Security Roundup - 2016-05-18
With the new season of Mr. Robot on the way, fans are giving the site some additional security scrutiny. One user found an XSS vulnerability that would allow a malicious actor to harvest Facebook profile information, while another found a blind sql injection allowing access to a collected mailing list.
Who hacks the hackers? I am not sure, but hacker forum Nulled.io was hacked recently and their information dumped. On initial review, it appears that the software powering their site might have suffered from numerous vulnerabilities that were not addressed.
Cloudflare has an article on blind sql injection via User Agent parameter. In this case, the injection vector asks the database to sleep for a period of time. An attacker knows that the injection has worked if the web request returns after the period of time in which they have tried to make the database sleep. Once sql injection is confirmed, an attacker can use things like try to enumerate users passively or, if something like blogging software with a known DB structure, do a query to inject database values into a comments table for retrieval.
DarkReading has an interesting article on ‘10 Years Of Human Hacking’, further detailing how easy it is to get users to plug in malware laden USB drives. One story involves a marketing department taking a box worth of infected USB devices (part of a pen test) to a conference to use as giveaways.
IBM is teaching Watson to fight crime. Cybercrime, that is. Teaming up with a number of universities, the plan involves feeding security datapoints into Watson, so that Watson can learn, and start to detect patterns and emerging threats.
Biometrics followup. The FBI doesn’t feel that privacy laws should apply to their ever growing biometrics database. Meanwhile, some researchers from Binghamton University have designed a new biometric, brainwaves. Their technique involves the brain response to a series of images, which they currently feel is 100% accurate. As this biometric is influenced by external stimuli, it has the added advantage in that it can be changed. The downside? Currently needing at least 27 images (at one image per second), oh and having to wear a cap of electrodes in order to measure the response.
Those interested in learning more about ‘ransomware-as-a-service’ will probably be interested in Checkpoint’s great rundown of the Nuclear Exploit Kit. Nuclear allows anyone willing to pay to launch ‘malware campaigns’, complete with fancy dashboards and statistics.
Attackers continue to exploit point of sale terminals, starting with Wendy’s owning up to a major data breach targeting their POS system. Said breach ‘only’ impacted a secondary POS system at 5% of their North American restaurants, but had major impact to several credit unions who had previously reported fraud stemming from Wendy’s customers. Meanwhile, Fireye recently discovered an exploit for Windows based POS terminals, which they dub ‘Punchbuggy’, which would have allowed full access to the PoS system. Is it any surprise that the PCI Security Standards Council will be requiring better security measures for companies that accept payment information.