Security Roundup - 2016-09-29

Content Security Policy (CSP) is a way to mitigate XSS attacks, and Google has rolled out a tool to evaluate CSP policies, allowing people to check the impact of rolling out CSP to their sites. Google goes into how they rolled out CSP to a large suite of their apps, which prompted the creation of this tool.
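As an added illustration (this example's own code, not Google's evaluator), here is a small checker in the same spirit: it parses a CSP header and flags the weaknesses such tools typically report. The checklist and the sample policy are assumptions of this example.

```javascript
// Added example, not Google's CSP Evaluator: parse a Content-Security-Policy
// header and report the weaknesses a reviewer wants fixed before rollout.
// The checklist is this example's own assumption, not the tool's rule set.

function parseCsp(header) {
  // "dir v1 v2; dir v" -> { dir: [v1, v2], ... }; a repeated directive is
  // ignored by browsers, so only the first occurrence is kept here too.
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = values;
  }
  return policy;
}

function evaluateCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  // script-src and object-src fall back to default-src when absent
  const scriptSrc = policy['script-src'] || policy['default-src'];
  const objectSrc = policy['object-src'] || policy['default-src'];

  if (!scriptSrc) {
    findings.push('no script-src or default-src: script loading is unrestricted');
  } else {
    if (!policy['script-src']) findings.push('script-src falls back to default-src');
    const hasNonceOrHash = scriptSrc.some(v => /^'(nonce-|sha(256|384|512)-)/i.test(v));
    // 'unsafe-inline' is ignored by browsers once a nonce or hash is present
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash)
      findings.push("script-src allows 'unsafe-inline': injected inline script runs");
    if (scriptSrc.includes("'unsafe-eval'"))
      findings.push("script-src allows 'unsafe-eval'");
    for (const v of scriptSrc)
      if (v === '*' || /^(https?|data):$/i.test(v))
        findings.push(`script-src source '${v}' is an overly broad script source`);
  }
  if (!objectSrc || !objectSrc.includes("'none'"))
    findings.push("object-src should be 'none': plugin content can run script");
  if (!policy['base-uri'])
    findings.push('base-uri missing: an injected <base> can redirect relative script URLs');
  return findings;
}

// Constructed sample: a policy that looks restrictive but still permits inline XSS
const sample = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; object-src 'none'";
console.log(evaluateCsp(sample));
```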

Meanwhile, Microsoft is rolling out a new tool for automated fuzz testing, designed to automatically find bugs (and security vulnerabilities) before software even launches.

Megabreaches continue, as Yahoo discloses a 2014 breach resulting in half a billion user records stolen. Yahoo initially stated that the attack was state sponsored, but some security firms are suggesting otherwise. Other researchers suggest that Yahoo has poor cryptographic controls, which were a contributing factor. Unfortunately, it looks like this was suspected in August, when some records went up for sale on the DarkNet.

In other large attacks, two big DDoSes happened this week. The first was the security site KrebsOnSecurity, which was taken offline by peak traffic of 620 Gbps. Akamai, who was previously providing DDoS protection, apparently had to stop. Krebs has resurfaced under Alphabet’s Project Shield program. The second involved the OVH hosting site being hit by a DDoS attack topping 1.1 Tbps. It is believed that this attack was launched from a large number of compromised IoT devices.

Interestingly, Akamai has also released their Q2 2016 State of the Internet report. It shows some big jumps in attacks, including a 276% increase in NTP reflection attacks YoY and 44% QoQ, and a 47% increase in UDP flood attacks QoQ. 12 attacks in the last quarter exceeded 100 Gbps (already blown away by records this quarter). Of all bot traffic they observed, they believe 63% of it was malicious in some way.

A Hacked Website Trend Report was released by Sucuri as well. Unsurprisingly, WordPress showed the greatest number of compromises, in line with its overall popularity. Overall, it appears that compromised sites are decreasing, though out-of-date CMSes appear to be unchanged. Compromises are primarily backdoors or malware, with spam a slightly more distant third.

Honeypots, deliberately weak services set up to monitor what attackers do to them, are one way to gather threat intelligence. Sucuri recently set up a few on both IPv4 and IPv6 to see how quickly they would be compromised. They found that IPv4 was compromised in under 30 minutes, while IPv6 was (at time of writing) not compromised. Their experiment resulted in at least one of their machines being used in a DDoS attack, and they break down what the attackers actually did.

The FBI has again warned that hackers might be probing voting infrastructure. This seems to be correct, given that the Louisiana voter database has been dumped online.

Malware of all types uses various techniques to avoid detection and analysis by sandboxes. Threatpost has found a new, relatively straightforward strategy: just check whether there are user-like files, to detect ‘clean’ installs.

As always, Bleeping Computer has the best ransomware roundup. This week features a number of new ransomware strains, including one that inspects filenames to set the ransom amount, and Cerber infections on the rise, jumping from 6K to 80K infections per day.

Security Roundup - 2016-09-21

Damage due to a breach doesn’t necessarily end after resetting users’ passwords. TalkTalk customers are being targeted by scammers who are using the personal information from the TalkTalk breach in order to better target their victims. Meanwhile, another 33 million user accounts have been dumped online, as QIP.ru data from 2009-2011 has surfaced.

One security researcher found a bug in Facebook Business Manager, allowing an attacker to take over any Facebook page. Facebook has fixed the issue, as well as another one they discovered in the process, and paid the researcher $16k as part of their bug bounty program.

Use WebEx? Might want to make sure that the servers you use are updated. Cisco recently patched WebEx to fix a remote command execution bug, as well as denial of service bugs. A number of bugs also exist for other Cisco products, which they have sent notifications for.

After last week’s announcement that Chrome will be flagging non-HTTPS sites as insecure, Troy Hunt decided to take the new settings for a spin and see how many sites would have warnings. The results will probably not surprise you.

Hosting sites on a shared server? Sucuri reminds us all that our security is only as strong as the weakest link, or in this case only as strong as your weakest neighbour. Using a combination of attacks, they demonstrate how exploiting WordPress on shared servers allows for cross contamination, pivoting further into whatever databases the compromised host has access to.

CryLocker has been making the rounds, a ransomware that collects a bunch of metrics, including location, and then dumps them to sites like imgur.com or pastebin.com.

Talos security indicates spam is back at 2010 levels. The culprit? Malware campaigns including either banking malware like Dridex, or ransomware like Locky.

TLS 1.3 should be finalized later this year, but that isn’t stopping larger organizations from trying it out. The latest adopter? Cloudflare, who has made it available for all their customers.

As always, Bleeping Computer has the best ransomware roundup. This week includes: The Shark Ransomware-as-a-Service platform being rebranded as Atom, plenty of new ransomware variants, and the trend of ransomware no longer using C&C nodes continuing.

Security Roundup - 2016-09-15

USB for data exfiltration came up last week. This week continues the trend with one researcher building a device that could grab a password from a locked computer by masquerading as an Ethernet device and listening for network authentication requests. Hak5 demonstrates another device that could steal password hashes in seconds. On the other side of the spectrum, one researcher has figured out how to use USB to damage devices and infrastructure by discharging electricity back into the port.

Accessing IoT devices over the internet/SSL? Sophos points out that this isn’t necessarily secure, given these devices tend to use hard-coded secret keys that anybody could easily extract. At time of publication, they had identified 4.5 million HTTP servers using widely known ‘private’ keys.

Microsoft had their Patch Tuesday this week, and enSilo goes in depth on one particular patched bug that potentially impacts security tools and virtualization software, since the change is in Microsoft’s ‘Detours’ hooking engine. As mentioned earlier this year, bugs in hooking engines can allow a number of security bypass techniques. Talos Intel has a writeup on the rest of the bulletins, pointing out a number of memory corruption and security bypass bugs.

Apple has continued to make small steps forward with security, now by making system updates go over secure channels to mitigate against MitM attacks.

One high school student recently figured out how to use T-Mobile’s network without a paid account, by leveraging a whitelist misconfiguration on T-Mobile’s side.

In other encryption news, Google apparently plans to draw attention to sites that do NOT use TLS, pointing out that they are not secure.

As always, Bleeping Computer has the best ransomware roundup. This week includes numerous ransomware variants, Locky switching to embedded RSA keys, and a new Ransomware-as-a-Service platform.

Security Roundup - 2016-09-07

Engadget has posed the question of ‘should we be worried about election hacking?’. Rounding up a lot of election data problems of the last several weeks, including the FBI alerting that at least 2 state election databases were hacked into, as well as various groups hacking voting machines, certain groups refusing security audits, and state representatives sending people complete voter lists. Thankfully, some of the older voting machines are being phased out after support has been but, overall, eVoting seems like a risky prospect.

Mobile 2FA tokens seem to be the safest 2FA option, right? Given enough time and resources, anything is hackable, as one researcher demonstrates with the ability to clone a 2FA app. Current research involves root-level access, a lot of bypasses, and only impacts some demo apps, so the attack is not particularly practical at this time. A full set of slides is available here.

Last.fm joins the 2012 megabreach crowd with 43 million user accounts surfacing. Last.fm knew about this breach in 2012 and already took steps to protect users, but are pre-emptively taking steps again, having not expected this data to surface 4 years later. Sadly, it appears that Last.fm was using unsalted MD5 hashes, meaning that the majority, if not all, of the passwords are probably known.

Rapid7 has been scanning parts of the internet for a number of years now, and has decided to do a nice write-up of their NetBIOS collection, which is part of their scans.io dataset. Unsurprisingly, there are a lot of NetBIOS services exposed on the internet, despite recent high-profile vulnerabilities like HotPotato and BadTunnel.

Google has rolled out changes to their Safe Browsing tool for webmasters adding further transparency and actionability on issues they detect.

Rapid7 has continued research into SNMP in Network Management Systems, finding another 11 vulnerabilities across 4 different vendors.

Security researchers have discovered how to use Tor’s hidden service directories in a correlation attack against anonymity. The Tor Project has already indicated that the attack will be mitigated with the next generation of hidden services. Meanwhile, a number of Tor alternatives are springing up, aiming to provide solutions for some of Tor’s current known problems.

BleepingComputer’s ransomware roundup gives the lowdown on all the ransomware updates/variants. Also this week: a ransomware that communicates over UDP, as well as harvesting system information.

Security Roundup - 2016-09-02

RC4 being deprecated is old news, but researchers are set to demonstrate that 3DES and Blowfish have met their end as well, with a demonstrable collision attack. OpenSSL seems poised to drop 3DES from default installs, and OpenVPN already plans a new version that warns against Blowfish.

Inversoft, a provider of moderation and DB SSO tools, recently released a guide to User Data Security. They set up a server using those guidelines, and challenged attackers to break in. Read one team’s chronicle of completing this challenge.

Anyone using Opera’s built-in password manager and sync service had all their passwords compromised this week.

Yet another historical breach has come to light, with Dropbox password data from 2012 surfacing. It looks like the data contains a mix of SHA-1 and bcrypt hashes. Dropbox is forcing password resets for a certain set of users, but it probably doesn’t hurt to change your own.

Troy Hunt does an in-depth exploration of what using Cloudflare to provide encrypted content means. Summary: if you are not encrypting between Cloudflare and your own servers, you are subject to MitM attacks anyway. Even then, having Cloudflare in the middle opens things up to potentially leaking information, or to Cloudflare being an intercept point. You have to ask yourself, “What is my risk model?”. He also suggests a few things Cloudflare could do to increase overall security, while also offering some transparency.

Steganography AND C&C? The Endgame blog has an article on this specific combination using public image hosting. Included is a proof of concept using Instagram, called Instegogram.

I imagine a number of bad actors want to break into Facebook, and one researcher recently found an exploit in Facebook’s password reset functionality. It relied on the fact that reset tokens had a keyspace of 1 million entries, so being able to initiate enough password reset requests would mean you could find out the token for a specific user.

Botnets leveraging IoT devices continue to trend, with BASHLITE being the latest, having grown from 74 observed instances to 120,000 fairly rapidly. Interestingly, it doesn’t seem very sophisticated: payloads run through a list of things to try until something works, and there is no C&C rotation as such, relying instead on the ability to re-compromise if a move is ever needed.

Naked Security has an article on, not what happens if a CA goes rogue, but what happens if a CA has a sloppy bug and doesn’t clean up its mistakes rapidly.

Duo Security was performing some research on exposed Redis servers and noticed that a number of them all used the same SSH key. They learned that attackers who are able to send CONFIG directives can essentially overwrite keys on the server and gain complete SSH access, which was actually pointed out by the developer almost a year ago. Duo went so far as to set up a honeypot and caught an attacker ‘faking’ ransomware by just deleting data and leaving a notice.

I stumbled upon this interesting article about usage of the target="_blank" attribute for links, where apparently misuses can open up users to phishing attacks due to the referring site being able to manipulate the opening window.
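Added example, not code from the article: a check that finds target="_blank" links lacking rel="noopener" and a fixer that adds it (and noreferrer), which is the usual mitigation for the window.opener issue described. The regex handling is an assumption suited to simple server-rendered HTML, not a substitute for a real HTML parser.

```javascript
// Added example (not from the article): audit and fix <a target="_blank"> links.
// Without rel="noopener", the opened page receives a window.opener reference and
// can navigate the referring tab. Regex-based: assumed adequate for simple
// server-rendered HTML, not a full parser.

const ANCHOR_RE = /<a\b[^>]*>/gi;
const BLANK_RE = /\btarget\s*=\s*["']?_blank\b/i;
const REL_RE = /\brel\s*=\s*(["'])([^"']*)\1/i;

function relTokens(tag) {
  const m = tag.match(REL_RE);
  return m ? m[2].toLowerCase().split(/\s+/).filter(Boolean) : [];
}

// Returns the opening tags of every target="_blank" link that is unprotected
// (noreferrer implies noopener in browsers, so either token counts).
function auditBlankLinks(html) {
  const findings = [];
  for (const [tag] of html.matchAll(ANCHOR_RE)) {
    if (!BLANK_RE.test(tag)) continue;
    const rel = relTokens(tag);
    if (!rel.includes('noopener') && !rel.includes('noreferrer')) findings.push(tag);
  }
  return findings;
}

// Rewrites the HTML so every target="_blank" link carries noopener and noreferrer.
function addNoopener(html) {
  return html.replace(ANCHOR_RE, tag => {
    if (!BLANK_RE.test(tag)) return tag;
    const m = tag.match(REL_RE);
    if (!m) return tag.replace(/>$/, ' rel="noopener noreferrer">');
    const tokens = m[2].split(/\s+/).filter(Boolean);
    for (const t of ['noopener', 'noreferrer'])
      if (!tokens.map(x => x.toLowerCase()).includes(t)) tokens.push(t);
    return tag.replace(m[0], `rel="${tokens.join(' ')}"`);
  });
}

// Constructed sample page fragment
const page = '<a href="https://example.com/" target="_blank">external</a> <a href="/">home</a>';
console.log(auditBlankLinks(page).length, '->', auditBlankLinks(addNoopener(page)).length);
```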

As always, BleepingComputer has the best ransomware roundup. This week features six new ransomware strains, including one that pretends to be a Windows update screen.
