Security Roundup - 2016-08-25

Like free beer? One developer found a “Loyalty Program” app, and realized the system was subject to replay attacks, such that one could (theoretically) cash in on loyalty perks without even making a purchase.

Last week’s news of NSA hacker tools has led to a few of these tools being evaluated. So far, it looks like Cisco PIX routers were exploitable allowing VPN communications to be eavesdropped on, prompting Cisco to review their product line. Fortinet has also been auditing their code and has discovered at least one similar vulnerability. Juniper has been doing their own analysis to check their own products. Meanwhile, one security researcher has been auditing some code, and finds some of it to be sloppy.

Apparently, researchers have used Facebook photos to hack face recognition systems. Thankfully a bit more complex than just showing a picture, determined researchers used Facebook photos to 3D print heads to fool the systems in question.

Security firm Praetorian has published a report on insights from 100 penetration tests. Essentially, in the majority of cases, they were able to compromise security due to weak passwords/password security, rather than relying on software vulnerabilities.

With great openness comes great malware. Wikileaks provides dumps of leaked information, and security researchers have discovered malware in these data caches. To be fair, since bad actors are probably also trying to exploit the companies in question, we should be more surprised if there was no malware in some of their email dumps.

With the DNC having been hacked, the possibility that at least part of the election process could be hacked should seem fairly real. In particular, a group of researchers continues to advocate against voting machines, regularly pointing out vulnerabilities in them, as well as other points of attack in the electronic voting process.

Plenty of online bulletin boards have been compromised, many of which are using vBulletin. Troy Hunt picks apart how some of these sites are using old versions of software, and suggests that for some services it would be better to use managed hosting, as the host will probably update packages much more quickly than your organization would.

United Airlines has rolled out ‘security’ updates to their site, but Krebs feels these are security efforts circa 2009. Amazingly, ‘secret questions’ use a drop-down for all the answers, among other things.

NIST is working on a new draft of password recommendations, and Sophos has a nice writeup. The recommended minimum length is 8 characters, the maximum length allowed must be at least 64 characters, the emphasis is on password length versus traditional password complexity rules, and password hints should be dropped, as studies are showing these decrease security.

MalwareTech has an update on the Kelihos botnet, which had a sudden surge of new nodes. Based on their research, it looks like Kelihos is joining other groups in running ransomware spam campaigns.

As always, BleepingComputer has the best ransomware roundup. This week features Pokemon Go malware, new variants of TorrentLocker, the Shark Ransomware as a Service platform, and Cerber, which apparently earned $195K in July and continues to evolve to evade researchers.

Security Roundup - 2016-08-18

Researchers have discovered a vulnerability in RFC 5961. While designed to prevent a number of attacks, the disclosed vulnerability opens up new forms of attack, where attackers could disconnect traffic, as well as inject content into unencrypted communications.

Blackhat 2016 videos are starting to trickle online, as is material from the 25th USENIX Security Symposium.

O’Reilly posts an interesting article on “Patrolling the dark net”, where they go over the deep web, the dark web, and monitoring to check for the worst-case scenario: your information being up for sale on the dark web.

For those companies that require absolute control of their encryption keys, Amazon and Google now allow you to provide your own keys for use on their services, rather than relying on third party key generation.

Interested in banking malware? You might enjoy this article on Automatic Transfer Systems by MalwareTech.

Rapid7 has some interesting articles this week, including a writeup of how small companies have a great opportunity to set up a security foundation while they are small, as this inevitably gets harder as the organization grows.

The creators of Mayhem, the bot that won Darpa’s Grand Slam challenge, did an AMA on Reddit!

Attackers use a variety of methods to exfiltrate data from their targets. PhishLabs has apparently seen a recent attempt that uses XMPP to push data out.

Troy Hunt has another article on security (or the lack thereof). This time it features account enumeration and some examples where sites leak far too much information through enumeration techniques.

Checkpoint has released their latest Malware Top 10. Conficker still reigns supreme, but most of the other spots are in flux. They also have a nice exposé on ransomware as a service, starring Cerber.

DDoSes frequently use DNS ANY queries to perform reflection attacks on their victims. Savvy attackers are turning to DNSSEC-enabled servers, as their signed responses can be up to 30x larger, increasing the impact of reflection just by choosing the right target. Just like any service exposed to the internet, failing to properly secure DNSSEC makes it potentially exploitable. Cloudflare has been actively trying to deprecate the ANY query for DNS in general, to minimize the extent to which DNS can be exploited for reflection.
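The traffic shape described above (many small ANY queries with the DNSSEC OK bit set, so that each elicits a large signed answer) can be picked out of an authoritative server's query log. The following is an added example, not code from the original post or from any of the vendors named; the log lines are constructed in a BIND-style query-log layout, and the window and threshold values are assumptions. Note that in a reflection attack the logged source address is the spoofed victim, not the attacker, so the flagged address is what to rate-limit, not who to blame.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in BIND-style query-log format. Flags after the
# class/type: "+" recursion desired, "E" EDNS present, "D" DNSSEC OK bit set.
SAMPLE_LOG = """\
25-Aug-2016 10:15:01.001 client 203.0.113.7#5353 (example.org): query: example.org IN ANY +ED (192.0.2.53)
25-Aug-2016 10:15:01.004 client 203.0.113.7#5353 (example.org): query: example.org IN ANY +ED (192.0.2.53)
25-Aug-2016 10:15:01.009 client 203.0.113.7#5353 (example.org): query: example.org IN ANY +ED (192.0.2.53)
25-Aug-2016 10:15:02.120 client 198.51.100.20#40001 (example.org): query: www.example.org IN A +E (192.0.2.53)
25-Aug-2016 10:15:03.500 client 203.0.113.7#5353 (example.org): query: example.org IN ANY +ED (192.0.2.53)
25-Aug-2016 10:15:04.010 client 198.51.100.21#40002 (example.org): query: example.org IN ANY +E (192.0.2.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\(.*?\): query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")


def parse_line(line):
    """Parse one query-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return rec


def find_reflection_sources(log_text, window_seconds=10, threshold=3):
    """Return {src_ip: burst_size} for sources that sent at least `threshold`
    ANY queries with the DNSSEC OK bit within any `window_seconds` span.
    Such a source is being reflected at: its address is the spoofed victim."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qtype"] == "ANY" and "D" in rec["flags"]:
            events[rec["src"]].append(rec["ts"])
    flagged = {}
    for src, times in events.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged
```

Run over the sample, only 203.0.113.7 is flagged: the ANY query from 198.51.100.21 lacks the DO bit, so it would draw an unsigned, much smaller answer.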

Open source GPG libraries have had vulnerabilities discovered in their random number generator, allowing an attacker who obtains enough of its output to predict what it produces next.

Security Roundup - 2016-08-11

Several major security conferences wrapped up in the last week, prompting many interesting articles.

This year’s Pwnie Awards added a few new awards, including ‘Best Cryptographic Attack’ (awarded to DROWN) and ‘Best Backdoor’ (awarded to Juniper).

The Cyber Grand Slam was won by ‘Mayhem’, built by ForAllSecure.

Imperva has discovered a number of vulnerabilities in HTTP/2 implementations, some of which are similar to vulnerabilities that existed in HTTP/1.x.

Checkpoint announced Quadrooter, a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Many popular Android devices use this chipset, and the exploits allow malicious apps to escalate privileges and gain root access to the device.

In another SSL vulnerability with a catchy name, HEIST makes other attacks like BREACH and CRIME easier because it enables the use of malicious JavaScript to measure HTTPS responses, skipping the need to perform a MitM attack.

Two large companies launched bug bounty programs this week. The first is Kaspersky Lab, who wants everyone to report as many bugs as possible. The second is Apple, who continues their efforts to embrace the security community; their payouts of up to $200K make it one of the largest-paying programs available. Despite that, these programs still pale in comparison to the zero-day bounties that black hat groups currently advertise, including $500K for iOS 9.3+ exploits.

Who has their hands in the (session) cookie jar? Two academic researchers set out to find out, simply by listening to traffic on wifi networks. Using simple traffic sniffing tools, they were able to discover large amounts of data including usernames, email addresses, and occasionally even address information.

A security researcher has written a tool called ‘OnionScan’, which is used to find vulnerabilities and data leaks in TOR hidden services. Their goal is to help increase anonymity on TOR by helping operators further secure their sites.

Security researchers have discovered a very persistent malware platform dubbed ProjectSauron. While found on a number of targets, the fingerprints for every version are unique enough that no overall patterns have emerged. Due to the overall sophistication, it is currently believed to be at least funded by a nation state. Given that it had gone undetected for 5 years, what level of sophistication is possible today?

Rapid7 has apparently discovered a timing attack on chip and PIN cards, where an attacker can make small changes to PoS terminals to clone cards, and then use them with a recorded PIN for a small window of time. While the window is in the range of minutes, this potentially still allows for some quick withdrawals.

Have you thought about the fact that your monitor contains a computer, and that it is insecure? One security researcher did, and figured out a method to exploit it. Who monitors your monitor? Somewhat similarly, researchers have demonstrated a way to hijack a phone’s ability to output HDMI in order to tap in and record screen content over USB. They set up some fake charging stations at DefCon to demonstrate.

Industrial automakers use common communication standards across a variety of vehicles (including transport trucks and buses). University of Michigan researchers have done an audit and found it is easy to take control of most of these vehicles’ systems. While they relied on physical access, there is no reason to believe a wireless attack wouldn’t be possible in the future. In other news, Charlie Miller and Chris Valasek, who have been pioneers in automotive hacking, have delivered their final DefCon talk on the subject. Their latest research involved tricking systems into diagnostics mode in order to bypass some protections.

You would think digital locks would be locked down, but security researchers found that is far from the case after analyzing 16 smart locks. They were able to unlock 75% of them, through a mix of passwords sent in plaintext, replay attacks, and sending malformed data to trigger an error state.

Following up on SMS again, it looks like a number of Telegram accounts have been compromised due to a weakness in using SMS to activate new devices.

As always, BleepingComputer has the best ransomware roundup. This week includes a number of ‘educational’ ransomware variants, and many new variants in general.

Security Roundup - 2016-08-03

Motherboard editor Kate Lunau recently went to a Toronto Hackerspace and learned how to pick locks. She gives an interesting analogy between physical security and digital security. We lock our doors every day, but how secure are they really? We use various websites and share our information every day, but how safe are they really? Pentesters test for digital security similar to how lock pickers have been testing locks for ages, and lock disclosure is a thing too.

Don’t forget to secure your development environment! One hacker details how he infiltrated Imgur’s dev environment and managed to find production credentials that could be utilized to escalate access.

As a follow-up to last week’s LastPass exploits, it turns out that there were actually two. The first allowed an attacker to use JavaScript to extract passwords. The second is a bit more sophisticated, and requires a user to be lured to a malicious site; once that happens, an attacker could execute a number of actions on the user’s behalf. LastPass has already addressed both and asks users to upgrade accordingly.

One user has a new solution to the Internet of Things access problem. Rather than access in the clear over the internet, or route through a third party, what if you hid your things behind TOR. By using TOR’s hidden services as the access point for remote management, the software in question is able to avoid a host of problems, such as automatic enumeration by services like While perhaps not for the average person (yet), just wrap a fancy app around it and who knows?

Motherboard is running a video series called ‘Can I Hack It?’. The latest video is titled ‘How Hackers Could Wirelessly Bug Your Office’, where some white hat hackers demonstrate how they can update devices remotely in order to exfiltrate data unexpectedly.

The 11th HOPE Conference ran from July 22nd to July 24th. There were a lot of great talks, which are now available online. Some suggested viewing:

Last week, NIST suggested that two-factor authentication over SMS be deprecated. DUO is on board with this change, but the U.S. Social Security Administration just rolled out two-factor auth over SMS.

Cisco has released their Midyear Cybersecurity Report. A few key takeaways:

  • Ransomware is going to continue to expand. Cisco predicts that attackers will write more sophisticated ransomware that will spread across an organization and then start encrypting in parallel, maximizing the damage.
  • As the number of system vulnerabilities disclosed has grown in the last year, so has the importance of a proper patching cadence. The longer a company leaves a vulnerability exposed, the more time attackers have to use it to gain a foothold. Using their own devices as an example, they analyzed 115,000 devices and found 23% of them had vulnerabilities 5 years or older, with 92% of the devices having some known vulnerability.
  • Many attack types (ransomware, malicious ads, botnets) are increasingly using encryption, from communicating through TLS to using TOR to obfuscate network communications.

As always, BleepingComputer has the best ransomware roundup. This week includes the NoMoreRansomware initiative going public, new ransomware, more decryptors, and Mischa and Petya becoming Ransomware as a Service.

Security Roundup - 2016-07-28

KeePass, a password management system, is getting a code audit thanks to a pilot project by the European Parliament. Other projects proposed to be audited include the Apache HTTP server, Linux and MySQL.

Do you allow data to be exported as a CSV? Then you might be subjecting your users to CSV injection exploits. Essentially, if someone can insert data that is not sanitized, and that data is exported and opened by something like Excel, it could execute arbitrary code on the recipient’s machine.
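The usual defence is to neutralize any cell that a spreadsheet would parse as a formula before it reaches the export. The following is an added example written for this post, not code from the original or from any product it mentions; the sample rows are constructed, and the formula used in them is a harmless `=SUM(1,2)` that stands in for whatever an attacker might supply.

```python
import csv
import io

# Leading characters that Excel and LibreOffice treat as the start of a formula
# (tab and carriage return can smuggle a formula past a naive "=" check).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a value that a spreadsheet will render as literal text.

    Genuine numbers produced by the application pass through unchanged, so
    negative amounts keep working; any string that starts with a formula
    prefix gets a leading single quote, which forces text interpretation.
    """
    if value is None:
        return ""
    if isinstance(value, bool):
        return str(value)
    if isinstance(value, (int, float)):
        return value
    text = str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_rows(rows):
    """Serialise rows to CSV text with every string cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_NONNUMERIC, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the "note" column is user-supplied text, the
    # "balance" column is a number computed by the application.
    rows = [["user", "note", "balance"],
            ["alice", "=SUM(1,2)", 10],
            ["bob", "plain text", -5]]
    print(export_rows(rows))
```

Keeping numeric columns as real numbers rather than strings is what lets `-5` survive as a value while a user-supplied `"-5"` is still neutralized.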

NIST has issued a new draft of secure communication guidelines, most notably tightening up two-factor auth recommendations by suggesting the deprecation of SMS two-factor auth. Since social engineering has enabled attacks that forward a victim’s SMS messages, this sounds like a good recommendation.

A few stories about bug bounties this week, with Uber fixing a bug allowing customer password resets and PHP having two remote code execution bugs involving the garbage collector.

With the rise of car hacks, the CEO of GM has now said that these incidents are not just a consumer or an automaker problem, but a matter of public safety. This week, the Alliance of Automobile Manufacturers has apparently released a set of security best practices for vehicles.

Meanwhile, Bruce Schneier has a thoughtful article on security in the Internet of Things. Essentially, with the proliferation of connected devices that can also interact with each other, the footprint of things that can be exploited (sometimes in unexpected ways) is expected to increase. Since these devices are also automated, it is easier for attackers to trigger behavior the device owner did not intend before the owner can even react. We have seen this in a number of stories in the last year, from remote camera takeovers to medical devices being infiltrated, and we should expect those stories to continue.

As an example of how ubiquitous connected systems are... do you use a wireless keyboard? Someone could eavesdrop on everything you type, as well as inject keystrokes, from 250 feet away using less than $100 of equipment. Researchers testing a number of currently available models found a complete lack of encryption in 8 out of the 12 they tested.

In responsible disclosure news, Google security researchers have discovered a remote execution bug in LastPass. The two companies are working on a fix.

Talos Intel has a great article on tracking down ties between different malware, where they discover relationships between Jigsaw, Ranscam and AnonPop.

As always, Bleeping Computer has the best ransomware roundup. Beyond the new variants, and unlockers, it appears that the Stampado family that was selling for cheap already has a decryptor.
