Security Roundup - 2016-10-05

October is National Cyber Security Awareness Month. I’m looking forward to a slew of new articles to read through.

For a big start, one security researcher did an Ask me Anything on reddit the other day.

The overall message is ‘Stop. Think. Connect’. Sophos details what they believe this means, but Bruce Schnier has a counterpoint on how we should stop trying to fix the user and rather focus on trying to fix underlying security problems.

Rapid7 plans to highlight security research as part of the National Cyber Security Awareness Month. They are also looking forward to the DMCA exceptions for security research to kick in at the end of the month, which will allow security researchers to bypass protection measures on legally acquired devices to test security.

Big batch of Internet of Things news:

The Internet of Things botnet (Mirai) that has been responsible for recent large DDoS attacks has had it’s source code released. There is some more detail on how this malware works, which is as simple as just exploiting default passwords and getting code run in memory. Research indicates that impacted IoT devices can get infected within minutes of being put on the internet. MalwareTech also has a great article on Mirai, where they mapped out a number of infected devices.

Further digging into IoT devices, Ars details how easy it is for a DVR to get compromised, while other security researchers analyze a popular wifi router and suggest it is so broken that users should throw it away.

Krebs continues the news with a breakdown of which companies are building these devices.

And Sophos suggests that we should be worried about the scope of these attacks, as the scale has increased drastically, and the effort required to put together a large botnet further decreases. The number of organizations that can weather such an attack only grows smaller.

The roundup of the roundup:

Malwarebytes shares some less known ways in which attackers may spoof file extensions on windows.

Facebook has rolled out end to end encryption for Messenger, but the feature is opt-in, rather than on by default.

Endgame security goes into various ways code might be obfuscated and how to reverse engineer. Additionally, they have detailed how they hunt for exploit kits, which they have automated and turned into an open source project.

Did you know that Mongo has a REST interface, which by default has no authentication? Netsparker filled me in on this, as well as detailing a CSRF attack to recon and exfiltrate data.

A number of security firms have analyzed some malware in the Google Play store that establishes a proxy to allow attackers a foothold in any network the phone is on. Researchers found ~400 of these apps in the Play store directly.

Bleeping Computer provides an update on ransomware. This week includes many new variants, a few decryptors, and criticism of open sourcing ransomware for ‘research’.

Security Roundup - 2016-09-29

Content Service Policies are a way to mitigate XSS attacks, and Google has rolled out a tool to evaluate CSP policies, allowing people to check the impact of rolling out CSP to their sites. Google goes into how they rolled out CSP to a large suite of their apps, which prompted to the creation of this tool.

Meanwhile, Microsoft is rolling out a new tool for automated fuzz testing, designed to automatically find bugs (and security vulnerabilities) before software even launches.

Megabreaches continue, as Yahoo discloses a 2014 breach resulting in half a billion user records stolen. Yahoo initially stated that the attack was state sponsored, but some security firms are suggesting otherwise. Other researchers suggest that Yahoo has poor cryptographic controls, which were a contributing factor. Unfortunately, it looks like this was suspected in August, when some records went up for sale on the DarkNet.

In other large attacks, two big DDoSes happened this week. The first was the security site KrebsOnSecurity, which was taken offline by peak traffic of 620 Gbps. Akamai, who was previously providing DDoS protection, apparently had to stop. Krebs has resurfaced under Alphabet’s Project Shield program. The second involved the OVH hosting site being hit by a DDoS attack topping 1.1 Tbps. It is believed that this attack was launched from a large number of compromised IoT devices.

Interestingly, Akamai has also released their Q2 2016 State of the Internet report. Some big jumps in attacks, including 276% increase in NTP reflection attacks YoY and 44% QoQ. Also, a 47% increase in UDP flood attacks QoQ. 12 attacks in the last quarter exceeded 100 Gbps (already blown away by records this quarter). Of all bot traffic they observed, they believe 63% of it was malicious in some way.

A Hacked Website Trend Report was released by Sucuri as well. Unsurprisingly, Wordpress showed the greatest number of compromises based on its overall popularity. Overall, it appears that compromised sites are decreasing, though out of date CMSes appear to be unchanged. Overall, compromises are primarily backdoors or malware, with spam being a slightly more distant third.

Honeypots, setting up a service that is weak to monitor what attackers do to it, is one way to gather threat intelligence. Sucuri recently set up a few on both IPv4 and IPv6, to see how quickly they would be compromised. They found that IPv4 was compromised in under 30 minutes, while IPv6 was (at time of writing) not compromised. Their experiment resulted in at least one of their machines being used in a DDoS attack, and they break down what the attackers actually did.

The FBI has again warned that hackers might be probing voting infrastructure. Seems to be correct, given that the Louisiana Voter’s database has been dumped online.

Malware of all types use various techniques to avoid detection and analysis by sandboxes. Threatpost has found a new unique strategy that is relatively straightforward, just check whether there are user like files to detect ‘clean’ installs.

As always Bleeping Computer has the best ransomware roundup. This week features a number of new ransomware strains, including one that does filename introspection to set the ransom amount, and Cerber infections on the rise, jumping from 6K infections per day to 80K infections per day.

Security Roundup - 2016-09-21

Damage due to a breach doesn’t necessarily end after resetting user’s passwords. TalkTalk customers are being targeted by scammers who are using the personal information from the TalkTalk breach in order to better target their victims. Meanwhile, another 33 million user accounts have been dumped online, as data from 2009-2011 has surfaced.

One security researcher found a bug in Facebook Business Manager, allowing an attacker to take over any Facebook page. Facebook has fixed the issue, as well as another one they discovered in the process, and paid the researcher $16k as part of their bug bounty program.

Use WebEx? Might want to make sure that the servers you use are updated. Cisco recently patched WebEx to fix a remote command execution bug, as well as denial of service bugs. A number of bugs also exist for other Cisco products, which they have sent notifications for.

After last week’s announcement that Chrome will be flagging non-HTTPs sites as insecure, Troy Hunt decided to take the new settings for a spin and see how many sites would have warnings. The results will probably not surprise you.

Hosting sites on a shared server? Sucuri reminds us all that our security is only as strong as the weakest link, or only as strong as your weakest neighbour. Using a combination of attacks, they demonstrate how exploiting Wordpress on shared servers allows for cross contamination, pivoting further into whatever databases the compromised host has access to.

CryLocker has been making the rounds, as a ransomware that collects a bunch of metrics, including location and then dumps them to sites like or

Talos security indicates SPAM is back at 2010 levels. The culprit? Malware campaigns including either banking malware like Dridex, or ransomware like Locky.

TLS 1.3 should be finalized later this year, but that isn’t stopping larger organizations from trying it out. The latest adopter? Cloudflare, who has made it available for all their customers.

As always, Bleeping Computer has the best ransomware roundup. This week includes: The Shark Ransomware-as-a-Service platform being rebranded as Atom, plenty of new ransomware variants, and the trend of ransomware no longer using C&C nodes continuing.

Security Roundup - 2016-09-15

USB for data exfiltration came up last week. This week continues the trend with one researcher building a device that could grab a password from a locked computer by masquerading as an ethernet device and listening for network authentication requests. Hak5 demonstrates another device that could steal password hashes in seconds. On the other side of the spectrum, one researcher has figured out how to use USB to damage devices and infrastructure by discharging electricity back into the port.

Accessing IoT devices over the internet/SSL? Sophos points out that this isn’t necessarily secure, given these devices tend to use hard coded secret keys that anybody could easily extract. At time of publication, they had identified 4.5 million http servers using widely known ‘private’ keys.

Microsoft had their Patch Tuesday this week, and EnSilo goes into depth into one particular patched bug that potentially impacts security tools and virtualization software, due to the change being in their ‘Detours’ hooking engine. As mentioned earlier this year, bugs in hooking engines can allow a number of security bypass techniques. Talos Intel has a writeup on the rest of the bulletins, pointing out a number of memory corruption and security bypass bugs.

Apple has continued to make small steps forward with security, now by making system updates go over secure channels to mitigate against MitM attacks.

One high school student recently figured out how to use T-Mobile’s network without a paid account, by leveraging a whitelist misconfiguration on T-Mobile’s side.

In other encryption news, Google apparently plans to draw attention to sites that do NOT use TLS, pointing out that they are not secure.

As always, Bleeping Computer has the best ransomware roundup. This week includes numerous ransomware variants, Locky switching to embedded RSA keys, and a new Ransomware as a service platform.

Security Roundup - 2016-09-07

Engadget has posed the question of ‘should we be worried about election hacking?’. Rounding up a lot of election data problems of the last several weeks, including the FBI alerting that at least 2 state election databases were hacked into, as well as various groups hacking voting machines, certain groups refusing security audits, and state representatives sending people complete voter lists. Thankfully, some of the older voting machines are being phased out after support has been but, overall, eVoting seems like a risky prospect.

Mobile 2FA tokens seem to be the safest 2FA option, right? Given enough time and resources, anything is hackable as one researcher demonstrates the ability to clone a 2FA app. Current research involves root level access, a lot of bypasses, and only impacts some demo apps, so the attack is not particularly practical at this time. A full set of slides is available here. joins the 2012 megabreach crowd with 43 million user accounts surfacing. knew about this breach in 2012 and already took steps to protect users but are pre-emptively taking steps again. having not expected this data to surface 4 years later. Sadly, it appears that was using unsalted md5 hashes meaning that the majority, if not all, of the passwords are probably known.

Rapid7 has been scanning parts of the internet for a number of years now, and has decided to do a nice write up of Netbios collection, which is part of their dataset. Unsurprisingly, there are a lot of Netbios services exposed on the internet, despite recent high profile vulnerabilities like HotPotato and BadTunnel.

Google has rolled out changes to their Safe Browsing tool for webmasters adding further transparency and actionability on issues they detect.

Rapid 7 has continued research into SNMP for Networked Management Systems, finding another 11 vulnerabilities across 4 different vendors.

Security researchers have discovered how to use Tor’s hidden service directories in a correlation attack against anonymity. The TOR Project has already indicated that the attack will be mitigated with the next generation of hidden services. Meanwhile, a number of TOR alternatives are springing up, aiming to provide solutions for some of TOR’s current known problems.

BleepingComputer’s ransomware roundup gives the low down on all the ransomwre updates/variants. Also this week - a ransomware that communicates over UDP, as well as harvests system information.

Page 15 of 23