Security Roundup 2016-03-16

In an amusing example of ‘trust but verify’, there is a story of data collection UIs not sanitizing input before displaying it to users.

Last year Google Research apparently published “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google”, and I have discovered a quick summary of the paper. Summary of the summary: online guessing attacks can be fairly effective and cheap.

Security company Staminus Communications was hacked last week. Hackers dumped the data and started with a list of “TIPS WHEN RUNNING A SECURITY COMPANY”.

After last week’s mention that Google open sourced their vendor survey system, my co-worker Bennet pointed out that Facebook has a program called ‘Facebook for Work’ and they are considering how to do vendor risk assessment.

Interested in hacking your vehicle? BoingBoing has a short review of the new edition of The Car Hacker’s Handbook.

For those who love dashboards, I just discovered the Kaspersky Cyberstat board.

Security Roundup 2016-03-09

Big batch of interesting things this week.

Enjoy!

  • Sean

Checkpoint has a nice article on ‘Why Visibility Is Critical To Your Security Management Program’, where I feel there are a lot of overlaps with ‘Why Visibility Is Critical To Your Third Party Risk Management Program’.

Google just open sourced their Vendor Security Assessment Questionnaire system, which they use to automate their vendor survey process of hundreds of vendors each year.

For those interested in a VPN, one reddit user has compiled a giant list of datapoints on over 100 VPN services.

High Scalability has an article on backdoors and code reviews.

Use your fingerprint to unlock your smartphone? You might want to watch this video.

My co-worker Bennet has pointed out that Akamai has released their Q4 State of the Internet report, detailing the attacks they are seeing on their customers. Overall DDoS was up 150% YoY. Application level attacks increased 28% QoQ, with 59% of application level attacks targeting retailers.

Following up on the previous Locky news, Checkpoint has some more information, including volume (100K attempts on their clients in 2 weeks), data collection analysis, server identification and some DGA analysis.

Because it is tax season, phishing scams are going after W-2 forms. And unfortunately companies are forking them out by the thousands, including Seagate.

WordPress powers tens of millions of websites, and hacking them is big business. Recently, Sucuri noticed that popular but largely abandoned plugins have been taken over to inject vulnerabilities. Of course, not upgrading plugins means you are open to being attacked by old vulnerabilities like this old RevSlider vulnerability. Google dorking is being used to find this vulnerability, and the culprit is leveraging Google’s large number of TLDs to get around the CAPTCHA search limits.

Security Roundup 2016-03-02

Yesterday a new TLS vulnerability called DROWN was revealed, using weaknesses in SSLv2 to attack TLS. Cloudflare has already announced that anyone using their platform is protected.

Speaking of Cloudflare, they have decided to become their own registrar, with extra security built in. They have also built a handy ‘best practices’ checker for DNS security, which contains some interesting things people might want to consider doing.

In the growing trend of hospital hacks, the Independent Security Auditors group recently released a report on Hacking Hospitals. They found that the primary focus is on protecting PII and PHI, and less on protecting the devices that are keeping lots of people alive.

When everything is connected, can you even trust your car? Nissan Leaf owners who used a companion app were open to having some functions hijacked and their trip logs and user identities retrieved. The app used the VIN for identification, so bad actors could even do drive-by detection. Nissan has currently shut down the app while they work on a fix (http://engt.co/1TeB4mf). In a recent report, car manufacturers are three years behind current cybersecurity threats.

Security Roundup 2016-02-26

A ‘few’ things I missed Wednesday.

  • Sean

Krebs mentions some increasingly sophisticated phone scams to Dell customers. These calls allegedly involve the caller correctly providing unique service tags of Dell equipment, as well as historical service records. Dell currently says their customer data has not been breached.

I think biometric security is a big miss, but that isn’t stopping HSBC from rolling out “Voice ID” to 15 million customers. Meanwhile, looks like the FBI could potentially use fingerprints of dead people to unlock devices.

Checking input is important! Even barcode scanners can be subject to string injection attacks.

WordPress is the new botnet. Simple exploitation of the pingback XML-RPC command allows attackers to flood some target with HTTP requests.
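As an added illustration (not from the original post or any of the linked articles) of what the pingback flood above looks like from the target’s side: a WordPress install asked to verify a pingback fetches the target URL with a User-Agent of the form `WordPress/<version>; <site URL>; verifying pingback from <ip>`, so the target can count how many distinct sites are being used as reflectors. The access-log lines, hostnames and IPs below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); all hosts
# and addresses are made up. Lines 1, 2, 4 and 5 are pingback
# verifications from three different WordPress sites, all claiming the
# same "from" address: the signature of a pingback reflection flood.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Feb/2016:10:00:01 +0000] "GET /?p=1 HTTP/1.0" 200 512 "-" "WordPress/4.4.2; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [26/Feb/2016:10:00:01 +0000] "GET /?p=2 HTTP/1.0" 200 512 "-" "WordPress/4.3.1; http://blog-b.example; verifying pingback from 198.51.100.7"
198.51.100.20 - - [26/Feb/2016:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.12 - - [26/Feb/2016:10:00:02 +0000] "GET /?p=3 HTTP/1.0" 200 512 "-" "WordPress/4.4; http://blog-c.example; verifying pingback from 198.51.100.7"
203.0.113.10 - - [26/Feb/2016:10:00:03 +0000] "GET /?p=4 HTTP/1.0" 200 512 "-" "WordPress/4.4.2; http://blog-a.example; verifying pingback from 198.51.100.7"
"""

# Combined log format: client ip ... "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*? "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The User-Agent WordPress sends when verifying a pingback.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/[\d.]+; (?P<site>\S+); verifying pingback from (?P<claimed>\S+)$'
)


def parse_pingback_hits(log_text):
    """Return (client_ip, reflecting_site, claimed_source) for each pingback verification."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ua = PINGBACK_UA_RE.match(m.group("ua"))
        if ua:
            hits.append((m.group("ip"), ua.group("site"), ua.group("claimed")))
    return hits


def summarize_reflection(log_text, min_sites=3):
    """Suspect a reflection flood once at least min_sites distinct WordPress
    installs have verified pingbacks against us; report the reflector counts."""
    hits = parse_pingback_hits(log_text)
    per_site = Counter(site for _, site, _ in hits)
    return {
        "pingback_requests": len(hits),
        "distinct_reflectors": len(per_site),
        "top_reflectors": per_site.most_common(3),
        "flood_suspected": len(per_site) >= min_sites,
    }


if __name__ == "__main__":
    print(summarize_reflection(SAMPLE_LOG))
```

The reflector list is also what you would hand to the owners of the abusing sites, since the fix (disabling pingbacks or xmlrpc.php) has to happen on their end.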

Akamai is rolling out a tool to allow users to better monitor and analyze bot traffic and take whatever action they want.

Security Roundup 2016-02-26

Using a default password for your device sucks. TP-LINK chose not to do this, but ended up using a unique password that their device broadcasts. I actually have one of these, and did not make the connection when originally setting it up.

A default app on the LG G3 phone doesn’t validate data, allowing arbitrary JavaScript to run code, including system code. This demonstrates the importance of validating user supplied data.

Patchwork Security tries monitoring Heroku dynos for security upgrades. Initial findings are that things are not upgraded quickly, but the overall observation window is quite small.

Norse Corp seems to be imploding, and Krebs has some details, including a History of Norse Corp. Some fun comments on this Hacker News thread.

NSA TAO Chief talks about Disrupting Nation State Hackers (https://www.youtube.com/watch?v=bDJb8WOJYdA) at Enigma 2016. He goes into the ways in which they will exploit networks, which he generalizes as ‘knowing a network better than the people who set it up’ and ‘poke and prod it, just like an adversary would do’.

User figures out how Shodan.io is discovering and scanning IPv6 addresses (http://netpatterns.blogspot.de/2016/01/the-rising-sophistication-of-network.html). Looks like they have added nodes to the NTP pool, and are harvesting the IP addresses of requesting servers to figure out which ones to scan. Looks like Check Point has classified Shodan as a threat and has made attempts to thwart scans.