How to Stop Breaches (A Special Holiday Roundup)

Having finished talking to Congress about data breaches, Troy Hunt has started a five-part series of articles on how to fix them.

  • Part one is all about Education: the majority of breaches involve a human element, even if it is just bad coding, and the sooner a human can recognize a possible security problem and fix it, the cheaper that fix is likely to be.
  • Part two covers Reducing Breach Impact, examining the vast swaths of data companies collect and their desire to collect as much information as possible. What is initially thought of as an asset could instead turn out to be a liability if the data is disclosed in a breach. For example, the Experian leak was that much worse because it included credit card numbers and driver’s licenses. Troy argues for data minimization and expiration to protect users’ data.
  • Part three covers Ease of Disclosure: making it easy for people (whether security practitioners, a reporter, or a random individual) to contact you in order to disclose a security issue, with the reasonable assumption that you will be receptive rather than litigious.
  • Part four covers Bug Bounties: not just making it easy for people to report vulnerabilities, but ACTIVELY ENCOURAGING THEM TO, and offering some remuneration as an incentive to disclose to you rather than to the black market.
  • Part five covers Penalties: making the financial impact of a data breach matter to the bottom line, such that the ROI of security becomes much more serious.

Security Roundup - 2017-12-21

Posted by Seanstoppable in security-roundup. Tags: breaches, encryption, exploits, internetofthings, ransomware, wordpress

Tripwires detect potential data breaches. Security researchers released recent work on monitoring sites for breaches. The method is simple, but effective in that simplicity: sign up to sites with unique emails and passwords, then monitor the associated email accounts for login attempts. A successful login with one of those passwords is largely indicative of some sort of data leak, and the researchers used passwords of varying lengths to try to infer password storage practices. In all, they set up multiple accounts across 2302 organizations. After 9 months, they had collected evidence that 19 of them had some degree of compromise.
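The tripwire idea above, as an added example (this is not the researchers' code). Each fictional organization gets one decoy account per password length; because every password is registered with exactly one organization, any login attempt at the decoy mailbox that presents it points back at the leak, and the set of lengths that show up hints at how the site stored passwords. The organization names, the `decoy.example` mailbox domain and the attempt log are all constructed.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

DECOY_DOMAIN = "decoy.example"   # assumed mailbox domain you control (placeholder)
PASSWORD_LENGTHS = (8, 12, 16)   # one decoy account per length, per organization


@dataclass(frozen=True)
class Decoy:
    org: str
    email: str
    password: str


@dataclass
class Verdict:
    org: str
    compromised: bool
    lengths_seen: list
    storage_hint: str


def build_decoys(orgs):
    """One decoy account per (org, password length).

    Passwords are derived deterministically here only so the example runs the
    same way every time offline; a real deployment draws them from a CSPRNG.
    What matters is that each password is registered with exactly one org.
    """
    decoys = []
    for org in orgs:
        for n in PASSWORD_LENGTHS:
            pw = hashlib.sha256(f"{org}:{n}".encode()).hexdigest()[:n]
            decoys.append(Decoy(org, f"tw-{org}-{n}@{DECOY_DOMAIN}", pw))
    return decoys


def analyze(decoys, attempts):
    """attempts: iterable of (mailbox, submitted_password) pairs observed at the
    mailbox provider. Any attempt presenting a decoy password is evidence that
    the org it was registered with leaked it, whatever the login outcome,
    because only that org ever saw the password."""
    by_cred = {(d.email, d.password): d for d in decoys}
    seen = defaultdict(set)
    for mailbox, pw in attempts:
        d = by_cred.get((mailbox, pw))
        if d is not None:
            seen[d.org].add(len(pw))

    verdicts = {}
    for org in sorted({d.org for d in decoys}):
        lengths = sorted(seen.get(org, ()))
        if not lengths:
            verdicts[org] = Verdict(org, False, [], "no evidence of a leak")
        elif len(lengths) == len(PASSWORD_LENGTHS):
            verdicts[org] = Verdict(org, True, lengths,
                "every length recovered: plaintext or reversible storage likely")
        else:
            verdicts[org] = Verdict(org, True, lengths,
                "only shorter passwords recovered: hashed storage, short ones cracked offline")
    return verdicts


# Constructed sample: three fictional organizations and a handful of login
# attempts against the decoy mailboxes, as a mailbox provider's log might show.
SAMPLE_DECOYS = build_decoys(["acme", "globex", "initech"])
_pw = {(d.org, len(d.password)): d.password for d in SAMPLE_DECOYS}
_mb = {(d.org, len(d.password)): d.email for d in SAMPLE_DECOYS}
SAMPLE_ATTEMPTS = [
    (_mb["acme", 8], _pw["acme", 8]),
    (_mb["acme", 12], _pw["acme", 12]),
    (_mb["acme", 16], _pw["acme", 16]),
    (_mb["globex", 8], _pw["globex", 8]),
    (_mb["globex", 12], "hunter22"),      # unrelated guess, not a decoy password: ignored
    (_mb["initech", 8], "password123"),   # same: noise, not evidence
]

if __name__ == "__main__":
    for v in analyze(SAMPLE_DECOYS, SAMPLE_ATTEMPTS).values():
        print(f"{v.org:8} compromised={v.compromised!s:5} lengths={v.lengths_seen} {v.storage_hint}")
```

The storage hint is only an inference: a site that hashes passwords well will leak the short decoys first because those are the ones an offline cracker recovers, while a site storing plaintext gives every length away at once. Treat a single matching attempt as a signal to investigate, not as proof.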

Another batch of printers remotely controllable from the internet. NewSky Security has discovered another batch of printers completely exposed to the internet, this time in the form of 1123 Lexmark devices. Attackers could conceivably gain a toehold into a network, or simply steal copies of documents that are sent to the printer.

Firefox joins Chrome in highlighting non-HTTPS sites. The Google Chrome team announced back in April plans to start marking HTTP sites as ‘Not Secure’, and now Firefox seems to be considering the same, as revealed by a new configuration option.

On the profitability of stolen credentials. Krebs On Security dives into the reseller market for stolen credentials, specifically focusing on a site called “Carder’s Paradise”, where credential prices range from $10 to $190. More disturbingly, entire sets of identities are available, indexed by credit score.

FoxIT speaks about MitM attacks. Earlier this year, FoxIT was the victim of a man-in-the-middle attack, when an attacker took over DNS entries and pointed them at their own servers to route traffic through. Specifically, the attackers targeted the portal for secure exchange of files, hoping to gain access to credentials and files of FoxIT’s customers. The attackers also intercepted mail, allowing them to obtain a legitimate SSL certificate, since they appeared to own the domain. The entire attack lasted 10 hours and 30 minutes, thanks to FoxIT’s quick investigation. The breakdown seems to indicate the attack happened after hours, likely deliberately to avoid initial scrutiny. Additionally, FoxIT points out that there is little to no reason they should not be using two-factor authentication for their DNS provider (except, of course, it turns out their DNS provider doesn’t offer 2FA yet!).

Top 25 popular passwords of 2017. Despite all the breaches of 2017, password security has not improved, as demonstrated by the top 25 most popular passwords of the year. 123456 and Password still remain popular. Of note, most of these passwords are shorter than, or only just meet, the NIST guideline of an 8-character minimum, which suggests that if sites simply raised minimum password lengths, they would eliminate a subset of common passwords. Granted, this doesn’t protect us from the people that use password01 or 1234567890, but any trend towards longer/stronger passwords would be a welcome one.

BrickerBot retires. The author of BrickerBot, a botnet that tried to take a number of vulnerable devices offline, has retired and published a rough timeline of their work. Among other things, they outline the problems of exposed devices and the botnets like Mirai that have disrupted the internet, and how they felt they had no choice but to enact “Internet Chemotherapy” in order to remove bad nodes from the system. They also point out that major providers like Akamai and Cloudflare have seen a downtrend in DDoS attacks, which they attribute to their own work of removing DDoS nodes from availability.

Copyright claim accidentally exposes Wordpress backdoor. Wordpress took down a third-party captcha plugin due to misuse of the ‘Wordpress’ trademark. Incidentally, when plugins are removed from the Wordpress repository, security company Wordfence dives in to check whether the removal is security-related and whether they should take action on behalf of their users. In this case, they found that the takedown wasn’t due to security, but still discovered that the plugin has a backdoor. The plugin in question is one of several stories this year of plugins for various software (Chrome, Wordpress, etc.) being purchased or taken over and then updated to perform malicious actions once users update, owing to the implicit trust placed in an already-installed plugin.

Inside look into SSRF. Server-side request forgery (SSRF) is an attack in which an attacker uses one service to make unexpected requests to others. Follow along as one security researcher uses this to send emails from a company’s internal email server.
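The defensive side of the SSRF story above, as an added example that is not part of the linked write-up: a "fetch this URL for me" feature that forwards whatever the client supplied, beside a validator that only lets the request out to public addresses over expected ports. The resolver is injected so the example runs offline; the hostnames and DNS answers are constructed, and `is_global` from the standard `ipaddress` module does the address classification.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


class SsrfBlocked(ValueError):
    """Raised when a client-supplied URL must not be fetched server-side."""


def vulnerable_target(url):
    """The shape of the bug: the server fetches whatever URL the client supplied,
    including internal names such as a mail relay that trusts the app's network."""
    return url


def validate_outbound_url(url, resolve):
    """Return (host, [ip, ...]) if `url` may be fetched, else raise SsrfBlocked.

    `resolve(host)` returns the IP strings the host maps to (injected so this
    runs offline; in production wrap socket.getaddrinfo). Every answer is
    checked, because a name under attacker control can mix public and internal
    addresses. `ip.is_global` is False for loopback, RFC 1918, link-local
    (which includes the cloud metadata address 169.254.169.254), documentation
    ranges and other special-purpose space, so one test covers them all.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise SsrfBlocked("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise SsrfBlocked("missing host")
    try:
        port = parts.port
    except ValueError as exc:
        raise SsrfBlocked("invalid port") from exc
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise SsrfBlocked(f"port not allowed: {port}")
    addrs = resolve(host)
    if not addrs:
        raise SsrfBlocked(f"unresolvable host: {host}")
    for a in addrs:
        if not ipaddress.ip_address(a).is_global:
            raise SsrfBlocked(f"{host} resolves to non-public address {a}")
    return host, addrs


def is_allowed(url, resolve):
    try:
        validate_outbound_url(url, resolve)
        return True
    except SsrfBlocked:
        return False


def make_resolver(table):
    """Offline stand-in for DNS: literal IPs resolve to themselves, names come
    from `table`. The answers below are constructed, not real records."""
    def resolve(host):
        try:
            return [str(ipaddress.ip_address(host))]
        except ValueError:
            return table.get(host.lower(), [])
    return resolve


SAMPLE_DNS = make_resolver({
    "www.partner.example": ["11.22.33.44"],                   # public
    "mail.corp.internal": ["10.0.0.25"],                      # internal relay
    "rebind.attacker.example": ["11.22.33.45", "127.0.0.1"],  # mixed answers
})

if __name__ == "__main__":
    for u in ("https://www.partner.example/report", "http://mail.corp.internal:25/",
              "http://169.254.169.254/", "http://rebind.attacker.example/"):
        print(f"{u:45} allowed={is_allowed(u, SAMPLE_DNS)}")
```

Two caveats a reviewer would raise. Validation and connection must use the same addresses: connect to an IP returned by this check (sending the hostname in the Host header) rather than resolving again, or a name that changes its answer between the two lookups slips through. And the HTTP client must not follow redirects automatically, since a public URL can redirect to an internal one; re-run the validator on every hop instead.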

Security Roundup - 2017-12-15

Phishing abuses psychology of HTTPS. A recent survey from PhishLabs indicates that 80% of respondents believe that seeing the lock indicating a website is served over HTTPS means that a site is legitimate or somehow ‘safe’, despite the fact that it just means that your communication is encrypted. Phishers are abusing this misconception by increasingly using HTTPS for their sites, with 25% of known phishing sites now using HTTPS (up from 3% last year). Don’t forget to educate your users on how to avoid phishing in the first place!

New Android vulnerability abuses update mechanism. Researchers have found out how to abuse Android’s app update mechanism to execute unverified code. Based on how signatures are calculated for applications, an attacker could append a malicious app to an existing one and trick the installer into installing the second app with whatever privileges are available to the first.

Mailsploit, email vulnerabilities for all. With email having been around for 45 years and spam and malicious content being a known problem, one would hope that the basics have been hammered down pretty heavily here. However, one security researcher has managed to trigger an exploit leading to code execution. Dubbed ‘Mailsploit’, this actually exploits the From: field in an email by abusing unicode handling. This results in issues like web-based clients being subject to XSS attacks and spoofing of email addresses, the latter of which could conceivably also bypass DMARC protections.
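A mail-filter side check for the From: header problem described above, added here as an example rather than taken from the researcher's write-up. It decodes any RFC 2047 encoded words in the display name with the standard `email` module and flags two things a client should never render: control characters inside the decoded name, and a display name that itself looks like an email address but does not match the header's real addr-spec. All sample headers and addresses are constructed.

```python
import base64
import re
from email.header import decode_header
from email.utils import parseaddr

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
EMAIL_LIKE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")


def decode_from(raw_from):
    """Split a raw From: value into (decoded display name, header address).

    parseaddr separates the display name from the addr-spec; decode_header then
    turns any RFC 2047 encoded words in the display name into text, which is
    where a crafted header can smuggle bytes a client would reject if sent raw.
    """
    name, addr = parseaddr(raw_from)
    pieces = []
    for chunk, charset in decode_header(name):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:            # unknown charset label in the header
                chunk = chunk.decode("latin-1", errors="replace")
        pieces.append(chunk)
    return "".join(pieces), addr.lower()


def inspect_from(raw_from):
    """Return a list of findings for a From: header; an empty list means nothing odd."""
    name, addr = decode_from(raw_from)
    findings = []
    if CONTROL_CHARS.search(name):
        findings.append("control character inside decoded display name")
    claimed = EMAIL_LIKE.search(name)
    if claimed and addr and claimed.group(0).lower() != addr:
        findings.append(f"display name claims {claimed.group(0)} but header address is {addr}")
    return findings


def _encoded_word(text, charset="utf-8"):
    """Build an RFC 2047 base64 encoded word (helper used only to construct samples)."""
    return f"=?{charset}?b?{base64.b64encode(text.encode(charset)).decode('ascii')}?="


# Constructed samples; every address is fictional.
SPOOFED_FROM = _encoded_word("ceo@corp.example\x00") + " <attacker@example.com>"
BENIGN_FROM = "Alice Example <alice@example.com>"
BENIGN_ENCODED_FROM = "=?utf-8?q?Jos=C3=A9_P=C3=A9rez?= <jose@example.com>"

if __name__ == "__main__":
    for h in (SPOOFED_FROM, BENIGN_FROM, BENIGN_ENCODED_FROM):
        print(repr(h), "->", inspect_from(h) or "ok")
```

The encoded-word case is the one worth dwelling on: the raw header is pure ASCII, so anything that inspects it before decoding sees nothing wrong, while a client that decodes and then truncates at the NUL displays only the claimed address. Checking the decoded form, as above, is what catches it.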

ROBOT attack. Another witty acronym attack in the form of ROBOT (Return Of Bleichenbacher’s Oracle Threat), in which an attacker can extract private session keys from TLS sessions. The practical application is an attacker pulling out the encryption keys you are using to communicate with things like a VPN or a secure website, and decrypting your traffic. Specifically, this targets PKCS#1 v1.5 with RSA encryption, and one mitigation would be to stop using this setup.
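A way to check that a server's cipher configuration really has dropped RSA encryption as a key exchange, added here as an example (not from the ROBOT write-up). It asks the OpenSSL linked into Python's `ssl` module which suites a cipher string enables and flags those whose key exchange is plain RSA; the two cipher strings are constructed, with `!kRSA` being OpenSSL's keyword for excluding RSA key transport.

```python
import re
import ssl

# Constructed cipher strings: a permissive legacy one, and a hardened one that
# forbids RSA key transport outright with OpenSSL's "!kRSA" keyword.
LEGACY_CIPHERS = "ALL:!aNULL:!eNULL"
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!kRSA"

# OpenSSL's one-line cipher description carries "Kx=RSA" for static RSA key
# exchange; the word boundary keeps "Kx=RSAPSK" from matching by accident.
_KX_RSA = re.compile(r"\bKx=RSA\b")


def enabled_suites(cipher_string):
    """Ask the linked OpenSSL which suites a cipher string actually enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def static_rsa_suites(cipher_string):
    """Names of enabled suites whose key exchange is RSA encryption of the
    premaster secret, i.e. the ones a Bleichenbacher oracle applies to.

    TLS 1.3 suites report Kx=any and are never flagged. (EC)DHE suites that are
    merely authenticated with RSA (Au=RSA) are fine too: there the RSA key only
    signs and never encrypts, so there is no padding oracle to exploit."""
    return [c["name"] for c in enabled_suites(cipher_string)
            if _KX_RSA.search(c["description"])]


if __name__ == "__main__":
    for label, cs in (("legacy", LEGACY_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        print(f"{label:9} {len(static_rsa_suites(cs))} static-RSA suites enabled")
```

The count for the legacy string depends on the OpenSSL build and its security level, which is exactly why the check should be run against the real server configuration rather than assumed from a cipher string alone. Removing the suites is the durable fix; a server that keeps them must instead rely on the library implementing the countermeasure in the RSA decryption path.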

Deep dive into Napoleon ransomware. For those that have been missing a technical deep dive into malware, Malwarebytes delivers the goods with a look into ‘Napoleon’ - a variant of the Blind ransomware that they recently discovered.

Debugger could be leveraged into a keylogger. Debug code in touchpad drivers for multiple HP laptops could have been turned on for use as a keylogger. While admin access would be needed to enable it, this attack vector would have avoided anti-virus scanners, since it is an expected driver.

Extended Validation Certificate Abuse. A few recent studies have discovered flaws in the Extended Validation certificate issuance process. One used stolen identities (from the many personal data breaches that are available) and another set up a fake company with the same name as a legitimate company (since no one checks for collisions in EV certs), resulting in legitimate-looking EV certificates being issued. With the total cost under $200 and minimal questions asked, this is a potentially more viable attack in the upcoming months.

Security Roundup - 2017-12-08

Card Skimmers On The Rise. I’ve previously posted about credit card skimmers. According to FICO, credit and debit card compromise has increased 70% YoY. Worried? Read this article on how to avoid and be aware when using your card.

Dirty COW not yet out to pasture. Last year, a major vulnerability called Dirty COW made the rounds, as a local privilege escalation problem in Linux distributions (including Android). Now, more than a year later, researchers have discovered that an edge case not covered by the original patch allows the same bug to be exploited. A patch is already available, and the flaw can also be mitigated with configuration changes, but the fact that it was patched incorrectly for over a year should be worrying.

Wordpress Hacks Leave Keyloggers. Hacked Wordpress sites are great for attackers, who use them to host malware, run cryptocurrency miners, and now run keyloggers to try to harvest usernames and passwords. Read the article for Sucuri’s findings.

Rundown on OSX ‘root’ password problem. Apple recently fixed an issue where a user could log in to the root account with a blank password (even remotely!). If you want to know the nitty gritty of why, check out Objective-See’s deep dive on the subject.

Old Exploit for Serial-To-Ethernet devices still very prevalent. Many old serial devices have been hooked up to the internet via Serial-to-Ethernet connectors manufactured by a number of companies. A set of these devices from Lantronix has had an exploit (since 2012!) which returns the telnet password in plaintext and, since these devices have not been patched (since 2012!), this means another several thousand devices are exploitable on the internet.

New Mirai Variant Potentially Leverages 0-day. Yet another variant of Mirai has made waves this week, with a sudden takeover of over 100K devices. This wave of exploits appears to be targeting a port on Huawei devices which is not known to have an exploit, on top of a username/password list containing 65K entries.

Andromeda Botnet Shut Down. However, while Mirai’s family thrives, Andromeda’s family dies as law enforcement agencies coordinated with industry leaders to shut down the Andromeda botnet. This botnet has been alive since 2011 and used to deliver malware, including 80 different malware families in the last 6 months alone.

Uber breach sparks punitive bill. With the news of Uber covering up a breach coming to light, some US Senators have pushed forward the “Data Security and Breach Notification Act”, intended to unify breach notification laws across states. It also, however, entails jail time for those that willfully conceal breaches, which may have impacted Uber’s decision to try to disguise their breach payout as a bug bounty.

Verizon releases 2017 Data Breach Investigation Report. Now in its 10th year, Verizon has again released an in-depth look at breaches. This year also includes a summary report to give some highlights, which include:

  • Unsurprisingly, malware is used in just over half of all breaches
  • Still unsurprising, 43% included a social/phishing aspect
  • 61% of victims are companies with fewer than 1000 employees
  • In the wake of many breaches involving leaked passwords, password stuffing attacks have risen sharply as a cause of breaches. The ease with which this works makes it just too easy for attackers.

Check out the full report if you are interested in details broken out by industry!
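Detection logic for the password-stuffing pattern the report highlights, as an added example that is not from the Verizon report. Stuffing replays leaked username/password pairs, so its signature in an authentication log is one source trying many distinct accounts, mostly failing, rather than one account being hammered or one user mistyping. The log format, the thresholds and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape (constructed; adapt the regex to your IdP's format).
LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2017-12-04T02:10:01 auth fail user=alice src=198.51.100.7
2017-12-04T02:10:02 auth fail user=carol src=198.51.100.7
2017-12-04T02:10:02 auth fail user=dave src=198.51.100.7
2017-12-04T02:10:03 auth ok user=bob src=198.51.100.7
2017-12-04T02:10:04 auth fail user=erin src=198.51.100.7
2017-12-04T02:10:05 auth fail user=frank src=198.51.100.7
2017-12-04T02:10:06 auth fail user=grace src=198.51.100.7
2017-12-04T02:10:07 auth fail user=heidi src=198.51.100.7
2017-12-04T08:15:10 auth fail user=alice src=203.0.113.5
2017-12-04T08:15:25 auth fail user=alice src=203.0.113.5
2017-12-04T08:15:40 auth ok user=alice src=203.0.113.5
2017-12-04T09:00:00 auth ok user=bob src=192.0.2.9
2017-12-04T09:01:00 auth ok user=carol src=192.0.2.9
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "ok",
                           "user": m["user"], "src": m["src"]})
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, max_success_rate=0.2):
    """Flag sources that try at least `min_users` DISTINCT usernames inside
    `window` with a success rate at or below `max_success_rate`.

    A sliding window per source keeps memory bounded and lets the same detector
    run over a stream. The legitimate user who mistypes twice (one username) and
    the office NAT with a few successful logins (high success rate) stay clean."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(users) < min_users:
                continue
            rate = sum(e["ok"] for e in win) / len(win)
            if rate > max_success_rate:
                continue
            if src not in flagged or len(users) > flagged[src]["distinct_users"]:
                flagged[src] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "success_rate": round(rate, 3),
                    # accounts the source actually got into: reused passwords, reset them
                    "hit_accounts": sorted({e["user"] for e in win if e["ok"]}),
                }
    return flagged


if __name__ == "__main__":
    for src, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The `hit_accounts` list is the actionable output: those users reused a password that is already in circulation, so a forced reset there does more good than blocking the source address, which an attacker rotates freely.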

Security Roundup - 2017-12-01

DDoS Attacks get more sophisticated. Cloudflare has an interesting blog post about a decrease in network level DDoS attacks. Instead, they are seeing an increase in application layer attacks, trying to force servers to do expensive actions repeatedly to knock them offline, rather than overwhelming them with raw traffic. Cloudflare discusses the options of caching and rate limiting as methodologies by which to mitigate some of this attack vector.
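The two mitigations Cloudflare names above, caching and rate limiting, combined in front of an expensive endpoint. This is an added example, not Cloudflare's code: a token bucket per client bounds how much expensive work any one source can trigger, while cache hits are served without spending a token because they cost the server almost nothing. The endpoint, client address, rates and fake clock are constructed so the scenario runs offline.

```python
import time


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second, holds at most `burst`."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.updated = clock()

    def allow(self, cost=1.0):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class ExpensiveEndpoint:
    """Fronts an expensive `compute(query)` with a TTL cache and a per-client
    token bucket. Only cache misses, which burn real CPU, are rate limited;
    that is what stops an application-layer flood of distinct costly requests."""

    def __init__(self, compute, rate, burst, ttl, clock=time.monotonic):
        self.compute, self.rate, self.burst, self.ttl, self.clock = compute, rate, burst, ttl, clock
        self.buckets = {}        # client key (e.g. source IP) -> TokenBucket
        self.cache = {}          # query -> (expires_at, result)
        self.compute_calls = 0   # how much expensive work actually ran

    def handle(self, client, query):
        now = self.clock()
        hit = self.cache.get(query)
        if hit and hit[0] > now:
            return 200, hit[1]                      # cheap: no token charged
        bucket = self.buckets.setdefault(client, TokenBucket(self.rate, self.burst, self.clock))
        if not bucket.allow():
            return 429, "rate limited"
        self.compute_calls += 1
        result = self.compute(query)
        self.cache[query] = (now + self.ttl, result)
        return 200, result


class FakeClock:
    """Deterministic clock so the scenario runs without sleeping (constructed)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """Constructed scenario: one client fires ten distinct expensive queries at
    once, repeats one, then comes back two seconds later with three more."""
    clock = FakeClock()
    ep = ExpensiveEndpoint(compute=lambda q: f"report for {q}", rate=1.0, burst=3, ttl=60, clock=clock)
    burst = [ep.handle("203.0.113.9", f"q{i}")[0] for i in range(10)]
    cached = ep.handle("203.0.113.9", "q0")[0]    # served from cache, no token spent
    clock.advance(2.0)                             # two tokens have refilled
    later = [ep.handle("203.0.113.9", f"late{i}")[0] for i in range(3)]
    return burst, cached, later, ep.compute_calls


if __name__ == "__main__":
    print(simulate())
```

In a real deployment the cache key must include everything that changes the response (authenticated user, query parameters), and the bucket key should be chosen so that a single abuser cannot exhaust a limit shared with legitimate users behind the same NAT; per-client limits plus a global ceiling on concurrent expensive work is the usual combination.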

Google In a Tizi over spyware. Google has found another set of spyware apps in their app store. The backdoor, which they named Tizi, has apparently been around since 2015 but only infected 1300 devices. They provide a transparent post about how they identified it and what steps were taken to mitigate this malicious app.

Malware Goes Encrypted. Researchers following the Terror Exploit Kit report that it has started encrypting all traffic, leveraging free certificates. This is an attempt to hide their random URLs, so that only IPs will be visible to monitoring software.

Two Unfortunate Breaches. Two breaches this week with different reaction profiles. The first was Uber, who was hacked last year, had 57 million driver and rider accounts stolen, and then proceeded to pay off the hackers and not disclose the breach. This may have violated several laws, both for not disclosing and for destruction of the data. On the other side, Imgur notified users of a breach impacting 1.7 million users. Despite being notified over the Thanksgiving weekend, Imgur managed to review the data, reset user accounts, and publicly disclose in 25 hours and 10 minutes.

Expensify leaks sensitive information. In terms of leaking sensitive information, Expensify collected a lot of flack this week when it was made apparent that they were outsourcing transcription of receipts to Amazon’s Mechanical Turk. In some cases, this included full names and addresses of individuals.

Mirai makes waves again. An exploit for another modem resulted in a brief resurgence in Mirai activity, as attackers quickly moved to leverage the exploit, taking over up to 100K devices in under 60 hours. The particular variant has currently been stopped, but the modem in question still remains vulnerable.

Firefox to team up with HaveIBeenPwned. Firefox has announced their intent to integrate HaveIBeenPwned warnings into the browser. This means that when users visit a site that is part of a breach of user data, they will receive notifications right in the browser, rather than having to sign up for a service or follow the news.

Deep Dive into MuddyWater APT. And for those that love deep dives into malware, Reaqta provides an in-depth look into MuddyWater, an APT that targeted individuals in the Middle East.
