Inside Security

Inside Security (Aug 15th, 2019)

My post for RSA’s blog explores how many different C-level executives it takes to manage your own security. While it sounds like the beginning of a joke, the piece seriously goes into detail about how you can calculate the management creep and get a better handle on improving your security posture. 

The NSA’s open-source reverse-engineering tool Ghidra was released five months ago and will get an update based on community recommendations. It will feature new processor modules and system call support, according to this post.

Finally, my premium issue yesterday featured an analysis of a major series of eight bugs in the HTTP/2 protocol that could allow DoS attacks. You can upgrade to receive these issues in the future here.

-- David Strom

1. Choice Hotels suffered a major data leak from a test database run by a third party. More than 700,000 customer records were exposed online at the end of June and only discovered recently. The exposed system was an unsecured MongoDB instance; it held guest names, email addresses and phone numbers, but not payment card data. -- COMPARITECH BLOG

2. Tavis Ormandy has tracked down a major Windows issue that dates back to XP. It lies in the CTF subsystem, part of the Windows Text Services Framework, which handles inter-process communication for text input. It isn’t clear what the acronym stands for (it isn't capture the flag, which is something else entirely). "The memory corruption flaws in the CTF protocol can be exploited in a default configuration, regardless of region or language settings." Because the protocol has no access control, any process can talk to the CTF server used by other applications, which is what turns the bugs into a sandbox escape and a privilege escalation. The path “down the rabbit hole” that he took, and the amount of work it took to expose the vulnerability, make for dense but important reading. -- GOOGLE PROJECT ZERO BLOG

3. Valve’s Steam client for Windows has a zero-day local privilege-escalation vulnerability. The company initially dismissed the report; the researcher went public, and Valve then posted a patch. Unfortunately the patch can be bypassed, so Steam clients remain vulnerable. Steam has 90M active users. -- THREATPOST

4. More than 100,000 Air New Zealand customers may be at risk after a phishing attack compromised the accounts of two staffers at the airline. Customer names and email addresses were exposed, but not payment card data. Ironically, two weeks ago the airline received accolades from the government’s privacy regulators. -- INFORMATION AGE

5. Throwback Thursday. This week in 2004, the second generation of Tor was described in a USENIX Security Symposium paper by Roger Dingledine, Nick Mathewson and Paul Syverson. Tor was described as a “distributed overlay network designed to anonymize TCP-based applications like web browsing, secure shell, and instant messaging.” The second-generation design added perfect forward secrecy and a practical design for location-hidden services reached through rendezvous points. The trio was eventually recognized in the November 2012 list of top global thinkers by Foreign Policy magazine for “making the web safe for whistleblowers."

The paper spawned the Tor Project, Inc., which was eventually established in December 2006 by two of the authors, among others, with the support of the Electronic Frontier Foundation. Shari Steele, the former executive director of EFF, went on to take a similar position at the project for several years. The project gets most of its funding from U.S. government sources. The Tor Browser is its most notable product; it allows for privacy-enhanced browsing and opened up what is now known as the Dark Net of hidden websites, many of which sell illegal items, drugs and porn. It is used by between two and three million users daily. (Here are other stats for its use.)

6. Windows 7 through Windows 10, and the corresponding Server releases, have four bugs in Remote Desktop Services, the two most serious of which are tracked as CVE-2019-1181 and CVE-2019-1182. Microsoft issued patches this week. Those two are pre-authentication remote code execution flaws that need no user interaction, which makes them wormable: malware exploiting them could spread from one vulnerable machine to the next and move laterally across a network. Microsoft is acting proactively; it has not seen anyone exploiting these bugs. Enabling Network Level Authentication (NLA) is a partial mitigation, since an attacker then has to authenticate before the flaws can be triggered. What is interesting is that the RDP protocol itself is not vulnerable; the bugs are in the Remote Desktop Services implementation. -- MICROSOFT BLOG

7. Cloudflare is introducing a new tool to monitor your TLS (SSL) certificates. Called Certificate Transparency Monitoring, it competes with other CT log monitoring services and is available now to all of its customers. The service emails you when a certificate is issued for one of your domains, so you can spot certificates you did not request, whether mis-issued by a CA or obtained by an attacker. -- CLOUDFLARE BLOG
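What you do with such a notice is the interesting part: a certificate for your domain is only worth an alert if it is not one you expected. The triage below is an added example, not Cloudflare's code and not a call to its service. The entries are constructed to mimic the JSON shape public CT search interfaces such as crt.sh return (id, issuer_name, name_value with one SAN per line, not_before); none are real certificates, and the monitored domain, issuer allow-list and host inventory are assumptions.

```python
"""Certificate Transparency triage over log entries for domains we control.

Added example; not Cloudflare's code. Entries, domains, issuers and the host
inventory below are all constructed assumptions.
"""
import json

MONITORED_DOMAINS = {"example.com"}                        # zones we own (assumption)
EXPECTED_ISSUER_ORGS = {"Let's Encrypt", "DigiCert Inc"}   # CAs we actually use (assumption)
KNOWN_HOSTS = {"example.com", "www.example.com", "api.example.com"}  # inventory (assumption)

# Constructed CT log entries in a crt.sh-like shape; not real certificates.
SAMPLE_LOG_JSON = r"""[
 {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
  "name_value": "example.com\nwww.example.com", "not_before": "2019-08-10T09:00:00"},
 {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA",
  "name_value": "api.example.com", "not_before": "2019-08-11T12:00:00"},
 {"id": 3, "issuer_name": "C=XX, O=Some Other CA, CN=Some Other CA Issuing CA 1",
  "name_value": "login.example.com", "not_before": "2019-08-14T03:15:00"},
 {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
  "name_value": "*.example.com", "not_before": "2019-08-14T04:00:00"},
 {"id": 5, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
  "name_value": "example.com.evil-phish.net", "not_before": "2019-08-14T05:00:00"}
]"""


def covers_our_domain(san: str) -> bool:
    """True if the SAN is one of our zones or a name beneath one.
    Comparison is on label boundaries, so example.com.evil-phish.net does not match."""
    name = san.lower().lstrip("*.")
    return any(name == d or name.endswith("." + d) for d in MONITORED_DOMAINS)


def looks_like_ours(san: str) -> bool:
    """Our registered domain embedded in a name that is not actually beneath it
    (the classic phishing pattern example.com.<attacker-domain>)."""
    name = san.lower()
    return not covers_our_domain(name) and any(d in name for d in MONITORED_DOMAINS)


def issuer_org(issuer_dn: str) -> str:
    """Pull the O= attribute out of an issuer distinguished-name string."""
    for part in issuer_dn.split(", "):
        if part.startswith("O="):
            return part[2:]
    return ""


def triage(entries: list) -> list:
    """One alert per entry that touches our domains and is not what we expect:
    an issuer we do not use, a wildcard, a host not in inventory, or a lookalike."""
    alerts = []
    for e in entries:
        sans = [s.strip() for s in e["name_value"].split("\n") if s.strip()]
        ours = [s for s in sans if covers_our_domain(s)]
        lookalikes = [s for s in sans if looks_like_ours(s)]
        if not ours and not lookalikes:
            continue  # somebody else's certificate
        reasons = [f"lookalike {s}" for s in lookalikes]
        if ours:
            org = issuer_org(e["issuer_name"])
            if org not in EXPECTED_ISSUER_ORGS:
                reasons.append(f"unexpected issuer {org!r}")
            for s in ours:
                if s.startswith("*."):
                    reasons.append(f"wildcard {s}")  # one key now covers every subdomain
                elif s.lower() not in KNOWN_HOSTS:
                    reasons.append(f"unknown host {s}")
        if reasons:
            alerts.append({"id": e["id"], "not_before": e["not_before"],
                           "sans": sans, "reasons": reasons})
    return alerts


def triage_json(text: str) -> list:
    return triage(json.loads(text))


if __name__ == "__main__":
    for a in triage_json(SAMPLE_LOG_JSON):
        print(f"cert {a['id']} ({a['not_before']}): {', '.join(a['reasons'])}")
```

Run against the sample, entries 1 and 2 are silent (expected CA, known hosts), entry 3 fires for an unknown CA and an unknown host, entry 4 for a wildcard, and entry 5 for a lookalike name that a naive substring match would have treated as ours. Keeping the issuer allow-list and host inventory current is what makes the alert stream tolerable; without them every renewal is noise.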

8. AT&T employees were bribed to unlock millions of phones and to install malware, including keyloggers, and unauthorized hardware on the company’s internal network. They were paid more than $1M by two Pakistani nationals, starting back in 2012, and the scheme ran for at least five years. The U.S. Department of Justice charging documents were unsealed this week, when one of the men was extradited to the U.S. -- USDOJ

9. If you are looking for love, your precise location could be tracked in near real time. That is the finding of researchers who analyzed the dating apps from Grindr, Romeo, Recon and 3fun. Nearly 10M users are at risk “from stalkers, exes, criminals, and nation states.” The post explains the vulnerabilities and the inadequate, in some cases misleading, responses from the four vendors. -- PEN TEST PARTNERS
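The mechanism that makes "near real time" possible is worth seeing worked through. An app that tells a client how far away another user is, computed server-side from a position the client itself reports, lets an attacker spoof three positions, read three distances, and trilaterate the target. The code below is an added example; it is not Pen Test Partners' code and does not touch any of the apps' real APIs. The `distance_api` function is a constructed stand-in for such an endpoint, and the victim and probe coordinates are made up.

```python
"""Locating a user from the distances a dating app reports.

Added example; not the researchers' code or any vendor's API. distance_api()
stands in for an endpoint that answers "how far is user X from me?" using the
position the caller claims; VICTIM and PROBES are constructed coordinates.
"""
import math

EARTH_R = 6371000.0  # metres

# Constructed target; not a real person.
VICTIM = (51.5074, -0.1278)

# Three positions the attacker claims to be at, roughly a kilometre around the target.
PROBES = [(51.512, -0.120), (51.503, -0.140), (51.500, -0.118)]


def haversine(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_R * math.asin(math.sqrt(a))


def distance_api(probe, victim=VICTIM) -> float:
    """Stand-in for the leaky endpoint. The flaw is that the server trusts the
    caller's position and returns an exact distance from it."""
    return haversine(*probe, *victim)


def to_local(lat, lon, ref_lat, ref_lon):
    """Equirectangular projection to metres around a reference point; accurate to
    well under a metre over a few kilometres, which is all the attacker needs."""
    x = math.radians(lon - ref_lon) * EARTH_R * math.cos(math.radians(ref_lat))
    y = math.radians(lat - ref_lat) * EARTH_R
    return x, y


def trilaterate(probes, distances):
    """Intersect the circles |P - probe_i| = d_i. Subtracting the circle equations
    pairwise cancels the quadratic terms, leaving two linear equations in (x, y)."""
    ref = probes[0]
    (x1, y1), (x2, y2), (x3, y3) = [to_local(*p, *ref) for p in probes]
    r1, r2, r3 = distances
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    d, e = 2 * (x3 - x2), 2 * (y3 - y2)
    f = r2**2 - r3**2 - x2**2 + x3**2 - y2**2 + y3**2
    det = a * e - b * d
    if abs(det) < 1e-9:
        raise ValueError("probe positions are collinear; move the third probe off the line")
    x = (c * e - b * f) / det
    y = (a * f - c * d) / det
    lat = ref[0] + math.degrees(y / EARTH_R)
    lon = ref[1] + math.degrees(x / (EARTH_R * math.cos(math.radians(ref[0]))))
    return lat, lon


def locate_user(probes=PROBES):
    """The attack: spoof three positions, read the distance each time, solve."""
    return trilaterate(probes, [distance_api(p) for p in probes])


if __name__ == "__main__":
    est = locate_user()
    print(f"estimate {est}, error {haversine(*est, *VICTIM):.2f} m")
```

With exact distances the estimate lands within a metre or two of the target, and repeating the three probes every few seconds is what turns this into live tracking. The server-side fix is to coarsen the position before the distance is computed, not merely to round the number shown in the UI: a rounded distance still narrows the target down with a few more probes.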

10. Canon’s EOS 80D digital SLR has flaws in its implementation of the Picture Transfer Protocol (PTP) software used to move images off the camera, and they can be exploited for a variety of attacks. The entry points are either a computer connected to the camera or a rogue Wi-Fi access point. While these exploits haven’t been observed in the wild, Canon posted this explanation and urged users to avoid risky behavior and untrusted networks. This post links to firmware updates. -- CHECK POINT BLOG

This newsletter is written and curated by David Strom. I live in St. Louis MO and have covered the infosec industry for decades. I also ran editorial operations for various B2B IT publications including Network Computing (USA), Tom’s Hardware and ReadWrite.com’s business websites. You can find me at @dstrom or my personal site. Finally, we note our editing team: Kim Lyons (Pittsburgh-based journalist and managing editor at Inside), David Stegon (senior editor at Inside, whose reporting experience includes cryptocurrency and technology), and Bobby Cherry (senior editor at Inside, who’s always on social media).
