Tag breach

InfoSec Week 8, 2019

Dutch security researcher Victor Gevers found misconfigured MongoDB database containing facial recognition and other sensitive information about the Uyghur Muslim minority in China. Looks like the company behind the database is Chinese surveillance company SenseNets.
https://www.zdnet.com/article/chinese-company-leaves-muslim-tracking-facial-recognition-database-exposed-online/

The UK's GCHQ intelligence agency subsidiary, the National Cyber Security Centre, evaluated Huawei devices with the vendor and unofficially decided that the risk using Huawei devices in the infrastructure can be managed.
This is a quite interesting turning point as other US allies are banning Huawei devices from their networks.
https://www.bbc.com/news/business-47274643

If you want to know the alternatives for the PGP functionality, George Tankersley wrote a nice list for that.
https://blog.gtank.cc/modern-alternatives-to-pgp/

Open Privacy Research Society released an alpha version of Cwtch, decentralized, privacy-preserving, asynchronous multi-party messaging protocol that can be used to build other applications.
https://openprivacy.ca/blog/2019/02/14/cwtch-alpha/

Linux kernel through 4.20.10 version contain use after free arbitrary code execution vulnerability.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8912

Check Point researchers have discovered 19 years old critical vulnerability in the WinRAR software that can be exploited just by extracting an archive.
https://research.checkpoint.com/extracting-code-execution-from-winrar/

Tavis Ormandy discovered old stack buffer overflow vulnerability in the MatrixSSL implementation used primarily by the embedded devices.
https://www.openwall.com/lists/oss-security/2019/02/15/1

Really in-depth article about the discovery and exploitation of the local privilege elevation vulnerability in the LG kernel driver (CVE-2019-8372).
http://www.jackson-t.ca/lg-driver-lpe.html

Microsoft is finally deprecating weak SHA-1 hash family in their Windows update mechanism.
https://arstechnica.com/gadgets/2019/02/mandatory-update-coming-to-windows-7-2008-to-kill-off-weak-update-hashes/

Brian Krebs wrote an article about the recent widespread DNS hijacking attacks attributed to the Iranian hackers.
https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/

Independent Security Evaluators published a security comparison of the top five password managers which are working on Windows 10.
https://www.securityevaluators.com/casestudies/password-manager-hacking/

InfoSec Week 3, 2019

35-year-old vulnerability has been discovered in the SCP file transfer utility. According to the advisory impact section, "Malicious scp server can write arbitrary files to scp target directory, change the target directory permissions and to spoof the client output."
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Multiple U.S. government websites SSL certificates have expired and some sites are inaccessible due to properly used HTTP Strict Transport Security.
There's nobody there to renew them due to a government shutdown.
https://news.netcraft.com/archives/2019/01/10/gov-security-falters-during-u-s-shutdown.html

Researchers found a new kind of Windows malware using encrypted messaging app Telegram to receive "encrypted" instructions. Nothing innovative with the malware sample, but what is really interesting is, that telegram messages are coupled with unique IDs and malware analysts from the Forcepoint Labs were able to retroactively scrape all the messages issued by the malware operator.
Not sure what kind of channel was used by the bot, but it looks really suspicious to be able to scrape old messages.
https://techcrunch.com/2019/01/17/decrypted-telegram-bot-windows-malware

The researchers at the CanSecWest Vancouver conference will be able to participate in the annual Pwn2Own challenge. This year also in car hacking as Tesla Model 3 will be available.
https://www.zerodayinitiative.com/blog/2019/1/14/pwn2own-vancouver-2019-tesla-vmware-microsoft-and-more

One of last surviving Navajo code talkers, Alfred Newman, has passed away at 94. Newman, with many others, developed during World War II an unbreakable code for military transmissions using the unwritten Navajo language.
https://eu.azcentral.com/story/news/local/arizona/2019/01/14/alfred-k-newman-among-last-navajo-code-talkers-has-died/2570535002/

Security researcher Troy Hunt updated his service Have I Been Pwn with 772,904,991 new email addresses and lots of passwords after finding 87GB of leaked passwords and email addresses by the MEGA cloud storage provider.
https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

There was a massive data breach at the Oklahoma Securities Commission with millions of files containing decades worth of confidential case file intelligence from the agency and sensitive FBI investigation source materials leaked.
https://www.newsweek.com/oklahoma-data-breach-may-expose-years-fbi-investigations-report-1293862

Hackers broke into an SEC database and made millions from inside info.
https://www.cnbc.com/2019/01/15/international-stock-trading-scheme-hacked-into-sec-database-justice-dept-says.html

Malicious former employee installed Raspberry Pi in the company network closet, but the Reddit crowd helped with the investigation.
https://blog.haschek.at/2018/the-curious-case-of-the-RasPi-in-our-network.html

Great blog post about the factors in authentication. The more factors to be used, the bigger headache from the enrollment procedures.
https://apenwarr.ca/log/20190114

Noise Protocol Framework Explorer created by Nadim Kobeissi now supports generating secure implementations in Go for any arbitrary Noise Handshake Pattern.
https://twitter.com/i/web/status/1085629955202011136

CERT Poland (CERT Polska) opens access to its malware database (MWDB).
https://www.cert.pl/en/news/single/mwdb-our-way-to-share-information-about-malicious-software/

InfoSec Week 50, 2018

According to the New York Times sources, Marriott customers' data were breached by Chinese hackers.
Attribution is hard, especially when investigating government related hacks. We have to wait for more information.
https://www.nytimes.com/2018/12/11/us/politics/trump-china-trade.html

A Google+ API software update introduced in November had caused the Google+ API to broadcast user profiles to third-party developers, exposing the personal information of more than 52 million users.
https://www.blog.google/technology/safety-security/expediting-changes-google-plus/

Excellent journalistic piece about the location data industry. It's impossible to anonymize this kind of datasets. Really recommended!
https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html

Check Point researchers found 53 critical bugs in Adobe Reader and Adobe Pro by using WinAFL fuzzer.
https://research.checkpoint.com/50-adobe-cves-in-50-days/

The Cisco Talos team wrote about the various practical side-channel attack scenarios against the encrypted messaging apps like WhatsApp, Telegram, and Signal.
https://blog.talosintelligence.com/2018/12/secureim.html

Study finds 5 out of 17 tested certification authorities are vulnerable to spoofing domain validation by using the IP fragmentation attack.
https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Heftrig-Off-Path-Attacks-Against-PKI.pdf

A team behind the open source automation tool Jenkins published a patch for a critical vulnerability that could allow permission checks to be bypassed through the use of specially-crafted URLs.
https://jenkins.io/security/advisory/2018-12-05/

Microsoft took the first step in advocacy for the regulation of a facial recognition technology.
https://blogs.microsoft.com/on-the-issues/2018/12/06/facial-recognition-its-time-for-action/

A recent variant of a Shamoon malware wiped around ten percent PCs of the Italian oil and gas company Saipem.
https://www.zdnet.com/article/shamoon-malware-destroys-data-at-italian-oil-and-gas-company/

Russian State Duma is going to prohibit Russian servicemen from publishing personal information online.
https://informnapalm.org/en/seared-by-napalm-russian-state-duma-advances-legislation-banning-russian-servicemen-from-publishing-personal-information-online/

Researcher Natalie Silvanovich from the Google Project Zero fuzzed WhatsApp application and (surprisingly) didn't find exploitable bugs, just a heap corruption.
https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-conferencing-part-3.html

Australian guys, there is a GitHub repository where you can ask legal questions about the terrible Assistance and Access Bill. The questions are answered by lawyers.
https://github.com/alfiedotwtf/AABillFAQ

InfoSec Week 49, 2018

Apple included support for the WebAuthentication API in the latest Safari Release 71 (Technology Preview). The new WebAuthentication as implemented supports USB-based CTAP2 devices.
https://webkit.org/blog/8517/release-notes-for-safari-technology-preview-71/

Critical Kubernetes privilege escalation bug (CVE-2018-1002105) was found and patched during this week. When exploited, the bug allows anonymous users as well a authenticated one to use admin privileges over the cluster API.
There is an exploit published on a GitHub already.
https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/
https://github.com/evict/poc_CVE-2018-1002105

British Telecom will not use Huawei's 5G kit within the core of the network due to security concerns.
https://www.bbc.com/news/technology-46453425

Security agencies in Australia will gain greater access to encrypted messages due to a new legislative.
https://mobile.abc.net.au/news/2018-12-06/labor-backdown-federal-government-to-pass-greater-surveillance/10591944

US National Security Archive published a complete index of all 1504 items in the declassified collection of NSA internal Cryptolog periodical.
https://nsarchive.gwu.edu/briefing-book/cyber-vault/2018-12-04/cyber-brief-cryptolog

Security researchers released attacks on 7 TLS implementations, making use of Bleichenbacher and Manger's attack.
The research with a name "The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations" also includes a TLS 1.3 downgrade attack.
http://cat.eyalro.net/

Ransomware Infected 100k computers in China then demands WeChat Payment and is using XOR as an "encryption". Author was probably identified because he registered domain to his own name.
https://movaxbx.ru/2018/12/05/ransomware-infects-100k-pcs-in-china-demands-wechat-payment/

It looks like 13 years old Virut botnet is resurrected in the wild.
https://chrisdietri.ch/post/virut-resurrects/

Great blog on how guy scammed the scammer to send him photo of his ID.
https://medium.com/@hackerfantastic/scamming-the-scammers-2fb934099ccc

Nearly 250 Pages of internal Facebook documents, emails and statistics were posted online by the UK Parliament.
https://motherboard.vice.com/en_us/article/59vwez/nearly-250-pages-of-devastating-internal-facebook-documents-posted-online-by-uk-parliament

A User Data of the question-and-answer website Quora were compromised.
https://help.quora.com/hc/en-us/articles/360020212652

The records of 500 million customers of the Marriott International hotel group were compromised.
https://www.bbc.com/news/technology-46401890

Interesting revisited paper: "From Keys to Databases -- Real-World Applications of Secure Multi-Party Computation."
https://eprint.iacr.org/2018/450

GTRS - is a tool that uses Google Translator as a proxy to send arbitrary commands to an infected machine.
https://github.com/mthbernardes/GTRS

InfoSec Week 35, 2018

Google started selling their Titan Security Key bundle that support FIDO standards for secure authentication. They have written the firmware by themselves, but the price should be lower for this kind of hardware.
https://store.google.com/us/product/titan_security_key_kit

Interesting three month research on hacking Australian law firms by registering expired domain names. Thousands of emails received with sensitive material.
https://medium.com/@gszathmari/hacking-law-firms-abandoned-domain-name-attack-560979e0b774

Researchers systematically retrieved 3500 AT controlling commands from over 2000 Android smartphone firmware images across 11 vendors and "demonstrated that the AT command interface contains an alarming amount of unconstrained functionality and represents a broad attack surface on Android devices."
https://atcommands.org/

Fortnite Installer created by Epic Games allowed to install anything on the customer Android phone. An Epic security engineer requested Google to delay public disclosure for the 90 days period, to allow time for the update, but Google refused.
https://m.androidcentral.com/epic-games-first-fortnite-installer-allowed-hackers-download-install-silently

US T-Mobile Database was breached, 2 millions of customers' data exposed.
https://www.databreachtoday.com/t-mobile-database-breach-exposes-2-million-customers-data-a-11420

Ars Technica published a good introductory review of the WireGuard next generation VPN software.
https://arstechnica.com/gadgets/2018/08/wireguard-vpn-review-fast-connections-amaze-but-windows-support-needs-to-happen/

WhatsApp has warned users that by using a free backup service offered by Google, messages will no longer be protected by end-to-end encryption.
https://www.zdnet.com/article/whatsapp-warns-free-google-drive-backups-are-not-encrypted/

Assured researchers published an article which provides a brief overview of the new TLS 1.3.
https://assured.se/2018/08/29/tls-1-3-in-a-nut-shell/

If you wanted to know how to use PGP in an organization of 200 people, read this blog about OpenPGP key distribution.
They are now turning the lessons learned into an Internet standard.
https://tech.firstlook.media/keylist-rfc-explainer

Mozilla Firefox 62 and newer support a new TLS API for WebExtensions.
There is now a certificate viewer leveraging new API called Certainly Something (Certificate Viewer).
https://addons.mozilla.org/en-US/firefox/addon/certainly-something/

In-depth blog spot by voidsecurity about the VirtualBox code execution vulnerability.
https://www.voidsecurity.in/2018/08/from-compiler-optimization-to-code.html

Mark Ermolov and Maxim Goryachy researchers have published a detailed walk-through for accessing an Intel's Management Engine (IME) JTAG feature, which provides debugging access to the processor.
https://github.com/ptresearch/IntelTXE-POC

InfoSec Week 31, 2018

Reddit got hacked. According to the investigation, it looks like hackers accessed employees 2FA protected accounts.
An attacker "compromised a few of Reddit's accounts with cloud and source code hosting providers by intercepting SMS 2FA verification codes".
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/

A non-official French website keepass.fr using an URL similar to the popular password manager KeePass one lets you download a tampered version of the password manager with some adware in it.
https://twitter.com/JusticeRage/status/1021815597972291591

According to The Intercept_, Google is planning to launch a censored version of its search engine in China that will blacklist websites and search terms about human rights, democracy, religion, and peaceful protest.
One can only wonder whether it is some part of a broader strategy, how to spread channels of influence abroad.
https://theintercept.com/2018/08/01/google-china-search-engine-censorship/

There is a great blog published on a Trail of Bits about the recent invalid elliptic curve point attack against the Bluetooth implementations.
Give it a try if you are interested, it's really easy to read!
https://blog.trailofbits.com/2018/08/01/bluetooth-invalid-curve-points/amp/

A borough and a town in Alaska have been hit by a devastating ransomware attack, forcing employees to completely stop using computers and go back to typewriters and hand receipts.
https://mashable.com/2018/08/02/malware-alaska-town

BYOB (Build Your Own Botnet) is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop countermeasures against these threats.
https://github.com/colental/byob

FireEye wrote article about the internals of a FIN7 hacking group global operation.
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

WireGuard, next generation VPN software, is finally submitted for the Linux kernel inclusion. Linus Torvalds commented the pull request:
"I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art."
https://marc.info/?l=linux-netdev&m=153306429108040&w=2
http://lists.openwall.net/netdev/2018/08/02/124

Malhunt: automated malware search in memory dumps using volatility and Yara rules.
https://github.com/andreafortuna/malhunt

InfoSec Week 26, 2018

A reverse shell connection is possible from an OpenVPN configuration file. So be cautious and treat ovpn files like shell scripts.
https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da

Mozilla integrates Troy Hunts' Have I Been Pwned (HIBP) database of breached passwords into Firefox. They will make breach data searchable via a new tool called Firefox Monitor.
https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/

The suspected ringleader behind the well known Carbanak malware is under arrest, but of course, his malware attacks live on.
https://www.bloomberg.com/news/features/2018-06-25/the-biggest-digital-heist-in-history-isn-t-over-yet

It is possible to attack resources in the private network from the Internet with DNS rebinding attack.
"Following the wrong link could allow remote attackers to control your WiFi router, Google Home, Roku, Sonos speakers, home thermostats and more."
https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325

Wi-Fi Alliance Introduces Wi-Fi Certified WPA3 Security. Again with a questionable cryptography, but we will see. That's how industrial alliances with expensive membership works.
https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-wi-fi-certified-wpa3-security

IETF published draft of Issues and requirements for Server Name Indication (SNI) encryption in TLS.
The draft lists known attacks against SNI encryption, discusses the current "co-tenancy fronting" solution, and presents requirements for future TLS layer solutions.
https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-03

The unpatched WordPress vulnerability allows code execution for authors. Exploiting the vulnerability grants an attacker the capability to delete any file of the WordPress installation or any other file the PHP process user has the proper permissions to delete.
https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/

Researchers identified three attack vectors against LTE (Long-Term Evolution, basically 4G) on layer 2 - an active attack to redirect network packets, a passive identity mapping attack, and website fingerprinting based on resource allocation.
https://alter-attack.net/

Cisco Talos team releases ThanatosDecryptor, the program that attempts to decrypt certain files encrypted by the Thanatos malware.
https://github.com/Cisco-Talos/ThanatosDecryptor

DEDA is a tool that gives the possibility to read out and decode color tracking dots which encode information about the printer. It also allows anonymisation to prevent arbitrary tracking.
https://github.com/dfd-tud/deda

InfoSec Week 16, 2018

Google disables domain fronting capability in their App Engine, which was used to evade censorship. What a fortunate timing.
https://arstechnica.com/information-technology/2018/04/google-disables-domain-fronting-capability-used-to-evade-censors/

Bloomberg published article on how Palantir is using the War on Terror tools to track American citizens.
https://www.bloomberg.com/features/2018-palantir-peter-thiel/

Third-party javascript trackers are actively exfiltrating personal identifiers from websites which uses "login with Facebook" button and other such social login APIs.
https://freedom-to-tinker.com/2018/04/18/no-boundaries-for-facebook-data-third-party-trackers-abuse-facebook-login/

The U.S. and the UK blame Russia for a campaign of hacks into routers, switches and other connected infrastructure.
https://www.forbes.com/sites/thomasbrewster/2018/04/16/russia-accused-of-hacking-network-infrastructure/

One of the people charged for the Reveton ransomware trojan was actually working as a Microsoft network engineer.
https://www.bleepingcomputer.com/news/security/microsoft-engineer-charged-in-reveton-ransomware-case/

Intel processors now allow antivirus (mostly Microsoft right now) to Use built-in GPUs for in-memory malware scanning.
https://arstechnica.com/gadgets/2018/04/intel-microsoft-to-use-gpu-to-scan-memory-for-malware/

Avast shared CCleaner breach timeline. They were infiltrated via TeamViewer. More than 2.3 million users, 40 companies infected.
https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer

Nice blog post about the quantum resistant hash-based signature schemes. No public key cryptography.
https://blog.cryptographyengineering.com/2018/04/07/hash-based-signatures-an-illustrated-primer/

New Android P enables users to change default DNS server, it will also support DNS over TLS.
https://www.androidpolice.com/2018/04/14/google-explains-new-private-dns-setting-android-p/

There is a new web standard for authentication, designed to replace password login method with the public key cryptography and biometrics.
https://www.w3.org/TR/2018/CR-webauthn-20180320/

OpenSSL is vulnerable to a cache timing vulnerability in RSA Key Generation (CVE-2018-0737).
Could be theoretically exploited by some hypervisor, but they have decided not to release emergency fix.
https://mta.openssl.org/pipermail/openssl-announce/2018-April/000122.html

The Endgame has released Ember (Endgame Malware BEnchmark for Research), an open source collection of 1.1 million portable executable file metadata & derived features from the PE files, hashes and a benchmark model trained on those features.
https://github.com/endgameinc/ember

InfoSec Week 8, 2018

Fraudsters are impersonating authors and publishing computer generated books so they can launder money via Amazon.
https://krebsonsecurity.com/2018/02/money-laundering-via-author-impersonation-on-amazon/

Crooks made over $3 million by installing cryptocurrency miners on Jenkins Servers by exploiting Java deserialization RCE vulnerability (CVE-2017-1000353) in the Jenkins.
https://securityaffairs.co/wordpress/69232/malware/jenkinsminer-targets-jenkins-servers.html

Tesla's Kubernetes installed in the Amazon AWS infrastructure was compromised by hackers.They have set up private cryptocurrency mining pool there.
https://www.bleepingcomputer.com/news/security/tesla-internal-servers-infected-with-cryptocurrency-miner/

The co-founder of WhatsApp, Brian Acton, has given $50 millions to support Signal messenger and create a self-sustaining foundation. Very good news for this donation funded privacy technology.
https://signal.org/blog/signal-foundation/

Hackers are exploiting the CISCO ASA vulnerability (CVE-2018-0101) in attacks in the wild.
https://securityaffairs.co/wordpress/68959/hacking/cve-2018-0101-cisco-asa-flaw.html

Security Researcher Troy Hunt published half a billion passwords collected and processed from various breaches. There is also API for this dataset, and some statistics about the password usage.
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

There is a critical vulnerability in Mi-Cam baby monitors that let attackers spy on infants. At least 52k users are affected.
https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html

Public key cryptography explained in the form of Ikea instructions. Check other images as well!
https://idea-instructions.com/public-key/

InfoSec Week 50, 2016

"Popcorn Time" ransomware promises free decryption keys to victims who infect others. To get their important files back, victims can pay a ransom to the cyber criminal or infect two other people and have them pay the ransom to get a free decryption key. https://threatpost.com/ransomware-gives-free-decryption-keys-to-victims-who-infect-others/122395/

Nymaim malware family is using a combination of techniques like MAC address, custom file and string hashes, to uncover virtual environment. https://nakedsecurity.sophos.com/2016/12/13/nymaim-using-mac-addresses-to-uncover-virtual-environments-and-bypass-antivirus/

Customers of Liechtenstein banks blackmailed after data breach. "The cyber criminals are allegedly demanding up to 10 per cent of account balances in order to avoid disclosing customers’ information." Do not know if somebody actually paid. http://securityaffairs.co/wordpress/53891/data-breach/liechtenstein-banks-ransomware.html

Yahoo massive breach - 1 billion accounts were exposed. The breach took place back in August 2013, and "may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers". Maybe it's worth to mention, that Yahoo execs installed linux backdoor within infrastructure in 2015 https://diracdeltas.github.io/blog/surveillance/ https://yahoo.tumblr.com/post/154479236569/important-security-information-for-yahoo-users