Security Roundup - 2017-08-11


SHA2017 happened over the past several days, and videos have been going straight to their YouTube channel. There were a wide range of talks over the 4 days, meaning there is a little something for everyone, whether that is physical security, the blockchain, voting, IoT and more.

HackerOne has released their Hacker-Powered Security Report, highlighting the growth of bug bounties in non-technology verticals, with financial services and banking leading the growth, followed by media and entertainment, though the vast majority of big players in these areas still do not have programs. The study goes on to show that bug bounties are leading to a higher rate of disclosure, as well as a higher resolution rate and a shorter time to resolve issues.

Talos Intel goes over how important it is to give actionable information, and how they try to handle that when an urgent situation is evolving in real time.

For those that love to see a teardown of potentially unwanted apps, Objective-See provides a breakdown of a new adware variant called Mughthesec. Mughthesec masquerades as a Flash installer (and indeed installs Flash), but goes on to do things like install browser extensions and inject content into browser sessions.

SpiderLabs also provides the goods, with writeups on Trickbot, a banking malware, and Nitol, a malware with DDoS and backdooring capabilities.

Recent NIST guidelines have suggested that service providers should check for commonly used or compromised credentials, which may come from existing breaches. Troy Hunt has flipped this around by allowing people to query by password or password hash, so that users can learn whether a given password has appeared in a breach. This is provided as a web interface, an API to integrate with, and a list of hashed passwords that can be downloaded for offline integration. At the time of writing, this consists of 320 million passwords.
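The offline integration described above, as an added example (not code from the roundup or from Troy Hunt's service): a registration-time check that hashes a candidate password with SHA-1 and looks it up in the downloaded list. The list format is an assumption here (one upper-case SHA-1 hex digest per line, with an optional trailing ":count" column ignored), and the three-line sample list is constructed for the example.

```python
import hashlib
from typing import Iterable, Set

# Constructed sample standing in for the downloaded Pwned Passwords list.
# Assumed format: one upper-case SHA-1 hex digest per line; an optional
# ":count" column after the digest is tolerated and ignored.
SAMPLE_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
7C4A8D09CA3762AF61E59520943DC26494F8941B:3533661
E38AD214943DAAD1D64C102FAEC29DE4AFE9DA3D
"""


def sha1_upper(password: str) -> str:
    """Hex SHA-1 of the UTF-8 password, upper-cased to match the list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_hash_list(lines: Iterable[str]) -> Set[str]:
    """Parse the list into a set of 40-char digests, skipping junk lines.

    A full 320M-line list will not fit comfortably in a set; for that,
    keep the file sorted and binary-search it, or use a Bloom filter.
    """
    hashes: Set[str] = set()
    for line in lines:
        digest = line.strip().split(":", 1)[0].upper()
        if len(digest) == 40:
            hashes.add(digest)
    return hashes


def is_pwned(password: str, hashes: Set[str]) -> bool:
    """True if the password's SHA-1 appears in the breach list."""
    return sha1_upper(password) in hashes


def validate_new_password(password: str, hashes: Set[str]) -> str:
    """Return a user-facing reason string, or "" if the password is acceptable.

    Only the digest is ever compared; the plaintext is never logged or stored.
    """
    if len(password) < 8:
        return "Password must be at least 8 characters."
    if is_pwned(password, hashes):
        return "This password has appeared in a known data breach; choose another."
    return ""


if __name__ == "__main__":
    breached = load_hash_list(SAMPLE_LIST.splitlines())
    for candidate in ("password", "123456", "correct horse battery staple"):
        print(repr(candidate), "->", validate_new_password(candidate, breached) or "ok")
```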

Last week, a typosquatting attack on npm packages was launched, relying on people making typos when installing packages. The malicious packages attempted to steal secrets when installed, while also depending on the package the user actually wanted, to avoid initial detection. Duo Security followed up with an analysis of install scripts, noting a number of privacy concerns, as well as security concerns for some packages. These techniques are not limited to Node packages, but apply to other software package ecosystems as well.

Bleeping Computer takes us to Italy, where the US conducted an investigation that led to the arrest of 5 people. The group was leveraging Shellshock to exploit QNAP NAS devices, creating a backdoor on the system and emulating legitimate human activity in order to boost advertising revenue. When researchers started to track the group's moves, they soon noticed some rookie OpSec mistakes, like registering the domains used in the fraud with the personal email of the group's leader; this allowed them to reveal the attacker's identity with a simple password reset request. A joint investigation by the FBI and the Dutch and Italian police soon followed, leading to the arrest of the group.

Wikileaks revealed another Hollywood-style hacking tool, able to detect and disable webcams and microphones connected physically or wirelessly to a computer. Project ‘Dumbo’ involves a USB thumb drive equipped with a Windows hacking tool; once detection takes place, the malware mutes all recording devices, disables network adapters and selectively corrupts or deletes recordings. The software needs to operate with SYSTEM-level permissions and requires the USB stick to remain plugged in for the whole operation.