Tag FBI

InfoSec Week 21, 2018

500,000 routers in more than 50 countries are infected with the malware targeting routers. Primarily home devices like Linksys, MikroTik, NETGEAR and TP-Link.
Cisco's Talos Security attributed malware to the future Russian cyber operations against the Ukraine. The US FBI agents seize control of the botnet.
https://blog.talosintelligence.com/2018/05/VPNFilter.html
https://www.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet

The Internet Archive's Wayback Machine is deleting evidence on the malware sellers. They have removed from their archive a webpage of a Thailand-based firm FlexiSpy, which offers desktop and mobile malware.
https://motherboard.vice.com/en_us/article/nekzzq/wayback-machine-deleting-evidence-flexispy

According to the McAfee team, North Korean threat actor Sun Team is targeting defectors using the malicious Android applications on Google Play.
https://securingtomorrow.mcafee.com/mcafee-labs/malware-on-google-play-targets-north-korean-defectors/

Don't use sha256crypt & sha512crypt primitives as shipped with GNU/Linux, they're leaking information about the password via time duration of a hashing operation.
Not critical vulnerability, but good to know.
https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/

The Intercept published an interesting article about the Japanese signals intelligence agency, based on Snowden's leaks.
https://theintercept.com/2018/05/19/japan-dfs-surveillance-agency/

The US FBI repeatedly overstated encryption threat figures to Congress and the public.
https://www.washingtonpost.com/world/national-security/fbi-repeatedly-overstated-encryption-threat-figures-to-congress-public/2018/05/22/5b68ae90-5dce-11e8-a4a4-c070ef53f315_story.html

The US internet provider Comcast was leaking the usernames and passwords of customers’ wireless routers to anyone with the valid subscriber’s account number and street address number.
https://techcrunch.com/2018/05/21/comcast-is-leaking-the-names-and-passwords-of-customers-wireless-routers/

Amazon is pitching their facial recognition technology to law enforcement agencies, saying the program could aid criminal investigations by recognizing suspects in photos and videos.
https://www.nytimes.com/2018/05/22/technology/amazon-facial-recognition.html

Great blog about the SMS binary payloads and how SMS is weakening mobile security for years.
https://www.contextis.com/blog/binary-sms-the-old-backdoor-to-your-new-thing

Researchers from the Eclypsium found a new variation of the Spectre attack that can allow attackers to recover data stored inside CPU System Management Mode. They have even published Proof-of-concept.
https://blog.eclypsium.com/2018/05/17/system-management-mode-speculative-execution-attacks/

InfoSec Week 4, 2018

Electron applications designed to run on Windows that register themselves as the default handler for a protocol, like Skype, Slack and others, are vulnerable to the remote code execution vulnerability.
https://electronjs.org/blog/protocol-handler-fix

Dutch intelligence service AIVD provided the FBI with important information regarding Russian interference with the American elections. They have following the Cozy Bear APT for years.
https://www.volkskrant.nl/media/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~a4561913/

Good blog about the exploitation of the Intel Management Engine 11 vulnerabilities. Researchers Mark Ermolov and Maxim Goryachy were able to debug and analyse most of the Intel ME processes.
http://blog.ptsecurity.com/2018/01/running-unsigned-code-in-intel-me.html

It's possible to bypass the Cloudflare protection by scanning internet for misconfigured customers' servers.
https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/

It is possible for an unauthenticated attacker in the LAN network to achieve remote code execution (CVE-2018-5999) in the AsusWRT router as the root user.
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt

The Tinder dating application is not using encryption when accessing data on a backend server. Your naked photos could be seen by a waitress in a restaurant. The geeky one.
https://www.checkmarx.com/2018/01/23/tinder-someone-may-watching-swipe-2/

Oracle has released patches for ten vulnerabilities in VirtualBox, which allows guest to host virtual machine escape.
https://www.techrepublic.com/article/10-new-vm-escape-vulnerabilities-discovered-in-virtualbox/

The guy was able to obtain TLS certificates from the Let's Encrypt certification authority for domains that he does not own, due to the TLS-SNI-01 challenge workflow in a cloud environment. Shared hosting providers like Heroku, AWS CloudFront affected.
https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/

Blog by Joanna Rutkowska on a future Qubes Air operating system architecture roadmap. They want to provide compartmentalized secure Qubes OS as a service.
https://www.qubes-os.org/news/2018/01/22/qubes-air/

There is a cryptographic analysis of the WireGuard protocol. WireGuard is a layer 3 replacement for the IPsec, OpenVPN solutions. Interesting project.
https://eprint.iacr.org/2018/080

Nice introduction on how to fuzz TCP servers by Robert Swiecki.
http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html