Security Roundup - 2018-03-09

USENIX Enigma 2018 videos. Missed USENIX Enigma 2018? Videos started showing up on YouTube, so you can catch up on the latest privacy and security research, including (but not limited to) topics like:

How to break encryption. Want to know more about how researchers break ransomware? You may want to start reading MalwareBytes Encryption 101 series, where this week they go over identifying crypto and finding weaknesses in its usage.

Breaking down a RAT. And for even more malware breakdown, Objective-See dissects a remote access trojan that (at time of writing) was not picked up by AV. It was found by searching VirusTotal for references to a database tied to a previously exploitable (now patched) OSX weakness, which several malware authors still check for.

Are voting machines truly divorced from the internet? This is the question a Princeton professor explores in this article, since voting machines still have modems. Because the modem connection is more like a voice call, there may be some insulation from the internet, but one problem will always exist: the communication is still routed, opening the possibility of an exploit somewhere along the path that lets an attacker tap the communication, something US-CERT has called attention to. The researchers point out that there is an easier way: use the concept behind the Stingray to act as a cell tower and MitM the communication path, which puts the attacker much closer to the intended target and makes a successful interception more likely.

New 4G vulnerabilities discovered. Speaking of mobile network vulnerabilities, researchers from Purdue and Iowa University have built a tool to scan for 4G vulnerabilities and published some of their results. Spoilers: attacks exist, and there are several.

WebUSB undermines physical token security. WebUSB is a feature that allows websites to access USB content, ostensibly for things like VR and 3D printers. However, researchers have used it to trigger a query to connected 2FA tokens and, if combined with tricking the user into entering their password, could be used to take over accounts otherwise secured by 2FA.

The history of L0pht. L0pht was one of the early and influential hacker groups of the last 25 years, and Duo has a four-part exposé on their history. In the beginning, it all started with people dialing into BBSes and sharing information, and then moved in person to a shared loft space…

Security Roundup - 2018-03-01

Biggest DDoS attack to date hits GitHub. And GitHub (relatively) came through with only minor bruises, despite traffic being measured at 1.35 terabits per second. Akamai Technologies thwarted the attack, having planned for 5x the traffic volume of the last major DDoS attack at 1.2 terabits/second. The attack leveraged memcached, a service used as a key-value store to speed up data lookups, of which Shodan.io indicates ~90k instances open on the internet and Rapid7 indicates similar numbers at around 100K instances.

Trustico or trust no more? TLS certificate reseller Trustico hit the limelight this week when they attempted to revoke 50K TLS certificates they had issued and, as proof, emailed DigiCert 23K private keys. Certificate authorities are not supposed to store private keys, since a leaked or stolen key can be used to MitM traffic or let someone masquerade as a legitimate site. Trustico is in some hot water over this revelation, as security researchers have found certificates for companies like banks among them.

Counterfeit code certificates more common than expected. Researchers at Recorded Future have indicated that an increase in legitimately signed malware isn’t due to stolen certificates, but actually due to stolen corporate identities allowing criminals to create new signing certificates effectively on demand (and thus undermining their value). While costs are still high, a determined and/or sophisticated user could use these certificates to lower the likelihood that their malware payload is detected as a malicious app.

Password leak checking. Checking for bad passwords got a lot of attention this week due to Troy Hunt releasing v2 of his Pwned Passwords list, designed to allow companies to build in better password checks (now at half a BILLION hashes and including counts for uniqueness checks), as well as news that 1Password was integrating this list into their service to let users know if a new password they would like to use has already been part of a breach.
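An added example (not code from the original post or from the Pwned Passwords project) of how a service can check a candidate password against the v2 list. The list format is one `SHA1HEX:COUNT` line per hash; the two hashes below are real SHA-1 digests of “password” and “123456”, but the counts and the sample list are constructed. The prefix/suffix split mirrors the hosted range lookup, which is an assumption here rather than something the roundup describes: the client computes the full hash locally, sends only the first five hex characters, and matches the remaining suffix itself, so the plaintext never leaves the client.

```python
import hashlib

# Constructed sample in the Pwned Passwords v2 file format: "SHA1HEX:COUNT" per line.
# The digests are real SHA-1 hashes of "password" and "123456"; the counts are made up.
SAMPLE_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003
7C4A8D09CA3762AF61E59520943DC26494F8941B:20760336
"""


def load_counts(text):
    """Parse HASH:COUNT lines into a dict keyed by upper-case hex digest."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, count = line.split(":", 1)
        counts[digest.upper()] = int(count)
    return counts


def sha1_hex(password):
    """Pwned Passwords keys entries by upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(password, counts):
    """Direct lookup: how many times this password's hash appears in the corpus."""
    return counts.get(sha1_hex(password), 0)


def range_lookup(prefix, counts):
    """Everything sharing a 5-hex-char prefix, returned as suffix -> count.
    This stands in for the hosted range query (assumed, not on the page): only the
    prefix leaves the client, and the client matches its own suffix locally."""
    return {h[5:]: c for h, c in counts.items() if h.startswith(prefix)}


def breach_count_via_range(password, counts):
    """Same answer as breach_count, but via the privacy-preserving prefix split."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup(prefix, counts).get(suffix, 0)


def password_acceptable(password, counts, min_length=12):
    """Policy: reject anything seen in a breach first, then enforce a length floor."""
    if breach_count_via_range(password, counts) > 0:
        return False, "password appears in breach corpus"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    table = load_counts(SAMPLE_LIST)
    for candidate in ["password", "123456", "short", "correct horse battery staple"]:
        print(candidate, breach_count(candidate, table), password_acceptable(candidate, table))
```

Checking breach membership before length lets a policy reject “Password1!” style strings that would otherwise pass a complexity rule; the count is also useful for telemetry on how often users pick known-bad passwords.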

Alexa top one million header analysis. Scott Helme has completed his biannual analysis of security header adoption across the Alexa top million. The good news: adoption is increasing, mostly by double digits! The bad news: adoption is still in the single to low double-digit percentage range.
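An added example (not Scott Helme's code or data) of the kind of tally behind an adoption report like this: a set of response headers per site, a case-insensitive presence check for the common security headers, and a percentage per header. The four sites and their headers are constructed. It also shows one caveat a practitioner would want in such a count: an HSTS header with `max-age=0` is a removal instruction, not protection, so “present” and “effective” are reported separately.

```python
SECURITY_HEADERS = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
]

# Constructed sample: site -> response headers as a crawler might record them.
# Header names arrive in whatever case the server sent, so matching is case-insensitive.
SAMPLE_RESPONSES = {
    "a.example": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
    },
    "b.example": {"strict-transport-security": "max-age=0", "x-frame-options": "SAMEORIGIN"},
    "c.example": {"Server": "nginx"},
    "d.example": {"X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer"},
}


def present_headers(headers):
    """Which of the tracked security headers a response carries, ignoring case."""
    names = {k.lower() for k in headers}
    return {h for h in SECURITY_HEADERS if h.lower() in names}


def hsts_effective(headers):
    """True only if HSTS is present with a positive max-age; max-age=0 disables it."""
    for name, value in headers.items():
        if name.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            d = directive.strip().lower()
            if d.startswith("max-age="):
                try:
                    return int(d[len("max-age="):]) > 0
                except ValueError:
                    return False
        return False  # header present but no max-age directive at all
    return False


def adoption_percentages(responses):
    """Percentage of sites sending each tracked header, rounded to one decimal."""
    total = len(responses)
    tally = {h: 0 for h in SECURITY_HEADERS}
    for headers in responses.values():
        for h in present_headers(headers):
            tally[h] += 1
    return {h: round(100 * n / total, 1) for h, n in tally.items()}


def effective_hsts_percentage(responses):
    """Percentage of sites whose HSTS header actually enforces HTTPS."""
    total = len(responses)
    effective = sum(1 for headers in responses.values() if hsts_effective(headers))
    return round(100 * effective / total, 1)


if __name__ == "__main__":
    for header, pct in adoption_percentages(SAMPLE_RESPONSES).items():
        print(f"{header:28s} {pct:5.1f}%")
    print(f"HSTS effective (max-age > 0): {effective_hsts_percentage(SAMPLE_RESPONSES)}%")
```

On the constructed sample HSTS shows 50% presence but only 25% effective adoption, which is why a raw presence count overstates protection; the same distinction applies to a CSP that is `report-only` or an X-Frame-Options value a browser does not honour.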

To disclose, or not to disclose. This is the question more and more security researchers have to ask themselves, as a number of companies have initiated lawsuits against security researchers who publicly revealed their findings. In the age of bug bounty programs like HackerOne and BugCrowd, this seems like two giant steps back.

Security Roundup - 2018-02-16

Telegram 0-day used to install malware. Security researchers at Kaspersky dig into a Telegram 0-day, where attackers used special non-printing characters to convince users they were opening images, when they were in fact executing malicious JavaScript. The resulting malware then used Telegram as a C&C as well as launching bitcoin miners, the monetization strategy du jour.
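An added example (not Kaspersky's code) of a defensive check for the filename trick described above. It assumes the “special non-printing characters” are the Unicode bidirectional control characters, of which the right-to-left override (U+202E) is the one that makes `gnp.js` render as `sj.png`; the roundup itself does not name the characters. The sample filenames are constructed. The renderer simulation is deliberately naive (everything after an RLO is drawn reversed), which is enough to show a reviewer why the displayed extension and the real extension disagree.

```python
# Unicode bidirectional control characters (assumption: these are the "non-printing
# characters" in the report). RLO, U+202E, reverses how the rest of a name is drawn.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Constructed sample of attachment names as a chat client or mail gateway might log them.
SAMPLE_FILENAMES = [
    "holiday.png",
    "photo_high_re\u202egnp.js",   # displays as photo_high_resj.png, really a .js file
    "report.pdf",
]


def find_bidi_controls(name):
    """Positions and short names of every bidi control character in a filename."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def rendered_name(name):
    """Approximate a naive display: drop the controls; after the first RLO, draw the
    remainder of the string right-to-left (i.e. reversed)."""
    out = []
    reverse_from = None
    for ch in name:
        if ch == "\u202e" and reverse_from is None:
            reverse_from = len(out)
        elif ch in BIDI_CONTROLS:
            continue
        else:
            out.append(ch)
    if reverse_from is not None:
        out = out[:reverse_from] + out[reverse_from:][::-1]
    return "".join(out)


def extension_of(name):
    """Lower-case extension after the last dot, or '' if there is none."""
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def analyze_filename(name):
    """Flag any filename containing bidi controls and report what the user would see
    versus what the OS will actually open."""
    controls = find_bidi_controls(name)
    shown = rendered_name(name)
    actual_ext = extension_of(name)
    shown_ext = extension_of(shown)
    return {
        "name": name,
        "controls": controls,
        "rendered_as": shown,
        "actual_ext": actual_ext,
        "rendered_ext": shown_ext,
        "extension_mismatch": actual_ext != shown_ext,
        "suspicious": bool(controls),
    }


def suspicious_filenames(names):
    """Filter helper for a batch of logged attachment names."""
    return [r for r in (analyze_filename(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    for result in suspicious_filenames(SAMPLE_FILENAMES):
        print(f"{result['rendered_as']!r} is really .{result['actual_ext']} "
              f"(controls at {result['controls']})")
```

Treating any bidi control in a filename as suspicious is the right default for an attachment gateway: legitimate filenames essentially never need them, and stripping or quarantining is cheaper than trying to decide which overrides are benign.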

Low powered encryption chip solution to IoT woes? Part of the reason a number of connected devices are insecure is the power usage associated with running cryptographic functions, and device providers' primary focus on utility over security. One of those reasons may disappear soon, as MIT is working on a new low-power cryptographic processor which uses less energy and is faster than software solutions.

DoubleDoor penetrates DoubleDeep. Botnets are evolving with the existence of DoubleDoor, a botnet that uses two exploits to more fully compromise the target. The first is an exploit to gain access to the firewall, giving the attacker internal access. The second uses that vantage point to exploit the target’s modem, in an attempt to be more persistent.

Thousands of websites impacted by domain hijack. Web hosting provider Newtek landed in some trouble when three of their core domains were hijacked, including one that customers used to manage their own sites.

Jumping the (air)gap. There are a number of interesting/esoteric ways in which someone can exfiltrate data off of computers, but using magnetic signals to breach Faraday cages is a new one. While extreme closeness to the device is still necessary, it is interesting to see the ways in which researchers are leveraging all the hardware and the physical properties it exhibits to do the unexpected.

Security Roundup - 2018-02-08

How To Stop Me From Harvesting Sensitive Information From Your Site. In January, we posted about a hypothetical plan to steal sensitive information via pervasive JavaScript plugins. The author has now followed up with what you can do to mitigate the potential threat. It is partially a threat modeling exercise, with the key takeaway being “perhaps you shouldn’t use third party JavaScript in cases where you are collecting sensitive information”.

Cryptominers the new Malware? More and more reports surface of malware authors installing cryptominers, rather than engaging in activities like ransomware. Last year we had Adylkuzz, a cryptominer that spread via the EternalBlue vulnerability. Fast forward to this week, where we have Smominru, a mining malware reported to have made its authors millions in Monero, again leveraging EternalBlue. Not to mention DDG, a mining botnet targeting database servers (presumably with the expectation of more resources to mine). What makes this so much more attractive for attackers is simple: mining requires no action on the part of the user, is much stealthier than encrypting files, and still pays off in cryptocurrency.

Flash 0-day makes the rounds. Still using Flash? Be aware of a Flash 0-day currently being exploited. The twist is that the Flash content is being delivered via specially crafted Microsoft Office documents, rather than directly in the browser. The browser still comes into play once the content is executed, so the simplest defense is to disable Flash everywhere, especially since many users have out-of-date versions installed.

Tech support scammers spam AV company. MalwareBytes experienced a bit of forum spam last week, and ended up tracking it back to a tech support scam. A dive into tech support scams ensues.

Abusing TLS extensions for fun and exfiltration. When is a TLS handshake not a handshake? When it is being used to exfiltrate data, as some security researchers have demonstrated. By leveraging TLS extensions, a malicious user could potentially pass information out and avoid the types of perimeter checks that currently exist.

Don’t forget the small vulnerabilities! Why is it important to limit attack surface? Because even ‘small’ vulnerabilities can be chained to create bigger ones, as Detectify shows with a few examples on their blog.

Why I won’t whitelist your site. Use an ad-blocker? Mike Loukides, VP of Content Strategy for O’Reilly Media, goes into why he uses an ad-blocker and won’t whitelist sites. It all comes down to malware via ads and no one in the industry wanting to take responsibility for any damages.

Security Roundup - 2018-02-01

Self Destructing USB Drives. We’ve covered malicious USB drives many times, including one that will actively break. Going a step further, one budding engineer decided to build a USB drive that would deliver a payload, and then also trigger 5V internally to do something like trigger a small explosive charge.

Malicious extensions not just for Chrome. Perhaps the first instance of a Firefox plugin installing a cryptominer has recently been discovered. The addon is pushed from malicious sites as a ‘Firefox update’, but installs the malicious extension from another site instead, ‘rewarding’ users with spam pop-ups as well as running a cryptocurrency miner in the background.

Google cleans out malicious Android apps. Google has done a retrospective on malicious Android apps in 2017. All in all, they took down over 700K malicious Android apps, and while this was more than a 70% increase over 2016, they claim they halved the chance of someone actually installing a malicious app because they are catching these apps sooner in the process.

Fitness tracker reveals all too much. Fitness tracking company Strava recently released a global ‘heat map’ of user activity. A university student in Australia was the first to point out it showed things like government military bases. Lifehacker reports on how hard it is to make your data private on Strava, though Strava has now indicated they will work on improving privacy and data protection.

All is fair in love and ransomwar? Ransomware authors themselves have raised the alarm that at least one Tor proxy service is replacing the bitcoin wallet addresses in ransom notes with its own. This understandably angers ransomware authors, and probably frustrates ransom payers who are not getting their unlock codes.

Fingerprints are not passwords. And I guess Lenovo recognized this since their fingerprint scanner for some laptops had a hardcoded password to bypass it. Lenovo has submitted an update, so if you are using one of their products be sure to upgrade!

ATM Jackpotting makes its way to America. ‘Jackpotting’ is an ATM-based attack that uses malware to eventually trigger the ATM to spit out all its money, and apparently this has now been recorded as happening in America. Initial reports indicate the malware used is targeted towards a specific manufacturer, but analysts believe it could be modified to work against ATMs from multiple manufacturers. These attacks apparently began late last year, with suspects arrested, though the attack has been known to be feasible since 2010, when it was demonstrated at Black Hat.

CrossRAT Deconstruction. CrossRAT is a RAT which can run on Windows, Linux and OSX. Patrick Wardle of Objective-See breaks down the technical details of this RAT, with perhaps a slight eye on OSX.

GitLab beefs up security for users. GitLab is following in the footsteps of GitHub by working towards integrating security monitoring of project dependencies. GitLab has acquired the startup Gemnasium to further expand this initiative, which will give them an impressive roster of languages they will be checking.
