Security Roundup - 2018-03-16

AMD vulnerabilities spark controversy. Security research firm CT Labs turned heads this week after publicly disclosing a number of AMD vulnerabilities on very short notice. CT Labs defends its actions by arguing that responsible disclosure is broken and that it tried to strike a balance between giving 0-day notice and withholding full technical disclosure. The exploits themselves appear to require admin access to the machines, but they are still a potential cause for worry, since they could result in persistent threats outside of the regular operating system.

More Enigma 2018 Roundup. There was lots of content from Enigma, and we just had to share some more!

  • Anatomy of Account Takeover from Google Security. They apparently collected 4K data breach dumps with 3.3B credentials in 2016. In comparison, at time of writing, HaveIBeenPwned has ~5B credentials from 271 breached sites over all time. They break down the risk from breaches vs keyloggers vs phishing, investigate the low adoption of additional security measures by users, and go over what additional steps they take to try to protect their millions of users.
  • Insecurity In Information Technology. About moving beyond a culture of blame or overwhelming people with information of varying actionability and engaging and empowering developers such that they embrace “Security is Everyone’s Job”.
  • Surfing the Motivation Wave to Create Security Behavior Change. More on understanding and trying to influence positive vs negative behavioral changes within a company.

Mobile malware adopts sandbox evasion. At a recent security conference a member of Google Play’s security team went into how mobile apps are trying to avoid detection. The examples described appear to be similar to sandbox evasion, where the malware performs different actions depending on the environment it finds itself in.

NSA tools reveal known unknowns. One security researcher has been fascinated with exploring the tools leaked by the Shadow Brokers last year. In particular, he is trying to figure out what threats the NSA may have known about, compared to what threats we currently know about. So far, he has found references to malware we know about, but NSA’s knowledge predates public knowledge significantly, as well as some references he is currently unable to match against public samples.

Security Roundup - 2018-03-09

USENIX Enigma 2018 videos. Missed USENIX Enigma 2018? Videos started showing up on YouTube, so you can catch up on the latest privacy and security research, including (but not limited to) topics like:

How to break encryption. Want to know more about how researchers break ransomware? You may want to start reading MalwareBytes Encryption 101 series, where this week they go over identifying crypto and finding weaknesses in its usage.

Breaking down a RAT. And for even more malware breakdown, ObjectiveSee breaks down a remote access trojan that (at time of writing) was not picked up by AV. It was found by searching VirusTotal for references to a database that was previously exploitable in OSX (now patched), since several malware authors still check for this exploit.

Are voting machines truly divorced from the internet? This is the question that a Princeton professor explores in this article, since voting machines still have modems. Since this is more like a voice call, there is possibly some insulation from the internet, but one problem will always exist: this communication is still routed, opening the possibility of some exploit in the pathway that allows an attacker to tap into the communication, which US-CERT has called attention to. But the researchers point out there is an easier way: use the concept behind the Stingray to act as a cell tower and MitM the communication path, putting the attacker much closer to the intended target and making a successful interception more likely.

New 4G vulnerabilities discovered. Speaking of mobile network vulnerabilities, researchers from Purdue and Iowa University have built a tool to scan for 4G vulnerabilities and published some of their results. Spoilers: attacks exist, and there are several.

WebUSB undermines physical token security. WebUSB is a feature that allows websites to access USB content, ostensibly for things like VR and 3D printers. However, researchers have used it to trigger a query to connected 2FA tokens and, if combined with tricking the user into entering their password, could be used to take over accounts otherwise secured by 2FA.

The history of L0pht. L0pht was one of the early and influential hacker groups of the last 25 years, and Duo has a 4 part exposé on their history. In the beginning, it all started with people dialing into BBSes and sharing information, and then moved in person to a shared loft space…

Security Roundup - 2018-03-01

Biggest DDoS attack to date hits Github. And Github (relatively) came through with only minor bruises, despite traffic being measured at 1.35 terabits per second. Akamai Technologies thwarted the attack, having planned for 5x the traffic volume of the last major DDoS attack at 1.2 terabits/second. The attack leveraged memcached, a service used as a key value store to speed up data lookups, of which Shodan.io indicates ~90k instances open on the internet; Rapid7 indicates similar numbers at around 100K instances.

Trustico or trust no more? TLS certificate reseller Trustico hit the limelight this week when they attempted to revoke 50K TLS certificates they had issued and, as proof, emailed Digicert 23K private keys. Certificate Authorities are not supposed to store private keys, since a leaked or stolen key can be used to MitM traffic or allow someone to masquerade as a legitimate site. Trustico is in some hot water over this revelation, as security researchers have found certificates for companies like banks among them.

Counterfeit code certificates more common than expected. Researchers at Recorded Future have indicated that an increase in legitimately signed malware isn’t due to stolen certificates, but actually due to stolen corporate identities allowing criminals to create new signing certificates effectively on demand (and thus undermining their value). While costs are still high, a determined and/or sophisticated user could use these certificates to lower the likelihood that their malware payload is detected as a malicious app.

Password leak checking. Checking for bad passwords got a lot of attention this week due to Troy Hunt releasing v2 of his Pwned Passwords list, designed to allow companies to build in better password checks (now at half a BILLION hashes and including counts for uniqueness checks), as well as news that 1Password was integrating this list into their service to let users know if a new password they would like to use has already appeared in a breach.

Alexa top one million header analysis. Scott Helme has completed his biannual analysis of security header adoption for the Alexa top million. In good news, adoption is increasing, mostly by double digits! Bad news: adoption is still in the single to low double digit ranges.

To disclose, or not to disclose. This is the question more and more security researchers are starting to have to ask themselves, as a number of companies have initiated lawsuits against security researchers that have publicly revealed their findings. In the age of bug bounty programs like HackerOne and BugCrowd, this seems like two giant steps back.

Security Roundup - 2018-02-16

Telegram 0-day used to install malware. Security researchers at Kaspersky go into a Telegram 0-day, where attackers used special non-printing characters to convince users they were opening images, when they were in fact executing malicious JavaScript. The resulting malware then used Telegram as a C&C as well as launching bitcoin miners, the monetization strategy du jour.
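As an added, defender-side example (not code from Kaspersky's report or from Telegram), the check below flags a filename whose displayed extension differs from the one the operating system will actually act on. The roundup only says "special non-printing characters"; the assumption here, based on Kaspersky's published write-up, is that the trick relies on Unicode bidirectional overrides such as U+202E (right-to-left override), and the sample filename is constructed.

```python
# Unicode bidirectional control characters: invisible, but they change how the
# text around them is drawn. Abbreviations follow the Unicode standard.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO",
    "\u202E": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200E": "LRM", "\u200F": "RLM",
}

# Constructed sample in the shape described in the Kaspersky write-up: a .js
# payload whose name is shown to the user as a .png because of an RLO.
SAMPLE_NAME = "photo_high_re\u202Egnp.js"

def find_bidi_controls(name):
    """List (position, code point, abbreviation) for each control in the name."""
    return [(i, f"U+{ord(c):04X}", BIDI_CONTROLS[c])
            for i, c in enumerate(name) if c in BIDI_CONTROLS]

def rendered(name):
    """Approximate a bidi-naive file dialog: text after an RLO is drawn reversed
    until a PDF (pop) or the end of the string; other controls are just dropped."""
    out, i = "", 0
    while i < len(name):
        c = name[i]
        if c == "\u202E":
            end = name.find("\u202C", i + 1)
            end = len(name) if end == -1 else end
            out += name[i + 1:end][::-1]
            i = end + 1  # skip the terminating PDF as well
        else:
            if c not in BIDI_CONTROLS:
                out += c
            i += 1
    return out

def extension(name):
    """Text after the last dot, lower-cased; empty if there is no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def assess(name):
    """Compare the real extension (the controls are not dots, so strip them and
    read what follows the last real dot) with the one the user would see."""
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    shown = rendered(name)
    real_ext, shown_ext = extension(stripped), extension(shown)
    return {
        "bidi_controls": find_bidi_controls(name),
        "displayed_as": shown,
        "real_ext": real_ext,
        "displayed_ext": shown_ext,
        "suspicious": bool(find_bidi_controls(name)) and real_ext != shown_ext,
    }
```

Run on `SAMPLE_NAME`, `assess` reports the file displayed as `photo_high_resj.png` while the real extension is `js`; a mail gateway or download handler can refuse or quarantine such names before a user ever sees them.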

Low powered encryption chip solution to IoT woes? Part of the reason a number of connected devices are insecure is the power usage associated with running cryptographic functions, and device providers’ primary focus on utility over security. One of those reasons may disappear soon, as MIT is working on a new low power cryptographic processor, which uses less energy and is faster than software solutions.

DoubleDoor penetrates DoubleDeep. Botnets are evolving with the existence of DoubleDoor, a botnet that uses two exploits to more fully compromise the target. The first is an exploit to gain access to the firewall, giving the attacker internal access. The second uses that vantage point to exploit the target’s modem, in an attempt to be more persistent.

Thousands of websites impacted by domain hijack. Web hosting provider Newtek landed in some trouble when three of their core domains were hijacked, including one that customers used to manage their own sites.

Jumping the (air)gap. There are a number of interesting/esoteric ways in which someone can exfiltrate data off of computers, but using magnetic signals to breach Faraday cages is a new one. While extreme closeness to the device is still necessary, it is interesting to see the ways in which researchers are leveraging hardware and the physical properties it exhibits to do the unexpected.

Security Roundup - 2018-02-08

How To Stop Me From Harvesting Sensitive Information From Your Site. In January, we posted about a hypothetical plan to steal sensitive information via pervasive JavaScript plugins. The author has now followed up with what you can do to mitigate the potential threat. It is partially a threat modeling exercise, with the key takeaway being “perhaps you shouldn’t use third party JavaScript in cases where you are collecting sensitive information”.

Cryptominers the new Malware? More and more reports surface of malware authors installing cryptominers, rather than engaging in activities like ransomware. Last year we had Adylkuzz, a cryptominer that spread via the EternalBlue vulnerability. Fast forward to this week, where we have Smominru, a mining malware that is reported to have made its authors millions in Monero, again leveraging EternalBlue. Not to mention DDG, a mining botnet targeting database servers (presumably with the expectation of more resources to mine). What makes this much more attractive for attackers is simple: cryptomining requires no action on behalf of the user, is much more stealthy than encrypting files, and yet still has a payoff in cryptocurrency.

Flash 0-day makes the rounds. Still using Flash? Be aware of a Flash 0-day currently being exploited. The twist is that the Flash content is being delivered via specially crafted Microsoft Office documents, rather than directly in the browser. The browser still comes into play once the content is executed, so the simplest defense is to disable Flash everywhere, especially since many users have out of date versions installed.

Tech support scammers spam AV company. MalwareBytes experienced a bit of forum spam last week, and ended up tracking it back to a tech support scam. A dive into tech support scams ensues.

Abusing TLS extensions for fun and exfiltration. When is a TLS handshake not a handshake? When it is being used to exfiltrate data, as some security researchers have shown. By leveraging TLS extensions, a malicious user would potentially be able to pass information out and avoid the types of perimeter checks that currently exist.

Don’t forget the small vulnerabilities! Why is it important to limit attack surface? Because even ‘small’ vulnerabilities can be chained into bigger ones, as Detectify shows with a few examples on their blog.

Why I won’t whitelist your site. Use an ad-blocker? Mike Loukides, VP of Content Strategy for O’Reilly Media, goes into why he uses an ad-blocker and won’t whitelist sites. It all comes down to malware via ads and no one in the industry wanting to take responsibility for any damages.
