Tag U2F

InfoSec Week 46, 2018

Researchers at the University of California have found that GPUs are vulnerable to side-channel attacks and demonstrated multiple types of attacks. After reverse engineering Nvidia GPU, researchers were able to steal rendered password box from a browser, sniffed other browser related data and also settings from the neural network computations on a GPU in the data center.
https://www.networkworld.com/article/3321036/data-center/gpus-are-vulnerable-to-side-channel-attacks.html

Cybersecurity firm Trend Micro has analyzed a new cryptocurrency mining malware that targets Linux OS and is able to hide its processes by implementing a rootkit component.
The rootkit will replace and hooks the readdir and readdir64 application programming interfaces (APIs) of the libc library so the system is unable to monitor miner workers anymore.
https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/cryptocurrency-mining-malware-targets-linux-systems-uses-rootkit-for-stealth

An Australian hacker has spent thousands of hours hacking the DRM that medical device manufacturers put on a continuous positive airway pressure (CPAP) machines to create a free tool that lets patients modify their treatment.
https://motherboard.vice.com/en_us/article/xwjd4w/im-possibly-alive-because-it-exists-why-sleep-apnea-patients-rely-on-a-cpap-machine-hacker

In 2016, Russia's Internet Research Agency used browser plugin malware called FaceMusic which "liked" Russian content and made their content popular on a social networks.
Now a Russian national living in Bulgaria has been detained on an US arrest warrant and is accused of online fraud & maintaining a computer network with servers in Dallas between Sep 2014 - Dec 2016.
https://edition.cnn.com/2018/11/10/world/russian-hacker-wanted-by-the-united-states-arrested-in-bulgaria/index.html

The European Commission has just announced trials in Hungary, Greece and Latvia of iBorderCtrl project that includes the use of an AI-based lie detection system to spot when visitors to the EU give false information about themselves and their reasons for entering the area.
https://www.privateinternetaccess.com/blog/2018/11/ai-based-lie-detection-system-at-eu-borders-will-screen-travellers-for-biomarkers-of-deceit

Troy Hunt analyzed 2FA, U2F authentication mechanisms and commented on the Google Advanced Protection enrollment procedure.
https://www.troyhunt.com/beyond-passwords-2fa-u2f-and-google-advanced-protection/

Bitwarden open source password manager has completed a thorough security audit and cryptographic analysis from the security experts at Cure53.
https://blog.bitwarden.com/bitwarden-completes-third-party-security-audit-c1cc81b6d33

According to a Censys online platform, over a million AT&T devices, probably cable modems share the same TLS private key.
https://twitter.com/nikitab/status/1062161234173288449

Researchers from Mozilla published blog on how they have designed privacy-aware Firefox Sync.
https://hacks.mozilla.org/2018/11/firefox-sync-privacy/

Two weeks ago we wrote about an attack against the OCB2 authenticated encryption scheme. It breaks integrity of OCB2.
Now there are two more papers, one breaks confidentiality and the other recovers plain text.
https://ia.cr/2018/1087
https://ia.cr/2018/1090

There is a zero day exploit "PHP_imap_open_exploit" in PHP that allows bypassing disabled exec functions by using call to imap_open.
https://github.com/Bo0oM/PHP_imap_open_exploit

InfoSec Week 30, 2018

Researchers from the Palo Alto Networks analyzed new Mirai and Gafgyt IoT/Linux botnet campaigns. The samples used more than 11 exploits for spreading, exploiting D-Link, Dasan GPON routers.
https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/

Brian Krebs published a blog post about the current status of the Universal 2nd Factor (U2F) support. Google practically eliminated employee phishing by introducing mandatory usage of the physical security keys.
https://krebsonsecurity.com/2018/07/google-security-keys-neutered-employee-phishing/

There is a new module for the CHIPSEC Security Assessment Framework to check CPU USB debug features and host Direct Connection Interface (DCI), which can be used to modify system firmware with physical access and introduce "Evil Maid" firmware attacks.
https://blog.eclypsium.com/2018/07/23/evil-mai%EF%BB%BFd-firmware-attacks-using-usb-debug/

Chinese police arrested malware developers for hacking millions of computers to steal $2 million in cryptocurrencies.
https://www.ccn.com/chinese-police-arrest-malware-developers-who-hacked-2-million-in-crypto/

Paper on a new Spectre variant called SpectreRSB was published with the name "Spectre Returns! Speculation Attacks using the Return Stack Buffer".
According to a paper „none of the known defenses including Retpoline and Intel's microcode patches stop all SpectreRSB attacks.“
https://arxiv.org/abs/1807.07940

The source code of an Exobot Android Banking Trojan has been leaked online back in May has rapidly spread in the malware community.
https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/

Because of insufficient validation of parameters in many Bluetooth implementations, attackers can inject invalid elliptic curve parameters which aren’t checked by many implementations in an invalid public key making session keys vulnerable.
https://www.kb.cert.org/vuls/id/304725

The Cisco Talos security team found multiple vulnerabilities, including remote code execution vulnerability in the Sony IPELA E series network camera. https://blog.talosintelligence.com/2018/07/sony-ipela-vulnerability-spotlight-multiple.html

NSA declassified papers from John Tiltman, one of Britain’s top cryptanalysts during the Second World War, which reveal how pre-world war 2 Brits analyzed and decrypted Russian cryptography.
https://www.theregister.co.uk/2018/07/19/russia_one_time_pads_error_british/

InfoSec Week 46, 2017

Multiple critical vulnerabilities were found in the Intel Management Engine, Trusted Execution Engine and Server Platform Services by Intel audit after 3rd party researchers reported the privilege escalation vulnerability.
http://www.zdnet.com/article/intel-weve-found-severe-bugs-in-secretive-management-engine-affecting-millions/

If you have a vulnerable F5, basically attackers can sign anything with your RSA private key. An F5 BIG-IP virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages.
https://support.f5.com/csp/article/K21905460

MalwareHunterTeam discovered a new variant of the CryptoMix ransomware. It uses hardcoded RSA keys and can work offline.
https://securityaffairs.co/wordpress/65716/malware/cryptomix-ransomware-2.html

Attackers are using Microsoft’s Office documents Dynamic Data Exchange protocol to download and install malware. Microsoft does not consider it a vulnerability.
https://www.zscaler.com/blogs/research/microsoft-dde-protocol-based-malware-attacks

Nice step by step guide on how to put shellcode into a legitimate PE file, and make it undetectable.
https://haiderm.com/fully-undetectable-backdooring-pe-files/

Extensive review of U2F hardware devices.
https://github.com/hillbrad/U2FReviews

al-khaser is a PoC malware with good intentions that aims to stress your anti-malware system. It performs a bunch of nowadays malware tricks and the goal is to see if you stay under the radar.
https://github.com/LordNoteworthy/al-khaser

Puffs is a domain-specific language and library for parsing untrusted file formats safely. Examples of such file formats include images, audio, video, fonts and compressed archives.
https://github.com/google/puffs

InfoSec Week 41, 2017

SensePost researchers found out that the Microsoft Office home page is able to compromise user by loading ActiveX component with VBscript.
https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/

Microsoft security department were contacted by a worried user that found 2 seemingly identical µTorrent executables, with valid digital signatures, but different cryptographic hashes. As they have found out there were marketing campaign identifier in "a text file inside a ZIP file inside a PE file, BASE64 encoded and injected in the digital signature of a PE file.". Quite complicated...
https://isc.sans.edu/forums/diary/Its+in+the+signature/22928/

A vulnerability (CVE-2017-15361) in generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG allows for a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack is feasible for commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012, that are now commonplace.
https://crocs.fi.muni.cz/public/papers/rsa_ccs17

The rolling code in electronic keys for Subaru Forester (2009) and some other models are not random. Keys can be cloned, cars unlocked, with the hardware costs of $25. https://github.com/tomwimmenhove/subarufobrob

Microsoft reintroduced a Pool-based overflow kernel vulnerability on Windows 10 x64 (RS2) Creators Update which was originally patched in 2016. The guys wrote an exploit with rich explanation.
https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html
https://github.com/siberas/CVE-2016-3309_Reloaded

Blog about the "Exploding Git Repositories" that will crash your git process.
https://kate.io/blog/git-bomb/

MediaTek and Broadcom Wi-Fi AP drivers have a weak random number generator, allowing prediction of Group Temporal Key. Practical attack requires a LOT of handshakes.
https://lirias.kuleuven.be/bitstream/123456789/547640/1/usenix2016-wifi.pdf

How to hide a process from SysInternals without the admin rights, but with the privilege escalation.
https://riscybusiness.wordpress.com/2017/10/07/hiding-your-process-from-sysinternals/

Adam Langley blogged about the low level testing of the FIDO U2F security keys, namely Yubico, VASCO SecureClick, Feitian ePass, Thetis, U2F Zero, KEY-ID / HyperFIDO.
https://www.imperialviolet.org/2017/10/08/securitykeytest.html

Good introductory blog about the (in)security of Intel Boot Guard. The author also published source code of the UEFITool with visual validation of Intel Boot Guard coverage.
https://medium.com/@matrosov/bypass-intel-boot-guard-cc05edfca3a9 https://github.com/LongSoft/UEFITool

A script that tests if access points are affected by Key Reinstallation Attacks (CVE-2017-13082) was published on a GitHub by researcher Mathy Vanhoef.
https://github.com/vanhoefm/krackattacks-test-ap-ft

The Miscreant is a Misuse-resistant symmetric encryption library supporting the AES-SIV (RFC 5297) and CHAIN/STREAM constructions.
https://tonyarcieri.com/introducing-miscreant-a-multi-language-misuse-resistant-encryption-library
https://github.com/miscreant/miscreant