Security Roundup - 2018-05-03

Backdooring Encryption. An industry veteran claims to have solved how to ‘safely’ backdoor cryptography. The solution is effectively key escrow. But, as a number of experts such as Matthew Green are pointing out, key escrow makes the key store itself a big target, especially given that either a) every organization will have to create its own implementation or b) someone will mandate a centralized repository, ripe for exploitation and/or abuse. Also, since a lot of phones are manufactured overseas, what happens when a foreign government coerces the manufacturer to provide access to all the escrowed keys?

Alexa, record everything. Security researchers figured out a way to make an Alexa skill keep recording all audio after a user has invoked it.

RFID Lock Insecurities. When was the last time you were at a hotel that DIDN’T have an RFID or a magstripe lock? A+ for convenience, but a number of these locks have vulnerabilities, as security researchers prove they can break into a number of RFID locks with ~$300 worth of materials, an expired keycard, and about a minute of time.

Fun with Honeypots. A 2018 look at what happens when you set up an SSH honeypot. No surprise that there are a lot of IoT-type guesses.

Share passwords… Be careful using ‘sharing culture’ SaaS apps. You may, for example, end up sharing passwords or confidential information with the public, as some Trello users accidentally did.

… or log passwords! Both Twitter and GitHub announced they found subsystems that accidentally logged passwords. While there is no indication that anyone obtained these logs, make sure to change your passwords anyway.

Supply chain attacks in npm libs. A crafted backdoor was found in an npm package. While this npm package was not itself popular, the attackers actually got it merged into an older, but still used, software package. The package would have allowed remote code execution, and could have been pulled into a project just by a developer updating all packages. The impacted npm libraries have now been removed.

Massminer. Finally, for those that love stories of malware, check out Massminer, the latest in malicious cryptocurrency miners. What sets Massminer apart is its inclusion of masscan, a tool for scanning for open ports, which it then leverages to find targets for a number of popular exploits.

Written on May 3, 2018