Security Roundup - 2016-04-13

Ever heard the story where an attacker can compromise a site just by leaving some USB keys around? Elie decided to put these to the test and found that 48% of users will plug in a drive and open a file. 20% of the drives were connected in the first hour, the first being connected and a file opened within 6 minutes of the experiment starting.

Who phishes the phishers? PhishMe posts about a CEO wire transfer fraud attack directed at them, and how they decided to deal with it. Phishing a phishing defense company? Probably not the greatest idea.

Google just published a paper on their ‘trust nothing’ policy, where trust nothing means also not trusting internal networks. This means that attackers that make it past the perimeter still have to deal with a hard, crunchy interior. The Register has a nice summary.

An interesting article on how Bitcoin is not entirely anonymous. By monitoring the entire blockchain and grouping transactions together, you can actually figure out what services an individual is using, which could lead to services being able to refuse funds from users based on activity.

Talos Intel provides an informative write up of the ‘Past, Present and Future of Ransomware’. The future? Moving from phishing payloads to becoming worms targeting internal vulnerabilities and/or other malware to propagate through networks. Checkpoint has an interesting perspective where they view Ransomware as increasing rapidly, with the previously lucrative banking trojans on a decline. Ransomware is proving to be much simpler to develop vs banking trojans which have to be customized for specific banks, thus allowing them to reach a larger audience of victims.

Locky, unsurprisingly, continues to evolve. Newest changes include a more robust Domain Generation Algorithm (DGA) to avoid detection of outbound communications, saving data in random registry keys to avoid detection, and additional code obfuscation.

Several high profile sites, such as the New York Times and the BBC, have been impacted by Malvertising, a classic third party attack where bad actors use ad networks to inject hostile payloads into sites. Checkpoint has a brief history.

Security Roundup - 2016-04-07

Latest batch of interesting Security news.

Cloudflare has written an interesting article on the Trouble With Tor. Tor is an important tool for anonymity on the internet, but 94% of requests Cloudflare sees from Tor are malicious. Cloudflare offers an honest discussion regarding Tor, how they balance protecting their customers while still respecting the anonymity and usefulness Tor can provide, and how they are hoping to improve their methods to that end.

Did you know that the reference implementations of the next round of Crypto mechanisms come with large contributions from a single individual? One Peter Gutmann posts about the Impending Crypto Monoculture.

LastLine Labs recently blogged about a number of interesting malware trends: Code signing of malware is on a steady incline, malware is increasingly changing browser settings like setting a proxy to reroute traffic, malware that brute forces passwords is also increasing, and malware with evasion capabilities is pretty much the norm.

Locky continues to evolve since its introduction in February. CheckPoint has noticed that it is now also being distributed via exploit kits, rather than exclusively via spam. Additionally, Locky has started making small changes to how it communicates with Command & Control (C2) servers, but enough to evade initial detection.

Fortinet has a report on the latest ransomware family. KimcilWare is a new ransomware targeting Magento eCommerce sites. In addition to encrypting files, it also acts as a backdoor. Fortinet has a great investigative writeup of how it works and backtracks it to the individual and group responsible.

Threatpost has an article on how Firefox’s extension framework does not isolate plugins. This could allow for a plugin that doesn’t look malicious as part of the validation process to actually leverage other plugins to do unintended things. Google Chrome and Microsoft Edge already sandbox extensions. Firefox plans to correct this problem later this year.

In ironic news, CNBC apparently offered a password strength widget in order to educate readers on how strong their passwords were. Unfortunately, anyone who used it should change their password, as the form actually submitted the password to CNBC in plaintext, and probably forwarded it to third parties as well.

BREACH, the compression side channel attack on HTTPS, is back, with a new variant dubbed Rupture. The researchers presented their findings at Black Hat Asia last week and have demonstrated practical attacks to steal secrets from Facebook and Gmail chat sessions.

Mitre, manager of the CVE database, has recently been criticized for the length of time it takes for a vulnerability to be reviewed and assigned a CVE. They have announced that they are planning to decentralize the system, citing the doubling of CVEs year over year (20k CVEs were issued in 2015 vs 10k in 2014). This plan has received some criticism from the Open Source Vulnerability Database (which just announced they are shutting down), which points out facts such as Mitre falling behind other vulnerability databases by as many as 6k issues in 2015 alone (indicating Mitre missed more than 23% of reported vulnerabilities) and Mitre refusing to create CVEs for products they don’t monitor. The Register also has some commentary which suggests the proposed format change will require rewrites of existing tools, which is not particularly desirable for a ‘pilot project’ that may be discarded.

Security Roundup - 2016-03-30

Whitehat Security recently did a study of patching cadence across a number of websites. This includes a follow up survey on what drives remediation efforts, which I found interesting.

Duo has an article/paper on the various ways that Windows OEM laptops are compromising your privacy and safety, and what you can do about it.

Checkpoint has a brief article on how people get around Apple’s walled garden on iOS for malicious purposes. Apple has been making a number of improvements to secure their devices, but they have teased that they will be announcing some workarounds at Blackhat Singapore on Friday.

Rapid7 has an interesting article on the Topology of Malicious Activity in the IPv4 space. Of the 65,000 autonomous systems existing today, 200 are apparently responsible for 70% of all phishing activity.

Google has made a number of changes to Gmail to highlight whether emails were delivered without TLS encryption. As a result, they have seen a 25% increase in TLS encrypted emails already. They have also further highlighted state sponsored attack warnings. Finally, they have teamed up with industry leaders to do a draft on Strict Transport Security, for emails that can ONLY be delivered over encrypted channels, a sharp contrast to regular ‘backwards compatible’ email recommendations.

Ransomware Roundup!

Apparently TeslaCrypt is now generating random encryption keys and sending them to remote servers, meaning that investigators cannot obtain the key locally to unlock files. In related news, EC-Council, the company administering the Certified Ethical Hacker program, has had a subdomain compromised and has been distributing TeslaCrypt as a result.

ThreatPost has some interesting information on two new strains of ransomware, SamSam and Maktub. These strains are following the trend of attacking hospital systems, and get into the system by looking for unpatched software.

Another new ransomware strain, Petya, has upped the game by encrypting Master Boot Records and then attempting to encrypt the Master File Table to make files inaccessible to users.

Yet another Ransomware variety, PowerWare, has upped the game in a different direction. It is leveraging macros (to be fair, a traditional form of delivery of malware) to avoid writing additional files to disk, and better blend in as actual user activity.

Security Roundup - 2016-03-23

Latest stories for you all!

My co-worker Asim mentions that iMessages are open to a MitM attack where attackers can gain enough data and have enough tries to brute force files from Apple’s servers. One of the researchers has posted an in depth description of the problem.

EFF apparently has a secure messaging scorecard, based on factors such as security in transit, security at rest, and whether the code is open and has been audited.

Google has announced they are expanding their certificate transparency project to include a log of certificate chains that are no longer trusted by browsers, or are pending inclusion into browsers. In additional Google security news, they recently announced a new transparency initiative around their own encryption efforts. ~77% of their traffic is now encrypted.

NIST just released a new draft on Cryptographic Standards in the Federal Government.

Uber just started a bug bounty program, and it looks like they are going to try gamification to keep researchers interested in trying to discover problems. Contrast this to the DoD, which started a program requiring researchers to jump through hoops to be ‘allowed’ to look at things. Not on the list? Well, that is apparently what legal threats are for. And finally, this year’s Pwn2Own has wrapped up, leading to 21 new browser based vulnerabilities being disclosed.

Locky AND hospital security? This appears to be the case for the Methodist Hospital in Kentucky. And for those surprised about finding hospital devices on the internet, ThreatPost has an article on serial servers with dumb defaults, these being used to attach medical devices to networks.

Krebs also has an interesting article on spam and malware providers abusing open redirect systems on .gov sites to make links more trusted.

Security Roundup - 2016-03-16

In an amusing example of ‘trust but verify’, there is a story of data collection UIs not sanitizing input when displaying to users.

Last year Google Research apparently published “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google”, and I have discovered a quick summary of the paper. Summary of the summary: online guessing attacks can be fairly effective and cheap.

Security company Staminus Communications was hacked last week. Hackers dumped the data and started with a list of “TIPS WHEN RUNNING A SECURITY COMPANY”.

After last week’s mention that Google open sourced their vendor survey system, my co-worker Bennet pointed out that Facebook has a program called ‘Facebook for Work’ and they are considering how to do vendor risk assessment.

Interested in hacking your vehicle? BoingBoing has a short review of the new edition of The Car Hacker’s Handbook.

For those who love dashboards, I just discovered the Kaspersky Cyberstat board.
