Security Roundup - 2018-04-12

The ‘convenience’ of a bluetooth credit card. Who would have imagined that wirelessly enabling credit cards would be a problem? Several ‘consolidated’ credit cards have hit the market in the last few years and now researchers have broken into them. In particular, the FUZE card can be broken into with a only seconds of physical access (like, when you hand it over to pay), where credit card details can be downloaded over bluetooth as long as the card remains in range.

Phishing attacks can leverage email handling discrepencies. Did you know that Gmail ignores the . character in email addresses? A software engineer discovered this the other day when they received an unexpected from Netflix that a credit card had been declined. Only it wasn’t their credit card, but someone else’s account with a . in the email address. Was this an honest mistake? Or potentially a new scam to try to collect accounts being paid off by unsuspecting people?

Harmless social quiz, or tactical information harvesting? Have you even thought about how much information you are potentially giving away with small quizes on social sites? Have you even thought about these questions and felt some of them may be very similar to your password recovery questions?

2017 Hacked Website Report. Sucuri has released their annual hacked website report. There are some interesting items including:

  • Wordpress is the most prevalent CMS, and the one that is most likely to be up to date. BUT since it is so common it also ends up being the platform with the most infections over the same period.
  • Only 17% of websites Sucuri identified as compromised ended up on blacklists in the same interval.
  • The number of infected files needing cleaning almost doubled YoY, demonstrated an increase in depth of compromise.

How (not) to do session management What happens when you design session managements where sessions are timestamps and never seem to expire? This blog post for one, where one researcher noticed he could effectively gain access to any client’s files for a specific cloud data storage company.

Malware code signing abuse deep dive. We’ve talked about malware code signing recently, but Trend Micro does a further deep dive on the topic. Interestingly, they see more signed malware than signed legitimate apps.

On the lifecycle of exploit development. There is obviously much interest in how long it takes from an exploit to be known to being used in the wild. One security researcher was surprised to discover that some SQLi injection vulnerabilities he had documented had not been used and decided to find out why. This seems to be in part due to malicious actors monitoring certain sites, where if an exploit is not disclosed on those sites it might be ignored.

Written on April 12, 2018