Inside Security (Jul 25th, 2019)

A word or two about our publishing schedule. My Wednesday premium edition of this newsletter covered a new development of the Bluekeep vulnerability and what it means to your security. You can upgrade your subscription here for $10/month. Also, there will be no newsletter tomorrow due to my travel plans.

I wrote earlier about the government of Kazakhstan with its browser certificates enabling MITM attacks. Here is additional analysis from Censored Planet, a relatively new operation from the University of Michigan. Our news item #5 points out another use of certs by bad actors.  

Centrify is introducing an enterprise-grade password management solution for SMBs with a Free Tier Password Vault, available immediately from AWS. Its Privileged Access Service can manage up to 50 registered systems and associated service accounts free of charge. In my reviews of single sign-on tools, Centrify has done well and I would recommend taking a look if cost has been an issue for your smaller business. 

Finally, our Throwback Thursday commemorates the first BSides conference, held ten years ago this week in Las Vegas. 

-- David Strom

1. More than 60 colleges that use the Ellucian Banner ERP software were recently targeted by hackers, who exploited a web services authentication bug (CVE-2019-8978) discovered earlier this year and fixed in May. The attackers specifically scanned for unpatched installations and succeeded in creating thousands of phony accounts on the ERP systems. However, no private data was compromised. -- DEPT OF EDUCATION ALERT

2. The popular open source FTP server ProFTPd has a remote code execution bug (CVE-2019-12815) that can be exploited only by authenticated users. If you are running an older version or have recently installed this software, you need to re-install v.1.3.6, which has been patched. (The advisory is in German.) -- GERMANY CERT

3. A study of 500 recent data breaches concludes that their effects are felt for years afterwards. Deliberate breaches cost $1 million more than accidental ones. Companies that tested their incident response plans saved $1.2 million on average compared with those that had no such plans. American breaches cost twice the average of foreign ones. -- IBM/PONEMON REPORT (reg. req.)

4. Be careful when using the "--privileged" flag on your containers: it can cause security issues and allow bad actors to escape the container to do damage elsewhere. This proof of concept is explained in detail, along with a set of tips to keep your containers more secure. -- TRAIL OF BITS BLOG

5. Mozilla has banned its browsers from trusting root certificates owned by DarkMatter, a questionable UAE entity accused of selling hacking services. Google plans to follow suit for Chrome and Android users. These certs could be used to conduct MITM attacks. -- ZDNET

6. The malware BrushaLoader, first discovered a year ago, is still being used by attackers. This post dissects its multi-stage operation and how it is linked to the Danabot banking Trojan. It appears to be highly infectious and can be used to deploy a variety of malware payloads, including ransomware. -- PROOFPOINT BLOG

7. Google has raised its bug bounties and Microsoft has added a new bounty program. This week Google increased the maximum award to $15,000 for "baseline" issues and $30,000 for higher-quality bugs, with other increases as well. Microsoft has created a new program for Dynamics ERP and CRM bugs, with a maximum of $20,000. -- HELP NET SECURITY

8. Britain's National Cyber Security Centre has been using a technique called synthetic DMARC to thwart email phishing attempts. It assigns DMARC records to all gov.uk domains so that phony websites can be identified and their access blocked. The one problem: not everyone implements this feature consistently. -- NCSC REPORT
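The inconsistency the NCSC notes is usually a DMARC record that exists but enforces nothing (p=none) or only partially (pct below 100). The checker below, an added example that is not from the NCSC report or this newsletter, parses constructed sample records for hypothetical example.gov.uk subdomains and reports how much protection each one actually provides.

```python
# Constructed sample DMARC TXT records for hypothetical domains (not real gov.uk data).
SAMPLE_RECORDS = {
    "strong.example.gov.uk": "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov.uk; adkim=s; aspf=s",
    "monitor.example.gov.uk": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov.uk",
    "partial.example.gov.uk": "v=DMARC1; p=quarantine; pct=25",
    "broken.example.gov.uk": "v=DMARC1 p=reject",   # missing ';' separator
    "missing.example.gov.uk": None,                  # no TXT record published at all
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; return None unless it starts with v=DMARC1."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags

def assess(record):
    """Return a one-line verdict on what the record enforces against spoofed mail."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no valid DMARC record"
    policy = tags.get("p", "").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy not in ("none", "quarantine", "reject"):
        return "invalid policy"
    if policy == "none":
        return "monitor only: spoofed mail is reported but still delivered"
    if pct < 100:
        return f"{policy} applied to only {pct}% of failing mail"
    return f"enforcing: {policy}"

def audit(records):
    """Map each domain to its verdict so gaps across a fleet of domains are visible at once."""
    return {domain: assess(rec) for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_RECORDS).items():
        print(f"{domain:28} {verdict}")
```

Point `audit` at records fetched from real DNS (for example with a TXT lookup on `_dmarc.<domain>`) to find the domains that are only monitoring rather than enforcing.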

10. Throwback Thursday: BSides

Ten years ago, the first BSides conference was held in Las Vegas. It was the result of hard work by several security researchers and staff members of security vendors, most notably Jack Daniel and Chris Nickerson. The conference, then and now, was held in conjunction with the annual Black Hat event and designed as an alternative for "the list of people who visit for the after parties or never planned on attending" Black Hat; the first event was held in a private home. Some of the topics from that first show are still relevant, such as using Metasploit, doing better pentesting, and "foolish password storage in Microsoft and Cisco products."

There are now dozens of conferences held across the world: in August alone, you can attend ones in Vancouver; Manchester, England; and Lagos, in addition to the Vegas anniversary celebrations. It is a testimonial to the determination of some intrepid volunteers committed to high-quality self-education of our community.

This newsletter is written and curated by David Strom. I live in St. Louis MO and have covered the infosec industry for decades. I also ran editorial operations for various B2B IT publications including Network Computing (USA), Tom’s Hardware and ReadWrite.com’s business websites. You can find me at @dstrom or my personal site. Finally, we note our editing team: Kim Lyons (Pittsburgh-based journalist and managing editor at Inside), David Stegon (senior editor at Inside, whose reporting experience includes cryptocurrency and technology), and Bobby Cherry (senior editor at Inside, who’s always on social media).
