Security Roundup - 2016-10-13
Stories about hacking the internet of things continue to roll out.
- Hackaday goes into how cheap devices open up security holes via UPnP.
- Cloudflare has their own analysis on a large attack, specifically ones using HTTP to eat up server resources.
- As does Akamai, who points out one form of attack labelled SSHowDowN Proxy.
- The European Union is looking to draft stern laws requiring security for devices.
- Meanwhile, MITRE has launched a competition/bounty to uniquely identify IoT devices that are on a network, in a non-intrusive fashion.
- Krebs On Security (a recent victim of IoT DDoS) has an article detailing some findings from an IoT honeypot, where devices are being turned into SOCKS proxies and rented out for various malicious activities.
- A security researcher recently investigated MatrixSSL, an SSL stack for IoT devices. and found three vulnerabilities, similar to how closer scruitiny of OpenSSL has uncovered a number of vulnerabilities in the last year.
Speaking of SSL, a few months ago I mentioned nonce reuse. Cloudflare has a great article on the concept as well as going into how various versions of TLS manage nonces, and what future versions are doing to reduce the ability for nonce misuse.
Researchers warn that 1024 bit keys in the Diffie-Hellman key exchange can be trapdoored, allowing attackers to decrypt data. While NIST has recommended 2048 bit keys since 2010, some big areas still use 1024 bit keys, including a number of SSL certs, Java 8 only supporting 1024 bit keys, and DNSSEC limiting keys to a maximum of 1024 bits as well. At this time, while the researchers are able to create a trapdoor, they don’t have a way to identify what published primes might actually be trapdoored.
Amazon has joined the group of companies that analyze data leaks and proactively reset customer passwords.
Researches at Checkpoint have written a whitepaper on sandbox evasion, specifically targeting the Cuckoo Sandbox, to educate sandbox makers on the evolving field of sandbox evasion. Among other things, I have now learned that malware takes advantage of some specific malware detection/virtual environment processes to actually make itself crash before doing anything malicious, to avoid detection.
Today I learned of the existence of Sucuri’s Lab Notes, due to them now starting to put together a monthly recap. The last month has included exploiting various CMSes (Drupal, Magento, vBulletin), how to target mobile devices for malware, and an attacker attempting to hijack Paypal donations.
BinaryEdge has published their own Internet Security Exposure report. Similar to other reports, key findings include slow to be updated software, which leaves potential security flaws to be exploited, as well as plenty of databases, smart devices and other systems not using authentication mechanisms.
A former NSA staffer has demonstrated how malware can leverage your camera by piggybacking on any recording that is already happening. Since on OSX, the video light will already be on, users won’t realize that other programs are making use of the camera. The researcher has also published a program that will identify and alert when an application goes to make use of the camera, to mitigate this problem.
Checkpoint has an interesting article on “Crypto Failures in Malware”. From ransomware that used default values and was easily decrypted, to not really random seeds, to rolling your own encryption (never a good idea) complete with real world examples of where malware authors did the wrong thing.
Bleeping Computer rounds up the ransomware. This week features lots of new variants, but it appears that many are really just spins on existing versions, rather than in increase of sophistication.