Tag certificate

InfoSec Week 48, 2018

Sennheiser's HeadSetup software is installing a root certificate into the OS Trusted CA Certificate store.
They have also put a private key on a device, the same one for all users, which allows any user to perform a man-in-the-middle SSL attacks against SSL communication.
https://www.bleepingcomputer.com/news/security/sennheiser-headset-software-could-allow-man-in-the-middle-ssl-attacks/

German chat platform Knuddels.de (Cuddles) has been fined 20k€ for storing user passwords in plain text.
What is interesting is that the regional GDPR data watchdog wanted to avoid bankrupting the company. "The overall financial burden on the company was taken into account in addition to other circumstances".
https://www.theregister.co.uk/2018/11/23/knuddels_fined_for_plain_text_passwords/

Crooks are using new attack vector to spread malware, they are requesting maintainer access to a widely-used open source projects on github, then pushing compromised version to millions of people.
https://github.com/dominictarr/event-stream/issues/116

Two international cybercriminal Rings dismantled and eight defendants indicted for causing tens of millions of dollars in losses in the digital advertising fraud.
They have produced Boaxxe/Miuref & Kovter malware.
https://www.us-cert.gov/ncas/alerts/TA18-331A

Cisco Talos has discovered DNSpionage malware targeting governments and companies in the Middle East using phishing attack.
https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html

The U.S. Treasury Department has sanctioned two Iranians allegedly involved in Bitcoin ransomware scheme SamSam.
They have basically put Bitcoin addresses on the Office of Foreign Assets Control’s (OFAC) sanctions list.
https://home.treasury.gov/news/press-releases/sm556

Scammers are changing the contact details for banks on Google Maps.
http://blog.abhijittomar.com/2018/10/19/google-business-claim-scam/

Almost all VPN browser extensions are in fact just a proxy and are vulnerable to a different level of IP leaks and DNS leaks.
https://blog.innerht.ml/vpn-extensions-are-not-for-privacy/

Google, Mozilla are working on letting web apps edit local user files despite warning it could be really dangerous.
https://www.techrepublic.com/article/google-mozilla-working-on-letting-web-apps-edit-files-despite-warning-it-could-be-abused-in-terrible/

The German Federal Office for Information Security, BSI, publishes Microsoft Windows 10 telemetry analysis.
https://www.ghacks.net/2018/11/23/german-federal-office-bsi-publishes-telemetry-analysis/

BlackBerry purchased Cylance, the machine-learning based anti-malware company for $1.4 billion dollars.
They plans to integrate Cylance's anti-malware solution into the BlackBerry Spark platform.
https://www.csoonline.com/article/3321746/security/blackberrys-acquisition-of-cylance-raises-eyebrows-in-the-security-community.html

The Sequoia team introduced the first release of a new Rust implementation of the OpenPGP licensed under GPL 3.0.
https://sequoia-pgp.org/blog/2018/11/26/initial-release/

InfoSec Week 2, 2018

New research has found a flaw in a group messaging part of a Signal protocol used by Signal, WhatsApp and Threema. It’s hardly exploitable, but the server (attacker) could be, in some theoretical scenario, able to silently join an encrypted group chat.
https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging-in-whatsapp-and-signal/

Janit0r, author of the mass internet scanning campaign known as Internet Chemotherapy, released two more blogs about the campaign. Interesting.
http://depastedihrn3jtw.onion.link/show.php?md5=ee7136ac48fa59fba803b9fbcbc6d7b9
http://depastedihrn3jtw.onion.link/show.php?md5=7e7bfe406315f120d8ed325ffb87670b

A tale about the npm package which crawled user entered credit card information from the websites. It is a work of fiction, but published few hours after dozens of npm packages stopped working due to missing dependencies... Scary.
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

HC7 Planetary Ransomware is probably the first known ransomware asking for Ethereum as a ransom payment. It's for Windows users only.
https://www.bleepingcomputer.com/news/security/hc7-planetary-ransomware-may-be-the-first-to-accept-ethereum/

There is a hardwired network backdoor in the Western Digital MyCloud drives (user: mydlinkBRionyg, password: abc12345cba). Vendor probably patched it six months after reported.
http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125
https://twitter.com/dragosr/status/949822668563365889

Wi-Fi Protected Access III - WPA3 will be forced on a marked this year. Hopefully a lot of security enhancements to wi-fi protocol will be delivered by the WPA3-certified devices.
https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements

Let's Encrypt certification authority has temporarily disabled TLS-SNI-01 authorization challenge due to reported exploitation technique possible on a shared hosting infrastructure.
https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996

Google Cloud security engineers reported remote code execution vulnerability in the AMD Platform Security Processor.
http://seclists.org/fulldisclosure/2018/Jan/12

Brian Krebs wrote a blog about the flourishing online markets with the stolen credentials.
https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/

VirusTotal has a new feature, a visualization tool for the relationship between files, URLs, domains and IP addresses.
http://blog.virustotal.com/2018/01/virustotal-graph.html

A Meltdown vulnerability proof of concept for reading passwords out of Google Chrome browser.
https://github.com/RealJTG/Meltdown

InfoSec Week 50, 2017

Crooks hacked Fox-IT by capturing fox-it.com DNS record, then obtained a certificated and executed a man-in-the-middle attack on connection.
https://www.fox-it.com/en/insights/blogs/blog/fox-hit-cyber-attack/

The Mandiant - FireEye company analyzed an incident at a critical infrastructure organization where an attacker deployed so called TRITON malware designed to manipulate industrial safety system. According to the analysis, "the malware was delivered as a Py2EXE compiled python script [...] containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers."
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

The anonymous researcher behind the massive internet scans of the IoT devices known for the BrickerBot case published some insights on his operation. Looks like he is a gray hat after all.
https://ghostbin.com/paste/q2vq2

Google published Android security roadmap for the next year. There will be lots of improvements, and new requirements for App developers.
https://android-developers.googleblog.com/2017/12/improving-app-security-and-performance.html

Multiple vulnerabilities were identified in Telegram messenger for Android, like arbitrary file overwrite on receiving and directory traversal. There are definitely better alternatives to this software...
https://bugs.chromium.org/p/project-zero/issues/detail?id=1470

Guy uploaded his self-signed malformed certificate to the websites which process them and found out lots of them is vulnerable to the XSS injection.
https://binaryfigments.com/2017/12/11/dont-trust-all-ssl-tls-certificates/

Mavinject is a legitimate Windows component digitally signed by Microsoft, that can be abused to inject any DLL inside a running process.
https://reaqta.com/2017/12/mavinject-microsoft-injector/

Microsoft pushed comprehensive audit reports on Windows Events to GitHub.
https://github.com/MicrosoftDocs/windows-itpro-docs/tree/master/windows/device-security/auditing

InfoSec Week 48, 2017

The German Interior Minister is preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations.
https://www.bleepingcomputer.com/news/government/germany-preparing-law-for-backdoors-in-any-type-of-modern-device/

According to the Citizen Lab, Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware sold by Israeli firm Cyberbit.
https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/

Elcomsoft wrote an insight about the drastically degraded security of the Apples iOS 11 operating system.
https://blog.elcomsoft.com/2017/11/ios-11-horror-story-the-rise-and-fall-of-ios-security/

Chinese drone maker D.J.I. is potentially sharing collected data with the Chinese government.
https://mobile.nytimes.com/2017/11/29/technology/dji-china-data-drones.html

Crooks are installing cryptocurrency miners by using typosquatting npm package names. They are searching for the unregistered package names with the difference of one bit from a well known packages.
https://medium.com/avahowell/bitsquatting-npm-packages-533c988d568f

Swiftype written a good blog about their infrastructure risk assessment and threat modeling.
https://swiftype.engineering/threat-modelling-and-infrastructure-risk-assessment-at-swiftype-6c1b337c7df1

Nvidia published a paper about the clustering of a benign and malicious Windows executables using neural networks.
https://devblogs.nvidia.com/parallelforall/malware-detection-neural-networks/

Bucket Stream - Find interesting Amazon S3 Buckets by watching certificate transparency logs.
https://github.com/eth0izzle/bucket-stream

Sysdig Inspect – a powerful interface for container troubleshooting and security investigation
https://github.com/draios/sysdig-inspect/