A take on the security news, week 47 2015

Mon 16 November 2015

A take on the security news, week 47 / 2015. I summarize some of the news that I considered noteworthy related to information security this week.
Lets encrypt beta soon, free dnssec, bad barcode, malware using steganography and amazon now offering two-factor authentication.

Monday

Lets encrypt public beta to launch in desember

The Lets encrypt project is going to open their public beta 3.desember 2015. Lets encrypt is going to provide a free and easy to implement SSL service. The limited beta that has been running since 12.september 2015 has already issued 11.000 free SSL-certificates.

https://letsencrypt.org/2015/11/12/public-beta-timing.html

Cloudflare to offer free DNSSEC for customers

Cloudflare is launching what they call Universal DNSSEC, which should make it easier for domainowners to protect their domain.

If you are a Cloudflare customer there should be an option in your dashboard to turn on DNSSEC.

https://www.cloudflare.com/dnssec/universal-dnssec/

Vulnerability in libPNG

Multiple buffer overflow vulnerabilities are found in the common libPNG library.

http://www.openwall.com/lists/oss-security/2015/11/12/2

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8126#VulnChangeHistoryDiv

Police bodycamera delievered with virus

The 6 year old win32/conficker worm is found to be preinstalled on a range of bodycameras intended for use by official police forces.

http://www.goipower.com/?pageId=40

Tuesday

Bad barcode

Leveraging the fact that many barcodescanners are emulating keyboard devices, and that some of the involved protocols ( i.e Code 128) supports ASCII control characters it is shown how to open dialogboxes by just scan a barcode.

http://www.slideshare.net/PacSecJP/hyperchem-ma-badbarcode-en1109nocommentfinal

A breakdown of FDE on mobile devices

NCC group presented a paper on the challenges that mobile app developers face in securing data stored on devices.

https://www.blackhat.com/eu-15/briefings.html#faux-disk-encryption-realities-of-secure-storage-on-mobile-devices

Wednesday

Thursday

First beta of NTPSec

The NTPSec project is announcing the first beta of NTPSec, “a secure, hardened, and improved implementation of Network Time Protocol derived from NTP Classic”.

So far the project has focused on removing obsolete code, hardening the code to prevent buffer overruns, fixed bugs and other modern development best practices.

https://www.ntpsec.org/

DNSCat2 now supports encrypted communication

The dnscat2 tool is used by malware command & control centers, or other that wants to communicate stealthy. The tool now supports encrypted communication (encrypted by default) to make it even harder to detect and analyze the traffic.

The tool creates a DNS tunnel which is an effective way to pass through most firewalls.

https://blog.skullsecurity.org/2015/dnscat2-now-with-crypto

https://github.com/iagox86/dnscat2

Malware using steganography to hide data

A breakdown of advances in malware using covert communcation channels.

https://www.blackhat.com/docs/eu-15/materials/eu-15-Bureau-Hiding-In-Plain-Sight-Advances-In-Malware-Covert-Communication-Channels.pdf

Friday

Python honeypot

HoneyPy a honeypot writtein in python is intended to be easy: to deploy, to extenden and to apply custom configurations. It depends on twisted, and a twitter plugin (if you want alerts sent to twitter).

If you want to see what is going out there on the Internet, you could try this on one of your test appliances.

https://github.com/foospidy/HoneyPy/blob/master/README.md

Amazon now offers 2FA

It seems that Amazon quietly have enabled the possibility to use two-factor authentication.

https://twofactorauth.org/

SiverPush, a sneaky system to target ads to users

Silverpush uses a system that consist of inaudible audio signals to target users across pc, phone, tv and tablets. This sounds a bit like badBIOS where researcher claimed that his comuputer was infected through ultrasonic sounds.

https://github.com/MAVProxyUser/SilverPushUnmasked

http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/

Comments