Tag WireGuard

InfoSec Week 45, 2018

A default VirtualBox virtual network device has a vulnerability allowing an attacker with root privilege to escape guest OS, execute commands in ring3 on a host.
All operating systems affected.
https://github.com/MorteNoir1/virtualbox_e1000_0day

Researchers at Radboud University in the Netherlands have revealed encryption vulnerabilities in the solid-state drives (SSD).
Samsung nor Crucial manufacturers are producing buggy firmware where anybody who steals your drive is able to decrypt it on their own.
https://www.ru.nl/publish/pages/909275/draft-paper_1.pdf

Police in the Netherlands were able to decrypt more than 258,000 messages sent using proprietary IronChat end-to-end (probably not) encrypted messaging application.
Lessons learned: do not use custom, proprietary, "exclusive" application nobody else except your gang members have...
https://www.politie.nl/en/news/2018/november/02-apeldoorn-police-have-achieved-a-breakthrough-in-the-interception-and-decryption-of-crypto-communication.html

The first release of 5G (3GPP Release 15) includes protection against an active IMSI catching.
"But in a typical case where 5G UE also supports LTE, it is still vulnerable to LTE IMSI catchers."
https://arxiv.org/abs/1811.02293

New "PortSmash" CPU side channel vulnerability impacts all CPUs that use a Simultaneous Multithreading (SMT).
The vulnerability has been discovered by researchers from the Tampere University of Technology in Finland and Technical University of Havana, Cuba.
https://github.com/bbbrumley/portsmash

Troy Hunt published blog on how passwords are superior to many alternative methods, primarily because "everyone understands how to use it".
https://www.troyhunt.com/heres-why-insert-thing-here-is-not-a-password-killer/

US Cyber Command (USCYBERCOM) starts uploading unclassified foreign APT malware samples to VirusTotal.
https://www.cybercom.mil/Media/News/News-Display/Article/1681533/new-cnmf-initiative-shares-malware-samples-with-cybersecurity-industry/

Iran found CIA spies by Googling their online communication channels after double agent told them modus operandi.
https://www.yahoo.com/news/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html

Some explanation by Doug Madory of Oracle on how and when China Telecom hijacked BGP routing to send US-to-US traffic via mainland China.
https://internetintel.oracle.com/blog-single.html?id=China+Telecom%27s+Internet+Traffic+Misdirection

Early version of an open source, free WireGuard for iOS VPN tunneling implementation is in public testing.
https://lists.zx2c4.com/pipermail/wireguard/2018-November/003526.html

Microsoft releases a Linux version of their ProcDump Sysinternals Tool.
https://github.com/Microsoft/ProcDump-for-Linux

InfoSec Week 35, 2018

Google started selling their Titan Security Key bundle that support FIDO standards for secure authentication. They have written the firmware by themselves, but the price should be lower for this kind of hardware.
https://store.google.com/us/product/titan_security_key_kit

Interesting three month research on hacking Australian law firms by registering expired domain names. Thousands of emails received with sensitive material.
https://medium.com/@gszathmari/hacking-law-firms-abandoned-domain-name-attack-560979e0b774

Researchers systematically retrieved 3500 AT controlling commands from over 2000 Android smartphone firmware images across 11 vendors and "demonstrated that the AT command interface contains an alarming amount of unconstrained functionality and represents a broad attack surface on Android devices."
https://atcommands.org/

Fortnite Installer created by Epic Games allowed to install anything on the customer Android phone. An Epic security engineer requested Google to delay public disclosure for the 90 days period, to allow time for the update, but Google refused.
https://m.androidcentral.com/epic-games-first-fortnite-installer-allowed-hackers-download-install-silently

US T-Mobile Database was breached, 2 millions of customers' data exposed.
https://www.databreachtoday.com/t-mobile-database-breach-exposes-2-million-customers-data-a-11420

Ars Technica published a good introductory review of the WireGuard next generation VPN software.
https://arstechnica.com/gadgets/2018/08/wireguard-vpn-review-fast-connections-amaze-but-windows-support-needs-to-happen/

WhatsApp has warned users that by using a free backup service offered by Google, messages will no longer be protected by end-to-end encryption.
https://www.zdnet.com/article/whatsapp-warns-free-google-drive-backups-are-not-encrypted/

Assured researchers published an article which provides a brief overview of the new TLS 1.3.
https://assured.se/2018/08/29/tls-1-3-in-a-nut-shell/

If you wanted to know how to use PGP in an organization of 200 people, read this blog about OpenPGP key distribution.
They are now turning the lessons learned into an Internet standard.
https://tech.firstlook.media/keylist-rfc-explainer

Mozilla Firefox 62 and newer support a new TLS API for WebExtensions.
There is now a certificate viewer leveraging new API called Certainly Something (Certificate Viewer).
https://addons.mozilla.org/en-US/firefox/addon/certainly-something/

In-depth blog spot by voidsecurity about the VirtualBox code execution vulnerability.
https://www.voidsecurity.in/2018/08/from-compiler-optimization-to-code.html

Mark Ermolov and Maxim Goryachy researchers have published a detailed walk-through for accessing an Intel's Management Engine (IME) JTAG feature, which provides debugging access to the processor.
https://github.com/ptresearch/IntelTXE-POC

InfoSec Week 31, 2018

Reddit got hacked. According to the investigation, it looks like hackers accessed employees 2FA protected accounts.
An attacker "compromised a few of Reddit's accounts with cloud and source code hosting providers by intercepting SMS 2FA verification codes".
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/

A non-official French website keepass.fr using an URL similar to the popular password manager KeePass one lets you download a tampered version of the password manager with some adware in it.
https://twitter.com/JusticeRage/status/1021815597972291591

According to The Intercept_, Google is planning to launch a censored version of its search engine in China that will blacklist websites and search terms about human rights, democracy, religion, and peaceful protest.
One can only wonder whether it is some part of a broader strategy, how to spread channels of influence abroad.
https://theintercept.com/2018/08/01/google-china-search-engine-censorship/

There is a great blog published on a Trail of Bits about the recent invalid elliptic curve point attack against the Bluetooth implementations.
Give it a try if you are interested, it's really easy to read!
https://blog.trailofbits.com/2018/08/01/bluetooth-invalid-curve-points/amp/

A borough and a town in Alaska have been hit by a devastating ransomware attack, forcing employees to completely stop using computers and go back to typewriters and hand receipts.
https://mashable.com/2018/08/02/malware-alaska-town

BYOB (Build Your Own Botnet) is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop countermeasures against these threats.
https://github.com/colental/byob

FireEye wrote article about the internals of a FIN7 hacking group global operation.
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

WireGuard, next generation VPN software, is finally submitted for the Linux kernel inclusion. Linus Torvalds commented the pull request:
"I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art."
https://marc.info/?l=linux-netdev&m=153306429108040&w=2
http://lists.openwall.net/netdev/2018/08/02/124

Malhunt: automated malware search in memory dumps using volatility and Yara rules.
https://github.com/andreafortuna/malhunt

InfoSec Week 4, 2018

Electron applications designed to run on Windows that register themselves as the default handler for a protocol, like Skype, Slack and others, are vulnerable to the remote code execution vulnerability.
https://electronjs.org/blog/protocol-handler-fix

Dutch intelligence service AIVD provided the FBI with important information regarding Russian interference with the American elections. They have following the Cozy Bear APT for years.
https://www.volkskrant.nl/media/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~a4561913/

Good blog about the exploitation of the Intel Management Engine 11 vulnerabilities. Researchers Mark Ermolov and Maxim Goryachy were able to debug and analyse most of the Intel ME processes.
http://blog.ptsecurity.com/2018/01/running-unsigned-code-in-intel-me.html

It's possible to bypass the Cloudflare protection by scanning internet for misconfigured customers' servers.
https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/

It is possible for an unauthenticated attacker in the LAN network to achieve remote code execution (CVE-2018-5999) in the AsusWRT router as the root user.
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt

The Tinder dating application is not using encryption when accessing data on a backend server. Your naked photos could be seen by a waitress in a restaurant. The geeky one.
https://www.checkmarx.com/2018/01/23/tinder-someone-may-watching-swipe-2/

Oracle has released patches for ten vulnerabilities in VirtualBox, which allows guest to host virtual machine escape.
https://www.techrepublic.com/article/10-new-vm-escape-vulnerabilities-discovered-in-virtualbox/

The guy was able to obtain TLS certificates from the Let's Encrypt certification authority for domains that he does not own, due to the TLS-SNI-01 challenge workflow in a cloud environment. Shared hosting providers like Heroku, AWS CloudFront affected.
https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/

Blog by Joanna Rutkowska on a future Qubes Air operating system architecture roadmap. They want to provide compartmentalized secure Qubes OS as a service.
https://www.qubes-os.org/news/2018/01/22/qubes-air/

There is a cryptographic analysis of the WireGuard protocol. WireGuard is a layer 3 replacement for the IPsec, OpenVPN solutions. Interesting project.
https://eprint.iacr.org/2018/080

Nice introduction on how to fuzz TCP servers by Robert Swiecki.
http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html

InfoSec Week 28, 2017

Porn spam botnet consisting of more than 80,000 automated female Twitter accounts has been prompting millions of clicks from Twitter users to the various affiliate dating schemes (known as "partnerka").
https://krebsonsecurity.com/2017/07/porn-spam-botnet-has-evil-twitter-twin/

Two malware families, NemucodAES ransomware and Kovter trojan are being distributed via email, pretending to be a delivery notice from the United Parcel Service.
https://isc.sans.edu/forums/diary/NemucodAES+and+the+malspam+that+distributes+it/22614/

Reyptson ransomware is using victim’s configured Thunderbird email account to execute spam distribution campaign against its contacts.
http://www.securitynewspaper.com/2017/07/18/reyptson-ransomware-spams-friends-stealing-thunderbird-contacts/

Android spyware targeting Iranians is using Telegram bot API to exfiltrate data to the remote server.
https://blog.avast.com/spyware-targets-iranian-android-users-by-abusing-messaging-app-telegram-bot-api

Trustwave SpiderLabs researchers discovered a zero-day vulnerability in Humax HG-100R WiFi Router, that could be exploited by attackers to compromise the WiFi credentials and obtain the router console administrative password.
https://www.trustwave.com/Resources/SpiderLabs-Blog/0-Day-Alert--Your-Humax-WiFi-Router-Might-Be-In-Danger/

Proofpoint analyzed Ovidiy Stealer, undocumented credential stealer, which is sold on the Russian-speaking forums.
https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses

Guido Vranken fuzzed FreeRADIUS source code and found 15 issues, four exploitable, and one of which is a remote code execution bug (RCE). Compile and upgrade now.
http://freeradius.org/security/fuzzer-2017.html

Humble Bundle is selling for next 12 days a lots of DRM-free cybersecurity books very cheaply.
https://www.humblebundle.com/books/cybersecurity-wiley

WireGuard, fast, modern, secure VPN tunnel is now formally verified with the Tamarin equational theorem prover. Really powerful software.
https://www.wireguard.com/formal-verification/

Interesting USENIX paper on the security (and analysis) of bootloaders in mobile devices:
BootStomp: On the Security of Bootloaders in Mobile Devices
http://cs.ucsb.edu/~yanick/publications/2017_sec_bootstomp.pdf

PyREBox is a Python scriptable Reverse Engineering sandbox developed by Cisco Talos. It is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective.
https://github.com/Cisco-Talos/pyrebox