From Paul's Security Weekly
Recorded February 26, 2019 at G-Unit Studios in Rhode Island!
- RSA Conference 2019 is coming up March 4 – 8 in San Francisco! Go to rsaconference.com/securityweekly-us19 to register now using the discount code 5U9SWFD to receive $100 off a full conference pass! If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
- Join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Visit https://infosecworld.misti.com/ and use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass. If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
- Plain wrong: Millions of utility customers' passwords stored in plain text - Startled, (the researcher) fed the online form the utility account number and the last four phone number digits it was asking for. Sure enough, a few minutes later the account password, in plain text, was sitting in X's inbox. This was frustrating and insecure, and it shouldn't have happened at all in 2018. But this turned out to be a flaw common to websites designed by the Atlanta firm SEDC. After finding SEDC's copyright notices in the footer of the local utility company's website, X began looking for more customer-facing sites designed by SEDC. X found and confirmed SEDC's footer—and the same offer to email plain-text passwords—in more than 80 utility company websites. Those companies service 15 million or so clients (estimated from GIS data and in some cases from PR brags on the utility sites themselves). But the real number of affected Americans could easily be several times that large: SEDC itself claims that more than 250 utility companies use its software.
- Google Ditches Passwords in Latest Android Devices - Support for FIDO’s standard certification, FIDO2, gives Android users the ability to now utilize their devices’ built-in fingerprint sensors – or, if the devices don’t have them, log in to apps and browsers using other means like a PIN or a swipe pattern. While remembering long or cumbersome passwords may be a pain for users, Google opting out of passwords for Android devices has security implications as well. With an array of emerging attacks that rely on stolen credentials – including phishing, man-in-the-middle and other cyber-attacks – many apps and browsers are jumping on board when it comes to the notion of novel passwordless login methods like biometrics.
- ICANN calls for wholesale DNSSEC deployment - “ICANN has long recognized the importance of DNSSEC and is calling for full deployment of the technology across all domains. Although this will not solve the security problems of the Internet, it aims to assure that Internet users reach their desired online destination by helping to prevent so-called “man in the middle” attacks where a user is unknowingly re-directed to a potentially malicious site,” the organization explained. ICANN’s appeal comes in the wake of the most recent attacks against key parts of the DNS infrastructure, some of which took the form of MitM intercepts.
- PDF viewers, online validation services vulnerable to digital signature spoofing attacks - Time to dust off the fax machine: The researchers developed three classes of attacks on PDF signatures: Universal Signature Forgery (USF) – The attacker can disable signature verification by providing invalid content within the signature object or removing the references to the signature object, and the document/signature shows as valid. Incremental Saving Attack (ISA) – The attacker can make an incremental saving on the document by redefining the document’s structure, all without invalidating the signature. Signature Wrapping (SWA) – The attacker can relocate the originally signed content to a different position within the document and insert new content at the allocated position, all without invalidating the signature.
- Flaws in 4G and 5G allow snooping on calls, pinpointing device location - The researchers' three-pronged attack is described in a paper to be presented at the Network and Distributed System Security Symposium in San Diego. The first attack, dubbed Torpedo, exploits a weakness in the standards' paging protocol used to notify phones of an incoming call or text message before it arrives, the researchers said. Multiple calls made in a short duration could allow a nearby attacker to pinpoint the device and send fake text messages and mount a denial-of-service attack. The paper, authored by researchers at Purdue University and the University of Iowa, contends that Torpedo sets the stage for two additional exploits. It's "plausible," they say, for an attacker to access a victim device's IMSI -- the unique number identifying the GSM subscriber's device -- with a brute-force attack called IMSI-Cracking. A third attack, called Piercer, pairs the IMSI with the victim's phone number, allowing user location tracking, they said.
- TurboTax Hit with Credential Stuffing Attack, Tax Returns Compromised - Intuit, a financial software company and creator of services Mint, QuickBooks, and TurboTax, reports the latter has been hit with a credential stuffing attack targeting specific users' tax return information. The incident was discovered during a system security review, Intuit reported in a breach disclosure letter filed with the Office of the Vermont Attorney General and shared with affected users. Officials explain how an unauthorized party targeted specific TurboTax users by taking usernames and passwords "from a non-Intuit source," which they used in a credential stuffing attack.
- New DNS Attacks Make Use of DNSSEC More Critical Than Ever - The CISA directive lists three steps that allow attackers to perform the hijacking. First, the attacker obtains credentials of an administrator that can change DNS records. This is done using techniques described here before, including phishing emails and social engineering. Next, the attacker changes the DNS records, including the address, mail exchanger and name server records, replacing them with addresses controlled by the attacker where traffic aimed at that address can be examined or manipulated. Finally, because the attacker has set the DNS record values, they can obtain valid encryption certificates for the domains being attacked, allowing traffic to be decrypted. Because the certificate is valid, users won’t receive any error messages.
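A structural check for the Incremental Saving Attack described in the PDF signature item above, as an added example (not the show's or the researchers' code): it reads the first signature's /ByteRange and reports any bytes, and any %%EOF markers, that lie outside the signed ranges. It assumes a simplified PDF layout constructed inline and does no cryptographic verification, which a real validator must still perform over the signed ranges.

```python
import re

# Added example (not from the show or the cited research): a structural check a validator can
# run before cryptographic verification. A PDF signature covers two byte ranges; an Incremental
# Saving Attack appends new content after the covered ranges, so anything beyond them is unsigned.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING_RE = re.compile(rb"<[0-9A-Fa-f]*>")


def check_signature_coverage(pdf: bytes) -> dict:
    """Report whether the first signature's /ByteRange covers the whole file."""
    result = {"has_signature": False, "covers_whole_file": False,
              "hole_is_contents": False, "trailing_bytes": 0, "trailing_eofs": 0}
    m = BYTERANGE_RE.search(pdf)
    if not m:
        return result  # no /ByteRange: nothing is signed (or the reference was stripped, cf. USF)
    result["has_signature"] = True
    a, b, c, d = (int(x) for x in m.groups())
    # Signed bytes are [a, a+b) and [c, c+d); the hole between them must hold only /Contents.
    result["hole_is_contents"] = HEX_STRING_RE.fullmatch(pdf[a + b:c]) is not None
    trailing = pdf[c + d:]
    result["trailing_bytes"] = len(trailing)
    result["trailing_eofs"] = trailing.count(b"%%EOF")  # each %%EOF is one incremental update
    result["covers_whole_file"] = (a == 0 and result["hole_is_contents"]
                                   and c + d == len(pdf))
    return result


def build_sample_pdf(sig_hex: bytes) -> bytes:
    """Constructed stand-in for a signed PDF: real offsets, placeholder signature bytes."""
    width = 40  # fixed-width ByteRange field so filling in the numbers does not shift offsets
    head = (b"%PDF-1.7\n1 0 obj\n<</Type/Sig/ByteRange [" + b" " * width
            + b"]\n/Contents ")
    tail = b">>\nendobj\ntrailer\n<</Root 1 0 R>>\n%%EOF\n"
    contents = b"<" + sig_hex + b">"
    c = len(head) + len(contents)
    byte_range = (b"0 %d %d %d" % (len(head), c, len(tail))).ljust(width)
    return head.replace(b" " * width, byte_range) + contents + tail


if __name__ == "__main__":
    clean = build_sample_pdf(b"00" * 8)
    # Simulate an incremental save appended after the signed ranges (the ISA pattern).
    appended = clean + b"2 0 obj\n<</Type/Page>>\nendobj\n%%EOF\n"
    print(check_signature_coverage(clean))
    print(check_signature_coverage(appended))
```

Trailing updates are not proof of forgery by themselves (form fills and second signatures also append), so a validator should show the reader exactly what the signature does and does not cover rather than silently reporting "valid".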
Expert Commentary: Nicholas Sciberras, Acunetix
- Hackers create social media worm after bug report ignored (affects Russian social network VKontakte) - taken from https://nakedsecurity.sophos.com/2019/02/20/virus-attack-hackers-unleash-social-media-worm-after-bug-report-ignored/