Security Roundup - 2017-09-15


FaceID and a Calculable Risk. Troy Hunt dives into an in-depth analysis of the new FaceID technology and offers some support for the numbers that Apple presented. This mostly distills down to trust in the people around you and the likelihood of a random person being able to unlock your phone (which is very, very low). My primary concern, which wasn't addressed in the article, is the "fuzzy logic" inside that allows a lesser match in the name of usability.

More insecure D-Link Routers. Another month, another entry in the list of routers with critical vulnerabilities. This month it is a model from D-Link with a number of remotely exploitable vulnerabilities, and it appears that roughly 100K units are exposed on the internet. The usual advice applies: keep the management interface off the WAN side and check with the vendor for updated firmware before assuming a device is safe.

Critical Bluetooth vulnerabilities impact billions of devices. Even more critical than exploitable routers is a recent series of vulnerabilities in Bluetooth. Dubbed "BlueBorne", this group of 8 vulnerabilities allows for a variety of attacks, from remote code execution to man-in-the-middle attacks, without the target Bluetooth device being paired or even discoverable. Among other things, the researchers believe this could lead to a wormable exploit, and the number of potentially vulnerable devices could be as high as 8.2 BILLION. For Android users, you can use this app to not only check whether your device is impacted, but also scan for other impacted devices around you. Until a patch lands, the practical mitigation is simply to turn Bluetooth off when you are not using it.

ShadowBrokers return. The Shadow Brokers have returned, leaking the manual for UNITEDRAKE, a trojan platform developed by the NSA to infect Windows machines with one or more payloads. The Shadow Brokers have also announced they will be providing exploits twice a month to paying subscribers, presumably releasing the UNITEDRAKE manual as a sort of marketing activity for that service.

Sophos Catches Kedi The Rat. Sophos writes up a breakdown of a new RAT found in the wild, dubbed Kedi. Kedi is fairly sophisticated, masquerading as a legitimate Citrix update to hide its intentions. Of further interest is that one of its capabilities is using Gmail to receive instructions and exfiltrate data, making it harder to block: the command-and-control traffic goes to a legitimate, TLS-protected service that most organizations cannot simply blocklist, so detection has to look at which process is talking to Gmail and how regularly, not just the destination.

To infect a CMS. What is a great way to infect a CMS with malware? Store it in the database! Sucuri writes about infections they have seen where out-of-date themes and maintenance tools were exploited to write malicious data into the database, potentially infecting multiple pages and making cleanup difficult. In particular, WordPress stores a lot of options and widget content as PHP-serialized data, and improper cleanup of serialized data can actually break a site (a search-and-replace on the raw column value that changes a string's length without updating the recorded length leaves data PHP's unserialize() rejects), introducing additional risk during remediation.
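To make the serialized-data pitfall concrete, here is an added example (not code from the original post, from Sucuri, or from WordPress) that implements the subset of PHP's serialize()/unserialize() format that WordPress options use (null, bool, int, string, array; no objects, floats or references), builds a constructed wp_options-style value with an injected script tag, and contrasts a naive regex cleanup of the raw column value with a cleanup that round-trips through unserialize/serialize. The payload host example-bad.invalid is a placeholder, not a real indicator.

```python
import re


def php_serialize(value) -> str:
    """Serialize None/bool/int/str/list/dict the way PHP's serialize() does."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        # PHP records the byte length of the string, not the character count
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, list):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"unsupported type: {type(value).__name__}")


def php_unserialize(data: str):
    """Parse a PHP-serialized value; raise ValueError where PHP's unserialize() would fail."""
    buf = data.encode("utf-8")
    pos = 0

    def read_until(delim: bytes) -> bytes:
        nonlocal pos
        end = buf.index(delim, pos)
        token, pos = buf[pos:end], end + 1
        return token

    def parse():
        nonlocal pos
        tag = buf[pos:pos + 1]
        pos += 2  # skip the tag byte and the ':' (or ';' for N)
        if tag == b"N":
            return None
        if tag == b"b":
            return read_until(b";") == b"1"
        if tag == b"i":
            return int(read_until(b";"))
        if tag == b"s":
            length = int(read_until(b":"))
            if buf[pos:pos + 1] != b'"':
                raise ValueError(f"expected '\"' at offset {pos}")
            raw = buf[pos + 1:pos + 1 + length]
            pos += 1 + length
            if buf[pos:pos + 2] != b'";':  # declared length did not land on the closing quote
                raise ValueError(f"string length mismatch at offset {pos}")
            pos += 2
            return raw.decode("utf-8")
        if tag == b"a":
            count = int(read_until(b":"))
            if buf[pos:pos + 1] != b"{":
                raise ValueError(f"expected '{{' at offset {pos}")
            pos += 1
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            if buf[pos:pos + 1] != b"}":
                raise ValueError(f"expected '}}' at offset {pos}")
            pos += 1
            return result
        raise ValueError(f"unsupported tag {tag!r} at offset {pos - 2}")

    value = parse()
    if pos != len(buf):
        raise ValueError("trailing data after serialized value")
    return value


# Constructed sample: a theme option whose footer text had a script tag injected.
CLEAN_OPTION = {"footer": "<p>Thanks for visiting</p>", "color": "#fff"}
INJECTED_TAG = '<script src="//example-bad.invalid/x.js"></script>'  # placeholder host
INFECTED_OPTION = php_serialize({"footer": CLEAN_OPTION["footer"] + INJECTED_TAG, "color": "#fff"})
SCRIPT_TAG = re.compile(r'<script[^>]*src="//example-bad\.invalid/[^"]*"[^>]*></script>', re.I)


def naive_clean(serialized: str, pattern) -> str:
    """The mistake: regex the raw column value. The tag goes, but the s:NN: lengths go stale."""
    return pattern.sub("", serialized)


def clean_option(serialized: str, pattern) -> str:
    """The safe way: unserialize, strip the injection from every string, re-serialize."""
    def strip(value):
        if isinstance(value, str):
            return pattern.sub("", value)
        if isinstance(value, dict):
            return {k: strip(v) for k, v in value.items()}
        return value
    return php_serialize(strip(php_unserialize(serialized)))


def is_valid_serialized(serialized: str) -> bool:
    """Run this before writing a cleaned value back; PHP would otherwise return false."""
    try:
        php_unserialize(serialized)
        return True
    except ValueError:
        return False
```

Running naive_clean on INFECTED_OPTION leaves a footer string declared as 76 bytes that is now only 26 bytes long, so is_valid_serialized() returns False and a live WordPress site would lose that option entirely; clean_option() produces a value identical to serializing CLEAN_OPTION.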

Bashware bypasses security solutions. Microsoft has been rolling out the Windows Subsystem for Linux on Windows 10, and security researchers at Check Point have shown that existing security products do not monitor Linux processes well, which an attacker can leverage to potentially bypass anti-virus protection. Note that WSL is an optional feature that has to be enabled first, so inventorying which endpoints have it turned on is a reasonable first step.

POS Malware hosted in Elasticsearch with skipped security configurations. The fact that AWS lets you skip the access-policy configuration for Elasticsearch means that people skip the access-policy configuration for Elasticsearch. This recently resulted in several thousand Elasticsearch clusters becoming the home of POS malware. This is another case of security taking a back seat to usability. When you skip security configurations, you invite malware to take up residence.
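The "skipped configuration" in the AWS case is the domain access policy, which is an ordinary IAM resource policy. As an added example (not code from the original post or from AWS), the following audits such a policy for statements that an unauthenticated internet client can use: an anonymous principal ("*" or {"AWS": "*"}) with either no aws:SourceIp condition or one that allows 0.0.0.0/0. The account id, region, domain name and CIDRs in the sample policies are placeholders, and only the aws:SourceIp condition is evaluated; a statement restricted by some other condition key is still reported, so the checker errs toward false positives rather than misses.

```python
import json
from ipaddress import ip_network


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """IAM spells 'anyone on the internet' as "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _source_ip_cidrs(condition) -> list:
    return _as_list(condition.get("IpAddress", {}).get("aws:SourceIp", []))


def audit_access_policy(policy_json: str) -> list:
    """Return one finding per Allow statement usable by an unauthenticated internet client.

    Only aws:SourceIp conditions are understood (assumption); any other restriction is ignored,
    which produces a false positive rather than a silent miss.
    """
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = ",".join(_as_list(stmt.get("Action", [])))
        cidrs = _source_ip_cidrs(stmt.get("Condition", {}))
        if not cidrs:
            findings.append(f"statement {idx}: anonymous principal, no aws:SourceIp condition ({actions})")
            continue
        for cidr in cidrs:
            if ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"statement {idx}: aws:SourceIp {cidr} matches every address ({actions})")
    return findings


# Constructed sample policies; the ARN components are placeholders, not a real account.
_ARN = "arn:aws:es:us-east-1:123456789012:domain/logs/*"


def _policy(**extra) -> str:
    stmt = {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*", "Resource": _ARN}
    stmt.update(extra)
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


OPEN_POLICY = _policy()  # the "skip it" option: anyone can read, write and delete indices
WORLD_CIDR_POLICY = _policy(Condition={"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}})
RESTRICTED_POLICY = _policy(Condition={"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}})
IAM_ONLY_POLICY = _policy(Principal={"AWS": "arn:aws:iam::123456789012:role/log-ingest"})


if __name__ == "__main__":
    for name in ("OPEN_POLICY", "WORLD_CIDR_POLICY", "RESTRICTED_POLICY", "IAM_ONLY_POLICY"):
        print(name, audit_access_policy(globals()[name]) or "ok")
```

OPEN_POLICY and WORLD_CIDR_POLICY each produce one finding; RESTRICTED_POLICY (a specific source range) and IAM_ONLY_POLICY (a named role, so requests must be SigV4-signed) produce none. The same shape of check applies to any resource policy, not just Elasticsearch domains.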

Tags: biometrics, dumps, exploits, malware, securityfail