Infosec bits for week 45/17

  1. A look into the global ‘drive-by cryptocurrency mining’ phenomenon
  2. New Amazon S3 Encryption & Security Features
    - including Default Encryption, Permission Checks, Cross-Region Replication ACL Overwrite, Cross-Region Replication with KMS and Detailed Inventory Report
  3. Google releases KRACK patches for Android
  4. Microsoft Provides Guidance on Mitigating DDE Attacks
    - technet.microsoft.com/library/security/4053440
    - Note A: “Disabling this feature could prevent Excel spreadsheets from updating dynamically if disabled in the registry”
    - Note B: “Users of the Windows 10 Fall Creator Update can leverage Windows Defender Exploit Guard to block DDE-based malware with Attack Surface Reduction (ASR). Attack Surface Reduction is a component within Windows Defender Exploit Guard that provides enterprises with a set of built-in intelligence that can block the underlying behaviors used by malicious documents to execute attacks without hindering product operation. By blocking malicious behaviors independent of what the threat or exploit is, ASR can protect enterprises from never-before-seen zero-day attacks like these recently discovered vulnerabilities: CVE-2017-8759, CVE-2017-11292, and CVE-2017-11826.”
  5. Half of people plug in USB drives they find in the parking lot
    - scary, but a nice (safe and non-intrusive) way to test how many get plugged in
  6. Stop relying on file extensions
  7. Honey Accounts
    - an interesting (and easy to implement) approach for early detection of malicious activity utilising AD
  8. Factsheet Post-quantum cryptography – start planning today!
    - TL;DR: use a minimum of 256-bit keys for AES; RSA, ECDSA and DH are not secure once quantum computers come into play; use SPHINCS-256/XMSS for stateless/stateful digital signatures

Infosec chews for geeks 45/17

  1. High-Level Approaches for Finding Vulnerabilities
  2. Reverse Engineering & Exploitation of a “Connected Alarm Clock”
    - “This article describes my journey into the Aura, from firmware image grabbing to remote buffer overflow exploitation.”
  3. Detecting CrackMapExec (CME) with Bro, Sysmon, and Powershell logs
  4. An (un)documented Word feature abused by attackers
  5. How I hacked Google’s bug tracking system itself for $15,600 in bounties
  6. Defeating Google’s audio reCaptcha with 85% accuracy
  7. Analysing a Cryptocurrency phishing attack that earns $15K in two hours
  8. Hacking Cryptocurrency Miners with OSINT Techniques
  9. CryptoShuffler: Trojan stole $140,000 in Bitcoin
  10. Linux kernel: multiple vulnerabilities in the USB subsystem
    - should be fun to try…
  11. Intel’s super-secret Management Engine firmware now glimpsed, fingered via USB
  12. YARA: The pattern matching swiss knife for malware researchers
  13. PoC||GTFO PASTOR LAPHROAIG RACES THE RUNTIME RELINKER

WordPress 4.8.3 Security Release

  1. WordPress 4.8.3 Security Release
    - Fixes an issue leading to potential SQL injection (SQLi) (via themes/plugins)
    - “Ferrara … disputes that the WordPress core is not directly affected”
    - While you’re here:
    1. Check your WordPress site for vulnerabilities: wpscans.com/
    2. Enable/verify automatic updates of WordPress and plugins (or at least have it email you when updates are available)
      1. WordPress.org: Configuring Automatic Background Updates – note: only minor updates by default
      2. WordPress Upgrade shell Script – plugins, themes, crontab and more! (at own risk – review the code before use)
    3. Other ideas for securing WordPress

DUHK Attack

  1. Don’t Use Hard-coded Keys
    - “DUHK is a vulnerability that affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key… DUHK allows attackers to recover secret encryption keys from vulnerable implementations and decrypt and read communications passing over VPN connections or encrypted web sessions.”
    - If you are using any of the following, ensure you’re on the latest firmware to mitigate:
      - Fortinet FortiOS v4 (v5 is not vulnerable)
      - Cisco Aironet
      - BeCrypt Cryptographic Library
      - DeltaCrypt FIPS Module
      - MRV LX-4000T/LX-8020S
      - Neoscale CryptoStor
      - Neopost Security Devices
      - Renesas AE57C1
      - TechGuard PoliWall-CCF
      - Tendyron OnKey193
      - ViaSat FlagStone Core
      - Vocera Cryptographic Module