A take on the security news, week 36

Mon 08 September 2014

A take on the security news, week 36 / 2014. I summarize some of the news that I considered noteworthy related to information security this week.

Monday:

Grindr app has privacy issues

This article describes two potential pricacy issues in the dating app.

First, the location functionality is distance based, so if you measure the distance from you to the victim in three different locations you can then triangulate the victims "exact" position.

Second, the message service in the app is vulnerable to spoofing since the "from" field is adjustable.

http://nakedsecurity.sophos.com/2014/09/01/grindr-app-has-privacy-issues-whos-surprised/

Tuesday:

Change browser often to stay away from 0-days

What to do when there is a disclosed 0-day in your favourite browser? You just switch to another browser until your favourite browser is patched, then switch back.

Playing catch-and-release anyone?

The story suggest that your deployment workflow allows for quick-changes of "default browser" to mitigate 0-days.

https://isc.sans.edu/diary/Dodging+Browser+Zero+Days+-+Changing+your+Org%27s+Default+Browser+Centrally/18601

Continuing reports of UPNP used in DDoS Attacks, Check your equipment for open ports

There have been an increase in scans on port 1900/UDP (SSDP) in the last weeks. SSDP is part of the UPNP protocol. In the same testinterval there have been an decrease in NTP based DDOS attacks. Maybe the hackers are switching over to SSDP (30) reflection instead of NTP reflection (600).

The amount of vulnerable SSDP systems can be viewed here: https://ssdpscan.shadowserver.org/

If your equipment can be secured or patched, do it now, or replace it with new less insecure equipment.

https://isc.sans.edu/forums/diary/1900UDP+SSDP+Scanning+and+DDOS/18599

iCloud Suszeptible to Password BruteForcing via Mobile API

No ratelimit on the Mobile API leads to brutforce attacks. Combine this with weak passwords and you might have a databreach. Apple has now created a ratelimit for the Mobile API, and the account owners have maybe learned a lesson about creating good, secure passwords.

http://thenextweb.com/apple/2014/09/01/this-could-be-the-apple-icloud-flaw-that-led-to-celebrity-photos-being-leaked/

Firefox 32 releasenotes

This update fixes a few known security advesories, removes and turned of trust for some 1024 bit root certificates and added certificate pinning for a few public domains. Certificate pinning is also on by default from this release.

https://www.mozilla.org/en-US/firefox/32.0/releasenotes/

Wednesday:

More on the Backoff POS trojan

Sinkholing some of the C&C servers that Backoff communicates gives more information about its victims. Most victims are located in the US, and range from home users to big major players (no name is mentioned). The article concludes that POS systems are prime targets for malware attacks, and that the security is not as good as it should be.

https://securelist.com/blog/research/66305/sinkholing-the-backoff-pos-trojan/

DirCrypt reverse engineered and explained

Interesting read about how the DirCrypt ransomware works. The DirCrypt is a angry version of ransomware because it does not only encrypt your files at infection time, but it detects any new files that you create and encrypt them as well.

http://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf

Hackers attacking homerouters in Brazil

A malicious e-mail and a bit of social engineering is used to attack home-routers in Brazil. If you click the link in the e-mail the attackers tries to reconfigure your routers DNS. The attacking script will try to guess your routers admin/password and then tries to change your DNS settings.

So remember to change the default admin / password on your homerouter.

https://securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/

Thursday:

Microsoft prenotification about next weeks updates

One critical and two important. IE,. NET Framework and Lync server is among the products that is patched next week.

https://technet.microsoft.com/library/security/ms14-sep

Adobe prenotification about next weeks Reader and Acrobat updates

Several critical issues will be fixed in Adobe Reader and Adobe Acrobat.

http://helpx.adobe.com/security/products/reader/apsb14-20.html

WordPress release security update

Wordpress 3.9.2 is released, addressing multiple vulnerabilities. This fixes a potential denial of service issue in PHPs XML processing. This is the first joint security release (Wordpress and Drupal) as the XML-RPC issue also affects Drupal.

https://www.us-cert.gov/ncas/current-activity/2014/09/04/WordPress-Releases-Security-Update

http://wordpress.org/news/2014/08/wordpress-3-9-2/

https://www.drupal.org/SA-CORE-2014-004

Friday:

Facebook with a new privacy checking tool

The "privacy dinosaur" is now rolled out to all FB users. The privacy dinosaur walks you trough 3 steps to make sure you are sharing with the right people.

nakedsecurity.sophos.com/2014/09/05/review-your-settings-with-facebooks-new-privacy-checkup-tool/

Remember to also block all UDP traffic

There is much information for an attacker if he can scan your ports. A successful scan could yield information about your device's operatingsystem, version, and structure of your internal network. Remember do deny everything, and open up only whats needed. If you do "deny tcp any any", you should also do "deny udp any any" or "deny ip any any". Log all denied packets if possible.

https://isc.sans.edu/forums/diary/Identifying+Firewalls+from+the+Outside-In+Or+There+s+Gold+in+them+thar+UDP+ports+/18617

Comments