Security Roundup - 2016-12-16


The end of the year is quickly approaching, and a number of groups are starting their predictions for the new year, including:

Rapid7 has an insightful (to me at least) article on Why Security Assessments are Often not a True Reflection of Reality, and on how the scoping of security assessments can lead to a lot of caveats.

Checkpoint Labs put out their November Malware Most Wanted. Locky doesn’t quite top the list, but did manage to be the #1 malware family in 34 countries, while Conficker (still at the top) was #1 in only 28.

NakedSecurity has an end-of-year article on the number of records lost in breaches, totalling 2.14 BILLION records, up from 480m records last year. Unfortunately, these numbers were reported before Yahoo disclosed another breach of 1 billion records, a separate incident from the one reported earlier this year.

Poor Yahoo: on top of all the bad news this year, they recently patched an XSS bug which would have allowed attackers to read a user’s email.

BleepingComputer rounds up with ransomware. Last week included: new variants; a botnet spreading ransomware for which a decryptor was released in the summer (oops); a ransomware that will decrypt your files if you infect your friends (social!); and a new open source ransomware that has already spawned at least 3 variants in the wild.


Security Roundup - 2016-12-08


Botnets might get a big influx of nodes this holiday season, as researchers have discovered hard-coded credentials in 80 Sony IP cameras. Sony has released a fix to remove this ‘debugging code’, but users still have to apply the updates.

A mobile malware strain called Gooligan has been making the rounds. Using exploits against unpatched older versions of Android, it roots the device to gain admin access, allowing it to download additional applications in the background that steal information, install adware, and interact with the Google ecosystem as the user. Checkpoint indicates that over 1 million accounts are impacted.

Duo analyzes their data to see whether 2FA over SMS has decreased since NIST suggested it is insecure. Overall, it appears that in the 2 months since the announcement there has been no marked decrease so far, but SMS as a factor seems to be declining over the year in favor of methods like Universal 2nd Factor (U2F) and Duo Push.

Researchers have discovered an attack vector against credit cards that lets attackers repeatedly guess at card details by distributing hundreds of guesses across eCommerce systems, allowing them to work out the details in seconds. MasterCard users will apparently get fraud lockdowns after 100 tries. Visa, unfortunately, does not appear to have a similar lockdown.
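The reason distribution defeats a per-merchant limit is that each shop sees only one or two declines, so the counter has to live where every attempt converges: the issuer or card network. As an added illustration (not code from the roundup, the researchers, or any card network), the sliding-window monitor below counts declined authorisations per card across all merchants and locks the card at a threshold; the 100-try figure is the one the text quotes for MasterCard, and the one-hour window, the `merchant-N` names and the test PANs are constructed for the example.

```python
import hashlib
from collections import defaultdict, deque


class GuessVelocityMonitor:
    """Counts declined authorisations per card across every merchant in a sliding window.

    Hypothetical issuer-side component, constructed for this example: a single merchant
    sees at most a couple of the distributed guesses, so the lock only works if the count
    is kept where all attempts converge, at the card network or issuer.
    """

    def __init__(self, threshold=100, window_seconds=3600):
        self.threshold = threshold            # assumption: 100 tries, the figure quoted for MasterCard
        self.window_seconds = window_seconds  # assumption: one-hour sliding window
        self._declines = defaultdict(deque)   # card key -> deque of (timestamp, merchant)
        self._locked = set()

    @staticmethod
    def card_key(pan):
        # Keep a digest rather than the PAN itself in the monitoring store
        # (production code would use a keyed hash such as HMAC).
        return hashlib.sha256(pan.encode()).hexdigest()[:16]

    def record(self, pan, merchant, ts, approved):
        """Register one authorisation attempt and return its outcome."""
        key = self.card_key(pan)
        if key in self._locked:
            return "locked"                   # refused until the issuer clears the lock
        if approved:
            return "approved"
        window = self._declines[key]
        window.append((ts, merchant))
        while window and window[0][0] < ts - self.window_seconds:
            window.popleft()                  # drop declines that fell out of the window
        if len(window) >= self.threshold:
            self._locked.add(key)
            return "locked"
        return "declined"

    def distinct_merchants(self, pan):
        """How many different merchants the declines for this card came from."""
        return len({m for _, m in self._declines[self.card_key(pan)]})


def run_sample(threshold=100):
    """Replay a constructed guessing run in which every guess goes through a different merchant."""
    mon = GuessVelocityMonitor(threshold=threshold)
    target = "4111111111111111"   # constructed test PAN, not a real card
    other = "5555555555554444"    # second constructed PAN, an unrelated cardholder
    outcomes = [mon.record(target, f"merchant-{i}", ts=1000 + i, approved=False)
                for i in range(threshold)]
    legit = mon.record(target, "grocery", ts=1000 + threshold, approved=True)
    unrelated = mon.record(other, "grocery", ts=1000 + threshold, approved=False)
    return {
        "before_lock": outcomes[-2],
        "at_lock": outcomes[-1],
        "legit_after_lock": legit,   # the genuine cardholder is blocked too, so the lock needs an alert path
        "unrelated": unrelated,
        "merchants_seen": mon.distinct_merchants(target),
    }
```

The `legit_after_lock` outcome is the cost of this control: once the lock trips, the real cardholder is declined as well, which is why a lock of this kind has to be paired with a notification to the cardholder rather than applied silently.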

The FBI has apparently struck a major blow against the Avalanche botnet, taking ownership of 800K domains used by its DGA as well as seizing and shutting down servers suspected of being C&C nodes.

DeepDotWeb dives into the latest Locky delivery mechanism, where a specially crafted SVG image directs users to malware, exploring both the image itself and the browser extension it prompts users to install.
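What makes this delivery possible is that SVG is an XML document, not a bitmap: it can carry `<script>` elements, event-handler attributes and links, none of which a picture needs. As an added example that is not from the DeepDotWeb write-up or any product, the checker below walks an SVG and lists the active content that should stop it being treated as a passive image; the two sample files, the `example.invalid` URL and the `init()` handler name are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed samples: a plain drawing, and one carrying the kinds of active content
# an "image" should never need.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)

SUSPECT_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* placeholder for embedded script; not a real payload */</script>
  <a xlink:href="https://download.example.invalid/extension">
    <text y="10">Your browser needs an extension to view this image</text>
  </a>
</svg>"""

ACTIVE_TAGS = {"script", "foreignobject"}   # run code / embed HTML inside the image
LINK_ATTRS = {"href"}                       # matches href and xlink:href once the namespace is stripped


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(svg_text):
    """List the reasons an SVG cannot be treated as a passive picture (empty list = none found).

    Uses the standard-library parser for brevity; a gateway handling untrusted XML
    should parse with defusedxml or equivalent to avoid entity-expansion attacks.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            v = value.strip().lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in LINK_ATTRS:
                scheme = v.split(":", 1)[0] if ":" in v else ""
                if scheme in ("javascript", "data"):
                    findings.append(f"{scheme}: URL on <{tag}>")
                elif scheme in ("http", "https"):
                    findings.append(f"external link from <{tag}> to {v}")
    return findings


def is_passive_svg(svg_text):
    """True when the file contains nothing that can run code or send the viewer elsewhere."""
    return not svg_findings(svg_text)
```

A mail or upload gateway would call `is_passive_svg` and quarantine anything that fails, or rasterise the SVG to PNG so that whatever it carried is discarded; serving user-supplied SVG inline, rather than as a download or from an isolated origin, is the configuration that lets an "image" prompt for an extension in the first place.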

Similarly, Ars Technica explores malware that was hidden in pixel ad banners on a variety of sites. The malware resides in a heavily obfuscated JavaScript file, but the actual malicious payload runs when it loads an ad image that contains hidden malicious instructions.

BleepingComputer rounds up the ransomware. New this week: screen lockers, tech support scams, and new ransomware variants, including one that uses GPG to encrypt files.


Security Roundup - 2016-12-01


cURL, an open source program and library used by many open source projects, recently underwent a security audit from Mozilla’s Secure Open Source initiative. Overall, 23 issues were proactively identified and fixed, ahead of any ‘Heartbleed’-like event of the kind the initiative was created in reaction to.

In a post-Mirai world, Fortinet delves into managing the attack surface of the Smart Cities of tomorrow.

Deutsche Telekom customers had their modems targeted this week, knocking users off the internet. Researchers from the SANS Institute indicate that, left unchecked, these routers could be compromised and become part of a botnet. Deutsche Telekom has apparently already pushed out a fix. Rapid7 has a summary of some of the raw data.

Firefox users should update, as Mozilla has fixed a 0-day that was used to de-anonymize users. While this is important for Tor users specifically, researchers indicate the payload could also have been used to execute malware. Endpoint Security provides an in-depth technical writeup.

On the importance of maintaining and monitoring your third-party accounts: it appears a small number of MailChimp accounts were broken into and used to send malicious attachments. MailChimp does offer 2FA, making it easier for users to secure their accounts.

Proving that pretty much anyone can be a victim of ransomware, SF MUNI fell victim to HDDCryptor. MUNI suggests that there was no actual breach, no data was stolen, and transit systems themselves were not impacted. KrebsOnSecurity has already been provided some information on the attacker in the form of emails from his email account, which someone else hacked. These provide details on the number of companies impacted, as well as the techniques the attacker used.

BleepingComputer brings the rest of the ransomware roundup. Nothing particularly ‘new’ this week, but still plenty of variants, new versions, and decryptors.


Security Roundup - 2016-11-23


Happy Thanksgiving! I just found out that DerbyCon 2016 videos have been up for over a month, and DefCon 24 videos went up in the last week, so I know what I am going to be filling SOME of my time this weekend.

Some Internet of Things news:

Several Siemens-branded CCTV cameras are vulnerable to a bug that would allow attackers to gain admin credentials.

Similarly, security researcher Robert Stevens recently purchased an IP-based camera and set out to see how quickly it would be compromised. In under 2 minutes he had details on how some attackers were exploiting it and what they were doing once they gained control.

Some phone-related problems were mentioned this week, including:

An insecure update mechanism on a number of phones which could operate as a rootkit to execute arbitrary system commands.

An unknown set of phones regularly sends user data to servers in China. The company responsible says it was a mistake, with the feature intended for Chinese devices, but it unfortunately impacts some US devices as well. The company has also said it has taken steps to correct this, including destruction of the data, but as of this time it has not detailed which devices might actually be impacted.

Qualcomm has opened up a bug bounty program for their Snapdragon processors used to power multiple mobile devices.

In a follow-up to a previous article on how he validates data breaches, Troy Hunt reiterates why alleged data breaches need to be validated before being shared as such. It all comes down to publicity: who wants it, and how easy it might be to just make up or relabel data to gain it.

In a somewhat similar vein, O’Reilly hosts an article on the challenges of validating attack-detection methods. Challenges include tainted data, a variety of datasets, attacks in the wild being detected so rarely as to provide too small a sample set, and no incentive for defenders to share their raw data so that data scientists get better data to work with.

Akamai released their Q3 State of the Internet Report. Unsurprisingly at this point, DDoS attacks are up, with a 138% increase in attacks over 100 Gbps YoY and a 58% increase QoQ. They have also noticed a downward trend in NTP reflection attack volume, from upwards of 40 Gbps in 2014 to 700 Mbps in 2016; this decrease is attributed to organizations patching their servers to mitigate the known problems that allowed these attacks.

Checkpoint Labs provides their ‘October Most Wanted Malware List’, in which they see a 5% growth in families and distribution over the course of the month. Zeus and Locky continue to be prevalent in the ranks, though Conficker is still #1 after several months.

Ars Technica reports on one researcher’s discovery of subtle bugs in a Linux audio processing library. With them, the researcher was able to craft specific audio files that could be used to bypass some standard Linux security constraints.

BleepingComputer provides plenty of interesting ransomware news again this week. This week: the CrySiS ransomware had its encryption keys released; ransomware writers sought help from security researchers to fix their crypto in order to ‘help victims ensure their files can be decrypted’; an uptick in distribution channels; and plenty of new variants.


Security Roundup - 2016-11-17


Following up on the ‘Hack The Pentagon’ bug bounty program, the Army announced ‘Hack The Army’ on Veterans Day.

The Verge reports an unfortunate cause of users’ Skype accounts being compromised. Despite urging customers to migrate their accounts to Microsoft accounts for stricter security, users’ original Skype accounts could still be used to log in, potentially leaving accounts vulnerable to leaked credentials. Users are urged to ‘complete’ the migration.

‘Pwnfest’, a security bug-finding festival, wrapped up this week. Among the targets, VMware was exploited (and subsequently fixed), Microsoft Edge exploits were found, and the new Pixel phone was exploited.

Talos goes in depth on how they triage some vulnerabilities in binaries, specifically stack-based buffer overflow and heap-based buffer overflow/heap overflow bugs.

I imagine everyone has heard of PoisonTap at this point, but for those who haven’t: PoisonTap is an exploit device based on the Raspberry Pi that emulates a network device. Once connected, it convinces the laptop that all traffic should be routed through it. This allows the device to intercept traffic, harvest cookies, and poison the browser; the latter lets the device open a websocket for remote control of the browser. The engineer behind the device suggests a simple security measure for USB devices: simply prompt the user when a device is connected (most or all of the time) to ask whether it should be allowed.
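The "all traffic should be routed through it" step leaves a footprint in the host's routing table: a secondary interface that suddenly owns most of the IPv4 address space. As an added host-side check (not the PoisonTap project's code, nor anything from the roundup), the script below parses `ip route show` output and flags any interface, other than the one holding the default route, whose routes cover at least half of IPv4. The sample route lines are constructed, and the assumption that the rogue adapter (named `enx<MAC>` as Linux names USB NICs) pushes two /1 routes is this example's, not a detail the text gives.

```python
import ipaddress
from collections import defaultdict

IPV4_SPACE = 2 ** 32

# Constructed `ip route show` output for a laptop on Wi-Fi with a Docker bridge.
NORMAL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown"""

# Same host after a rogue USB NIC handed out two /1 routes (assumption of this
# example): more specific than the default route, so they win for every destination.
ROGUE_ROUTES = NORMAL_ROUTES + """
0.0.0.0/1 via 192.0.2.1 dev enx0123456789ab proto dhcp metric 100
128.0.0.0/1 via 192.0.2.1 dev enx0123456789ab proto dhcp metric 100
192.0.2.0/24 dev enx0123456789ab proto kernel scope link src 192.0.2.2 metric 100"""


def parse_ip_route(text):
    """Turn `ip route show` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or "dev" not in fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append((ipaddress.ip_network(dst, strict=False),
                       fields[fields.index("dev") + 1]))
    return routes


def coverage_by_interface(routes):
    """Fraction of IPv4 addresses each interface claims through non-default routes."""
    nets = defaultdict(list)
    for net, dev in routes:
        if net.prefixlen > 0:            # the default route is the baseline, not a claim
            nets[dev].append(net)
    # collapse_addresses merges overlapping/adjacent prefixes so nothing is counted twice
    return {dev: sum(n.num_addresses for n in ipaddress.collapse_addresses(v)) / IPV4_SPACE
            for dev, v in nets.items()}


def default_interface(routes):
    """Device that carries the default route, or None when there is none."""
    for net, dev in routes:
        if net.prefixlen == 0:
            return dev
    return None


def suspicious_interfaces(text, threshold=0.5):
    """Interfaces other than the default-route one that claim at least `threshold` of IPv4.

    A real LAN route is a sliver of the space (a /24 is 256 of 4.3 billion addresses),
    so anything near half the address space on a secondary interface is a hijack candidate.
    The 0.5 threshold is an arbitrary choice for this example.
    """
    routes = parse_ip_route(text)
    default_dev = default_interface(routes)
    return sorted((dev, frac) for dev, frac in coverage_by_interface(routes).items()
                  if dev != default_dev and frac >= threshold)
```

On a live Linux host, `suspicious_interfaces(subprocess.check_output(["ip", "route", "show"], text=True))` runs the same check. It is a detection, not a prevention: the routes only appear after the adapter has been accepted, which is why the prompt-before-allowing control suggested in the text is the stronger measure.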

Chinese researchers have revealed that poor OAuth 2.0 implementations (OAuth being used for single sign-on via services like Facebook and Google) can be hijacked. Based on their analysis of top-performing apps, they believe more than 1 billion accounts could be subject to compromise. The attack relies on a malicious app being installed on the device, allowing the attacker to MitM connections.

Fortinet has been working to identify the author of several strains of malware and gives an inside view of what sorts of information they look for in order to find relationships between samples.

BleepingComputer wraps us up with the ransomware roundup. Among the regular variants, some interesting news: multiple new versions of Cerber, which has expanded the IP subnets it uses to send information and statistics back to C&C nodes; a ransomware variant that is marketed as a Paysafe (prepaid money card) number generator, asking people who are trying to ‘generate’ money to pay money; proof-of-concept PHP ransomware which could use another exploit to encrypt web servers; and a new variant dubbed ‘Telecrypt’ because it uses the Telegram service as its C&C channel.