Security Roundup - 2016-11-11

Posted on  by

A few good IoT related articles:

  • Mirai may be imploding as competing hackers fight over the resources. As these botnets are also designed to keep out the competition, the botnets may be fracturing into smaller and smaller groupings.
  • Rapid 7 has been tracking Mirai, and also noticed a drop in overall active nodes.
  • Several people sent me “IoT Goes Nuclear”, a research paper that illustrates a proof of concept worm for the Philip’s Hue. They were able to develop a technique to force a bulb in proximity to update its firmware. From there, the infected device was able to spread through the network. Assuming a critical mass of similar devices, the entire network could be shut down or repurposed for malicious activity.
  • Wired has a story of a researches that built a stingray device that looks like an office printer. Since the device is indoors, it is that much easier to overwhelm outside cell towers, to monitor your traffic and perform malicious things.

Sucuri has published their October Lab Notes recap. Lots of eCommerce related maliciousness, where they believe attackers are preparing for the holiday season. Additionally, two notes on tricks backdoors are using to avoid casual detection.

Google has expanded their HTTPS Transparency Report, demonstrating an upwards trend in Chrome users interacting with sites over HTTPS. Additionally, they have rolled out a new Safe Browsing site.

Rapid 7 has developed a new Honeypot network and has a writeup of some early observations. They spread their pots across a number of cloud providers, and noticed a decidedly uneven distribution of attacks. They also noticed that inter-cloud communication was heavier in AWS to AWS public traffic than expected, a possible indicator of companies using AWS Classic, vs using VPCs to keep traffic internal.

Can your password survive 100 guesses? This is the question posed by recent research, which found that, with a little bit of PII, they has a one in five chance of guessing a password before reaching NIST’s lockout guidelines.

Endgame Security researcher Bobby Flair provides a writeup of AISec, where they also presented their paper on “DeepDGA: Adversarially-Tuned Domain Generation and Detection”. Effectively automating better ways to avoid DGA detection, to be used to automate better detection of generated domains.

Talos does a deep dive on the RIG Exploit Kit. RIG apparently has a number of configurable variants, and various levels of obfuscation to make tracking difficult. It tends to try to infect with various scripts, so where one might fail another may succeed. This includes ActionScript, Flash, JavaScript, and VBScript. MalwareBytes also has an Exploit Kit Retrospective for the last few months, giving some highlights on how these operate and are changing.

BleepingComputer rounds up the ransomware, detailing several new ransomware variants.


Security Roundup - 2016-11-03

Posted on  by

The first O’Reilly Security Conference just wrapped up in NYC. I opted to attend last minute and was glad I chose to, due to a number of really good conversations with other attendees. I plan to share a separate write up of some of the highlights in the near future.

Let’s keep following the Mirai after effects:

Google has indicated that Chrome will only trust certificates that participate in the certificate transparency standard. Google intends this to encourage Certificate Authorities to tighten up their own security, and cut down mis-issues certificates that can be used maliciously. One downside, however, is this would require certificates for inside corporate networks to be part of Certificate Transparency, which would leak internal networking details. Additionally, Google has indicated that they will stop trusting certificates signed by WoSign and StartCom due to certificate misuse.

Google has also disclosed the existence of a Windows zero day vulnerability being exploited, ahead of an announcement by Microsoft. While Google is acting under a long standing disclosure policy for ‘critical flaws under active exploitation’, but Microsoft suggests they are not being responsible for ‘coordinated vulnerability disclosure’ and putting customers at risk. Coincidentally, Rapid 7 has an article on Coordinated Vulnerability Disclosure Advice for Researchers.

A new named exploit called Atombombing has been detailed. The exploit rely’s on ‘atom tables’, an area of Windows where apps can share data. Researchers have discovered a way in which malware can share malicious code, and then trick legitimate apps into loading and executing the payload.

Sophos tells the tale of the recent Paypal 2FA bypass. It appears that the client side was submitting the questions AND the answers, and simply deleting both could bypass 2FA.

Breakpoint Labs continues their series on ‘How We Get Into Your System’. This week features Multicast Name Resolution Poisoning, which takes advantage of some local networking protocols to harvest username/password hashes.

Troy Hunt tells us how an anonymous user happened to find a chunk of Australian Red Cross blood donor records online, where they happened to have accidentally been exposed via a database backup that was accidentally exposed on a partner’s website. Troy tells the whole story, as well as why he decided NOT to load the data into Have I Been Pwned.

This week’s Ransomware Roundup by BleepingComputer contains more variants (including one that makes you fill out a survey!) and a malware developer who tried to sell security researchers decrypt keys when the researcher had already exploited the C&C to harvest decryption keys.


Security Roundup - 2016-10-27

Posted on  by

Biggest news this week is, of course, the big DDoS attacks against Dyn from Mirai infected electronic devices. Dyn has provided some details of the attacks, the first which lasted ~2 hours, and the second of which lasted ~3.5 hours. Initial analysis leads them to say there were traffic surges 40-50x higher than normal. They are not able to confirm independent reports of the size and volume of the attack at this time.

The rest of the internet is abuzz with commentary:

In related news, another DDoS mitigation provider has noticed a growing number of LDAP servers participating in DDoS attacks. As some LDAP server variants work over UDP, this allows attackers to perform UDP amplification attacks, while hiding the source of the overall attack.

In other news:

Dirty Cow also landed on Friday. A nine year old Linux vulnerability that is based on a race condition that allows people to write to files they don’t normally have permissions for. This, of course, includes files for usernames and passwords to gain more access to the machine.

Mozilla has already baked in TLS 1.3 support into Firefox, but they have also announced that they will turn it on by default March 2017. They join Cloudflare and Google in being proactive about pushing this new standard forward.

Sucuri has covered a number of credit card stealers for eCommerce sites, and goes into depth for a specific version they found infecting Prestashop instances, as well as one that impacts Magento. The latter is interesting in that it dumps data into image files, and legitimate looking image files as well, making it harder for people to detect the data being collected, as well as the data being exfiltrated via a regular file access.

Breakpoint labs continues their series on how they break into networks. This week is Web Application Vulnerabilities. Sadly standard fare, such as failing to update software and plugins, as well as not sanitizing user inputs.

The DoD is apparently expanding on the ‘Hack the Pentagon’ initiative and launching a more long term bug bounty program.

Security researchers have demonstrated bit flipping attacks on Android. Labelled ‘Drummer’, it relies on continuously accessing memory to induce an error state and flip a bit to produce undesired behaviour, enabling apps to do things like break out of security sandboxes and obtain root permissions on a device. The research indicates this could even be triggered by javascript in a browser.

Checkpoint has released the September edition of ‘Most Wanted’ Malware. Conficker is still #1. Locky has made it to #3, making the first time ransomware has been in the top 3. ThreatPost indicates that Locky has at least 10 downloader variants as of this writing, and still evolves in the way in which it evades detection and infects systems.

BleepingComputer provides the rest of the Ransomware Roundup. Some minor new players, but one variant that includes a game, and Talos Intel providing a tool to block updates to the Master Boot Record to mitigate ransomware attacks that use this strategy.


Security Roundup - 2016-10-20

Posted on  by

Not quite as much IoT news this week. The highlight is that Mirai has evolved to infect cellular modems, including ones that connect automotive and industrial equipment.

Firefox’s data collection has indicated that their users see roughly 50% of the internet encrypted, in comparison to 40% at the end of 2015. This is at least partially attributed to free SSL provider’s like Let’s Encrypt.

Security researchers have discovered a vulnerability in some Foxconn hardware used to power several phones. This vulnerability, dubbed “Pork Explosion”.

HTML5 potentially adds additional threat vectors to the browser, in this article that highlights some CORS vulnerabilities, as well as how XSS can enable attacks on local browser storage.

Sophos breaks down DNS hijacking, including how easy it could be to just social engineer a hijack. The comparison is to recent SIM card hijacks, with a simple phone call transfering ownership until the actual owner takes steps to recover.

Breakpoint labs details 5 ways in which they break into a network. Phishing, unpatched applications, and poor account policies are no surprise. Poisoning netbios name resolution to collect user and password hashes? That is a bit different. They appear to be going in depth into these topics, with the first being phishing.

Facebook recently celebrated the 5th anniversary of their bug bounty program. Some interesting stats: More than $5 million paid to 900 researchers over those 5 years. ~$612K of that was this year, due to no fewer than 9K reports since January 1st.

Bleeping computer provides the ransomware roundup. This week includes a number of new variants, including VenisRansomware which not only encrypts files but includes modules for things like remote access and password stealing. On the defensive side, Talos Group has developed a program that dumps the configuration of several variants of Locky.


Security Roundup - 2016-10-13

Posted on  by

Stories about hacking the internet of things continue to roll out.

Speaking of SSL, a few months ago I mentioned nonce reuse. Cloudflare has a great article on the concept as well as going into how various versions of TLS manage nonces, and what future versions are doing to reduce the ability for nonce misuse.

Researchers warn that 1024 bit keys in the Diffie-Hellman key exchange can be trapdoored, allowing attackers to decrypt data. While NIST has recommended 2048 bit keys since 2010, some big areas still use 1024 bit keys, including a number of SSL certs, Java 8 only supporting 1024 bit keys, and DNSSEC limiting keys to a maximum of 1024 bits as well. At this time, while the researchers are able to create a trapdoor, they don’t have a way to identify what published primes might actually be trapdoored.

Amazon has joined the group of companies that analyze data leaks and proactively reset customer passwords.

Researches at Checkpoint have written a whitepaper on sandbox evasion, specifically targeting the Cuckoo Sandbox, to educate sandbox makers on the evolving field of sandbox evasion. Among other things, I have now learned that malware takes advantage of some specific malware detection/virtual environment processes to actually make itself crash before doing anything malicious, to avoid detection.

Today I learned of the existence of Sucuri’s Lab Notes, due to them now starting to put together a monthly recap. The last month has included exploiting various CMSes (Drupal, Magento, vBulletin), how to target mobile devices for malware, and an attacker attempting to hijack Paypal donations.

BinaryEdge has published their own Internet Security Exposure report. Similar to other reports, key findings include slow to be updated software, which leaves potential security flaws to be exploited, as well as plenty of databases, smart devices and other systems not using authentication mechanisms.

A former NSA staffer has demonstrated how malware can leverage your camera by piggybacking on any recording that is already happening. Since on OSX, the video light will already be on, users won’t realize that other programs are making use of the camera. The researcher has also published a program that will identify and alert when an application goes to make use of the camera, to mitigate this problem.

Checkpoint has an interesting article on “Crypto Failures in Malware”. From ransomware that used default values and was easily decrypted, to not really random seeds, to rolling your own encryption (never a good idea) complete with real world examples of where malware authors did the wrong thing.

Bleeping Computer rounds up the ransomware. This week features lots of new variants, but it appears that many are really just spins on existing versions, rather than in increase of sophistication.