Security Roundup - 2018-04-19

RSA attendee list exposed. Attended RSA? A subset of your data turned out to be decryptable by reverse engineering the mobile app and grabbing the SQLite database from a publicly accessible API endpoint. This is apparently similar to the functionality of their 2014 mobile app.

Android patch gap. The Android ecosystem already suffers from lags in security patches, due to a fragmented OS and manufacturer ecosystem. Now security researchers have found that even when manufacturers apply patches, they may not include all security updates. In some cases this appears to be deliberate, with at least one vendor changing patch-level numbers without actually updating code, potentially misleading users.

A day in the life of a CISO. While no two days are ever quite the same, Cory Scott, CISO of LinkedIn, attempts to put together what an average day as a CISO is like for him.

Abusing Google Tag Manager for fun and profit. Google Tag Manager lets site admins create custom scripts that they can reference on their site for loading. Sucuri goes over how an attacker with write privileges could subtly load malicious scripts by copying your script, adding their own content, and then changing content on your site. This assumes they are already able to modify content on your site, but with the number of CMSes with exploits…

Microsoft Outlook bug exposes account information. A large bug has been found in Microsoft Outlook previews: when an RTF document happens to contain remotely hosted SMB content, the preview will helpfully reach out to that server, leaking user information such as IP address, Windows domain, username, machine name, and a session password hash which an attacker could crack to recover the user’s password.
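The practical defence for this class of leak is to stop workstations from talking SMB to the outside world at all, and to alert when something tries. As an added example (not code from the post or from Microsoft), the Python below scans a constructed, simplified firewall export and flags any TCP connection attempt from an internal host to port 445 or 139 on a non-private destination. Denied connections are reported too, since the attempt itself is the signal that something on the host tried to reach out. The log format, the column layout and the addresses (RFC 5737 documentation ranges standing in for public IPs) are all assumptions made for the example.

```python
"""
Flag workstation egress to SMB/NetBIOS ports on non-private destinations.

Added example, not from the original post. Input is a constructed,
simplified firewall export with one connection per line:
    timestamp,src_ip,dst_ip,dst_port,proto,action
"""
import ipaddress
from typing import Dict, List

# TCP 445 is SMB over TCP; TCP 139 is the legacy NetBIOS session service.
SMB_PORTS = {139, 445}

# Address space treated as "inside". Corporate ranges vary; this is the
# RFC 1918 set plus loopback and link-local, an assumption for the example.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample log lines (not real traffic). The 203.0.113.0/24 and
# 198.51.100.0/24 destinations are documentation ranges used as stand-ins
# for arbitrary internet hosts.
SAMPLE_LOG = """\
2018-04-19T09:01:02Z,10.0.12.34,10.0.0.5,445,tcp,allow
2018-04-19T09:01:05Z,10.0.12.34,203.0.113.7,445,tcp,allow
2018-04-19T09:01:09Z,10.0.12.35,198.51.100.22,139,tcp,allow
2018-04-19T09:01:11Z,10.0.12.36,93.184.216.34,443,tcp,allow
2018-04-19T09:01:15Z,10.0.12.37,203.0.113.9,445,tcp,deny
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one CSV record into a dict with the port as an int."""
    ts, src, dst, port, proto, action = line.strip().split(",")
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "action": action}


def is_external(addr: str) -> bool:
    """True if the address is outside every range in PRIVATE_NETS."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE_NETS)


def find_smb_egress(log_text: str) -> List[Dict[str, object]]:
    """Return every record that is a TCP SMB/NetBIOS attempt to an external host."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (rec["proto"] == "tcp"
                and rec["port"] in SMB_PORTS
                and is_external(rec["dst"])):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_smb_egress(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"({hit['action']}) outbound SMB, investigate source host")
```

Run over the sample, the scan reports three records: the two allowed connections to 203.0.113.7:445 and 198.51.100.22:139, and the denied attempt to 203.0.113.9:445. The internal share access on line one and the HTTPS connection on line four are ignored. In a real deployment the "allow" hits mean the perimeter rule is missing and the hash has likely already left; the "deny" hits are the ones worth chasing back to the triggering mail or document.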

The early internet lacked security because… Believe that the early internet did not have security built in because of ‘open networks’ and ‘inherent trust’? You may want to fact-check that against the US export regulations on cryptography. Engineers were essentially torn between adoption and interoperability on one side, and having all their systems restricted by export control on the other. Can you imagine a world in which the US had its own network, European nations another, etc.? And you think getting on wi-fi at an airport is bad NOW…

Botnets kept on their toes. Two prominent botnets have had their work cut out for them, as researchers have focused on identifying and defanging them. The first is Smoke Loader, for which Microsoft has spent considerable time developing countermeasures, with the malware authors trying to develop new workarounds in turn. The second is EITest, a major botnet used to redirect users to malware and tech support scams, which has had key C&C infrastructure taken over, effectively dismantling the entire operation.

A study of login abuse. Akamai recently unveiled some research into fraudulent activity on API-based logins. This type of login is largely service to service. Their research indicates that 30% of all API login requests they observed are fraudulent.

More abuse of Facebook data. Security researchers found that malicious scripts could abuse the Login with Facebook functionality to harvest user data, including name, email address and profile photo. In one case, the data was accidentally made available to any JavaScript running on a site.

2018 Tax Fraud Shenanigans. Brian Krebs points out some new ‘fun’ in tax fraud. His article contains not only the story of a CPA whose account was compromised for weeks (and thus a fair number of his clients having their returns stolen), but also an extension of IT support fraud into tax refund fraud.

Written on April 19, 2018