A take on the security news, week 08 2015
Monday
Patches gone wrong for Microsoft
It has been reported that two of last week's patches are causing trouble for some users.
The first report is that the patch that is supposed to close the POODLE
vulnerability has caused problems for users of Cisco AnyConnect VPN on Windows
8.1. Try running AnyConnect in Windows 7/8 compatibility mode to avoid the problem.
The second report is that PowerPoint fails to open. If you experience this problem,
try uninstalling the patch.
http://windowsitpro.com/msrc/patch-tuesday-microsoft-removes-kb2920732-breaks-powerpoint
Kaspersky reveals malware infiltrated in banks
A new report about the state of financial cyberthreats last year is now available. The report has several findings and is worth a read, e.g. "KSN statistics show that in 2014 Mac owners faced phishing attacks as often as the users of computers running Windows." and that over 94% of all malware is financial malware.
https://securelist.com/files/2015/02/KSN_Financial_Threats_Report_2014_eng.pdf
Weak random number generator in WordPress
Due to cross-platform and backwards compatibility requirements, WordPress has relied on php_mt_seed to get random numbers. php_mt_seed is not sufficient for cryptographically strong random numbers. A patch is now available to mitigate this issue.
It is important that website owners apply this patch because weak random numbers can be leveraged to bypass authentication.
http://seclists.org/fulldisclosure/2015/Feb/42
Tuesday
MongoDB security checklist
A list of security measures that you can take to protect your MongoDB installation. Some of the measures are generic, and you could probably use them if you are running some other NoSQL database.
http://docs.mongodb.org/manual/administration/security-checklist/
HTTP Strict Transport Security in Internet Explorer
The HSTS protocol allows only secure connections (HTTPS) to a website. This is done with the help of a preload list containing the names of websites that the browser should connect to ONLY through HTTPS. If your site is not on the list, you can serve an HSTS header to make all subsequent connections go over HTTPS.
The news is that Internet Explorer 10 will get support for the HSTS protocol.
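As an added example (not from the original post), a small checker that parses a Strict-Transport-Security header the way a browser would and reports why it would not qualify for the preload list. The minimum max-age used here is the value published at hstspreload.org today, which is an assumption about current rules and is stricter than the 2015 submission rules.

```python
# Preload-list requirements (assumed from hstspreload.org's current rules):
# max-age of at least one year, includeSubDomains and the preload token.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives.

    Directive names are case-insensitive (RFC 6797); max-age carries an
    integer, includeSubDomains and preload are flags. Unknown directives are
    kept so the caller can see them.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            directives[name] = int(value)
        else:
            directives[name] = True
    return directives


def hsts_problems(header: str) -> list:
    """Return the reasons a header would not qualify for the preload list."""
    d = parse_hsts(header)
    problems = []
    if "max-age" not in d:
        problems.append("max-age directive missing (header is invalid)")
    elif d["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {d['max-age']} is below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload token missing")
    return problems


if __name__ == "__main__":
    # Constructed sample headers: a weak one and a preload-ready one.
    for h in ("max-age=300", "max-age=63072000; includeSubDomains; preload"):
        print(repr(h), "->", hsts_problems(h) or "preload-ready")
```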
Wednesday
Microsoft announces FIDO support in Windows 10
To take a step further away from passwords, Microsoft announced that Windows 10 will support the FIDO two-factor authentication scheme. The FIDO authentication scheme is normally implemented with a USB device.
http://blogs.windows.com/business/2015/02/13/microsoft-announces-fido-support-coming-to-windows-10/
Duplicate SSH keys
Shodan did a study on how often the same public keys are found in the wild. The most
frequently used key was deployed on over 250,000 devices! If you have one of
those devices, you can try to brute-force the public key and extract the private key.
It turns out that the massive deployment of a single key is done by large ISPs
so they can access their equipment easily.
https://blog.shodan.io/duplicate-ssh-keys-everywhere/
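The same check turned inward, as an added example that is not from the original post or from Shodan: take ssh-keyscan style output for your own fleet, compute OpenSSH-format SHA256 fingerprints, and report any host key that appears on more than one device. The scan lines and key blobs are constructed for the example.

```python
import base64
import hashlib
from collections import defaultdict


def fake_blob(label: str) -> str:
    """Base64 of a constructed byte string standing in for a real key blob."""
    return base64.b64encode(b"constructed-key-" + label.encode()).decode()


# Constructed ssh-keyscan style output: "host keytype base64blob" per line.
# Three hosts deliberately share blob A, as an ISP-wide key would show up.
SAMPLE_SCAN = "\n".join([
    f"10.0.0.1 ssh-rsa {fake_blob('A')}",
    f"10.0.0.2 ssh-rsa {fake_blob('B')}",
    f"10.0.0.3 ssh-rsa {fake_blob('A')}",
    "# comment lines and blanks are ignored",
    "",
    f"10.0.0.4 ssh-ed25519 {fake_blob('C')}",
    f"10.0.0.5 ssh-rsa {fake_blob('A')}",
])


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hosts_by_fingerprint(scan_output: str) -> dict:
    """Group hosts by host-key fingerprint from ssh-keyscan style lines."""
    groups = defaultdict(list)
    for line in scan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skip rather than guess
        host, _keytype, blob = fields[0], fields[1], fields[2]
        groups[fingerprint(blob)].append(host)
    return dict(groups)


def shared_keys(scan_output: str) -> dict:
    """Fingerprints seen on more than one host: the Shodan finding in miniature."""
    return {fp: hosts for fp, hosts in hosts_by_fingerprint(scan_output).items()
            if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_SCAN).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```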
Thursday
Netgear routers vulnerable to remote attacks
If you have not disabled the WAN administration interface on your router, it is
now time to do so. A new vulnerability in the "Genie" application can be used to
read/write certain parameters in the router. The vulnerability is caused by a lack
of proper authentication in the SOAP component.
The mitigation is to turn off the WAN administration interface, which should never
be on by default anyway.
https://github.com/darkarnium/secpub/tree/master/NetGear/SOAPWNDR
Is your Samsung TV listening to you?
A researcher wanted to check whether the Samsung Smart TV leaks data when spoken to. A capture of the network traffic showed that the TV was sending data to a third party. The receiver of the data is Nuance, a speech-recognition company. The data was sent over port 443, but not encrypted as you would expect. The choice of port 443 is probably due to the fact that 443 is whitelisted in most routers.
http://www.pentestpartners.com/blog/is-your-samsung-tv-listening-to-you/
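The finding above is that "port 443" did not mean "TLS". As an added example (not from the original post or the researcher's write-up), a detection check that looks at the first bytes a client sends on a connection and flags anything to port 443 that is not a TLS record. The payloads and flow tuples are constructed; the flow shape is an assumption about what a capture-parsing step would hand over.

```python
# Constructed sample payloads: the first bytes a client sends on a port-443
# connection. Neither is a capture from a real TV; both are hand-built here.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16 03 01 00 c8 01 00 00 c4 03 03")
PLAINTEXT_POST = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"Content-Type: text/plain\r\n\r\ntv said: turn up the volume")

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ")
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}


def classify_first_bytes(payload: bytes) -> str:
    """Classify the start of a TCP stream as TLS, plaintext HTTP, or unknown.

    A TLS record starts with a 1-byte content type, a 2-byte version
    (0x03,0x00..0x03 for SSL3/TLS1.0-1.2) and a 2-byte length; a handshake
    record whose body begins with 0x01 is a ClientHello.
    """
    if (len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x03):
        if payload[0] == 0x16 and len(payload) > 5 and payload[5] == 0x01:
            return "tls:client_hello"
        return "tls:" + TLS_CONTENT_TYPES[payload[0]]
    if payload.startswith(HTTP_METHODS):
        return "plaintext:http"
    return "unknown"


def flag_cleartext_on_443(flows) -> list:
    """Return (src, dst, kind) for flows that spoke something other than TLS to 443.

    `flows` is an iterable of (src, dst, dst_port, first_payload_bytes) tuples.
    """
    suspicious = []
    for src, dst, dport, payload in flows:
        kind = classify_first_bytes(payload)
        if dport == 443 and not kind.startswith("tls:"):
            suspicious.append((src, dst, kind))
    return suspicious


# Constructed flows: one normal TLS session, one plaintext upload on 443,
# and one ordinary plaintext HTTP request on port 80 that must not be flagged.
SAMPLE_FLOWS = [
    ("192.168.1.20", "203.0.113.10", 443, TLS_CLIENT_HELLO_PREFIX),
    ("192.168.1.20", "203.0.113.11", 443, PLAINTEXT_POST),
    ("192.168.1.20", "203.0.113.12", 80, PLAINTEXT_POST),
]

if __name__ == "__main__":
    for entry in flag_cleartext_on_443(SAMPLE_FLOWS):
        print("non-TLS traffic to port 443:", entry)
```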
Friday
Android malware spies on you even if your phone is off
AVG has detected and analysed a new malware called Android/PowerOffHijack which
does as the name suggests: it hijacks the shutdown process. On an infected phone
the malware will play a fake shutdown animation and then turn off your screen.
The malware can then make outgoing calls, take pictures and more.
The malware is seen in Chinese app stores and requires root permissions to do its
job.
http://now.avg.com/malware-is-still-spying-on-you-after-your-mobile-is-off/
NSA and GCHQ stole SIM-card encryption keys
According to top-secret documents provided by Edward Snowden, American and
British agencies hacked into one of the world's biggest SIM-card manufacturers and
stole encryption keys used to protect cellphone traffic.
The targeted company, Gemalto, says they didn't know anything about the breach
before the Snowden documents were published. Among its customers we find AT&T,
T-Mobile, Verizon, Sprint and 450 wireless network providers around the globe.
https://firstlook.org/theintercept/2015/02/19/great-sim-heist/