Security Roundup - 2017-11-24


LavaRand - Leveraging Real World Randomness. Did you know that CloudFlare harvests randomness from lava lamps as an entropy source? Using a real-world source of entropy, they augment the pseudo-random pool on their servers with physical randomness. They’ve recently posted this article on their motivations for going to the trouble of setting this up.

Fake Symantec Blog Spreading Malware. A fake security blog designed to look like the Symantec blog has been discovered by researchers. The site has been taken down, but it contained a post that tried to entice readers into downloading a ‘security tool’, which is actually a variant of the Proton credential stealer.

Vulnerability Equities Process Transparency. The White House has announced additional transparency around the factors that play into whether or not government agencies notify vendors about discovered vulnerabilities. Mozilla feels it is a step in the right direction, but several security researchers are skeptical of the announcement. Notably, Bruce Schneier suggests this is just additional window dressing (and time will tell), Adam Shostack points out the large list of threats [which are not considered factors in the VEP], and Sophos Security points out that this year we have seen plenty of undisclosed vulnerabilities stolen and weaponized.

Session Recording Tools Scoop Up Excessive Data. Use a service that records what users are doing on your site (for analytics and usage review)? It may be scooping up much more information than expected. Many of these services record all keystrokes and mouse clicks, including data that users may not actually intend to send to the site, and in some cases researchers observed these scripts capturing passwords, credit card numbers, and PII.

New OWASP Top 10. The Open Web Application Security Project (OWASP) has released a new version of their top 10 vulnerabilities this year. Unsurprisingly, Injection is still listed as the #1 risk for web applications. However, we have 3 new entries. The first is XML External Entities (XXE), where XML documents fed to a parser (in APIs, or otherwise) can contain instructions that make the parser load external content, allowing for DoS attacks or remote code execution. The second is Insecure Deserialization, which honestly feels very similar to injection and XXE, but targeted at object de/serialization. In this scenario, attackers target the deserialization of complex objects to try to invoke remote code execution. Finally, we have Insufficient Logging and Monitoring, where not knowing what is going on greatly increases the reaction time of defenders and increases the likelihood of successful exploitation by attackers.
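The XXE entry above hinges on the parser honouring a DOCTYPE that declares external entities. The defensive pattern is to reject any DTD in untrusted input before entity declarations are processed, which also shuts the door on entity-expansion DoS; the following is an added example (not code from the roundup or from OWASP) using Python's expat bindings, with constructed sample documents:

```python
"""Parse untrusted XML while refusing DTDs, the vector behind XXE."""
import xml.parsers.expat


class DtdForbidden(ValueError):
    """Raised when untrusted XML carries a <!DOCTYPE ...> declaration."""


def parse_elements(data: bytes) -> list:
    """Return the element names seen in `data`, or raise DtdForbidden.

    Expat reports the DOCTYPE before it reads the internal subset, so the
    handler fires before any <!ENTITY ... SYSTEM "..."> declaration is
    seen and no external resource is ever requested.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised inside expat handlers stop the parse and
        # propagate out of parser.Parse().
        raise DtdForbidden(f"DOCTYPE '{name}' not allowed in untrusted input")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def is_safe_xml(data: bytes) -> bool:
    """True if the document parses cleanly without a DTD."""
    try:
        parse_elements(data)
        return True
    except (DtdForbidden, xml.parsers.expat.ExpatError):
        return False


# Constructed sample inputs; the SYSTEM URI is a placeholder, not a real path.
BENIGN = b'<order><item sku="A1"/><item sku="B2"/></order>'
XXE_STYLE = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
             b'<order>&ext;</order>')

if __name__ == "__main__":
    print(parse_elements(BENIGN))   # ['order', 'item', 'item']
    print(is_safe_xml(XXE_STYLE))   # False
```

Libraries such as defusedxml apply the same DTD-rejection rule across the standard-library parsers, so in production prefer them over hand-rolled handlers.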

Leveraging Multiple Vulnerabilities To Achieve Exploitation. Now that you have familiarized yourself with the new OWASP Top 10, read this article on how the authors chained a number of these together to reach remote code execution.

Github starts highlighting out-of-date software. Github has taken a major step forward in security by helping people know when they are using software packages that are out of date (‘Using Components with Known Vulnerabilities’ is #9 on the OWASP Top 10). They’ve started with Ruby and JavaScript, which covers 75% of projects with detectable dependencies today.

Misconfigured API access allows for data harvesting. Security researchers have discovered that many developers using the Twilio messaging API have hard-coded credentials in their apps, effectively making it possible for other apps to collect Twilio metadata without a user noticing. At time of writing, this could impact more than 600 apps for both Android and iOS. The same problem extends to other APIs as well, such as Amazon’s S3 access.


Security Roundup - 2017-11-17


Face ID Defeated? On the heels of the conjecture in the latest SecurityScorecard podcast comes the claim that Face ID has already been defeated. The technique to defeat Face ID involved a 3D print of a face, overlaid with 2D printed features.

Social login attacks. Social logins, like signing in via Facebook, are everywhere, and now attackers are trying to leverage them for their own gain. Abusing browser extensions (again), an attacker can run code that waits for you to log into a social account, then uses that session to create accounts on other services. They can then use those accounts as they see fit, including for some forms of fraud, or to spread their malware even further. InfoSecurity covers this in more detail and gives some tips on how to combat this type of attack.

Inside The Mind of a Bug Bounty Hunter. Bugcrowd has released their annual “Inside the Mind of a Hacker” report. This year’s indicates that 71% of their bug bounty hunters are between the ages of 18 and 29, and primarily driven by the challenge. The US took the top spot for total number of researchers from India, which is number two this year.

Your Website is ALWAYS a Target. Think that your website isn’t really a target because you don’t collect user information? Think again! This week brings us two stories: one by Troy Hunt, going over how attackers can breach your system and use your domain’s reputation to reduce the likelihood of their malicious activity being shut down, and one by MalwareTech, where malware authors exploit the same concept of reputation to host proxy servers that hide their actual C2 machines.

Pop-Unders Make Their Way To Mobile (Apps). Pop-unders, where a malicious ad redirects you to another site to coerce you into downloading some malicious app, are a technique that has been around for a number of years. The same concept has now made its way to mobile apps, with one app acting as a downloader for a malicious app and prompting the user to install it, bypassing a set of protections in app stores.

The operating system for your operating system. News broke this week that some Intel chipsets have a hidden operating system running on them, as part of Intel’s ‘Management Engine’, which had several exploits discovered back in May. The recent discovery, however, is that it is running its own network stack as well as a web server. More terrifying, because it is so low level, an exploit could have a persistent place to stay, invisible to the regular user. Even worse, it can potentially make modifications while a machine is powered off (but still plugged in).

Antivirus abused to install malware. Antivirus is still just software, and subject to bugs like any other program. A recent news story shows how attackers can leverage these bugs to install malware that has already been quarantined, by abusing a user’s ability to restore it. The researchers combined this with other techniques to trick the antivirus into restoring the file to another location, such as privileged and sensitive directories on Windows.

2018 Predictions. With 2017 nearing its end, some companies are starting to think about what 2018 will bring. Kaspersky starts things off with their 2018 Predictions. It should be no surprise for those following along this year that things like supply chain attacks and hardware hacks are likely to continue, but it is a good review of current trends.


Security Roundup - 2017-11-10


Digitally Signed Malware Surprisingly Common. Code signing is a method where a legitimate certificate is used to sign an application so that operating systems will trust it. However, in some cases we have seen malicious packages that are correctly signed. Originally tied to nation state attacks and criminal enterprises, researchers have shown that this has actually happened more often than expected, having discovered 189 instances going back to 2003. 109 of the digital certificates used to sign these malicious apps are still valid. Some of these appear to have previously signed benign software, meaning that an organization may have lost control of its private keys. Related research has also been published on broken trust in digital signature checking and antivirus. The most shocking finding is that a signed file (even if signed with an expired key, or if the signature doesn’t match) will cause a number of antivirus programs to mark it as benign, abusing that trust. Perhaps more interesting is the ability to hijack signatures, which one researcher has demonstrated.

Mobile Pwn2Own Competition Results. Pwn2Own is a yearly competition in which hackers compete to discover zero days in browsers. Last year it expanded into virtual machines, and this year it has its own competition for mobile devices. A large number of bugs were discovered for devices including the Samsung Galaxy S8 and the iPhone 7, all of which have been privately disclosed to the manufacturers so they can create patches. You can read up on details for day one and day two.

Spam And Phishing Q3 Report. Want to stay on top of the latest spam and phishing techniques? Kaspersky has released their Q3 observations. Highlights are messages trying to coerce people into cryptocurrency get-rich-quick schemes and offers of free stuff (from flights to phones).

Account Takeovers. Google has released research into the root causes of account takeovers. While it is not particularly surprising that a fair portion is due to credential reuse (use unique passwords everywhere!), a fair amount of credentials are gathered via phishing and keyloggers. Phishing attacks appear to increasingly collect other information as well, to help circumvent other protections.

Companies Actively Trying To Work Around Browser Security Warnings. What’s worse than a company not securing a form over HTTPS? Actively working around browser protections to pretend things are all right. Check out this… interesting story of the amount of effort one company put into evading browser checks rather than just integrating HTTPS.

Size Matters Not. At least in terms of your risk of exploitation. Regardless of what your website actually does, it is valuable to an attacker in terms of resources. Even if you don’t have anything to directly steal, an attacker can leverage your infrastructure to run phishing attacks, malvertising, or spam with less risk to themselves (and more risk to you!).

DarkVNC Deep Dive. And for those that like deep dives, check out this article going over an exploit used to infect someone with ‘DarkVNC’, a malicious VNC client that lets attackers view and control a machine remotely.


Security Roundup - 2017-11-03


CyberSecurity Month Wraps Up. WeLiveSecurity has finished up their expanded coverage of Twitter conversations. You can check out Part 3, wherein they cover “CyberAwareness”, and Part 4, where they talk about the Internet of Things.

Hardware Hacking. Speaking of the Internet of Things, this week brings us an interesting article from a pentester, going over his view on hardware hacking. It covers a number of attack vectors we have seen over the last year (and no surprise that outdated software is #1 on the list), but also covers more interesting material for those that have physical access.

Terrifying USB Find. I know this week was Halloween, but this news about a USB drive containing plaintext files on Heathrow Airport’s security was downright terrifying. Items included, but are not necessarily limited to, details about security badges, patrol routes, and even travel routes for the Queen and other travelling dignitaries.

Google’s reCAPTCHA Broken. Google’s system for distinguishing people from robots has been broken again. This time, researchers have leveraged the improvements in speech-to-text engines to solve ~85% of audio captchas in ~5.4 seconds on average.

“Smart” Locks. Amazon has recently announced a locking system that would allow couriers to deliver things straight into your home. This is a risky proposition, and MalwareBytes gives some good reasons why, including security vulnerabilities and accidentally getting locked out of your own home.

Chrome to remove Public Key Pinning. Chrome developers have signaled their intention to remove Public Key Pinning (PKP) support from the browser in 2018. PKP was intended to be a method by which an organization can specify which HTTPS certificates are used to serve its site. However, in practice pins have been difficult to roll out, since a misconfiguration can cause an outage that lasts until the specified timeout expires. Google now advocates the use of certificate transparency, which they have made mandatory, to detect mis-issuance of certificates and protect users from them.

Dell Loses Control of Update Domain. Earlier this month, we learned that Dell lost control of a domain designed to help customers recover from malware. Ironically, it was taken over by malware developers and likely used to serve the same exploits it was meant to help customers deal with.

More Malicious Chrome Extensions. The latest appears to be spread by phishing attacks, and is used to harvest any data posted to forms, like usernames, passwords and people’s Facebook updates.

Malware Analysis Via API Calls. MalwareBytes has seen more obfuscation of malware, making static analysis harder. Rather than trying to reverse engineer the outer layer, they walk through a technique of dynamically analysing the system API calls the malware makes.


Security Roundup - 2017-10-27


China outpaces USA in terms of Vulnerability Disclosure. When vulnerabilities are disclosed, it looks like China rounds up details faster than the USA, especially in the case of uncoordinated releases, where the China National Vulnerability Database has details almost 5.5X faster than the US National Vulnerability Database. The difference? NIST does analysis and aggregation of publicly available and/or voluntarily submitted information, vs CNNVD’s more proactive stance of monitoring various outlets and producing details as quickly as possible so companies can make educated decisions.

Duhk, Duhk, Goose. Another named vulnerability has made the rounds with the existence of DUHK (Don’t Use Hard-coded Keys). DUHK is made possible by the use of hard-coded (hence the name) encryption keys in a number of security devices, including a number of VPNs. Because the firmware for these devices is usually available for download, attackers can extract the keys and then compute the shared secrets needed to decrypt what should be encrypted traffic.

Google Likes To Play…. Dangerously. Google has been dealing with a number of Play store app issues over the last year. While they have taken a number of steps to deal with malicious apps, they have also just invited further scrutiny, this time by starting a bug bounty program specifically for certain apps in the app store. Interested Android app developers are eligible to opt in to this program, to further advance Google’s goal of increased Android app security.

HaveIBeenPwned API Hackathon. Troy Hunt of HaveIBeenPwned has challenged people to build something interesting with his APIs. Check out the comments for some interesting things that have already been completed!

Massive PII Data leak from South Africa. Troy also disclosed a large leaked dataset containing PII. His article details the various things he did (and help he received) in identifying the likely source of the data (South Africa), as well as details on how bad it is (PII and records for children and teens).

CERT Guide To Vulnerability Disclosure. CERT has released a massive 121 page guide on coordinated vulnerability disclosure. Thankfully, Hacker provides a summary. The summary of the summary is that the document goes over how to ensure that the least amount of harm is done to the public, while minimizing the amount of harm attackers can cause. Ultimately, it is beneficial for vendors to run responsible disclosure programs, to ensure that researchers can report findings to the appropriate channels, confident that there will be a response, allowing vendors to quickly resolve issues rather than researchers feeling they must create a media sensation to drive fixes.

Bad Rabbit. The ransomware making big headlines this week was Bad Rabbit. Using a fake Flash update to get itself onto victim computers, Bad Rabbit uses the EternalRomance vulnerability to try to spread laterally in a network, as well as a set of hardcoded credentials to try to brute-force its way into SMB file shares.

IoT Botnets still threatening. Check Point provides details on a new IoT botnet they have been tracking, believing millions of bots may have been recruited, providing plenty of DDoS capability. Further news seems to indicate that the individuals with access to this botnet may be gearing up to weaponize it.