This Week In Security #7
Security is looking past what you know. With new threats and vulnerabilities found every day, we’ll try to give you an organized weekly dose of security news. This is Koda Ops TWIS #7.
Microsoft issued 14 bulletins, 6 rated critical and 8 important. Among them was a 0-day being actively exploited in the wild: a vulnerability in the Windows kernel-mode driver, used in conjunction with a recently patched Adobe flaw. Adobe patched nine critical vulnerabilities in Flash Player, impacting Windows, Mac, Linux and Chrome. Google is aggressively pushing Microsoft to fix the 0-day.
1 Billion Mobile App Accounts can be hijacked because of faulty OAuth Implementation
Think of signing into apps with Facebook, Google, LinkedIn or Twitter. Security researchers have discovered widespread failure to properly implement OAuth 2.0, the open standard for authorization that lets users sign in to third-party services with no additional username or password required. That convenience offers no protection when the app does not properly check the validity of the identity information it receives from the source of the ID, i.e. Facebook. Attackers can download the vulnerable app, log in with their own information and then change the credentials it sends to whatever they wish. Over 2.4 billion downloads across iOS and Google are vulnerable.
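The check those apps skip, as an added illustration that is not from the original post or from the researchers: a backend that accepts whatever identity the mobile app posts, next to one that validates the provider's signed assertion (signature, audience, expiry) before trusting the `sub` claim. The HMAC-signed token, `IDP_KEY` and `OUR_CLIENT_ID` are constructed stand-ins for a real provider's signed ID token and registration values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-ins (assumptions, not real values): the provider's signing
# key and the client id our app registered with the provider.
IDP_KEY = b"constructed-idp-signing-key"
OUR_CLIENT_ID = "example-mobile-app"

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def idp_issue_token(sub: str, aud: str, ttl: int = 300) -> str:
    """Stand-in for the provider issuing a signed identity assertion
    (HMAC here for a self-contained demo; real providers use signed JWTs)."""
    payload = json.dumps({"sub": sub, "aud": aud, "exp": int(time.time()) + ttl}).encode()
    sig = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(sig)

def vulnerable_login(client_claims: dict) -> str:
    """The flaw from the article: the backend trusts the user identity the app
    sent over the wire, so the attacker picks any victim's id."""
    return client_claims["sub"]

def verify_with_provider(token: str) -> Optional[dict]:
    """Validate the provider-signed assertion: signature, audience, expiry."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = unb64(payload_b64), unb64(sig_b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # payload was altered or not issued by the provider
    claims = json.loads(payload)
    if claims.get("aud") != OUR_CLIENT_ID or claims.get("exp", 0) < time.time():
        return None  # token meant for another app, or stale
    return claims

def hardened_login(token: str) -> Optional[str]:
    """Identity comes only from claims the provider actually signed for us."""
    claims = verify_with_provider(token)
    return claims["sub"] if claims else None
```

A real backend does the same against the provider's published keys or token-info endpoint; the audience check is what stops a token issued to a different (attacker-controlled) app from being replayed here.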
The Year of Cyber Elections
After all the cyber hoopla from the US elections, Germany is gearing up for its own controversy. Angela Merkel is postulating that Russia may try to influence the outcome through cyber attacks. The past year has been rife with political unrest globally, and that tends to play well for attackers, offering them a convenient distraction or smokescreen. Ironically, the attackers offer politicians a handy diversion as well. The accusation bandwagon is loading up.
Tesco Bank attacks linked to Retefe Trojan
Numerous banks around the globe will need to check their security after the attack on Tesco this past weekend. Security experts warn that the attack may have started as early as February 2016. Palo Alto flagged the Trojan after it hit Sweden, Switzerland and Japan earlier this year. Other UK banks on its target list include Halifax, HSBC and Barclays. Retefe arrives as a malicious email attachment that masquerades as an invoice or similar document (classic phishing). It is sophisticated, and armed with several components to ensure success:
- Uses Tor to configure a proxy that redirects victims to a mimic of the target bank site (man-in-the-middle)
- Installs a fake root certificate, which suppresses the browser warnings that the site is not genuine
- A mobile component to bypass 2FA by intercepting one-time passwords
Russian Banks Hit by DDoS attacks
Over five Russian banks were targets of DDoS attacks this week, beginning Tuesday and lasting at least two days. Yet again, an army of IoT devices was harnessed to do the dirty work, with the Mirai source code as the likely basis. Default passwords will be everyone’s undoing, and the responsibility for failing to build in security rests with the manufacturers.
China tightens its grip on the internet and censorship
China, a country known for strict censorship policies that have made it difficult for foreign companies to do business in the world’s most populous country, has now taken another stab at its ability to censor the internet. The Chinese government has approved broad and controversial new cybersecurity regulations that would further strengthen the country’s censorship regime, making it more difficult for technology companies to operate there. The legislation was passed this past Monday and is set to take effect in June 2017. China’s stated goal is to combat the growing threats of hacking and terrorism, but it comes at the price of greater surveillance.
Data localization and real-name requirements will make their way into messaging services, forcing users to keep their data within the country and to use their real names. How will outside cloud services or backup providers feel, and how will China combat leakage of information to outside sources? It seems the new legislation also covers new cybersecurity requirements, forcing companies to provide “technical support” to government agencies for investigations involving national security and crime, and to censor content that is “prohibited.” Although this technical support is not clearly defined in the law, experts believe that authorities could ask companies for surveillance assistance in the name of tech support. The upside is that under this law, companies and network operators must report “security incidents” to the government and inform consumers of data breaches, something that should be part of anyone’s cybersecurity plan.
That’s This Week in Security. I hope you enjoyed reading; please comment below and stay tuned for more TWIS.