Security Roundup - 2017-07-27


BSidesLV, BlackHat and Defcon may all be this week, but if you aren’t there and need to kill time waiting for the videos to go up, feel free to check out some security talks from SteelCon.

Check out our very own Scott Walsh's write-up of Cisco's mid-year cybersecurity report. Overall, exploit kits are down and are being replaced by spam, which is thought to be due to Flash's more robust patching. Business email compromise (BEC), aka phishing, costs billions per year, so train your financial people to verify transactions. Ransomware continues to grow and is now targeting medical devices. In unsurprising news, vulnerability disclosures are followed by an uptick in attacks targeting the vulnerabilities disclosed.

Store your passwords in the cloud? Security researcher Adam Shostack puts together a dialogue around the threat model of trusting a third party with your passwords. Unsurprisingly, a big fat store of passwords is a big fat target, but eventually every user has to decide for themselves: "What is your threat model?"

Vulnerabilities come in many shapes and sizes. One pentester walks through how discovering a misconfigured web server on a non-standard port gave him access to the machine and, ultimately, to the company's internal network.

SambaCry has spread into the IoT world with a similar exploit dubbed Shellbind. Still leveraging EternalBlue, Shellbind seems to be targeting Network Attached Storage (NAS) devices, which run Samba and are effectively tiny computers. Whether attackers use it just to mine cryptocurrency or pivot into another wave of attacks remains to be seen.

What happens when a security researcher decides to test the certificate revocation workflow of Certificate Authorities? This story covers how one security researcher went from testing revocation response time to testing what sort of validation CAs do before revoking. Testing two free cert providers, the researcher 'forged' a private key and hid it in a list of actually compromised keys to see what the CAs would do. While one CA detected something wrong with the fake key, the other did not. The researcher also noticed that the vast majority of documents on how to check that a private key matches a public key are actually wrong in many cases. The CA in question has indicated it has tightened up its workflow to prevent this issue going forward.
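The key-matching pitfall behind that story, as an added illustration that is not code from the roundup or from the researcher's report: a widely documented way to check that a private key belongs to a certificate is to compare the RSA modulus, but the modulus is public information, so a fake key that copies it with a made-up private exponent passes. Actually using the key (sign, then verify with the public half) catches it. Textbook RSA with constructed toy parameters; real keys need a proper library and PKCS#1 padding.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RsaPrivateKey:
    n: int  # modulus (shared with the certificate, i.e. public)
    e: int  # public exponent
    d: int  # private exponent (the only secret part here)


# Genuine toy key, constructed for the example: p = 61, q = 53, n = 3233.
# d is the inverse of e modulo lcm(p-1, q-1) = 780, so the key is consistent.
P, Q = 61, 53
GENUINE = RsaPrivateKey(n=P * Q, e=17, d=2753)

# What the certificate exposes: just n and e.
CERT_N, CERT_E = GENUINE.n, GENUINE.e

# "Forged" key: same public n and e, but an arbitrary private exponent.
# This is the shape of key that a modulus-only comparison cannot distinguish.
FORGED = RsaPrivateKey(n=CERT_N, e=CERT_E, d=1234)


def modulus_check(key: RsaPrivateKey, cert_n: int) -> bool:
    """The widespread (and insufficient) check: do the moduli agree?"""
    return key.n == cert_n


def sign_verify_check(key: RsaPrivateKey, cert_n: int, cert_e: int,
                      message: int = 42) -> bool:
    """Exercise the private key: sign a test value, verify with the cert key.

    Only a private exponent that really inverts e modulo lambda(n) makes the
    round trip return the original message.
    """
    if not 1 < message < cert_n:
        raise ValueError("test message must lie in (1, n) for this toy modulus")
    signature = pow(message, key.d, key.n)
    return pow(signature, cert_e, cert_n) == message


def key_matches_certificate(key: RsaPrivateKey, cert_n: int, cert_e: int) -> bool:
    """Combined validation: same modulus AND the key actually works."""
    return modulus_check(key, cert_n) and sign_verify_check(key, cert_n, cert_e)


if __name__ == "__main__":
    for label, key in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, "modulus-only:", modulus_check(key, CERT_N),
              "sign/verify:", sign_verify_check(key, CERT_N, CERT_E))
```

Both keys pass the modulus comparison; only the genuine one survives the sign-and-verify round trip.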

Some interesting malware news in Stantinko. Recent analysis has uncovered a malware strain that has been in circulation since 2012. Stantinko has largely been used for ad fraud, but it is a full-fledged backdoor with remote capabilities that have been observed in CMS brute-force attacks. ESET has a more detailed breakdown of how Stantinko works and the interesting ways it avoids detection.

As more strains of malware become prevalent, Microsoft has stated it is continuing its efforts in post-infection detection, under the premise that pre-infection detection will at some point fail and that defense in depth should help mitigate more advanced threats.

Tags: antivirus, conferences, malware, passwords, ransomware, reports, threatmodel