Security Roundup - 2016-08-03

Motherboard editor Kate Lunau recently went to a Toronto Hackerspace and learned how to pick locks. She gives an interesting analogy between physical security and digital security. We lock our doors every day, but how secure are they really? We use various websites and share our information every day, but how safe are they really? Pentesters test for digital security similar to how lock pickers have been testing locks for ages, and lock disclosure is a thing too.

Don’t forget to secure your development environment! One hacker details how he infiltrated Imgur’s dev environment and managed to find production credentials that could be utilized to escalate access.

As a follow-up to last week’s LastPass exploits, it turns out that there were actually two. The first allowed a user to use JavaScript to extract passwords. The second is a bit more sophisticated, and requires a user to be lured to a malicious site. But once that happens, an attacker could execute a number of actions on the user’s behalf. LastPass has already addressed both and asks users to upgrade accordingly.

One user has a new solution to the Internet of Things access problem. Rather than exposing access in the clear over the internet, or routing through a third party, what if you hid your things behind Tor? By using Tor’s hidden services as the access point for remote management, the software in question avoids a host of problems, such as automatic enumeration by services like shodan.io. While perhaps not for the average person (yet), just wrap a fancy app around it and who knows?
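The shape of that setup, as an added illustration and not the original author’s software: a torrc fragment for the device, assuming a management daemon that listens only on 127.0.0.1:8080 and a hidden-service directory under /var/lib/tor (both assumed values).

```text
# torrc on the IoT device (added example; the port and directory are assumptions)
#
# The management daemon binds to loopback only (127.0.0.1:8080). No public
# socket exists, so scanners like shodan.io have nothing to enumerate;
# the only way in is through the Tor network to the onion address.

SocksPort 0                                 # this Tor instance makes no client connections
HiddenServiceDir /var/lib/tor/iot_mgmt/     # Tor writes the onion key and hostname here
HiddenServicePort 8080 127.0.0.1:8080       # onion virtual port -> loopback management port

# Knowing the .onion name alone should not be enough to reach the daemon:
# enable client authorization (HiddenServiceAuthorizeClient for the older
# v2 services of this era; per-client keys in authorized_clients/ for v3),
# and keep the daemon's own login in place on top of that.
```

After starting Tor, `ss -tlnp` on the device should show the management port bound to 127.0.0.1 only, and `/var/lib/tor/iot_mgmt/hostname` holds the onion address an administrator connects to through a Tor client.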

Motherboard is running a video series called ‘Can I Hack It?’. The latest video is titled ‘How Hackers Could Wirelessly Bug Your Office’, where some white hat hackers demonstrate how they can update devices remotely in order to exfiltrate data unexpectedly.

The 11th HOPE Conference ran from July 22nd to July 24th. There were a lot of great talks, which are now available online. Some suggested viewing:

Last week, NIST suggested that two-factor authentication over SMS be deprecated. Duo is on board with this change, but the U.S. Social Security Administration just rolled out two-factor auth over SMS.

Cisco has released their Midyear Cybersecurity Report. A few key takeaways:

  • Ransomware is going to continue to expand. Cisco predicts that attackers will write more sophisticated ransomware that will spread across an organization and then start encrypting in parallel, maximizing the damage.
  • As the number of system vulnerabilities disclosed has grown in the last year, so has the importance of a proper patching cadence. The longer a company leaves vulnerabilities exposed, the more time attackers have to use them to gain a foothold. Using their own devices as an example, they analyzed 115,000 devices and found 23% of them had vulnerabilities 5 years or older, with 92% of the devices having some known vulnerability.
  • Many attack types (ransomware, malicious ads, botnets) are increasingly using encryption, from communicating through TLS to using Tor to obfuscate network communications.

As always, Bleeping Computer has the best ransomware roundup. This week includes the NoMoreRansomware initiative going public, new ransomware, more decryption, and Mischa and Petya becoming Ransomware as a Service.

Written on August 3, 2016