Security Roundup - 2018-01-25

HackerOne 2018 Hacker Report. HackerOne has produced another version of their report on what drives hackers. Interestingly, while bug bounties earn hackers in some countries many times the local average salary, “to make money” is only the 4th most common reason hackers do what they do, versus first in 2016. Also interesting: 1 in 4 hackers do not report vulnerabilities when there is no clear channel to disclose them. Perhaps, similarly to Troy Hunt’s piece on breach notification, they find the hunt for a contact and the lack of response frustrating, and instead opt to avoid it?

SANS Releases Enterprise Implementation of Bug Bounty Programs. Thinking of starting a bug bounty program? You may want to check out the SANS Institute’s Enterprise Implementation guide.

More malicious extensions found for Google Chrome. Investigating a suspicious increase in network traffic, security researchers tracked the uptick back to yet more malicious Chrome extensions. While the extensions themselves may not have contained malicious code, they were able to download and execute commands from a remote JSON file, so the behaviour could be changed at any time after installation. Additionally, another researcher has discovered an extension that is extremely difficult to remove, circumventing normal attempts to either disable or delete it.

HackerOne releases Hacker101 Security Course. To further increase the talent pool, HackerOne has also released a free Web Security course. Block off some time for learning!

IoT Botnets work of the minority? Last year marked the rise of several large botnets powered by IoT devices, and Brian Krebs has opted to talk to Allison Nixon from Flashpoint security about her perspective on the IoT problem and where things are going.

SamSam, 2 years later. We first reported on SamSam almost 2 years ago, and Talos has published intelligence on the evolution of this ransomware strain.

Security Roundup - 2018-01-18

Vulnerability Breach Disclosure. Troy Hunt is apparently sitting on hundreds of potential data leaks. The biggest problem he faces here? Wanting to privately disclose the information to impacted companies before going public with the disclosure. With that in mind, he has written up the series of escalation steps he intends to follow to streamline the process on his end.

Blockchain Graveyard. Interested in security and cryptocurrency? You may be interested in the Blockchain Graveyard, a site collecting security incidents around cryptocurrencies.

Passphrase collision in blockchain network. Lisk, a minor blockchain network, has had to notify users about the possibility of collisions in passphrases and keys that could in theory lead to someone gaining control of their account and stealing funds. The security researcher behind these findings has also published a rundown of the problem.

Mozilla announces further steps in security. Mozilla has announced that all future new web platform features will be restricted to secure contexts. Secure Contexts are a browser feature in which there is reasonable confidence that content has been delivered securely, rather than potentially being intercepted and modified by a man in the middle. Firefox hopes that this will help usher in yet more adoption of HTTPS.

CyberSecurity exit for malware author. Cybersecurity has seen its latest exit, with Exobot’s author deciding to get out of the rental business and sell the source code outright. Security researchers are generally worried that this will lead to another Mirai-type scenario, where the source ends up public and lowers the bar of entry for a certain class of attacks.

Bug Bounty Triage. Thinking about running a bug bounty? HackerOne provides some tips on how to think about triage and prioritization.

Pixel Remote Exploit Chain Discovered. While the Pixel phone survived 2017’s Mobile Pwn2Own competition, the team behind it is now marking their first remote exploit, paying out more than 100K through their bug bounty (their highest bounty yet!). The bug leverages a chain of vulnerabilities, starting with WebAssembly and managing to break out of the mobile Chrome sandbox. Full details are in the link.

Directory listing to account takeover. Or perhaps better labeled ‘Why Configuration Matters’: one security expert found an open directory listing which included webhook logs from a company’s email provider. Unfortunately, said logs happened to include password reset links for customers, allowing the researcher to trigger a password reset and use the logs to effectively take over any account.

Security Roundup - 2018-01-15

More Intel security woes. Last year appears to have been a rough year for Intel, with security research from July disclosing how easy it is to gain remote access to machines with Intel’s Active Management Technology. While the attack does require physical access, it actually just involves rebooting the computer, getting into the BIOS, and configuring Intel’s AMT using its default password. This could then allow an attacker to bypass Trusted Platform Module protections, or even BitLocker disk encryption passwords. Mitigation is as simple as protecting the BIOS, and the AMT settings, with better passwords.

Lenovo fixes backdoors in network switches. After an internal firmware audit, Lenovo has fixed backdoors in 2 lines of switches. The backdoors were added in 2004, when these devices were managed by Nortel, and Lenovo states they were added at the request of an OEM customer.

Let’s Encrypt disables TLS-SNI validation due to shared infrastructure concerns. Security researchers have discovered a way to abuse TLS-SNI validation in Let’s Encrypt to obtain TLS certificates for sites they don’t control. This attack largely comes into play with shared infrastructure, where multiple accounts use the same IP and the hosting provider doesn’t perform any checks on the certificates customers upload. After reviewing potentially vulnerable providers, Let’s Encrypt has opted to remove this form of validation due to the overwhelming number affected. Instead, they suggest moving to DNS- and HTTP-based verification.

India’s Aadhaar System. Recent weeks have seen criticism of India’s biometric database, specifically around its security. On Aadhaar’s side are plenty of comments that their system is ‘hack proof’. Offended by the concept of ‘hack proof’, Troy Hunt has done a partial rundown of their public security posture, and it isn’t pretty.

EFF’s guide on vendor data security assessment. With breaches getting more and more prevalent, we should all be concerned about how our data is secured. And maybe you are someone at an SMB which doesn’t really have a security team, but who wants to think about that when vetting third parties you want to do business with. In that case, you will want to read the EFF’s guide on ‘How to Assess a Vendor’s Data Security’, covering things to think about, search for, and ask, as well as a few things to make sure you find out about problems as quickly as possible.

Local network storage takeover. Seagate has fixed a problem in a series of network storage devices. A local request to the device could trick it into running commands and enabling remote access, and since these requests can be issued by a browser, there are a few attack vectors available, including phishing, malvertising, or malicious browser extensions. Unfortunately, while Seagate has fixed the problem, they have apparently not actually responded to the security researchers that contacted them about it.

Crackdown on Cybercrime celebrated with more Cybercrime. Taiwan recently celebrated a crackdown on cybercrime with a cybersecurity expo. Embarrassingly, winners of a cybersecurity knowledge quiz were awarded USB drives that had been infected with malware. Sadly, this isn’t the first time something like this has happened in the cybersecurity space, and we should keep in mind that USB drives are a security risk.

Security Roundup - 2018-01-11

Processors continue to receive security scrutiny. On the heels of Meltdown and Spectre, another CPU-related security vulnerability has been found in AMD’s Trusted Platform Module in their Secure Processor. The vulnerability would allow a crafty attacker to execute code inside the processor, potentially accessing any secrets contained therein. This is similar to a vulnerability discovered last year in Intel’s Management Engine, which is also intended to manage secrets. Given the recent discoveries, expect security researchers to continue shining lights on the hardware that we use every day.

Vulnerability Rediscovery. Did you know that 4 separate researchers independently discovered Spectre and Meltdown? It is a remarkable story of convergence, and security researcher Bruce Schneier even wrote a paper on ‘Taking Stock: Estimating Vulnerability Rediscovery’ last year. The question some researchers are asking is: if they all discovered it around the same time, how likely is it that someone else found it earlier and didn’t disclose it?

Github to expand security monitoring. Github has acquired the people behind Appcanary, a service that monitors software dependencies and server packages for vulnerabilities. At Github, they will be working on expanding Github’s security tooling, like their vulnerability management program.

The breaches that did not happen in 2017. In a more positive outlook, HackerOne reviews bug bounty programs in 2017, pointing out that tens of thousands of security vulnerabilities were identified and remediated using these programs.

I’m Harvesting Sensitive Information From Your Site. While people freak out about hardware-level vulnerabilities, others theorize about how to actually steal sensitive information, such as this somewhat sarcastic take on how to steal sensitive information from sites. It involves publishing a helpful library with some obfuscated malicious code, and then selectively sending data back to a server. How many organizations would actually detect this? Given similar types of attacks via Chrome plugins or WordPress plugins, an attack like this could realistically live for a long time.

Extended Validation Collisions. Extended Validation for SSL certificates, the process by which you certify you are a valid organization and get some additional indicators on your certificate, apparently has a problem with organizational name collisions. The security researcher even went through the process of setting up a corporation to leverage this, suggesting that this may be possible for the low, low price of $177.

Security Roundup - 2017-12-28

34C3 in full swing. The 34th Chaos Communication Congress is in full swing. You can check the schedule for the remaining days, or check out the recordings that are already available. Hackaday has a writeup of some interesting talks they have attended, the most interesting one so far being ‘Squeezing a key through a carry bit’, where one spelunker leveraged a bug in a crypto implementation to extract an entire private key one bit at a time.

Hack The World results. HackerOne has announced this year’s results to their Hack The World hackathon. This year 700+ bug bounty hunters submitted enough vulnerabilities to clear just over $750K in bounties.

Breaking HSTS and HPKP in modern browsers. HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP) are modern security functions for browsers. Security researchers recently published ways to abuse how browsers use these in order to defeat the protections, from neutralizing them entirely to rendering the browser unusable.

Ad trackers caught stealing usernames. At least two ad trackers were caught using hidden forms to harvest usernames from sites they were deployed on. Being able to harvest usernames would allow them to build a bigger profile and match users more reliably across sites, but it also creates a bigger trove of information to steal, and the same technique could be used to harvest passwords.

Credit card theft targets smaller chains. Follow Brian Krebs’s story of a new batch of stolen credit cards and how he tracked them back to the impacted businesses. One of the targets happens to be a small restaurant chain in Texas, which Krebs tracked down before the company was aware of the credit card fraud, meaning that the cards were sold well before consumers could take any action.

TLS version negotiation delaying TLS 1.3. TLS 1.3 unexpectedly had new drafts at the end of this year, when the expectation was that the spec was essentially finalized. The cause? Problems in TLS version negotiation, where a sizable portion of servers (including network inspection devices) failed in unexpected ways when clients attempted to negotiate the new version. This is, in essence, the same problem that hampered TLS 1.2’s rollout, and the root cause of the POODLE downgrade attack. The newer TLS 1.3 drafts include implementation details to avoid silent security downgrades (as was the solution for TLS 1.2), but the fact that this has been repeated has already caused organizations to start thinking about better ways to do TLS negotiation (or at least about identifying problems well in advance).
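The anti-downgrade detail mentioned for the newer drafts, as an added example that is not code from the roundup or any source it links: a simplified model of version selection and the downgrade sentinel as they appear in the final TLS 1.3 specification (RFC 8446, sections 4.2.1 and 4.1.3). The handshake() scenario and the extension-stripping middlebox are constructed for illustration.

```python
import os

# Added illustration, not from the roundup. Two fixes modelled from RFC 8446:
# real version offers travel in the supported_versions extension while
# legacy_version stays at 0x0303, and a server that settles for an older
# version stamps a sentinel into ServerHello.random so the client can tell.
TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304
SENTINEL_TLS12 = b"DOWNGRD\x01"  # negotiated TLS 1.2 although 1.3 was available
SENTINEL_OLDER = b"DOWNGRD\x00"  # negotiated TLS 1.1 or below

def select_version(server_versions, supported_versions=None, legacy_version=TLS12):
    """Server side: pick the highest version offered by both parties.
    A TLS 1.3 ClientHello keeps legacy_version at 0x0303 and lists its real
    offers in supported_versions, so a pre-1.3 server that only reads
    legacy_version still sees a familiar value instead of failing."""
    offered = supported_versions if supported_versions is not None else [legacy_version]
    common = [v for v in offered if v in server_versions]
    return max(common) if common else None

def server_random(server_versions, negotiated):
    """Server side: 32 random bytes, with the sentinel in the last 8 whenever
    the server negotiated below the best version it supports."""
    rand = bytearray(os.urandom(32))
    best = max(server_versions)
    if best >= TLS13 and negotiated == TLS12:
        rand[24:] = SENTINEL_TLS12
    elif best >= TLS12 and negotiated < TLS12:
        rand[24:] = SENTINEL_OLDER
    return bytes(rand)

def client_accepts(client_max, negotiated, rand):
    """Client side: refuse a ServerHello whose random carries a sentinel
    proving the server could have negotiated the client's own maximum."""
    tail = rand[24:]
    if client_max >= TLS13 and negotiated <= TLS12 and tail in (SENTINEL_TLS12, SENTINEL_OLDER):
        return False
    if client_max == TLS12 and negotiated < TLS12 and tail == SENTINEL_OLDER:
        return False
    return True

def handshake(client_versions, server_versions, strip_extension=False):
    """Constructed scenario: strip_extension models a middlebox that drops the
    supported_versions extension, silently pushing the server to TLS 1.2.
    Returns (negotiated version, whether the client accepted the handshake)."""
    ext = None if strip_extension else sorted(client_versions, reverse=True)
    negotiated = select_version(server_versions, ext)
    if negotiated is None:
        return None, False
    rand = server_random(server_versions, negotiated)
    return negotiated, client_accepts(max(client_versions), negotiated, rand)
```

A TLS 1.3 client talking to a TLS 1.3 server through the stripping middlebox ends up on TLS 1.2 but sees the sentinel and aborts, while a genuine TLS 1.2 client sees the same sentinel and correctly ignores it.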

Lastpass Authenticator app contained surprise security bypass. A security researcher published their discovery that opening certain activities directly in Lastpass’ Authenticator app would allow someone to bypass the PIN/fingerprint protection. The app has been fixed since the public disclosure.

AppSec Radar. In tech, some companies use a ‘technology radar’ to track which technologies their engineers should adopt, trial, or stop using. One new project is experimenting with doing the same for an organization’s applications, factoring in security concerns.
