Security Roundup - 2016-09-02

RC4 being deprecated is old news, but researchers are set to demonstrate that 3DES and Blowfish have met their end as well, with a practical collision attack. OpenSSL seems poised to drop 3DES from default installs, and OpenVPN already plans a new version that warns against Blowfish.

Inversoft, a provider of moderation and DB SSO tools, recently released a guide to User Data Security. They set up a server using those guidelines, and challenged attackers to break in. Read one team’s chronicle of completing this challenge.

Anyone using Opera’s built-in password manager and sync service had all their passwords compromised this week.

Yet another historical breach has come to light, this time Dropbox password data from 2012. It looks like the data contains a mix of SHA-1 and bcrypt hashes. Dropbox is forcing password resets for a certain set of users, but it probably doesn’t hurt to change your own.

Troy Hunt does an in-depth exploration of what using Cloudflare to provide encrypted content means. Summary: if you are not encrypting between Cloudflare and your own servers, you are subject to MitM attacks anyway. Even then, having Cloudflare in the middle opens things up to potentially leaking information, or to having Cloudflare as an intercept point. You have to ask yourself, “What is my risk model?” He also suggests a few things Cloudflare could do to increase overall security while also offering some transparency.

Steganography AND C&C? The Endgame blog has an article on this specific combination using public image hosting. Included is a proof of concept using Instagram, called Instegogram.

I imagine a number of bad actors want to break into Facebook, and one researcher recently found an exploit in Facebook’s password reset functionality. It relied on the fact that reset tokens had a keyspace of 1 million entries, so being able to initiate enough password reset requests meant you could find out the token for a specific user.

Botnets leveraging IoT devices continue to trend, with BASHLITE being the latest version, having grown from 74 observed instances to 120,000 instances fairly rapidly. Interestingly, it doesn’t seem to be very sophisticated: payloads run through a list of things to try until something works, and there is no C&C rotation as such, relying instead on the ability to re-compromise if a move ever needs to occur.

Naked Security has an article not on what happens if a CA goes rogue, but on what happens if a CA has a sloppy bug and doesn’t clean up its mistakes rapidly.

Duo Security was performing some research on exposed Redis servers and noticed that a number of them shared the same SSH key. They learned that attackers able to send CONFIG directives can essentially overwrite keys on the server and gain complete SSH access, something Redis’s own developer pointed out almost a year ago. Duo went so far as to set up a honeypot and caught an attacker ‘faking’ ransomware by just deleting data and leaving a notice.
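The exposure Duo describes comes down to a handful of redis.conf settings. The audit script below is an added example, not Duo’s or the Redis project’s code; it parses a constructed weak config and a constructed hardened one (the requirepass value is a placeholder) and reports which of those settings are left open.

```python
"""Audit a redis.conf for the exposure behind the SSH-key overwrite above.
Added example, not Duo's or Redis's own code: it flags the combination that
lets any network client send CONFIG directives to the server."""

# Constructed sample: an internet-facing instance with defaults left in place.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
dir /root/.ssh
"""

# Constructed sample: the same instance hardened (password is a placeholder).
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass PLACEHOLDER-long-random-secret
rename-command CONFIG ""
dir /var/lib/redis
"""


def parse_conf(text):
    """Map each directive to the list of argument lists it appeared with."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(text):
    """Return findings for the config text; an empty list means nothing obvious."""
    conf = parse_conf(text)
    findings = []
    binds = conf.get("bind", [["0.0.0.0"]])[-1]  # no bind line: listens everywhere
    if any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bound to all interfaces")
    if conf.get("protected-mode", [["yes"]])[-1][0].lower() != "yes":
        findings.append("protected-mode disabled")
    if "requirepass" not in conf:
        findings.append("no requirepass: unauthenticated clients can send CONFIG")
    if "CONFIG" not in {r[0].upper() for r in conf.get("rename-command", []) if r}:
        findings.append("CONFIG still reachable under its default name")
    dirs = conf.get("dir", [])
    if dirs and dirs[-1] and ".ssh" in dirs[-1][0]:
        findings.append("dir points into an .ssh directory")
    return findings
```

Running `audit` on a live instance’s config (via `CONFIG GET` from a trusted host, or the file itself) gives a quick check before exposing Redis to any network.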

I stumbled upon this interesting article about usage of the target="_blank" attribute for links, where apparently misuse can open users up to phishing attacks due to the referring site being able to manipulate the opening window.
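The problem with target="_blank" is that, without rel="noopener", the page opened in the new tab receives a window.opener reference and can redirect the original tab. The linter below is an added example, not code from the linked article; it scans a constructed HTML snippet with Python’s standard html.parser and reports the anchors that lack the protection.

```python
"""Flag anchors that open a new tab without rel="noopener".

Added example, not code from the linked article. A target="_blank" link
without noopener gives the opened page a window.opener handle it can use
to navigate the original tab to a look-alike login page.
"""
from html.parser import HTMLParser

# Constructed sample page: two risky anchors, two safe ones.
SAMPLE_HTML = """
<a href="https://example.com/a" target="_blank">risky</a>
<a href="https://example.com/b" target="_blank" rel="noopener noreferrer">safe</a>
<a href="https://example.com/c" target="_BLANK" rel="nofollow">risky too</a>
<a href="https://example.com/d">same tab</a>
"""


class BlankTargetLinter(HTMLParser):
    """Collects hrefs of <a> tags with target=_blank and no opener protection."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = {name: (value or "") for name, value in attrs}
        if attrs.get("target", "").lower() != "_blank":
            return
        # noreferrer implies noopener in browsers, so either token is enough.
        rel = attrs.get("rel", "").lower().split()
        if "noopener" not in rel and "noreferrer" not in rel:
            self.findings.append(attrs.get("href", ""))


def find_unsafe_blank_links(html):
    """Return the hrefs flagged by the linter for the given HTML text."""
    linter = BlankTargetLinter()
    linter.feed(html)
    linter.close()
    return linter.findings
```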

As always, BleepingComputer has the best ransomware roundup. This week features six new ransomware families, including one that pretends to be a Windows Update screen.

Security Roundup - 2016-08-25

Like free beer? One developer found a “Loyalty Program” app, and realized the system was subject to replay attacks, such that one could (theoretically) cash in on loyalty perks without even making a purchase.

Last week’s news of NSA hacker tools has led to a few of these tools being evaluated. So far, it looks like Cisco PIX routers were exploitable, allowing VPN communications to be eavesdropped on, prompting Cisco to review their product line. Fortinet has also been auditing their code and has discovered at least one similar vulnerability. Juniper has been doing their own analysis to check their own products. Meanwhile, one security researcher has been auditing some of the code and finds some of it to be sloppy.

Apparently, researchers have used Facebook photos to hack face recognition systems. Thankfully it is a bit more complex than just showing a picture: determined researchers used Facebook photos to 3D print heads to fool the systems in question.

Security firm Praetorian has published a report on insights from 100 penetration tests. Essentially, in the majority of cases, they were able to compromise security due to weak passwords or poor password practices, rather than by relying on software vulnerabilities.

With great openness comes great malware. Wikileaks provides dumps of leaked information, and security researchers have discovered malware in these data caches. To be fair, since bad actors are probably also trying to exploit the companies in question, we should be more surprised if there were no malware in some of their email dumps.

With the DNC having been hacked, the possibility that at least part of the election process could be hacked should seem fairly real. In particular, a group of researchers continues to advocate against voting machines, regularly pointing out vulnerabilities in them as well as other points of attack in the electronic voting process.

Plenty of online bulletin boards have been compromised, many of which are using vBulletin. Troy Hunt picks apart how some of these sites are using old versions of software, and suggests that for some services it would be better to use managed hosting, as the host will probably update packages much more quickly than your organization would.

United Airlines has rolled out ‘security’ updates to their site, but Krebs feels these are security efforts circa 2009. Amazingly, ‘secret questions’ use a drop-down for all the answers, among other things.

NIST is working on a new draft of its password recommendations, and Sophos has a nice writeup. The recommended minimum length is 8 characters, systems should accept passwords of at least 64 characters, the emphasis is on password length rather than traditional complexity rules, and password hints should be dropped, as studies show they decrease security.

MalwareTech has an update on the Kelihos botnet, which had a sudden surge of new nodes. Based on their research, it looks like Kelihos is joining other groups in running ransomware spam campaigns.

As always, BleepingComputer has the best ransomware roundup. This week features Pokemon Go malware, new variants of TorrentLocker, the Shark Ransomware as a Service platform, and Cerber, which apparently earned $195K in July and continues to evolve to evade researchers.

Security Roundup - 2016-08-18

Researchers have discovered a vulnerability in RFC 5961. While the RFC was designed to prevent a number of attacks, the disclosed vulnerability opens up new forms of attack, where an attacker could disconnect traffic as well as inject content into unencrypted communications.

Blackhat 2016 videos are starting to trickle online, as is material from the 25th USENIX Security Symposium.

O’Reilly posts an interesting article on “Patrolling the dark net”, where they go over the deep web, the dark web, and monitoring for the worst-case scenario: your information being up for sale on the dark web.

For those companies that require absolute control of their encryption keys, Amazon and Google now allow you to provide your own keys for use on their services, rather than relying on third-party key generation.

Interested in banking malware? You might enjoy this article on Automatic Transfer Systems by MalwareTech.

Rapid 7 has some interesting articles this week, including a writeup of how small companies have a great opportunity to set up a security foundation while they are small, as this inevitably gets harder as the organization grows.

The creators of Mayhem, the bot that won Darpa’s Grand Slam challenge, did an AMA on Reddit!

Attackers use a variety of methods to exfiltrate data from their targets. PhishLabs has apparently seen a recent attempt that uses XMPP to push data out.

Troy Hunt has another article on security (or lack thereof). This time it features account enumeration and some examples where sites leak far too much information due to enumeration techniques.

Checkpoint has released their latest Malware Top 10. Conficker still reigns supreme, but most of the other spots are in flux. They also have a nice exposé on ransomware as a service, starring Cerber.

DDoSes frequently use DNS ANY queries to perform reflection attacks against victims. Savvy attackers are turning to DNSSEC-enabled servers, as their signed responses can be up to 30x larger, thus increasing the impact of reflection just by choosing the right target. Just like any service exposed to the internet, failing to properly secure DNSSEC makes it potentially exploitable. Cloudflare has been actively trying to deprecate the ANY query for DNS in general, to minimize the extent to which DNS can be exploited for reflection.
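As an added example (not code from the article), the detection logic below groups a constructed DNS query log (the line format is invented here) by client address and flags clients that keep receiving large ANY responses, which is the traffic pattern a DNSSEC-signed zone produces when it is being used as a reflector against that address.

```python
"""Spot likely DNS reflection abuse in a constructed query log.

Added example, not from the article above. Each constructed line carries the
client (the spoofed victim) address, query name, type, the DO bit, and the
request and response sizes; clients receiving many large ANY responses are
reported with their average amplification ratio.
"""
from collections import defaultdict

# Constructed sample log (format invented for this example).
SAMPLE_LOG = """\
2016-08-18T10:00:01Z 203.0.113.7 example.org ANY DO=1 req=45 resp=3280
2016-08-18T10:00:01Z 203.0.113.7 example.org ANY DO=1 req=45 resp=3280
2016-08-18T10:00:02Z 203.0.113.7 example.org ANY DO=1 req=45 resp=3280
2016-08-18T10:00:02Z 203.0.113.7 example.org ANY DO=1 req=45 resp=3280
2016-08-18T10:00:03Z 198.51.100.2 www.example.org A DO=0 req=46 resp=62
2016-08-18T10:00:04Z 198.51.100.2 example.org MX DO=1 req=45 resp=410
2016-08-18T10:00:05Z 192.0.2.9 example.org ANY DO=0 req=45 resp=1100
"""


def parse_line(line):
    """Return a dict for one constructed log line."""
    _ts, client, qname, qtype, do, req, resp = line.split()
    return {"client": client, "qname": qname, "qtype": qtype,
            "do": do == "DO=1",
            "req": int(req.split("=")[1]), "resp": int(resp.split("=")[1])}


def find_reflection_candidates(log, min_any=3, min_ratio=20.0):
    """Map client -> mean amplification for clients with at least min_any ANY
    responses whose mean response/request size ratio is at least min_ratio."""
    ratios = defaultdict(list)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec["qtype"] == "ANY":
            ratios[rec["client"]].append(rec["resp"] / rec["req"])
    return {client: round(sum(r) / len(r), 1)
            for client, r in ratios.items()
            if len(r) >= min_any and sum(r) / len(r) >= min_ratio}
```

On a real authoritative server the same signal is what response rate limiting (RRL) acts on; the flagged clients here are victims, not attackers, since the source address is spoofed.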

Open-source GPG libraries have had a vulnerability discovered in their random number generator, allowing an attacker who obtains enough of its output to predict what comes next.

Security Roundup - 2016-08-11

Several major security conferences wrapped up in the last week, prompting many interesting articles.

This year’s Pwnie Awards added a few new awards, including ‘Best Cryptographic Attack’ (awarded to DROWN) and ‘Best Backdoor’ (awarded to Juniper).

The Cyber Grand Slam was won by ‘Mayhem’, built by ForAllSecure.

Imperva has discovered a number of vulnerabilities in HTTP/2 implementations, some of which are similar to vulnerabilities that existed in HTTP/1.x.

Checkpoint announced Quadrooter, a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Many popular Android devices use this chipset, and the exploits allow malicious apps to escalate privileges and gain root access to the device.

In another SSL vulnerability with a catchy name, HEIST makes other attacks like BREACH and CRIME easier because it uses malicious JavaScript to measure the size of HTTPS responses, removing the need to perform a MitM attack.

Two large companies launched bug bounty programs this week. The first is Kaspersky Lab, who wants everyone to report as many bugs as possible. The second is Apple, who continues their efforts to embrace the security community; their payouts of up to $200K make it one of the largest-paying programs available. Despite that, these programs still pale in comparison to the zero-day bounties that black hat groups currently advertise, including $500K for iOS 9.3+ exploits.

Who has their hands in the (session) cookie jar? Two academic researchers set out to find out, simply by listening to traffic on wifi networks. Using simple traffic sniffing tools, they were able to discover large amounts of data including usernames, email addresses, and occasionally even address information.

A security researcher has written a tool called ‘OnionScan’, which is used to find vulnerabilities and data leaks in TOR hidden services. Their goal is to help increase anonymity on TOR by helping operators further secure their sites.

Security researchers have discovered a very persistent malware platform dubbed ProjectSauron. While found on a number of targets, the fingerprints for every version are unique enough that no overall patterns have emerged. Due to the overall sophistication, it is currently believed to be at least funded by a nation state. Given that it had gone undetected for 5 years, what level of sophistication is possible today?

Rapid7 has apparently discovered a timing attack on chip-and-PIN cards, where an attacker can make small changes to PoS terminals to clone cards and then use them with a recorded PIN for a small window of time. While the window is in the range of minutes, this potentially still allows for some quick withdrawals.

Have you thought about the fact that your monitor contains a computer, and that it is insecure? One security researcher did, and figured out a method to exploit it. Who monitors your monitor? Somewhat similarly, researchers have demonstrated a way to hijack a phone’s ability to output HDMI in order to tap in and record screen content over USB. They set up some fake charging stations at DefCon to demonstrate.

Industrial automakers use common communication standards across a variety of vehicles (including transport trucks and buses). University of Michigan researchers have done an audit and found it is easy to take control of most of these vehicles’ systems. While they relied on physical access, there is no reason to believe a wireless attack wouldn’t be possible in the future. In other news, Charlie Miller and Chris Valasek, who have been pioneers in automotive hacking, have delivered their final DefCon talk on the subject. Their latest research involved tricking systems into diagnostics mode in order to bypass some protections.

You would think digital locks would be locked down, but security researchers found that is far from the case after analyzing 16 smart locks. They were able to unlock 75% of them, using techniques ranging from finding passwords passed in plaintext to replay attacks to sending bad data to trigger an error state.

Following up on SMS again, it looks like a number of Telegram accounts have been compromised due to a weakness in using SMS to activate new devices.

As always, BleepingComputer has the best ransomware roundup. This week includes a number of ‘educational’ ransomware variants, and many new variants in general.

Security Roundup - 2016-08-03

Motherboard editor Kate Lunau recently went to a Toronto Hackerspace and learned how to pick locks. She gives an interesting analogy between physical security and digital security. We lock our doors every day, but how secure are they really? We use various websites and share our information every day, but how safe are they really? Pentesters test for digital security similar to how lock pickers have been testing locks for ages, and lock disclosure is a thing too.

Don’t forget to secure your development environment! One hacker details how he infiltrated Imgur’s dev environment and managed to find production credentials that could be utilized to escalate access.

As a follow-up to last week’s LastPass exploits, it turns out that there were actually two. The first allowed a user to use JavaScript to extract passwords. The second is a bit more sophisticated and requires a user to be lured to a malicious site, but once that happens, an attacker could execute a number of actions on the user’s behalf. LastPass has already addressed both and asks users to upgrade accordingly.

One user has a new solution to the Internet of Things access problem. Rather than allowing access in the clear over the internet, or routing through a third party, what if you hid your things behind TOR? By using TOR’s hidden services as the access point for remote management, the software in question is able to avoid a host of problems, such as automatic enumeration by services like shodan.io. While perhaps not for the average person (yet), just wrap a fancy app around it and who knows?

Motherboard is running a video series called ‘Can I Hack It?’. The latest video is titled ‘How Hackers Could Wirelessly Bug Your Office’, where some white hat hackers demonstrate how they can update devices remotely in order to exfiltrate data unexpectedly.

The 11th HOPE Conference ran from July 22nd to July 24th. There were a lot of great talks, which are now available online. Some suggested viewing:

Last week, NIST suggested two-factor authentication over SMS be deprecated. DUO is on board with this change, but the U.S. Social Security Administration just rolled out two-factor auth over SMS.

Cisco has released their Midyear Cybersecurity Report. A few key takeaways:

  • Ransomware is going to continue to expand. Cisco predicts that attackers will write more sophisticated ransomware that will spread across an organization and then start encrypting in parallel, maximizing the damage.
  • As the number of system vulnerabilities disclosed has grown in the last year, so has the importance of a proper patching cadence. The longer a company leaves vulnerabilities exposed, the more time attackers have to use them to gain a foothold. Using their own devices as an example, they analyzed 115,000 devices and found 23% of them had vulnerabilities 5 years or older, with 92% of the devices having some known vulnerability.
  • Many attack types (ransomware, malicious ads, botnets) are increasingly using encryption, from communicating through TLS to using TOR to obfuscate network communications.

As always, BleepingComputer has the best ransomware roundup. This week includes the NoMoreRansomware initiative going public, new ransomware, more decryption tools, and Mischa and Petya becoming Ransomware as a Service.
