InfoSec Week 20, 2018

Major US cell carriers (and probably not only they) are selling access to real-time phone location data.
Because, you know, the Electronic Communications Privacy Act only restricts telecommunication companies from disclosing data to the government; it doesn't restrict disclosure to other companies, which can resell it back to the government. The Hacker News discussion on the topic is quite informative.

The Guardian wrote that, according to Oracle's findings, Android devices send detailed information on searches, what is being viewed, and precise locations to Google, even if location services are turned off and the smartphone does not have a SIM card or application installed.

A new report details a widespread campaign targeting several Turkish activists and protesters by their government, using the government malware made by FinFisher.

A new set of vulnerabilities affecting users of PGP and S/MIME was published. The main problem lies in how email clients handle the output of the encryption tool; the protocol itself is not vulnerable, and GnuPG should be fine.

Cryptocurrency mining malware was found in the Ubuntu Snap Store.

Essential reading on how spies are able to shape the narrative of journalistic pieces by leaking documents.

The US media have learned the identity of the prime suspect in the Vault7 WikiLeaks CIA breach. It should be a 29-year-old former C.I.A. software engineer, a government malware writer.

Great blog post about the math behind homomorphic encryption and its existing implementations.

There is an article about common encryption workarounds in criminal investigations, written by Orin S. Kerr and Bruce Schneier.

Sunder is a new desktop application for dividing access to secret information between multiple participants using Shamir's secret sharing method.

DARKSURGEON is a Windows packer project to empower incident response, malware analysis, and network defense.

InfoSec Week 19, 2018

There is a first ransomware taking advantage of the new Process Doppelgänging fileless code injection technique, which works on all modern versions of Microsoft Windows since Vista. This variant of the known SynAck ransomware uses NTFS transactions to launch a malicious process by replacing the memory of a legitimate process.

Security researchers from the Dutch information security company Computest have found that some Volkswagen and Audi cars are vulnerable to remote hacking. They were able to exploit the vehicle infotainment systems. Possible attackers could track the car's location as well as listen to conversations in the car.

Twitter found a bug that stored user passwords unmasked in an internal log. There is no indication of a breach, but all Twitter users should change their passwords.

There is a breakthrough cryptographic attack on 5-round AES using only 2^22 (previous best was 2^32), presented at CRYPTO 2018. It is the joint work of Nathan Keller, Achiya Bar On, Orr Dunkelman, Eyal Ronen and Adi Shamir. This kind of attack is useful for evaluating the security of a cipher; it does not have any real-world implications, as AES uses at least 10 rounds in production implementations.

A bug hunter who found multiple vulnerabilities in the 7-zip software used by anti-virus vendors wrote a blog post on how to exploit one such bug. Interesting read.

The 360 Core Security Division response team detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious sample that uses a browser 0-day vulnerability (CVE-2018-8174). It is a remote code execution vulnerability of Windows VBScript engine and affects the latest version of Internet Explorer.
Microsoft patched this vulnerability a few days ago and credited the Chinese researchers.

Source code of TreasureHunter Point-of-Sale malware leaks online.

The ssh-decorator package from Python pip had an obvious backdoor (sending ip+login+password to ssh-decorate[.]cf in cleartext HTTP).

Luke Picciau wrote about his experience with Matrix and its Riot messenger for one year.

There is a first official version 1.0 RC of Briar for Android.
Briar is an open-source End-to-end encrypted Bluetooth / WiFi / Tor based mesh-networking (decentralized) messaging application.

The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection.

InfoSec Week 18, 2018

Multiple tech giants like Apple, Microsoft, Google and others formed an industry coalition and have joined security experts in criticizing encryption backdoors, after Ray Ozzie's CLEAR key escrow idea was widely derided. He basically proposed a scheme where the users have no control over their own devices, but the devices can be securely forensically analyzed by the government agencies.

There is an information leaking vulnerability via crafted user-supplied CDROM image.
"An attacker supplying a crafted CDROM image can read any file (or device node) on the dom0 filesystem with the permissions of the qemu device model process."
The Qubes OS operating system is not affected due to its properly compartmentalized architecture.

Great in-depth blog about the reconstruction of the exploit created by the CIA's "Engineering Development Group" targeting MikroTik's RouterOS embedded operating system. This exploit was made public by WikiLeaks last year.

Bypassing authentication and impersonating arbitrary users in Oracle Access Manager with a padding oracle. The guy basically broke Oracle's home-grown cryptographic implementation.

There is a critical privilege escalation vulnerability affecting Apache Hadoop versions from 2.2.0 to 2.7.3.

Arbor Networks' security researchers have claimed that the anti-theft software Absolute LoJack is serving as espionage software modified by the Russia-based Fancy Bear group.

Wired wrote an article about the famous Nigerian 419 scammers, their culture and why they are still flourishing.

Matrix and the Riot instant messenger application are confirmed as the basis for the French government's initiative to implement a federated secure messenger.

Amazon threatens to suspend the Signal secure messenger's AWS account over censorship circumvention. Signal uses a different TLS Server Name Indication ("domain fronting") when establishing a connection to circumvent network censorship, but Amazon says it is against their terms of service.

Respected German CT-Magazine says that there are 8 new Spectre vulnerabilities found in the Intel processors.

InfoSec Week 17, 2018

A loud sound emitted by a gas-based fire suppression system deployed in the data center has destroyed the hard drives of a Swedish data center, downing NASDAQ operations across Northern Europe.

Signal for iOS, version and prior, is vulnerable to the screen lock bypass (CVE-2018-9840).
The blog explains how the vulnerability can be exploited in practice.

Good summary of integrated circuit counterfeiting, detection and avoidance methods by hardware engineer Yahya Tawil.

A new Python-based cryptocurrency mining malware, PyRoMine (FortiGuard Labs), is using the ETERNALROMANCE exploit attributed to the NSA to propagate a Monero cryptocurrency miner.

The Australian Bureau of Statistics tracked people by their mobile device data to enrich their collection of data.

A BGP hijack affected Amazon DNS and rerouted web traffic for more than two hours. Attackers used the hijack to serve a fake cryptocurrency website.

Embedi researchers analyzed the security of a Huawei Secospace USG6330 firewall firmware. Good insight on how to analyze devices in general.

The ISO has rejected SIMON and SPECK symmetric encryption algorithms designed and proposed by the NSA. They are optimized for small and low-cost processors like IoT devices.

The Center for Information Technology Policy at Princeton announced IoT Inspector, an ongoing initiative to study consumer IoT security and privacy.

There is a Proof of Concept for Fusée Gelée - a coldboot vulnerability that allows full, unauthenticated arbitrary code execution on NVIDIA's Tegra line of embedded processors. This vulnerability compromises the entire root-of-trust for each processor, leading to full compromise of on-device secrets where USB access is possible.

InfoSec Week 16, 2018

Google disables domain fronting capability in their App Engine, which was used to evade censorship. What a fortunate timing.

Bloomberg published an article on how Palantir is using War on Terror tools to track American citizens.

Third-party JavaScript trackers are actively exfiltrating personal identifiers from websites which use the "login with Facebook" button and other such social login APIs.

The U.S. and the UK blame Russia for a campaign of hacks into routers, switches and other connected infrastructure.

One of the people charged for the Reveton ransomware trojan was actually working as a Microsoft network engineer.

Intel processors now allow antivirus software (mostly Microsoft's right now) to use built-in GPUs for in-memory malware scanning.

Avast shared CCleaner breach timeline. They were infiltrated via TeamViewer. More than 2.3 million users, 40 companies infected.

Nice blog post about the quantum resistant hash-based signature schemes. No public key cryptography.

The new Android P enables users to change the default DNS server; it will also support DNS over TLS.

There is a new web standard for authentication, designed to replace password login method with the public key cryptography and biometrics.

OpenSSL is vulnerable to a cache timing vulnerability in RSA Key Generation (CVE-2018-0737).
It could theoretically be exploited by some hypervisor, but they have decided not to release an emergency fix.

Endgame has released Ember (Endgame Malware BEnchmark for Research), an open source collection of 1.1 million portable executable file metadata & derived features from the PE files, hashes and a benchmark model trained on those features.

InfoSec Week 15, 2018

The U.S. Secret Service is warning about a new scam scheme where crooks are intercepting new debit cards in the mail and replacing the chips on the cards with chips from old cards. Once the owners activate the cards, the crooks will use the stolen chips for their financial gain.

Russian state regulator Roskomnadzor has ordered the blocking of the Telegram messaging application 48 hours after it missed a deadline to give up the encryption keys to the online conversations of its users. I am not sure whether the Telegram protocol is actually blocked in Russia now.

The new Android P version will force applications to communicate over TLS-secured connections by default.

Kudelski Security published a walk-through guide about Manger's attack against RSA OAEP. A 1-bit leak from the oracle suffices to decrypt ciphertexts.

In-depth article about stealing FUZE credit card content via Bluetooth.

Understanding Code Signing Abuse in Malware Campaigns. Pretty good statistics.

There is a vulnerability that results in a bypass of the tamper protection provided by Sophos Endpoint Protection v10.7. The protection mechanism can be bypassed by deleting an unprotected registry key.

Several vulnerabilities have been found in the Apache HTTPD server. Update now.

The Microsoft Windows tool certutil.exe, for displaying certification authority information, can be used to fetch data from the internet in a similar fashion to wget or curl.

There is a paper about breaking 256-bit security (NIST post-quantum candidate) WalnutDSA in under a minute.

Snallygaster - a Tool to Scan for Secrets on Web Servers

Nice map of the ongoing Linux kernel defenses. The map shows the relations between the vulnerability classes, current kernel defenses and bug detection mechanisms.

InfoSec Week 14, 2018

There is a critical flaw in the Microsoft Malware Protection Engine (CVE-2018-0986). They used the open source unrar code and changed all the signed ints, breaking the code. Remote SYSTEM memory corruption.

Blog by Latacora about the right choices and parameters when dealing with cryptography for backups, communication, authentication, etc. Nice summary, with the explanation and historical references.

The Italian football club Lazio has been scammed by a social engineering attack via email. The club paid a transfer bill of €2 million into a fraudster’s bank account instead of that of the Dutch club Feyenoord.

The people behind the Google Wycheproof project, which tests crypto libraries against known attacks, released test vectors for many crypto primitives.

Cloudflare announced consumer DNS service sitting on a address. Supports DNS-over-TLS, also DNS-over-HTTPS.

Good explanatory blog about the oblivious DNS and why DNS should not require our trust at all.

There is a local privilege escalation vulnerability (CVE-2018-0492) in the Debian beep package. Yes, beep package for motherboard beeping. Escalation, because setuid + race condition.

LibreSSL 2.7.0 was accepting all invalid host names as correct. The vulnerability was found by Python maintainer Christian Heimes when running tests after porting the new LibreSSL to Python 3.7. Nobody affected.

VirusTotal launches a new Android Sandbox system VirusTotal Droidy to help security researchers detect malicious apps based on behavioral analysis.

MesaLink is a new memory-safe and OpenSSL-compatible TLS library written in Rust.

InfoSec Week 13, 2018

The city of Atlanta government has become the victim of a ransomware attack. The ransomware message demands a payment of $6,800 to unlock each computer or $51,000 to provide all the keys for the affected systems. Employees were told to turn off their computers.

Academic researchers have discovered a new side-channel attack method called BranchScope that can be launched against devices with Intel processors, and demonstrated it against an SGX enclave. The patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks.

Good insight into the ransomware business and how it operates, how it transfers Bitcoin funds, with data gathered over a period of two years.
The paper is named "Tracking Ransomware End-to-end"

Mozilla has created a Facebook Container extension for Firefox, which should enable users to protect their online habits by sandboxing Facebook webpage.

Interesting article about the North Korean army of hackers operating abroad with the mission to earn money by any means necessary.

Unified logs in macOS High Sierra (up to 10.13.3) show the plain text password for APFS encrypted external volumes via the Disk Utility application.

SophosLabs researchers analyzed a new Android malware which pretends to be a legitimate QR reader application, but actually monetizes users by showing them a flood of full-screen advertisements. More than 500k apps were installed.

Brian Krebs analyzed the social network behind the recently famous Coinhive javascript cryptocurrency mining business.

Cloudflare published the Merkle Town dashboard, a Certificate Transparency logs visualization tool.

Facebook is tracking users' phone call information via their Android Messenger application.

There are multiple critical vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software.

New version (4.0) of the most secure operating system on the planet - Qubes OS was released.

InfoSec Week 12, 2018

Facebook, Google, Cisco, WhatsApp and other industry partners got together to create Messaging Layer Security as an open standard for end-to-end encryption with formal verification. Messaging Layer Security is now an IETF working group as well.

Long read about the takedown of Gooligan, Android botnet that was stealing OAuth credentials back in 2016.

The Israeli security company CTS Labs published information about a series of exploits against AMD chips just one day after they notified AMD.

Russia orders company behind the Telegram messaging application to hand over users’ encryption keys.

Hacker behind Guccifer 2.0 pseudonym, known for providing WikiLeaks with stolen emails from the US Democratic National Committee, was an officer of Russia’s military intelligence directorate.

Fascinating in-depth blog about breaking the security of the Ledger cryptocurrency hardware wallet.

There was a Facebook bug which made persistent XSS in Facebook wall possible by embedding an external video using the Open Graph protocol.

Two-part series about cracking the passwords of Chinese hardware "encrypted" hard drives. PIN recovered.

Documents leaked by Edward Snowden reveal that the NSA worked to “track down” Bitcoin users.

Dark Web Map - a visualization of the structure of 6.6k Tor onion services, a.k.a. hidden services, a.k.a. the dark web.

InfoSec Week 11, 2018

A cyberattack on a Saudi Arabian petrochemical company was probably planned with a physical explosion in mind. They have attributed it to Iran and didn't mention Stuxnet at all, so it is a somewhat one-sided view of this cyberwarfare exchange.

There is a critical vulnerability in the Credential Security Support Provider protocol (CredSSP) that affects all versions of Windows. Due to a cryptographic flaw, a man-in-the-middle attack could allow remote procedure call attacks and data exfiltration against RDP and WinRM.

A vulnerability (CVE-2018-1057) in Samba allows authenticated users to change other users' password.

Kubernetes vulnerability (CVE-2017-1002101) allows containers using subpath volume mounts with any volume type to access files/directories outside of the volume, including the host’s filesystem. Updated version is already available.

Quite good exchange on the encryption policy and the government backdoor proposals between the US National Academy of Sciences and the Electronic Frontier Foundation. Relevant for all democratic regimes.

Kaspersky has discovered PlugX remote access tool (RAT) malware installed across the pharmaceutical organizations in Vietnam, aimed at stealing drug formulas and business information.

Encrypted Email Service provider ProtonMail is being blocked by internet service providers in Turkey.

CTS-Labs security researchers have published a whitepaper identifying four classes of potential vulnerabilities in the Ryzen, EPYC, Ryzen Pro, and Ryzen Mobile processor lines.

Adam Langley's blog post about the inability of the TLS 1.3 to snoop on proxy traffic.

Hacker Adrian Lamo dies at 37. He was known for his involvement in passing information on whistleblower Chelsea Manning, a former US Army soldier who leaked sensitive information to WikiLeaks.

To find an assault suspect, police in Raleigh, North Carolina used search warrants to demand Google accounts not of specific suspects, but from any mobile devices that veered too close to the scene of a crime in a specific time.

Kaspersky releases Klara, a distributed system written in Python, designed to help threat intelligence researchers hunt for new malware using Yara rules.

Nice paper about a simple manual cipher that should be resistant to modern cryptanalysis.
LC4: A Low-Tech Authenticated Cipher for Human-To-Human Communication
