Tag CPU

InfoSec Week 37, 2018

Tesla model S is using a 40bit challenge response scheme broken back in 2005. Researchers stole a car in ~6 seconds with precomputed tables.
https://www.esat.kuleuven.be/cosic/fast-furious-and-insecure-passive-keyless-entry-and-start-in-modern-supercars/

Zerodium exploit acquisition program published a serious Tor Browser 7.x vulnerability leading to a full bypass of Tor / NoScript 'Safest' security level which is supposed to block all javascript.
This kind of bug is an law enforcement dream.
https://twitter.com/Zerodium/status/1039127214602641409

Very interesting read from Troy Hunt on the effectiveness of negative media coverage and shaming of bad security.
https://www.troyhunt.com/the-effectiveness-of-publicly-shaming-bad-security/

Researchers say that the developers of Adware Doctor, the fourth highest ranking paid app in the Mac App Store, have found a way to bypass Apple restrictions and sends the browsing history of its users to a server in China. Apple already removed the application from the Mac Store.
https://objective-see.com/blog/blog_0x37.html

Apple has also removed most of the popular security applications offered by cyber-security vendor Trend Micro from its official Mac App Store after they were caught stealing users' sensitive data without their consent.
https://www.bleepingcomputer.com/news/security/trend-micro-apps-leak-user-data-removed-from-mac-app-store/

European Court of Human Rights rules that GCHQ Data collection violates the human rights charter.
https://www.theguardian.com/uk-news/2018/sep/13/gchq-data-collection-violated-human-rights-strasbourg-court-rules

The Iran government, at least since 2016, is is spying on its citizens, Kurdish and Turkish natives, and ISIS supporters, using mobile applications with a malware.
The operation has been named Domestic Kitten.
https://research.checkpoint.com/domestic-kitten-an-iranian-surveillance-operation/

Researchers introduced previously overlooked side-channel attack vector called Nemesis that abuses the CPU’s interrupt mechanism to leak microarchitectural instruction timings from enclaved execution environments such as Intel SGX, Sancus, and TrustLite.
https://github.com/jovanbulck/nemesis

India’s controversial Aadhaar identity database software was hacked, ID database compromised.
The vulnerability could allow someone to circumvent security measures in the Aadhaar software, and create new entries.
https://www.huffingtonpost.in/2018/09/11/uidai-s-aadhaar-software-hacked-id-database-compromised-experts-confirm_a_23522472

Criminals are faking Google Analytics script to steal credential and stay under the radar.
https://gwillem.gitlab.io/2018/09/06/fake-google-analytics-malware/

The OpenSSL team released version 1.1.1. There are a lots of new features like TLS 1.3 support, side-channel hardening, new RNG, SHA3, Ed25519 support.
https://www.openssl.org/blog/blog/2018/09/11/release111/

InfoSec Week 24, 2018

Yet another high severity attack against the Intel CPUs. Unpatched systems can leak SIMD, FP register state between privilege levels. These registers are used for private keys nowadays.
The cost of a patch is more expensive context switches because the fix has to unload and reload all SIMD, FP state.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html

The team behind the CopperheadOS, hardened Google-free Android fork, has imploded. Guys, CEO and CTO (main and probably the only developer) are blaming each other.
https://twitter.com/DanielMicay/status/1006299769214562305

Chromium devs are planning to enforce TLS protocol invariants by rolling new TLS 1.3 versions every six weeks.
According to the developers: "Every six weeks, we would randomly pick a new code point. These versions will otherwise be identical to TLS 1.3, save maybe minor details to separate keys and exercise allowed syntax changes. The goal is to pave the way for future versions of TLS by simulating them (“draft negative one”)."
https://www.ietf.org/mail-archive/web/tls/current/msg26385.html

The Kromtech Security Center found 17 malicious docker images stored on Docker Hub for an entire year. With more than 5 million pulls, containers were primarily used to mine cryptocurrency.
https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers

At least 74 persons, mostly Nigerians, were arrested due to crimes related to the business e-mail compromise schemes.
https://garwarner.blogspot.com/2018/06/74-mostly-nigerians-arrested-in.html

Good summary of the existing inter-service authentication schemes. Bearer, hmac based tokens etc.
https://latacora.singles/2018/06/12/a-childs-garden.html

There is an Ancient "su - hostile" vulnerability in Debian 8 & 9. Doing "su - hostile" may lead to the root privilege escalation. Default sudo -u probably is affected too.
https://j.ludost.net/blog/archives/2018/06/13/ancient_su_-_hostile_vulnerability_in_debian_8_and_9/

There is a critical command injection vulnerability in the macaddress NPM package.
https://nodesecurity.io/advisories/654

Blog about the crafting remote code execution via server-side spreadsheet injection.
https://www.bishopfox.com/blog/2018/06/server-side-spreadsheet-injections/

An implementation flaw in multiple cryptographic libraries allows a side-channel based attacker to recover ECDSA or DSA private keys. Lots of libraries affected, like LibreSSL, Mozilla NSS, OpenSSL, etc.
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/

InfoSec Week 13, 2018

The city of Atlanta government has become the victim of a ransomware attack. The ransomware message demanding a payment of $6,800 to unlock each computer or $51,000 to provide all the keys for affected systems. Employees were told to turn off their computers.
https://arstechnica.com/information-technology/2018/03/atlanta-city-government-systems-down-due-to-ransomware-attack/

The academic researchers have discovered a new side-channel attack method called BranchScope that can be launched against devices with Intel processors and demonstrated it against an SGX enclave. The patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks.
http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf

Good insight into the ransomware business and how it operates, how it transfers Bitcoin funds, with data gathered over a period of two years.
The paper is named "Tracking Ransomware End-to-end"
https://www.elie.net/static/files/tracking-ransomware-end-to-end/tracking-ransomware-end-to-end.pdf

Mozilla has created a Facebook Container extension for Firefox, which should enable users to protect their online habits by sandboxing Facebook webpage.
https://blog.mozilla.org/firefox/facebook-container-extension/

Interesting article about the North Korean army of hackers operating abroad with the mission to earn money by any means necessary.
https://www.bloomberg.com/news/features/2018-02-07/inside-kim-jong-un-s-hacker-army

Unified logs in the MacOS High Sierra (up to 10.13.3) show the plain text password for APFS encrypted external volumes via disk utility application.
https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp

SophosLabs researchers analyzed a new Android malware which is pretending to he a legitimate QR reader application, but actually is monetizing users by showing them a flood of full-screen advertisements. More than 500k apps were installed.
https://nakedsecurity.sophos.com/2018/03/23/crooks-infiltrate-google-play-with-malware-lurking-in-qr-reading-utilities/

Brian Krebs analyzed the social network behind the recently famous Coinhive javascript cryptocurrency mining business.
https://krebsonsecurity.com/2018/03/who-and-what-is-coinhive/

CloudFlare published a Merkle Town dashboard, Certificate Transparency logs visualization tool.
https://blog.cloudflare.com/a-tour-through-merkle-town-cloudflares-ct-ecosystem-dashboard/

Facebook is tracking users' phone call information via their Android Messenger application.
https://twitter.com/i/web/status/977325434030428160

There are multiple critical vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp

New version (4.0) of the most secure operating system on the planet - Qubes OS was released.
https://www.qubes-os.org/news/2018/03/28/qubes-40/