Posted by Kevin on September 22, 2014.
The ITsecurity daily security briefing: Monday, September 22, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
Yahoo SQL Injection to Remote Code Execution to Root Privilege
Yahoo still hasn’t quite got the hang of this bounty concept. The firm started, just about a year ago, by offering a T-shirt. Then it announced it would introduce a proper scheme with bounties starting at $150; but in reality reduced it to $50. On Friday, Egyptian researcher Ebrahim Hegazy blogged about a SQLi flaw he had found (and reported) in a Yahoo service. Yahoo declined to offer a bounty, telling Hegazy it wasn’t eligible for a reward. “I find it very strange that Yahoo did not pay a bounty for such a Critical bug even if it falls outside the scope, Yahoo pays for Critical vulnerabilities in Out of Scope domains, if a SQLI to RCE to Root Privilege is not a Critical bug, then what could be?!” The danger in such an attitude from Yahoo is that researchers who find such critical bugs might decide to sell them elsewhere.
Two reports: breakability of smartphones & cost of broken smartphones
SquareTrade has released two separate reports. The first tests the breakability of different phones (video here). “Overall Apple’s iPhone 6 scored the best at 4 (the best score yet achieved); the iPhone 6 Plus scored a 5; the iPhone 5s a 6; and Samsung Galaxy S5 a 6.5.”
The second quantifies the amount spent on repairing broken phones. “As Apple releases its latest iPhones, an international study has found that repairs to hand-held devices have cost British owners a staggering £4.6 billion in the last two years. The eye-watering sum puts Britain top of the European league table for repair costs to mobile devices.”
Debit card’s hacking risk undermines its convenience
“So, it happened. I was hacked… I don’t know how or when the thieves got my information, whether it was 10 days or 10 weeks ago. I haven’t shopped at Home Depot this year and scratched that as the possible source. But there are multiple ways that criminals hook your information, according to security specialists. They include attaching fake card readers, called skimmers, onto ATMs, gas pumps, and restaurant payment systems to capture your data, and installing tiny cameras at debit machines to watch you plug in your PIN number.
“Whatever their method, they decided to use my information in Rockville, Md. last Saturday, draining $989 over three withdrawals from the savings account.”
Source: The Boston Globe.
AppLock Vulnerability Leaves Configuration Files Open for Exploit
“When a user tries to “lock” or “hide” a file, the app just moves it from its original location into a specific location on the SD card, which is a subpath under /sdcard/.MySecurityData/dont_remove/. The “hidden” file is neither encrypted nor encoded in any way. Information related to the file, such as the file name, the extension and the timestamp, will be inserted in a world-readable database in the SD card, with the path /sdcard/.MySecurityData/dont_remove/6c9d3f90697a41b. And because this database is world-readable, any app can actually read or access this database. Bad guys can use this access to manipulate the app’s configuration files.”
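The flaw described above is a storage-design mistake: a file that is merely moved to a world-readable directory on the SD card, with its name, extension and timestamp written to a world-readable database beside it, is not hidden from any other app on the device. The following is an added example written for this briefing, not code from AppLock, Trend Micro or the original post, showing the pattern an Android app should use instead: keep the file under the app's private internal directory (`Context.getFilesDir()`, which only the app's own uid can read on a non-rooted device) and encrypt it with AES-GCM under a key held in the Android Keystore. The class name `PrivateVault`, the key alias `vault-key` and the on-disk layout (one length byte, IV, ciphertext plus tag) are assumptions of this example; it assumes Android API level 23 or later for `KeyGenParameterSpec`.

```java
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Hypothetical replacement for "move the file to /sdcard/.MySecurityData":
 * files live in the app's private internal storage and are encrypted with
 * AES-GCM under a key that never leaves the Android Keystore. Any index of
 * names/timestamps should likewise live in private storage (a SQLiteOpenHelper
 * database is created there by default), never on the SD card.
 */
public final class PrivateVault {
    private static final String KEY_ALIAS = "vault-key"; // assumed alias
    private static final int GCM_TAG_BITS = 128;

    private final Context ctx;
    private final SecretKey key;

    public PrivateVault(Context ctx) throws GeneralSecurityException, IOException {
        this.ctx = ctx.getApplicationContext();
        this.key = loadOrCreateKey();
    }

    /** Encrypts plain and writes "ivLen || iv || ciphertext+tag" to internal storage. */
    public File hide(String name, byte[] plain) throws GeneralSecurityException, IOException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key);   // the keystore chooses a fresh random IV
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(plain);       // ciphertext with the 16-byte auth tag appended
        // MODE_PRIVATE: owned by this app's uid, mode 0600, under getFilesDir(), not on the SD card.
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(iv.length);
            out.write(iv);
            out.write(ct);
        }
        return new File(ctx.getFilesDir(), name);
    }

    /** Reads back and decrypts; throws AEADBadTagException if the file was modified. */
    public byte[] reveal(String name) throws GeneralSecurityException, IOException {
        byte[] blob = readAll(ctx.openFileInput(name));
        int ivLen = blob[0] & 0xff;
        byte[] iv = Arrays.copyOfRange(blob, 1, 1 + ivLen);
        byte[] ct = Arrays.copyOfRange(blob, 1 + ivLen, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return c.doFinal(ct);
    }

    /** Loads the AES key from the Android Keystore, generating it on first use. */
    private static SecretKey loadOrCreateKey() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(KEY_ALIAS, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
        return kg.generateKey();
    }

    private static byte[] readAll(InputStream in) throws IOException {
        try (InputStream src = in) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            int n;
            while ((n = src.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
            return buf.toByteArray();
        }
    }
}
```

The two properties the quoted report says AppLock lacks are both present here: confidentiality comes from the encryption, not from the directory being dotted or "hidden", and because the key is non-exportable from the keystore, copying the encrypted file off the SD card or out of a backup yields nothing useful without the device. GCM's authentication tag also means a tampered file fails to decrypt rather than silently loading altered configuration.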
Large malvertising campaign involving DoubleClick and Zedo
Malwarebytes blogged Thursday, “It appears that this is a much larger and ongoing campaign that is affecting a number of other popular websites. The reason this is really big is because it involves doubleclick.net (a subsidiary of Google for online ads) and Zedo (a popular advertising agency).” The campaign appeared to stop by Friday. “It appears that the malicious redirection has stopped. Last activity was detected by our honeypots around midnight last night, and nothing else since then. We are still monitoring the situation and will update here if necessary.”
Australia rushes in new terror laws
The methods used by David Cameron to get new anti-terror laws onto the statute books without due process (that is, adequate discussion in parliament) have now been adopted in Australia. “The ABC reports it has seen draft amendments to a range of legislation including the Criminal Code and Crimes Act. New legislation would allow the national security service, ASIS, to share foreign intelligence with the domestic security intelligence agency, ASIO.” Queensland Barrister Stephen Keim QC commented, “That causes me real concern because this type of legislation shouldn’t be rushed through the parliament and if we are talking about passing something through parliament within weeks then that meets my definition of rushing it through parliament.”
Source: Radio New Zealand News.
Justice Department Proposal Would Massively Expand FBI Extraterritorial Surveillance
“A Department of Justice proposal to amend Rule 41 of the Federal Rules of Criminal Procedure would make it easier for domestic law enforcement to hack into computers of people attempting to protect their anonymity on the Internet. The DOJ has explicitly stated that the amendment is not meant to give courts the power to issue warrants that authorize searches in foreign countries—but the practical reality of the underlying technology means doing so is almost unavoidable. The result? Possibly the broadest expansion of extraterritorial surveillance power since the FBI’s inception.”
Cloud Security Alliance Survey Finds IT Professionals Underestimating How Many Cloud Apps Exist in the Business Environment
“Users believe that few cloud apps are used by employees and BYOD devices, while other studies noted show that hundreds of cloud apps are in use within each enterprise today. This tells us that cloud application discovery tools and analytical tools on cloud app policy use and restrictions are crucial in the workplace, especially when it comes to sensitive data being used by these cloud applications. With sensitive data being uploaded and shared by these apps with authorized and unauthorized users, policy enforcement becomes a major role in protecting your data.”
Source: Cloud Security Alliance.
Reducing Cyber Risk in Industrial Control Systems with Advanced Network Segmentation
“The ISA99/IEC 62443 portfolio of standards has emerged as a leading framework for cybersecurity in ICS and SCADA and was referenced in the recent Presidential Framework. Its concepts around segmentation and least-privilege access were developed specifically for SCADA/control system applications. They are simple yet extremely powerful in helping to reduce the risk of compromised uptime and safety due to malicious or unintentional cyber incidents. Join ISA99 Managing Director Joe Weiss, Palo Alto Networks SCADA Product Marketing Manager, Del Rodillas, and an Oil & Gas SCADA security practitioner.”
September 24, 11:00 am – 12:00 PST
12th annual Hack in the Box conference in Malaysia. Keynote speakers Richard Thieme (Founder, ThiemeWorks) and Katie Moussouris (Chief Policy Officer, HackerOne). Late registration rates begin 1 October. Closing keynote from Marcia Hofmann.
Kuala Lumpur, 13-16 October 2014
CoreGraphics Information Disclosure – CVE-2014-4378
NIST describes this vulnerability: “CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a crafted PDF document.”