Weekly news

InfoSec Week 16, 2018

Google disables domain fronting capability in their App Engine, which was used to evade censorship. What a fortunate timing.
https://arstechnica.com/information-technology/2018/04/google-disables-domain-fronting-capability-used-to-evade-censors/

Bloomberg published article on how Palantir is using the War on Terror tools to track American citizens.
https://www.bloomberg.com/features/2018-palantir-peter-thiel/

Third-party javascript trackers are actively exfiltrating personal identifiers from websites which uses "login with Facebook" button and other such social login APIs.
https://freedom-to-tinker.com/2018/04/18/no-boundaries-for-facebook-data-third-party-trackers-abuse-facebook-login/

The U.S. and the UK blame Russia for a campaign of hacks into routers, switches and other connected infrastructure.
https://www.forbes.com/sites/thomasbrewster/2018/04/16/russia-accused-of-hacking-network-infrastructure/

One of the people charged for the Reveton ransomware trojan was actually working as a Microsoft network engineer.
https://www.bleepingcomputer.com/news/security/microsoft-engineer-charged-in-reveton-ransomware-case/

Intel processors now allow antivirus (mostly Microsoft right now) to Use built-in GPUs for in-memory malware scanning.
https://arstechnica.com/gadgets/2018/04/intel-microsoft-to-use-gpu-to-scan-memory-for-malware/

Avast shared CCleaner breach timeline. They were infiltrated via TeamViewer. More than 2.3 million users, 40 companies infected.
https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer

Nice blog post about the quantum resistant hash-based signature schemes. No public key cryptography.
https://blog.cryptographyengineering.com/2018/04/07/hash-based-signatures-an-illustrated-primer/

New Android P enables users to change default DNS server, it will also support DNS over TLS.
https://www.androidpolice.com/2018/04/14/google-explains-new-private-dns-setting-android-p/

There is a new web standard for authentication, designed to replace password login method with the public key cryptography and biometrics.
https://www.w3.org/TR/2018/CR-webauthn-20180320/

OpenSSL is vulnerable to a cache timing vulnerability in RSA Key Generation (CVE-2018-0737).
Could be theoretically exploited by some hypervisor, but they have decided not to release emergency fix.
https://mta.openssl.org/pipermail/openssl-announce/2018-April/000122.html

The Endgame has released Ember (Endgame Malware BEnchmark for Research), an open source collection of 1.1 million portable executable file metadata & derived features from the PE files, hashes and a benchmark model trained on those features.
https://github.com/endgameinc/ember

InfoSec Week 15, 2018

The U.S. Secret Service is warning about a new scam scheme where the crooks are intercepting new debit cards in the mail and replace the chips on the cards with chips from old cards. Once owners activate the cards, crooks will use stolen chips for their financial gain.
https://krebsonsecurity.com/2018/04/secret-service-warns-of-chip-card-scheme/

Russian state regulator Roskomnadzor have ordered to block the Telegram messaging application 48 hours after it missed a deadline to give up encryption keys to the online conversations of its users. I am not sure whether the Telegram protocol is actually blocked in Russia now.
https://phys.org/news/2018-04-russian-block-telegram-messaging-app.html

A new Android P version will enforce applications to communicate over TLS secured connection by default.
https://android-developers.googleblog.com/2018/04/protecting-users-with-tls-by-default-in.html

Kudelski Security published a walk-through guide about Manger's attack against RSA OAEP. 1-bit leak from oraculum suffices to decrypt ciphertexts.
https://research.kudelskisecurity.com/2018/04/05/breaking-rsa-oaep-with-mangers-attack/

In depth article about stealing FUZE credit card content via Bluetooth.
https://blog.ice9.us/2018/04/stealing-credit-cards-from-fuze-bluetooth.html

Understanding Code Signing Abuse in Malware Campaigns. Pretty good statistics.
https://blog.trendmicro.com/trendlabs-security-intelligence/understanding-code-signing-abuse-in-malware-campaigns/

There is a vulnerability that results in a bypass of a tamper protection provided by the Sophos Endpoint Protection v10.7. Protection mechanism can be bypassed by deleting the unprotected registry key.
http://seclists.org/fulldisclosure/2018/Apr/6

Several vulnerabilities have been found in the Apache HTTPD server. Update now.
http://seclists.org/bugtraq/2018/Apr/6

Microsoft Windows tool certutil.exe for displaying certification authority information can be used to fetch data from the internet in the similar fashion like WGET or CURL.
https://isc.sans.edu/diary/rss/23517

There is a paper about breaking 256-bit security (NIST post-quantum candidate) WalnutDSA in under a minute.
https://eprint.iacr.org/2018/318

Snallygaster - a Tool to Scan for Secrets on Web Servers
https://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html

Nice map of the ongoing Linux kernel defenses. The map shows the relations between the vulnerability classes, current kernel defenses and bug detection mechanisms.
https://github.com/a13xp0p0v/linux-kernel-defence-map

InfoSec Week 14, 2018

There is a critical flaw in Microsoft Malware Protection Engine (CVE-2018-0986). They have used the open source unrar code, changed all the signed ints, breaking the code. Remote SYSTEM memory corruption.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1543&desc=2

Blog by Latacora about the right choices and parameters when dealing with cryptography for backups, communication, authentication, etc. Nice summary, with the explanation and historical references.
http://latacora.singles/2018/04/03/cryptographic-right-answers.html

An Italian football club Lazio has been scammed by a social engineering attack via email. The club sent out transfer bill of €2 million to a fraudster’s bank account instead of the Feyenoord Dutch club.
https://www.hackread.com/phishing-scam-italian-football-club-scammed/

The people behind the Google Wycheproof project, which is testing crypto libraries against known attacks released test vectors for many crypto primitives.
https://github.com/google/wycheproof/tree/master/testvectors

Cloudflare announced consumer DNS service sitting on a 1.1.1.1 address. Supports DNS-over-TLS, also DNS-over-HTTPS.
https://blog.cloudflare.com/announcing-1111/

Good explanatory blog about the oblivious DNS and why DNS should not require our trust at all.
https://freedom-to-tinker.com/2018/04/02/a-privacy-preserving-approach-to-dns/

There is a local privilege escalation vulnerability (CVE-2018-0492) in the Debian beep package. Yes, beep package for motherboard beeping. Escalation, because setuid + race condition.
https://mta.openssl.org/pipermail/openssl-announce/2018-March/000119.html

LibreSSL 2.7.0 was accepting all invalid host names as correct. A vulnerability was found by Python maintainer Christian Heimes when running tests after porting new LibreSSL to the Python 3.7. Nobody affected.
https://mail.python.org/pipermail/python-dev/2018-April/152624.html

VirusTotal launches a new Android Sandbox system VirusTotal Droidy to help security researchers detect malicious apps based on behavioral analysis.
http://blog.virustotal.com/2018/04/meet-virustotal-droidy-our-new-android.html

MesaLink is a new memory-safe and OpenSSL-compatible TLS library written in Rust.
https://github.com/mesalock-linux/mesalink

InfoSec Week 13, 2018

The city of Atlanta government has become the victim of a ransomware attack. The ransomware message demanding a payment of $6,800 to unlock each computer or $51,000 to provide all the keys for affected systems. Employees were told to turn off their computers.
https://arstechnica.com/information-technology/2018/03/atlanta-city-government-systems-down-due-to-ransomware-attack/

The academic researchers have discovered a new side-channel attack method called BranchScope that can be launched against devices with Intel processors and demonstrated it against an SGX enclave. The patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks.
http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf

Good insight into the ransomware business and how it operates, how it transfers Bitcoin funds, with data gathered over a period of two years.
The paper is named "Tracking Ransomware End-to-end"
https://www.elie.net/static/files/tracking-ransomware-end-to-end/tracking-ransomware-end-to-end.pdf

Mozilla has created a Facebook Container extension for Firefox, which should enable users to protect their online habits by sandboxing Facebook webpage.
https://blog.mozilla.org/firefox/facebook-container-extension/

Interesting article about the North Korean army of hackers operating abroad with the mission to earn money by any means necessary.
https://www.bloomberg.com/news/features/2018-02-07/inside-kim-jong-un-s-hacker-army

Unified logs in the MacOS High Sierra (up to 10.13.3) show the plain text password for APFS encrypted external volumes via disk utility application.
https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp

SophosLabs researchers analyzed a new Android malware which is pretending to he a legitimate QR reader application, but actually is monetizing users by showing them a flood of full-screen advertisements. More than 500k apps were installed.
https://nakedsecurity.sophos.com/2018/03/23/crooks-infiltrate-google-play-with-malware-lurking-in-qr-reading-utilities/

Brian Krebs analyzed the social network behind the recently famous Coinhive javascript cryptocurrency mining business.
https://krebsonsecurity.com/2018/03/who-and-what-is-coinhive/

CloudFlare published a Merkle Town dashboard, Certificate Transparency logs visualization tool.
https://blog.cloudflare.com/a-tour-through-merkle-town-cloudflares-ct-ecosystem-dashboard/

Facebook is tracking users' phone call information via their Android Messenger application.
https://twitter.com/i/web/status/977325434030428160

There are multiple critical vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp

New version (4.0) of the most secure operating system on the planet - Qubes OS was released.
https://www.qubes-os.org/news/2018/03/28/qubes-40/

InfoSec Week 12, 2018

Facebook, Google, Cisco, WhatsApp and other industry partners get together to create Message Layer Security as an open standard for end-to-end encryption with formal verification. Messaging Layer Security is now an IETF working group as well.
https://datatracker.ietf.org/doc/draft-omara-mls-architecture/

Long read about the takedown of Gooligan, Android botnet that was stealing OAuth credentials back in 2016.
https://www.elie.net/blog/security/taking-down-gooligan-part-1-overview

The Israeli security company CTS Labs published information about a series of exploits against AMD chips just one day after they have notified the AMD.
https://www.schneier.com/blog/archives/2018/03/israeli_securit.html

Russia orders company behind the Telegram messaging application to hand over users’ encryption keys.
https://www.theverge.com/2018/3/20/17142482/russia-orders-telegram-hand-over-user-encryption-keys

Hacker behind Guccifer 2.0 pseudonym, known for providing WikiLeaks with stolen emails from the US Democratic National Committee, was an officer of Russia’s military intelligence directorate.
https://www.thedailybeast.com/exclusive-lone-dnc-hacker-guccifer-20-slipped-up-and-revealed-he-was-a-russian-intelligence-officer

Fascinating in depth blog about the breaking security of the Ledger cryptocurrency hardware wallet.
https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/

There was a Facebook bug which made persistent XSS in Facebook wall possible by embedding an external video using the Open Graph protocol.
https://opnsec.com/2018/03/stored-xss-on-facebook/

Two part series about the password cracking Chinese hardware "encrypted" hard drives. PIN recovered.
https://syscall.eu/blog/2018/03/12/aigo_part1/
https://syscall.eu/blog/2018/03/12/aigo_part2/

Documents leaked by Edward Snowden reveal that the NSA worked to “track down” Bitcoin users.
https://theintercept.com/2018/03/20/the-nsa-worked-to-track-down-bitcoin-users-snowden-documents-reveal/

Dark Web Map - a visualization of the structure of 6.6k Tor's onion services, a.k.a. hidden services, a.k.a. the dark web.
https://www.hyperiongray.com/dark-web-map/

InfoSec Week 11, 2018

A cyberattack on a Saudi Arabian petrochemical company was probably planed with the physical explosion in mind. They have attributed Iran, and didn't mention Stuxnet at all, so a little bit one-sided view of this cyberwarfare exchange.
https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

There is a critical vulnerability in Credential Security Support Provider protocol (CredSSP) that affects all versions of Windows. Due to cryptographic flaw, man-in-the-middle attack could allow remote procedure calls attack and data exfiltration against the RDP and WinRM.
https://thehackernews.com/2018/03/credssp-rdp-exploit.html

A vulnerability (CVE-2018-1057) in Samba allows authenticated users to change other users' password.
https://www.samba.org/samba/security/CVE-2018-1057.html

Kubernetes vulnerability (CVE-2017-1002101) allows containers using subpath volume mounts with any volume type to access files/directories outside of the volume, including the host’s filesystem. Updated version is already available.
https://groups.google.com/forum/m/#!topic/kubernetes-announce/6sNHO_jyBzE

Quite good exchange on the encryption policy and the government backdoor proposals between the US National Academy of Sciences and the Electronic Frontier Foundation. Relevant for all democratic regimes.
https://www.schneier.com/blog/archives/2018/03/two_new_papers_.html

Kaspersky has discovered PlugX remote access tool (RAT) malware installed across the pharmaceutical organizations in Vietnam, aimed at stealing drug formulas and business information.
https://usa.kaspersky.com/about/press-releases/2018_chinese-speaking-apt-actor-caught-spying-on-pharmaceutical-organizations

Encrypted Email Service provider ProtonMail is being blocked by internet service providers in Turkey.
https://protonmail.com/blog/turkey-online-censorship-bypass/

CTS-Labs security researchers has published a whitepaper identifying four classes of potential vulnerabilities of the Ryzen, EPYC, Ryzen Pro, and Ryzen Mobile processor lines.
https://www.anandtech.com/show/12525/security-researchers-publish-ryzen-flaws-gave-amd-24-hours-to-respond

Adam Langley's blog post about the inability of the TLS 1.3 to snoop on proxy traffic.
https://www.imperialviolet.org/2018/03/10/tls13.html

Hacker Adrian Lamo dies at 37. He was known for his involvement in passing information on whistleblower Chelsea Manning, a former US Army soldier who leaked sensitive information to the WikiLeaks.
http://www.zdnet.com/article/adrian-lamo-hacker-dies/

To find assault suspect, police in the Raleigh, North Carolina used search warrants to demand Google accounts not of specific suspects, but from any mobile devices that veered too close to the scene of a crime in specific time.
http://www.wral.com/to-find-suspects-police-quietly-turn-to-google/17377435/

Kaspersky releases Klara, a distributed system written in Python, designed to help threat intelligence researchers hunt for new malware using Yara rules.
https://github.com/KasperskyLab/klara/

Nice paper about the simple manual cipher that should be resistant against the modern cryptanalysis.
LC4: A Low-Tech Authenticated Cipher for Human-To-Human Communication https://eprint.iacr.org/2017/339

InfoSec Week 10, 2018

Google is contracted by the US Defense Department to apply its artificial intelligence solutions to drone strike targeting.
https://theintercept.com/2018/03/06/google-is-quietly-providing-ai-technology-for-drone-strike-targeting-project/

PacketLogic Deep Packet Inspection (DPI) devices manufactured by Sandvine are being used to deploy government spyware in Turkey and Syria, and redirect Egyptian Users to affiliate advertising networks and browser cryptocurrency miners.
https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/

The researchers from Purdue University and the University of Iowa have discovered new attacks against the 4G LTE wireless data communications technology for mobile devices. The attack an be used to for impersonating existing users, device location spoofing, fake emergency and warning message delivery, eavesdropping on SMS communications, and more.
https://www.helpnetsecurity.com/2018/03/05/lte-attacks/

Blog about the irresponsible handling of the sensitive data by airlines on-line booking system.
https://medium.freecodecamp.org/how-airlines-dont-care-about-your-privacy-case-study-emirates-com-6271b3b8474b

Wire messenger application passed an extensive application level security audit by X41 D-Sec and Kudelski Security. No critical vulnerabilities were found in the iOS, Android or the web part.
https://www.x41-dsec.de/security/report/2018/03/06/projects-x41-wire-phase2/

With the older firmware, it was possible to extract private keys from the cryptocurrency Ledger Nano hardware wallet.
https://twitter.com/i/web/status/970977060134023168

password_pwncheck is an enterprise Kerberos, Windows AD and Linux PAM password quality checking tool. It is able to check against breached lists like Have I Been Pwned and others.
https://github.com/CboeSecurity/password_pwncheck

The Harpoon is a command line tool to automate threat intelligence and open source intelligence tasks.
https://github.com/Te-k/harpoon

InfoSec Week 9, 2018

Wandera security researchers spotted a new sophisticated Android RedDrop malware hidden in at least 53 Android applications. It can intercept SMS, record audio and exfiltrate data to the remote server.
https://www.wandera.com/blog/reddrop-malware/

There is an experimental support for forward secure post-quantum Extended Hash-Based Signatures (XMSS) in the OpenSSH protocol.
https://marc.info/?l=openbsd-cvs&m=151940152732492&w=2

Blog by Matthew Green on the probable encryption key handling by Apple in the China mandated cloud. Not really satisfied explanation, only guesses, as Apple is silent about the exact key handling methodology.
https://blog.cryptographyengineering.com/2018/01/16/icloud-in-china/

Cloudflare detected new Memcached based amplification DDoS attack vector. The attacker just implants a large payload on an exposed memcached server, then, the attacker spoofs the "get" request message with target Source IP address. The memcached server could be really huge - around 1MB.
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

A group of computer scientists from the US and China published a paper proposing the first-ever trojan for a neural network. It's called PoTrojan and is triggered by special network input. After that, the network start to work differently.
https://www.outerplaces.com/science/item/17872-neural-networks-ai-trojan-AMPED

The Cisco Talos team analyzed attribution claims around Olympic Destroyer malware. The result is to not imply blindly to Russia. Attribution is hard.
http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html

New KeePassXC version 2.3.0 was released. There are lots of new features, like new Argon2 key derivation function, SSH agent integration, browser plugin.
https://keepassxc.org/blog/2018-02-28-2.3-released/

Trustico SSL certificate reseller revoked 23000 customer certificates by sending private keys(?!) over email to the Digicert certification authority.
http://blog.koehntopp.info/index.php/3075-how-not-to-run-a-ca/

There are rumors that major U.S. government contractor Cellebrite is able to unlock all current iPhone models.
https://www.forbes.com/sites/thomasbrewster/2018/02/26/government-can-access-any-apple-iphone-cellebrite/

An advertising network has been using a well-known malware trick, a Domain Generation Algorithm (DGA), to bypass ad blockers and deploy in-browser cryptocurrency miners since December 2017.
https://www.bleepingcomputer.com/news/security/ad-network-uses-dga-algorithm-to-bypass-ad-blockers-and-deploy-in-browser-miners/

A novel technique is using hardware branch predictor side channel attack to bypass ASLR protection:
"Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR"
http://www.cs.ucr.edu/~nael/pubs/micro16.pdf

InfoSec Week 8, 2018

Fraudsters are impersonating authors and publishing computer generated books so they can launder money via Amazon.
https://krebsonsecurity.com/2018/02/money-laundering-via-author-impersonation-on-amazon/

Crooks made over $3 million by installing cryptocurrency miners on Jenkins Servers by exploiting Java deserialization RCE vulnerability (CVE-2017-1000353) in the Jenkins.
https://securityaffairs.co/wordpress/69232/malware/jenkinsminer-targets-jenkins-servers.html

Tesla's Kubernetes installed in the Amazon AWS infrastructure was compromised by hackers.They have set up private cryptocurrency mining pool there.
https://www.bleepingcomputer.com/news/security/tesla-internal-servers-infected-with-cryptocurrency-miner/

The co-founder of WhatsApp, Brian Acton, has given $50 millions to support Signal messenger and create a self-sustaining foundation. Very good news for this donation funded privacy technology.
https://signal.org/blog/signal-foundation/

Hackers are exploiting the CISCO ASA vulnerability (CVE-2018-0101) in attacks in the wild.
https://securityaffairs.co/wordpress/68959/hacking/cve-2018-0101-cisco-asa-flaw.html

Security Researcher Troy Hunt published half a billion passwords collected and processed from various breaches. There is also API for this dataset, and some statistics about the password usage.
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

There is a critical vulnerability in Mi-Cam baby monitors that let attackers spy on infants. At least 52k users are affected.
https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html

Public key cryptography explained in the form of Ikea instructions. Check other images as well!
https://idea-instructions.com/public-key/

InfoSec Week 7, 2018

The Fidelis Cybersecurity researcher Jason Reaves demonstrated how covertly exchange data using X.509 digital certificates. The proof of concept code is using SubjectKeyIdentifier and generating certificates on the fly.
https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities

The "UDPoS" Point of Sale malware is using DNS traffic to exfiltrate stolen credit card data.
https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns

Talos analyzed malware threat targeting Olympic computer systems during the opening ceremony. The main purpose was information gathering and destroying the system.
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Zero-day vulnerability in the Bitmessage messaging client was exploited to steal Electrum cryptocurrency wallet keys.
https://securityaffairs.co/wordpress/69100/hacking/bitmessage-zero-day.html

Trustwave analyzed multi-stage Microsoft Word attack which is NOT using macros. Really creative technique.
https://www.trustwave.com/Resources/SpiderLabs-Blog/Multi-Stage-Email-Word-Attack-without-Macros/

Microsoft can't fix Skype privilege escalation bug without the massive code rewrite, so they postponed it for a while.
http://seclists.org/fulldisclosure/2018/Feb/33

Facebook is advertising their Onavo VPN application, but there are a few reasons why it is really not a good idea to use it.
https://gizmodo.com/do-not-i-repeat-do-not-download-onavo-facebook-s-vam-1822937825

Facebook is spamming users via SMS registered for two factor authentication (2FA). Then posts their responses on a wall.
https://twitter.com/Gabriel__Lewis/status/963121814166630400

(Not only) Performance analysis of a Retpoline mitigation for Spectre vulnerability.
https://cyber.wtf/2018/02/13/in-debt-to-retpoline/

A guide on how to brutefoce Linux Full Disk Encryption (LUKS) volumes using Hashcat software.
https://blog.pnb.io/2018/02/bruteforcing-linux-full-disk-encryption.html

Proof of concept of LibreOffice remote arbitrary file disclosure vulnerability. It is possible to silently send any files. All operating systems affected before 5.4.5/6.0.1 versions.
https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure


Page 1 / 7