
Inside Security (Jan 12th, 2018)

David’s take

If you aren't yet a Premium subscriber, you missed yesterday's analysis about a potential flaw in several secure messaging group chats, and what you should do about it. Go to our Premium page and sign up; subscription plans start at $10/month, with multiple newsletters and corporate plans available. Premium subscribers get an additional Thursday newsletter, usually with a single analysis topic.

Another person associated with the SecureDrop service has died. James Dolan, who worked on the program with Aaron Swartz, was 36. Dolan's cause of death was suicide. SecureDrop is an offering from the Freedom of the Press Foundation and used by many journalists all over the world for secure communication with their sources. Dolan was the foundation’s first full-time staffer. Dolan left the foundation two years ago to work on a San Diego startup. The foundation’s website has more details.

I am a big supporter and user of password managers, but here is a new twist on how they can be exploited. Technically, it isn’t the managers’ fault. Third-party scripts can inject invisible login forms that capture a username and password, which the attacker then uses for credential theft. While this vulnerability has long been known, this is the first time that such abuse has been documented. Take a closer look at the attack at the link and learn how you and your users can avoid it.

-- David Strom, Editor of Inside Security
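The hidden-form trick works because a password manager fills fields the user never sees. As an added example (my code, not the newsletter's or the researchers'), the Python audit below parses a page and reports credential fields hidden by inline CSS or the `hidden` attribute; the hiding heuristics, the name hints and the sample page are all constructed.

```python
import re
from html.parser import HTMLParser

# Constructed heuristic: inline CSS that hides an element and its whole subtree
# (a browser-side audit would use computed styles instead of inline CSS).
HIDING_RULES = [re.compile(p, re.I) for p in (
    r"display\s*:\s*none", r"visibility\s*:\s*hidden",
    r"opacity\s*:\s*0(?:\.0*)?\s*(?:;|$)", r"(?:left|top)\s*:\s*-\d{3,}px")]
LOGIN_HINTS = ("user", "login", "email", "pass")
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}  # never get an end tag

def is_hidden(attrs):
    style = attrs.get("style", "")
    return "hidden" in attrs or any(r.search(style) for r in HIDING_RULES)

class HiddenLoginFieldFinder(HTMLParser):
    """Collects <input> fields a user cannot see but a password manager may fill."""
    def __init__(self):
        super().__init__()
        self.stack = []        # one bool per open tag: does it hide its subtree?
        self.hidden_depth = 0  # > 0 while inside a hidden ancestor
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        hides = is_hidden(a)
        if tag == "input" and (hides or self.hidden_depth):
            kind = a.get("type", "text").lower()
            name = (a.get("name") or a.get("id") or "").lower()
            if kind == "password" or (kind in ("text", "email") and
                                      any(h in name for h in LOGIN_HINTS)):
                self.findings.append((kind, name or "<unnamed>"))
        if tag not in VOID_TAGS:
            self.stack.append(hides)
            self.hidden_depth += hides

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.hidden_depth -= self.stack.pop()

def find_hidden_login_fields(html):
    parser = HiddenLoginFieldFinder()
    parser.feed(html)
    return parser.findings  # list of (type, name) tuples

# Constructed page: a visible login form, then a form injected by a third-party
# script and parked off-screen. The type="hidden" CSRF token is not flagged.
SAMPLE = ('<form action="/login"><input type="email" name="email">'
          '<input type="password" name="password"></form>'
          '<div style="position:absolute; left:-9999px; top:0"><form action="/collect">'
          '<input type="text" name="username"><input type="password" name="pass">'
          '</form></div><input type="hidden" name="csrf_token" value="abc">')
```

The same audit, run from a browser extension over computed styles, is the check a password manager can apply before autofilling: only fill fields the user can actually see.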


Top Story: Malware found in numerous SCADA Android apps

Researchers took a closer look at 34 vendors of SCADA apps and identified 147 security issues in the applications and their backend programs. These vulnerabilities include unauthorized physical access to the device or its data, compromised communications channels, and application flaws. – IOACTIVE BLOG


Attacks and vulnerabilities

Researchers have found malicious code hiding inside 60 different Android gaming apps. Some of the apps are targeted at kids. Across this portfolio, the apps have been downloaded at least three million times. The code can display ads for porn sites, trick users into installing fake security apps, or register a user for a premium service without their permission. – CHECKPOINT BLOG


A sneaky new injection technique called Flokibot delivers LockPoS malware straight into the kernel of Windows-based POS machines, according to new research. Given that Windows 10 kernel functions aren’t easily monitored by security tools, this could be hard to detect. – CYBERBIT BLOG


Google Drive had a vulnerability that allowed attackers to automatically download malware to a victim’s computer, and researchers demonstrated a proof-of-concept script. Google has fixed the flaw since being notified. However, the researchers warn that “it is likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats.” – PROOFPOINT BLOG


D̵̛̗̗͈̝̠͈͕͕̱̑͌̏̕͢a̝̻͇̬̘̼͓̿́̾̔́͋̎v̷̢̻̯̟̬̪̗̍̌͒̈́͑͑͊́̚ͅì̸̢̮̠̥̦̹̆͛̓͆͜͠ͅď̸̨̛̯̦̜̓̐̀̀̈́͜ S̸̩͉̘̼̬͗̒͛̊̓̈́̕̚t̺͉̱̰͐͒́̆͋̈͢͠ȑ̛̞̘̲̲̞͆̃̍͊͋́̇̈́͢ͅồ̭̬͖̪̥̤̎̏͗͌͡͡m͉̙̺͇͕̜͑̒̀̉͘̕͘͡ Į̸̧̙͉̟̘͗̆͆̆̍͘̕͘n̷̞̱͔͉̥̞̫͐̈̍͌̌͒͟͜͜ś͓̠̬͓̿̍̈̚̚̕̚͢ȉ̛̜̠͙̠͚̞̳́̃̈̒̿̿͟͜d̸̰͓̥̮̬̥͆́̽̉͠ȇ̸̦͇̻̺̪͍͎̋̾͌̄̓̈̚͠ Ș̷̭̯̳͈̬̆͗̽́͛͝͡͝e̸̡̮̫̹̊͆̃͆̂̃͗͘̚͜͜͢͡ͅc̖̝͓̪͕̞̐͌̓̌͐͜ũ̷̘̗̫̘͉͗̌͐̇̇͆͟ř̶͙̜̲͓̗̐̐̅̅͌̂̃̏͜͠ì̧̡̩͕̦̮͍͑̎̑͂͆͜t̡̨̪̳̭̹̱͗͊̍̍̒̌͟͞ỹ̶̧͕̹̝̺͎͎͊͆̀̒̒̅̒̂͂͟ͅ

Researchers have found a way to cause Gmail servers to crash after a user retrieves a specially-encoded email called a Zalgo text (shown above). The text makes extensive use of Unicode and other special character sets. Google has a fix. -- SECURITY AFFAIRS
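Zalgo text stacks many combining marks on each base character, which is what strains renderers and parsers. As an added example (mine, not the newsletter's or the researchers' code), the Python helpers below measure that stacking and trim it to a per-character limit before text reaches a mail parser or renderer; the limit of four marks and the sample string are constructed assumptions.

```python
import unicodedata

# Constructed limit: combining marks one base character may carry before the
# text is treated as abusive. Ordinary text, including most Indic scripts,
# needs far fewer than this.
MAX_MARKS_PER_BASE = 4

def is_combining(ch):
    """Combining marks: nonspacing (Mn), spacing (Mc) and enclosing (Me)."""
    return unicodedata.category(ch) in ("Mn", "Mc", "Me")

def max_mark_run(text):
    """Longest run of combining marks stacked on one base character.
    NFD first, so precomposed letters count their marks the same way."""
    longest = run = 0
    for ch in unicodedata.normalize("NFD", text):
        run = run + 1 if is_combining(ch) else 0
        longest = max(longest, run)
    return longest

def looks_like_zalgo(text, limit=MAX_MARKS_PER_BASE):
    return max_mark_run(text) > limit

def strip_excess_marks(text, limit=MAX_MARKS_PER_BASE):
    """Keep at most `limit` marks per base character, then recompose (NFC)."""
    out, run = [], 0
    for ch in unicodedata.normalize("NFD", text):
        run = run + 1 if is_combining(ch) else 0
        if run <= limit:          # run == 0 is the base character itself
            out.append(ch)
    return unicodedata.normalize("NFC", "".join(out))

# Constructed sample: "Inside" with twelve marks piled onto the first letter.
ZALGO_SAMPLE = ("I\u0336\u0301\u0300\u0303\u0308\u030c\u0327"
                "\u0316\u0317\u0318\u0319\u031a" + "nside")
```

A mail or chat service would apply `looks_like_zalgo` at ingest and either reject the message or store the `strip_excess_marks` output, so the stacking never reaches the rendering path.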


Let's Encrypt has disabled TLS-SNI-01 validation after the discovery of an attack able to hijack certificates using the protocol. It was possible to exploit a number of servers in order to obtain certs for someone else’s domains. This post has the details. -- ZDNET


Tools

My colleague Lori MacVittie explains why the Facebook “security questions” aren’t really effective, and makes the argument for multi-factor authentication. And yes, her favorite color is black. – DARK READING


Reports

Spamhaus reports a 37 percent increase in botnet listings last year, and that the majority of botnet controllers were hosted on servers maintained by bad actors. The report has lots of additional insight into these networks. -- SPAMHAUS


Krebs reports on a serious vulnerability between Coinbase and Overstock.com that allowed customers to buy items using bitcoin and reap the benefits when items were returned. A dishonest customer could have used this bug to make ridiculous sums of bitcoin in a very short period of time. Overstock has fixed the problem. – KREBS ON SECURITY


Incident response teams need to get ahead of the next possible attack by letting employees know what to expect and what to do when they are faced with an interruption. This post provides some tips on formulating your strategy for a breach before the next one happens to you. – SECURITY INTELLIGENCE BLOG


The Docket

Phillip R. Durachinsky has been indicted in an Ohio U.S. District Court. He allegedly masterminded a scheme by which he accessed protected computers without their owners’ permission for more than 13 years using Mac-based malware. -- TRIPWIRE


The U.S. Customs and Border Patrol announced new restrictions on when agents can copy data from digital devices at border crossing points. The directive states circumstances when travelers may be asked to provide passcodes to unlock a device. If the border agent is unable to inspect the device because it is passcode or encryption-protected, the agent may detain the device for up to five days. -- THREATPOST


Mexico’s attorney general’s office is investigating an attempt to hack and rob Bancomext, the government-run export bank. The hackers weren’t successful at stealing any funds and the bank suspended operations on Tuesday while they investigated the attack. -- REUTERS


Cheesy, I know. -- DEVHUMOR
