Security Roundup - 2017-01-12

Bruce Schneier writes a thoughtful article on Class Breaks, where a security vulnerability doesn’t just impact one system but an entire class of systems. He feels this concept should be thought about more, as we move to a more connected world. The IoT ecosystem has shown plenty of ‘class breaks’, where one vulnerability means that a large number of systems are impacted. As we automate more technology, building security in and planning for eventual class breaks will be important, as 2016’s IoT news has demonstrated.

Krebs on Security has a detailed article on problems with cardless ATMs. In this story, an attacker was able to add another number to someone’s account, and then use a cardless ATM feature that Chase was testing to withdraw cash. The attack was made easier because, by default, the transaction lacked a second factor (the physical bank card normally serves as one).

The above article led me to Two Factor Auth, a database of all the services that allow users to enable 2FA.

Do you use autofill on web forms? You may be giving away more information than you can see, since these features can also fill in hidden fields.
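A small check that illustrates the point above: a scanner that reads a form and reports the input fields a browser's autofill could populate even though the user cannot see them. This is an added example, not code from the original post; the form markup is constructed for the example, and the list of hiding patterns is a deliberately short assumption (real pages can hide fields via external stylesheets, clipping or zero-size boxes as well).

```python
"""Flag form fields that browser autofill would populate but a user cannot see."""
from html.parser import HTMLParser

# Inline-style fragments that make a field invisible while leaving it
# autofillable. Constructed, non-exhaustive list for this example.
HIDING_PATTERNS = ("display:none", "visibility:hidden", "opacity:0", "left:-")

# Constructed sample form: one visible field plus three hidden ones that
# still carry autocomplete hints a browser would happily satisfy.
SAMPLE_FORM = """
<form action="/subscribe" method="post">
  <input name="email" autocomplete="email">
  <input name="phone" autocomplete="tel" style="display: none">
  <input name="street" autocomplete="street-address"
         style="position:absolute; left:-9999px">
  <input name="cc" autocomplete="cc-number" style="opacity: 0">
  <input type="submit" value="Subscribe">
</form>
"""


class FormFieldScanner(HTMLParser):
    """Collects every <input> with its name, autocomplete hint and inline style."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        self.fields.append({
            "name": a.get("name") or "",
            "autocomplete": a.get("autocomplete") or "",
            # normalise whitespace so "display: none" matches "display:none"
            "style": "".join((a.get("style") or "").split()).lower(),
        })


def is_hidden(style):
    """True if the inline style contains one of the known hiding patterns."""
    return any(pattern in style for pattern in HIDING_PATTERNS)


def hidden_autofill_fields(html):
    """Return the names of fields the user cannot see but autofill could fill."""
    scanner = FormFieldScanner()
    scanner.feed(html)
    return [f["name"] for f in scanner.fields if is_hidden(f["style"])]


def hidden_autofill_report(html):
    """Map each hidden field to the autocomplete category it solicits."""
    scanner = FormFieldScanner()
    scanner.feed(html)
    return {f["name"]: f["autocomplete"] for f in scanner.fields if is_hidden(f["style"])}


if __name__ == "__main__":
    for name, category in hidden_autofill_report(SAMPLE_FORM).items():
        print(f"hidden field '{name}' requests autofill category '{category}'")
```

Running it on the sample form reports `phone`, `street` and `cc` as hidden fields soliciting `tel`, `street-address` and `cc-number`; the visible `email` field is not listed. The same scan is useful in the other direction, as a lint over your own templates to make sure no hidden inputs carry autocomplete hints.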

Troy Hunt wrote up an interesting story where he walks us through the process of data getting into HaveIBeenPwned (note, this uses an adult site as an example).

Kaspersky Labs discovered a C&C server that doubled as a shopping portal for selling the stolen data. The downside (for its operators) is that the shop itself had a security vulnerability that allowed another malicious user to make off with the already-stolen data.

ThreatPost reports that hackers are specifically targeting MongoDB databases, deleting records and leaving a ransom note explaining how to pay if the owners want their data back. It looks like there are potentially multiple attackers doing this, and they are overwriting each other’s ransom notes in an attempt to get the payout, which decreases the likelihood of victims ever getting their data back. BleepingComputer contacted one hacker, who mentioned that his process is completely automated and that he is motivated by the idea that owners of these systems ‘have to learn a lesson’. BleepingComputer has been following the story closely: at the time of writing ~21K MongoDB instances have been hit, and one of the major players has offered his script for sale to anyone who wants to fight over the remains.

BleepingComputer also reports on Spora, a very sophisticated ransomware strain. Spora works offline, and its encryption looks to be based on randomly generated keys that are then encrypted with a public key, so the keys have to be manually sent to the attackers before any decryption can happen.

Security Roundup - 2017-01-05

33c3 happened at the end of the year and videos are already up. Writers for Hackaday attended and did a number of writeups.

At the same time, the FDA announced guidance on managing medical devices in a cybersecurity world. The suggestions include ‘having a way to monitor devices for vulnerabilities’, which itself seems like a potential attack vector? I am sure 2017 will have more news on this topic.

Filippo Valsorda, currently on the Cloudflare Security Team, published an op-ed on “Why he is giving up on PGP”. His major difficulties include ease of use, lack of trust that it is working ‘correctly’, and unease about long-term keys. This was followed by a rebuttal by Neal Walfield, an engineer who works on GnuPG, who points out a number of ways to mitigate Filippo’s problems, and some future proposals that might increase usability.

Slate has a good history lesson on the 2011 DigiNotar breach, and how TLS security has changed in the last several years as a result: minimum security requirements for certificate providers issued by the Certificate Authority Security Council, Google’s Certificate Transparency program, browsers being more willing to de-list bad actors, and more.

Troy Hunt did an ‘Ask Me Anything’ for HaveIBeenPwned’s 3rd birthday at the start of December, and recently published the video online. He also has an article on how responsible disclosure of account breaches should happen, using the recent Ethereum forum breach as an example.

A year-in-review of CVEs in 2016 gives some interesting data points. Android OS had the most reported security vulnerabilities for a single product this year, while Oracle had the most CVEs for an individual vendor.

Talos Security goes in depth on hailstorm spam, where spammers launch an email campaign so quickly that traditional detection methods only kick in after the campaign is finished. They go on to describe research into detecting these types of campaigns more quickly by monitoring DNS traffic.
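One way to turn the DNS-monitoring idea above into a concrete check is to look for a sudden burst of many distinct clients resolving a name that has never been seen before: a hailstorm campaign produces exactly that shape, while ordinary mail infrastructure produces steady, spread-out lookups. The following is an added example, not Talos's own detection logic; the log format, the sample lines and the thresholds are all constructed for the example, and in practice `first_seen` would be seeded from historical passive-DNS data rather than from the same log being scanned.

```python
"""Burst detection over DNS query logs, aimed at spotting a hailstorm-style
campaign while it is still running rather than after the fact."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one query per line: "<ISO timestamp> <client> <qtype> <qname>".
# 3xk9-promo.example is hit by six different clients within four seconds of
# first being seen; mail.example.com is looked up slowly all morning.
SAMPLE_DNS_LOG = """
2017-01-05T10:00:00 10.0.0.11 A mail.example.com
2017-01-05T10:00:02 10.0.0.12 A cdn.example.net
2017-01-05T10:00:05 10.0.0.11 A 3xk9-promo.example
2017-01-05T10:00:06 10.0.0.13 A 3xk9-promo.example
2017-01-05T10:00:06 10.0.0.14 A 3xk9-promo.example
2017-01-05T10:00:07 10.0.0.15 A 3xk9-promo.example
2017-01-05T10:00:08 10.0.0.16 A 3xk9-promo.example
2017-01-05T10:00:09 10.0.0.17 A 3xk9-promo.example
2017-01-05T10:05:00 10.0.0.11 A mail.example.com
2017-01-05T10:10:00 10.0.0.12 A mail.example.com
2017-01-05T10:15:00 10.0.0.13 A mail.example.com
2017-01-05T10:20:00 10.0.0.14 A mail.example.com
2017-01-05T10:25:00 10.0.0.15 A mail.example.com
2017-01-05T10:30:00 10.0.0.16 A mail.example.com
"""


def parse_dns_log(text):
    """Parse the constructed log format into (timestamp, client, qname) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, client, _qtype, qname = line.split()
        events.append((datetime.fromisoformat(ts), client, qname.lower()))
    events.sort()
    return events


def detect_hailstorm_domains(events, window_seconds=60, min_queries=5, min_clients=3):
    """Return domains that, within `window_seconds` of their first sighting,
    are resolved at least `min_queries` times by at least `min_clients`
    distinct clients. The many-client burst on a brand-new name is the
    signal; steady traffic to a long-known name never trips the thresholds.
    Thresholds are assumptions for this example, not tuned values."""
    first_seen = {}              # qname -> timestamp of first lookup
    early_hits = defaultdict(list)  # qname -> clients seen inside the window
    for ts, client, qname in events:
        first_seen.setdefault(qname, ts)
        if (ts - first_seen[qname]).total_seconds() <= window_seconds:
            early_hits[qname].append(client)
    flagged = [
        qname for qname, clients in early_hits.items()
        if len(clients) >= min_queries and len(set(clients)) >= min_clients
    ]
    return sorted(flagged)


if __name__ == "__main__":
    for domain in detect_hailstorm_domains(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"possible hailstorm campaign domain: {domain}")
```

On the sample log only `3xk9-promo.example` is flagged. Requiring distinct clients, not just a query count, is what keeps a single chatty resolver or a retry loop from producing false positives.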

Google announced Project Wycheproof, a collection of unit tests designed to expose weaknesses in implementations of several cryptographic algorithms. To date, they have uncovered 40 security bugs, which they are working with vendors to fix.
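To show what a table-driven crypto test in the spirit of Wycheproof looks like, here is an added example (not Project Wycheproof's own code or vectors) that runs a small set of HMAC-SHA256 verification vectors, each tagged with the result a correct implementation must produce, against two verifiers: a naive one that "supports truncated tags" by prefix comparison, and a fixed one. The key, message and vectors are constructed for the example; the standard library's `hmac` and `hashlib` are the only dependencies.

```python
"""Wycheproof-style table-driven test of a MAC verifier: every vector states
whether the implementation must accept or reject it, and the runner reports
vectors on which a given verifier disagrees with that expectation."""
import hashlib
import hmac

# Constructed key and message for this example.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MSG = b"constructed test message"
GOOD_TAG = hmac.new(KEY, MSG, hashlib.sha256).digest()  # 32 bytes


def verify_buggy(key, msg, tag):
    """Naive verifier: compares only as many bytes as the caller supplied.
    An empty tag is a prefix of every digest, so it is always accepted, and
    any truncated tag is accepted as well."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return expected[:len(tag)] == tag


def verify_fixed(key, msg, tag, tag_len=32):
    """Correct verifier: insists on the full tag length and compares in constant time."""
    if len(tag) != tag_len:
        return False
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


# Constructed vectors. "valid" means the verifier must accept, "invalid" that it must reject.
VECTORS = [
    {"id": 1, "comment": "correct tag", "tag": GOOD_TAG, "result": "valid"},
    {"id": 2, "comment": "one bit flipped in tag",
     "tag": bytes([GOOD_TAG[0] ^ 0x01]) + GOOD_TAG[1:], "result": "invalid"},
    {"id": 3, "comment": "empty tag", "tag": b"", "result": "invalid"},
    {"id": 4, "comment": "tag truncated to 8 bytes", "tag": GOOD_TAG[:8], "result": "invalid"},
    {"id": 5, "comment": "tag with trailing byte", "tag": GOOD_TAG + b"\x00", "result": "invalid"},
]


def run_vectors(verify):
    """Return the ids of vectors on which `verify` disagrees with the expected result."""
    failures = []
    for vec in VECTORS:
        accepted = verify(KEY, MSG, vec["tag"])
        if accepted != (vec["result"] == "valid"):
            failures.append(vec["id"])
    return failures


if __name__ == "__main__":
    for name, verify in (("verify_buggy", verify_buggy), ("verify_fixed", verify_fixed)):
        failed = run_vectors(verify)
        status = "OK" if not failed else f"FAILED vectors {failed}"
        print(f"{name}: {status}")
```

The naive verifier passes the "happy path" vector and the flipped-bit vector, which is all many hand-written tests check, and only the empty-tag and truncated-tag vectors expose it. That is the value of a shared vector suite: the edge cases are written down once and every implementation gets measured against them.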

Similarly, Duo Labs has released a tool to do fuzz testing for Microsoft Edge and HTTP/2.

More and more malware kits appear to be turning to steganography to deliver payloads and instructions via image files. This includes the DNSChanger exploit kit, which attempts to use the victim’s browser to identify and compromise their own router. The attacker then tries to expose the router to the internet (to allow further control/compromise) and can then manipulate the user’s traffic. A similar concept has also been found on Android, with the Switcher malware trojan.

MalwareTech wrote up a great article on how open source malware hurts the industry. Arguments include: lowering the bar of entry for those with limited technical experience, faster evolution, and an increase in the overall volume of ransomware. Other interesting observations: they point out that ransomware just performs a normal user operation - encrypting files. This makes detection perhaps a bit harder, if antivirus is trying to distinguish between ‘good’ and ‘malicious’ encryption. Open source ransomware is typically written in languages that malicious users are not actually writing malware in, so analysts gain little from studying its evolution.

Check Point joined the “No More Ransomware” project, and promptly identified two new ransomware variants and built decryptors.

Cerber updated, over the holidays, the list of files it does and does not encrypt, primarily targeting Microsoft Office documents as well as likely Bitcoin wallet locations.

Security Roundup - 2018-01-04

CPU architecture vulnerabilities plague all. The big news this week is a series of vulnerabilities in many modern CPUs, including Intel (who fared the worst in the news), AMD, and ARM. The vulnerabilities allow malicious users to read memory they would not normally be able to, allowing them to do things like harvest passwords and encryption keys. Even worse, this breaks out of sandboxes, such that an exploit in one virtual machine could read memory from other virtual machines on the same host. For those interested, you can now read the technical details.

Major hardware-as-a-service providers like Google and Amazon have already indicated they have patched their systems, while operating system providers have declared that patches to protect against these flaws are forthcoming. Microsoft has unfortunately discovered some compatibility problems between AV vendors’ products and its proposed patch.

Mozilla has indicated that this type of attack is potentially possible from the browser and is implementing mitigations. Chrome already has additional sandboxing features, currently labelled experimental, that they plan to roll out in an upcoming major release.

2017 Breaches in review. Troy Hunt has written his annual retrospective of 2017, which of course includes breach stats. 2017 was pretty sad: the number of breaches was up 50% over all breaches prior to 2017, and the total number of records more than doubled, from 2 billion to 4.8 billion.

Threat Modeling Tools for 2018. Does part of your job involve threat modeling? Then you may be interested in this post by Adam Shostack enumerating some interesting new threat modeling tools developed in 2017.

Hacker Q&A With EdOverflow. EdOverflow is the person behind the security.txt RFC, a robots.txt equivalent for publishing what is in scope for researchers and how to contact the security team. HackerOne has a Q&A with him about his background in security and his experience with bug bounty programs.

TLS 1.3 could improve IoT security. Cloudflare points out how TLS 1.2 adds a lot of communication overhead, to the point where IoT protocols become much heavier. TLS 1.3 improves on this considerably, reducing the number of round trips to make TLS more palatable. Additionally, newer algorithms use smaller, more secure keys, which makes them more practical for low-memory devices.

Interesting defense against ATM skimmers. We love/are horrified by reading about ATM skimmers. This week’s story comes with a twist in that it is a defense against current ATM skimmer attacks. Many ATM skimmers are still overlays, so one ATM owner printed their own card-slot overlay so that fraudsters would have a rough time deploying theirs. The author of the article finds the concept interesting, and extrapolates it to giving each system a degree of custom variability to thwart this type of attack. However, since the overlay is (currently) 3D printed, it looks sketchy in and of itself and may cause users to turn away from valid ATMs.

Trackmageddon. Another alarmingly named issue is making the rounds under the name Trackmageddon. Involving a number of GPS tracking services for vehicles, it gives unauthenticated users API access to information like location history, phone numbers, and vehicle IMEI numbers; the researchers also found photo and audio files. The researchers later learned this might actually have been reported in 2015, which means more than 100 sites have remained vulnerable since then.

Security Roundup - 2016-12-16

End of the year is quickly approaching, and a number of groups are starting predictions for the new year, including:

Rapid 7 has an insightful (to me at least) article on Why Security Assessments are Often not a True Reflection of Reality, and how the scoping of security assessments can lead to a lot of caveats.

Checkpoint Labs put out their November Malware Most Wanted. Locky doesn’t quite top the list, but did manage to be the #1 malware family in 34 countries, while Conficker (still at the top) was only #1 in 28.

NakedSecurity has an end-of-year article on the number of records lost in breaches, totalling 2.14 BILLION records, up from 480m records last year. Unfortunately, these numbers were reported before Yahoo indicated another breach of 1 billion records, a separate incident from the one reported earlier this year.

Poor Yahoo: on top of all the bad news this year, they recently patched an XSS bug which would have allowed attackers to read a user’s email.

BleepingComputer’s ransomware roundup. Last week included: new variants, a botnet spreading ransomware that had a decryptor released in the summer (oops), a ransomware that will decrypt your files if you infect your friends (social!), and a new open source ransomware that has already spawned at least 3 variants in the wild.

Security Roundup - 2016-12-08

Botnets might get a big influx of nodes this holiday season, as researchers have discovered hard-coded credentials in 80 Sony IP cameras. Sony has released a fix to remove this ‘debugging code’, but users still have to apply the updates.

A mobile malware strain called Gooligan has been making the rounds. Using exploits for unpatched vulnerabilities in older versions of Android, it roots the device to gain admin access, allowing it to download additional applications in the background to do things like steal information, install adware, and interact with the Google ecosystem as the user. Checkpoint has indicated that over 1 million accounts are impacted.

Duo does an analysis of their data to see if 2FA over SMS has decreased since NIST suggested it is insecure. Overall, it appears that in the 2 months since the announcement there has been no marked decrease so far, but SMS as a factor does seem to be declining over the year in favor of methods like Universal 2nd Factor (U2F) and Duo Push.

Researchers have discovered an attack on credit cards in which attackers repeatedly guess at card details by distributing hundreds of guesses across many eCommerce systems, allowing them to work out the information in seconds. MasterCard apparently locks the card after 100 fraudulent attempts. Visa, unfortunately, does not appear to have a similar lockdown.

The FBI has apparently struck a major blow against the Avalanche botnet, taking ownership of 800K domains used by its DGA as well as seizing and shutting down servers suspected of being C&C nodes.

DeepDotWeb dives into the latest Locky mechanism where a specially crafted SVG image can direct users to malware, exploring the image itself and the browser extension it prompts users to install.

Similarly, Ars Technica explores some malware that was hidden in pixel ad banners on a variety of sites. The malware resides in a heavily obfuscated JavaScript file, but the actual malicious payload only runs once it loads an ad image that contains hidden malicious instructions.

BleepingComputer rounds up the ransomware. New this week: screen lockers, tech support scams, and new ransomware variants, including one that uses GPG to encrypt files.
