Security Roundup - 2018-02-01

Self Destructing USB Drives. We’ve covered malicious USB drives many times, including one that will actively break. Going a step further, one budding engineer decided to build a USB drive that would deliver a payload, and then also trigger 5V internally to do something like trigger a small explosive charge.

Malicious extensions not just for Chrome. Perhaps the first instance of a Firefox plugin installing a cryptominer has recently been discovered. The addon is pushed from malicious sites as a ‘Firefox update’, but installs the malicious extension from another site instead, ‘rewarding’ users with spam pop-ups as well as running a cryptocurrency miner in the background.

Google cleans out malicious Android apps. Google has done a retrospective on malicious Android apps in 2017. All in all, they took down over 700K malicious Android apps, and while this was more than a 70% increase over 2016, they claim they halved the chance of someone actually installing a malicious app because they are catching these apps sooner in the process.

Fitness tracker reveals all too much. Fitness tracking company Strava recently released a global ‘heat map’ of user activity. A university student in Australia was the first to point out it showed things like government military bases. Lifehacker reports on how hard it is to make your data private on Strava, though Strava has now indicated they will work on improving privacy and data protection.

All is fair in love and ransomwar? Ransomware authors themselves have raised the alarm that at least one Tor proxy service is replacing the bitcoin wallet addresses in ransom notes with its own. Understandably this makes ransomware authors angry, and it probably frustrates ransom payers who are not getting unlock codes either.

Fingerprints are not passwords. And I guess Lenovo recognized this since their fingerprint scanner for some laptops had a hardcoded password to bypass it. Lenovo has submitted an update, so if you are using one of their products be sure to upgrade!

ATM Jackpotting makes its way to America. ‘Jackpotting’ is an ATM-based attack that uses malware to eventually trigger the ATM to spit out all its money, and apparently this has now been recorded as happening in America. Initial reports indicate the malware used is targeted towards a specific manufacturer, but analysts believe that it could be modified to work against ATMs provided by multiple manufacturers. These attacks apparently began late last year, with suspects arrested, though the attack has been known to be feasible since 2010, when it was demonstrated at Black Hat.

CrossRAT Deconstruction. CrossRAT is a RAT which can run on Windows, Linux and OSX. Patrick Wardle of Objective-See breaks down the technical details of this RAT, with perhaps a slight eye on OSX.

Gitlab beefs up security for users. Gitlab is following in the footsteps of Github by working towards integrating security monitoring of project dependencies. Gitlab has acquired startup Gemnasium to further expand this initiative, which will give them an impressive roster of languages they will be checking.

Security Roundup - 2018-01-25

HackerOne 2018 Hacker Report. HackerOne has produced another version of their report around what drives hackers. Interestingly, while filing bug bounties earns hackers in some countries many times the average salary there, “to make money” is only the 4th most common reason hackers do what they do, versus first in 2016. Also interesting, 1 in 4 hackers do not report vulnerabilities without a clear channel to disclose. Perhaps, similarly to Troy Hunt’s piece on breach notification, they find the hunt and lack of response frustrating, and instead opt to avoid it?

SANS Releases Enterprise Implementation of Bug Bounty Programs. Thinking of starting a bug bounty program? You may want to check out the SANS Institute’s Enterprise Implementation guide.

More malicious extensions found for Google Chrome. Investigating a suspicious increase in network traffic, security researchers tracked the uptick back to yet more malicious Chrome extensions. While the extensions themselves may not have been malicious, they were able to download and execute commands from a remote JSON file. Additionally, another researcher has discovered an extension that is extremely difficult to remove, circumventing normal attempts to either disable or delete it.

HackerOne releases Hacker101 Security Course. To further increase the talent pool, HackerOne has also released a free Web Security course. Block off some time for learning!

IoT Botnets work of the minority? Last year marked the rise of several large botnets powered by IoT devices, and Brian Krebs has opted to talk to Allison Nixon from Flashpoint security about her perspectives on the IoT problem and where we are going.

SamSam, 2 years later. We first reported on SamSam almost 2 years ago, and Talos has published intel on the evolution of this ransomware strain.

Security Roundup - 2018-01-18

Vulnerability Breach Disclosure. Troy Hunt is apparently sitting on hundreds of potential data leaks. Biggest problem he faces here? Wanting to privately disclose the information to impacted companies before going public with the disclosure. With that in mind, he has written up a series of escalations he has in mind to streamline the process on his end.

Blockchain Graveyard. Interested in security and cryptocurrency? You may be interested in the Blockchain Graveyard, a site collecting security incidents around cryptocurrencies.

Passphrase collision in blockchain network. Lisk, a minor blockchain network, has had to notify users about the possibility of collisions in passphrases and keys that could in theory lead to someone gaining control of their account and stealing funds. The security researcher behind these findings has also published a rundown of the problem.

Mozilla announces further steps in security. Mozilla has announced that all future new features will be restricted to secure contexts. Secure Contexts are a feature in which there is reasonable confidence that content has been delivered securely, rather than potentially having been man-in-the-middled. Firefox hopes that this will help usher in further adoption of HTTPS.
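As an added example (not from the original post or from Mozilla), the rule behind a secure context as the W3C Secure Contexts spec states it: a page is a secure context when its origin is “potentially trustworthy”, meaning served over https, wss or file, or from loopback/localhost. The function names are this example’s own; it goes slightly beyond the text by encoding the whole origin rule rather than HTTPS alone.

```javascript
// Added example: decide whether a URL is a "potentially trustworthy origin",
// the test behind window.isSecureContext in the W3C Secure Contexts spec.
// Function names are this example's own assumptions, not Mozilla's code.
const SECURE_SCHEMES = new Set(['https:', 'wss:', 'file:']);

function isLoopbackHost(hostname) {
  // The WHATWG URL parser leaves IPv6 hosts bracketed, e.g. "[::1]".
  if (hostname === '[::1]') return true;
  // The whole 127.0.0.0/8 block counts as loopback.
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) return true;
  // "localhost" and any subdomain of it (e.g. app.localhost), but not
  // a public name that merely starts with "localhost".
  return hostname === 'localhost' || hostname.endsWith('.localhost');
}

function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparsable input never earns secure-context features
  }
  if (SECURE_SCHEMES.has(url.protocol)) return true;
  return isLoopbackHost(url.hostname);
}

// Gate a new API the way Firefox intends: expose it only in a secure context,
// so a man-in-the-middle on plain http cannot reach it.
function exposeFeature(urlString, featureName) {
  return isPotentiallyTrustworthy(urlString)
    ? { exposed: true, feature: featureName }
    : { exposed: false, feature: featureName, reason: 'insecure context' };
}
```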

CyberSecurity exit for malware author. Cybersecurity has seen its latest exit with Exobot’s author deciding to get out of the rental business and straight up sell the source code. Security researchers are generally worried that this will lead to another Mirai type scenario where the source will end up public, lowering the bar of entry for a certain number of attacks.

Bug Bounty Triage. Thinking about running a bug bounty? HackerOne provides some tips on how to think about triage and prioritization.

Pixel Remote Exploit Chain Discovered. While the Pixel phone survived 2017’s Mobile Pwn2Own competition, the team celebrates their first remote exploit, paying out more than 100K through their bug bounty (their highest bounty yet!). The bug leverages a chain of vulnerabilities, starting with WebAssembly and managing to break out of the mobile Chrome sandbox. Full details are in the link.

Directory listing to account takeover. Or perhaps better labeled ‘Why Configuration Matters’, after one security expert found an open directory listing which included webhook logs from a company’s email provider. Unfortunately, said logs happened to include password reset links for customers, allowing the researcher to trigger a password reset and use the logs to effectively take over any account.

Security Roundup - 2018-01-15

More Intel security woes. Last year appears to have been a rough year for Intel, with security research from July disclosing how easy it is to gain remote access to machines with Intel’s Active Management Technology. While the attack does require physical access, it actually just involves rebooting the computer, gaining access to the BIOS, and configuring Intel’s AMT with a default password. This could then allow an attacker to bypass Trusted Platform Module protections, or even Bitlocker disk encryption passwords. Mitigation is as simple as protecting the BIOS, and the AMT settings, with better passwords.

Lenovo fixes backdoors in network switches. After an internal firmware audit, Lenovo has fixed backdoors in 2 lines of switches. The backdoors were added in 2004, when these devices were managed by Nortel, and Lenovo states they were added at the request of an OEM customer.

Let’s Encrypt disables TLS-SNI validation due to shared infrastructure concerns. Security researchers have discovered a way to abuse TLS-SNI validation in Let’s Encrypt to obtain TLS certificates for sites they don’t control. This attack largely comes into play with shared infrastructure, where multiple accounts use the same IP and the hosting provider doesn’t provide any checks around certificates. After reviewing potentially vulnerable providers, Let’s Encrypt has opted to remove this form of validation due to the overwhelming volume. Instead, they suggest moving to DNS- and HTTP-based verification.

India’s Aadhaar System. Recent weeks have contained criticism of India’s biometric database, specifically around their security. On Aadhaar’s side are plenty of comments that their system is ‘hack proof’. Offended by the concept of ‘hack proof’, Troy Hunt has done a partial rundown of their public security posture and it isn’t pretty.

EFF’s guide on vendor data security assessment. With breaches getting more and more prevalent, we should all be concerned about how our data is stored. And maybe you are someone at an SMB which doesn’t really have a security team, but wants to think about that when vetting third parties you want to do business with. In that case, you will want to read the EFF’s guide on ‘How to Assess a Vendor’s Data Security’, covering things to think about, search for, and ask, as well as a few things to make sure you find out about problems as quickly as possible.

Local network storage takeover. Seagate has fixed a problem in a series of network storage devices. A local call to the device could trick it into running commands and enabling remote access, but since these calls can be executed by the browser, there are a few attack vectors available, including phishing, malvertisements, or malicious browser extensions. Unfortunately, while Seagate has fixed the problem, they have apparently not actually responded to security researchers that contacted them about it.

Crackdown on Cybercrime celebrated with more Cybercrime. Taiwan recently celebrated a crackdown on cybercrime with a cybersecurity expo. Embarrassingly, winners of a cybersecurity knowledge quiz were awarded USB drives that had been infected by malware. Sadly, this isn’t the first time something like this has happened in the cybersecurity space, and we should keep in mind how USB drives are a security risk.

Security Roundup - 2018-01-11

Processors continue to receive security scrutiny. On the heels of Meltdown and Spectre, another CPU-related security vulnerability has been found, this time in the Trusted Platform Module implemented by AMD’s Secure Processor. The vulnerability would allow a crafty attacker to execute code inside the processor, potentially accessing any secrets contained therein. This is similar to a vulnerability discovered last year in Intel’s Management Engine, which is also intended to manage secrets. Given the recent discoveries, expect security researchers to continue shining lights on the hardware that we use every day.

Vulnerability Rediscovery. Did you know that 4 separate researchers independently discovered Spectre and Meltdown? It is a remarkable story of convergence, and security researcher Bruce Schneier even wrote a paper on ‘Taking Stock: Estimating Vulnerability Rediscovery’ last year. The question some researchers are asking is, if they all discovered it around the same time, how likely is it that someone else found it earlier and didn’t disclose it?

Github to expand security monitoring. Github has acquired the people behind Appcanary, a service that monitors software dependencies and server packages for vulnerabilities. At Github, they will be working on expanding Github’s security tooling, like their vulnerability management program.

The breaches that did not happen in 2017. In a more positive outlook, HackerOne reviews bug bounty programs in 2017, pointing out that tens of thousands of security vulnerabilities were identified and remediated using these programs.

I’m Harvesting Sensitive Information From Your Site. While people freak out about hardware level vulnerabilities, others theorize about how to actually steal sensitive information, such as this somewhat sarcastic take on how to steal sensitive information from sites. It involves creating a helpful library with some obfuscated malicious code, and then selectively sending data back to a server. How many organizations would actually detect this? Given similar types of attacks via Chrome plugins, or WordPress plugins, an attack like this could realistically live for a long time.

Extended Validation Collisions. Extended validation for SSL certs, the process by which you certify you are a valid organization and get some additional indicators on your certificate, apparently has a problem with organizational name collisions. The security researcher even went through the process of setting up a corporation to leverage this, suggesting that this may be possible for the low, low price of $177.
