Security Roundup - 2016-12-01

cURL, an open source program/library used by many open source projects, recently underwent a security audit from Mozilla’s Secure Open Source initiative. Overall 23 issues were proactively identified and fixed, before any of them could become the kind of ‘Heartbleed’-like event the initiative was created in reaction to.

In a post-Mirai world, Fortinet delves into managing the attack surface of Smart Cities in the world of tomorrow.

Deutsche Telekom customers have had their modems targeted this week, knocking users off the internet. Researchers from the SANS Institute indicate that, left unchecked, these routers could be compromised and become part of a botnet. Deutsche Telekom has apparently already pushed out a fix. Rapid7 has a summary of some of the raw data.

Firefox users should update, as Mozilla has fixed a 0-day that was used to de-anonymize users. While this is important for Tor users specifically, researchers indicate the payload could also have been used to execute malware. Endpoint Security provides an in-depth technical writeup.

On the importance of maintaining and monitoring your third-party accounts: it appears as though a small number of Mailchimp accounts were broken into and used to send malicious attachments. Mailchimp does offer 2FA, making it easier for users to secure their accounts.

Proving that pretty much anyone can be a victim of ransomware, SF MUNI fell victim to HDDCryptor. MUNI suggests that there was no actual breach, that no data was stolen, and that actual transit systems were not impacted. KrebsOnSecurity has already been provided some information on the hacker in the form of emails from his email account, which someone has hacked. These provide details on the number of companies impacted, as well as the techniques the attacker used.

BleepingComputer brings the rest of the Ransomware Roundup. Nothing particularly ‘new’ this week, but still plenty of variants, new versions, and decryptors.

Security Roundup - 2016-11-23

Happy Thanksgiving! I just found out that DerbyCon 2016 videos have been up for over a month, and DefCon 24 videos went up in the last week, so I know what I am going to be filling SOME of my time this weekend.

Some internet of things news:

Several Siemens-branded CCTV cameras are vulnerable to a bug that would allow attackers to gain admin credentials.

Similarly, security researcher Robers Stevens recently purchased an IP-based camera and decided to see how quickly it was compromised. In under 2 minutes he had details on how some attackers were exploiting it and what they were doing once they gained control.

Some phone related problems were mentioned this week including:

An insecure update mechanism on a number of phones which could operate as a rootkit and execute arbitrary system commands.

An unknown set of phones regularly sends user data to servers in China. The company responsible declares it was a mistake, intended only for Chinese devices, but it unfortunately impacts some US ones as well. The company in question has also suggested they have taken steps to correct this, including destruction of the data, but as of this time they have not detailed which devices might actually be impacted.

Qualcomm has opened up a bug bounty program for their Snapdragon processors used to power multiple mobile devices.

In a follow-up to a previous article on how he validates data breaches, Troy Hunt reiterates why alleged data breaches need to be validated before being shared as such. It all comes down to publicity: who wants it, and how easy it might be to just make up or relabel data to gain it.

In a somewhat similar vein, O’Reilly hosts an article on the challenges of validating attack detection methods. Challenges include tainted data, a variety of datasets, attacks in the wild perhaps being detected so rarely as to provide too small a sample set, and no incentive for defenders to share their overall raw data so that data scientists have better data to work with.

Akamai released their Q3 State of the Internet Report. Unsurprising at this point, DDoS attacks are up, with a 138% YoY increase in attacks exceeding 100 Gbps and a 58% increase QoQ. They have also noticed a downward trend in NTP reflection attack volume, from upwards of 40 Gbps in 2014 to 700 Mbps in 2016; this decrease is attributed to organizations patching their servers to mitigate the known problems that allowed these attacks.

Check Point Labs provides their ‘October Most Wanted Malware List’, where they see a 5% growth in families and distribution over the course of the month. Zeus and Locky continue to be prevalent in the ranks, though Conficker is still #1 after several months.

Ars Technica reports on one researcher’s discovery of subtle bugs in a Linux audio processing library. With it, the researcher was able to craft specific audio files that could be used to bypass some standard Linux security constraints.

BleepingComputer provides plenty of interesting ransomware news again this week: the CrySiS ransomware had its encryption keys released, ransomware writers are seeking help from security researchers to fix their crypto to ‘help victims ensure their files can be decrypted’, there is an uptick in distribution channels, and there are plenty of new variants.

Security Roundup - 2016-11-17

Following up on the ‘Hack The Pentagon’ bug bounty program, the Army announced ‘Hack The Army’ on Veterans Day.

The Verge reports an unfortunate cause of users’ Skype accounts being compromised. Despite urging customers to migrate their accounts to Microsoft accounts for stricter security, users’ original Skype accounts could still be used to log in, potentially leaving accounts vulnerable due to leaked credentials. Users are urged to ‘complete’ the migration.

‘Pwnfest’, a security bug finding festival, wrapped up this week. Among the systems available, VMware was exploited (and subsequently fixed), Microsoft Edge exploits were found, and the new Pixel phone was exploited.

Talos goes in depth on how they triage some vulnerabilities in binaries, specifically stack-based buffer overflow and heap-based buffer overflow/heap overflow bugs.

I imagine everyone has heard of PoisonTap at this point, but for those who haven’t: PoisonTap is an exploit device based on the Raspberry Pi that emulates a network device. Once connected, it convinces the laptop that all traffic should be routed to it. This allows the device to intercept traffic, harvest cookies, and poison the browser. The latter allows the device to open up a websocket for remote control of the browser. The engineer behind the device suggests a simple security measure for USB devices: simply prompt the user when a (most/all) USB device is connected and ask whether it should be allowed.

Chinese researchers have revealed that poor OAuth 2.0 implementations (used to do single sign-on via services like Facebook and Google) can be hijacked. Based on their analysis of top performing apps, they believe more than 1 billion accounts could be subject to compromise. The attack relies on a malicious app being installed on the device, allowing the attacker to MitM connections.

Fortinet has been working to identify the author of several strains of malware and gives an inside view of what sorts of information they look for in order to find relationships.

BleepingComputer wraps us up with the Ransomware Roundup. Among the regular variants, some interesting news: multiple new versions of Cerber, which has expanded the IP subnets it uses to report information and statistics back to C&C nodes; a ransomware variant that is marketed as a Paysafe (prepaid money card) number generator, asking people who are trying to ‘generate’ money to pay money; proof-of-concept PHP ransomware which could use another exploit to encrypt web servers; and a new variant dubbed ‘Telecrypt’ due to the fact that it uses the Telegram service as its C&C channel.

Security Roundup - 2016-11-11

A few good IoT-related articles:

  • Mirai may be imploding as competing hackers fight over the resources. As these botnets are also designed to keep out the competition, the botnets may be fracturing into smaller and smaller groupings.
  • Rapid 7 has been tracking Mirai, and also noticed a drop in overall active nodes.
  • Several people sent me “IoT Goes Nuclear”, a research paper that illustrates a proof-of-concept worm for the Philips Hue. They were able to develop a technique to force a bulb in proximity to update its firmware. From there, the infected device was able to spread through the network. Assuming a critical mass of similar devices, the entire network could be shut down or repurposed for malicious activity.
  • Wired has a story of a researcher who built a stingray device that looks like an office printer. Since the device is indoors, it is that much easier for it to overwhelm outside cell towers, monitor your traffic, and perform malicious things.

Sucuri has published their October Lab Notes recap. Lots of eCommerce-related maliciousness, where they believe attackers are preparing for the holiday season. Additionally, two notes on tricks backdoors are using to avoid casual detection.

Google has expanded their HTTPS Transparency Report, demonstrating an upward trend in Chrome users interacting with sites over HTTPS. Additionally, they have rolled out a new Safe Browsing site.

Rapid 7 has developed a new honeypot network and has a writeup of some early observations. They spread their pots across a number of cloud providers and noticed a decidedly uneven distribution of attacks. They also noticed that inter-cloud communication was heavier in AWS-to-AWS public traffic than expected, a possible indicator of companies using AWS Classic rather than VPCs to keep traffic internal.

Can your password survive 100 guesses? This is the question posed by recent research, which found that, with a little bit of PII, the researchers had a one-in-five chance of guessing a password before reaching NIST’s lockout guidelines.

Endgame Security researcher Bobby Flair provides a writeup of AISec, where they also presented their paper on “DeepDGA: Adversarially-Tuned Domain Generation and Detection”. The idea is effectively to automate better ways of evading DGA detection, and then use those to automate better detection of generated domains.

Talos does a deep dive on the RIG Exploit Kit. RIG apparently has a number of configurable variants and various levels of obfuscation to make tracking difficult. It tends to try to infect with various scripts, so where one might fail another may succeed; these include ActionScript, Flash, JavaScript, and VBScript. MalwareBytes also has an Exploit Kit Retrospective for the last few months, giving some highlights on how these operate and how they are changing.

BleepingComputer rounds up the ransomware, detailing several new ransomware variants.

O'Reilly Security Conference

As previously mentioned, the first O’Reilly Security Conference just wrapped up in NYC. I opted to attend at the last minute and was glad I did, due to a number of really good conversations with other attendees.

Some of the highlights:

O’Reilly provided ‘office hours’ with most of the speakers, giving attendees the opportunity to pick the brains of speakers. I took advantage of this to sit down at a table with Cory Doctorow, who was one of the keynote speakers. This ended up being people going around, introducing themselves and describing what they are up to. I described my current job at SecurityScorecard, to which Cory expressed interest and thought it was pretty cool.

Had a great conversation with one of the guys from SourceClear about their work. They claim to have a vulnerability database that is 50% larger than the NIST Vulnerability Database, accomplished by scanning GitHub for PRs related to security, as well as using that data to find similar patterns. They have some interesting scaling challenges, as they manually verify all the vulnerabilities. They then use this data to let people scan their dependencies and get a list of dependencies with vulnerabilities. We chatted about vulnerability databases in general, as well as MITRE’s occasional slowness in providing details.

Went to a great talk from HackerOne on Hacker Quantified Security, which went over some of the data they have collected from their bug bounties, showing the security trends that emerge from making this a bit more public. I talked to their CTO about possibly working on an API where they could expose which companies are running bug bounty programs, and perhaps some of the metrics that are already available on their site.

Had a hallway conversation with one of the founders of, a crowdsourcing pentest company, where they match up pentesters to specific engagements, and wrap that in some management and a good web platform. We talked about how security is becoming more and more transparent, and how it might be interesting if companies were able to share a subset of pentest results in a verifiable way.

Sat in on Jay Jacobs’ talk on Security Data Beyond Operations. He went over some interesting things, like clustering security breaches by industry and not seeing any cross-industry patterns so much as patterns within industries. He also went over BitSight’s recent research on malware/torrent correlation.

Kelly Harrington from the Google Safe Browsing team gave a talk on their efforts entitled “Are we out of the woods? The current state of web malware”. They have covered a number of these things on their blog, but it was nice to see a talk that expands on the topics and pulls it all together.

There were two talks in particular where I was exposed to a lot of new information.

The first was “Deriving actionable intelligence from spoofed domain registrations”, where Kyle Ehmke from ThreatConnect went over some research in which they observed spikes in typosquat registrations for domains that were later attacked. He went over various ways in which they try to correlate some of the data to find out more about attackers and related potentially malicious domains.
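The kind of monitoring the talk describes, as an added example that is not ThreatConnect’s tooling: for a small set of monitored brand domains, generate near-miss variants (character omission, adjacent transposition, duplication, and a few common homoglyph substitutions), match them against a feed of new registrations, and surface days on which the registration count for one brand spikes. The registration records and the monitored domains are constructed sample data.

```python
"""Typosquat registration monitor (added example; constructed sample data)."""
from collections import defaultdict

# Constructed sample feed of (registration date, domain) records.
SAMPLE_REGISTRATIONS = [
    ("2016-10-28", "exampel.com"),
    ("2016-10-28", "example.com"),       # the real brand domain itself
    ("2016-10-29", "exarnple.com"),      # 'rn' standing in for 'm'
    ("2016-10-29", "unrelated-shop.net"),
    ("2016-10-30", "examplle.com"),
    ("2016-11-01", "exmple.com"),
    ("2016-11-02", "acme-corp.com"),     # second monitored domain itself
    ("2016-11-02", "acme-c0rp.com"),
    ("2016-11-03", "examlpe.com"),       # three in one day: a spike
    ("2016-11-03", "exampl.com"),
    ("2016-11-03", "examp1e.com"),
]

# Hypothetical (assumed) homoglyph table; extend as needed.
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["l", "1"],
              "m": ["rn"], "rn": ["m"], "e": ["3"], "a": ["4"]}


def typosquat_variants(domain):
    """Return the set of near-miss domains for one monitored domain."""
    name, _, tld = domain.rpartition(".")
    variants = set()
    n = len(name)
    for i in range(n):                       # one character omitted
        variants.add(name[:i] + name[i + 1:])
    for i in range(n - 1):                   # adjacent characters swapped
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(n):                       # one character doubled
        variants.add(name[:i + 1] + name[i] + name[i + 1:])
    for src, subs in HOMOGLYPHS.items():     # look-alike substitutions
        start = name.find(src)
        while start != -1:
            for sub in subs:
                variants.add(name[:start] + sub + name[start + len(src):])
            start = name.find(src, start + 1)
    variants.discard(name)                   # never flag the brand itself
    return {v + "." + tld for v in variants}


def find_typosquats(registrations, monitored):
    """Map each monitored domain to the registrations that look like it."""
    lookup = {}
    for brand in monitored:
        for variant in typosquat_variants(brand):
            lookup[variant] = brand
    hits = defaultdict(list)
    for reg_date, dom in registrations:
        brand = lookup.get(dom.lower())
        if brand:
            hits[brand].append((reg_date, dom))
    return dict(hits)


def spike_days(hits_for_brand, threshold=3):
    """Days on which at least `threshold` look-alikes were registered."""
    per_day = defaultdict(int)
    for reg_date, _ in hits_for_brand:
        per_day[reg_date] += 1
    return sorted(d for d, c in per_day.items() if c >= threshold)


if __name__ == "__main__":
    hits = find_typosquats(SAMPLE_REGISTRATIONS, ["example.com", "acme-corp.com"])
    for brand, matches in hits.items():
        print(brand, len(matches), "look-alikes; spike days:", spike_days(matches))
```

The variant generator is deliberately narrow (edit distance one plus a short homoglyph list) so that a daily registration feed can be matched with a dictionary lookup rather than a pairwise comparison; the spike threshold is the tunable part, and in practice you would baseline it per brand.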

The second was Dan Kaminsky’s ‘A technical dive into defensive trickery’. Prefaced with the comment ‘I am tired of doing keynotes, let me tell you the cool projects I am working on’, it then went into a LOT of experiments in:

  • DDoS attacks, and how to better communicate around these events. He is experimenting with shipping a subset of netflow data to destination networks. You can check out some of this in his overflowd project.
  • Crypto/TLS deployment. Let’s Encrypt makes this easier, but he suggests the easiest thing would probably be to jump to full encryption, via a wrapper that acts as a TLS wrapper on any port and provisions TLS certificates on the fly.
  • Data loss prevention. Experimentation in rate limiting data access through a proxy. The example was querying password data at a rate of 7 requests/second; at that rate, querying for 500M users would take 2.26 years to exfiltrate the data.
  • Code Safety. How to protect end users from executing bad code. Experimenting with making it easy to sandbox every application, via VMs/docker and syscall firewalling.
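The data loss prevention idea above, as an added example that is not Kaminsky’s code: a token-bucket limiter in front of a record store caps lookups at a fixed rate, and a helper turns a rate and a record count into the time a bulk dump would take, which reproduces the 7 requests/second and 500M users figures quoted in the talk. The record store and the clock are constructed so the block runs offline and deterministically.

```python
"""Rate-limited lookup proxy (added example; constructed sample data)."""


class FakeClock:
    """Deterministic clock so the limiter can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class TokenBucket:
    """Allow at most `rate_per_sec` requests per second, with a small burst."""
    def __init__(self, rate_per_sec, burst, clock):
        self.rate = rate_per_sec
        self.capacity = burst
        self.tokens = float(burst)
        self.clock = clock
        self.last = clock()

    def allow(self):
        now = self.clock()
        # Refill proportionally to elapsed time, never above capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


# Constructed stand-in for the protected dataset (hypothetical hashes).
SAMPLE_STORE = {f"user{i}": f"<hash-{i}>" for i in range(20)}


def proxied_lookup(bucket, key):
    """Return the record, or None when the caller is over the limit."""
    if not bucket.allow():
        return None
    return SAMPLE_STORE.get(key)


def drain(bucket, attempts):
    """How many of `attempts` back-to-back requests the limiter lets through."""
    return sum(1 for _ in range(attempts) if bucket.allow())


def exfiltration_time_years(records, rate_per_sec):
    """Wall-clock time to pull every record one at a time at the capped rate."""
    seconds = records / rate_per_sec
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    clock = FakeClock()
    bucket = TokenBucket(rate_per_sec=7, burst=7, clock=clock)
    print("allowed in first second:", drain(bucket, 50))
    clock.advance(1.0)
    print("allowed after one more second:", drain(bucket, 50))
    print("years to dump 500M records at 7/s:",
          round(exfiltration_time_years(500_000_000, 7), 2))
```

The limiter lives in the proxy rather than in the application so that a compromised application credential still cannot pull the dataset faster than the cap; the denied lookups (the `None` returns) are also the signal worth alerting on, since a legitimate client rarely sits at the limit for long.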