Show notes for Security Endeavors Headlines for Week 3 of 2019
Check out our subreddit to discuss this week's headlines!
InfoSec Week 3, 2019 (Link to original Malgregator.com posting for this week)
A 35-year-old vulnerability has been found in the Secure Copy Program (scp) file transfer utility. Many scp clients fail to verify that the objects the scp server sends back match the ones they asked for. The issue dates back to 1983 and the remote copy program (rcp), on which scp is based. A separate client flaw lets a server change the attributes of the target directory arbitrarily, and two further client vulnerabilities let a server spoof the client's terminal output.
The advisory says Tectia SSH's scpg3 is not affected because it uses the sftp protocol (the SSH File Transfer Protocol, a separate protocol from scp and unrelated to FTP) exclusively. For OpenSSH, the suggested mitigation is to switch to sftp where possible; there is also a patch that hardens scp against most server-side manipulation, but it doesn't cover every use case. PuTTY has no fix yet, and WinSCP users should upgrade to v5.14 or later.
According to the advisory impact section, "Malicious scp server can write arbitrary files to scp target directory, change the target directory permissions and to spoof the client output."
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
History of SCP and its use: https://www.jeffgeerling.com/blog/brief-history-ssh-and-remote-access
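As an added example (not code from the advisory or from any scp implementation), here is a minimal Python model of the receiving side of the scp protocol, showing the missing check and a hardened version. On the wire the server announces each object with a one-line header: `C<mode> <size> <name>` for a file, `D<mode> 0 <name>` to enter a directory, `E` to leave it and `T<mtime> 0 <atime> 0` for timestamps, and a vulnerable client joins whatever name arrives onto its target directory. The session below is constructed for the example; the checks assume a plain (non-recursive) request, so every received name must match the name or glob pattern the user asked for. The two output-spoofing flaws that work through stderr are outside what a name check can catch.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Header format: a type letter, a four-digit octal mode, a decimal size and
# the object name, e.g. "C0644 12 notes.txt". "E" and "T..." carry no name.
HEADER_RE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.*)$")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")   # includes ESC, used by ANSI sequences


@dataclass
class ScpObject:
    kind: str    # "C" file, "D" directory, "E" end of directory, "T" timestamps
    mode: int
    size: int
    name: str


def parse_header(line: str) -> ScpObject:
    """Parse one scp control line sent by the server."""
    if line == "E":
        return ScpObject("E", 0, 0, "")
    if line.startswith("T"):
        return ScpObject("T", 0, 0, "")
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"malformed scp header: {line!r}")
    kind, mode, size, name = m.groups()
    return ScpObject(kind, int(mode, 8), int(size), name)


def legacy_check(obj: ScpObject, requested: str) -> Optional[str]:
    """The pre-fix behaviour the advisory describes: the client trusts the
    server's name, so '.bash_aliases' or a 'D0777 0 .' header sails through."""
    return None


def hardened_check(obj: ScpObject, requested: str) -> Optional[str]:
    """Return None if the object may be written, else the reason to reject it."""
    if obj.kind in ("E", "T"):
        return None
    name = obj.name
    # Empty, ".", ".." or a name containing "/" would let the server escape the
    # target directory or rewrite the target directory's own attributes.
    if name in ("", ".", "..") or "/" in name:
        return f"refusing path-traversal name {name!r}"
    # ESC and other control characters in a name are how a server smuggles
    # terminal escape sequences into the client's progress output.
    if CONTROL_CHARS.search(name):
        return f"refusing name with control characters {name!r}"
    # The server may only send what we asked for (glob patterns allowed).
    if not fnmatch.fnmatchcase(name, requested):
        return f"server sent {name!r} but client requested {requested!r}"
    return None


def receive(headers: List[str], requested: str, check) -> Tuple[List[str], List[str]]:
    """Run a sequence of server headers through a check; return (written, rejected)."""
    written, rejected = [], []
    for line in headers:
        obj = parse_header(line)
        reason = check(obj, requested)
        if reason is not None:
            rejected.append(reason)
        elif obj.kind in ("C", "D"):
            written.append(obj.name)
    return written, rejected


# Constructed session: the user ran the equivalent of `scp host:notes.txt .`
# and a malicious server replies with extra objects.
MALICIOUS_SESSION = [
    "T1547723000 0 1547723000 0",
    "C0644 12 notes.txt",            # the file that was actually requested
    "C0644 40 .bash_aliases",        # arbitrary file dropped into the target dir
    "D0777 0 .",                     # re-enter "." to change the target dir's mode
    "E",
    "C0644 3 ../authorized_keys",    # classic traversal
    "C0644 5 \x1b[2Jnotes.txt",      # ESC sequence to wipe what the client printed
]

if __name__ == "__main__":
    for label, check in (("legacy", legacy_check), ("hardened", hardened_check)):
        written, rejected = receive(MALICIOUS_SESSION, "notes.txt", check)
        print(f"{label}: wrote {written}, rejected {len(rejected)}")
        for reason in rejected:
            print("   ", reason)
```

The legacy path writes all five objects, including the dotfile and the traversal; the hardened path writes only notes.txt and reports why each of the other four was dropped. Switching to sftp sidesteps the whole class, because the sftp client names the file it opens rather than accepting whatever the server announces.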
Dozens of U.S. government websites have been rendered either insecure or inaccessible during the ongoing U.S. federal shutdown. These sites include sensitive government payment portals and remote access services, affecting the likes of NASA, the U.S. Department of Justice, and the Court of Appeals.
With federal employees currently furloughed, more than 80 Transport Layer Security (TLS) certificates used by .gov websites have so far expired without the ability to be replaced or updated. To compound the situation, some of these sites can no longer be accessed due to strict security measures that were implemented long before the shutdown started.
Don’t forget that in Chrome it is possible to bypass the certificate warning by typing thisisunsafe (as one word, with no spaces) while the warning page has focus. Use this with caution, and only with the awareness that you are then trusting whatever is on the other end of the connection, since an expired certificate no longer proves who you are talking to.
https://news.netcraft.com/archives/2019/01/10/gov-security-falters-during-u-s-shutdown.html
Researchers have found a new kind of Windows malware that receives "encrypted" instructions by way of the messaging app Telegram. What’s really interesting is that analysts from Forcepoint Labs were able to retroactively scrape and correlate all the messages issued by the malware operator, because Telegram messages carry unique IDs.
The researchers describe their newly discovered malware, dubbed GoodSender, as a “fairly simple” Windows-based malware that’s about a year old and uses Telegram to listen and wait for commands. Once it infects a target it creates a new administrator account, enables Remote Desktop, sends the username and a randomly generated password to the attacker through Telegram, and waits.
It’s not the first time malware has used a commercial product to communicate commands; bad actors have been known to embed instructions in pictures posted to Twitter or in comments left on celebrity Instagram posts.
The theory must be that using an encrypted messenger makes the traffic far harder to detect. Forcepoint said in its research, published on Thursday, that it only stumbled across the malware after it found a vulnerability in Telegram’s “notoriously bad encryption”.
The messages are encrypted using the app’s proprietary MTProto protocol, long slammed by cryptographers for leaking metadata and having flaws, and likened to “being stabbed in the eye with a fork.” Its bots, however, only use traditional TLS — or HTTPS — to communicate. The leaking metadata makes it easy to man-in-the-middle the connection and abuse not only the bots’ API to read bot-sent and received messages, but also allows the recovery of the full messaging history of the target bot, the researchers say.
https://techcrunch.com/2019/01/17/decrypted-telegram-bot-windows-malware
In March of this year, researchers at the CanSecWest Vancouver conference will be able to take part in the annual Pwn2Own contest, which includes a Tesla Model 3 on site as the target for the automotive category, with six different focal points in scope for research. The first successful researcher also drives off in a brand new Model 3 after the competition ends. Definitely check the rules on their page for details.
Microsoft returns as a partner, and a Hyper-V Client guest-to-host escape is the top-paying target in the virtualization category. VMware ESXi and VMware Workstation are in scope as well, along with Oracle VirtualBox, rounding out the hypervisors that cloud computing relies on so heavily.
Among the web browsers, the Chromium engine gets even more attention now that Microsoft is moving Edge onto it, but Firefox and Safari remain targets too.
https://www.zerodayinitiative.com/blog/2019/1/14/pwn2own-vancouver-2019-tesla-vmware-microsoft-and-more
One of the last surviving Navajo code talkers, Alfred Newman, has passed away at 94. Newman was among 400 Navajos who helped defeat the Japanese during World War II by developing an unbreakable code for military transmissions using the Diné language. The Code Talkers have been celebrated in books, movies and poems for their vital role in the war, their courage in combat and the unusual encryption system that stymied enemy intelligence.
https://eu.azcentral.com/story/news/local/arizona/2019/01/14/alfred-k-newman-among-last-navajo-code-talkers-has-died/2570535002/
Security researcher Troy Hunt has updated Have I Been Pwned after finding 87GB of leaked email addresses and passwords on the cloud storage provider MEGA. The raw dump, called Collection #1 in his post, totals 2,692,818,238 rows (well over two billion, more than a signed 32-bit integer can hold), which boil down to roughly 773 million unique email addresses and about 1.16 billion unique email-and-password combinations. It is made up of many individual data breaches from literally thousands of different sources. Hunt says he found his own older, but accurate, information in it. What caused him a “sense of dismay” is that the data contains "dehashed" passwords, which have been cracked and converted back into plain text. The post links to a separate technical discussion of what makes a good password hashing algorithm and why the likes of salted SHA-1 is as good as useless against offline cracking. In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see.
https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
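Why "dehashed" salted SHA-1 turns up in a leak like this, as an added example that is not from Hunt's post: a salt stops precomputed tables and batch cracking, but it does nothing about the cost of each guess, so a leaked salted SHA-1 falls to a short wordlist in microseconds. A deliberately slow, salted key derivation function makes the same attack pay a work factor per guess. The wordlist and the users are constructed for the example; PBKDF2 is used because it is in the Python standard library, and in production a memory-hard function (scrypt, Argon2) or bcrypt is the better choice.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional, Tuple

# Constructed wordlist standing in for the "dehashed" passwords in a leak.
LEAKED_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2", "iloveyou"]

PBKDF2_ROUNDS = 200_000   # work factor; stored with the hash so it can be raised later


def sha1_salted_store(password: str, salt: Optional[bytes] = None) -> str:
    """Legacy scheme: one fast SHA-1 over salt||password."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def sha1_salted_verify(password: str, stored: str) -> bool:
    _, salt_hex, digest = stored.split("$")
    candidate = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Slow scheme: PBKDF2-HMAC-SHA256 with a per-user salt and an explicit work factor."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def dictionary_attack(stored: str, verify: Callable[[str, str], bool],
                      guesses: Iterable[str]) -> Tuple[Optional[str], float]:
    """Offline guessing, the way a leaked hash is actually attacked.
    Returns (recovered password or None, seconds spent)."""
    start = time.perf_counter()
    found = None
    for guess in guesses:
        if verify(guess, stored):
            found = guess
            break
    return found, time.perf_counter() - start


def compare_schemes(password: str) -> Tuple[Optional[str], Optional[str], float]:
    """Attack one password stored under both schemes. Returns what each attack
    recovered and how many times slower the PBKDF2 attack ran overall."""
    weak, t_weak = dictionary_attack(sha1_salted_store(password), sha1_salted_verify, LEAKED_PASSWORDS)
    strong, t_strong = dictionary_attack(pbkdf2_store(password), pbkdf2_verify, LEAKED_PASSWORDS)
    return weak, strong, t_strong / max(t_weak, 1e-9)


if __name__ == "__main__":
    for pw in ("letmein", "correct horse battery staple"):
        weak, strong, slowdown = compare_schemes(pw)
        print(f"{pw!r}: salted SHA-1 -> {weak!r}, PBKDF2 -> {strong!r}, "
              f"PBKDF2 attack {slowdown:,.0f}x slower")
```

Both schemes give up "letmein" because it is in the wordlist; the salt does not hide a weak password from a per-user guessing run. The difference is the bill: the PBKDF2 attack costs 200,000 HMAC computations per guess instead of one SHA-1, which is the only lever a site has once a hash is in an attacker's hands.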
There was a massive data breach at the Oklahoma Department of Securities, exposing millions of documents containing decades’ worth of confidential case file intelligence from the agency, along with sensitive FBI investigation source material.
“By the best available measures of the files’ contents and metadata, the data was generated over decades, with the oldest data originating in 1986 and the most recent modified in 2016,” read a report summary released by California-based cybersecurity firm UpGuard.
The report, released Wednesday, says UpGuard’s Data Breach Research team confirmed that a server belonging to the department, which oversees all financial securities business in the state, was “publicly accessible” on Nov. 30 of last year. The exposed material references major corporations including AT&T, Goldman Sachs and Lehman Brothers.
The report found that the three terabytes of exposed data included spreadsheets “documenting the timeline for investigations by the FBI and people they interviewed,” as well as training documents, emails and supporting files for Department of Securities investigations.
https://www.newsweek.com/oklahoma-data-breach-may-expose-years-fbi-investigations-report-1293862
Attackers broke into an SEC database and made millions from insider information.
Federal prosecutors unveiled charges in an international stock-trading scheme that involved breaking into the Securities and Exchange Commission’s EDGAR corporate filing system.
The scheme allegedly netted $4.1 million for fraudsters from the U.S., Russia and Ukraine. Using 157 corporate earnings announcements, the group was able to execute trades on material nonpublic information. Most of those filings were “test filings,” which corporations upload to the SEC’s system before the real release. The scheme involved seven individuals and operated from May to at least October 2016. Prosecutors said the traders were part of the same group that previously hacked into newswire services. The attackers used malicious software sent via email to SEC employees. After planting the software on SEC computers, they sent the information they gathered from the EDGAR system to servers in Lithuania, where it was either used or distributed. When it occurred, the incident sparked fears over the SEC’s Consolidated Audit Trail database, known as CAT. The CAT was meant to record every trade and order, in stocks or options, made in the U.S., with the goal of providing enough data to detect market manipulation and other malicious behavior.
https://www.cnbc.com/2019/01/15/international-stock-trading-scheme-hacked-into-sec-database-justice-dept-says.html
A malicious former employee installed a Raspberry Pi in the company’s network closet, and the Reddit crowd helped with the investigation. This story is a good read about discovering the kind of device you do not want to find inside your company’s network. The positive thing is how much help the Reddit community offered in unravelling what the device was and what it was (supposedly) meant to be used for. Interesting stuff to be sure!
https://blog.haschek.at/2018/the-curious-case-of-the-RasPi-in-our-network.html
Do you have experience with authentication? Can you tell the difference between AuthN and AuthZ? That’s authentication vs. authorization, just in case. If you’ve been looking for a resource that describes the concept of authentication factors and how enrollment gets increasingly complex the more factors you add, a recent blog post by Apenwarr goes into what the factors are and explains the difference between multi-factor and multiple single-factor. Hint: multi-factor requires methods from different categories. The article also talks about the current state of enrollment processes and why U2F seems to make domain validation work “like magic”. Happy reading!
https://apenwarr.ca/log/20190114
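What the “like magic” part looks like in code, as an added example that is not from the post and not a real U2F implementation: the token never sees a password, only a challenge, and it signs over the appId plus client data that records the page origin, which the relying party then checks against its own origin. An attacker who relays a real challenge through a look-alike domain gets, at best, an assertion bound to the wrong origin. Everything here is simplified and constructed: HMAC with a shared key stands in for the ECDSA P-256 signature a real token produces, the counter is omitted, and the browser's facet check is reduced to "appId must equal the page origin".

```python
import hashlib
import hmac
import json
import os
import secrets
from typing import Dict, Optional, Tuple


class Token:
    """Toy U2F authenticator: one key per registration, bound to the appId."""

    def __init__(self) -> None:
        self._keys: Dict[str, Tuple[str, bytes]] = {}   # key_handle -> (app_id, key)

    def register(self, app_id: str) -> Tuple[str, bytes]:
        handle, key = secrets.token_hex(16), os.urandom(32)
        self._keys[handle] = (app_id, key)
        return handle, key          # the relying party stores both

    def sign(self, app_id: str, handle: str, client_data: bytes) -> Optional[bytes]:
        registered_app, key = self._keys.get(handle, (None, None))
        if registered_app != app_id:   # the handle is only valid for the appId it was made for
            return None
        msg = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(key, msg, "sha256").digest()


def browser_authenticate(token: Token, page_origin: str, app_id: str,
                         handle: str, challenge: str) -> Optional[Tuple[bytes, bytes]]:
    """The browser's part: refuse an appId the page origin may not use, then
    build clientData (which records the origin) and ask the token to sign it."""
    if app_id != page_origin:
        return None
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    sig = token.sign(app_id, handle, client_data)
    return None if sig is None else (client_data, sig)


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.users: Dict[str, Tuple[str, bytes]] = {}
        self.pending: Dict[str, str] = {}

    def enroll(self, user: str, token: Token) -> None:
        self.users[user] = token.register(self.origin)

    def challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def verify(self, user: str, client_data: bytes, sig: bytes) -> bool:
        handle, key = self.users[user]
        expected = self.pending.pop(user, None)   # single use: a replay fails
        data = json.loads(client_data)
        if data.get("origin") != self.origin or data.get("challenge") != expected:
            return False
        msg = hashlib.sha256(self.origin.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.compare_digest(hmac.new(key, msg, "sha256").digest(), sig)


def legitimate_login(rp: RelyingParty, token: Token, user: str) -> bool:
    ch = rp.challenge(user)
    handle, _ = rp.users[user]
    assertion = browser_authenticate(token, rp.origin, rp.origin, handle, ch)
    return assertion is not None and rp.verify(user, *assertion)


def phishing_relay(rp: RelyingParty, token: Token, user: str, phish_origin: str) -> bool:
    """Attacker at phish_origin relays the real challenge (and key handle) to the
    victim's browser, exactly as a phishing kit relays a password or OTP."""
    ch = rp.challenge(user)
    handle, _ = rp.users[user]
    # Attempt 1: the phishing page asks for the bank's appId; the browser refuses.
    assertion = browser_authenticate(token, phish_origin, rp.origin, handle, ch)
    # Attempt 2: the page uses its own appId; the token has no key for it.
    if assertion is None:
        assertion = browser_authenticate(token, phish_origin, phish_origin, handle, ch)
    return assertion is not None and rp.verify(user, *assertion)


if __name__ == "__main__":
    bank, tok = RelyingParty("https://bank.example"), Token()
    bank.enroll("alice", tok)
    print("legitimate login:", legitimate_login(bank, tok, "alice"))
    print("relayed through bank-login.example:", phishing_relay(bank, tok, "alice", "https://bank-login.example"))
```

Compare this with a password or a TOTP code: both are just strings the user types, so the relay succeeds no matter which domain collected them. Here the domain is mixed into what gets signed at two points (the appId the token keys on and the origin in the client data), and the relying party rejects an assertion for any origin but its own even if a token were willing to produce one.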
Noise Explorer, the tool Nadim Kobeissi created for the Noise Protocol Framework, now supports generating secure implementations in Go for any Noise Handshake Pattern. The author invites people to try out the beta at noiseexplorer.com.
The blurb from the page says it’s possible to: Instantly generate full symbolic models in the applied pi calculus for any Noise Handshake Pattern that you enter. Using ProVerif, these models can be analyzed against passive and active attackers with malicious principals. The model's top-level process and sophisticated queries are specifically generated to be relevant to your Noise Handshake Pattern, including tests for strong vs. weak forward secrecy and resistance to key compromise impersonation. Noise Explorer also automatically generates a secure implementation of your chosen Noise Handshake Pattern design, written in Go.
https://twitter.com/i/web/status/1085629955202011136
CERT Poland (CERT Polska) opens access to its malware database (MWDB).
Analysis of current threats is one of the most common challenges facing almost any organization dealing with cybersecurity. From year to year, it also becomes a harder nut to crack, being undoubtedly influenced by the growing scale of activities undertaken by criminals and the degree of their advancement. In the face of this situation, efficient exchange of information between researchers is a key issue.
The MWDB system (also known as the “Malware Database”) is a repository for storing malware samples and information acquired during their analysis. The simplest example of this type of data can be the relation of a specific sample with a given malware family, or the addresses of the C&C servers used by it.
Each user, after logging into the system, can see malware samples in reverse chronological order. Of course this only applies to samples available to that particular user (uploaded or derived objects). Each object carries so-called tags that refer to the classification CERT Poland uses during analysis (e.g. assignment to malware families, specific phishing campaigns, etc.).
https://www.cert.pl/en/news/single/mwdb-our-way-to-share-information-about-malicious-software/
Windows 10 Mobile is really dead this time… Parrot Sketch not included
https://www.thurrott.com/windows/windows-10/197932/windows-10-mobile-is-dead-dead
Posted on 18 January 2019, sourced with permission from malgregator.com
Some sources adapted for on-air readability.
Lastly, did you know that pressing CTRL + ? on a Chromebook will bring up a list of keyboard shortcuts? I stumbled across it by accident and thought it was worth sharing.
Security Endeavors Headlines is produced by SciaticNerd & Security Endeavors with the hope that it provides value to the wider security community.
Special thanks to our friends at malgregator dot com, who allow us to use their compiled headlines as source material and show notes. Visit them at Malgregator.com.
Additional supporting sources for this week’s stories will also be included in our show notes.
Why not start a conversation about the stories from this week on our Subreddit at reddit.com/r/SEHL
Thanks for listening and we'll see you next week!