Security Roundup - 2017-11-17



Face ID Defeated? On the heels of the conjecture in the latest SecurityScorecard podcast comes the claim that Face ID has already been defeated. The technique used to defeat Face ID involved a 3D print of a face, overlaid with 2D printed features.

Social login attacks. Social logins, such as logging in via Facebook, are everywhere, and now attackers are trying to leverage them for their own gain. By abusing browser extensions (again), an attacker can run code that waits for you to log into a social account and then uses those credentials to try to create accounts on other services. The attacker can then use these services as they see fit, including for some forms of fraud or for spreading their malware even further. InfoSecurity covers this in more detail and gives some tips on how to combat this type of attack.

Inside The Mind of a Bug Bounty Hunter. Bugcrowd has released their annual “Inside the Mind of a Hacker” report. This year's report indicates that 71% of their bug bounty hunters are between the ages of 18 and 29 and are primarily driven by the challenge. The US took the top spot for total number of researchers from India, which is number two this year.

Your Website is ALWAYS a Target. Think that your website isn’t really a target because you don’t collect user information? Think again! This week brings us two stories. One, by Troy Hunt, goes over how attackers can breach your system and use your domain's reputation to reduce the likelihood of their malicious activity being shut down. The other, by MalwareTech, shows malware authors exploiting the same concept of reputation to host proxy servers that hide their actual C2 machines.

Pop-Unders Make Their Way To Mobile (Apps). Pop-unders, where a malicious ad redirects you to another site to coerce you into downloading some malicious app, are a technique that has been around for a number of years. The same concept has now made its way to mobile apps, with one app acting as the payload that downloads a malicious app and prompts the user to install it, avoiding a set of protections in app stores.

The operating system for your operating system. News broke this week that some Intel chipsets have a hidden operating system running on them. It is part of Intel’s ‘Management Engine’, which had several exploits discovered back in May. The recent discovery, however, is that it is running its own network stacks as well as a web server. More terrifying, because it sits at such a low level, an exploit could have a persistent place to stay, invisible to the regular user. Even worse, it can potentially make modifications even when a machine is powered off (but still plugged in).

Antivirus abused to install malware. Antivirus is still just software, and it is subject to bugs like any other program. A recent news story shows how attackers can leverage these bugs to install malware that has already been quarantined, by abusing the ability of a user to restore it. The researchers combined this with other techniques to trick the antivirus code into restoring the file to another location, such as privileged and sensitive directories on Windows.

2018 Predictions. With 2017 nearing its end, some companies are starting to think about what 2018 will bring. Kaspersky starts things off with their 2018 Predictions. It should be no surprise to those following along this year that things like supply chain attacks and hardware hacks are likely to continue, but it is a good review of current trends.