Week 32 In Review – 2015

Events Related

• Black Hat USA 2015
  • From The Black Hat Keynote Stage: Jennifer Granick – www.darkreading.com
  • Recap of Black Hat 2015, Day 1 – www.webroot.com

• DEF CON 23 (2015)
  • DEFCON Talk Slides – colinoflynn.com
  • DEF CON 23 presentations/Speaker & Workshop Materials – media.defcon.org

Resources

• Certifi-gate: Hundreds of Millions of Android Devices Could Be Pwned – blog.checkpoint.com
  Check Point today released details about Certifi-gate, a previously unknown vulnerability in the architecture of popular mobile Remote Support Tools (RSTs) used by virtually every Android device manufacturer and network service provider.

• BRIEFINGS: AUGUST 5-6 – www.blackhat.com

• Server-Side Template Injection – blog.portswigger.net
  Template engines are widely used by web applications to present dynamic data via web pages and emails. Unsafely embedding user input in templates enables Server-Side Template Injection, a frequently critical vulnerability that is extremely easy to mistake for Cross-Site Scripting (XSS), or miss entirely.

Tools

• routerkeygen – github.com

• Gone in Less Than a Second – threatpost.com
  Kamkar has built a new device that is about the size of a wallet and can intercept the codes used to unlock most cars and many garage doors. The device can be hidden underneath a vehicle and when the owner approaches and hits the unlock button on her key or remote, the device grabs the unique code sent by the remote and stores it for later use.

• SSH Weak Diffie-Hellman Group Identification Tool – blog.gdssecurity.com
  The LogJam attack against the TLS protocol allows a man-in-the-middle attacker to downgrade a TLS connection such that it uses weak cipher suites (known as export cipher suites). More precisely, the attack forces a Diffie-Hellman (DH) key exchange based on a weak group.

• Lockheed Open Sources Its Secret Weapon In Cyber Threat Detection – www.darkreading.com
  The cybersecurity team at Lockheed Martin will share some defensive firepower with the security community at Black Hat this week with the open source release of an internal advance threat tool it has been using in house for three years now.

• Hacking A Phone’s GPS May Have Just Got Easier – www.forbes.com
  A team of researchers at Chinese Internet security firm Qihoo 360 claim they’ve found a way to make a GPS emulator that can falsify the GPS location of smartphones and in-car navigation systems, more cheaply.

• BLEKey Device Breaks RFID Physical Access Controls – threatpost.com
  A device the size of a quarter that can be installed in 60 seconds on a proximity card reader could potentially be used to break physical access controls in 80 percent of deployments. The device, dubbed BLEKey, is used to read cleartext data sent from card readers to door controllers to either clone cards or feed that data to a mobile application that can be used to unlock doors at any number of installations.

Techniques

• Zimperium releases Stagefright detection tool and vulnerability demo video – betanews.com
  Now the mobile security company has released additional details about how the exploit works. To help explain the vulnerability, a video has been produced which uses a Stagefright demonstration to illustrate it in action. Zimperium has also released an Android app that checks devices for the vulnerability.

• Mass ‘Dark Web’ Scanning With PunkSPIDER – alex.hyperiongray.com
  A while back we did some work in scanning Tor hidden services for vulnerabilities. We did a massive scan of the Tor network for web app vulnerabilities as part of our PunkSPIDERproject and released these as part of our PunkSPIDER Community Edition.

Vulnerabilities

• Manipulating WSUS to Own Enterprises – threatpost.com
  Two researchers this week at the Black Hat conference, however, point out that WSUS can be a significant weakness that can lead to the complete compromise of any server or desktop in an organization hooked up to the automated update service.

• Web’s random numbers are too weak, researchers warn – www.bbc.com
  The data scrambling systems used by millions of web servers could be much weaker than they ought to be, say researchers. A study found shortcomings in the generation of the random numbers used to scramble or encrypt data.

• Welcome to The Internet of Compromised Things – blog.codinghorror.com
  It’s becoming more and more common to see malware installed not at the server, desktop, laptop, or smartphone level, but at the router level. Routers have become quite capable, powerful little computers in their own right over the last 5 years, and that means they can, unfortunately, be harnessed to work against you.

• Design flaw in Intel processors opens door to rootkits, researcher says – www.itworld.com
  A design flaw in the x86 processor architecture dating back almost two decades could allow attackers to install a rootkit in the low-level firmware of computers, a security researcher said Thursday. Such malware could be undetectable by security products.

• Attack on Macs
  Researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of MACs. What’s more, the researchers have designed a proof-of-concept worm for the first time that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked.
  • DYLD_PRINT_TO_FILE exploit found in the wild – blog.malwarebytes.org
  • Researchers Create First Firmware Worm That Attacks Macs – www.wired.com

• Man-In-The-Cloud Owns Your DropBox, Google Drive — Sans Malware – www.darkreading.com
  Using no malware or stolen credentials, attackers could obtain complete access to a user’s Google Drive or DropBox account, steal data, and corrupt legitimate files with malicious code to infect target users. It’s called a man-in-the-cloud attack, and is undetectable by both perimeter and endpoint security tools.

Other News

• Tech Firm Ubiquiti Suffers $46M Cyberheist – krebsonsecurity.com
  Networking firm Ubiquiti Networks Inc. disclosed this week that cyber thieves recently stole $46.7 million using an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers.

• Rush to Put Death Records Online Lets Anyone be ‘Killed’ – www.securityweek.com
  A rush to go digital with the process of registering deaths has made it simple for maliciously minded folks to have someone who is alive declared dead by the authorities.

• How Safe Are Gas Pumps From Hackers? – asia.pcmag.com
  A pair of researchers from Trend Micro set up honeypots to look at what kind of attacks are targeting gasoline pumps and related technology.

• Tesla Model S Hacked In Low-Speed Driving; Patch Issued, Details Tomorrow: UPDATED – www.greencarreports.com
  According to a report in Britain’s Financial Times, two hackers will explain at the DefCon conference in Las Vegas how they took control of a Tesla Model S electric car and switched it off while the car was running at low speeds.

• Russia hacks Pentagon computers: NBC, citing sources – cnbc.com
  U.S. officials tell NBC News that Russia launched a “sophisticated cyberattack” against the Pentagon’s Joint Staff unclassified email system, which has been shut down and taken offline for nearly two weeks.

• Hackers Exploit ‘Flash’ Vulnerability in Yahoo Ads – bits.blogs.nytimes.com
  For seven days, hackers used Yahoo’s ad network to send malicious bits of code to computers that visit Yahoo’s collection of heavily trafficked websites, the company said on Monday.

• Effect of Hacking on Stock Price, Or Not? – taosecurity.blogspot.com
  This is a terrible crime that I would not wish upon anyone. My interest in this issue has nothing to do with Ubiquiti as a company, nor is it intended as a criticism of the company. The ultimate fault lies with the criminals who perpetrated this fraud.