Security Roundup - 2017-12-28

34C3 in full swing. The 34th Chaos Communication Conference is in full swing. You can check the schedule for the remaining days, or check out the recordings that are already available. Hackaday has a writeup of some interesting talks they have attended, the most interesting one so far being ‘Squeezing a key through a carry bit’, where one spelunker leveraged a bug in a crypto implementation to extract an entire private key one bit at a time.

Hack The World results. HackerOne has announced this year’s results of their Hack The World hackathon. This year 700+ bug bounty hunters submitted enough vulnerabilities to clear just over $750K in bounties.

Breaking HSTS and HPKP in modern browsers. HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP) are modern security functions for browsers. Security researchers recently published ways to abuse how browsers implement these features, with results ranging from preventing the protections from being applied at all to rendering the browser unusable.

Ad trackers caught stealing usernames. At least two ad trackers were caught using hidden forms to harvest usernames from sites they were deployed on. Being able to harvest usernames allows them to build a bigger profile and match users more reliably across sites, but it also creates a bigger trove of information to steal, and the same technique could be used to harvest passwords.

Credit card theft targets smaller chains. Follow Brian Krebs’ story of a new batch of credit cards being stolen and tracked back to the impacted businesses. One of the targets happens to be a small restaurant chain in Texas, which Krebs tracked down before the company was aware of the credit card fraud, meaning that the cards were sold well before consumers could take any action.

TLS version negotiation delaying TLS 1.3. TLS 1.3 unexpectedly had new drafts at the end of this year, when the expectation was that the spec was essentially finalized. The cause? Problems in TLS version negotiation, where a sizable portion of servers (including network inspection devices) failed in unexpected ways when clients attempted to negotiate the new version. This is, in essence, the same problem that hampered TLS 1.2’s rollout, and the cause of the POODLE downgrade attack. The newer TLS 1.3 drafts have implementation details to avoid security downgrades (as was the solution for TLS 1.2), but the fact that this has been repeated has already caused organizations to start thinking about better ways to do TLS negotiation (or at least to identify problems well in advance).
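The downgrade protection the newer drafts added (and that RFC 8446 kept) is a sentinel in the last eight bytes of ServerHello.random; the TLS 1.2-era answer was the TLS_FALLBACK_SCSV cipher suite value. The following is an added example, not code from the article or from any TLS library, modelling both the server and client halves of that sentinel check; `negotiated` is assumed to be the version after supported_versions processing, not the legacy_version field.

```python
# Added example of the TLS 1.3 downgrade sentinel (RFC 8446, section 4.1.3).
# A TLS 1.3-capable server that ends up negotiating 1.2 or lower overwrites the
# last 8 bytes of its 32-byte random with a fixed marker. A client that offered
# 1.3, got something lower, and still sees the marker knows its offer was
# stripped in transit and must abort with an illegal_parameter alert.
DOWNGRADE_TLS12 = bytes.fromhex("444f574e47524401")  # ASCII "DOWNGRD" + 0x01
DOWNGRADE_TLS11 = bytes.fromhex("444f574e47524400")  # ASCII "DOWNGRD" + 0x00

TLS_1_1, TLS_1_2, TLS_1_3 = 0x0302, 0x0303, 0x0304


def server_random(rng: bytes, negotiated: int, server_max: int) -> bytes:
    """Server side: the random a compliant server sends for a given outcome.

    rng is 32 fresh random bytes; the sentinel replaces the last 8 of them
    only when a 1.3-capable server is settling for an older version."""
    if len(rng) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    if server_max >= TLS_1_3 and negotiated == TLS_1_2:
        return rng[:24] + DOWNGRADE_TLS12
    if server_max >= TLS_1_3 and negotiated <= TLS_1_1:
        return rng[:24] + DOWNGRADE_TLS11
    return rng  # honest 1.3 negotiation, or a server that never spoke 1.3


def downgrade_detected(srv_random: bytes, negotiated: int, client_max: int) -> bool:
    """Client side: True when the handshake must be aborted.

    Per RFC 8446 a 1.3 client that is told 1.2 or below checks for either
    sentinel; a 1.2 client told 1.1 or below should check for the 0x00 one."""
    tail = srv_random[-8:]
    if client_max >= TLS_1_3 and negotiated <= TLS_1_2:
        return tail in (DOWNGRADE_TLS12, DOWNGRADE_TLS11)
    if client_max == TLS_1_2 and negotiated <= TLS_1_1:
        return tail == DOWNGRADE_TLS11
    return False
```

A server that genuinely only supports TLS 1.2 never emits the sentinel, so the check does not break legitimate older deployments; it only catches a 1.3-capable pair being talked down by a middlebox.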

Lastpass Authenticator app contained surprise security bypass. A security researcher published their discovery that accessing certain activities directly in Lastpass’ Authenticator app would allow someone to bypass PIN/fingerprint protection. The app has been fixed since the public disclosure.

AppSec Radar. In tech, some companies use a ‘technology radar’ to track which technologies their engineers should adopt, trial, or stop using. One new project is experimenting with doing the same for an organization’s applications, factoring in security concerns.

How to Stop Breaches (A Special Holiday Roundup)

Having finished talking to Congress about data breaches, Troy Hunt has started a five-part series of articles on how to fix them.

  • Part one is all about Education: the majority of breaches have involved a human element, even if it is just bad coding, and the sooner a human can recognize a possible security problem and fix it, the cheaper that fix is likely to be.
  • Part two covers Reducing Breach Impact, looking at the vast swaths of data companies collect and their desire to collect as much information as possible. However, what is initially thought of as an asset could instead be seen as a liability in the event that the data is disclosed in a breach. For example, the Experian leak was that much more horrible since it included credit card numbers and driver’s licenses. Troy argues for data minimization and expiration to protect users’ data.
  • Part three covers Ease of Disclosure: making it easy for people (whether security practitioners, a reporter, or a random individual) to contact you in order to disclose a security issue, with the reasonable assumption that you will be receptive rather than litigious.
  • Part four covers Bug Bounties: not just making it easy for people to report vulnerabilities, but ACTIVELY ENCOURAGING THEM TO, and offering some remuneration as an incentive to disclose to you rather than to the black market.
  • Part five covers Penalties: making the financial impact of a data breach matter to the bottom line, such that the ROI of security becomes much more serious.

Security Roundup - 2017-12-21

Author: Seanstoppable. Tags: breaches, encryption, exploits, internetofthings, ransomware, wordpress.

Tripwires detect potential data breaches. Security researchers released recent work they have done to monitor sites for breaches. The method is simple, but effective in that simplicity: sign up to sites with unique emails and passwords, then monitor the associated email accounts for login attempts. A successful login with one of those passwords is largely indicative of some sort of data leak, and the researchers did this with passwords of varying lengths to try to infer password storage practices. In total, they set up multiple accounts across 2302 organizations. After 9 months, they had collected evidence that 19 of them had some degree of compromise.
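As an added example (not the researchers’ tooling), the following sketches the correlation side of that method: one unique mailbox and several passwords of different lengths per organization, then a pass over constructed login events from the mailbox provider to name the leaking organization and make the length-based inference. The storage heuristic (a long random password being used implies plaintext storage, only short ones implies cracked hashes) is an assumption of this example, and `tripwire.example` is a placeholder domain.

```python
import secrets
import string
from dataclasses import dataclass

# Constructed example of breach tripwires. Each organization gets one honey
# mailbox and a password at each of these lengths; which length later shows up
# in a successful login is what feeds the storage-practice inference.
PASSWORD_LENGTHS = (8, 12, 20)
ALPHABET = string.ascii_letters + string.digits


@dataclass(frozen=True)
class HoneyAccount:
    org: str
    email: str
    password: str


def make_accounts(orgs, domain="tripwire.example"):
    """Registration-ready credentials: unique mailbox per org, one per length."""
    accounts = []
    for org in orgs:
        mailbox = f"{org}-{secrets.token_hex(4)}@{domain}"
        for n in PASSWORD_LENGTHS:
            pw = "".join(secrets.choice(ALPHABET) for _ in range(n))
            accounts.append(HoneyAccount(org, mailbox, pw))
    return accounts


def correlate(accounts, login_events):
    """login_events: (email, password_used, success) tuples from the mailbox
    provider's log. Returns {org: verdict} for organizations whose honey
    credentials were used in a successful login."""
    by_key = {(a.email, a.password): a for a in accounts}
    lengths_seen = {}
    for email, pw, ok in login_events:
        acct = by_key.get((email, pw))
        if acct is None or not ok:
            continue  # unknown mailbox, wrong password, or a failed attempt
        lengths_seen.setdefault(acct.org, set()).add(len(pw))
    verdicts = {}
    for org, lengths in lengths_seen.items():
        if max(lengths) >= max(PASSWORD_LENGTHS):
            # assumption: nobody cracks a 20-char random string; it was stored readable
            verdicts[org] = "leaked; long password used, consistent with plaintext storage"
        else:
            verdicts[org] = "leaked; only short passwords used, consistent with cracked hashes"
    return verdicts
```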

Another batch of printers remote controllable from the internet. NewSky Security has discovered another batch of printers completely exposed to the internet, this time in the form of 1123 Lexmark devices. Attackers could conceivably do things like gain a toehold into a network, or simply steal copies of documents that are sent to the printer.

Firefox joins Chrome in highlighting non-HTTPS sites. The Google Chrome team announced back in April plans to start marking HTTP sites as ‘Not Secure’, and now Firefox seems to be thinking about the same, as revealed by a new configuration option.

On the profitability of stolen credentials. Krebs On Security dives into the reseller market for stolen credentials, specifically focusing on a site called “Carder’s Paradise”, where credential prices range from $10 to $190. More disturbingly, entire sets of identities are available, indexed by credit score.

FoxIT speaks about MitM attacks. Earlier this year, FoxIT was the victim of a man-in-the-middle attack, when an attacker took over DNS entries and pointed them at their own servers to route traffic through. Specifically, the attackers targeted the portal for secure exchange of files, hoping to gain access to credentials and files of FoxIT’s customers. The attackers also intercepted mail, allowing them to obtain a legitimate SSL certificate, since they appeared to own the domain. The entire attack lasted 10 hours and 30 minutes, thanks to FoxIT’s quick investigation. The breakdown seems to indicate the attack happened after hours, likely deliberately to avoid initial scrutiny. Additionally, FoxIT points out that there is little to no reason they should not be using two-factor authentication for their DNS provider (except, of course, it turns out their DNS provider doesn’t offer 2FA yet!).

Top 25 popular passwords of 2017. Despite all the breaches of 2017, password security has not improved, as demonstrated by the top 25 most popular passwords of the year. 123456 and Password still remain popular. Of note, most of these passwords are under or just barely conforming to the NIST guideline of 8 characters in a password, partially indicating that if sites just increased minimum password lengths, they would eliminate a subset of common passwords. Granted, this doesn’t protect us from the people that use password01 or 1234567890, but any trend towards longer/stronger passwords would be a welcome one.

BrickerBot retires. The author of BrickerBot, a botnet that tried to take a number of vulnerable devices offline, has retired and published a rough timeline of their work. Among other things, they outline the problems of exposed devices and the botnets like Mirai that have disrupted the internet, and how they felt they had no choice but to enact “Internet Chemotherapy” in order to remove bad nodes from the system. They also point out that major providers like Akamai and Cloudflare have seen a downtrend in DDoS attacks, which they attribute to their own work of removing DDoS nodes from availability.

Copyright claim accidentally exposes Wordpress backdoor. Wordpress took down a third party captcha plugin due to misuse of the ‘Wordpress’ trademark. Incidentally, when plugins are removed from the Wordpress repository, security company Wordfence dives in to check whether this is due to security and whether they should take action on behalf of their users. In this case, they discovered that the takedown wasn’t due to security, but still managed to discover that the plugin has a backdoor. The plugin in question is one of several stories this year of plugins for various software (Chrome, Wordpress, etc.) being purchased or taken over and then updated to perform malicious actions once users update, due to the now implicit trust.

Inside look into SSRF. Server side request forgery (SSRF) is an attack in which an attacker uses one service to make unexpected requests to others. Follow along as one security researcher uses this to send emails from a company’s internal email server.

Security Roundup - 2017-12-15

Phishing abuses psychology of HTTPS. A recent survey from PhishLabs indicates that 80% of respondents believe that seeing the lock indicating a website is served over HTTPS means that a site is legitimate or somehow ‘safe’, despite the fact that it just means that your communication is encrypted. Phishers are abusing this misconception by increasingly using HTTPS for their sites, with 25% of known phishing sites now using HTTPS (up from 3% last year). Don’t forget to educate your users on how to avoid phishing in the first place!

New Android vulnerability abuses update mechanism. Researchers have found out how to abuse Android’s app update mechanism to execute unverified code. Based on how signatures are calculated for applications, an attacker could append a malicious app to an existing one and trick the installer into installing the second app with whatever privileges are available to the first.

Mailsploit, email vulnerabilities for all. With email having been around for 45 years and spam and malicious content being a known problem, one would hope that the basics have been hammered down pretty heavily here. However, one security researcher has managed to trigger an exploit leading to code execution. Dubbed ‘Mailsploit’, this actually exploits the From: field in an email by abusing unicode handling. This results in issues like web based clients being subject to XSS attacks and spoofing of email addresses, the latter of which could conceivably also bypass DMARC protections.

ROBOT attack. Another witty acronym attack in the form of ROBOT (Return Of Bleichenbacher’s Oracle Threat), in which an attacker can extract private session keys from TLS sessions. Practical applications are an attacker being able to pull out the encryption keys you are using to communicate with things like a VPN or a secure website, and decrypt your traffic. Specifically, this targets PKCS#1 v1.5 with RSA encryption, and a mitigating factor would be to stop using this setup.

Deep dive into Napoleon ransomware. For those that have been missing a technical deep dive into malware, Malwarebytes delivers the goods with a look into ‘Napoleon’ - a variant of the Blind ransomware that they recently discovered.

Debugger could be leveraged into a keylogger. Debug code in touchpad drivers for multiple HP laptops could have been turned on for use as a keylogger. While admin access would be needed to enable it, this attack vector would be one that avoided anti-virus scanners, since it is an expected driver.

Extended Validation Certificate Abuse. A few recent studies have discovered flaws in the Extended Validation certificate issuance process. One used stolen identities (from the many personal data breaches that are available) and another set up a fake company with the same name as a legitimate company (since no one checks for collisions in EV certs), resulting in legitimate looking EV certificates being issued. With the total cost at under $200, and questions minimal, this is a potentially more viable attack in the upcoming months.

Security Roundup - 2017-12-08

Card Skimmers On The Rise. I’ve previously posted about credit card skimmers. According to FICO, credit and debit card compromise has increased 70% YoY. Worried? Read this article on how to avoid and be aware when using your card.

Dirty COW not yet out to pasture. Last year, a major vulnerability called Dirty COW made the rounds, as a local privilege escalation problem in Linux distributions (including Android). Now, more than a year later, researchers have discovered that an edge case not covered by the original patch allows the same bug to be exploited. A patch is already available, and the flaw can also be mitigated with configuration changes, but the fact that it was patched incorrectly for over a year should be worrying.

Wordpress Hacks Leave Keyloggers. Hacked Wordpress sites are great for attackers to do things like host malware, run cryptocurrency miners, and now run keyloggers to try and harvest usernames and passwords. Read the article for Sucuri’s findings.

Rundown on OSX ‘root’ password problem. Apple recently fixed an issue where a user could log in to the root account with a blank password (even remotely!). If you want to know the nitty gritty of why, check out Objective-See’s deep dive on the subject.

Old Exploit for Serial-To-Ethernet devices still very prevalent. Many old serial devices have been hooked up to the internet via Serial to Ethernet connectors manufactured by a number of companies. A set of these devices from Lantronix has an exploit (since 2012!) which returns the telnet password in plaintext and, since these devices have not been patched (since 2012!), this means another several thousand exploitable devices on the internet.

New Mirai Variant Potentially Leverages 0-day. Yet another variant of Mirai has made waves this week, with a sudden takeover of over 100K devices. This wave of exploits appears to be targeting a port on Huawei devices which is not known to have an exploit, on top of a username/password list containing 65K entries.

Andromeda Botnet Shut Down. However, while Mirai’s family thrives, Andromeda’s family dies as law enforcement agencies coordinated with industry leaders to shut down the Andromeda botnet. This botnet has been alive since 2011 and used to deliver malware, including 80 different malware families in the last 6 months alone.

Uber breach sparks punitive bill. With the news of Uber covering up a breach coming to light, some US Senators have pushed forward the “Data Security and Breach Notification Act”, intended to unify breach notification laws across states. It also, however, entails jail time for those that willfully conceal breaches, which may have impacted Uber’s decision to try to disguise their breach payout as a bug bounty.

Verizon releases 2017 Data Breach Investigation Report. Now in its 10th year, Verizon has again released an in-depth look at breaches. This year also includes a summary report to give some highlights, which include:

  • Unsurprisingly, malware is used in just over half of all breaches
  • Still unsurprising, 43% include a social/phishing aspect
  • 61% of breached companies are those with less than 1000 employees
  • In the wake of many breaches involving leaked passwords, password stuffing attacks as a cause of breaches have risen sharply. The ease with which this works makes it just too easy for attackers.

Check out the full report if you are interested in details broken out by industry!
