Security Roundup - 2017-12-15

Phishing abuses the psychology of HTTPS. A recent survey from PhishLabs indicates that 80% of respondents believe that seeing the lock icon showing a website is served over HTTPS means the site is legitimate or somehow 'safe', when in fact it only means that the connection to the site is encrypted; it says nothing about who runs the site. Phishers are taking advantage of this misconception by increasingly serving their pages over HTTPS: 25% of known phishing sites now use HTTPS, up from 3% last year. Don't forget to educate your users on how to avoid phishing in the first place!

New Android vulnerability abuses the update mechanism. Researchers have worked out how to abuse Android's app update mechanism to execute unverified code. The legacy APK signature is calculated over the entries inside the archive rather than over the whole file, so an attacker can prepend malicious code to an existing signed app and have the installer accept the combined file as a valid update of the original, running the attacker's code with whatever privileges the legitimate app already has.
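To make the "signature covers the entries, not the file" point concrete, here is an added example (my own toy code, not the researchers' proof of concept and not Android's real installer) that builds a stand-in APK, prepends a second executable to it, and shows that an entry-based digest check sees no difference while the file has become two valid formats at once. The zip contents, the DEX magic bytes and the prepended blob are all constructed for the demonstration.

```python
"""Why an entry-based (JAR-style) signature misses a file prepended to a signed APK.

Added example with constructed data; not the original researchers' code or Android's installer.
"""
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n"  # every DEX file starts with "dex\n0NN\0"


def build_stand_in_apk() -> bytes:
    """A tiny zip that plays the role of a legitimately signed APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


def prepend_dex(apk: bytes, malicious_dex: bytes) -> bytes:
    """Model of the attack: put a DEX in front of the untouched, still-signed archive."""
    return malicious_dex + apk


def entry_digests(data: bytes) -> dict:
    """What an entry-based signature check sees: one digest per archive entry, nothing else."""
    # zipfile locates the central directory from the end of the file, so leading bytes are ignored
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {name: hashlib.sha256(z.read(name)).hexdigest() for name in z.namelist()}


def inspect_apk(data: bytes) -> dict:
    """Flag a file that is a DEX by its leading bytes and a valid zip by its trailing structure."""
    starts_with_dex = data.startswith(DEX_MAGIC)
    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    return {
        "starts_with_dex": starts_with_dex,
        "is_zip": is_zip,
        "dual_format": starts_with_dex and is_zip,
    }


if __name__ == "__main__":
    clean = build_stand_in_apk()
    tampered = prepend_dex(clean, b"dex\n035\x00" + b"\x00" * 32)
    print("clean:", inspect_apk(clean))
    print("tampered:", inspect_apk(tampered))
    print("entry digests unchanged:", entry_digests(clean) == entry_digests(tampered))
```

The `dual_format` check is the kind of thing an app store or an MDM can run on uploads: a real APK starts with the zip local-file header (`PK\x03\x04`), never with `dex\n`. Whole-file signatures (Android's newer APK Signature Scheme v2 signs the complete file rather than the entries) close this gap for apps that use them.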

Mailsploit, email vulnerabilities for all. With email having been around for 45 years and spam and malicious content being a well-known problem, one would hope that the basics had been hammered down pretty heavily by now. However, one security researcher has managed to get spoofed sender addresses, and in some clients injected code, past a long list of mail clients. Dubbed 'Mailsploit', the technique abuses the From: field by exploiting how clients decode non-ASCII (RFC 2047 encoded-word) text in that header. The result is that web-based clients can be subject to XSS attacks and that the displayed sender address can be spoofed; the latter could conceivably also bypass DMARC protections, since DMARC alignment is checked against the domain the receiving server parses, not against what the client ends up showing the user.
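The spoofing half of this is easy to see with a small added example (my own code, not the researcher's disclosure material): it decodes the RFC 2047 encoded-words in a From: header the way a mail client would, then flags control characters such as NUL or newline hiding inside the decoded text, which is what lets a client truncate the visible address while the real address (and the domain DMARC aligns on) sits after it. The headers, the `attacker.example` domain and the `analyze_from` helper are constructed for the demonstration.

```python
"""Detect a From: header whose decoded encoded-words hide control characters.

Added example with constructed headers; not the Mailsploit author's code.
"""
import base64
import re
from email.header import HeaderParseError, decode_header
from email.utils import parseaddr

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def decode_rfc2047(raw: str) -> str:
    """Decode every RFC 2047 encoded-word in a header value into one Unicode string."""
    try:
        parts = decode_header(raw)
    except HeaderParseError:
        return raw  # undecodable header: return it as-is so the caller still sees something
    out = []
    for chunk, charset in parts:
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        out.append(chunk)
    return "".join(out)


def analyze_from(raw: str) -> dict:
    """Compare what a naive client would display with the address the server actually parsed."""
    decoded = decode_rfc2047(raw)
    parsed_address = parseaddr(raw)[1]  # the address an MTA (and DMARC) would work with
    hit = CONTROL_CHARS.search(decoded)
    if hit is None:
        return {"suspicious": False, "displayed": decoded, "decoded": decoded,
                "parsed_address": parsed_address, "reason": ""}
    return {
        "suspicious": True,
        "displayed": decoded[: hit.start()],  # a client that stops at the first control char
        "decoded": decoded,
        "parsed_address": parsed_address,
        "reason": "control character %r inside decoded From header" % hit.group(),
    }


def sample_base64_header() -> str:
    """Constructed: a base64 encoded-word ending in NUL, followed by the attacker's real domain."""
    payload = base64.b64encode(b"potus@whitehouse.gov\x00").decode("ascii")
    return "=?utf-8?b?%s?=@attacker.example" % payload


def sample_qp_header() -> str:
    """Constructed: the same trick with quoted-printable (=0A newline, =00 NUL)."""
    return "=?utf-8?Q?potus=40whitehouse.gov=0A=00?=@attacker.example"


if __name__ == "__main__":
    for header in (sample_base64_header(), sample_qp_header(), "Alice <alice@example.org>"):
        print(analyze_from(header))
```

A mail gateway can drop or quarantine on `suspicious`; a client fix is to reject control characters after decoding instead of truncating on them.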

ROBOT attack. Another witty acronym attack in the form of ROBOT (Return Of Bleichenbacher's Oracle Threat). It revives Bleichenbacher's 1998 padding-oracle attack on PKCS#1 v1.5 RSA encryption: a server that reacts differently to correctly and incorrectly padded RSA ciphertexts leaks enough information for an attacker to decrypt a recorded RSA key exchange (recovering the premaster secret and therefore the session keys) or to forge a signature with the server's key, all without ever obtaining the private key itself. In practice that means an attacker who can record your traffic to something like a VPN or a secure website that uses RSA key exchange can later decrypt it. The mitigation is to stop using RSA encryption for key exchange: disable the TLS_RSA_* cipher suites and rely on (EC)DHE suites, which also give you forward secrecy.
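To show what "oracle" means here, the following is an added toy implementation of Bleichenbacher's attack (my own code, not the ROBOT authors' tool): a constructed 64-bit RSA key, a `padding_oracle` function that stands in for a server which merely reveals whether a ciphertext decrypts to a block starting `00 02`, and an attacker that recovers the full plaintext from that one bit per query using only the public key. The key, the padding and the message are all constructed; a real ROBOT oracle is built from differences in TLS alerts or timing, and real keys are 2048 bits, which changes the query count but not the algorithm.

```python
"""Toy Bleichenbacher padding-oracle attack on PKCS#1 v1.5 RSA encryption (the attack ROBOT revives).

Added example with a constructed 64-bit key; never use parameters like this for anything real.
"""
# 2^32 - 5 and 2^32 - 17 are prime; the modulus is 64 bits, so k = 8 bytes and B = 2^48.
P, Q = 4294967291, 4294967279
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
B = 1 << (8 * (K - 2))


def pkcs1_v15_pad(data: bytes) -> int:
    """00 02 <non-zero padding> 00 <data>. Toy: fixed 3-byte padding (real padding is random, >= 8 bytes)."""
    block = b"\x00\x02" + b"\xa1\xb2\xc3" + b"\x00" + data
    assert len(block) == K
    return int.from_bytes(block, "big")


def encrypt(m: int) -> int:
    return pow(m, E, N)


ORACLE_CALLS = [0]


def padding_oracle(c: int) -> bool:
    """The leak: does c decrypt to a block starting 00 02 (2B <= m < 3B)? The plaintext never leaves."""
    ORACLE_CALLS[0] += 1
    return 2 * B <= pow(c, D, N) < 3 * B


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def bleichenbacher(c: int) -> int:
    """Recover m from c using only the public key and the oracle (Bleichenbacher 1998, s0 = 1)."""
    assert padding_oracle(c), "toy assumes c is already conforming (blinding step omitted)"
    conforming = lambda s: padding_oracle(c * pow(s, E, N) % N)  # (m*s)^e = c * s^e
    M = [(2 * B, 3 * B - 1)]
    s = ceil_div(N, 3 * B)            # step 2a: smallest s with (m*s mod n) conforming
    while not conforming(s):
        s += 1
    while True:
        narrowed = []                 # step 3: intersect each interval with what s revealed
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    narrowed.append((lo, hi))
        narrowed.sort()
        M = []
        for lo, hi in narrowed:       # merge overlapping or adjacent intervals
            if M and lo <= M[-1][1] + 1:
                M[-1] = (M[-1][0], max(M[-1][1], hi))
            else:
                M.append((lo, hi))
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]            # m = a * s0^-1 mod n, and s0 = 1 here
        if len(M) > 1:                # step 2b: several intervals left, keep stepping s
            s += 1
            while not conforming(s):
                s += 1
        else:                         # step 2c: one interval left, jump s using r
            a, b = M[0]
            r = ceil_div(2 * (b * s - 2 * B), N)
            while True:
                lo_s, hi_s = ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a
                hit = next((t for t in range(lo_s, hi_s + 1) if conforming(t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1


def recover_plaintext(c: int) -> bytes:
    """Strip the recovered PKCS#1 v1.5 block back to the payload bytes."""
    block = bleichenbacher(c).to_bytes(K, "big")
    return block[2:].split(b"\x00", 1)[1]


if __name__ == "__main__":
    c = encrypt(pkcs1_v15_pad(b"OK"))
    print(recover_plaintext(c), "oracle queries:", ORACLE_CALLS[0])
```

In TLS the "OK" would be the premaster secret, and the attacker can make all these queries at leisure against a recorded handshake as long as the server keeps its RSA key and keeps answering RSA key exchanges, which is why removing the TLS_RSA_* suites is the fix rather than just patching the error messages.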

Deep dive into Napoleon ransomware. For those who have been missing a technical deep dive into malware, Malwarebytes delivers the goods with a look into 'Napoleon', a new variant of the Blind ransomware that they recently discovered.

Debug code could be leveraged into a keylogger. Debug tracing left in the touchpad driver shipped with many HP laptop models could be switched on and used as a keylogger. Admin access is needed to enable it, but once on, this vector would have evaded anti-virus scanners, since the driver is expected, legitimate software rather than a foreign binary. Apply the vendor driver update.

Extended Validation certificate abuse. A few recent studies have found flaws in the Extended Validation certificate issuance process. One used stolen identities (plentiful, given the many personal data breaches available) and another registered a real company with the same name as a well-known legitimate company (since nobody checks for name collisions when issuing EV certificates); both resulted in legitimate-looking EV certificates being issued. With the total cost under $200 and few questions asked, this is potentially a more viable attack in the coming months.

Written on December 15, 2017