The usual collection of exploits, tools, reports and humor round out our coverage today. One security researcher found RickRolling inside one exploit: that throwback to a simpler time seems so quaint now. Our top story has a Google exploit that can monitor your surrounding audio and video conversations without your knowledge, and apparently Google hasn't yet come up with a fix. And a couple of new products announced this week that are worth taking a closer look. Be safe out there folks.
-- David Strom, editor of Inside Security
Top story: Google chrome audio flaw
A UX design flaw in the Google's Chrome browser could allow malicious websites to record audio or video without alerting the user or giving any visual indication that the user is being spied on. AOL developer Ran Bar-Zik reported the vulnerability to Google on April 10, but the tech giant declined to consider this vulnerability a valid security issue, which means that there is no official patch on the way. – HACKER NEWS
Attacks: shopping mall billboard
Hackers compromised a computer connected to a mall’s billboard displays at the Liverpool One shopping mall. In keeping with British cultural norms, they were incredibly polite and "friendly." -- MOTHERBOARD
This post details an example of chaining three relatively trivial vulnerabilities to achieve remote code execution on a bug bounty target. These vulnerabilities alone would have likely been of low severity, but when used together they were scored and rewarded together as a High Priority issue. It is worth reading to show exactly how clever modern exploits can be. – KERNEL PICNIC
A group of hackers have leaked personal data and photos that belong to patients of a cosmetic surgery clinic based in Lithuania. On May 30th, the bad actors published online some 25,000 private photos, including nude images, from patients of the Grozio Chirurgija clinic. They also included personal information in their dump. Those details ranged from names and addresses to passport scans and national insurance numbers. Attribution has been difficult as the hackers seem to be posing as Russians to get attention. -- TRIPWIRE
IRONSCALES just unveiled this report entitled: How Modern Email Phishing Attacks Have Organizations on the Hook. The report's findings were based on detailed analysis of more than 8,500 verified phishing attacks during 2016-2017 and inspected more than 500,000 email inboxes. It found that spear-phishing is increasingly laser-focused, with 77 percent of the verified attacks targeting fewer than 10 mailboxes or less and one-third targeting just a single mailbox. Also, blast campaigns have become micro-targeted. Operations and finance were the most remediated departments while DHL, Google & Amazon were the most frequently spoofed brands.
Here is a great post about social engineering down through history, noting Kevin Mitnick and John Draper among others. It also reviews the different types of attacks and how they work, such as pretexting, baiting, phishing and my favorite, tailgating (illustrated here). -- HACKADAY
What if quantum computing gains hold? This academic paper from computer scientists at University of Illinois at Chicago and others proposes RSA parameters for which key generation, encryption, decryption, signing, and verification are feasible on today’s quantum computers. Can RSA parameters be adjusted so that all known quantum attack algorithms are infeasible while encryption and decryption remain feasible? The short answer is yes. -- PAPER PREPRINT
Acronis Backup v12.5 is now available. The venerable utility supports more than 20 platforms. These include Windows, Office 365, Azure, Linux, Mac OS X, Oracle, VMWare, Hyper-V, Red Hat Virtualization, Linux KVM, Citrix XenServer, iOS, andAndroid. It includes new features such as SAN snapshots, delegated roles and a unified web interface. It has a complex pricing structure with workstation licenses that begin at $89 and server licenses that begin at $999.
STEALTHbits Technologies has issued a free Shadow Brokers Vulnerability Utility that helps organizations determine their risk exposure to known Shadow Broker exploits such as the WannaCry ransomware. The utility enumerates Windows hosts in the environment, identifies Windows systems that are vulnerable to Shadow Brokers exploits, and verifies that systems have been successfully patched after remediation. The Shadow Brokers Vulnerability Utility can be downloaded here.
Here are a few steps to make these bounty programs succeed: start with a small pilot program, put together proper bug reporting procedures, recruit known researchers with proven track records, and then look for the lessons learned in your data. -- TECHBEACON
How do bounties get priced? It has to do with business impact, not necessarily the severity of the bug itself, according to this post. "When a business prices vulnerabilities, they spend a lot more time considering the scarcity of the bug and how many they think they have, which is the hardest thing to try and work out [as] you can't know," said HackerOne CTO Alex Rice. -- ZDNET
Methods and tools
The latest end user comments about four networking troubleshooting products: CA Spectrum, OptiView XG, AirMagnet Survey and Observer GigaStor. IT staffers at IT CentralStation have good and bad things to say about each product and their experiences.
For most security researchers, Yara is a tool that allows them to create their own set of rules for malware tracking. It is an invaluable resource that helps automate many processes. However, despite Yara’s reliability, it shouldn’t be the only tool used to monitor new versions of malware. This article will show why it is a good idea to refrain from processing and adding Yara detections without collaborating with other tools. -- TREND MICRO BLOG
Just for fun
“Life in Russian Intelligence is really boring. Trump just tells us all the US' secrets.” says THE KB @ TWITTER (parody account). As their account says, “You don’t follow us, we follow you.”
Speaking of our president, the Twitterverse has exploded with last night’s mystery word “covfefe.” Agent Cooper and I both haven't a clue.
How likely are you to recommend Inside Security to a friend or colleague?