Inside Security

David Strom's in-depth cybersecurity news and analysis

1. Increasing numbers of people are reportedly experiencing the same Instagram hack, which logs them out and changes their personal details. Analytics firm Talkwalker reports there have been more than 5,000 tweets from 900 accounts recently. Many of these accounts didn’t have MFA enabled, which is another good argument for implementing this protection. It also shows the need for improved Instagram account recovery procedures. -- MASHABLE


2. Voicemail hacks on MS Exchange servers could be trouble. Microsoft has issued a patch, and at this link you can view the exploit in a screencast video. To be affected by this vulnerability, the Exchange server needs to be configured with Unified Messaging, which can then be manipulated by an attacker with access to the server. -- ZERO DAY INITIATIVE


3. Intel this week confirmed yet another series of CPU bugs, collectively called L1 Terminal Fault or Foreshadow. There are various mitigation strategies and patches to be applied as well. The bugs affect a wide collection of processors; various researchers from around the world started working with Intel back in January, when the bugs were first discovered. -- MSSP ALERT



You probably have heard of man-in-the-middle attacks. This is where a hacker can exploit the communications flow from source to intended recipient by diverting traffic to his or her computer and spoofing the recipient’s PC. It is a bit more involved than that, but you get the basic idea. The attacker can control the entire conversation, since the source PC thinks it is talking to the right computer. Then there were man-in-the-browser attacks, where malware takes control over a browser session and accomplishes the same result.

Now Check Point has discovered a new variation, called man-in-the-disk. That awkward syntax really does get across what is going on. It all starts with Android phones that make use of external storage cards. There is a reason why iPhones don’t support this configuration: it can be inherently insecure. Part of the issue is that the external storage can be accessed by any app that is running on the device, and that the Android OS doesn’t provide any built-in safeguards for this data. Android does offer developers guidelines on proper use of this storage resource, but that doesn’t mean that anyone has to follow these guidelines.

So how does this exploit work? Some of the pre-installed and popular apps ignore the Android security guidelines and place sensitive data in the unprotected external storage area. An attacker can manipulate the data so that the next time an app wants to fetch it, it has changed but the app is none the wiser. This is done through a fake app that poses as something innocent, like a flashlight or a game, and instead is used to gain leverage in the external storage area. Think of this as a modern-day buffer overflow situation, which was common back in the first PC days before developers got smarter about including checks to prevent these situations.

The researchers were able to crash legitimate apps and then carry out a code injection to hijack the permissions granted to the attacked application, escalating the attacker's own privileges for further mischief.

So who were the lazy, no-good developers that didn’t secure their storage pool? Well, look at the developers of Google Translate and Google Voice Typing apps for starters. Oops. Fortunately, they fixed the problem once the researchers let them know about it. The researchers have found lots of other affected apps and are working with those developers, but didn’t disclose who they were. Clearly, this is another call for better coding practices, and for understanding how you validate your inputs and outputs. I am glad Check Point figured this out.

Check Point has published more technical details here.
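As an added illustration (this is not Check Point's research code or anything taken from the affected apps), here is the weak pattern next to two hardened versions in Android Java; the class, file names and the `loadVerified` helper are hypothetical, and it assumes API level 26 or later for `java.nio.file.Files` and an HMAC key that the app keeps in internal storage or the Android Keystore.

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper: the man-in-the-disk weak pattern and two fixes.
public final class ConfigStore {
    private static final String FILE_NAME = "update.cfg";

    // WEAK: shared external storage. Any app holding the storage permission
    // (the innocent-looking "flashlight" app in the article) can rewrite this
    // file between the time it is written and the time it is read back.
    static byte[] loadFromExternal() throws IOException {
        File f = new File(Environment.getExternalStorageDirectory(), FILE_NAME);
        return Files.readAllBytes(f.toPath());
    }

    // FIX 1: internal storage is private to the app's own Linux UID, so other
    // (non-root) apps can neither read nor modify it.
    static byte[] loadFromInternal(Context ctx) throws IOException {
        File f = new File(ctx.getFilesDir(), FILE_NAME);
        return Files.readAllBytes(f.toPath());
    }

    // FIX 2: if external storage is unavoidable (e.g. a large download), treat
    // its contents as untrusted input. Keep an HMAC-SHA256 tag next to the
    // data, computed with a key that never leaves internal storage, and refuse
    // to use the data unless the tag verifies.
    static byte[] loadVerified(byte[] macKey) throws Exception {
        File dir = Environment.getExternalStorageDirectory();
        byte[] data = Files.readAllBytes(new File(dir, FILE_NAME).toPath());
        byte[] tag = Files.readAllBytes(new File(dir, FILE_NAME + ".mac").toPath());
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        byte[] expected = mac.doFinal(data);
        // Constant-time comparison; a mismatch means the file was tampered with.
        if (!MessageDigest.isEqual(expected, tag)) {
            throw new SecurityException("external file failed integrity check");
        }
        return data;
    }
}
```

The writer of the file must compute the `.mac` tag the same way; note that an attacker could still roll back to an older valid data/tag pair unless a version number is included in the authenticated data.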


This newsletter is written and curated by David Strom. I live in St. Louis MO and have covered the infosec industry for decades. I also ran editorial operations for various B2B IT publications including Network Computing (USA), Tom’s Hardware and ReadWrite.com’s business websites. You can find me at @dstrom or my personal site.

Finally, we note our editing team: Lon Harris (editor-in-chief at Inside.com, game-master at Screen Junkies), Krystle Vermes (Breaking news editor at Inside, B2B marketing news reporter, host of the "All Day Paranormal" podcast), and Susmita Baral (editor at Inside, recent bylines in NatGeo, Teen Vogue, and Quartz. Runs the biggest mac and cheese account on Instagram).


4. Researchers have found a browser bug in Google Chrome that has the potential to put many web users at risk. The bug affects all browsers running the Blink engine and makes use of the Audio/Video HTML tags to gain access to personal information. Users should ensure that they are running the latest version, in which Google has fixed the problem. -- IMPERVA BLOG


5. A study of IT managers found that five percent of organizations globally deploy fully mature cybersecurity risk assessment programs centered on comprehensive asset coverage. The study segmented its respondents into four categories of risk assessment: minimalist, surveyor, investigator and diligent. While not quite as sexy as Myers-Briggs, it makes for some interesting reading. -- TENABLE BLOG


6. Rogue mobile apps accounted for 28 percent of fraud attacks observed by RSA telemetry in Q2 2018 and over 70 percent of fraud transactions originated from mobile devices. Phishing also accounted for 41 percent of all fraud attacks observed. -- RSA BLOG (reg. req.)


7. My colleague Sean Gallagher goes after phishers and tracks down the relationships among various campaigns being conducted in real time around the world. He uses the open source StreamingPhish tool as part of his analysis and suggests that better and more frequent machine learning is needed to combat this scourge. -- ARS


8. IBM researchers figured out a way to weaponize neural nets, which presents a big new potential threat for how viruses will be constructed in the future. In a talk at Black Hat, they describe the DeepLocker project, which creates a novel class of highly targeted and evasive attacks powered by AI. It is designed to avoid detection until the precise moment it recognizes a specific target. -- SECURITY INTELLIGENCE BLOG (IBM)


9. Details about the inner workings of the UK government have been accidentally leaked online, thanks to insecure use of Trello. This information may have been available for up to four years via simple web searches. -- ITPRO


10. Fraudulent real estate transaction documents requiring electronic signatures have been discovered. They are being used to steal people’s credentials as criminals capitalize on the number of unfamiliar parties and documents involved in a typical real estate transaction. -- PROOFPOINT BLOG


Always have redundant systems. - SWIFT ON SECURITY @ TWITTER


I have a wide range of topics today. This edition includes patches for Oracle servers, new variants of KeyPass and DarkHydrus, new Android security issues, and the not-so-shocking finding that a third of Congressional websites are vulnerable to attacks.



1. DarkHydrus uses the open-source Phishery tool to create the two Word documents used in the attacks. The tool also featured in previous credential-harvesting attempts using the same infrastructure, dating back to 2017. These attacks were targeting government entities and educational institutions in the Middle East. -- PALO ALTO NETWORKS BLOG


2. It is possible for remote attackers to take control of airborne SATCOM equipment on in-flight commercial aircraft and other vessels. This includes equipment used by the US military in conflict zones. -- HELPNET SECURITY


3. Oracle has posted a security alert for two Windows versions of its database software, 11.2.0.4 and 12.2.0.1. There is a patch. All Linux versions that haven’t applied the July patch are also at risk of allowing command-line server access. -- ORACLE


4. Here is a tutorial on how to implement OAuth v2 with Spring development environment tools. There is a lot of code to write, but hopefully you will get the idea with the examples provided. -- DZONE


5. Security researchers at Defcon presented details of 47 vulnerabilities in the firmware and default apps of 25 Android smartphone models, 11 of which are also sold in the US. -- BLEEPING COMPUTER


6. Three of every 10 candidates running for the U.S. House of Representatives have significant security problems with their websites, according to work by Joshua Franklin, who has studied various election-related cybersecurity topics. His group of researchers used automated scans to look for these vulnerabilities, including cert issues. He presented this at Defcon and has been developing an open source tool called Election Buster that identifies malicious domains that appear to be genuine candidate websites. -- DEFCON


 
