InfoSec Week 17, 2018

A loud sound emitted by a gas-based fire suppression system destroyed the hard drives of a Swedish data center, taking NASDAQ operations across Northern Europe down.

Signal for iOS, version and prior, is vulnerable to a screen lock bypass (CVE-2018-9840).
The blog post explains how the vulnerability can be exploited in practice.

Good summary of integrated circuit counterfeiting and its detection and avoidance methods, by hardware engineer Yahya Tawil.

A new Python-based cryptocurrency mining malware, PyRoMine (analyzed by FortiGuard Labs), uses the ETERNALROMANCE exploit attributed to the NSA to propagate a Monero cryptocurrency miner.

The Australian Bureau of Statistics tracked people by their mobile device data to enrich its data collection.

A BGP hijack affected Amazon DNS and rerouted web traffic for more than two hours. The attackers used the hijack to serve a fake MyEtherWallet.com cryptocurrency wallet website.

Embedi researchers analyzed the security of the Huawei Secospace USG6330 firewall firmware. Good insight into how to analyze such devices in general.

The ISO has rejected the SIMON and SPECK symmetric encryption algorithms designed and proposed by the NSA. They are optimized for small, low-cost processors such as those in IoT devices.

The Center for Information Technology Policy at Princeton announced IoT Inspector, an ongoing initiative to study consumer IoT security and privacy.

There is a proof of concept for Fusée Gelée, a cold-boot vulnerability that allows full, unauthenticated arbitrary code execution on NVIDIA's Tegra line of embedded processors. This vulnerability compromises the entire root of trust of each processor, leading to full compromise of on-device secrets wherever USB access is possible.

InfoSec Week 16, 2018

Google has disabled the domain fronting capability in its App Engine, which was used to evade censorship. What fortunate timing.

Bloomberg published an article on how Palantir is using War on Terror tools to track American citizens.

Third-party JavaScript trackers are actively exfiltrating personal identifiers from websites that use the "Login with Facebook" button and other such social login APIs.

The U.S. and the UK blame Russia for a campaign of hacks into routers, switches and other connected infrastructure.

One of the people charged over the Reveton ransomware trojan was actually working as a network engineer at Microsoft.

Intel processors now allow antivirus software (mostly Microsoft's right now) to use the built-in GPU for in-memory malware scanning.

Avast shared the CCleaner breach timeline: they were infiltrated via TeamViewer, and more than 2.3 million users and 40 companies were infected.

Nice blog post about quantum-resistant hash-based signature schemes. No public key cryptography.

The new Android P lets users change the default DNS server; it will also support DNS over TLS.

There is a new web standard for authentication, designed to replace the password login method with public key cryptography and biometrics.

OpenSSL is vulnerable to a cache-timing attack on RSA key generation (CVE-2018-0737).
It could theoretically be exploited by a hypervisor, but the project has decided not to release an emergency fix.

Endgame has released EMBER (Endgame Malware BEnchmark for Research), an open source collection of metadata and derived features for 1.1 million portable executable (PE) files, their hashes, and a benchmark model trained on those features.

InfoSec Week 14, 2018

There is a critical flaw in the Microsoft Malware Protection Engine (CVE-2018-0986). They used the open source unrar code and changed the type of all the signed ints, breaking the code. The result is remote memory corruption as SYSTEM.

A blog post by Latacora about the right choices and parameters when dealing with cryptography for backups, communication, authentication, etc. Nice summary, with explanations and historical references.

The Italian football club Lazio was scammed by a social engineering attack via email. The club paid a €2 million transfer bill to a fraudster's bank account instead of to the Dutch club Feyenoord.

The people behind the Google Wycheproof project, which tests crypto libraries against known attacks, have released test vectors for many crypto primitives.

Cloudflare announced a consumer DNS service sitting on a address. It supports DNS-over-TLS and also DNS-over-HTTPS.

Good explanatory blog post about oblivious DNS and why DNS should not require our trust at all.

There is a local privilege escalation vulnerability (CVE-2018-0492) in the Debian beep package. Yes, the beep package for motherboard beeping. Escalation because of setuid plus a race condition.

LibreSSL 2.7.0 accepted all invalid host names as valid. The vulnerability was found by Python maintainer Christian Heimes when running tests after porting the new LibreSSL to Python 3.7. Nobody was affected.

VirusTotal has launched a new Android sandbox system, VirusTotal Droidy, to help security researchers detect malicious apps based on behavioral analysis.

MesaLink is a new memory-safe and OpenSSL-compatible TLS library written in Rust.

InfoSec Week 7, 2018

Fidelis Cybersecurity researcher Jason Reaves demonstrated how to covertly exchange data using X.509 digital certificates. The proof of concept code uses the SubjectKeyIdentifier extension and generates certificates on the fly.

The "UDPoS" point-of-sale malware uses DNS traffic to exfiltrate stolen credit card data.

Talos analyzed the malware threat targeting Olympic computer systems during the opening ceremony. Its main purpose was information gathering and destroying the systems.

A zero-day vulnerability in the Bitmessage messaging client was exploited to steal Electrum cryptocurrency wallet keys.

Trustwave analyzed a multi-stage Microsoft Word attack which does NOT use macros. Really creative technique.

Microsoft can't fix the Skype privilege escalation bug without a massive code rewrite, so they have postponed it for a while.

Facebook is advertising its Onavo VPN application, but there are a few reasons why it is really not a good idea to use it.

Facebook is spamming users via the SMS numbers they registered for two-factor authentication (2FA). It then posts their responses on their wall.

(Not only) performance analysis of the Retpoline mitigation for the Spectre vulnerability.

A guide on how to brute-force Linux Full Disk Encryption (LUKS) volumes using the Hashcat software.

Proof of concept of a LibreOffice remote arbitrary file disclosure vulnerability. It is possible to silently send out any file. All operating systems are affected on versions before 5.4.5/6.0.1.

InfoSec Week 3, 2018

The notorious Necurs spam botnet is sending millions of spam emails pumping a shitcoin cryptocurrency named Swisscoin. The attackers are probably invested and expecting to run a pump-and-dump scheme.

Nice article on Russia's hacking capabilities against foreign critical infrastructure.

Taiwanese police handed out malware-infected USB sticks as prizes for a cybersecurity quiz. The malware was an old sample trying to communicate with a non-existent C&C server in Poland. The thumb drives had been infected by a third-party contractor.

New research analyzes the usage of Certificate Authority Authorization (CAA) DNS records. CAA records enable domain owners to explicitly state which certificate authorities may issue digital certificates for their domain. Only 4 of the large DNS operators that dominate the Internet's DNS infrastructure let their customers configure CAA records, but things are getting better after this audit.
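To show what a CA's CAA check actually decides, here is an added example (not from the research above or any CA's code) of a minimal CAA evaluator following the RFC 6844 / RFC 8659 rules: climb from the requested name to the first CAA RRset, honour unknown critical properties, prefer `issuewild` for wildcard requests, and treat a value of `;` as "nobody may issue". The zone data is constructed for the example.

```python
# Added example: a minimal CAA (RFC 6844 / RFC 8659) issuance check.
# The ZONE dict below is constructed sample data, not real DNS.
from typing import Dict, List, NamedTuple

CRITICAL = 128  # bit 7 of the flags octet: issuer-critical property


class CAA(NamedTuple):
    flags: int
    tag: str    # "issue", "issuewild", "iodef", ...
    value: str  # e.g. "letsencrypt.org", or ";" meaning no CA may issue


def parse_caa(text: str) -> CAA:
    """Parse presentation format: '<flags> <tag> "<value>"'."""
    flags, tag, value = text.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


def relevant_rrset(zone: Dict[str, List[CAA]], name: str) -> List[CAA]:
    """Walk from name towards the root; the first CAA RRset found applies."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domain(value: str) -> str:
    """'<domain>[; key=value ...]'; a bare ';' yields '' (deny all)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: Dict[str, List[CAA]], name: str, ca: str,
              wildcard: bool = False) -> bool:
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True  # no CAA anywhere up the tree: not restricted
    if any(r.flags & CRITICAL and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False  # unrecognised critical property: must not issue
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    allowed = [issuer_domain(r.value) for r in rrset if r.tag == tag]
    return True if not allowed else ca.lower() in allowed


ZONE = {  # constructed sample zone
    "example.com": [parse_caa('0 issue "letsencrypt.org"'),
                    parse_caa('0 issuewild ";"'),
                    parse_caa('0 iodef "mailto:security@example.com"')],
    "locked.example.com": [parse_caa('0 issue ";"')],
    "odd.example.com": [parse_caa('128 futuretag "whatever"')],
}
```

Note that `www.example.com` inherits the parent's records, so the check that matters for an operator is that the CAA RRset is actually published at the zone apex and not only at a leaf.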

Lenovo engineers have discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company has already released firmware updates.
The backdoor was added to the source code in 2004, when it was maintained by Nortel.

Nice technical report about PowerStager, the Python / C / PowerShell malware used in the Pyeongchang Olympic-themed spear phishing attack.

InfoSec Week 17, 2017

A team of researchers from New York University said they identified a severe flaw in General Electric Multilin protection relays, which are widely deployed in the US energy sector.

Kaspersky Lab analyzed Backdoor.Win32.Denis, malware using DNS tunneling as its communication infrastructure. Base64 is not encryption, though.

Check Point researchers have discovered a new Mac malware family that uses nag screens to obtain admin privileges, Tor to hide traffic diverted to a remote proxy, and a rogue certificate to intercept encrypted browser traffic. It's spreading via email spam.

A critical vulnerability (CVE-2017-5135) in an implementation of the SNMP protocol allows an attacker to take over at least 78 cable modem models.

Wired wrote about research into Android applications that turn the smartphone into a file server, exposing open ports to the internet, and why that is dangerous. https://www.wired.com/2017/04/obscure-app-flaw-creates-backdoors-millions-smartphones/

The CIA's document tracking program Scribbles allegedly embeds a web beacon-style tag into watermarks on Microsoft Word documents, which can report document analytics back to the CIA.

The Antminer bitcoin mining hardware has a backdoor that can disable the miner remotely. http://www.antbleed.com/ https://www.reddit.com/r/Bitcoin/comments/67qwqv/antbleed_exposing_the_malicious_backdoor_on/dgsk6cf/

Troy Hunt published a blog post about some of the most insane password reset schemes, security questions, and corporate responses he has seen throughout his career.