Security Roundup - 2018-04-12

The ‘convenience’ of a Bluetooth credit card. Who would have imagined that wirelessly enabling credit cards would be a problem? Several ‘consolidated’ credit cards have hit the market in the last few years, and now researchers have broken into them. In particular, the FUZE card can be broken into with only seconds of physical access (like when you hand it over to pay), after which credit card details can be downloaded over Bluetooth as long as the card remains in range.

Phishing attacks can leverage email handling discrepancies. Did you know that Gmail ignores the . character in email addresses? A software engineer discovered this the other day when they received an unexpected email from Netflix that a credit card had been declined. Only it wasn’t their credit card, but someone else’s account with a . in the email address. Was this an honest mistake? Or potentially a new scam to try to collect accounts being paid off by unsuspecting people?
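Services that key accounts on the raw address string can end up with two customers who share one Gmail inbox, which is exactly how the Netflix notice above went astray. The following is an added example (not from the post or from Netflix) of canonicalising addresses the way Gmail delivers them, so a registration or notification pipeline can spot the collision; it assumes googlemail.com is an alias of gmail.com and that Gmail also ignores a +tag suffix, both documented Gmail behaviour that the post itself does not cover.

```python
from collections import defaultdict
from typing import Dict, List

# Domains served by Gmail. Gmail ignores '.' in the local part (the post's point)
# and anything after '+' (documented Gmail behaviour, assumed here).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Return the mailbox an address actually delivers to.

    Gmail: lowercase, drop dots and any +tag in the local part.
    Everyone else: only the domain is case-insensitive, so the local
    part is left alone apart from surrounding whitespace."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_colliding_accounts(addresses: List[str]) -> Dict[str, List[str]]:
    """Group registered addresses that all deliver to the same inbox.

    Two distinct accounts in one group mean a billing notice or password
    reset for one of them lands in the other customer's mailbox."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for a in addresses:
        groups[canonical_email(a)].append(a)
    return {inbox: variants for inbox, variants in groups.items() if len(variants) > 1}


# Constructed sample customer list with dotted Gmail variants.
SAMPLE_ACCOUNTS = [
    "john.doe@gmail.com",
    "JohnDoe@gmail.com",
    "j.o.h.n.d.o.e@googlemail.com",
    "jane.doe@example.com",
    "janedoe@example.com",   # non-Gmail: dots are significant, no collision
]

if __name__ == "__main__":
    for inbox, variants in find_colliding_accounts(SAMPLE_ACCOUNTS).items():
        print(inbox, "<-", variants)
```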

Harmless social quiz, or tactical information harvesting? Have you ever thought about how much information you are potentially giving away with small quizzes on social sites? Have you ever looked at these questions and felt some of them may be very similar to your password recovery questions?

2017 Hacked Website Report. Sucuri has released their annual hacked website report. There are some interesting items including:

  • WordPress is the most prevalent CMS, and the one that is most likely to be up to date. BUT since it is so common, it also ends up being the platform with the most infections over the same period.
  • Only 17% of websites Sucuri identified as compromised ended up on blacklists in the same interval.
  • The number of infected files needing cleaning almost doubled YoY, demonstrating an increase in depth of compromise.

How (not) to do session management. What happens when you design session management where sessions are timestamps and never seem to expire? This blog post, for one, where one researcher noticed he could effectively gain access to any client’s files for a specific cloud data storage company.
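The contrast between that design and a sound one, as an added example (not code from the post or from the company involved): the naive token is a bare timestamp, while the hardened store issues opaque random ids and enforces both an absolute lifetime and an idle timeout. The TTL values are a constructed policy, not anything the post states.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

ABSOLUTE_TTL = 8 * 3600   # hard cap on session lifetime, seconds (constructed policy)
IDLE_TTL = 30 * 60        # sliding inactivity timeout, seconds (constructed policy)


def naive_token(now: float) -> str:
    """The anti-pattern from the post: the session id is just a timestamp.
    It is predictable to anyone who knows roughly when a login happened,
    and nothing about the value lets the server decide it has expired."""
    return str(int(now))


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session store: opaque random ids, absolute and idle expiry."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
        self._sessions[token] = Session(user, now, now)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the owning user, or None if the id is unknown or expired.
        Expired entries are evicted so they cannot be revived later."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created > ABSOLUTE_TTL or now - s.last_seen > IDLE_TTL:
            self._sessions.pop(token, None)
            return None
        s.last_seen = now          # slide the idle window on genuine use
        return s.user

    def revoke(self, token: str) -> None:
        """Logout or compromise response: drop the session immediately."""
        self._sessions.pop(token, None)
```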

Malware code signing abuse deep dive. We’ve talked about malware code signing recently, but Trend Micro does a further deep dive on the topic. Interestingly, they see more signed malware than signed legitimate apps.

On the lifecycle of exploit development. There is obviously much interest in how long it takes from an exploit becoming known to its being used in the wild. One security researcher was surprised to discover that some SQL injection vulnerabilities he had documented had not been used and decided to find out why. This seems to be in part due to malicious actors monitoring certain sites, where if an exploit is not disclosed on those sites it might be ignored.

Security Roundup - 2018-04-05

Panera Bread data leak. The big news this week was Panera’s treatment of a security disclosure, where they did not address a security flaw that exposed user information for 8 months. Panera was driven to take action only after the security researcher reached out to Brian Krebs, who published a scathing article on the details. You can read the researcher’s story here.

Honeypot, meet HoneyBot. In an ever more connected world, there is increased concern about the security of connected devices, including robots. Now, one set of researchers has started experimenting with HoneyBots, taking the concept of a honeypot, where researchers observe malicious users, and applying it to robots.

Chat widgets leak PII. Security researchers discovered that a number of live chat systems, used by companies including Google, Verizon and Disney, were leaking actual employee names and other identifying details. This could lead to tailored social engineering attacks, or even directed harassment of employees.

Obfuscation through legitimate appearances. Analysts at Sucuri had fun analyzing what at first glance may look like an innocent file with proper code structure, but turned out to be obfuscated WordPress malware.

Privacy in DNS. While the push for TLS to provide secure communications continues, others have decided to look at other points of internet privacy. Now, while communications over TLS may be unknowable, someone still knows who you are calling due to DNS. There are now numerous researchers looking at this problem, from OpenDNS, which has run DNSCrypt for several years, to Cloudflare, which is pushing DNS over TLS and just launched a new resolver, and even academic researchers at Princeton who are working on Oblivious DNS.

Security Roundup - 2018-03-29

Processor-based attacks continue to be researched. It should surprise no one that security researchers have begun a close inspection of the hardware platforms our software runs on. The latest one, called BranchPredictor, appears to be a complement to Spectre. Where Spectre leverages cached branch predictions, BranchPredictor tries to prime branch prediction for exploitation. Meanwhile, Microsoft released a bad patch for Meltdown on Windows 7 machines allowing programs to read and write to arbitrary memory locations (including what would otherwise be protected kernel memory).

Your library account has expired. That is the beginning of a highly effective phishing hook that a set of hackers used for years, resulting in intrusions into at least 300 universities. The phishing lures were so successful that the text rarely changed over the course of four years, according to researchers studying these campaigns.

DNS over HTTPS promises security, brings privacy concerns. DNS is one of the primary protocols used on the internet. It was, however, not built with security or privacy in mind, meaning that anyone able to monitor your traffic can see which servers you are trying to contact. DNS over HTTPS (DoH) is a proposed solution undergoing discussion at the IETF. In the wake of Facebook’s privacy leaks, privacy advocates worry that one level of privacy protection will enable more centralized points of spying.

Invasive introspection of microcontroller firmware. How far do you think one would go to reverse engineer programs on a hardware chip? Researchers at Duo Security show you just how far down the rabbit hole they have gone.

GoScanSSH targets multiple devices. A new malware strain that has been active since at least June 2017 has been discovered by TalosIntel. What is of interest about this malware is its use of Golang to target multiple hardware architectures. The software itself uses an extensive list of 7K usernames and passwords to break in, as well as a blacklist of IP blocks to try to avoid the scrutiny of government actors.

Security Roundup - 2018-03-22

Pwn2Own 2018 Results. This year’s Pwn2Own competition - where browser and virtual machine vendors challenge hackers to break their protections - has concluded, and as in previous years a number of exploits have been discovered in major browsers, resulting in a grand total of $267K in bounties being paid out across the two days.

BitTorrent software victim of supply chain attack. The latest reported supply chain attack has occurred against the BitTorrent client MediaGet, resulting in 400K machines being infected in just 12 hours. The attack was unsuccessful as Windows Defender picked up on the cryptominer and prevented the install.

Burying your head in the sand. In what appears to be a case of willful ignorance, check out this story about a company that appears to be ignoring news about its data being exposed. Allegedly, the company in question is making it as hard as possible for someone to disclose, even going as far as to block them on Twitter.

Chrome extension designed to thwart CPU side-channel attacks. Researchers who have contributed to CPU side-channel investigation (including Rowhammer, Meltdown, and Spectre) have used their findings to identify several categories these attacks exploit and then build a defense for them. Released as the browser extension ‘Chrome Zero’, the application intercepts JavaScript and rewrites it before it gets interpreted, attempting to neutralize any side channels that could be exploited.

More IoT vulnerabilities. A number of high-severity CVEs have been issued for a number of IP-enabled security cameras. The flaws have such far-reaching consequences that the manufacturer has opted to release an update to fix them, despite some of the products actually being end of life.

Breaking into encrypted external hard drives. I found this article on one user’s hobby of breaking into encrypted hard drives fascinating. This is one of those external hard drives that has hardware encryption and a keypad to unlock the device, and the interested party here figured out how to actually pull the PIN from the hardware.

Cryptocurrency hardware wallet defeated by teenager. In a similar story, a cryptocurrency wallet was reported to have security flaws that could allow attackers to install custom software on it, and this was discovered by a 15-year-old. The flaw stems from the fact that the device has both a secure processor and an insecure processor; since the two can (and have to!) communicate, this potentially allows attackers to siphon off keys.

Bug Bounty Bonanza. Lots of prominent bug bounty news lately, starting with Microsoft announcing a big bounty for CPU flaws like Spectre and Meltdown, with a bounty of up to $250K. Second, Box has announced updates to their Vulnerability Disclosure Program (VDP), simplifying their guidelines for clarity and to better protect white hats from potential legal threats. Finally, Netflix has announced their own public bug bounty program, after running a VDP for a number of years.

Security Roundup - 2018-03-16

AMD vulnerabilities spark controversy. Security research firm CTS Labs turned heads this week after publicly disclosing a number of AMD vulnerabilities on very short notice. CTS Labs defends their actions by suggesting responsible disclosure is broken, and that they were trying to find a balance between zero-day notice and full technical disclosure. The exploits themselves appear to require admin access to the machines, but are still a potential cause for worry since they could result in persistent threats outside of the regular operating system.

More Enigma 2018 Roundup. Lots of content from Enigma, and I just had to share some more!

  • Anatomy of Account Takeover from Google Security. They apparently collected 4K data breach dumps with 3.3B credentials in 2016. In comparison, at time of writing, HaveIBeenPwned has ~5B credentials from 271 breached sites over all time. They break down the risk from breaches vs keyloggers vs phishing, as well as investigate the low adoption of additional security measures by users, and go over what additional steps they take to try to protect their millions of users.
  • Insecurity In Information Technology. About moving beyond a culture of blame or overwhelming people with information of varying actionability and engaging and empowering developers such that they embrace “Security is Everyone’s Job”.
  • Surfing the Motivation Wave to Create Security Behavior Change. More on understanding and trying to influence positive vs negative behavioral changes within a company.

Mobile malware adopts sandbox evasion. At a recent security conference, a member of Google Play’s security team went into how mobile apps are trying to avoid detection. The examples described appear to be similar to sandbox evasion, where depending on the environment the malware will perform different actions.

NSA tools reveal known unknowns. One security researcher has been fascinated with exploring the tools leaked by the Shadow Brokers last year. In particular, he is trying to figure out what threats the NSA may have known about, compared to what threats we currently know about. So far, he has found references to malware we know about, but where the NSA’s knowledge predates public knowledge significantly, as well as some references he is currently unable to match against public samples.
