Security Roundup - 2017-12-01

DDoS Attacks get more sophisticated. Cloudflare has an interesting blog post about a decrease in network level DDoS attacks. Instead, they are seeing an increase in application layer attacks, trying to force servers to do expensive actions repeatedly to knock them offline, rather than overwhelming them with raw traffic. Cloudflare discusses the options of caching and rate limiting as methodologies by which to mitigate some of this attack vector.
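As an added illustration of the rate-limiting defence Cloudflare describes (example code written for this roundup, not Cloudflare's), here is a per-client token bucket that charges each request by how expensive its endpoint is, so a client repeating a costly action exhausts its allowance long before raw request volume would trip a plain counter. The cost table and the two-client scenario are constructed assumptions.

```python
import time

# Constructed cost table: tokens charged per request by route. Cheap, cacheable
# reads cost 1; routes that burn CPU or hit the database cost far more.
ENDPOINT_COST = {"/static": 1, "/search": 10, "/export": 25}
DEFAULT_COST = 5


class CostAwareLimiter:
    """Per-client token bucket where each request is priced by its endpoint."""

    def __init__(self, capacity=50.0, refill_per_s=5.0, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_s = refill_per_s
        self.clock = clock  # injectable so the scenario below is deterministic
        self._buckets = {}  # client -> [tokens, last_refill_time]

    def allow(self, client: str, path: str) -> bool:
        now = self.clock()
        b = self._buckets.setdefault(client, [self.capacity, now])
        # Refill in proportion to elapsed time, capped at the bucket size.
        b[0] = min(self.capacity, b[0] + (now - b[1]) * self.refill_per_s)
        b[1] = now
        cost = ENDPOINT_COST.get(path, DEFAULT_COST)
        if b[0] < cost:
            return False  # caller answers 429 and logs the client
        b[0] -= cost
        return True


class FakeClock:
    """Manual clock: call it for the time, advance() to move it forward."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, s): self.t += s


def run_scenario() -> tuple:
    """Two clients: one spamming cheap reads, one hammering the export route."""
    clock = FakeClock()
    lim = CostAwareLimiter(capacity=50, refill_per_s=5.0, clock=clock)
    cheap_ok = all(lim.allow("reader", "/static") for _ in range(50))
    cheap_51 = lim.allow("reader", "/static")  # 50-token budget is spent
    exp_1, exp_2 = lim.allow("x", "/export"), lim.allow("x", "/export")
    exp_3 = lim.allow("x", "/export")  # two exports already cost 50 tokens
    clock.advance(5)  # 5 s * 5 tokens/s = 25 tokens back, enough for one more
    exp_4 = lim.allow("x", "/export")
    return cheap_ok, cheap_51, exp_1, exp_2, exp_3, exp_4
```

Pairing this with caching of the expensive responses, as the post suggests, means a repeated request never reaches the costly code path at all.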

Google In a Tizi over spyware. Google has found another set of spyware apps in their app store. The backdoor, which they named Tizi, has apparently been around since 2015 but only infected 1300 devices. They provide a transparent post about how they identified it and what steps were taken to mitigate this malicious app.

Malware Goes Encrypted. Researchers following the Terror Exploit Kit report that it has started encrypting all traffic, leveraging free certificates. This is an attempt to hide its random URLs: only IPs will be visible to monitoring software.

Two Unfortunate Breaches. Two breaches this week with different reaction profiles. The first was Uber, who was hacked last year, had 57 million driver and rider accounts stolen, and then proceeded to pay off the hackers and not disclose the breach. This may have violated several laws, both for not disclosing and for destruction of the data. On the other side, Imgur notified users of a breach impacting 1.7 million users. Despite being notified over the Thanksgiving weekend, Imgur managed to review the data, reset user accounts, and publicly disclose in 25 hours and 10 minutes.

Expensify leaks sensitive information. In terms of leaking sensitive information, Expensify collected a lot of flak this week when it was made apparent that they were outsourcing transcription of receipts to Amazon’s Mechanical Turk. In some cases, this included full names and addresses of individuals.

Mirai makes waves again. An exploit for another modem resulted in a brief resurgence in Mirai activity, as attackers quickly moved to leverage the exploit, taking over up to 100K devices in under 60 hours. The particular variant has currently been stopped, but the modem in question still remains vulnerable.

Firefox to team up with HaveIBeenPwned. Firefox has announced their intent to integrate HaveIBeenPwned warnings into the browser. This means that when users visit a site that is part of a breach of user data they will receive notifications right in the browser, rather than have to sign up for a service, or be aware of news.

Deep Dive into MuddyWater APT. And for those that love deep dives into malware, Reaqta provides an in-depth look into MuddyWater, an APT that was targeted at individuals in the Middle East.

Security Roundup - 2017-11-24

LavaRand - Leveraging Real World Randomness. Did you know that CloudFlare harvests randomness from lava lamps as an entropy source? Using a real world source of entropy, they augment the pseudo-random pool on their servers with actual randomness. They’ve recently posted this article on their motivations behind going through the trouble to set this up.

Fake Symantec Blog Spreading Malware. A fake security blog attempting to look like the Symantec blog has been discovered by researchers. The site has been taken down, but it contained a post attempting to entice readers to download a ‘security tool’, which is actually a variant of the Proton credential stealer.

Vulnerability Equities Process Transparency. The White House has announced additional transparency around the factors that play into whether or not government agencies notify vendors about discovered vulnerabilities. Mozilla feels it is a step in the right direction, but several security researchers are skeptical of the announcement. Notably, Bruce Schneier suggests this is just additional window dressing and time will tell, Adam Shostack points out the large list of threats [which are not considered factors in the VEP](https://adam.shostack.org/blog/2017/11/vulnerabilities-equities-process-and-threat-modeling/), and Sophos Security points out that this year we have seen plenty of non-disclosed vulnerabilities stolen and weaponized.

Session Recording Tools Scoop Up Excessive Data. Use a service that records what users are doing on your site (for analytics and usage review)? It may be scooping up much more information than expected: many of these tools record all keystrokes and mouse clicks, including input that users may not actually intend to send to the site, and in some cases researchers observed these scripts scooping up passwords, credit card numbers, and PII.

New OWASP Top 10. The Open Web Application Security Project (OWASP) has released a new version of their Top 10 vulnerabilities this year. Unsurprisingly, Injection is still listed as the #1 risk for web applications. However, there are 3 new entries. The first is XML External Entities (XXE) attacks, where XML parsers (in APIs or otherwise) can potentially process instructions and load external content, allowing for DoS attacks or remote code execution. The second is Insecure Deserialization, which honestly feels very similar to injection and XXE, but targeted at object de/serialization. In this scenario, attackers can target deserialization of complex objects to try and invoke remote code execution. Finally, we have Insufficient Monitoring and Logging, where not knowing what is going on greatly decreases the reaction time of defenders and increases the likelihood of successful exploitation by attackers.
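To make the XXE entry concrete, here is an added example (not from the OWASP document or the original post) of the standard mitigation: refusing any DOCTYPE before the parser can act on entity declarations, which shuts out external entities and entity-expansion DoS in one check. It uses Python's standard-library expat bindings; the sample documents are constructed.

```python
import xml.parsers.expat

# Constructed sample documents (not from the original post).
BENIGN_XML = b'<?xml version="1.0"?><order><id>42</id><qty>3</qty></order>'
DTD_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///tmp/constructed.txt">]>'
           b'<order><id>&ext;</id><qty>3</qty></order>')


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD, the vehicle for XXE."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse a flat <order> document into {child: text}; any DOCTYPE is refused."""
    parser = xml.parsers.expat.ParserCreate()
    fields, depth, buf = {}, [0], []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Refusing the DTD blocks XXE and entity-expansion bombs alike.
        raise UnsafeXML("DOCTYPE declaration not allowed in untrusted input")

    def external_entity(context, base, sysid, pubid):
        return 0  # belt and braces: a false return makes expat abort the parse

    def start(name, attrs):
        depth[0] += 1
        buf.clear()

    def end(name):
        if depth[0] == 2:  # direct child of the root element
            fields[name] = "".join(buf)
        depth[0] -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = buf.append
    parser.Parse(data, True)
    return fields


def rejects_dtd(data: bytes) -> bool:
    """True if the hardened parser refuses the document because of a DTD."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False
```

An UnsafeXML rejection is worth logging with the source of the request, which also serves the Top 10's new logging and monitoring entry.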

Leveraging Multiple Vulnerabilities To Achieve Exploitation. Now that you have familiarized yourself with the new OWASP top 10, read this article on how they leveraged a number of these to chain their way to remote code execution.

Github starts highlighting out of date software. Github has taken a major step forward in security by helping people know when they are using software packages that are out of date (‘Using Components with Known Vulnerabilities’ is #9 on the OWASP Top 10). They’ve started with Ruby and JavaScript, which covers 75% of projects with detectable dependencies today.

Misconfigured API access allows for data harvesting. Security researchers have discovered that many developers using the Twilio messaging API have hard-coded credentials in their apps, effectively making it possible for other apps to collect Twilio metadata without a user noticing. At time of writing, this could impact more than 600 apps for both Android and iOS. This extends to other APIs as well, such as Amazon’s S3 access.

Security Roundup - 2017-11-10

Digitally Signed Malware Surprisingly Common. Code signing is a method where a legitimate certificate is used to sign an application such that operating systems will trust it. However, in some cases we have seen malicious packages that are correctly signed. Originally tied to nation state attacks and criminal enterprises, researchers have shown that this has actually happened more often than expected, having discovered 189 instances going back to 2003. 109 of the digital certificates used to sign these malicious apps are still valid. Some of these appear to have previously signed benign software, meaning that an organization may have lost control of their private keys. Related researchers have also published results on broken trust in digital signing and antivirus. The most shocking is that something signed (even if using an expired key, or if the signature doesn’t match) will cause a number of antivirus programs to mark the files as benign, abusing trust. But perhaps more interesting is the ability to hijack signatures, which one researcher has demonstrated.

Mobile Pwn2Own Competition Results. Pwn2Own is a yearly competition in which hackers compete to discover zero days in browsers. Last year it expanded into Virtual Machines, and this year it has its own competition for Mobile Devices. A large number of bugs were discovered for devices including the Samsung Galaxy S8 and the iPhone 7, all of which have been privately disclosed to the manufacturers to create patches. You can read up on details for day one and day two.

Spam And Phishing Q3 Report. Want to stay on top of the latest spam and phishing techniques? Kaspersky has released their Q3 observations. Highlights are messages trying to coerce people into cryptocurrency get rich quick schemes and free stuff (from flights to phones).

Account Takeovers. Google has released research into the root cause of account takeovers. While not particularly surprising that a fair portion of it is due to credential reuse (use unique passwords everywhere!), a fair amount is gathered via phishing and keyloggers. Phishing attacks appear to increasingly try to collect other information, to help circumvent other protections.

Companies Actively Trying To Work Around Browser Security Warnings. What’s worse than a company not securing a form over HTTPS? Actively working around browser protections to try to pretend things are all right. Check out this… interesting story of the amount of effort one company put into evading browser checks rather than just integrating HTTPS.

Size Matters Not. At least in terms of your risk of being exploited. Regardless of what your website actually does, it is valuable to an attacker in terms of resources. Even if you don’t have anything to directly steal, an attacker can leverage your infrastructure to run phishing attacks, malvertisements, or spam with less risk to themselves (and more risk to you!).

DarkVNC Deep Dive. And for those that like deep dives, check out this article going over an exploit to infect someone with ‘DarkVNC’, a malicious VNC client so attackers can view and control a machine remotely.

Security Roundup - 2017-11-03

CyberSecurity Month Wraps Up. And WeLiveSecurity has finished up their expanded coverage of Twitter conversations. You can check out Part 3, wherein they cover “CyberAwareness” and Part 4 where they talk about the Internet of Things.

Hardware Hacking. Speaking of the Internet of Things, this week brings us an interesting article from a pentester, going over his view on hardware hacking. It covers a number of attack vectors we have seen over the last year (and no surprise that outdated software is #1 on the list), but also covers more interesting material for those that have physical access.

Terrifying USB Find. I know this week was Halloween, but this news about a USB drive containing plaintext files on Heathrow Airport’s security was downright terrifying. Items included, but are not necessarily limited to, details about security badges, patrol routes, and even travel routes for the Queen and other traveling dignitaries.

Google’s Recaptcha Broken. Google’s system to try and distinguish people from robots has been broken again. This time, researchers have leveraged the improvements in speech to text engines to solve ~85% of captchas in ~5.4 seconds on average.

“Smart” Locks. Amazon has recently announced a locking system that would allow people to deliver things straight into your home. This is a risky proposition, and MalwareBytes gives some good reasons why, including security vulnerabilities and accidentally getting locked out of your own home.

Chrome to remove Public Key Pinning. Chrome developers have signaled their intention to remove Public Key Pinning (PKP) support from the browser in 2018. PKP was intended to be a method by which an organization can specify which HTTPS certificates are used to serve the site. However, in practice it has been difficult to roll out, with a misconfiguration making it possible to have an outage until the specified timeout. Google now advocates the use of certificate transparency, which they have made mandatory, to detect mis-issuance of certificates and protect users from it.

Dell Loses Control of Update Domain. Earlier this month, we learned that Dell lost control of a domain designed to help customers recover from malware. Ironic in that it was taken over by malware devs and likely used to serve the same exploits it was meant to help customers deal with.

More Malicious Chrome Extensions. The latest appears to be spread by phishing attacks, and is used to harvest any data posted to forms, like usernames, passwords and people’s Facebook updates.

Malware Analysis Via API Calls. MalwareBytes has seen more obfuscation of malware, making static analysis harder for analysts. Rather than trying to reverse engineer the outer layer, they go into a technique of using dynamic analysis of system API calls to see what the malware is doing.

Security Roundup - 2017-10-27

China outpaces USA in terms of Vulnerability Disclosure. When vulnerabilities are disclosed, it looks like China rounds up details faster than the USA, especially in terms of uncoordinated releases, where the China National Vulnerability Database has details almost 5.5X faster than the US National Vulnerability Database. The difference? NIST does analysis and aggregation of publicly available and/or voluntarily submitted information, vs CNNVD’s more proactive stance of monitoring various outlets and producing details as quickly as possible for companies to make educated decisions.

Duhk, Duhk, Goose. Another named vulnerability has made the rounds with the existence of DUHK (Don’t Use Hard-coded Keys). DUHK is made possible by the usage of hard-coded (hence the name) encryption keys in a number of security devices, including a number of VPNs. However, the firmware for these devices is usually available for download, allowing attackers to extract the keys and then compute shared secrets and decrypt what should be encrypted traffic.

Google Likes To Play…. Dangerously. Google has been dealing with a number of Play store app issues over the last year. While they have taken a number of steps to deal with malicious apps, they have also just invited further scrutiny, this time by starting a bug bounty program specifically for certain apps in the app store. Interested Android app developers are eligible to opt in to this program, to further advance Google’s goal of increased Android app security.

HaveIBeenPwned API Hackathon. Troy Hunt of HaveIBeenPwned has challenged people to build something interesting with his APIs. Check out the comments for some interesting things that have already been completed!

Massive PII Data leak from South Africa. Troy also disclosed a large leaked dataset containing PII information. His article details the various things he did (and help he received) in identifying the likely source of data (South Africa), as well as details on how bad it is (PII and records for children and teens).

CERT Guide To Vulnerability Disclosure. CERT has released a massive 121 page guide on coordinated vulnerability disclosure. Thankfully, Hacker provides a summary. The summary of the summary is that the document goes over how to ensure that the least amount of harm is done to the public, while minimizing the amount of harm attackers can cause. Ultimately, it is beneficial for vendors to run responsible disclosure programs, to ensure that researchers can report findings to the appropriate channels, confident that there will be a response, allowing vendors to quickly resolve issues rather than researchers feeling they should create a media sensation to drive fixes.

Bad Rabbit. The ransomware making big headlines this week was Bad Rabbit. Using a fake flash update to get itself on victim computers, Bad Rabbit uses the EternalRomance vulnerability to try to spread laterally in a network, as well as using a set of hardcoded credentials to try to brute force SMB filesystems.

IoT Botnets still threatening. Check Point provides details on a new IoT botnet they have been tracking, believing millions of bots may have been recruited, providing plenty of DDoS capability. Further news seems to indicate that individuals with access to this botnet may be gearing up to weaponize it.
