Security Roundup - 2016-11-23
Happy Thanksgiving! I just found out that DerbyCon 2016 videos have been up for over a month, and DefCon 24 videos went up in the last week, so I know what I am going to be filling SOME of my time this weekend.
Some internet of things news:
Several Siemen’s branded CC TV cameras are vulnerable to a bug that would allow attackers to gain admin credentials.
Similarly, security researcher Robers Stevens recently purchased an IP based camera and decided to see how quickly it was compromised. In under 2 minutes he had details on how some attackers were exploiting and what they were doing once they gained control.
Some phone related problems were mentioned this week including:
An insecure update mechanism for a number of phones which could operate as a rootkit to execute arbitrary system commands.
An unknown set of phones regularly sends user data to servers in China. The company responsible declares it was a mistake, intended for Chinese devices, but it unfortunately impacts some US ones as well. The company in question has also suggested they have taken steps to correct, including distruction of the data, but as of this time they have not detailed which devices might actually be impacted.
Qualcomm has opened up a bug bounty program for their Snapdragon processors used to power multiple mobile devices.
In a follow up on a previous article on how he validates data breaches, Troy Hunt reiterates why alleged data breaches need to be validates, before being shared as such. It all comes down to publicity, who wants it and how easy it might be to just make up/relabel data to gain it.
In a somewhat similar vein, O’Reilly hosts an article on the challenges of validating attack detection methods. Challenges include tainted data, a variety of datasets, attacks in the wild being perhaps detected so rarely as to provide too small a sample set, and no incentive for defenders to share their overall raw data to provide data scientists better data.
Akamai released their Q3 State of the Internet Report. Unsurprising at this point, DDoS attacks are up with a 138% increase of attacks
100 Gbps YoY and a 58% increase QoQ. They have also noticed a downward trend of NTP reflection attack volume, from upwards to 40 Gbps in 2014 to 700 Mpbs in 2016, this decrease is attributed to organizations patching their servers to mitigate known problems that allowed these attacks.
CheckPoint labs provides their ‘October Most Wanted Malware List’, where they see a 5% growth in families and distribution over the course of the month. Zeus and Locky continue to be prevalent in the ranks, though Conficker is still #1 after several months.
Ars Technica reports on one researcher’s discovery of subtle bugs in a linux audio processing library. With it, the researcher was able to craft specific audio files that could be used to bypass some standard linux security constraints.
BleepingComputer provides plenty of interesting ransomware news again this week. This week: The CrySiS ransomware had its encryption keys released, ransomware writers seeking help from security researchers to fix their crypto to ‘help victims ensure their files can be decrypted’, an uptick in distribution channels, and plenty of new variants.