases being compromised and held from ransom has continued, with Mysql being the latest victim. In all cases, these attacks could be mitigated by following simple security practices, such as not having databases on the internet and using strong passwords for database accounts.

Bleeping Computer also reports that Necurs may have added a DDoS component. Necurs is a botnet that produces spam, and BleepingComputer covers why this addition doesn’t make much sense.

Speaking of Botnets, Bruce Schnier has a long post on the subject, covering the growth of the Internet of Things based botnets.

A major version of Dridex has been detected in the wild and is apparently the first malware strain to make use of the Atombombing technique of code injection that EnSilo published last October.

Written on March 2, 2017