Security Roundup - 2017-10-27

China outpaces USA in terms of Vulnerability Disclosure. When vulnerabilities are disclosed, China's national database appears to publish details faster than the USA's, especially for uncoordinated releases, where the China National Vulnerability Database (CNNVD) has details almost 5.5X faster than the US National Vulnerability Database (NVD). The difference? NIST analyzes and aggregates publicly available and/or voluntarily submitted information, whereas CNNVD takes a more proactive stance, monitoring various outlets and producing details as quickly as possible so that companies can make informed decisions.

Duhk, Duhk, Goose. Another named vulnerability has made the rounds: DUHK (Don't Use Hard-coded Keys). DUHK targets implementations of the ANSI X9.31 random number generator that ship with a hard-coded (hence the name) key, found in a number of security devices, including VPN gateways. Because the firmware for these devices is usually available for download, attackers can extract the key. An attacker who also observes some of the generator's output (for example, nonces sent in the clear during a VPN handshake) can then recover the generator's state, recompute the key material the device drew from the same generator, and decrypt what should be encrypted traffic.
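
To make the attack concrete, here is a small Go model of the ANSI X9.31 generator and of the state-recovery step. It is an added illustration written for this roundup, not code from the DUHK researchers or from any vendor, and it simplifies the real attack: the date/time vector DT is a plain counter rather than a clock reading, the key and seed are constructed constants, and the generator is run with AES as a block cipher. The attacker is assumed to know the key (from the firmware), to have captured two consecutive output blocks (say, nonces from a handshake), and to know the clock only to within a window, which is brute-forced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const blockLen = 16 // AES block size: DT, V and R are one block each

// xor returns a ^ b for equal-length slices.
func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for k := range a {
		out[k] = a[k] ^ b[k]
	}
	return out
}

// enc applies E_K to a single block.
func enc(e cipher.Block, in []byte) []byte {
	out := make([]byte, blockLen)
	e.Encrypt(out, in)
	return out
}

// x931Step is one ANSI X9.31 generator step:
//   I = E_K(DT)   R = E_K(I xor V)   V' = E_K(R xor I)
// With K fixed, V is the only secret; DUHK's point is that K is not
// secret either and DT (a clock reading) has very little entropy.
func x931Step(e cipher.Block, v, dt []byte) (r, vNext []byte) {
	i := enc(e, dt)
	r = enc(e, xor(i, v))
	vNext = enc(e, xor(r, i))
	return r, vNext
}

// dtVector builds DT from a counter; a real device would use its clock.
// Using a counter is an assumption that keeps this example deterministic.
func dtVector(t uint64) []byte {
	dt := make([]byte, blockLen)
	binary.BigEndian.PutUint64(dt[8:], t)
	return dt
}

// Generate models the victim: n consecutive outputs (e.g. handshake nonces)
// from a device whose key is hard-coded in firmware and whose seed and
// clock the attacker does not know.
func Generate(key, seed []byte, startTick uint64, n int) ([][]byte, error) {
	e, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	v := append([]byte(nil), seed...)
	outs := make([][]byte, 0, n)
	for k := 0; k < n; k++ {
		var r []byte
		r, v = x931Step(e, v, dtVector(startTick+uint64(k)))
		outs = append(outs, r)
	}
	return outs, nil
}

// RecoverAndPredict is the attacker's side: with the firmware key, two
// consecutive observed outputs and a window of candidate DT counters, find
// the DT that turns r1 into r2, recover the seed behind r1 (V = D_K(R) xor I)
// and predict the third output before the device emits it.
func RecoverAndPredict(key, r1, r2 []byte, tickLo, tickHi uint64) (seed, r3 []byte, tick uint64, ok bool) {
	e, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, 0, false
	}
	for t := tickLo; t <= tickHi; t++ {
		i1 := enc(e, dtVector(t))
		v2 := enc(e, xor(r1, i1)) // seed after r1: forward computation only
		i2 := enc(e, dtVector(t+1))
		if !bytes.Equal(enc(e, xor(i2, v2)), r2) {
			continue // this DT guess does not explain r2
		}
		dec := make([]byte, blockLen)
		e.Decrypt(dec, r1) // D_K(r1) = I1 xor V1
		seed = xor(dec, i1)
		v3 := enc(e, xor(r2, i2))
		r3 = enc(e, xor(enc(e, dtVector(t+2)), v3))
		return seed, r3, t, true
	}
	return nil, nil, 0, false
}

func main() {
	key := []byte("hardcoded-fw-key")  // 16 bytes, "extracted from firmware" (constructed)
	seed := []byte("device-secret-V!") // 16 bytes, unknown to the attacker (constructed)
	outs, _ := Generate(key, seed, 1000000, 3)
	s, r3, t, ok := RecoverAndPredict(key, outs[0], outs[1], 999000, 1001000)
	fmt.Printf("found=%v tick=%d seed=%x\n", ok, t, s)
	fmt.Printf("predicted=%x\nactual   =%x\n", r3, outs[2])
}
```

The decisive step is the consistency check: once a DT guess turns r1 into r2, the seed is fully determined by D_K(r1) xor E_K(DT), and every later output follows without any further guessing. Nothing here is specific to VPNs; any protocol that leaks one generator output and later draws key material from the same generator is exposed in the same way, which is why the fix is to stop shipping the key, not to hide the outputs.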

Google Likes To Play…. Dangerously. Google has been dealing with a number of Play Store app issues over the last year. While it has taken a number of steps to deal with malicious apps, it has also just invited further scrutiny, this time by starting a bug bounty program specifically for certain apps in the Play Store. Developers of selected Android apps are eligible to opt in to the program, furthering Google's goal of improved Android app security.

HaveIBeenPwned API Hackathon. Troy Hunt of HaveIBeenPwned has challenged people to build something interesting with his APIs. Check out the comments for some interesting things that have already been built!

Massive PII Data Leak from South Africa. Troy also disclosed a large leaked dataset containing PII. His article details the steps he took (and the help he received) in identifying the likely source of the data (South Africa), as well as how bad it is (PII and records for children and teens).

CERT Guide To Vulnerability Disclosure. CERT has released a massive 121-page guide on coordinated vulnerability disclosure. Thankfully, Hacker provides a summary. The summary of the summary is that the document covers how to ensure the least possible harm to the public while limiting what attackers can do with disclosed information. Ultimately, it is in vendors' interest to run responsible disclosure programs, so that researchers can report findings through the appropriate channels, confident that there will be a response, allowing vendors to fix issues quickly rather than researchers feeling they must create a media sensation to drive fixes.

Bad Rabbit. The ransomware making big headlines this week was Bad Rabbit. Delivered as a fake Flash update that victims are tricked into running, Bad Rabbit uses the EternalRomance SMB exploit to spread laterally within a network, and also tries a hardcoded list of usernames and passwords against SMB shares on neighbouring hosts.
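
The credential-spraying behaviour is something a defender can look for in authentication logs. As an added example (not Bad Rabbit's code, and not taken from any of the published analyses of it), the following Go program runs a simple spray detection over constructed failed-logon records: one source trying several usernames against several hosts within a short window is flagged, while an ordinary user mistyping a password is not. The line format, hostnames, addresses and usernames are all constructed for the example, and the thresholds are assumptions to be tuned against real data.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// FailedLogon is the subset of a failed-authentication record (Windows 4625,
// Samba auth failure) the rule needs. The line format is constructed here.
type FailedLogon struct {
	When   time.Time
	Source string // address the attempt came from
	Target string // host that rejected it
	User   string
}

// ParseFailedLogons reads "<RFC3339 time> <source> <target> <user>" lines.
func ParseFailedLogons(text string) ([]FailedLogon, error) {
	var out []FailedLogon
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 {
			continue // blank or malformed line
		}
		when, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, FailedLogon{When: when, Source: f[1], Target: f[2], User: f[3]})
	}
	return out, sc.Err()
}

// Alert describes one source that sprayed a credential list across hosts.
type Alert struct {
	Source         string
	Targets, Users []string
	Attempts       int
}

// DetectSpray flags a source that, within window, fails logons against at
// least minTargets distinct hosts with at least minUsers distinct usernames.
// One user locking itself out, or a scanner hammering one host, does not match.
func DetectSpray(events []FailedLogon, window time.Duration, minTargets, minUsers int) []Alert {
	bySource := map[string][]FailedLogon{}
	for _, e := range events {
		bySource[e.Source] = append(bySource[e.Source], e)
	}
	var alerts []Alert
	for src, evs := range bySource {
		sort.SliceStable(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		start := 0 // sliding window over evs[start:end+1]
		for end := range evs {
			for evs[end].When.Sub(evs[start].When) > window {
				start++
			}
			targets, users := map[string]bool{}, map[string]bool{}
			for _, e := range evs[start : end+1] {
				targets[e.Target] = true
				users[e.User] = true
			}
			if len(targets) >= minTargets && len(users) >= minUsers {
				alerts = append(alerts, Alert{src, keys(targets), keys(users), end - start + 1})
				break // one alert per source is enough here
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Source < alerts[j].Source })
	return alerts
}

func keys(m map[string]bool) (out []string) {
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return
}

// SampleLog is a constructed excerpt: 10.0.5.23 works a short credential list
// through three neighbours within seconds; 10.0.5.40 is a user mistyping.
const SampleLog = `
2017-10-24T14:02:01Z 10.0.5.23 FS01 Administrator
2017-10-24T14:02:01Z 10.0.5.23 FS01 Admin
2017-10-24T14:02:02Z 10.0.5.23 WS17 Guest
2017-10-24T14:02:02Z 10.0.5.23 WS17 rdpuser
2017-10-24T14:02:03Z 10.0.5.23 WS22 backup
2017-10-24T14:02:03Z 10.0.5.23 WS22 root
2017-10-24T14:02:04Z 10.0.5.23 WS22 nasadmin
2017-10-24T14:02:20Z 10.0.5.40 FS01 jsmith
2017-10-24T14:02:31Z 10.0.5.40 FS01 jsmith
`

func main() {
	events, _ := ParseFailedLogons(SampleLog)
	for _, a := range DetectSpray(events, 60*time.Second, 3, 5) {
		fmt.Printf("spray from %s: %d attempts, hosts %v, users %v\n", a.Source, a.Attempts, a.Targets, a.Users)
	}
}
```

The rule keys on breadth (many hosts, many usernames from one source) rather than volume, because a worm working through a fixed credential list produces few attempts per host and will not trip a per-account lockout. In a real deployment the same logic would run over the SIEM's 4625 stream and should be paired with an alert on SMB connections from workstations to other workstations, which is the path both the exploit and the credential attempts take.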

IoT Botnets still threatening. Check Point provides details on a new IoT botnet it has been tracking, which it believes may have recruited millions of bots, giving it plenty of DDoS capability. Further reporting suggests that those with access to this botnet may be gearing up to weaponize it.

Written on October 27, 2017