Security Roundup - 2017-10-27

Posted on  by

China outpaces USA in terms of Vulnerability Disclosure. When vulnerabilities are disclosed, it looks like China rounds up details faster than the USA, especially in terms of uncoordinated releases, where the China National Vulnerability Database has details almost 5.5X faster than the the US National Vulnerability database. The difference? NIST does analysis and aggregation of publically available and/or voluntarily submitted information, vs CNNVD’s more proactive stance to monitor various outlets and produce details as quickly as possible for companies to make educated decisions.

Duhk, Duhk, Goose. Another named vulnerability has made the rounds with the existence of DUHK (Don’t Use Hard-coded Keys). DUHK is made possible by the usage of hard coded (hence the name) encryption keys used in a number of security devices, including a number of VPNs. However, the firmware for these devices is usually available for download, allowing attackers to extract the keys and then compute shared secrets and decrypt what should be encrypted traffic.

Google Likes To Play…. Dangerously. Google has been dealing with a number of Play store app issues over the last year. While they have taken a number of steps to deal with malicious apps they have also just invited further scrutiny, this time by starting a bug bounty program specifically for certain apps in the app store. Interesting Android App developers are eligible to opt in to this program, to further advance Google’s goal of increased Android app security.

HaveIBeenPwned API Hackathon. Troy Hunt of HaveIBeenPwned has challenged people to build something interesting with his APIs. Check out the comments for some interesting things that have already been completed!

Massive PII Data leak from South Africa. Troy also disclosed a large leaked dataset containing PII information. His article details the various things he did (and help he received) in identifying the likely source of data (South Africa), as well as details on how bad it is (PII and records for children and teens).

CERT Guide To Vulnerability Disclosure. CERT has released a massive 121 page guide on coordinated vulnerability disclosure. Thankfully, Hacker provides a summary. The summary of the summary is that the document goes over how to ensure that the least amount of harm is done to the public, while minimizing the amount of harm attackers can provide. Ultimately, it is beneficial for vendors to run responsible disclosure programs, to ensure that researchers can report findings to the appropriate channels, confident that there will be a response, allowing vendors to quickly resolve rather than researchers feeling they should create a media sensation to drive fixes.

Bad Rabbit. The ransomware making big headlines this week was Bad Rabbit. Using a fake flash update to get itself on victim computers, Bad Rabbit uses the EternalRomance vulnerability to try to spread laterally in a network, as well as using a set of hardcoded credentials to try to brute force SMB filesystems.

IoT Botnets still threatening. Checkpoint security provides details on a new IoT botnet they have been tracking, believing millions of bots may have been recruited providing plenty of DDoS capability. Further news seems to indicate that individuals with access to this botnet may be gearing up to weaponize it.


Security Roundup - 2017-10-20

Posted on  by , and

Security Awareness Month Continues. And WeLiveSecurity is doing twitter based Q&A sessions every Thursday. You can read their expanded answers so far here and here.

Cryptography is hard, doing it right is even harder. All of us have to deal with cryptographic algorithms every day, they are used to secure our most private information like bank accounts and social security. We rely blindly on these algorithms sure that, to become a standard, they had to pass a huge amount of controls and tests. This week an important weakness has been discovered inside in a widely used library developed by Infineon. The flaw affected the prime generation algorithm for RSA keys when they are generated for many smartcards and embedded devices and makes the keys prone to factorization, and severely reducing the amount of time it would take to break them.

Yubikey promptly released a blog post communicating that they are working to resolve the issue and that they are replacing all the defective cards/keys while Github revoked all the public keys that have being found vulnerable stating “The above key was determined to be insecurely generated, possibly due to recently vulnerability in some hardware based SSH key generation and storage technology. We have removed it from your account to ensure that it cannot be used by any malicious users.”

As soon as this news propagated online a gold rush to identify weak keys kicked off. We strongly suggest everyone audit their keys and replace as needed (or be paranoid and rotate them all).

WiFi WPA2 vulnerabilities. Update your access points! A design flaw in the WPA2 (and WPA, but you shouldn’t be using that anyhow) protocol named KRACK has led to the ability to manipulate the handshake that sets up shared secrets between a client and access point (supplicant and authenticator in the RFC). These shared secrets are the basis for the math that keeps wireless connections secure.

DHS mandates stronger online security. This week, the DHS set out mandates for both improved email security measures, via the DMARC specification, as well as for all government agencies to use HTTPS for all .gov websites. The later, seems like it would really be able to enforce if the government forces the .gov TLD to be part of the HSTS preloading list, meaning that all sites MUST use HTTPS or fail to work for users.

More Malicious Chrome Extensions. Google has been busy of late, with multiple instances of malicious chrome extensions requiring cleanup. Google has now announced some new upcoming features designed to address this increase in abuse.

Bug Bountry Programs Recommended. The US Deputy Attorney General has recommended that companies use bug bounty programs, citing the success of the DoDs program for identifying and remediating vulnerabilities. But make sure you run your bug bounty properly! Cybellum writes up some of the perils of miss-managing your bug bounty program, where you need to make sure it is more than a PR stunt, or risk alienating the security researchers you are trying to attract.

Security Concerns In The Lowest (Common Denominator) Places. CSVs are the common lowest common denominator for sharing various forms of data, and all of us probably interact with variations of them on a regular basis. But have you thought about the potential dangers of loading in a CSV to a Google Sheet or Excel? This security researcher goes over some things which are possible with CSV injection attacks.

Malware and Bad Opsec. BleepingComputer gives us an interesting tale where a malware author’s real identity is discovered due to said author’s bad operational security. In an effort to sell some of his goods, the author had used his personal account, later pointing out that he was the author, linking both identities.


Security Roundup - 2017-10-13

Posted on  by an unknown author

Credit Unions Serving Malicious Ads. Equifax issues continue this week, with one of their ad providers serving malware. While it is true that Equifax itself was not hacked, this further erodes trust if their supply chain is putting visitors at risk. Not to be left out, Transunion was also noticed to have the same problem.

Supply Chain Attack Rundown. Attacks like the above leverage the supply chain of services that a vendor uses. Malvertisements are nothing new, but supply chain attacks are increasing in both sophistication and frequency. Crowdstrike provides a brief rundown for anyone needing to catch up.

KnockKnock (but quietly). A brute force attack (but a sneaky one) against Office 365 accounts was discovered by researchers. KnockKnock, as it is called, was a targeted attack against a specific set of accounts for a specific set of companies using Office 365. The attack appears to have been spread out and coordinated across a wide number of ips. Attackers also singled out senior and/or long term employees, perhaps hoping they would be more likely to have access to sensitive information.

Attackers abuse overdraft functionality to milk ATMs. Follow along with this story, of attackers that social engineered their way into a bank’s infrastructure, stuck around, and then used their privileges to create new accounts and withdraw millions of dollars by abusing overdraft protection settings.

DNS requests could compromise your machine. In this week’s terrifying news, a Windows CVE was just patched that allowed a malicious DNS response to trigger remote access to someone’s machine. This applies in a number of scenarios, like using internet from a coffee shop, or from the airport. Full details can be found here.

Magento eCommerce Roundup. Lots of Magento related news this week, including Sucuri’s deep dive into a credit card stealing malware ring, this Detectify blog about how bad patching cadence is for some Magento users,and this announcement about PoC code for two patched exploits.

Disqus customer data exposed. Company promptly addresses. Disqus was made aware customer data being available this week, compromising 17.5 million accounts from 2007 to 2012. Overall, the company has excelled in their response. In under 24 hours, Disqus had accepted a report, validated the findings, reset user passwords and contacted customers. Their expedient behavior and transparency has blown away Troy Hunt, owner of and overall raised the bar for how to handle breach disclosures. Of course, user’s should make sure they are not reusing their passwords, which would leave them open to a credential stuffing attack.


Security Roundup - 2017-10-06

Posted on  by and

October is Cybersecurity Awareness Month! And MalwareBytes starts off with some simple steps to maintain online safety.

Yahoo breaches bigger than originally thought. Last year, Yahoo had a bad year with the multiple big data breaches announces. Recent news, however, has indicated that rather than 1 billion users, Yahoo’s entire user base of 3 BILLION users was impacted by one of those breaches. If you have a Yahoo account and haven’t changed it previously, now would be a good time to do so, as well as any other places that password has been reused.

Netgear Patches 50 devices. Several security firms recently disclosed vulnerabilities to Netgear, and Netgear has been quick to patch the impacted devices. Vulnerabilities were disclosed via Netgear’s new bug bounty program, and security researchers have noticed that Netgear has been more attentive to these problems than in previous years.

Security researchers identify sophisticated ATM hacks. Trend Micro researchers detail a sophisticated network based ATM attack, where attackers did not use known attacks like skimmers to steal money. Instead, they hacked into the ATMs remotely, eventually causing them to spit out money for lurking cash mules to make off with.

Deep Dive into the Flushihoc DDoS Botnet. For those that love deep dives into malware, Arbor networks provides details on Flushihoc, a DDoS malware family which they have been tracking since 2015, having gathered 500 unique samples to date.

DNSMasq gets an audit from Google. Google has been reciewing DNS implementations for vulnerabilities, recently completing an audit of Dnsmasq. Dnsmasq is regularly installed on a variety of devices, including linux desktop systems. Google uncovered several vulnerabilities that allow for overflows, contributing fixes. Google also contributed a change that would allow for extra sandboxing of dnsmasq, allowing for improved security once fully tested.

Your Mac’s Firmware may not be receiving updates. At least, that is what DUO has discovered with some of their recent research. In particular, the EFI firmware, which controls a number of security pre-boot protections for Macbooks. DUO provides a detailed blog post, which they indicate as only scratching the surface so be prepared for more news in the coming weeks.

DNS Crypto Key Rollover Postponed. DNS Crypto keys were scheduled for a rotation on October 11th. However, this has been postponed by a quarter, due to a number of large networks not being ready for that deadline. The delays are due to some previously unnoticed configuration problems, requiring additional testing to ensure the overall stability of the system.

VMWare Hypervisor Escapes. The “Backdoor” communication channel (named by VMWare) in ESX can be abused by guests to steal clipboards from other VMs on the same hypervisor. The article also mentions that there is a potential for manipulation for attached clients over the backdoor channel (macOS with VMWare Fusion was specifically mentioned).


Security Roundup - 2017-09-29

Posted on  by and

Another year, another DerbyCon. And less than a week later, videos are already up!

Adobe PSIRT publishes their private GPG key. Sometimes you get overzealous with copy and paste, and bad things happen. This is one of those times. Adobe’s PSIRT has since published a new public key for contacting them. The article also laments the state of secure email, and the fact that the PGP creator can’t use encrypted mail on his iPhone.

NIST is looking for post-quantum computing Cryptography. High levels of research around quantum computing is helping drive conversations about what cryptography needs to look like in the future when today’s implementations could be trivially brute-forced. Announced candidate suites have now been listed.

Google makes moves to secure more of the web. HTTPS Strict Transport Security is a mechanism by which you instruct the browser to force upgrade to SSL for certain sites. While this is generally for domains and subdomains, Google has made steps to expand the scope by adding domain suffixes they control to the list, effectively stating that all content for .google, .foo and .dev must be encrypted, though sure to be rolled out to all 45 of the TLDs they control.

Car tracing data leaks online. Demonstrating that data leaks from the oddest places, records from a car tracing service has been leaked online. The archive contains vehicle identification numbers, emails, passwords and more. Additionally, all the tracking data is also accessible, meaning these users movements were available over 120 days.

ShadowPad shows increased danger of supply chain attacks. How off the tails of the CCleaner incident, Kaspersky software has identified a similar malicious payload injected into workstation management software from NetSarang. Malware authors continue to bank on legitimate apps being trusted, and abusing that trust to trojan horse in their own software. In this case, their reward proved all the greater given the tool abused happens to be able to execute commands on remote machines within the network.

Patterns are less secure than PINs when it comes to security. A new study shows that it’s easier for people to remember patterns, rather than digits when shoulder-surfing. What it fails to mention is that there is an inherent complexity reduction when using patterns- you need to move to an adjoining segment of the screen which isolates you from options that are available via PIN. For example, if you are required to keep your finger on the touchscreen, from the number ‘1’, you can’t get to 3, 6, 7, 8, 9, and 0, all of which are available when using a PIN.

New Broadcom exploit allow for Remote Code Execution. On the heels of Broadpwn, there’s a new attack for Broadcom chipsets. The subsystem that allows for rapid access point switching on the Broadcom chip does not check the bounds of the write, which allows for an out-of-bounds write, and possible remote code execution. A working example for iOS 10.3 for the iPhone 7 hardware is attached to the article.