Security Roundup - 2017-11-03

CyberSecurity Month Wraps Up. And WeLiveSecurity has finished up their expanded coverage of Twitter conversations. You can check out Part 3, wherein they cover “CyberAwareness” and Part 4 where they talk about the Internet of Things.

Hardware Hacking. Speaking of the Internet of Things, this week brings us an interesting article from a Pentester, going over his view on hardware hacking. Covering a number of attack vectors we have seen over the last year (and no surprise that outdated software is #1 in the list), but also covers more interesting stuff for those that have physical access.

Terrifying USB Find. I know this week was Halloween, but this news about a USB drive containing plaintext files on Heathrow Airport’s security was downright terrifying. Items included, but are not necessarily limited to, details about security badges, patrol routes, and even travel routes for the Queen and other traveling dignitaries.

Google’s Recaptcha Broken. Google’s system to try and distinguish people from robots has been broken again. This time, researchers have leveraged the improvements in speech to text engines to solve ~85% of captchas in ~5.4 seconds on average.

“Smart” Locks. Amazon has recently announced a locking system that would allow people to deliver things straight into your home. This is a risky proposition, and MalwareBytes gives some good reasons why, including security vulnerabilities and accidentally getting locked out of your own home.

Chrome to remove Public Key Pinning. Chrome developers have signaled their intention to remove Public Key Pinning (PKP) support from the browser in 2018. PKP was intended to be a method in which an organization can specify which HTTPS certificated are used to serve the site. However, in practicality they have been difficult to roll out, with a misconfiguration making it possible to have an outage until the specified timeout. Google now advocates the usage of certificate transparency, which they have made mandatory, to detect miss-issuance of certificates and protect users from them.

Dell Loses Control of Update Domain. Earlier this month, we learned that Dell lost control of a domain designed to help customers recover from malware. Ironic in that it was taken over by malware devs and likely used to serve the same exploits it was meant to help customers deal with.

More Malicious Chrome Extensions. The latest appears to be spread by phishing attacks, and is used to harvest any data posted to forms, like usernames, passwords and people’s Facebook updates. Malware Analysis Via API Calls. MalwareBytes has seen more obfuscation of malware making static analysis harder for malware devs. Rather than trying to reverse engineer the outer layer, they go into a technique of using dynamic analysis of system api calls doing.

Written on November 3, 2017