Security Roundup - 2017-11-24
LavaRand - Leveraging Real World Randomness. Did you know that CloudFlare harvests randomness from lava lamps as an entropy source? Using a real world source of entropy, they augment the pseudo-random pool on their servers with actual randomness. They’ve recently posted this article on their motivations behind going through the trouble to set this up.
Fake Symantec Blog Spreading Malware. A fake security blog attempting to look like the Symantec blog has been discovered by researchers. The site has been taken down, but contained a post to attempt to incent readers to download a ‘security tool’, which is actually a variant of the Proton credentials stealer.
Vulnerability Equities Process Transparency. The Whitehouse has announced additional transparency around the factors that play into whether or not government agencies notify vendors about discovered vulnerabilities. Mozilla feels it is a step in the right direction but several severity researchers are skeptical of the announcement. Notable, Bruce Schnier who suggests this is just additional window dressing and time will tell), Adam Shostack who points out the large list of threats [which are not considered factors in the VEP]https://adam.shostack.org/blog/2017/11/vulnerabilities-equities-process-and-threat-modeling/), and Sophos Security points out that this year we have seen plenty of non-disclosed vulnerabilities stolen and weaponized.
Session Recording Tools Scoop Up Excessive Data. Use a service that records what user’s are doing on your site (for analytics and usage review)? They may be scooping up much more information than expected, since many of them record all keystrokes and mouse clicks, including stuff that user’s may not actually intend to send to the site and in some cases researchers observed these scripts scooping up passwords, credit card numbers, and PII.
New OWASP Top 10. The Open Web Application Security Project (OWASP) has released a new version of their top 10 vulnerabilities this year. Unsurprisingly, Injection attacks is still listed as the #1 risk for web applications. However, we have 3 new entries. The first is XML External Entities (XEE) attacks, where XML parsers (in APIs, or otherwise) can potentially contain instructions and load external content allowing for DoS attacks or remote code execution. The second is Insecure Deserialization, which honestly feel very similar to injection and XEE, but targeted at object de/serialization. In this scenario, attackers can target deserialization of complex objects to try and invoke remote code execution. Finally, we have Insufficient Monitoring and Logging where not knowing what is going on greatly decreases the reaction time of defenders and increases the likelihood of successful exploitation by attackers.
Leveraging Multiple Vulnerabilities To Achieve Exploitation. Now that you have familiarized yourself with the new OWASP top 10, read this article on how they leveraged a number of these to chain their way to remote code execution.
Github starts highlighting out of data software. Github has taken a major step forward in security by helping people know when they are using software packages that are out of date (‘Using Components with Known Vulnerabilities’ is #9 on the OWASP Top 10). They’ve started with Ruby and Javascript, which covers 75% of projects with detectable dependencies today.
Misconfigured API access allows for data harvesting. Security researchers have discovered that many developers using the Twilio messaging API have hard coded credentials in their apps, effectively making it possible for other apps to collect Twilio metadata without a user noticing. At time of writing, this could impact more than 600 apps for both Android and iOS. This extends to other APIs as well, such as Amazon’s S3 access.