Tag Signal

InfoSec Week 50, 2018

According to the New York Times sources, Marriott customers' data were breached by Chinese hackers.
Attribution is hard, especially when investigating government related hacks. We have to wait for more information.
https://www.nytimes.com/2018/12/11/us/politics/trump-china-trade.html

A Google+ API software update introduced in November had caused the Google+ API to broadcast user profiles to third-party developers, exposing the personal information of more than 52 million users.
https://www.blog.google/technology/safety-security/expediting-changes-google-plus/

Excellent journalistic piece about the location data industry. It's impossible to anonymize this kind of datasets. Really recommended!
https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html

Check Point researchers found 53 critical bugs in Adobe Reader and Adobe Pro by using WinAFL fuzzer.
https://research.checkpoint.com/50-adobe-cves-in-50-days/

The Cisco Talos team wrote about the various practical side-channel attack scenarios against the encrypted messaging apps like WhatsApp, Telegram, and Signal.
https://blog.talosintelligence.com/2018/12/secureim.html

Study finds 5 out of 17 tested certification authorities are vulnerable to spoofing domain validation by using the IP fragmentation attack.
https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Heftrig-Off-Path-Attacks-Against-PKI.pdf

A team behind the open source automation tool Jenkins published a patch for a critical vulnerability that could allow permission checks to be bypassed through the use of specially-crafted URLs.
https://jenkins.io/security/advisory/2018-12-05/

Microsoft took the first step in advocacy for the regulation of a facial recognition technology.
https://blogs.microsoft.com/on-the-issues/2018/12/06/facial-recognition-its-time-for-action/

A recent variant of a Shamoon malware wiped around ten percent PCs of the Italian oil and gas company Saipem.
https://www.zdnet.com/article/shamoon-malware-destroys-data-at-italian-oil-and-gas-company/

Russian State Duma is going to prohibit Russian servicemen from publishing personal information online.
https://informnapalm.org/en/seared-by-napalm-russian-state-duma-advances-legislation-banning-russian-servicemen-from-publishing-personal-information-online/

Researcher Natalie Silvanovich from the Google Project Zero fuzzed WhatsApp application and (surprisingly) didn't find exploitable bugs, just a heap corruption.
https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-conferencing-part-3.html

Australian guys, there is a GitHub repository where you can ask legal questions about the terrible Assistance and Access Bill. The questions are answered by lawyers.
https://github.com/alfiedotwtf/AABillFAQ

InfoSec Week 43, 2018

A zero-day vulnerability in the jQuery File Upload plugin is actively exploited for at least three years. Patch now!
https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/
https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206

A massive ad fraud scheme involving more than 125 Android apps and websites exploited Android Phones to steal millions.
Literally, almost everybody is doing this scheme against the smartphone users these days.
https://www.buzzfeednews.com/article/craigsilverman/how-a-massive-ad-fraud-scheme-exploited-android-phones-to

Kaspersky Lab analyzed complex DarkPulsar backdoor administrative module for a malware leaked by the ShadowBrokers.
They have found around 50 victims located in Russia, Iran and Egypt, mostly companies working in the nuclear energy, telecommunications, IT, aerospace and R&D.
https://securelist.com/darkpulsar/88199/

Haaretz investigation reveals Israel has become a leading exporter of tools for spying on civilians.
Dictators around the world use them eavesdrop on human rights activists, monitor emails, hack into apps and record conversations.
https://www.haaretz.com/israel-news/.premium.MAGAZINE-israel-s-cyber-spy-industry-aids-dictators-hunt-dissidents-and-gays-1.6573027

The consultancy firm McKinsey helping Saudi Arabia identify influential Saudis who opposed the government's line on Twitter.
Some of those individuals were later imprisoned & targeted with sophisticated spyware.
https://www.nytimes.com/2018/10/20/us/politics/saudi-image-campaign-twitter.html

Companies building "Smart home" products refuse to say whether law enforcement is using their products to spy on citizens.
https://techcrunch.com/2018/10/19/smart-home-devices-hoard-data-government-demands/

Mozilla announces experimental partnership with the ProtonVPN.
They will offer a virtual private network (VPN) service to a small group of Firefox users.
https://blog.mozilla.org/futurereleases/2018/10/22/testing-new-ways-to-keep-you-safe-online/

The UK grassroots internet provider is testing a data only SIM card that blocks any non-Tor traffic from leaving the phone.
https://motherboard.vice.com/en_us/article/d3qqj7/sim-card-forces-data-through-tor-brass-horn-communications

That feeling when you can steal a Tesla by relay attack (or key cloning?), but you have to Google how to unplug the charger.
https://gizmodo.com/hackers-allegedly-caught-on-video-stealing-tesla-model-1829905478

An insightful review of Android's secure backup practices published by NCC Group.
https://www.nccgroup.trust/us/our-research/android-cloud-backuprestore/?research=Public+Reports

Endpoint security pioneer Joanna Rutkowska leaves Qubes OS, joins the Golem project.
https://www.qubes-os.org/news/2018/10/25/the-next-chapter/

Matthew Green wrote a post on password-based authenticated key exchange (PAKE )and the new OPAQUE protocol.
Quite useful techniques more people should know about.
https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/

Signal Desktop leaves message decryption key in the plain text.
https://www.bleepingcomputer.com/news/security/signal-desktop-leaves-message-decryption-key-in-plain-sight/

Trail of Bits published a useful guide to the post-quantum cryptography.
https://blog.trailofbits.com/2018/10/22/a-guide-to-post-quantum-cryptography/

InfoSec Week 18, 2018

Multiple tech giants like Apple, Microsoft, Google and others formed an industry coalition and have joined security experts in criticizing encryption backdoors, after Ray Ozzie's CLEAR key escrow idea was widely derided. He basically proposed a scheme where the users have no control over their own devices, but the devices can be securely forensically analyzed by the government agencies.
https://www.zdnet.com/article/coalition-of-tech-giants-hit-by-nsa-spying-slams-encryption-backdoors/
https://github.com/rayozzie/clear/blob/master/clear-rozzie.pdf

There is an information leaking vulnerability via crafted user-supplied CDROM image.
"An attacker supplying a crafted CDROM image can read any file (or device node) on the dom0 filesystem with the permissions of the qemu device model process."
QubesOS operationg system is not affected due to the properly compartmentalized architecture.
http://seclists.org/oss-sec/2018/q2/71

Great in-depth blog about the reconstruction of the exploit created by the CIA's "Engineering Development Group" targeting MikroTik's RouterOS embedded operating system. This exploit was made public by the WikiLeaks last year.
http://blog.seekintoo.com/chimay-red.html

Bypassing authentication and impersonating arbitrary users in Oracle Access Manager with padding oracle. The guy basically broke Oracles home grown cryptographic implementation.
https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/

There is a critical privilege escalation vulnerability affecting Apache Hadoop versions from 2.2.0 to 2.7.3.
http://seclists.org/oss-sec/2018/q2/82

According to the Arbor Networks' security researchers have claimed that the anti-theft software Absolute LoJack is serving as an espionage software modified by the Russia-based Fancy Bear group.
https://asert.arbornetworks.com/lojack-becomes-a-double-agent/

Wired wrote an article about the famous Nigerian 419 scammers, their culture and why they are still flourishing.
https://www.wired.com/story/nigerian-email-scammers-more-effective-than-ever/

Matrix and Riot instant messenger applications are confirmed as the basis for the France’s government initiative to implement federated secure messenger.
https://matrix.org/blog/2018/04/26/matrix-and-riot-confirmed-as-the-basis-for-frances-secure-instant-messenger-app/

Amazon threatens to suspend Signal's secure messenger AWS account over censorship circumvention. They are using different TLS Server Name Indication - "domain fronting" - when establishing connection to circumvent network censorship, but Amazon says it is against their terms of services.
https://signal.org/blog/looking-back-on-the-front/

Respected German CT-Magazine says that there are 8 new Spectre vulnerabilities found in the Intel processors.
https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws-revealed-several-serious-4040648.html

InfoSec Week 17, 2018

A loud sound emitted by a gas-based fire suppression system deployed in the data center has destroyed the hard drives of a Swedish data center, downing NASDAQ operations across Northern Europe.
https://www.bleepingcomputer.com/news/technology/loud-sound-from-fire-alarm-system-shuts-down-nasdaqs-scandinavian-data-center/

Signal for iOS, version 2.23.1.1 and prior, is vulnerable to the screen lock bypass (CVE-2018-9840).
The blog explains how the vulnerability can be exploited in practice.
http://nint.en.do/Signal-Bypass-Screen-locker.php

Good summary about the integrated circuits Counterfeiting, detection and avoidance methods by hardware engineer Yahya Tawil.
https://atadiat.com/en/e-introduction-counterfeit-ics-counterfeiting-detection-avoidance-methods/

A new python-based cryptocurrency mining malware PyRoMine (FortiGuard Labs) is using the ETERNALROMANCE exploit attributed to the NSA, to propagate Monero cryptocurrency miner.
https://securityboulevard.com/2018/04/python-based-malware-uses-nsa-exploit-to-propagate-monero-xmr-miner/

The Australian Bureau of Statistics tracked people by their mobile device data to enrich their collection of data.
https://medium.com/@Asher_Wolf/the-australian-bureau-of-statistics-tracked-people-by-their-mobile-device-data-and-didnt-tell-them-16df094de31

BGP hijack affected Amazon DNS and rerouted web traffic for more than two hours. Attackers used the hijack to serve fake MyEtherWallet.com cryptocurrency website.
https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-reroute-web-traffic-for-two-hours-unnoticed-3a6f0dda6a6f

Embedi researchers analyzed the security of a Huawei Secospace USG6330 firewall firmware. Good insight on how to analyze devices in general.
https://embedi.com/blog/first-glance-on-os-vrp-by-huawei/

The ISO has rejected SIMON and SPECK symmetric encryption algorithms designed and proposed by the NSA. They are optimized for small and low-cost processors like IoT devices.
https://www.schneier.com/blog/archives/2018/04/two_nsa_algorit.html

The Center for Information Technology Policy at Princeton Announced IoT Inspector - an ongoing initiative to study consumer IoT security and privacy.
https://freedom-to-tinker.com/2018/04/23/announcing-iot-inspector-a-tool-to-study-smart-home-iot-device-behavior/

There is a Proof of Concept for Fusée Gelée - a coldboot vulnerability that allows full, unauthenticated arbitrary code execution on NVIDIA's Tegra line of embedded processors. This vulnerability compromises the entire root-of-trust for each processor, leading to full compromise of on-device secrets where USB access is possible.
https://github.com/reswitched/fusee-launcher/blob/master/report/fusee_gelee.md

InfoSec Week 8, 2018

Fraudsters are impersonating authors and publishing computer generated books so they can launder money via Amazon.
https://krebsonsecurity.com/2018/02/money-laundering-via-author-impersonation-on-amazon/

Crooks made over $3 million by installing cryptocurrency miners on Jenkins Servers by exploiting Java deserialization RCE vulnerability (CVE-2017-1000353) in the Jenkins.
https://securityaffairs.co/wordpress/69232/malware/jenkinsminer-targets-jenkins-servers.html

Tesla's Kubernetes installed in the Amazon AWS infrastructure was compromised by hackers.They have set up private cryptocurrency mining pool there.
https://www.bleepingcomputer.com/news/security/tesla-internal-servers-infected-with-cryptocurrency-miner/

The co-founder of WhatsApp, Brian Acton, has given $50 millions to support Signal messenger and create a self-sustaining foundation. Very good news for this donation funded privacy technology.
https://signal.org/blog/signal-foundation/

Hackers are exploiting the CISCO ASA vulnerability (CVE-2018-0101) in attacks in the wild.
https://securityaffairs.co/wordpress/68959/hacking/cve-2018-0101-cisco-asa-flaw.html

Security Researcher Troy Hunt published half a billion passwords collected and processed from various breaches. There is also API for this dataset, and some statistics about the password usage.
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

There is a critical vulnerability in Mi-Cam baby monitors that let attackers spy on infants. At least 52k users are affected.
https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html

Public key cryptography explained in the form of Ikea instructions. Check other images as well!
https://idea-instructions.com/public-key/

InfoSec Week 2, 2018

New research has found a flaw in a group messaging part of a Signal protocol used by Signal, WhatsApp and Threema. It’s hardly exploitable, but the server (attacker) could be, in some theoretical scenario, able to silently join an encrypted group chat.
https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging-in-whatsapp-and-signal/

Janit0r, author of the mass internet scanning campaign known as Internet Chemotherapy, released two more blogs about the campaign. Interesting.
http://depastedihrn3jtw.onion.link/show.php?md5=ee7136ac48fa59fba803b9fbcbc6d7b9
http://depastedihrn3jtw.onion.link/show.php?md5=7e7bfe406315f120d8ed325ffb87670b

A tale about the npm package which crawled user entered credit card information from the websites. It is a work of fiction, but published few hours after dozens of npm packages stopped working due to missing dependencies... Scary.
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

HC7 Planetary Ransomware is probably the first known ransomware asking for Ethereum as a ransom payment. It's for Windows users only.
https://www.bleepingcomputer.com/news/security/hc7-planetary-ransomware-may-be-the-first-to-accept-ethereum/

There is a hardwired network backdoor in the Western Digital MyCloud drives (user: mydlinkBRionyg, password: abc12345cba). Vendor probably patched it six months after reported.
http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125
https://twitter.com/dragosr/status/949822668563365889

Wi-Fi Protected Access III - WPA3 will be forced on a marked this year. Hopefully a lot of security enhancements to wi-fi protocol will be delivered by the WPA3-certified devices.
https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements

Let's Encrypt certification authority has temporarily disabled TLS-SNI-01 authorization challenge due to reported exploitation technique possible on a shared hosting infrastructure.
https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996

Google Cloud security engineers reported remote code execution vulnerability in the AMD Platform Security Processor.
http://seclists.org/fulldisclosure/2018/Jan/12

Brian Krebs wrote a blog about the flourishing online markets with the stolen credentials.
https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/

VirusTotal has a new feature, a visualization tool for the relationship between files, URLs, domains and IP addresses.
http://blog.virustotal.com/2018/01/virustotal-graph.html

A Meltdown vulnerability proof of concept for reading passwords out of Google Chrome browser.
https://github.com/RealJTG/Meltdown

InfoSec Week 38, 2017

The ZNIU Android malware is exploiting Linux kernel "Dirty COW" vulnerability to install itself on a device and collect money through the SMS-enabled payment service.
http://blog.trendmicro.com/trendlabs-security-intelligence/zniu-first-android-malware-exploit-dirty-cow-vulnerability/

Good introduction blog into the art of binary fuzzing and crash analysis demonstrated by fuzzing famous open-source Mimikatz software.
https://www.sec-consult.com/en/blog/2017/09/hack-the-hacker-fuzzing-mimikatz-on-windows-with-winafl-heatmaps-0day/index.html

Security researcher Inti De Ceukelaire has gained access to company team pages by exploiting faulty business logic in popular third-party on-line helpdesks.
https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c

Server part of the Wire end-to-end encrypted instant messenger application is now open-source, but there are lots of external dependencies and no documentation yet.
https://medium.com/@wireapp/wire-server-code-now-100-open-source-the-journey-continues-88e24164309c

A brief description behind the technology of a private contact discovery used in Signal messenger.
https://signal.org/blog/private-contact-discovery/

X41 IT Security company has released an in-depth analysis of the three leading enterprise web browsers Google Chrome, Microsoft Edge, and Internet Explorer.
https://github.com/x41sec/browser-security-whitepaper-2017

A nice list of a various open-source honeypot projects available on-line.
https://www.smokescreen.io/practical-honeypots-a-list-of-open-source-deception-tools-that-detect-threats-for-free/

SigThief - The script that will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file. It's not a valid signature BUT it's enough for some anti-viruses to flag the executable as trustworthy.
https://github.com/secretsquirrel/SigThief

InfoSec Week 34 - 35, 2017

Autodesk A360 cloud-based online storage misused as a delivery platform for multiple malware families.
http://blog.trendmicro.com/trendlabs-security-intelligence/a360-drive-adwind-remcos-netwire-rats/

Brian Krebs has done a good open source intel work on a shadowy past of Marcus Hutchins, author of the popular cybersecurity blog MalwareTech.
https://krebsonsecurity.com/2017/09/who-is-marcus-hutchins/

Wikileaks has published documents about the CIA Angelfire - "persistent framework that can load and execute custom implants on target computers running the Microsoft Windows operating system (XP or Win7)"
https://wikileaks.org/vault7/#Angelfire

ESET has published a research paper about a Gazer, stealth cyberespionage trojan, attributed to the notoriously known Turla group. The group was spreading malware using watering hole and spearphishing campaigns. I cannot find any more direct attribution except the fact that it is targeting "embassies and consulates" which, I believe, are a very common target for every intelligence actor...
https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf

Zimperium Researcher Adam Donenfeld published a proof-of-concept for iOS Kernel Exploit.
https://github.com/doadam/ziVA

Very good analysis of a group chat vulnerabilities in a popular IM applications:
"Insecurities of WhatsApp's, Signal's, and Threema's Group Chats"
https://web-in-security.blogspot.ch/2017/07/insecurities-of-whatsapps-signals-and.html

Cloudflare's blog post about a quantum resistant supersingular isogeny Diffie-Hellman key agreement used in TLS 1.3.
https://blog.cloudflare.com/sidh-go/

A Phrack-style paper on research into abusing Windows token privileges for escalation of privilege. Deep down the rabbit hole.
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt

Security researchers at Positive Technologies have discovered an undocumented configuration setting that disables the Intel Management Engine.
http://securityaffairs.co/wordpress/62470/hacking/intel-management-engine-kill-switch.html

Secure communication: Pond

The Pond is asynchronous, encrypted, forward-secure messaging application written by Adam Langley in Go programming language.