Security Roundup - 2017-03-02


The big news this week is, of course, Cloudbleed. Troy Hunt provides his own take on the issue. Of note, he points out that the total impact is not measurable: while Cloudflare was able to measure that 0.00003% of requests were affected, the bug leaked information from unrelated sites, so it is unable to measure how many sites were actually impacted. He also points out that 0.00003% is still a huge volume of traffic, given that Cloudflare handles trillions of requests per month, meaning millions of requests potentially leaked data. However, not all Cloudflare users are at risk, simply because not all Cloudflare customers have sensitive data; plenty of informational-only sites use Cloudflare services, so there was no sensitive information to leak for those sites. Cloudflare has their own follow-up on impact.

Duo Security posts a summary of the ‘The Human Exploitation Kill Chain’ talk from the RSA Conference. The talk goes over the various points in a phishing attack at which we should attempt to layer security, rather than just training users on identification. While humans are important, it is also important that no single person has enough individual power to allow an attacker to pivot through an entire system.

Yahoo has followed up on the report of forged browser cookies by announcing up to 32 million accounts were impacted.

605 websites were defaced recently, after attackers gained access to the machine they were all hosted on. Any data those sites were storing is likely to have been stolen as part of the attack.

For those familiar with the Hak5 suite of tools such as the RubberDucky, Hak5 has announced the BashBunny. It is essentially a ‘bring your own network MitM attack platform’, à la the PoisonTap that was demonstrated last year, just with convenience and a form factor closer to the RubberDucky, and including a full Linux machine that lets a pentester use all their normal security tools. Hak5 has done a handy how-to video going into detail.

Netsparker goes into depth about how a lack of access control let anyone take over the Maiain Support system. While users were limited in what they could see based on roles, the backend APIs themselves were not authenticated, potentially allowing someone who doesn’t even have login privileges to the application to access its data.

With a recent article on data exfiltration via drones and blinking LEDs, Naked Security provides a recap of exotic exfiltration methods. While many are not immediately practical without close access to a machine, they are still fairly interesting. Some highlights: using ultrasound, smartphone sensors, measuring fan sounds, and thermal cameras.

In some fun news, one researcher breaks Google’s reCAPTCHA mechanism by feeding the audio reCAPTCHA challenge to Google’s own Speech Recognition API.

Following up on last week’s breach notification news:

A discussion at RSA argued that the US Government’s Vulnerability Equities Process (VEP) should not be voluntary, but mandatory. The VEP has largely been criticized as allowing government agencies to stockpile, rather than disclose, vulnerabilities they find. Generally, the community is supportive of the government aiding research and finding vulnerabilities, and is pushing for more disclosure to raise the bar on security.

MalwareBytes has an article on what to do after recovering from a cyberattack. An important point in the article is to promptly inform customers.

In regards to the Australian breach disclosure laws, Troy Hunt writes a critical article about them. In it he points out that disclosure is far from mandatory: companies get up to 30 days to investigate, they may decline to inform customers if there is an ‘administrative burden’, and it is suggested that not every breach should result in notification, as that might cause ‘breach fatigue’. Troy points out that this just gives attackers that much extra time to use any data they retrieved, furthering the harm to the individuals whose data was stolen.

Google has been building tools that will eventually leverage their Key Transparency initiative. The latest is E2Email, a browser extension that makes it easier to use PGP keys for emails in web browsers.

Interested in attack mitigation techniques and their circumvention? Endgame Security discusses the Chakra exploit in Windows 10 and Edge and how it avoids some of the security features there.

Exposed databases being compromised and held for ransom has continued, with MySQL being the latest victim. In all cases, these attacks could be mitigated by following simple security practices, such as not exposing databases directly to the internet and using strong passwords for database accounts.

BleepingComputer also reports that Necurs may have added a DDoS component. Necurs is a botnet that produces spam, and BleepingComputer covers why this addition doesn’t make much sense.

Speaking of botnets, Bruce Schneier has a long post on the subject, covering the growth of Internet of Things-based botnets.

A new major version of Dridex has been detected in the wild and is apparently the first malware strain to make use of the AtomBombing code-injection technique that enSilo published last October.

Docker Janitor


Using containers can be very advantageous and we’ve discovered many different possibilities with them. However, without a good cleanup strategy, you will find yourself quickly running out of disk space. This is where a Docker janitor can come in handy.

There are a couple floating around GitHub and Docker Hub, but none really handle cleanup in a compact way for systems that build images. You might have a build server that is building layers upon layers of images. Over time, you will undoubtedly have failures. Each of these failures leaves behind a dangling image that never got tagged, as well as orphaned volumes. These can eventually cause build failures or even collisions if not cleaned up properly.

During build server integration testing, you might be testing an application with several external dependencies like a data store or a message queue. We like to have repeatable processes that can be run both locally and on the build server. One benefit of this is that engineers starting their first day can pull down code from GitHub and start working right away without having to install other applications on their personal systems. This self-documenting way of keeping track of external dependencies allows for portability when testing on the build server. These dependency containers and their volumes will start to accumulate over time and likely become a blocker on your build system. The janitor will keep things tidy and allow your build system to run smoothly.

We wrote our own script that handles these cases, and our Site Reliability Engineering team has been using it as a plain old shell script in Jenkins when running short-lived containers for either building or testing. We decided to make it nice and portable by packaging it in a Docker image for easy reuse.
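As an added illustration of the cleanup this post describes (example code written for this page, not the securityscorecard/docker-janitor script itself, whose contents are not shown here), the script below removes exited containers, dangling images and dangling volumes, in that order. The DOCKER and DRY_RUN variables and all function names are the example's own assumptions.

```shell
#!/bin/sh
# Hypothetical build-server janitor in the spirit of the post (not the
# securityscorecard/docker-janitor script). Removes, in order:
# exited containers, dangling images, dangling volumes.
set -eu

DOCKER="${DOCKER:-docker}"   # command to invoke; point it at a stub to rehearse
DRY_RUN="${DRY_RUN:-0}"      # DRY_RUN=1 only lists what would be removed

# The three "what is junk" queries, each printing one ID per line.
exited_containers() { "$DOCKER" ps -a -q -f status=exited; }
dangling_images()   { "$DOCKER" images -q -f dangling=true; }
dangling_volumes()  { "$DOCKER" volume ls -q -f dangling=true; }

# Read IDs on stdin and remove each with "docker <kind> rm". A single failure
# (for example an image still used by a running container) is reported on
# stderr but does not abort the build. Prints the number of IDs processed.
remove_all() {
    kind="$1"
    count=0
    while read -r id; do
        [ -n "$id" ] || continue
        if [ "$DRY_RUN" = 1 ]; then
            echo "would remove $kind $id" >&2
        elif ! "$DOCKER" "$kind" rm "$id" >/dev/null 2>&1; then
            echo "failed to remove $kind $id" >&2
        fi
        count=$((count + 1))
    done
    echo "$count"
}

# Containers first (they pin images and volumes), then images, then volumes;
# a volume only shows up as dangling once the container that used it is gone.
janitor() {
    c=$(exited_containers | remove_all container)
    i=$(dangling_images | remove_all image)
    v=$(dangling_volumes | remove_all volume)
    echo "janitor: $c containers, $i images, $v volumes"
}

# Run only when invoked as "sh janitor.sh run", so the file can also be
# sourced for its functions.
if [ "${1:-}" = run ]; then
    janitor
fi
```

Run it as sh janitor.sh run, or with DRY_RUN=1 to see what would go first. The order is the point: an exited container pins both its image and its volumes, so removing containers first is what lets the dangling filters find everything, and a removal that fails is logged rather than failing the Jenkins job. On Docker 1.13 and later, docker container prune, docker image prune and docker volume prune cover the same three steps.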

Feel free to fork and contribute a pull request on the docker-janitor repository, or go ahead and pull it directly from Docker Hub with docker pull securityscorecard/docker-janitor.

Enjoy! @dannygnc


Security Roundup - 2017-02-23


I am sure no one missed the death knell of SHA-1 as a security hash today, as Google has announced a practical SHA-1 collision. The details are set to be unveiled in 90 days, giving those stragglers that still haven’t updated, despite warnings from Google over the last several years, time to do so. The attack is apparently 100K times faster than a brute-force attack on a SHA-1 hash, making it only a matter of time before it is even cheaper.

RSA wrapped up last week, and Brian Krebs reports on an overlooked announcement with big impact. Apparently, researchers at RSA announced a breach at a company selling log management tools: its update server was compromised for two weeks in 2015, and clients automatically downloaded a compromised version of the software. RSA investigators discovered this in 2016 during an investigation and believe a number of organizations may still be compromised.

A frightening new persistent threat called ‘Operation Bugdrop’ was uncovered this week. The malware operates by controlling the microphone of the infected machine and uploading the recordings elsewhere. So far, more than 70 targets across a variety of industries have been identified, with most located in Ukraine.

PhishingLabs has released their 2017 Phishing Trends Report. Highlights include: one million confirmed malicious phishing sites in 2016, 7,800 phishing attacks investigated and/or mitigated by PhishingLabs every month, and an average 33% year-over-year growth in attacks against the top 5 targeted industries. They expect cloud storage services to be the number one target by the end of the year, supplanting the financial industry, which is actually showing a decline. Finally, phishing attacks impersonating the IRS in 2016 alone outnumbered all of 2015 combined. With tax season underway, be wary!

This week Australia expanded its breach notification policy, while Canada is preparing new legislation requiring prompt breach notifications.

Chrome extensions can do fairly powerful things, and MalwareBytes covers how one malicious extension abuses current capabilities to make itself extremely hard for the average user to uninstall. The extension in question enables a tech support scam and also connects to a C2 server to potentially execute other code.

BleepingComputer has a nice rundown of Ramnit’s return after the 2015 takedown attempt. Unfortunately, as of 2017 it has reached the top 5 of active banking trojans.

Netflix released a project this week focused on ‘User Focused Security’. Called ‘Stethoscope’, the tool lets users go to a website that works out some information about their device and provides actionable results and education for the user.

Dropbox also released a security-focused product this week: SecurityBot. SecurityBot is a chatbot that enables faster incident detection and resolution by automatically asking users to verify certain actions (like accidentally running sudo on a machine they don’t have permissions for), allowing security to escalate quickly if the user indicates they did NOT perform said action. This lets Dropbox security deal with false positives quickly, without requiring the security team to manually follow up on each signal, or to ignore certain signals just because some individuals generate a high rate of false positives.

In ransomware, BleepingComputer provides coverage of a new ransomware family being reverse engineered live. The ransomware in question, Hermes, contained a randomization seed that could be attacked to create a decryptor for the malware.

Things to watch:

Wired reports on a newly disclosed memory attack that allows attackers to circumvent the memory randomization defenses of modern operating systems. Executable from JavaScript in the browser, the attack relies on measuring a program’s memory write operations to figure out where in memory it sits, allowing attackers to carry out other memory corruption actions with greater certainty.


Security Roundup - 2017-02-15


RSA is happening this week, and some interesting things are coming out of it. The most interesting to me so far is that Google apparently talked about BeyondCorp, their six-year mission to allow employees to work from untrusted networks without a VPN. Rather than relying on VPNs, BeyondCorp uses over a dozen metrics to decide whether a user may access a specific resource, allowing for dynamic rather than static policies.

As a companion piece to the above, O’Reilly posts a conversation with an SRE at Stripe on zero trust networks.

Sucuri has released their monthly lab notes, and there are some interesting gems. First is a note on bad actors disguising malicious scripts as image files, to evade casual investigation of logs and traffic. Second, they cover some techniques malicious actors use to spread backdoors, malware and the like across shared hosts, expanding their reach quickly because of a lack of security at one neighbor.
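Sucuri’s note describes the disguise but not a check for it, so here is an added example (written for this page, not Sucuri’s code) that audits the image files in a web root: it compares each file’s leading bytes with the signature expected for its extension, and for files whose header does look right it then looks for script tags inside, which catches the case of a script appended to a real image. The function names and the fixed PNG/GIF/JPEG signature table are the example’s own assumptions.

```shell
#!/bin/sh
# Hypothetical audit (not Sucuri's code): report files served as images whose
# content is not an image, or that carry script tags behind a valid header.
set -eu

# Hex of the first four bytes of a file, e.g. "89504e47" for PNG.
file_magic() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Signature expected for the extension; empty when it is not an image type.
expected_magic() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *.png)        echo 89504e47 ;;   # "\x89PNG"
        *.gif)        echo 47494638 ;;   # "GIF8"
        *.jpg|*.jpeg) echo ffd8ff ;;     # JPEG SOI marker plus start of first segment
        *)            echo "" ;;
    esac
}

# Verdict for one path: "ok", "mismatch" (header is not the claimed image
# type), "embedded-script" (valid header but script tags inside, a polyglot),
# or "not-an-image-extension" when there is nothing to compare against.
classify_image_file() {
    path="$1"
    want=$(expected_magic "$path")
    [ -n "$want" ] || { echo "not-an-image-extension"; return 0; }
    got=$(file_magic "$path")
    case "$got" in
        "$want"*) ;;
        *) echo "mismatch"; return 0 ;;
    esac
    if grep -q -e '<?php' -e '<script' "$path"; then
        echo "embedded-script"
    else
        echo "ok"
    fi
}

# Walk a web root and print "<verdict> <path>" for every image file that is not ok.
scan_web_root() {
    find "$1" -type f \( -iname '*.png' -o -iname '*.gif' -o -iname '*.jpg' -o -iname '*.jpeg' \) |
    while read -r f; do
        v=$(classify_image_file "$f")
        [ "$v" = ok ] || echo "$v $f"
    done
}

# Usage: sh image-audit.sh /var/www/html
if [ $# -gt 0 ]; then
    scan_web_root "$1"
fi
```

The two checks are deliberately separate: a signature mismatch is the plain disguise (a script saved with an image extension), while a valid header followed by a script tag is the polyglot that a signature-only check would wave through. Either verdict is a reason to look at the access logs for that path, since the point of the disguise is that requests for it look like ordinary image traffic.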

Brian Krebs follows up on the LeakedSource takedown, by assembling some clues on who might have been behind the site.

A self-healing malware strain has been found in the Magento platform which uses SQL triggers to check whether it has been cleaned up and reinstalls itself if so.

Another bad news day for Yahoo as they announce that some accounts might have been accessed without a password in 2015 or 2016, using forged cookies generated by a tool internal to Yahoo.

Following last week’s WordPress API security flaw, it is reported that up to 1.5 million WordPress sites have been defaced, despite automatic update features that patched a percentage of sites and additional security plugins intended to mitigate the problem. More than a dozen different defacement campaigns have been detected as of this writing.

This week I learned that some ransomware is delivered via brute-force RDP attacks, where the attacker breaks into machines through exposed remote desktops and manually executes the malware. Sadly, this method appears to be on the rise.

Akamai has released their Q4 State of the Internet report this week. Overall DDoS attacks were down QoQ, which they attribute to the various botnets fighting over resources rather than performing actual attacks. However, web application attacks were up QoQ, with SQLi attacks growing the most in that period. Unsurprisingly, they expect IoT botnets to increase in the near future.

Speaking of the Internet of Things, BleepingComputer posts an interesting story where smart devices at a university were hijacked, causing the botnet to accidentally overwhelm the network with traffic. To the university’s credit, they had the smart devices segregated on a separate network, which prevented the infection from spreading beyond it.

Sophos Labs has released their Malware Forecast report. Unsurprisingly, IoT devices are ALSO at the top of this list. Also highlighted: Android malware and macOS malware are on the rise.

Finally, Talos Intel has an analysis of the AthenaGO malware strain. This malware is interesting for a few reasons. The first is the language (Golang), which is not commonly used for malware. The second is its use of Tor2Web proxies to communicate with C2 nodes on Tor without having to install Tor on the infected machine. This provides some additional anonymity to the attacker, though it does allow for blocking at the proxy level.


Security Roundup - 2017-02-09


Kaspersky details a sophisticated malware attack where attackers used a variety of free tools to load programs directly into memory and grant remote access. This allowed attackers to obscure their identity, as well as making their work harder to detect. Kaspersky states this is getting more common, making memory forensics something to consider.

For some more benign hacks due to devices exposed to the internet with default passwords:

IP streamers used to play music for radio stations were compromised to play a specific song for 15 minutes. Rapid7 also did some extra digging and provides details.

One prankster caused a number of printers to print out messages telling users that their device was part of a botnet.

Also, a few unauthenticated API exploits were noticed this week:

The first is in McAfee ePolicy Orchestrator, which would allow an attacker to dump information from the server, or to pretend to be a client in order to dump information about that client.

Honeywell SCADA controllers had a number of bugs which allowed an attacker to retrieve a password in plain text and then use it to log in.

Sophos disclosed a subtle bug in the new WordPress API system that would allow someone without privileges to update any blog post. The vulnerability has been patched, but after word got out plenty of WordPress instances were defaced.

In other news:

SSL hits a big milestone: more than 50% of user traffic (according to telemetry data from Firefox) is now encrypted. This is, in large part, due to more large players encrypting all of their traffic by default, but it indicates that SSL-only is becoming the norm rather than the exception.

Etsy has an in-depth article on the many steps they take to ensure the private TLS certificates they use are secure, which is interesting for any system where you need to keep information particularly secure.

Ars Technica has an article on how Google took on Mirai by admitting a site under attack to Project Shield. The article provides some additional insight into what sorts of attacks they were seeing once Google took over.

Meanwhile, Mirai apparently received an update and now targets Windows! Infected Windows agents are used to work out the passwords of other systems and spread the botnet. It also apparently breaks into databases, presumably to steal information.

Following the success of bug bounty programs for public companies, reports indicate that some dark net markets are doing the same.

Check Point indicates they are seeing a resurgence of Slammer, the worm that was primarily active in 2013 and has been largely dormant since.