Inside Security | Inside

David Strom's in-depth cybersecurity news and analysis

You probably have heard of man-in-the-middle attacks. This is where a hacker can exploit the communications flow from source to intended recipient by diverting traffic to his or her computer and spoofing the recipient’s PC. It is a bit more involved than that, but you get the basic idea. The attacker can control the entire conversation, since the source PC thinks it is talking to the right computer. Then there were man-in-the-browser attacks, where malware takes control over a browser session and accomplishes the same result.

Now Check Point has discovered a new variation, called man-in-the-disk. That awkward syntax really does get across what is going on. It all starts with Android phones that make use of external storage cards. There is a reason why iPhones don’t support this configuration: it can be inherently insecure. Part of the issue is that the external storage can be accessed by any app that is running on the device, and that the Android OS doesn’t provide any built-in safeguards for this data. Android does offer developers guidelines on proper use of this storage resource, but that doesn’t mean that anyone has to follow these guidelines.

So how does this exploit work? Some of the pre-installed and popular apps ignore the Android security guidelines and place sensitive data in the unprotected external storage area. An attacker can manipulate the data so that the next time an app wants to fetch it, it has changed but the app is none the wiser. This is done through a fake app that poses as something innocent, like a flashlight or a game, and instead is used to gain leverage in the external storage area. Think of this as a modern-day buffer overflow situation, which was common back in the first PC days before developers got smarter about including checks to prevent these situations.

The researchers were able to crash legitimate apps and then carry out a code injection to hijack the permissions granted to the attacked application and escalate their own privileges for further mischief.
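As an added illustration (not code from the newsletter or from Check Point's research), here is the storage choice the text describes, in Android Java: the external-storage location any app can overwrite, the app-private alternative, and an HMAC check for data that must remain on external storage. The class and method names are hypothetical, and the key is assumed to be kept in the app's internal storage, where other apps cannot read it.

```java
// Added example, not from the newsletter or Check Point's write-up.
// Assumes an Android Context and an HMAC key the app keeps in internal
// storage; class and method names are hypothetical. Files.readAllBytes
// needs Android API 26 or later.
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.nio.file.Files;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class UpdateStore {
    private static final String NAME = "pending_update.bin";

    // WEAK: shared external storage. Any app holding the external-storage
    // permission can replace this file between our write and our read, which
    // is exactly the man-in-the-disk window described above.
    static File weakLocation() {
        return new File(Environment.getExternalStorageDirectory(), NAME);
    }

    // BETTER: app-private internal storage, isolated by the filesystem
    // sandbox so other apps cannot read or overwrite it.
    static File privateLocation(Context ctx) {
        return new File(ctx.getFilesDir(), NAME);
    }

    // If data must live on external storage (large payloads, shared assets),
    // authenticate it before use. Without the key an attacker cannot produce
    // a valid tag for a modified file, so tampering is detected and refused.
    static byte[] readAuthenticated(File data, File tag, byte[] key) throws Exception {
        byte[] content = Files.readAllBytes(data.toPath());
        byte[] expected = Files.readAllBytes(tag.toPath());
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] actual = mac.doFinal(content);
        // Constant-time comparison so the check itself does not leak timing.
        if (!MessageDigest.isEqual(expected, actual)) {
            throw new SecurityException("external file was modified; refusing to use it");
        }
        return content;
    }
}
```

Storing the tag file in internal storage rather than beside the data also blocks an attacker from swapping in an older data-and-tag pair that was once valid.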

So who were the lazy, no-good developers that didn’t secure their storage pool? Well, look at the developers of Google Translate and Google Voice Typing apps for starters. Oops. Fortunately, they fixed the problem once the researchers let them know about it. The researchers have found lots of other affected apps and are working with those developers, but didn’t disclose who they were. Clearly, this is another call for better coding practices, and for understanding how you validate your inputs and outputs. I am glad Check Point figured this out.

Check Point has published more technical details here.


This newsletter is written and curated by David Strom. I live in St. Louis MO and have covered the infosec industry for decades. I also ran editorial operations for various B2B IT publications including Network Computing (USA), Tom’s Hardware and ReadWrite.com’s business websites. You can find me at @dstrom or my personal site.

Finally, we note our editing team: Lon Harris (editor-in-chief at Inside.com, game-master at Screen Junkies), Krystle Vermes (Breaking news editor at Inside, B2B marketing news reporter, host of the "All Day Paranormal" podcast), and Susmita Baral (editor at Inside, recent bylines in NatGeo, Teen Vogue, and Quartz. Runs the biggest mac and cheese account on Instagram).


I have a wide range of topics today. This edition includes patches for Oracle servers, new variants of Keypass and DarkHydrus, new Android security issues, and the not-so-shocking finding that a third of Congressional websites are vulnerable to attacks. 





Many thanks to Inside Security's corporate supporters.  Please go check them out!

Endgame

Endgame's endpoint security platform protects the world’s largest organizations from targeted attacks, eliminating the time & cost associated with incident response. Learn more

 

Nok Nok Labs has the ambition to transform authentication, by unifying it into one standard protocol, giving business the control they need. Learn more

 
   
   

1. DarkHydrus uses the open-source Phishery tool to create two Word documents used in the attacks. The tool is part of previous credential harvesting attempts using the same infrastructure dating back to 2017. These attacks were targeting government entities and educational institutions in the Middle East. -- PALO ALTO NETWORKS BLOG   


2. It is possible for remote attackers to take control of airborne SATCOM equipment on in-flight commercial aircraft and other vessels. This includes those used by the US military in conflict zones. -- HELPNET SECURITY


3. Oracle has posted a security alert for two Windows versions of its database software, 11.2.0.4 and 12.2.0.1. There is a patch. All Linux versions that haven’t applied the July patch are also at risk of allowing command-line server access. -- ORACLE


4. Here is a tutorial on how to implement OAuth v2 with Spring development environment tools. There is a lot of code to write, but hopefully you will get the idea with the examples provided. -- DZONE


5. Security researchers at Defcon presented details of 47 vulnerabilities in the firmware and default apps of 25 Android smartphone models, 11 of which are also sold in the US. -- BLEEPING COMPUTER


6. Three of every 10 candidates running for the U.S. House of Representatives have significant security problems with their websites. A group of researchers used automated scans to look for these vulnerabilities, including cert issues, according to the work by Joshua Franklin, who has studied various election-related cybersecurity topics. He presented this at Defcon and has been developing an open source tool called Election Buster that identifies malicious domains that appear to be genuine candidate websites. -- DEFCON 


7. Hospital central patient monitoring systems aren’t much more than a WinXP embedded computer with very weak security. This is especially true of the communications protocols to the patient devices. Attackers can readily make changes to patient stats and thereby influence care and treatment decisions. -- SECURING TOMORROW (MCAFEE)


8. Here is a helpful post on deploying your legal team after a breach: it means understanding how to use them and knowing what privilege over their work product means. -- LAW.COM


9. Australia proposed a new law requiring technology firms to give police access to private encrypted data linked to suspected illegal activities. Warrants would be required, and fines and jail time were set for vendors that don’t comply. Some useful commentary can be found here. -- REUTERS


10. Multiple researchers have identified a dangerous new variant of KeyPass ransomware. It features a manual-control functionality. Most of the current targets are in Brazil and Vietnam. It propagates using fake installers. -- SECURELIST (KASPERSKY)


The blockchain will secure everything. -- XKCD


I apologize for all my distractions last week, but it couldn’t be helped. I had two hard drive crashes that claimed my attention. That is still no excuse to not catch this error, where I omitted the link to the Cisco/WordPress item in Friday’s newsletter. And, by my rather odd accounting, this represents the 400th edition of Inside Security. Lots to talk about today as always, including malware delivered via a fax page and Microsoft finally getting around to doing sandboxing. Enjoy.



1. Microsoft is building a new Windows 10 sandboxing feature that will let users run untrusted software in a virtualized environment that's discarded when the program finishes running. The new feature was revealed in a bug-hunting quest for members of the Insider program and will carry the name "InPrivate Desktop." There is more information at the link above. The feature is similar to many protected browser products, such as Spikes' AirGap and Silo's Authentic8 that I once reviewed for Network World here.


2. Some x86 CPUs have hidden backdoors that let you seize root by sending a command to an undocumented RISC core that manages the main CPU. Security researcher Christopher Domas revealed this at the Black Hat show last week. This backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients. -- TOMS HARDWARE


3. Samsung S7 phones have a new vulnerability. Researchers at Black Hat have figured out a way to exploit the Meltdown vulnerability on them. Samsung says it issued patches earlier this year that prevent this. -- REUTERS


4. One other highlight from last week’s Vegas security conferences. Researchers presented a new technique using faxes to take control of all-in-one HP printers with malicious image files. The received fax image is held in the printer's memory and processed there, and a crafted image can lead to ransomware or cryptominers being installed. HP has issued a fix. -- CHECKPOINT BLOG


5. The latest version of TLS, TLS 1.3/RFC 8446, was published last week. It is the first major overhaul of the protocol, bringing significant security and performance improvements. This article provides a deep dive into the changes introduced in the update and its impact on the future of internet security. -- CLOUDFLARE BLOG

