Listen to Headlines from Week 04!
Show notes for Security Endeavors Headlines for Week 4 of 2019
Check out our subreddit to discuss this week's headlines!
InfoSec Week 4, 2019 (link to original Malgregator.com posting)
Microsoft's mobile Edge browser on both iOS and Android begins issuing fake news warnings. Previously only available as a desktop plugin, it’s powered by news rating company NewsGuard. The feature can be toggled on via the app’s settings under "news rating." The description boasts that it's "evaluated news websites that account for 98% of online media engagements in the United States." Here's how it works: once enabled, it provides a rating icon in the address bar (red for unreliable and green for trusted). Tap it and you'll see a nutrition-styled label with more information. For instance, if a site is flagged as untrustworthy, it reads: "Proceed with caution: this website generally fails to maintain basic standards of accuracy and accountability." And, if you see a site sans label, you can submit it for review.
https://www.engadget.com/2019/01/23/microsoft-edge-mobile-fake-news
A vulnerability in the Advanced Persistent Threat management tool… Just kidding. A researcher found a vulnerability in apt, or Advanced Package Tool, a popular package manager, that allows a network-based man-in-the-middle to execute arbitrary code as root on a machine installing any package. There’s also a risk of a bad actor exploiting this issue by standing up a malicious package mirror. The bug has been fixed in the latest versions of apt. Worried about being exploited during the update process? Protect yourself by disabling HTTP redirects while you update. A link to more information and the author’s steps are in this week’s show notes.
https://justi.cz/security/2019/01/22/apt-rce.html
The encryption mode in the well-known compression software 7-Zip uses poor randomness when generating AES (Advanced Encryption Standard) initialization vectors (IVs). The code uses a poor Random Number Generator (RNG) for AES initialization vector generation. What's more, the method seems to only use 8 bytes instead of the full 16, so that half of the IV is always zeros. This is a problem because the security guarantee of AES-CBC is based on having a 128-bit IV that is unpredictable, i.e. derived from a cryptographically secure pseudo-random number generator. CBC refers to Cipher Block Chaining, a cryptographic mode of operation invented in 1976. In CBC mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block. Otherwise it resembles the method used in Electronic Codebook, or ECB. Seen as the simplest of the encryption modes, ECB is named after conventional physical codebooks: the message is divided into blocks, and each block is encrypted separately. So lacking a proper 128-bit initialization vector may also decrease overall AES-CBC security, since it might be easier to detect the same block of plaintext in two separate ciphertexts. So maybe encrypt your packed files with another tool until this is corrected.
https://sourceforge.net/p/sevenzip/bugs/2176/ with additional background adapted from
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_Block_Chaining_(CBC)
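To make the CBC explanation above concrete, here is an added example (not code from 7-Zip or from the bug report) that implements CBC chaining over a small stand-in block cipher, reproduces the reported "8 random bytes plus 8 zero bytes" IV shape, measures how much IV entropy that leaves, and shows the ECB-like leak when an IV repeats. The Feistel cipher, key and messages are constructed for the example and are not AES.

```python
import hashlib
import os

BLOCK = 16  # AES block size in bytes; the toy cipher below uses the same size


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher: a keyed hash truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network on 8-byte halves. A stand-in for AES so the
    # example runs without a crypto library; the CBC logic is what matters.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block (the IV
    # for the first block) before encryption, exactly as the text describes.
    assert len(iv) == BLOCK and len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def good_iv() -> bytes:
    return os.urandom(BLOCK)  # 128 bits from the OS CSPRNG


def half_zero_iv() -> bytes:
    # Reproduces the reported structure: 8 random bytes, then 8 bytes always zero.
    return os.urandom(8) + bytes(8)


def iv_entropy_bits(iv_source, samples: int = 256) -> int:
    # Upper bound on IV entropy: 8 bits for every byte position that ever varies.
    # 64 bits means a repeated IV is expected after roughly 2^32 archives, not 2^64.
    ivs = [iv_source() for _ in range(samples)]
    return 8 * sum(len({iv[i] for iv in ivs}) > 1 for i in range(BLOCK))


def first_block_leaks(key, iv1, iv2, m1, m2) -> bool:
    # True when the two ciphertexts reveal that the messages share their first
    # block. With a repeated IV, CBC's first block degrades to ECB behaviour.
    return cbc_encrypt(key, iv1, m1)[:BLOCK] == cbc_encrypt(key, iv2, m2)[:BLOCK]
```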
A researcher discovered that large e-commerce and government sites got hacked via the Adminer database tool. The root cause is a protocol flaw in the MySQL database. It’s described right in the official documentation:
The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server’s choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access. (A patched server could in fact reply with a file-transfer request to any statement, not just LOAD DATA LOCAL, so a more fundamental issue is that clients should not connect to untrusted servers.)
Attempting to read in the tone of the author, “In theory”? An Evil MySQL Server which does exactly that can be found on GitHub, and was likely used to exfiltrate passwords from these hacked sites. It could also be used to steal SSH keys and crypto wallets.
The server has to know the full path of the file on the client for this to succeed. However, by first requesting information about the system’s environment, the server can learn a great deal about the folder structure on the client.
Several clients and libraries have built-in protection for this “feature”, or disable it by default (e.g. Golang, Python, PHP-PDO). But not all do, as the Adminer case demonstrates. And Adminer probably won’t be the last.
https://gwillem.gitlab.io/2019/01/20/sites-hacked-via-mysql-protocal-flaw/
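The documentation quoted above describes the server-initiated file transfer; as an added example (not code from Adminer, MySQL or the linked post), here is the client-side check a defensive connector can apply: parse the server's reply packet and refuse a LOCAL INFILE request unless the client itself issued a LOAD DATA LOCAL INFILE statement naming that exact file. The packet bytes and file names are constructed for the example.

```python
import re

LOCAL_INFILE_MARKER = 0xFB  # first payload byte of a server "LOCAL INFILE request"
LOAD_LOCAL_RE = re.compile(r"LOAD\s+DATA\s+LOCAL\s+INFILE\s+'([^']*)'", re.IGNORECASE)


def build_packet(seq: int, payload: bytes) -> bytes:
    # MySQL packet: 3-byte little-endian payload length, 1-byte sequence id, payload.
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def parse_packet(buf: bytes):
    """Return (sequence id, payload, remaining bytes) for the first packet in buf."""
    if len(buf) < 4:
        raise ValueError("truncated packet header")
    length = int.from_bytes(buf[:3], "little")
    payload = buf[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet payload")
    return buf[3], payload, buf[4 + length:]


def requested_filename(payload: bytes) -> str:
    # Everything after the 0xFB marker is the file the server wants the client to send.
    return payload[1:].decode("utf-8", "replace")


def check_server_response(query: str, payload: bytes) -> str:
    """Decide whether a server reply may be honoured.

    "ok"              normal reply, or a file request matching the client's own LOAD DATA LOCAL
    "rogue:<file>"    file request in reply to a statement that never asked for a transfer
    "mismatch:<file>" file request for a different file than the one the client named
    """
    if not payload or payload[0] != LOCAL_INFILE_MARKER:
        return "ok"
    wanted = requested_filename(payload)
    m = LOAD_LOCAL_RE.search(query)
    if m is None:
        return f"rogue:{wanted}"
    if m.group(1) != wanted:
        return f"mismatch:{wanted}"
    return "ok"
```

The simpler and stronger control is to leave the feature off entirely (for the mysql command-line client, `--local-infile=0`), which is what the connectors mentioned above do by default.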
A short blog post this week explores the reasons why so much software still isn’t secured after so many years. The author boils it down to explaining that, “the existence of insecure software has so far helped society far more than it has harmed it. Basically, software remains vulnerable because the benefits created by insecure products far outweigh the downsides. Once that changes, software security will improve—but not a moment before.” The link to the posting is in the show notes, if you’re interested.
https://danielmiessler.com/blog/the-reason-software-remains-insecure/
Trend Micro engineers found applications in the Google Play store that drop Anubis banking malware after the device’s motion sensors are activated to evade initial detection. The two apps were disguised as useful tools, simply named Currency Converter and BatterySaverMobi. Google has confirmed that both these apps are no longer on the Play Store.
The battery app logged more than 5,000 downloads before it was taken down, and boasted a score of 4.5 stars from 73 reviewers. However, a close look at the posted reviews shows signs that they may not have been valid. These apps don’t just use traditional evasion techniques; they also try to use the user’s and device’s motion to hide their activities.
As a user moves, their device usually generates some amount of motion sensor data. The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data. If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.
The malicious app monitors the user’s steps through the device motion sensor. If it senses that the user and the device are not moving (if it lacks sensor data and thus, might be running in a sandbox environment), then the malicious code will not run.
https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/
A software bug, reported via the HackerOne platform, says that “Verifying a new email address on a Twitter account in the Android app causes the "Protect your Tweets" option to be unset, resulting in the user's tweets being made publicly visible.” This can lead to a user's private tweets being exposed to anyone until they notice the change to their privacy settings. An attacker would normally need direct access to the user's Twitter account to change the email. In this case a user could be tricked into changing their email if an attacker sent them a phishing email instructing them to do so.
https://hackerone.com/reports/472013
Are you interested in finding and exploiting bugs in Marvell Avastar Wi-Fi chips? This week’s show notes have a link to a great in-depth blog posting on the topic. The author seeks to answer a question that has gone unanswered for quite some time. The question? To what extent is the Marvell Wi-Fi FullMAC System-on-a-Chip, or SoC, (not) secure? Since wireless devices based on this chip haven’t been fully researched by the community yet, they may contain a tremendous volume of unaudited code. This code could result in severe security issues in the many devices equipped with these WLAN cards. The author clearly states that the article is based on the material presented in their talk at ZeroNights 2018 and invites readers to have a look at the original slides. References to additional research on the subject of wireless SoC security are also linked. Worth a read if this is your rabbit hole.
https://embedi.org/blog/remotely-compromise-devices-by-using-bugs-in-marvell-avastar-wi-fi-from-zero-knowledge-to-zero-click-rce/
In case hardware isn’t your thing, how about a Chrome extension designed for WordPress vulnerability scanning and information gathering? If that gets your attention, then maybe check out the WPintel GitHub link on this week’s post over at securityendeavors/SEHL.
https://github.com/Tuhinshubhra/WPintel
Seeking to amplify the work of another researcher, this Twitter post compares that work to the poster’s own NetNTLMv1 to Silver Ticket research, noting that it does so using only Kerberos, which has a much larger footprint. The research post is called “Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory” and says it contains information on new attack techniques. After reviewing the information, the Microsoft Security Response Center (or MSRC) responded that “this is not an issue which will be addressed via a security update.”
While it’s unclear if that means something more involved would be needed to address the risks outlined in the posting, what’s clear is that this is a wild toboggan ride that plumbs the depths of Kerberos Delegation, and you will come out the other side either smarter or ready for an analgesic.
https://twitter.com/NotMedic/status/1089699199891984384?s=20 &
https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
A recent tweet shares some notes on resumes for those looking to get into infosec. The author offers their view on just how far classes, home study, conference attendance, and practicing on sites like HackInTheBox can take you. The post lists some of the “nontrivial amount of knowledge” that can only be learned on the job. Beyond the list of real-world experiences that contribute to growth and understanding of the work, the post goes on to share that at the end of the day, infosec is, “measuring risk from a technical perspective and remediating that risk the best and most compatible way, custom, for every customer, every time.” Best if you take a moment to read this for yourselves to get the full message.
https://twitter.com/Viss/status/1089249931552993280?s=20
A researcher found a logic flaw where waiting on a two-factor login page could allow you to log in without knowing the current password on many major websites. The idea, if I’m reading this right, is to start logging in to a site and then pause at the two-factor entry page, where there’s a place to enter a one-time code. The attacker then triggers a password change request, which will cause all active login sessions to be terminated. After waiting 10 to 15 minutes, it was still possible to enter a 2FA code and log in, without knowing the actual (new) password. Reporting the initial proof of concept didn’t get very far, since the login session expired in 20 minutes, so the researcher pressed on, testing additional scenarios. Diligence paid off when the researcher discovered a repeatable method to bypass session expiration, where the 2FA code kept working even when the option was disabled. Once able to expand the attack scenario on one company’s platform, curiosity led to discovering that other companies suffered from the same vulnerability. Of possibly greater concern than discovering this kind of risk is that more than one company responded to the reported bugs as “working as intended.”
https://twitter.com/x0rz/status/1089101900069384192?s=20 pointing to
https://medium.com/@lukeberner/how-i-abused-2fa-to-maintain-persistence-after-a-password-change-google-microsoft-instagram-7e3f455b71a1
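The flaw described above is a state-machine problem: a pending 2FA challenge created under the old password survives the password change. As an added example (not any of the named companies’ code, and not from the linked post), here is a toy login service that models both behaviours: with `bind_challenge_to_credentials` off, a challenge started before the password change still completes 15 minutes later; with it on, every password change bumps a credential generation and stale challenges are refused. User names, codes and the 20-minute TTL are constructed for the model.

```python
import hmac
import secrets

CHALLENGE_TTL = 20 * 60  # seconds; constructed to mirror the 20-minute expiry in the post


class AuthService:
    """Toy login state machine: password step, then a 2FA challenge, then a session."""

    def __init__(self, bind_challenge_to_credentials: bool):
        self.bind = bind_challenge_to_credentials
        self.users = {}     # username -> {"password": str, "code": str, "gen": int}
        self.pending = {}   # challenge id -> {"user": str, "gen": int, "expires": int}
        self.sessions = {}  # session token -> username

    def register(self, user: str, password: str, code: str) -> None:
        # "code" stands in for the user's second factor; a real service verifies TOTP/SMS here.
        self.users[user] = {"password": password, "code": code, "gen": 0}

    def begin_login(self, user: str, password: str, now: int):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u["password"], password):
            return None
        cid = secrets.token_hex(8)
        # The challenge remembers which credential generation it was issued under.
        self.pending[cid] = {"user": user, "gen": u["gen"], "expires": now + CHALLENGE_TTL}
        return cid

    def change_password(self, user: str, new_password: str, now: int) -> None:
        u = self.users[user]
        u["password"] = new_password
        u["gen"] += 1
        # Active sessions are terminated in both variants, as the post describes;
        # the vulnerable variant simply forgets to invalidate half-finished logins.
        self.sessions = {t: n for t, n in self.sessions.items() if n != user}

    def complete_2fa(self, cid: str, code: str, now: int):
        ch = self.pending.get(cid)
        if ch is None or now > ch["expires"]:
            return None
        u = self.users[ch["user"]]
        if not hmac.compare_digest(u["code"], code):
            return None
        self.pending.pop(cid)
        if self.bind and ch["gen"] != u["gen"]:
            return None  # fixed behaviour: password changed since this challenge was issued
        token = secrets.token_hex(16)
        self.sessions[token] = ch["user"]
        return token

    def session_user(self, token: str):
        return self.sessions.get(token)
```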
Are you a visual learner, but find man pages just too painful to read through? Maybe take a look at the work of a cartoonist who draws out common use cases for commands. It could be the easiest way to read through the flags for using curl that I’ve ever seen.
https://twitter.com/b0rk/status/1088981000955355136?s=20
Security Endeavors Headlines is produced by SciaticNerd & Security Endeavors with the hope that it provides value to the wider security community. Some sources adapted for on-air readability.
Special thanks to our friends at malgregator dot com, who allow us to use their compiled headlines to contribute to the show’s content. Visit them at Malgregator.com.