Security Roundup - 2017-01-26

Some missed news from last month: an incident response worker did a 2016 review on learning from security breaches. Some high level lessons:

  • Centralized logging makes problems much easier to track down.
  • Root causes might not be found.
  • If you rely heavily on third party technology, evaluate it for risk.
  • Most organizations he visited did not have a good secrets management solution.
  • Companies with higher tech debt also correlate with companies with high security debt.

The EFF put out an update on the Technical Developments in Cryptography, covering backdoored crypto, the finalization of TLS 1.3, a review of crypto attacks in 2016, as well as the strengthening of HTTPs.

Symantec-owned certificate authorities have been found to have violated SSL Certificate issuing guidelines for 108 certificates. 9 of these certificates were issued to people that were not controllers of the domains in question. Many of these appear to be ‘test’ certificates and were promptly revoked, but could still have been used for malicious behavior, especially as browsers are generally not able to deal with issuance and revocation of certificates in real time. These violations were apparently only discovered via Google’s Certificate Transparency project.

Hack The Army started up at the end of last year, and TechCrunch provides a story of some of the initial results.

Use Cisco WebEx? You might want to check that the extension is up to date, since older versions contain a remote execution vulnerability, allowing for computers to be taken over just by browsing a specially crafted page. Sophos gives you a breakdown.

Engineers at Falliable.co recently built a tool to find secrets in Android apps. After analyzing 16K applications, they decided to write up some findings. Unsuprisingly, quite a few applications had hard coded some sort of api token in the application.

Shodan.io has released an updated Heartbleed report, indicating that 200K servers are still susceptible to CVE-2014-0160 (yes, Heartbleed is now 2 years old).

BleepingComputer reports on a banking ransomware that had its source code leaked. Initial investigation seems to indicate it has already been modified into banking trojan.

Speaking of modified versions, Checkpoint Security warns of a new version of HummingBad, called HummingWhale. They have already contacted Google to take down a number of apps, and shares their overall findings.

Finally, BleepingComputer details how members of the MalwareHuntingTeam are being harassed on VirusTotal, presumably by malware authors that MalwareHuntingTeam has exposed.

Written on January 26, 2017