Security Roundup - 2017-01-18

Google has announced its intent to start recording ‘Key Transparency’. In a sense, it is a key-verification idea in the same spirit as Keybase, while also preserving the privacy of the user. A writeup of the idea is available on GitHub.

Mobile malware is a large problem, with the likes of Gooligan and HummingBad making the rounds. Google has written an article on a technique they use to detect apps carrying this kind of malware, combining their Potentially Harmful Apps (PHA) detection with monitoring for devices that stop checking in for PHA scans. Cross-referencing downloaded apps with devices that stop reporting makes it possible to detect which apps are potentially behaving maliciously and to automatically flag them for review.
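As an added illustration of the cross-referencing heuristic described above (example code written for this roundup, not Google's implementation), the block below runs a simplified version over constructed install and check-in telemetry: a device that stops reporting shortly after installing an app counts against that app, and apps whose "gone dark" rate is well above the fleet baseline are flagged for review. Device and app names, the grace period and the window are all assumed values.

```python
from collections import defaultdict

# Constructed telemetry (not real data): each install is
# (device, app, install_day); LAST_SEEN is the last day the device sent
# a check-in. TODAY is the day the analysis runs.
INSTALLS = [
    ("d1", "flashlight", 1), ("d2", "flashlight", 1), ("d3", "flashlight", 2),
    ("d4", "flashlight", 2), ("d5", "flashlight", 3),
    ("d1", "weather", 1), ("d6", "weather", 1), ("d7", "weather", 2),
    ("d8", "weather", 2), ("d9", "weather", 4),
    ("d5", "notes", 5), ("d10", "notes", 5), ("d11", "notes", 6),
    ("d12", "notes", 6), ("d13", "notes", 7), ("d14", "notes", 7),
    ("d15", "notes", 8),
]
LAST_SEEN = {"d1": 2, "d2": 2, "d3": 3, "d4": 4, "d5": 9, "d6": 10,
             "d7": 9, "d8": 10, "d9": 9, "d10": 10, "d11": 9, "d12": 10,
             "d13": 9, "d14": 10, "d15": 9}
TODAY = 10


def is_dark(device, last_seen, today, grace=3):
    """A device is 'dark' once it has not checked in for `grace` days."""
    return today - last_seen[device] >= grace


def dark_rates(installs, last_seen, today, grace=3, window=3):
    """Per app: (devices that went dark within `window` days of installing
    it, total devices that installed it)."""
    installed, dark = defaultdict(set), defaultdict(set)
    for device, app, day in installs:
        installed[app].add(device)
        last = last_seen[device]
        # Blame the app only if the device was alive at install time and
        # stopped reporting shortly afterwards.
        if is_dark(device, last_seen, today, grace) and 0 <= last - day <= window:
            dark[app].add(device)
    return {app: (len(dark[app]), len(devs)) for app, devs in installed.items()}


def flag_apps(installs, last_seen, today, min_installs=3, multiple=2.0):
    """Flag apps whose dark rate is `multiple` times the fleet-wide rate."""
    devices = set(last_seen)
    baseline = sum(is_dark(d, last_seen, today) for d in devices) / len(devices)
    flagged = []
    for app, (n_dark, n_inst) in dark_rates(installs, last_seen, today).items():
        if n_inst < min_installs:
            continue  # too few installs to draw a conclusion
        if n_dark and n_dark / n_inst >= multiple * baseline:
            flagged.append(app)
    return sorted(flagged)


if __name__ == "__main__":
    for app, (d, n) in sorted(dark_rates(INSTALLS, LAST_SEEN, TODAY).items()):
        print(f"{app:12s} {d}/{n} devices went dark after install")
    print("flag for review:", flag_apps(INSTALLS, LAST_SEEN, TODAY))
```

Note that a device which installed several apps before going dark counts against all of them (d1 above), which is why the comparison is against the fleet baseline rather than any single dark event.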

Brian Krebs has been investigating the person behind the Mirai botnet and believes he has figured out the real-world identity of the person responsible. Note: this is a long read, going over his entire investigation. It is a really interesting read on the entire DDoS ecosystem.

With last week’s MongoDB land grab reaching its end, it looks like attackers have shifted towards publicly accessible ElasticSearch clusters. Duo Security also points out that this shouldn’t be a surprise, given that the amount of exposed data has been reported multiple times over the course of the last two years. Plenty of other datastores are still exposed, and Redis was already a victim last year. What’s next after ElasticSearch? BinaryEdge gives us a brief history of DB ransomware and says there are early signs that Hadoop is the next target. BleepingComputer points out some vandalized Hadoop servers, as well as some CouchDB servers with ransom notes already.

Threatpost has a story on the Carbanak malware family, which is apparently using Google Sheets as a C&C mechanism: nodes update sheets to exfiltrate data and read sheets to accept new commands. This joins Telecrypt as another malware strain that leverages third-party services rather than managing its own C&C nodes.

ShmooCon has wrapped up, and some interesting news came out of it. Did you know that squirrels cause more infrastructure outages than cyberattacks? Apparently some cyberattacks are actually mis-attributed animal outages.

SHA-1 certificates should be on their way out this year, as browsers are poised to flag certificates that have not moved to SHA-2. In the Alexa top million, apparently only 536 sites do not offer SHA-2 at this time. Caught in the crossfire are all those devices that are hard to upgrade but use SSL certificates, such as routers and PoS/banking systems.

Sucuri has a roundup of their December Lab Notes, which detail a number of CMS related security problems.

Check Point has released their Malware Most Wanted update, and there is a lot of movement on the board. Conficker is still at the top, and overall malware attacks were down over the holidays.

In other ransomware news, one of the C&C servers for Cerber was recently compromised by security researchers. They observed 700 downloads of Cerber during their observation window, which they extrapolated to 8,400 downloads per day.

Also, Endgame Security does an in-depth analysis of a ransomware strain for the latest Flare-On Challenge.

Security Roundup - 2017-01-12

Bruce Schneier writes a thoughtful article on Class Breaks, where a security vulnerability doesn’t just impact one system but an entire class of systems. He feels this concept should be thought about more, as we move to a more connected world. The IoT ecosystem has shown plenty of ‘class breaks’, where one vulnerability means that a large number of systems are impacted. As we automate more technology, building security in and planning for eventual class breaks will be important, as 2016’s IoT news has demonstrated.

Krebs on Security has a detailed article on problems with cardless ATMs. In this story, an attacker was able to add another number to someone’s account and then use a cardless ATM strategy that Chase was testing to withdraw cash. The attack was made easier because, by default, the transaction lacked 2FA (a bank card counts as a second factor).

The above article led me to Two Factor Auth, a database of all the services that allow users to enable 2FA.

Do you use autofill on web forms? You may be giving away more information than you can see, since these features can also fill in hidden fields.

Troy Hunt wrote up an interesting story where he walks us through the process of data getting into HaveIBeenPwned (note, this uses an adult site as an example).

Kaspersky Labs discovered a C&C server that was also used as a shopping portal to sell the stolen data. The downside is that the shopping portion had a security vulnerability that allowed a malicious user to make off with the already stolen data.

ThreatPost reports that hackers are specifically targeting Mongo databases, deleting records and leaving a ransom note for users who want their data back. It looks like there are potentially multiple attackers doing this, and they are overwriting each other’s ransom notes in an attempt to get the payout. This decreases the likelihood of victims ever getting their data back. BleepingComputer contacted one hacker, who mentioned that his process is completely automated and that he is motivated by the idea that owners of these systems ‘have to learn a lesson’. They have been following the news pretty closely: at the time of writing ~21K MongoDB instances have been hit, and one of the major players has offered up their script for sale to anyone who wants to fight over the remains.

BleepingComputer also reports on Spora, a very sophisticated ransomware strain. Spora works offline, and the encryption looks to be based on random keys created and then secured by public key encryption, requiring the keys to be manually sent in to attackers to potentially decrypt.

Security Roundup - 2017-01-05

33c3 happened at the end of the year and videos are already up. Writers for Hackaday attended and did a number of writeups.

At the same time, the FDA announced guidance on managing medical devices in a cybersecurity world. The suggestions include ‘having a way to monitor devices for vulnerabilities’, which in and of itself seems like a potential exploit vector? I am sure 2017 will have more news on this topic.

Filippo Valsorda, currently on the Cloudflare Security Team, published an op-ed on “Why he is giving up on PGP”. Major difficulties include ease of use, lack of trust that it is working ‘correctly’, and suspicion of the use of long-term keys. This was followed by a rebuttal by Neal Walfield, an engineer who works on GnuPG, who points out a number of ways to mitigate Filippo’s problems and some future proposals that might increase usability.

Slate has a good history lesson on the 2011 DigiNotar breach, and how TLS security has changed in the last several years as a result: minimum security requirements for certificate providers issued by the Certificate Authority Security Council, Google’s Certificate Transparency program, browsers being more willing to de-list bad actors, and more.

Troy Hunt did an ‘Ask Me Anything’ for HaveIBeenPwned’s 3rd birthday at the start of December, and recently published the video online. He also has an article on how responsible disclosure of account breaches should happen, using the recent Ethereum forum breach as an example.

A year-in-review of CVEs in 2016 gives some interesting data points. Android OS had the most reported security vulnerabilities for a single product this year, while Oracle had the most CVEs for an individual vendor.

Talos Security goes in depth on hailstorm spam, where spammers launch an email campaign so quickly that traditional detection methods only kick in after the campaign is finished. They go on to describe research into detecting these types of campaigns more quickly by monitoring DNS traffic.

Google announced Project Wycheproof, a collection of unit tests designed to expose weaknesses in implementations of several cryptographic algorithms. To date, they have uncovered 40 security bugs, which they are working with vendors to fix.

Similarly, Duo Labs has released a tool to do fuzz testing for Microsoft Edge and HTTP/2.

More and more malware kits appear to be turning to steganography to deliver payloads and instructions via image files. This includes the DNSChanger exploit, which attempts to use the victim’s browser to identify and compromise their own router. The attacker then tries to expose the router to the internet (to allow further control/compromise) and can also manipulate the user’s traffic. A similar concept has also been found on Android, with the Switcher malware trojan.

MalwareTech wrote up a great article on how open source malware hurts the industry. Arguments include: lowering the bar of entry for those with limited technical experience, faster evolution, and an increase in the overall volume of ransomware. Other interesting observations: they point out that ransomware just performs a normal user operation, encrypting files. This makes detection perhaps a bit harder, if antivirus is trying to distinguish between ‘good’ and ‘malicious’ encryption. Open source ransomware is typically written in languages that malicious users are not actually writing malware in, so it does not benefit much in terms of evolving analysis.

Check Point joined the “No More Ransom” project, and promptly identified two new ransomware variants and built decryptors.

Cerber updated the list of files it does and does not target over the holidays, primarily going after Microsoft Office documents as well as potential bitcoin wallet locations.

Security Roundup - 2018-01-04

CPU architecture vulnerabilities plague all. The big news this week is a series of vulnerabilities in many modern CPUs, including Intel (who fared the worst in the news), AMD, and ARM. The vulnerabilities allow malicious users to read memory they would not normally be able to, allowing them to do things like harvest passwords and encryption keys. Even worse, this breaks out of sandboxes, such that an exploit on a virtual machine could read memory from other virtual machines on the same host. For those interested, you can now read the technical details.

Major hardware-as-a-service providers like Google and Amazon have already indicated that they have instituted corrections to their systems, while operating system providers have declared that patches to protect against these flaws are forthcoming. Microsoft has unfortunately discovered some problems between AV vendors and their proposed patch.

Mozilla has indicated that this type of attack is potentially possible from the browser and is implementing features to mitigate it. Chrome already has additional sandboxing features that are labelled experimental, which they plan to roll out in an upcoming major release.

2017 Breaches in review. Troy Hunt has done an annual retrospective of his 2017, which of course includes stats from HaveIBeenPwned.com. 2017 was pretty sad, with a 50% increase in the number of breaches over all breaches prior to 2017, and the total number of records more than doubling from 2 billion to 4.8 billion.

Threat Modeling Tools for 2018. Does part of your job involve threat modeling? Then you may be interested in this post by Adam Shostack enumerating some interesting new threat modeling tools developed in 2017.

Hacker Q&A With EdOverflow. EdOverflow is the person behind the security.txt RFC, a robots.txt equivalent for publishing hacking targets and security contact information. HackerOne has a Q&A with him about his background in security and his experience with bug bounty programs.

TLS 1.3 could improve IoT security. Cloudflare points out how TLS 1.2 adds a lot of communication overhead, to the point where IoT protocols become much more heavyweight. However, TLS 1.3 improves on this considerably, reducing the number of round trips to make TLS more palatable. Additionally, new algorithms use smaller, more secure keys, which makes low-memory devices more likely to use them.

Interesting defense against ATM skimmers. We love (and are horrified by) reading about ATM skimmers. This week’s story comes with a twist in that it is a defense against current ATM skimmer attacks. Many ATM skimmers are still overlays, so one ATM owner printed their own card-slot overlay so that fraudsters would have a rough time deploying theirs. The author of the article finds the concept interesting, and extrapolates it to giving each system a degree of custom variability to thwart this type of attack. However, since the thing is (currently) 3D printed, it looks sketchy in and of itself and may cause users to turn away from valid ATMs.

Trackmageddon. Another alarmingly named issue is making the rounds under the name Trackmageddon. Involving a number of GPS tracking services for vehicles, it gives unauthorized and unauthenticated users API access to information like location history, phone numbers, and vehicle IMEI numbers; the researchers also found photo and audio files. Researchers later learned this might actually have been reported in 2015, which means more than 100 sites are still vulnerable.

Security Roundup - 2016-12-16

End of the year is quickly approaching, and a number of groups are starting predictions for the new year, including:

Rapid 7 has an insightful (to me at least) article on Why Security Assessments are Often not a True Reflection of Reality, and how the scoping of security assessments can lead to a lot of caveats.

Check Point Labs put out their November Malware Most Wanted. Locky doesn’t quite top the list, but did manage to be the #1 malware family in 34 countries, while Conficker (still at the top) was only #1 in 28.

NakedSecurity has an end-of-year article on the number of records lost in breaches, totalling 2.14 BILLION records, up from 480m records last year. Unfortunately, these numbers were reported before Yahoo indicated another breach of 1 billion records, a separate incident from the one reported earlier this year.

Poor Yahoo: on top of all the bad news this year, they recently patched an XSS bug which would have allowed attackers to read a user’s email.

BleepingComputer rounds up the week in ransomware. Last week included: new variants, a botnet spreading ransomware that had a decryptor released in the summer (oops), a ransomware that will decrypt your files if you infect your friends (social!), and a new open source ransomware that has already spawned at least 3 variants in the wild.
