TLS 1.3 – Internet Security Gets a Boost

TLS 1.3 updates the most important security protocol on the Internet, delivering superior privacy, security, and performance.

10. august marks the formal publication of an overhaul of the Transport Layer Security (TLS) protocol. TLS is an Internet standard used to prevent eavesdropping, tampering, and message forgery for various Internet applications. It is probably the most widely deployed network security standard in the world. Often indicated by the small green padlock in a web browser’s address bar1, TLS  is used in financial transactions, by medical institutions, and to ensure secure connections in a wide variety of other applications.

We believe the new version of this protocol, TLS 1.3, published as RFC 8446, is a significant step forward towards an Internet that is safer and more trusted.

TLS 1.3 represents a significant security win for the Internet and its users. We look forward to using it and tracking its adoption on the Internet.

An Overview of TLS 1.3 – Faster and More Secure

 

Top 5 Security links

 

BF-SIRT Newsletter 2018-32

A new method has been found to make cracking WPA/WPA2 easier

The makers of Hashcat found a simpler way to gather the Pairwise Master Key Identifier (PMKID) from WPA/WPA2-secured wifi network. Before this method was discovered an attacker would have to wait for a user to authenticate, and then steal the 4-way handshake of the user. This new method is a “client-less attack”, meaning it can gather all the information needed without anyone using the network. This can significantly speed up the process of obtaining the PMKID.

The good news is that the passwords still needs to be cracked by brute force or dictionary attack, so if you are using a secure password this is still a non-trivial process. It also only works on Pre-Shared Key (PSK), meaning using other authentication methods should be safe.

Top 5 Security links

 

BF-SIRT Newsletter 2018-31

Huge Cryptomining Attack on ISP-Grade Routers Spreads Globally

Carrier-grade MikroTik routers are delivering potentially millions of daily cryptomining pages to the attacker.

A massive hacking campaign has been uncovered, compromising tens of thousands of MikroTik routers to embed Coinhive scripts in websites using a known vulnerability.

So far, Censys.io has reported more than 170,000 active MikroTik devices infected with the CoinHive site-key used in this campaign (the site-key is the same across infections, indicating a single entity behind the attacks). The campaign is mainly targeting Brazil – but infections are growing internationally, according to Trustwave’s Secure Web Gateway (SWG) team, indicating much larger ambitions.

“This is a warning call and reminder to everyone who has a MikroTik device to patch as soon as possible,” Trustwave researcher Simon Kenin wrote a posting today. “This attack may currently be prevalent in Brazil, but during the final stages of writing this blog, I also noticed other geo-locations being affected as well, so I believe this attack is intended to be on a global scale.”

 

Top 5 Security Links

How to defend yourself against SamSam ransomware

Backdoors keep appearing in Cisco’s routers

Reddit breach highlights limits of sms-based authentication

Attacks on industrial enterprises using RMS and Teamviewer

Amnesty International targeted by Nation-state spyware

Photo by Charles Deluvio ???????????????? on Unsplash

BF-SIRT Newsletter 2018-26

Gentoo shows off prompt and professional security response after minor breach

A weak administrator password allowed an unknown attacker to gain access to the Gentoo Linux distribution’s GitHub account and lock developers out of it. The GitHub repositories of Gentoo are only downstream mirrors from the self-hosted Gentoo.org infrastructure.

From an organizational standpoint, Gentoo’s handling of the incident was prompt and professional. Gentoo released official statements promptly detailing the nature of breach. This should be considered the standard against which organizations are judged for handling security breaches.

Top 5 Security links

Programmer tried to sell cyberweapon on dark web for $50M: Reminder to secure employees
Gartner Identifies the Top Six Security and Risk Management Trends
UK Banks Told To Show Their Backup Plans For Tech Shutdowns
Google tries to calm controversy over app developers having access to your Gmail
Why LTE and 5G networks could be affected by these new security vulnerabilities

 

(Blogpost image by Charles Deluvio ????????????????, “Front-End Development“, “Do whatever you want”-license by Unsplash)

BF-SIRT Newsletter 2018-25

Ticketmaster chat feature leads to Credit-Card Breach

Tens of thousands of people have been caught up in a data breach at Ticketmaster UK, which exposed credit-card and personal information for UK and some international customers.

The ticket-selling giant said that on Saturday it found malware within a customer chat function for its websites, hosted by Inbenta Technologies. Worryingly, the malicious code was found to be accessing an array of information, including name, address, email address, telephone number, payment details and Ticketmaster login details.

The malware managed to stay under the radar for months as well, Ticketmaster said. The breach affects those who purchased, or attempted to purchase, event tickets between September 2017 and June 23 of this year. About 5 percent of its customer base is affected, the company noted, which according to the BBC’s calculations works out to 40,000 or so victims.

Ticketmaster has since disabled the feature, which was running on Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb websites. It also said in a website notice that “forensic teams and security experts are working around the clock to understand how the data was compromised,” and said that it has notified the affected customers.

Top 5 Security links

Top 10 most abused top level domains
Google to Fix Location data leak in Google Home, Chromecast
Marketing firm Exactis leaked a personal info database with 340 million records
Botnets evolving to mobile devices
ANNOUNCING : STARTTLS everywhere: Securing hop-to-hop email delivery

BF-SIRT Newsletter 2018-24

Launching VirusTotal Monitor, a service to mitigate false positives

A new service from VirusTotal enables software developers to privately check and monitor application code against antivirus engines, in a bid to reduce false positives.
 
VirusTotal announced a new Monitor service on June 19 that could help to reduce malware false positives in software.
Since the site was founded in 2004, VirusTotal has enabled developers and antivirus vendors to check files against malware detection engines. With the new VirusTotal (VT) Monitor, software developers can now benefit from a private system where they can upload new files and have them continuously checked to see if they will be flagged as malware. The VirusTotal Monitor service is an attempt to help software developers limit false positive malware detection.

 

Top 5 Security links

“Huge” Browser Bug Enabled Malicious Websites to Retrieve Data from Other Sites You Visited
New North Korea Cyberattack Launches
Sneaky Web Tracking Technique Under Heavy Scrutiny by GDPR
New phishing scam reels in Netflix users to TLS_certified sites
Android Gets New Anti-Spoofing Feature to Make Biometric Authentication Secure

BF-SIRT Newsletter 2018-23

New Vulnerability Found in All Modern Intel CPUs

Another security vulnerability has been discovered in Intel chips that affects the processor’s speculative execution technology. Dubbed Lazy FP State Restore, the vulnerability (CVE-2018-3665) within Intel Core and Xeon processors has just been confirmed by Intel, and vendors are now rushing to roll out security updates in order to fix the flaw.

Unlike other chip vulnerabilities, this one does not reside in the hardware layer, so this can be fixed by new microcode from Intel. As always, keep your software up to date.

Top 5 Security links
Startup Working on Contentious Pentagon AI Project Was Hacked
Tens of Thousands of Android Devices Are Exposing Their Debug Port
Citation needed: Europe claims Kaspersky wares ‘confirmed as malicious’
Feds Bust Dozens of Email Scammers, but Your Inbox Still Isn’t Safe
What got breached this week? Ticket portals, DNA sites, and Atlanta’s police cameras

 

(Blogpost image by Alexandru-Bogdan Ghita, “CPU in Socket”, “Do whatever you want”-license by Unsplash)

BF-SIRT Newsletter 2018-22

Public Disclosure of a Critical Arbitrary File Overwrite Vulnerability: Zip Slip

The Snyk Security team is today announcing the public disclosure of a critical arbitrary file overwrite vulnerability called Zip Slip. It is a widespread vulnerability which typically results in remote command execution. The vulnerability affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many others. It has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java. Of course, this type of vulnerability has existed before, but recently it has manifested itself in a much larger number of projects and libraries.

Zip Slip is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.

Top 5 Security links

Another flash update
Shipping industry cybersecurity: A shipwreck waiting to happen
Widespread Google groups misconfiguration exposes sensitive information
Destructive and MiTM capabilities of VPNFilter Malware revealed
When cybercriminals are rubbish at cybersecurity

BF-SIRT Newsletter 2018-21

BUG in GIT opens developers systems up to attack.

Git repository hosting services GitHub, GitLab and Microsoft VSTS each patched a serious vulnerability on Tuesday that could lead to arbitrary code execution when a developer uses a malicious repository.

Developers behind the open-source development Git tool pushed out Git 2.17.1, addressing two bugs (CVE-2018-11233 and CVE-2018-11235).

“These are tricky vulnerabilities that will require the Git hosting services to patch, but also individual developers who are using the tool,” said Tim Jarrett, senior director of security, Veracode.

Of the two vulnerabilities, CVE-2018-11235 is the most worrisome, researchers said.

The vulnerability is described as a submodule configuration flaw that surfaces when the Git submodule configuration is cloned. Git provides developers with post-checkout hooks, which are executed within the context of the project. Those hooks can be defined within the submodules, and submodules can be malicious and directed to execute code.

“The software does not properly validate submodule ‘names’ supplied via the untrusted .gitmodules file when appending them to the ‘$GIT_DIR/modules’ directory. A remote repository can return specially crafted data to create or overwrite files on the target user’s system when the repository is cloned, causing arbitrary code to be executed on the target user’s system,” according to a SecurityTracker description of the flaw.

Top 5 Security links

European Commission “doesn’t plan to comply with GDPR” – well, sort of
PCI Security Standards Council publishes PCI DSS 3.2.1
Google patches 34 browser bugs in chrome67, adds spectre fixes
How to turn PGP back on as safely as possible
Research shows 75% of ‘open’ Redis servers infected

BF-SIRT Newsletter 2018-20

VIRGINIA TECH AND DASHLANE ANALYSIS FIND RISKY, LAZY PASSWORDS THE NORM

Dashlane analyzed over 61 million passwords and uncovered some troubling password patterns. The analysis was conducted with research provided by Dr. Gang Wang, an Assistant Professor in the Department of Computer Science at Virginia Tech.

The Virginia Tech project, described as “the first large-scale empirical analysis of password reuse and modification patterns…” resulted in a landmark research paper: “The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services.” Dr. Wang granted Dashlane’s Analytics Team access to the anonymized version of the 61.5 million passwords from the project so they could conduct further research into password trends.

Top 5 Security links

Amazon comes under fire for facial recognition platform
New VPNFilter malware targets at least 500K networking devices worldwide
Why not to use sha256crypt  or sha512crypt they’re dangerous
Intel’s ‘virtual fences’ spectre fix won’t protect against variant 4
The good and bad news about blockchain security