A take on the security news, week 36 2015

Tue 01 September 2015

A take on the security news, week 36 / 2015. I summarize some of the news that I considered noteworthy related to information security this week.
Vulnerable babymonitors, Yosemite and Linux hardening guides, Microsoft tracking users, iOS malware, OSX malware and browers soon to end support for RC4

Monday

Automating metrics using your ticketsystems API

An interesting idea is that your incident handling system automatically creates issues in your issuetracker when needed. If your ihs automatically creates tickets in your ticketingsystem when a breach, phishing attack or similar is detected, you will get aware of it a lot sooner than if you have to wait for someone create the issues manually.

An example of how it can be solved if you use the open source RTIR incident handling system can be found in the link below.

https://isc.sans.edu/forums/diary/Automating+Metrics+using+RTIR+REST+API/20087/

OWASP automatic threat handbook

The OWASP Automated Threat Handbook provides actionable information and resources to help defend against automated threats to web applications.

https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf

FBI release information about the cost of business email compromise

The announcement points out that phishing is trending, and they also give some suggestions for protection.

According to the announcement there are 8179 victims, with a total loss of $798,897,959.25. The numbers are based on reports that businesses have given to the Internet Crime Complaint Center from okt 2013 - aug 2015.

http://www.ic3.gov/media/2015/150827-1.aspx

Tuesday

iOS malware infecting jailbroken iPhones

Paloalto and WeipTech have detected and analyzed a new family of malware that they are calling KeyRaider. The malware is targeting jailbroken iPhones and is distributed through third-party ‘appstores’. It analyze iTunes traffic to steal the victims Apple credentials. So far 225.000 accounts have been stolen and impacted users from 18 different countries.

http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/

Linux foundation publish internal hardening guide

Interesting reading about how the Linux Foundation are hardening their clients. Most hardening guides are targeting servers so this comprehensive list is worth a reading. The guide is rating the different advices as ‘essential’, ‘nice’ and ‘paranoid. Implement the advices that suits your environment.

Secureboot, full disk encryption and filtering all your incoming ports are among some of the ‘essential’ advices you should consider in your environment.

https://github.com/lfit/itpol/blob/master/linux-workstation-security.md

Wednesday

How to hack, search experiment

Want to check whats popular amongst script kiddies today? Try the old trick of entering partial search into google and see what is trending at the moment. I.e “how to hack” yields: facebbok, wifi and clash of clans on top 3. Your mileage may vary based on when you do the search, your search history and country.

https://isc.sans.edu/forums/diary/How+to+hack/20093/

Microsoft backports usertracking to Windows 7 and Windows 8

The arrive of Windows 10 have brought a whole new set of usertracking tools and policies from Microsoft. It is suspected that all the datacollection on Windows 10 is one of the reason that people are not upgrading yet, but stays with their already running Windows 7 or Windows 8.

There is no reason for that anymore since Microsoft now backports the usertracking and “updates” Windows 7/8 so that users can be tracked on those platform too. KB3068708, KB3022345/KB3068708, KB3075249 and KB3080149 are updates that are relevant for usertracking on Windows 7 and Windows 8. It also seems that data goes to at least the following two adresses vortex-win.data.microsoft.com and settings-win.data.microsoft.com, which is hardcoded into the system making it difficult to bypass with the hosts file.

Its time to search for a disable usertracking on windows guide, which there are plenty of.

http://www.ghacks.net/2015/08/28/microsoft-intensifies-data-collection-on-windows-7-and-8-systems/

Malware using the DYLD_PRINT_TO_FILE vulnerability on osx

This is an update of an already existing malware, but updated so it bypass the osx malware blocking list. The malware installs Genieo, VSearch, MacKeeper and point to the AppStore version of Download Shuttle, but the new trick is that when its done with the “legitimate” programs a new image (named installer) is mounted and it asks for access to your Safari Extensions List in your keychain. Instead of waiting for the user to deny this request it goes ahead and control the mouse, clicking accept and then goes ahead installing malicious plugins to your Safari browser.

Apple has now pushed XProtect signatures for OSX.Genieo.C, OSX.Genieo.B and OSX.Genieo. Also note that this malware is asking the user for administrator password as part of the process, so if you dont install unknown software on your machine you should be safe anyway.

https://blog.malwarebytes.org/mac/2015/08/genieo-installer-tricks-keychain/

Thursday

OSX Yosemite security and privacy guide

Following the Linux Foundation hardening guide earlier this week I stumbled upon a similar thing for Yosemite. Comprehensive and detailed, pick whatever suits your environment.

https://github.com/drduh/OS-X-Yosemite-Security-and-Privacy-Guide

Q2 Android malware report from Gdatasoftware

The report are discussing the large number of different devices, and also points out that many devices are shipped with malwares preinstalled.

https://public.gdatasoftware.com/Presse/Publikationen/Malware_Reports/G_DATA_MobileMWR_Q2_2015_EN.pdf

Friday

Securingthehuman newsletter covers two-step verification

The september issue of the Ouch! newsletter is covering the topic of two-step verification. The newsletter are tergeting the average computer user.

Make sure that your friends and family read it and understand why they should use two-step verification.

http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201509_en.pdf

Browsers stop support for RC4

Google, Mozilla and Microsoft will stop supporting RC4 encryption starting early next year. The RC4 cipher is old and is proven unsecure in a way that make it trivial to break.

For most cases TLS will pick the strongest cipher (not RC4), but in some cases it will fallback to a less secure cipher. When browser stop support RC4 they will fail instead of downgrade the cipher.

The impact of this is minimal since a very small percentage of browserusers are actually using RC4 anymore.

http://www.infoworld.com/article/2979527/security/google-mozilla-microsoft-browsers-dump-rc4-encryption.html

Hacking babymonitors

As part of the hacking IoT rapid7 has made a casestudy on babymonitors. The casestudy discuss why babymonitors, the business impact, common vulnerabilities top 10 actual vulnerable babymonitors and more.

https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf

Comments