Security Roundup - 2018-03-22

Pwn2Own 2018 Results. This year’s Pwn2Own competition - where browser and virtual machine vendors challenge hackers to break their protections - has concluded, and as in previous years, a number of exploits have been discovered in major browsers, resulting in a grand total of $267K in bounties being paid out across the two days.

BitTorrent software victim of supply chain attack. The latest reported supply chain attack has occurred against BitTorrent client Mediaget, resulting in 400K machines being infected in just 12 hours. The attack was unsuccessful, as Windows Defender picked up on the cryptominer and prevented the install.

Burying your head in the sand. In what appears to be a case of willful ignorance, check out this story about a company that appears to be ignoring news about their data being exposed. Allegedly, the company in question is making it as hard as possible for someone to disclose, even going as far as to block them on Twitter.

Chrome Extension designed to thwart CPU side-channel attacks. Researchers who have contributed to CPU side-channel investigation (including Rowhammer, Meltdown, and Spectre) have used their findings to identify several categories these attacks exploit and then build a defense for them. Released as the browser extension ‘Chrome Zero’, the application intercepts JavaScript and rewrites it before it gets interpreted, attempting to neutralize any side channels that could be exploited.

More IoT Vulnerabilities. A number of high valued CVEs have been issued for a number of IP-enabled security cameras. The flaws have such far-reaching consequences that the manufacturer has opted to release an update to fix them, despite some of the products actually being end of life.

Breaking into encrypted external hard drives. I found this article about one user’s hobby of breaking into encrypted hard drives fascinating. This is one of those external hard drives that has hardware encryption and a keypad to unlock the device, and the interested party here figured out how to actually pull the PIN from the hardware.

Cryptocurrency hardware wallet defeated by teenager. In a similar story, a cryptocurrency wallet was reported to have security flaws that could allow attackers to install custom software on it, and this was discovered by a 15-year-old. The flaw stems from the fact that the device has both a secure processor and an insecure processor, and since the two can (and have to!) communicate, this potentially allows attackers to siphon off keys.

Bug Bounty Bonanza. Lots of prominent bug bounty news lately, starting with Microsoft announcing a big bounty for CPU flaws like Spectre and Meltdown, with a bounty of up to $250K. Second, Box has announced updates to their Vulnerability Disclosure Program (VDP), simplifying their guidelines to bring clarity to the process and better protect white hats from potential legal threats. Finally, Netflix has announced their own public bug bounty program, after running a VDP for a number of years.

Written on March 22, 2018