A take on the security news, week 08 2015

Wed 18 February 2015

A take on the security news, week 08 / 2015. I summarize some of the news that I considered noteworthy related to information security this week.
Patches gone wrong for Microsoft, a weak PRNG in WordPress, HSTS in Internet Explorer, vulnerable Netgear routers, and a new Snowden document.

Monday

Patches gone wrong for Microsoft

It has been reported that two of last week's patches are causing trouble for some users. The first report is that the patch that is supposed to close the POODLE vulnerability has caused problems for users of Cisco AnyConnect VPN on Windows 8.1. Try running AnyConnect in Windows 7/8 compatibility mode to avoid the problem.

The second report is that PowerPoint fails to open. If you experience this problem, try uninstalling the patch.

http://windowsitpro.com/msrc/patch-tuesday-microsoft-removes-kb2920732-breaks-powerpoint

Kaspersky reveals malware infiltrated in banks

A new report about the state of financial cyberthreats last year is now available. The report has several findings and is worth a read. For example: "KSN statistics show that in 2014 Mac owners faced phishing attacks as often as the users of computers running Windows." and over 94% of all malware is financial malware.

https://securelist.com/files/2015/02/KSN_Financial_Threats_Report_2014_eng.pdf

Weak random-number generator in WordPress

For cross-platform and backwards compatibility reasons, WordPress has relied on php_mt_seed to get random numbers. php_mt_seed is not sufficient for generating cryptographically strong random numbers. There is now a patch available to mitigate this issue.

It is important that website owners apply this patch, because weak random numbers can be leveraged to bypass authentication.

http://seclists.org/fulldisclosure/2015/Feb/42

Tuesday

MongoDB security checklist

A list of security measures that you can take to protect your MongoDB installation. Some of the measures are generic, and you could probably use them if you are running some other NoSQL database.

http://docs.mongodb.org/manual/administration/security-checklist/

HTTP Strict Transport Security in Internet Explorer

The HSTS protocol allows only secure connections (HTTPS) to a website. This is done with the help of a preload list, containing the names of websites that the browser should connect to ONLY through HTTPS. If your site is not on the list, you can serve an HSTS header to make all subsequent connections get routed to HTTPS.

The news is that Internet Explorer will get support for HSTS.
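To make the two mechanisms concrete, here is an added example (not code from the original post or from Microsoft) of the client-side logic: a constructed preload list plus a dynamic cache fed from Strict-Transport-Security headers, used to decide whether a plain http:// URL gets rewritten to https://. The preload entries and hostnames are constructed placeholders.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample preload list: host -> includeSubDomains flag.
# A real browser ships this list with its binary.
PRELOAD = {"example.com": True}


class HstsCache:
    def __init__(self, preload, now=time.time):
        self.preload = {h.lower(): flag for h, flag in preload.items()}
        self.dynamic = {}   # host -> (expires_at, include_subdomains)
        self.now = now      # injectable clock so expiry can be tested

    def record_header(self, host, header_value):
        """Parse a Strict-Transport-Security value. The caller must only pass
        headers received over HTTPS; an HSTS header on plain HTTP is ignored by spec."""
        directives = {}
        for part in header_value.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.lower()] = value.strip().strip('"')
        max_age = directives.get("max-age", "")
        if not max_age.isdigit():        # max-age is mandatory; anything else is invalid
            return False
        if int(max_age) == 0:            # max-age=0 tells the client to forget the host
            self.dynamic.pop(host.lower(), None)
            return True
        expires = self.now() + int(max_age)
        self.dynamic[host.lower()] = (expires, "includesubdomains" in directives)
        return True

    def is_known_host(self, host):
        """Exact match always counts; a parent domain only counts with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), (i == 0)
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.dynamic.get(candidate)
            if entry and entry[0] > self.now() and (exact or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Return the URL the client should actually fetch (http -> https for known hosts)."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known_host(p.hostname or ""):
            return url
        netloc = p.hostname if p.port == 80 else p.netloc   # port 80 maps to 443, others stay
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```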

http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx

Wednesday

Microsoft announces FIDO support in Windows 10

To get a step further away from passwords, Microsoft announced that Windows 10 will support the FIDO two-factor authentication scheme. The FIDO authentication scheme is normally implemented through a USB device.

http://blogs.windows.com/business/2015/02/13/microsoft-announces-fido-support-coming-to-windows-10/

Duplicate ssh keys

Shodan did a study on how often the same public keys are found in the wild. The most frequently used key found was deployed on over 250,000 devices! If you have one of those devices, you can try brute-forcing the public key to extract the private key.

It turns out that the massive deployment of a single key is done by large ISPs so they can access their equipment easily.

https://blog.shodan.io/duplicate-ssh-keys-everywhere/

Thursday

Netgear routers vulnerable to remote attacks

If you have not disabled the WAN administration interface on your router, it is now time to do so. A new vulnerability in the "Genie" application can be used to read/write certain parameters in the router. The vulnerability is caused by a lack of proper authentication in the SOAP component.

The mitigation is to turn off the WAN administration interface, which should never be on by default anyway.

https://github.com/darkarnium/secpub/tree/master/NetGear/SOAPWNDR

Is your Samsung TV listening to you?

A researcher wanted to check whether the Samsung Smart TV leaks data when spoken to. A capture of the network traffic showed that the TV was sending data to a third party. The receiver of the data is Nuance, a speech-recognition company. The data was sent over port 443, but not encrypted, as you might expect. The choice of port 443 is probably due to the fact that 443 is whitelisted in most routers.
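The lesson for defenders is that "port 443" and "encrypted" are not the same thing. As an added example (not from the original post or the researcher), the following check looks at the first bytes a client sends on port 443 and flags flows that are not a TLS handshake; the sample flows and addresses are constructed.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ")


def looks_like_tls(payload: bytes) -> bool:
    """True if the bytes start with a TLS record header: content type 0x16 (handshake),
    a 3.x protocol version, and a record length within the allowed maximum."""
    if len(payload) < 5:
        return False
    content_type, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return content_type == 0x16 and major == 3 and minor <= 4 and 0 < length <= 16384 + 2048


def classify_payload(payload: bytes) -> str:
    if looks_like_tls(payload):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def flag_cleartext_on_443(flows):
    """flows: iterable of (src_ip, dst_port, first_client_bytes).
    Returns (src_ip, verdict) for every port-443 flow that does not start with TLS."""
    findings = []
    for src, dport, payload in flows:
        if dport != 443:
            continue
        verdict = classify_payload(payload)
        if verdict != "tls":
            findings.append((src, verdict))
    return findings


# Constructed sample flows: one real-looking ClientHello header, one cleartext HTTP POST
# on 443 (the pattern the capture above showed), and one ordinary HTTP request on port 80.
SAMPLE_FLOWS = [
    ("192.0.2.10", 443, bytes.fromhex("160301007d010000790303") + b"\x00" * 20),
    ("192.0.2.20", 443, b"POST /voice HTTP/1.1\r\nHost: example.invalid\r\n\r\n<speech>hi</speech>"),
    ("192.0.2.30", 80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    for src, verdict in flag_cleartext_on_443(SAMPLE_FLOWS):
        print(f"{src}: non-TLS traffic on 443 ({verdict})")
```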

http://www.pentestpartners.com/blog/is-your-samsung-tv-listening-to-you/

Friday

Android malware spies on you even if your phone is off

AVG has detected and analysed a new malware called Android/PowerOffHijack, which does as the name suggests: it hijacks the shutdown process. On an infected phone the malware plays a fake shutdown animation and then turns off the screen. The malware can then make outgoing calls, take pictures and more.

The malware has been seen in Chinese app stores and requires root permissions to do its job.

http://now.avg.com/malware-is-still-spying-on-you-after-your-mobile-is-off/

NSA and GCHQ steal SIM-card encryption keys

According to top-secret documents provided by Edward Snowden, American and British agencies hacked into one of the world's biggest SIM-card manufacturers and stole encryption keys used to protect cellphone traffic.

The targeted company, Gemalto, says it didn't know anything about the breach before the Snowden documents were published. Among its customers we find AT&T, T-Mobile, Verizon, Sprint and 450 wireless network providers around the globe.

https://firstlook.org/theintercept/2015/02/19/great-sim-heist/