9283 8B4A 87FE DC6E C327 EF05 70A8 B78D 1623 3FB5

Infosec bits for week 24/18

Roderick Mooi

  1. Net neutrality is dead — what now? (in some states at least) [The Verge]
    - arstechnica.com/tech-policy/2018/06/first-state-net-neutrality-law-took-effect-today-countering-fcc-repeal/
  2. 74 Arrested in Coordinated International Enforcement Operation Targeting Hundreds of Individuals in Business Email Compromise Schemes [US DOJ]
    - www.wsj.com/articles/officials-arrest-dozens-in-email-scam-aimed-at-u-s-businesses-1528747102 [paywalled]
  3. Want to Break Into a Locked Windows 10 Device? Ask Cortana [McAfee]
    - www.bleepingcomputer.com/news/security/cortana-hack-lets-you-change-passwords-on-locked-pcs/
    - www.howtogeek.com/fyi/patched-cortana-bug-let-hackers-change-your-password-from-the-lock-screen/
  4. Crypto-currency mining malware wreaks havoc in Africa [ITWeb]
    - At least $175 million worth of the Monero cryptocurrency has been stolen as part of malicious malware campaigns, according to a new study [PaloAlto Networks]
    - Backdoored images downloaded 5 million times finally removed from Docker Hub [Arstechnica]
  5. The Seven Properties of Highly Secure Devices [Microsoft]
  6. Ever wondered how those adverts manage to keep on finding you – even when you go incognito, switch devices, or never actually searched for the product in the first place? Let us count the (many, many) ways [THREAD]
    - time to think about fingerprinting again… (see last post here )
  7. Facebook confirms data sharing with Chinese companies [Reuters]
  8. Creating Quick Mass Scanning Tool with Python and ZMap [Cybrary]
    - for your own, authorised networks of course ;)
  9. The InvisiMole malware allows attackers to take control of a machine and silently allow them to here and see through the computer [WeLiveSecurity]
  10. VPNFilter Malware is Worse Than We Thought [SANS]
    - “One good defensive measure you can take is to make sure remote administration of your devices is disabled, or if it must be enabled, tightly control the access and check the logs. Be proactive checking for and applying appropriate firmware updates.” – Neely
  11. Deepfake Videos Are Getting Impossibly Good (disturbing?) [Gizmodo]
  12. MIT researchers develop frequency-hopping transmitter that fends off attackers (yay, some good and interesting news :) )

Infosec bits for week 21/18

Roderick Mooi

  1. Check that your Adobe products have been updated (as always…) [The Register]
    - and if that’s not enough:
    - PDF exploit built to combine zero-day Windows and Adobe Reader bugs [SC Magazine]
    - www.welivesecurity.com/2018/05/15/tale-two-zero-days/
  2. Preventing and recovering from ransomware: No More Ransom project
    - www.nomoreransom.org/en/prevention-advice.html
  3. Mirai botnet adds three new attacks to target IoT devices (including routers and DVRs) [ZDNet]
  4. It only took five hours to close a critical vulnerability in Signal’s desktop client [Cyberscoop]
  5. Side-Channel Vulnerability Variants 3a and 4 (aka New variants on Meltdown and Spectre) [US-CERT]
  6. Google’s Selfish Ledger ideas can also be found in its patent applications [The Verge]
  7. Is your browsing safe against tracking?
    - panopticlick.eff.org/
    - browserleaks.com/
    - amiunique.org/

Infosec bits for week 20/18

Roderick Mooi

  1. What Makes a Cybersecurity Team Successful? [SANS]
    - `The real point is “well prepared, well trained, well managed teams using mature processes will perform better, and need less ad hoc personal interaction to do so.” ‘ – Pescatore
    - `One difference between a “team” and any other group of people is a “plan.” At a minimum, a plan will say who will do what and when they will do it.’ – Murray
    - The SANReN CSIRT is here to help – talk to us :)
  2. Drupal Sites Fall Victims to Cryptojacking Campaigns [Bleeping Computer]
    - Large cryptojacking campaign targeting vulnerable Drupal websites [Bad Packets Report]
    - In case you missed it last time, we hope you’ve patched (and are maintaining) your Drupal instances…
  3. The Digital Vigilantes Who Hack Back [The New Yorker]
    - an interesting read, PG L – would’ve removed it if I was allowed to hack back ;)
  4. ‘Next generation’ flaws found on computer processors: magazine [Reuters]
    - Exclusive: Spectre-NG – Multiple new Intel CPU flaws revealed, several serious [c’t]

Infosec bits for week 17/18

Roderick Mooi

  1. Budget Conscious Information Security Resources
  2. NSA: Hackers Weaponize Known Vulnerabilities Within 24 Hours
  3. A Letter From the Future: It’s January 2019 and Hackers Are Stealing Your Data
  4. #RSAC: The Five Most Dangerous New Attacks According to SANS
  5. NIST Releases Version 1.1 of its Popular Cybersecurity Framework
  6. Unraveling the Cyber Skills Gap
  7. Internet Explorer Zero-Day Exploited in the Wild by APT Group
  8. Don’t trust Android OEM patching, claims researcher
  9. Unsafe Opcodes exposed in Intel SPI based products
  10. Uncovering Drupalgeddon 2
    - TLDR;: “The final results highlight how easy it is for organization to be exposed through no fault of their own, but rather through the third party platforms they use every day.”
  11. U.S. pins yet another cyberattack on Russia
  12. Jobs in cybersecurity are exploding. Why aren’t women in the picture?

Infosec bits for week 13/18

Roderick Mooi

  1. Iranian Hackers Charged For Spree Of Attacks On Hundreds Of Universities
    - www.wired.com/story/iran-cyberattacks-us-universities-indictment/
    - Iranian Hackers Charged Last Week Were Actually Pretty Damn Good Phishers
  2. Facebook and Cambridge Analytica – What’s Happened So Far
    - How Cambridge Analytica used your Facebook data to help elect Trump* – the lesson here is what’s important – your convenience / privacy…
    - What lies beneath: The things Facebook knows go beyond user data
    - Facebook denies it collects call and SMS data from phones without permission
    - The Facebook Privacy Setting That Doesn’t Do Anything at All
    - Mozilla’s new Firefox extension keeps your Facebook data isolated to the social network itself
    - The Complete Guide to Facebook Privacy [or how to properly delete your account ;)]
  3. Facebook CISO Alex Stamos May Be Leaving the Company Later This Year
    - Here’s the key takeaway: “[Editor Comments] [Paller] I know of no other conflict that has caused as many CISOs to leave or be terminated than the question of how much to disclose in the aftermath of a breach. The only survival strategy we have seen is to find a way to keep the lawyer (and sometimes the communications director) out of the meetings. If that is possible, the CISO’s key job is to encourage senior executives to understand how little chance there is that the company will be able to keep a lid on the information and how much worse late disclosure is than early disclosure.”
  4. AMD Acknowledges Vulnerabilities, Will Roll Out Patches In Coming Weeks
    - community.amd.com/community/amd-corporate/blog/2018/03/21/initial-amd-technical-assessment-of-cts-labs-research
  5. Administrator’s Password Bad Practice [something to pass on to your admins] – note tips at end
  6. Automatic Hunting for Malicious Files Crossing your Network – featuring useful tools like MISP, Bro, Splunk and TheHive
  7. Hackers Infect Linux Servers With Monero Miner via 5-Year-Old [Cacti] Vulnerability
  8. Did the FBI engineer its iPhone encryption court showdown with Apple to force a precedent? Yes and no, say DoJ auditors
  9. DMARC 2.0? New BIMI standard will help fight spoofing and phishing
    - Universities Lag in DMARC Adoption sadly
  10. With cryptojacking rising, exploit kits rapidly decline
    - Monero cryptocurrency: Malware’s rising star
  11. And if you made it this far, you deserve something special – 780 Days in the Life of a Computer Worm

Infosec bytes for week 10/18

Roderick Mooi

  1. Information security tops the EDUCAUSE Top 10 IT Issues list for the third year in a row.
    - Find out what higher education IT leaders are saying about it.
  2. Developing a Risk-Based Security Strategy in Higher Education
  3. How to protect Office 365 data from ransomware attacks
  4. The Trouble with Phishing
  5. Cisco Report Finds Organizations Relying on Automated Cyber-Security
    - “There are a number of different things that organizations can do to improve cyber-security, including regular patching to mitigate known threats. Artes [Security Business Group Architect] said that organizations need to get the basic “blocking and tackling” of cyber-security in place, which includes patching, to form a basis for risk mitigation.”
    - www.cisco.com/c/en/us/products/security/security-reports.html
  6. Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions
    - securityintelligence.com/xmrig-father-zeus-of-cryptocurrency-mining-malware/
  7. How Did This Memcache Thing Happen?
    - blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
  8. It’s Hard To Change The Keys To The Internet And It Involves Destroying HSM’s
  9. Why Blockchain Will Serve New IT Purposes in 2018
  10. Encryption 101: a malware analyst’s primer

Infosec bits for week 02/18

Roderick Mooi

  1. Meltdown and Spectre Updates Causing Problems for Some Users
    - Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers
    - Warning: Microsoft Fix Freezes Some PCs With AMD Chips
    - Important: Windows security updates released January 3, 2018, and antivirus software
    - “We’ll display this in red so it sticks out. Do not run the .reg file unless you’ve confirmed with your AV vendor that they’re compatible with the Meltdown and Spectre patches.”
    - Intel Releases Linux CPU Microcodes To fix Meltdown & Spectre Bugs
    - Qualcomm joins Intel, Apple, Arm, AMD in confirming its CPUs suffer hack bugs, too
    - List of Meltdown and Spectre Vulnerability Advisories, Patches, & Updates + see the US-CERT advisory
    - How to Protect Your Devices Against Meltdown and Spectre Attacks
    - You could resort to running everything on Raspberry Pi’s ;) jaxenter.com/spectre-meltdown-not-raspberry-pi-140201.html
    - And for the curious… Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw At the Same Time
  2. WPA3 announced
    - With WPA3, Wi-Fi security is about to get a lot tougher
    - WPA3 WiFi Standard Announced After Researchers KRACKed WPA2 Three Months Ago
  3. MADIoT – The nightmare after XMAS
  4. The Week in Ransomware – January 5th 2018 – Slow For The Holidays
  5. Monero going after just about everything…
    - New sophisticated Malware campaign Leveraging NSA Exploits to Mine Monero on Windows and Linux Systems
    - Massive Brute-Force Attack Infects WordPress Sites with Monero Miners
    - WebLogic Flaw Used to Install Monero Crypto Coin Miner + Hackers Make Whopping $226K Installing Monero Miners on Oracle WebLogic Servers
    - Miner blacklist
  6. Python-Based Botnet Targets Linux Systems with Exposed SSH Ports
  7. Hundreds of GPS Location Tracking Services Leaving User Data Open to Hackers
  8. Some news from December (worth mentioning):
    1. Stanford University executive leaves job after huge data breach
      - Stanford U. official ousted after keeping quiet about huge exposure of sensitive data
    2. Firewall Bursting: A New Approach to Better Branch Security
    3. Microsoft Word slams the door on DDEAUTO malware attacks
    4. Three More WordPress Plugins Found Hiding a Backdoor
      - www.wordfence.com/blog/2017/12/backdoor-captcha-plugin/

Infosec bits for weeks 48-49/17

Roderick Mooi

  1. US-CERT TA14-017A: UDP-Based Amplification Attacks – updated
    - Good background, detection methods and mitigation advice
    - CLDAP attacks have moved up to no. 3
  2. Google study finds phishing attacks more efficient than data breaches
    - www.scmagazine.com/google-study-finds-250000-web-credentials-stolen-every-week/article/706810/
    - www.zdnet.com/article/google-our-hunt-for-hackers-reveals-phishing-is-far-deadlier-than-data-breaches/
  3. Intel Releases Firmware Updates for Multiple Vulnerabilities
    - www.us-cert.gov/ncas/current-activity/2017/11/21/Intel-Firmware-Vulnerability
    - www.theregister.co.uk/2017/11/23/intel_firmware_fixes_slow_to_arrive/
    - www.bleepingcomputer.com/news/hardware/dell-other-vendors-start-shipping-laptops-with-intel-me-firmware-disabled/
  4. Patches Available for Samba Vulnerabilities
    - Patch your embedded devices (or any others using samba) and/or disable SMB1
    - blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
    - redmondmag.com/articles/2017/05/18/more-advice-on-disabling-windows-smb-1.aspx
    - Remember to check your printers!
  5. Microsoft Office Equation Editor Flaw is Already Being Exploited
  6. Malicious Document Turns Off Word Macro Protections
  7. GitHub: Introducing security alerts on GitHub
  8. AWS Bucket Misconfiguration Exposes Classified NSA Data
    - Key takeaway: Use Amazon’s free vulnerability assessment service for the first 90 days while you implement a plan to extend your own vulnerability management solution to include the new AWS bucket
  9. Enable First-Party Isolation (FPI) on FireFox to further block trackers from adding to your online profile
  10. FaceID Beaten By Mask
  11. ‘Pop-Unders’ used to Launch Hidden, Persistent Cryptocurrency Miners
    - www.bleepingcomputer.com/news/security/cryptojacking-script-continues-to-operate-after-users-close-their-browser/
    - isc.sans.edu/forums/diary/9+Fast+and+Easy+Ways+To+Lose+Your+Crypto+Coins/23071/
  12. Prison hacker who tried to free friend now likely to join him inside!

Infosec bits for week 45/17

Roderick Mooi

  1. A look into the global ‘drive-by cryptocurrency mining’ phenomenon
  2. New Amazon S3 Encryption & Security Features
    - including Default Encryption, Permission Checks, Cross-Region Replication ACL Overwrite, Cross-Region Replication with KMS and Detailed Inventory Report
  3. Google releases KRACK patches for Android
  4. Microsoft Provides Guidance on Mitigating DDE Attacks
    - technet.microsoft.com/library/security/4053440
    - Note A: “Disabling this feature could prevent Excel spreadsheets from updating dynamically if disabled in the registry”
    - Note B: “Users of the Windows 10 Fall Creator Update can leverage Windows Defender Exploit Guard to block DDE-based malware with Attack Surface Reduction (ASR). Attack Surface Reduction is a component within Windows Defender Exploit Guard that provides enterprises with a set of built-in intelligence that can block the underlying behaviors used by malicious documents to execute attacks without hindering product operation. By blocking malicious behaviors independent of what the threat or exploit is, ASR can protect enterprises from never-before-seen zero-day attacks like these recently discovered vulnerabilities: CVE-2017-8759, CVE-2017-11292, and CVE-2017-11826.”
  5. Half of people plug in USB drives they find in the parking lot
    - scary, but a nice (safe and non-intrusive) way to test how many get plugged in
  6. Stop relying on file extensions
  7. Honey Accounts
    - an interesting (and easy to implement) approach for early detection of malicious activity utilising AD
  8. Factsheet Post-quantum cryptography – start planning today!
    - TL;DR : use min 256 bit keys for AES; RSA, ECDSA and DH not secure when quantum comes into play; use SPHINCS-256/XMSS for stateless/stateful digital signatures

Infosec chews for geeks 45/17

Roderick Mooi

  1. High-Level Approaches for Finding Vulnerabilities
  2. Reverse Engineering & Exploitation of a “Connected Alarm Clock”
    - “This article describes my journey into the Aura, from firmware image grabbing to remote buffer overflow exploitation.”
  3. Detecting CrackMapExec (CME) with Bro, Sysmon, and Powershell logs
  4. An (un)documented Word feature abused by attackers
  5. How I hacked Google’s bug tracking system itself for $15,600 in bounties
  6. Defeating Google’s audio reCaptcha with 85% accuracy
  7. Analysing a Cryptocurrency phishing attack that earns $15K in two hours
  8. Hacking Cryptocurrency Miners with OSINT Techniques
  9. CryptoShuffler: Trojan stole $140,000 in Bitcoin
  10. Linux kernel: multiple vulnerabilities in the USB subsystem
    - should be fun to try…
  11. Intel’s super-secret Management Engine firmware now glimpsed, fingered via USB
  12. YARA: The pattern matching swiss knife for malware researchers
  13. PoC||GTFO PASTOR LAPHROAIG RACES THE RUNTIME RELINKER