Security Roundup 2017 12 21

layout: post title: Security Roundup - 2017-12-21 author: Seanstoppable category: security-roundup date: ‘2017-12-21’ tags:

  • breaches
  • encryption
  • exploits
  • internetofthings
  • ransomware
  • wordpress

Tripwires detect potential data breaches. Security researchers released recent work they have done to monitor sites for breaches. The work is simple, but effective in said simplicity: sign up to sites with unique emails and passwords and monitor the associated email accounts for login attempts. A successful login with a password is largely indicative of some sort of data leak and the researchers did this with varying lengths of passwords to try to infer password storage practices. Finally, they set up multiple accounts across 2302 organizations. After 9 months, they had collected evidence that 19 of them had some degree of compromise.

Another batch of printers remote controllable from the internet. NewSky Security has discovered another batch of printers completely exposed to the internet, this time in the form of 1123 Lexmark devices. Attackers could conceivably do things like gain a toe hold into a network, or simply just steal copies of documents that are sent to the printer.

Firefox joins Chrome in highlighting non-HTTPS sites. The Google Chrome team announced back in April plains to start marking HTTP sites as ‘Not Secure’, and now Firefox seems to be thinking about that as revealed by a new configuration option.

On the profitability of stolen credentials. Krebs On Security dives into the resellers market of stolen credentials. Specifically focusing on a site called “Carder’s Paradise” where credential prices range from $10 to $190. More disturbingly, entire sets of identities are available, indexed by credit score.

FoxIT speaks about MitM attacks. Earlier this year, FoxIT was the victim of a man-in-the-middle attack, when an attacker took over DNS entries and pointed them at their own servers to route traffic through. Specifically, attackers targeted the portal for secure exchange of files, hoping to gain access to credentials and files of FoxIT’s customers. The attackers also intercepted mail, allowing them to obtain a legitimate SSL certificate, since they appeared as if they owned the domain. The entire attack lasted 10 hours and 30 minutes, due to FoxIT’s quick investigation. The breakdown seems to indicate the attack happened after hours, likely deliberately to avoid initial scrutiny. Additionally, FoxIT points out that there is little to no reason they should not be using two factor authorization for their DNS provider (except, for course, it turns out their DNS provider doesn’t provide 2FA yet!).

Top 25 popular passwords of 2017. Despite all the breaches of 2017, password security has not improved, as demonstrated by the top 25 most popular passwords of the year. 123456 and Password still remain popular. Of note, most of these passwords are under or just barely conforming to NIST guidelines of 8 characters in a password, partially indicating that if sites just increased minimum password lengths, they would eliminate a subset of common passwords. Granted, this doesn’t protect us from the people that do password01 or 1234567890, but any trend towards longer/stronger passwords would be a welcome one.

BrickerBot retires. The author of BrickerBot, a botnet that tried to take a number of vulnerable devices offline, has retired and published a rought timeline of their work. Among other things, they outlines the problems of exposed devices and the botnets like Mirai that have disrupted the internet, and how they felt they had no choice but to enact “Internet Chemotherapy” in order to remove bad nodes from the system. They also point out that major providers like Akamai and Cloudflare have seen a downtrend in DDoS attacks, which they attribute to their own work of removing DDoS nodes from availability.

Copyright claim accidentally exposes Wordpress backdoor. Wordpress took down a third party captcha plugin due to misuse of the ‘Wordpress’ trademark. Incidentally, when plugins are removed from the Wordpress repository, security company Wordfence, dives in to check if this is due to security and if they should take action on behalf of their users. In this case, they discovered that the takedown wasn’t due to security but still managed to discover the fact that the plugin has a backdoor. The plugin in question is one of several stories this year of plugins in various software (Chrome, Wordpress, etc), being purchased or taken over and then updated to perform malicious actions once user’s update due to now implicit trust.

Inside look into SSRF. Server side request forgery (SSRF) is an attack in which an attacker uses one service to make unexpected requests to others. Follow along as one security researcher uses this to send emails from a companies internal email server.

Written on December 21, 2017