Security Roundup - 2016-03-09

Check Point has a nice article on ‘Why Visibility Is Critical To Your Security Management Program’, and I feel there is a lot of overlap with ‘Why Visibility Is Critical To Your Third Party Risk Management Program’.

Google just open-sourced their Vendor Security Assessment Questionnaire system, which they use to automate the survey process they run against hundreds of vendors each year.

For those interested in a VPN, one reddit user has compiled a giant list of data points on over 100 VPN services.

High Scalability has an article on backdoors and code reviews.

Use your fingerprint to unlock your smartphone? You might want to watch this video.

My co-worker Bennet has pointed out that Akamai has released their Q4 State of the Internet report, detailing the attacks they are seeing against their customers. Overall DDoS was up 150% YoY. Application-level attacks increased 28% QoQ, with 59% of application-level attacks targeting retailers.

Following up on the previous Locky news, Check Point has some more information, including volume (100K attempts on their clients in 2 weeks), data collection analysis, server identification, and some DGA analysis.

Because it is tax season, phishing scams are going after W-2 forms. Unfortunately, companies are handing them over by the thousands, including Seagate.

WordPress powers tens of millions of websites, and hacking them is big business. Recently, Sucuri noticed that popular but largely abandoned plugins have been taken over and used to inject vulnerabilities. Of course, not upgrading plugins leaves you open to old vulnerabilities like this RevSlider one. Google dorking is being used to find vulnerable sites, and the culprit is leveraging Google’s large number of TLDs to get around the CAPTCHA search limits.

Security Roundup - 2016-03-02

Yesterday, a new TLS vulnerability called DROWN was revealed; it uses weaknesses in SSLv2 to attack TLS. Cloudflare has already announced that anyone using their platform is protected.

Speaking of Cloudflare, they have decided to become their own registrar, with extra security built in. They have also built a handy ‘best practices’ checker for DNS security, which contains some interesting things people might want to consider doing.

In the growing trend of hospital hacks, the Independent Security Auditors group recently released a report on Hacking Hospitals. They found that the primary focus is on protecting PII and PHI, with much less attention paid to protecting the devices that are keeping lots of people alive.

When everything is connected, can you even trust your car? Nissan Leaf owners who use the companion app were exposed to attackers hijacking some functions and retrieving trip logs and user identities. The app used only the VIN for identification, so bad actors could even do drive-by detection. Nissan has shut down the app while they work on a fix. According to a recent report, car manufacturers are three years behind current cybersecurity threats.

Security Roundup - 2016-02-26

Krebs mentions some increasingly sophisticated phone scams targeting Dell customers. The callers allegedly provide the correct unique service tags of Dell equipment, as well as historical service records. Dell currently says their customer data has not been breached.

I think biometric security is a big miss, but that isn’t stopping HSBC from rolling out “Voice ID” to 15 million customers. Meanwhile, it looks like the FBI could potentially use the fingerprints of dead people to unlock devices.

Checking input is important! Even barcode scanners can be subject to string injection attacks.

WordPress is the new botnet. Simple abuse of the XML-RPC pingback method allows attackers to flood a target with HTTP requests.

Akamai is rolling out a tool to allow users to better monitor and analyze bot traffic and take whatever action they want.

Security Roundup - 2016-02-26

Using a default password for your device sucks. TP-LINK chose not to do this, but ended up using a unique password that the device itself broadcasts. I actually have one of these, and did not make the connection when originally setting it up.

A default app on the LG G3 phone doesn’t validate data, allowing arbitrary JavaScript to run code, including system code. This demonstrates the importance of validating user-supplied data.

Patchwork Security tries monitoring Heroku dynos for security upgrades. Initial findings are that things are not upgraded quickly, but the overall observation window is quite small.

Norse Corp seems to be imploding, and Krebs has some details, including a History of Norse Corp. There are some fun comments on this Hacker News thread.

The NSA TAO Chief talks about Disrupting Nation State Hackers at Enigma 2016. He goes into the ways in which they exploit networks, which he generalizes as ‘knowing a network better than the people who set it up’ and ‘Poke and prod it, just like an adversary would do’.

A user figures out how Shodan.io is discovering and scanning IPv6 addresses. It looks like they have added nodes to the NTP pool and are harvesting the IP addresses of requesting hosts to figure out which ones to scan. It also looks like Check Point has classified Shodan as a threat and has made attempts to thwart its scans.

Security Roundup - 2016-02-24

Sara “Scout” Sinclair Brody, former product manager at Google and Executive Director of the new Simply Secure organization, has an interesting article on how security software should be more usable for the average person.

Fraud! Ever wondered how banks figure out whether activity is fraudulent? Art forgery is fairly prevalent, and one scientist has come up with a method of ‘synthetic DNA authentication’ that hides unique one-time codes in DNA.

Thanks to my co-worker Marcello for pointing out the severity of CVE-2015-7547. Dan Kaminsky has a detailed explanation of why it is bad to have a bug like this in such a low-level library, as so much that uses DNS is built on top of it.

Linux Mint’s server was hacked this week, resulting in their distribution being backdoored before the maintainers shut things down. The hacker responsible apparently did an interview, indicating they were hoping to build a botnet.

As a consumer of threat intelligence, I find Netflix’s FIDO Automatic Security Incident Response system super interesting.

Comodo, the ‘leading Internet Security Provider’, has been found not only to have disabled some security protections in their custom browser, but, more recently, to bundle a VNC server with a discoverable password.

There is a new ransomware package on the loose named Locky. Here is a detailed breakdown of the phishing, social engineering, and technical steps it takes to take over your system.
