Security Roundup - 2016-02-24

Sara “Scout” Sinclair Brody, a former product manager at Google and Executive Director of the new Simply Secure organization, has an interesting article on how security software should be more usable for the average person.

Fraud! Ever been curious about how banks figure out whether activity is fraudulent? Art forgery is fairly prevalent, and one scientist has come up with a method of ‘synthetic DNA authentication’ where they hide unique one-time codes in DNA.

Thanks to my co-worker Marcello for pointing out the severity of CVE-2015-7547. Dan Kaminsky has a detailed explanation of why it is bad to have a bug like this in such a low-level library, as so much that uses DNS is built on top of it.

Linux Mint’s server was hacked this week, resulting in their distribution being backdoored before the maintainers shut things down. The hacker responsible apparently did an interview, indicating they were hoping to build a botnet.

As a consumer of threat intelligence, I find Netflix’s FIDO Automatic Security Incident Response system super interesting.

Comodo, the ‘leading Internet Security Provider’, has not only been found to have disabled some security protections in their custom browser, but more recently has also been found to bundle a VNC server with a discoverable password.

There is a new ransomware package on the loose named Locky. Here is a detailed breakdown of the phishing, social engineering, and technical steps that it takes to take over your system.

Security Roundup - 2016-02-17

Hackers are adapting to address-related fraud checks by going after rewards programs: hack an account, buy lots of stuff and send it to the account holder, drain their rewards and convert them to items in store.

Bruce Schneier has an updated Encryption Products Survey, a follow-up to a similar survey done in 1999.

Given a recent news item about the lack of security in hospital devices, is it really any surprise that a Hollywood hospital is currently the victim of a ransomware attack? At the time of the article, the hospital had had its computer systems shut down for a week, and had to transfer some patients to other locations. Somewhat related, Check Point has a nice writeup on the ecosystem of healthcare security.

Microsoft has been using a third party to manage their mobile careers site, and it turns out it was misconfigured and leaked user information.

For those who love CVEs or visualizations of statistical data, here is something that covers both.

Hackers have leaked 17.8 GB of data from the Turkish national police database. According to the article, the culprit had access to systems for ~2 years.

Security Roundup - 2016-02-10

The Underhanded C Contest has posted results of the 2015 competition. 1/3 of entries apparently used a concept called NaN poisoning in their solutions. Full details and write-ups of some clever solutions are included.

The Federal Government seems prepared to fund a dedicated CISO role.

Backchannel is hosting a virtual security round table. Security officers from Dropbox, Box, Twitter, Google and more are answering questions on the future of security.

Why bother with skimmer plates when you can just MitM the unsecured ATM communications? I am never using a free-standing ATM again.

Kaspersky’s Security Analyst Summit is currently ongoing, meaning there should be another round of security-related videos in the near future.

The group behind the Neutrino Exploit Kit are upping the game slightly by performing passive OS fingerprinting to try to prevent security researchers from collecting samples.

WordPress is apparently becoming a popular vector to deliver ransomware to unsuspecting users.

Security Roundup - 2016-02-05

Security breach causes woes for TalkTalk, as 95K subscribers tied to last year’s attack have cancelled their service.

Robin Hood hacking continues, as part of the Dridex network has apparently been hacked to serve up anti-malware. On the flip side, Malwarebytes has announced a vulnerability in their Anti-malware server such that an attacker could insert arbitrary code on client machines.

More network security hardware news as arbitrary upload and path traversal problems have been discovered in Netgear’s Prosafe system.

Archive.org has opened up their Malware Museum, a collection of output of malware from the 80s and 90s.

ShmooCon recently wrapped up, and presentation videos are now available.

The Magento e-commerce platform has become a major target for hackers. Common attacks attempt to harvest credit card numbers, as Magento checkout isn’t PCI compliant by default.

Security Roundup - 2016-01-27

More hardware security issues, like this IoT doorbell that can provide wireless network details by unscrewing the faceplate, pressing a reset button, and then connecting to it. Princeton researchers have found a bunch of issues with a variety of devices. And then there are these stories of people taunting babies through hacked baby monitors. AMX also recently released an update to some of their videoconferencing products to remove a backdoor. Shodan.io has enough scan data that they are essentially a search engine for open IoT devices.

It is one thing for a user to be using a password from the worst passwords list, or to have a hard-coded password in your software, but Lenovo managed to combine the two in one of their products.

Hot on the heels of Let’s Encrypt, Amazon adds AWS Certificate Manager for free SSL certs for your AWS apps.

Security researchers are worried that GCHQ’s MIKEY-SAKKE system for telecommunications is basically key escrow and would allow the government to decrypt all communications.

One Amazon user goes into detail about the ultimate system backdoor, customer support.

Cybersecurity startup growth in Israel is very big. Interestingly, Israel’s Electric Authority is apparently subject to between 4 and 20 ‘cyber events’ per month.

Cool visualization of Tor traffic flowing across the world.

ShmooCon was earlier this month, and one of the interesting topics was using GPUs and FPGAs to better identify malware.
