A take on the security news, week 07 2015

Mon 09 February 2015

A take on the security news, week 07 / 2015. I summarize some of the news that I considered noteworthy related to information security this week.
Online Windows binary file analyzer, Apple blocks Flash again, Honeyhashing, PCI deprecates SSL, MS Patch tuesday and a unsecure weatherstation.

Monday

Anthem spam

Insurance company Anthem is warning their customers to be aware of scam. This happens after hackers have accessed records of about 80 million people. The stolen information include name, social security numbers and email addresses.

Anthem is the second largest insurer in the US.

http://abcnews.go.com/Technology/wireStory/anthem-warns-phishing-emails-massive-hack-28780111

Online Windows binary file analyzer

Need to check a windows binary for the most obvious flaws? Use the webbased file analyzer provided by NCC Group.

If you dont like web guis you can also use their analyzer API.

https://labs.nccgroup.com/NCCGroupWindowsBinaryAnalyzer/

https://labs.nccgroup.com/NCCGroupWindowsBinaryAnalyzer/Help/

Tuesday

Apple blocks flash again

Due to 0-days exploit in Adobe Flash, Apple has again blocked Flash through XProtect. All version prior to the latest version is blocked, andhe latest version is now 16.0.0.305.

http://www.intego.com/mac-security-blog/apple-updates-safari-adobe-flash-player-web-plugin-disables-all-flash-player-versions-prior-to-16-0-0-305/

https://discussions.apple.com/thread/4788923

Netflix opensource security tools

A 45 minutes long talk titled “The Joy of Intelligent Proactive Security”.

https://ia801509.us.archive.org/5/items/shmoocon-2015-videos-playlist/The%20Joy%20of%20Intelligent%20Proactive%20Security%20%5BSC2015%5D.mp4

Wednesday

Honeyhashing in an Windows environment

A great diary and video on how you can use honeyhashing / honeytokens to detect mimikatz use in your network.

https://isc.sans.edu/forums/diary/Detecting+Mimikatz+Use+On+Your+Network/19311/

https://www.youtube.com/watch?v=v2IVRcktKZs&feature=youtu.be

Microsoft patch tuesday

This month we got 9 bulletins where 3 of them is marked as critical by Microsoft. The most important bulletins are listed below.

  • Internet Explorer har 39 vulnerabilites patched where some of them is rated as “might already be exploited”.
  • Windows kernelmode drivers has patched 6 vulnerabilities.
  • Group policy is patched for remote code execution.
  • MS Office is patched for remote code execution and security feature bypass.

One of the patches (Visual C) is causing problems and is already withdrawed by Microsoft.

https://technet.microsoft.com/library/security/ms15-feb

PCI standard deprecate SSL

PCI DSS will update their standards due to several vulnerabilities found in SSL. SSL no longer meets the definition of “strong encryption” and if you want to stay compliant you must use TLS.

This was stated in a newsletter from the Payment Card Industry council and was misinterpreted as “https is not consider good enough”. However, SSL is not TLS and TLS is still considered safe to use when transmitting creditcard information.

The deprecation is in the PCI standard, version 3.1.

https://www.darasecurity.com/article.php?id=31

Thursday

Google Play Store UXSS attack in metasploit

A module for metasploit is released that let the attacker install any content from the Google Play Store on the victims device.

The attack leverages two vulnerabilities, one in the Android’s open source stock browser, and one in the Google Play Store webinterface. To stay secure of this exploit you can use a browser not suspectible to UXSS attacks, like Firefox, Chrome or Dolphin.

https://community.rapid7.com/community/metasploit/blog/2015/02/10/r7-2015-02-google-play-store-x-frame-options-xfo-gaps-enable-android-remote-code-execution-rce

Internet exposed gaspump systems hacked

With help of the searchengine shodan and the portscanner tool nmap attackers have gathered a list of Internet exposed gas-pump monitoring systems. Attacerks have also hacked some of the systems to prove that they have been there.

This is just another example of the new trend in unsecured IoE.

http://blog.trendmicro.com/trendlabs-security-intelligence/is-anonymous-attacking-internet-exposed-gas-pump-monitoring-systems-in-the-us/

Forbes compromised and used in targeted waterhole attack

A Flash widget (“thought of the day”) on forbes.com was compromised late last year. The special about this attack is that only a small targeted number of visitors (US Defence and large fiancial firms) got infected when visiting forbes.com. All the other visitors got the innocent Flash code that it was supposed to receive.

The attack chained two 0-day vulnerabilities, one in Adobe Flash and one in Internet Explorer, and has been attributed to Chinese actors.

http://www.isightpartners.com/2015/02/codoso/

http://www.invincea.com/2015/02/chinese-espionage-campaign-compromises-forbes/

Friday

Project Zero release proof-of-concept for Flash vulnerability CVE-2015-0318

This is proof-of-concept for the Flash vulnerability that was patched last week. The vulnerability is caused by a bug in the PCRE regex engine, and if you didnt patch last week you should do it now.

http://googleprojectzero.blogspot.no/2015/02/exploitingscve-2015-0318sinsflash.html

Weatherstation sends your WiFi password unencrypted to the cloud

Its found that Netatmo weatherstations sends your WiFi password back to the cloud on initial setup. And to make it worse all data (including sensor data) is transmitted without encryption.

The manufacturer claimed that this was a “debug” feature that they forgot to turn off before shipping the product. An firmware update has been issued that seems to fix the information leakage vulnerability.

This raise (again) some concerns about the security of all the new IoE devices that are being shipped. It seems that very few of them have been designed with any form of security in mind.

https://isc.sans.edu/forums/diary/Did+You+Remove+That+Debug+Code+Netatmo+Weather+Station+Sending+WPA+Passphrase+in+the+Clear/19327/

https://gigaom.com/2015/02/12/researcher-discovers-security-flaw-in-netatmo-weather-station/

Virustotal to add whitelist

Virustotal has started an initiative to reduce the number of false positives created by anti -virus/-malware software. The whitelist is a collection of hashes of known files (in known good state).

So far they have worked with Microsoft and claim that the number of false positives are reduced with 6000 items. They are encouriging other large software companies to get in contact and submit metadata that can be used for whitelisting.

http://blog.virustotal.com/2015/02/a-first-shot-at-false-positives.html

Comments