Tag week

RIP weekly news

Dear friends,
I have been publishing weekly mailing list for more than two years, starting in December 2016 and as of today, the few hundreds people signed.
As I have only one life and it's moving way too fast, I have decided to stop working on the weekly news and focus more on building things and writing meaningful articles about them.

I want to thank you for following my list, despite the ugly static page I have used and never improved :) Most of you probably do care about the security, so thank you in making the world a better place.
Cyberwarfare gone mainstream years ago and so should our field.
Please, continue.

PS: Slovak subscribers, I hope you will come over my other security related projects and publications soon.

Sincerely yours,
Arthur Rainwater

4766e21349b3b1622a5d3de78b7ae348e1028969d27930d04d110cd1a3d1ed33

InfoSec Week 8, 2019

Dutch security researcher Victor Gevers found misconfigured MongoDB database containing facial recognition and other sensitive information about the Uyghur Muslim minority in China. Looks like the company behind the database is Chinese surveillance company SenseNets.
https://www.zdnet.com/article/chinese-company-leaves-muslim-tracking-facial-recognition-database-exposed-online/

The UK's GCHQ intelligence agency subsidiary, the National Cyber Security Centre, evaluated Huawei devices with the vendor and unofficially decided that the risk using Huawei devices in the infrastructure can be managed.
This is a quite interesting turning point as other US allies are banning Huawei devices from their networks.
https://www.bbc.com/news/business-47274643

If you want to know the alternatives for the PGP functionality, George Tankersley wrote a nice list for that.
https://blog.gtank.cc/modern-alternatives-to-pgp/

Open Privacy Research Society released an alpha version of Cwtch, decentralized, privacy-preserving, asynchronous multi-party messaging protocol that can be used to build other applications.
https://openprivacy.ca/blog/2019/02/14/cwtch-alpha/

Linux kernel through 4.20.10 version contain use after free arbitrary code execution vulnerability.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8912

Check Point researchers have discovered 19 years old critical vulnerability in the WinRAR software that can be exploited just by extracting an archive.
https://research.checkpoint.com/extracting-code-execution-from-winrar/

Tavis Ormandy discovered old stack buffer overflow vulnerability in the MatrixSSL implementation used primarily by the embedded devices.
https://www.openwall.com/lists/oss-security/2019/02/15/1

Really in-depth article about the discovery and exploitation of the local privilege elevation vulnerability in the LG kernel driver (CVE-2019-8372).
http://www.jackson-t.ca/lg-driver-lpe.html

Microsoft is finally deprecating weak SHA-1 hash family in their Windows update mechanism.
https://arstechnica.com/gadgets/2019/02/mandatory-update-coming-to-windows-7-2008-to-kill-off-weak-update-hashes/

Brian Krebs wrote an article about the recent widespread DNS hijacking attacks attributed to the Iranian hackers.
https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/

Independent Security Evaluators published a security comparison of the top five password managers which are working on Windows 10.
https://www.securityevaluators.com/casestudies/password-manager-hacking/

InfoSec Week 7, 2019

Ubiquiti network devices are being remotely exploited, via port 10001 discovery service. Results in loss of device management, also being used as a weak UDP DDoS amplification attack: 56 bytes in, 206 bytes out.
https://www.zdnet.com/article/over-485000-ubiquiti-devices-vulnerable-to-new-attack/

Researchers demonstrated that Intel SGX trusted enclave poses a security thread, when they implemented proof malware that bypasses antivirus protection by leveraging SGX properties. Find more information in the research paper named "Practical Enclave Malware with Intel SGX".
https://arxiv.org/abs/1902.03256

Looks like the diffusion layer of Russian symmetric ciphers Kuznyechik and hash function Streebog, have mathematical properties required for the backdoor. There is no theoretical attack yet, and I am not convinced that it is on purpose, but the construction is suspicious.
https://mailarchive.ietf.org/arch/msg/cfrg/4PmssKzCBsxTmLCieDgqD7Nynwg

Google engineers have designed a new encryption mode for ChaCha stream cipher called Adiantum. The new encryption mode should be used on cheap ARM processors that does not have hardware support for AES, and it is almost 5x faster than AES-256-XTS.
https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html

Current versions of Ubuntu Linux were found to be vulnerable to local privilege escalation due to a bug in the snapd API.
https://www.exploit-db.com/exploits/46362

Phones running Android OS can be compromised remotely by viewing malicious PNG image.
https://source.android.com/security/bulletin/2019-02-01.html

A new vulnerability in the runc, container runtime used by Docker, Kubernetes and others. allows container escape just by running a malicious image.
https://www.openwall.com/lists/oss-security/2019/02/11/2

NCC Group published an interesting blog about a downgrade attack on TLS 1.3 and multiple other vulnerabilities in major TLS Libraries which they found last year.
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/

Researcher Scott Gayou published a step by step guide on how to jailbreak Subaru Crosstrek 2018 head unit leveraging USB port and update mechanism.
https://github.com/sgayou/subaru-starlink-research/tree/master/doc

According to the Airbnb presentation, 38 percent of bugs at Airbnb could have been prevented by using types.
https://www.reddit.com/r/typescript/comments/aofcik/38_of_bugs_at_airbnb_could_have_been_prevented_by/

You can try to find bugs in the Swiss eVoting System, as they opened a bug bounty program. There is also a source code available for registered bug hunters.
https://onlinevote-pit.ch/details/

Google open sourced ClusterFuzz, an infrastructure used for fuzzing Chrome and OSS-Fuzz, continuous fuzzing pipeline of open source software.
https://opensource.googleblog.com/2019/02/open-sourcing-clusterfuzz.html

InfoSec Week 6, 2019

Insurance Company says to the Mondelez customer that the NotPetya ransomware attack was an act of cyber war and therefore not covered by the policy.
https://ridethelightning.senseient.com/2019/01/insurance-company-says-notpetya-is-an-act-of-war-refuses-to-pay.html

Hackers breached Norway's Visma IT company to steal client secrets. Many large Norwegian companies are using Visma for accounting.
Attackers are attributed by Reuters sources as backed by the Chinese government.
https://www.reuters.com/article/us-china-cyber-norway-visma/china-hacked-norways-visma-to-steal-client-secrets-investigators-idUSKCN1PV141

Researchers demonstrated a new privacy attack against all variants of the Authentication and Key Agreement (AKA) protocol that impacts 5G, 4G, and 3G telephony protocols. The attack compromises users' privacy more than current known location privacy attacks do.
https://www.zdnet.com/article/new-security-flaw-impacts-5g-4g-and-3g-telephony-protocols/

Looks like Go language had vulnerabilities in the Elliptic Curve Cryptography implementation which could allow attackers to cause a denial of service or possible private key recovery attacks.
https://www.debian.org/security/2019/dsa-4380

It is possible to trick Evolution email application users into trusting a phished mail via adding a forged UID to a OpenPGP key that has a previously trusted UID. It's because Evolution extrapolates the trust of one of OpenPGP key UIDs into the key itself.
https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html

Good long-form story about the young cyber criminals and young girlfriend that followed their lies to her death. It does not have a happy ending.
https://www.buzzfeednews.com/article/josephbernstein/tomi-masters-down-the-rabbit-hole-i-go

Security researchers were assaulted by a casino technology vendor Atrient after responsibly disclosed critical vulnerabilities to them.
https://www.secjuice.com/security-researcher-assaulted-ice-atrient/

Article 13, the new European Union copyright law is back and it got worse, not better. https://juliareda.eu/2019/02/article-13-worse/

Researchers from Google Project Zero evaluated Apple's implementation of Pointer Authentication on the A12 SoC used in the iPhone XS. There are bypasses possible, but the conclusion says it is still a worthwhile exploitation mitigation technique.
https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html

There is a dangerous, remote code execution flaw in the LibreOffice and OpenOffice software.
https://thehackernews.com/2019/02/hacking-libreoffice-openoffice.html

Nadim Kobeissi is discontinuing his secure online chat Cryptocat. Thanks for service, it had nice user interface.
https://twitter.com/i/web/status/1092712064634753024

Malware For Humans is a conversation-led, independent documentary about fake news, big data, electoral interference, and hybrid warfare.
https://www.byline.com/column/67/article/2412

InfoSec Week 5, 2019

According to a Reuters investigation, United Arab Emirates used former U.S. intelligence operatives to hack into the iPhones of activists, diplomats and foreign politicians using so-called Karma spyware.
https://www.reuters.com/investigates/special-report/usa-spying-karma/

The Russia also has it's own Wikileaks. Called Distributed Denial of Secrets, the website aims to "bring into one place dozens of different archives of hacked material that, at best, have been difficult to locate, and in some cases appear to have disappeared entirely from the web."
https://www.thedailybeast.com/this-time-its-russias-emails-getting-leaked

The Japanese government will run penetration tests against all the IoT devices in the country in preparation for the Tokyo 2020 Summer Olympics. They want to map vulnerable devices and find out how to harden infrastructure.
https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/

Researchers analyzed 6000 router firmware images and the result is quite depressing. The home router software safety hygiene deteriorated over the past 15 years.
https://the-parallax.com/2019/01/24/wi-fi-router-security-worse-citl-shmoocon/

A Samsung Galaxy Apps Store bug allowed an attacker to inject arbitrary code through the interception of periodic update requests made by the Apps Store.
https://www.adyta.pt/en/2019/01/29/writeup-samsung-app-store-rce-via-mitm-2/

Vulnerable Cisco RV320/RV325 routers are being exploited in the wild. Thousands of routers are exposed on the internet with the web-based management interface vulnerability that could allow an unauthenticated, remote attacker to retrieve sensitive configuration information.
https://securityaffairs.co/wordpress/80363/hacking/cisco-rv320-rv325-hack.html

US National Institute of Standards and Technology (NIST) announced the second-round candidates for quantum resistant public-key encryption and key-establishment algorithms.
https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/bBxcfFFUsxE

The vulnerability in the Apples' FaceTime application enables caller to hear called person without accepting a call. Apple decided to turn off FaceTime conference servers before the fix is released.
https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/

Luke Berner found out interesting method how to maintain persistence after a password change using the two-factor authentication (2FA) no mayor websites.
https://medium.com/@lukeberner/how-i-abused-2fa-to-maintain-persistence-after-a-password-change-google-microsoft-instagram-7e3f455b71a1

InfoSec Week 4, 2019

Microsoft's mobile Edge browser begins issuing fake news warnings. It is powered by news rating company NewsGuard. It gives you fake news warning for Wikileaks, so decide for yourself.
https://www.engadget.com/2019/01/23/microsoft-edge-mobile-fake-news

A vulnerability in the apt package allows a network man-in-the-middle or malicious mirror to execute arbitrary code as root on a machine installing any packages.
https://justi.cz/security/2019/01/22/apt-rce.html

Encryption mode in the well-known compression software 7-Zip uses poor randomness when generating AES initialization vectors.
https://sourceforge.net/p/sevenzip/bugs/2176/

Turns out that the MySQL server has access to all client local files. Patched server can upload clients' files like SSH keys.
https://gwillem.gitlab.io/2019/01/20/sites-hacked-via-mysql-protocal-flaw/

Daniel Miessler published a short blog about the reasons why software remains insecure.
TLDR: "Basically, software remains vulnerable because the benefits created by insecure products far outweigh the downsides. Once that changes, software security will improve—but not a moment before."
https://danielmiessler.com/blog/the-reason-software-remains-insecure/

Trend Micro engineers found applications in the Google Play store that drop Anubis banking malware after the device motion sensors are activated to evade initial detection.
https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/

Interesting Twitter bug was filled via HackerOne platform - changing email address on Twitter for Android unsets “Protect your Tweets” flag and make protected tweets public.
https://hackerone.com/reports/472013

Great in-depth blog about the finding and exploiting bugs in Marvell Avastar Wi-Fi.
https://embedi.org/blog/remotely-compromise-devices-by-using-bugs-in-marvell-avastar-wi-fi-from-zero-knowledge-to-zero-click-rce/

WPintel - Chrome extension designed For WordPress vulnerability scanning and information gathering.
https://github.com/Tuhinshubhra/WPintel

InfoSec Week 3, 2019

35-year-old vulnerability has been discovered in the SCP file transfer utility. According to the advisory impact section, "Malicious scp server can write arbitrary files to scp target directory, change the target directory permissions and to spoof the client output."
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Multiple U.S. government websites SSL certificates have expired and some sites are inaccessible due to properly used HTTP Strict Transport Security.
There's nobody there to renew them due to a government shutdown.
https://news.netcraft.com/archives/2019/01/10/gov-security-falters-during-u-s-shutdown.html

Researchers found a new kind of Windows malware using encrypted messaging app Telegram to receive "encrypted" instructions. Nothing innovative with the malware sample, but what is really interesting is, that telegram messages are coupled with unique IDs and malware analysts from the Forcepoint Labs were able to retroactively scrape all the messages issued by the malware operator.
Not sure what kind of channel was used by the bot, but it looks really suspicious to be able to scrape old messages.
https://techcrunch.com/2019/01/17/decrypted-telegram-bot-windows-malware

The researchers at the CanSecWest Vancouver conference will be able to participate in the annual Pwn2Own challenge. This year also in car hacking as Tesla Model 3 will be available.
https://www.zerodayinitiative.com/blog/2019/1/14/pwn2own-vancouver-2019-tesla-vmware-microsoft-and-more

One of last surviving Navajo code talkers, Alfred Newman, has passed away at 94. Newman, with many others, developed during World War II an unbreakable code for military transmissions using the unwritten Navajo language.
https://eu.azcentral.com/story/news/local/arizona/2019/01/14/alfred-k-newman-among-last-navajo-code-talkers-has-died/2570535002/

Security researcher Troy Hunt updated his service Have I Been Pwn with 772,904,991 new email addresses and lots of passwords after finding 87GB of leaked passwords and email addresses by the MEGA cloud storage provider.
https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

There was a massive data breach at the Oklahoma Securities Commission with millions of files containing decades worth of confidential case file intelligence from the agency and sensitive FBI investigation source materials leaked.
https://www.newsweek.com/oklahoma-data-breach-may-expose-years-fbi-investigations-report-1293862

Hackers broke into an SEC database and made millions from inside info.
https://www.cnbc.com/2019/01/15/international-stock-trading-scheme-hacked-into-sec-database-justice-dept-says.html

Malicious former employee installed Raspberry Pi in the company network closet, but the Reddit crowd helped with the investigation.
https://blog.haschek.at/2018/the-curious-case-of-the-RasPi-in-our-network.html

Great blog post about the factors in authentication. The more factors to be used, the bigger headache from the enrollment procedures.
https://apenwarr.ca/log/20190114

Noise Protocol Framework Explorer created by Nadim Kobeissi now supports generating secure implementations in Go for any arbitrary Noise Handshake Pattern.
https://twitter.com/i/web/status/1085629955202011136

CERT Poland (CERT Polska) opens access to its malware database (MWDB).
https://www.cert.pl/en/news/single/mwdb-our-way-to-share-information-about-malicious-software/

InfoSec Week 2, 2019

Personal information of many German politicans were published online. Since then, Police arrested 20 years old suspect.
https://www.thelocal.de/20190108/suspect-20-arrested-over-massive-german-politician-data-hack

Qualys has sent out a security advisory describing three stack-overrun vulnerabilities in systemd-journald. They have two working exploits already.
https://lwn.net/Articles/776404/

Samsung Phone Users Perturbed to Find They Can't Delete Facebook.
According to a Hacker News comment (2nd link), it should be possible to delete application via cable using ADB. I didn't try it.
https://www.bloomberg.com/news/articles/2019-01-08/samsung-phone-users-get-a-shock-they-can-t-delete-facebook
https://news.ycombinator.com/item?id=18864354

Australian government issued a warning regarding WhatsApp hoax that is promoting installation of a ‘gold’ version of the application. Installation leads to a malware infection.
https://cyber.gov.au/individual/news/whatsapp-gold-hoax/

After Motherboard's article about US carriers selling customers location data, senators call on FCC to investigate T-Mobile, AT&T, and Sprint.
https://motherboard.vice.com/en_us/article/j5z74d/senators-harris-warner-wyden-fcc-investigate-att-sprint-tmobile-bounty-hunters

Trial of a Mexican drug lord Joaquín "El Chapo" Guzmán started and it looks like his IT security guy gave encryption keys for a SIP communication service to investigators long time ago.
El Chapo also spyied on his wife and fiancées using Flexi-spy spyware which provider was subpoenaed by FBI.
https://www.nytimes.com/2019/01/08/nyregion/el-chapo-trial.html
https://twitter.com/alanfeuer/status/1083033189956964353

Singapore's ministry of communications and information published "Public Report of the Committee of Inquiry (COI) into the cyber attack on Singapore Health Services Private Limited Patient Database".
If you are into incident response, this report is really great source.
https://www.mci.gov.sg/~/media/mcicorp/doc/report%20of%20the%20coi%20into%20the%20cyber%20attack%20on%20singhealth%2010%20jan%202019.pdf?la=en

Back in 2015, Facebook filed patent request describing how to track user relations using the dust on camera lens.
https://gizmodo.com/facebook-knows-how-to-track-you-using-the-dust-on-your-1821030620

If your computer rely on BitLocker in TPM mode (boot without PIN), it is possible to extract cryptographic material data out of your computer and decrypt the hard drive.
https://twitter.com/marcan42/status/1080869868889501696

Zerodium platform wants to pay you $2,000,000 for remote iOS jailbreaks, $1,000,000 for WhatsApp / iMessage / SMS / MMS remote code execution exploit, and $500,000 for Chrome remote exploit.
https://twitter.com/Zerodium/status/1082259805224333312

Security engineer Chris Palmer published blog about the state of software security in 2019.
https://noncombatant.org/2019/01/06/state-of-security-2019/

The NSA has so far open-sourced 32 projects on Github, as part of its Technology Transfer Program.
https://github.com/nationalsecurityagency

Research paper on a new hardware-agnostic side-channel attack which is targeting the operating system page cache was published.
https://arxiv.org/abs/1901.01161

Interesting paper from the last October a long-term secure storage proposal:
"ELSA: Efficient Long-Term Secure Storage of Large Datasets".
https://arxiv.org/abs/1810.11888

InfoSec Week 1, 2019

Let's Encrypt recapitulated the last year in the operation of their ACME based certification authority, and summarized the challenges that they will work on in 2019.
They intend to deploy multi-perspective validation, checking multiple distinct Autonomous Systems for domain validation, preventing potential BGP hijacks. They also plan to run own Certificate Transparency (CT) log.
https://letsencrypt.org/2018/12/31/looking-forward-to-2019.html

According to the consultant Nathan Ziehnert, "CenturyLink 50 hour outage at 15 datacenters across the US — impacting cloud, DSL, and 911 services was caused by a single network card sending bad packets."
https://twitter.com/GossiTheDog/status/1079144491238469638

Great blog by Artem Dinaburg, where he is resurrecting 30 years old fuzzing techniques from the famous research papers to run them on on the current Linux distro. Successfully.
https://blog.trailofbits.com/2018/12/31/fuzzing-like-its-1989/

An article by Wired about the fake murder for hire services on dark web and a freelance security researcher that took them down. As it turned out, some clients killed their targets themselves.
https://www.wired.co.uk/article/kill-list-dark-web-hitmen

Multiple newspaper publishers in the US were hit by a ransomware attack, delaying their operations.
https://www.latimes.com/business/technology/la-fi-tn-ryuk-hack-20190101-story.html

The European Union starts running bug bounties on Free and Open Source Software.
https://juliareda.eu/2018/12/eu-fossa-bug-bounties/

Foxit Readers' proof of concept exploit for the Use-After-Free vulnerability (CVE-2018-14442) was published on Github.
https://github.com/payatu/CVE-2018-14442

Attacker launched multiple servers that return an error message to the connected Electrum clients, which then turn them into a fake update prompt linking to a malware.
https://github.com/spesmilo/electrum/issues/4968

Adam Langley published blog about the zero-knowledge attestation when using FIDO based authentication. It could prevent a single-vendor policy some sites started to require.
https://www.imperialviolet.org/2019/01/01/zkattestation.html

Interesting blog post by Wouter Castryck on "CSIDH: post-quantum key exchange using isogeny-based group actions".
https://www.esat.kuleuven.be/cosic/csidh-post-quantum-key-exchange-using-isogeny-based-group-actions/

The security researcher Bruno Keith published a a proof of concept for a remote code execution vulnerability in Microsoft Edge browser (CVE-2018-8629).
https://securityaffairs.co/wordpress/79264/hacking/microsoft-edge-poc-exploit.html

If you are interested in older car hacking/tuning, check this article about overcoming the speed limitation on an old Japanese Subaru Impreza STi.
https://p1kachu.pluggi.fr/project/automotive/2018/12/28/subaru-ssm1/

Jonathan “smuggler” Logan published study on the future of black markets and cryptoanarchy named "Dropgangs, or the future of darknet markets".
https://opaque.link/post/dropgang/

InfoSec Week 52, 2018

The Chinese battery expert is charged with stealing trade secrets from US employer, as he prepared to return home. Forensics found deleted research materials not related to his contract on a USB voluntarily provided to a supervisor.
https://beta.scmp.com/news/world/united-states-canada/article/2179192/chinese-battery-expert-hongjin-tan-charged-stealing

The New York Times published an article about the insecurity of the mobile networks' Signaling System 7 (SS7) and the unwillingness to address mobile network vulnerabilities in general.
https://www.nytimes.com/2018/12/26/opinion/cellphones-security-spying.html

Iraq government took down unlicensed towers used for illegal internet bandwidth smuggling operation in the disputed province of Kirkuk.
http://www.kurdistan24.net/en/news/09d4b5aa-6638-42fe-bbb1-b2ef48b4401b

Indias' Ministry of Home Affairs has issued a notification authorizing 10 agencies to tap, intercept and decrypt all personal data on computers and networks.
https://twitter.com/i/web/status/1075954903279943681

Yet another article from NY Times, this time on how Facebook uses 7500 moderators around the world to keep content "normal".
https://www.nytimes.com/2018/12/27/world/facebook-moderators.html

Hackers are infecting Linux servers with JungleSec ransomware using IPMI remote console, manually running encryption program, then asking for ransom.
https://www.bleepingcomputer.com/news/security/junglesec-ransomware-infects-victims-through-ipmi-remote-consoles/

The beta version of the WireGuard next gen VPN for iOS was released into the App Store.
https://lists.zx2c4.com/pipermail/wireguard/2018-December/003694.html

Someone from the France uploaded a new sample of Shamoon wiper malware to VirusTotal. The sample is signed with Baidu digital certificate expired back in 2016.
https://securityaffairs.co/wordpress/79248/malware/shamoon-3-france.html

The Wired magazine published a list of articles they have published on a security topic in 2018. Some of them are really good.
https://www.wired.com/gallery/the-most-read-security-stories-of-2018/

Amazon sends 1700 Alexa voice recordings to a random person.
https://threatpost.com/amazon-1700-alexa-voice-recordings/140201/


Page 1 / 12