From Paul's Security Weekly
- Texas Instruments flicks Armis' Bluetooth chip vuln off its shoulder - At Black Hat London last week, Ben Seri and Dor Zusman from research house Armis went into full detail about their November discovery of how to pwn TI-made Bluetooth Low Energy (BLE) chips. The two affected chips – CC2640 and CC2650 – are used in several models of Cisco and Aruba wireless APs. What gave Armis a way in was the method of updating the chip's firmware, which consisted of uploading firmware over an unencrypted connection, though the upload was authenticated. They also triggered a memory corruption vulnerability to be able to load custom firmware. TI has issued firmware updates to address these issues.
- Latest Google+ Flaw Leads Chocolate Factory To Shut Down Site Early - The Chocolate Factory maintains that it has no evidence that the vulnerability, which was found in the API for Google+, was ever actively exploited. According to Google's G Suite VP of product management David Thacker, over a six-day period in November developers would have been able to access profile information that users had not made public. Google said the vulnerability shows up when the user allows an app to connect with their Google+ profile. Rather than only seeing information the user had opted to share, the application would have been able to see all data about the user. Google added: "In addition, we have also decided to accelerate the sunsetting of consumer Google+ from August 2019 to April 2019."
- Over 40,000 Credentials For Government Portals Found Online - A Russian cyber-security firm says it discovered login credentials for more than 40,000 accounts on government portals in more than 30 countries. The data includes usernames and cleartext passwords, and the company believes they might be up for sale on underground hacker forums. Lots of speculation here: the accounts could allow attackers access to both commercial and state secrets reachable through those accounts. Furthermore, the accounts could be used for other reconnaissance operations, or as an entry point into a government agency's internal network from which hackers could execute other attacks, such as cross-site scripting or SQL injection.
- Secure Messaging Applications Prone to Session Hijacking - So here's the issue: the instant messaging apps also support the major mobile device platforms and a desktop version, and Talos discovered that an attacker could use malware to hijack a session from a desktop version and access the data without the user knowing, or before they would realize a hijack has been performed. And here's the statement about the vulnerability from Cisco's research team: "Secure instant messaging applications have a solid track record of protecting the information while in transit, even going as far as protecting the information from their own servers. However, they fall short when it comes to protecting application state and user information, delegating this protection to the operating system." I completely disagree; to expect that any application would go to great lengths to detect operating system or other attacks is insane. This means that apps are vulnerable because someone could install a keystroke logger and an attacker could steal your key. Okay, not the same thing as this attack, but pretty close. Just because you have a secure messaging app doesn't mean you can just forget about opsec completely.
- This One Windows Tweak Can Save You From NotPetya - Interesting observations: The unnamed NCC customer "had configured within Active Directory the 'Account is sensitive and cannot be delegated' flag prior to NotPetya for their domain administrator accounts. We found that this configuration would have hindered NotPetya propagation significantly using the token impersonation route for domain admin accounts," said the infosec firm. As a Microsoft TechNet post stated, the "account is sensitive" flag means that "an account's credentials cannot be forwarded to other computers or services on the network by a trusted application," something NCC summed up as "this is now your favourite setting".
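An added example, not from the article or NCC, of how a defender would audit that setting: it lists every user in Domain Admins and reports whether the "Account is sensitive and cannot be delegated" flag (`AccountNotDelegated`, userAccountControl bit 0x100000) is set, then stages the fix with `-WhatIf`. It assumes the RSAT ActiveDirectory module and rights to read and modify the accounts; the group name is a parameter.

```powershell
# Added example (not the article's or NCC's code). Requires the RSAT
# ActiveDirectory module and an account allowed to read/modify these users.
Import-Module ActiveDirectory

$NotDelegatedBit = 0x100000   # ADS_UF_NOT_DELEGATED in userAccountControl

function Get-AdminDelegationReport {
    param([string]$GroupName = 'Domain Admins')

    # Recurse through nested groups and keep only user objects.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                            -Properties AccountNotDelegated, userAccountControl
            [pscustomobject]@{
                SamAccountName      = $u.SamAccountName
                Enabled             = $u.Enabled
                AccountNotDelegated = $u.AccountNotDelegated
                # Cross-check the cmdlet's boolean against the raw UAC bit.
                UacBitSet           = (($u.userAccountControl -band $NotDelegatedBit) -ne 0)
            }
        }
}

# Enabled admins without the flag are the ones exposed to the token
# impersonation route the article describes (the flag hinders, not prevents).
$report  = Get-AdminDelegationReport
$report | Format-Table -AutoSize
$exposed = $report | Where-Object { $_.Enabled -and -not $_.AccountNotDelegated }

# Stage the remediation. Drop -WhatIf once you have confirmed that no service
# legitimately relies on delegating these admin accounts' credentials.
foreach ($acct in $exposed) {
    Set-ADUser -Identity $acct.SamAccountName -AccountNotDelegated $true -WhatIf
}
```

The same check applies to any other tier-0 group; pass its name via `-GroupName`.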
- This Phishing Scam Group Built A List Of 50,000 Execs To Target - Some email targeting, and this should be expected: The security company said it came across the list of execs as part of its research. The scammers had generated the list in early 2018 to be used in future BEC phishing campaigns. Of the names on the list, 71 percent were CFOs, two percent were executive assistants, and the remainder were other finance leaders. Several of the world's biggest banks each had dozens of executives listed, the company said. The group also singled out mortgage companies for special attention, which would enable scams that steal real estate purchases or lease payments. Over half of the 50,000 potential victim profiles that London Blue compiled in their targeting database were located in the US; other countries commonly targeted included Spain, the United Kingdom, Finland, the Netherlands and Mexico.
- ESET Discovers 21 New Linux Malware Variants - Yeah, this should be easy to spot: In a report published yesterday by cyber-security firm ESET, the company details 21 "new" Linux malware families. All operate in the same manner, as trojanized versions of the OpenSSH client. They are developed as second-stage tools to be deployed in more complex "botnet" schemes. Attackers would compromise a Linux system, usually a server, and then replace the legitimate OpenSSH installation with one of the trojanized versions. ESET said that "18 out of the 21 families featured a credential-stealing feature, making it possible to steal passwords and/or keys" and "17 out of the 21 families featured a backdoor mode, allowing the attacker a stealthy and persistent way to connect back to the compromised machine."
- Hackers defaced Linux.org with DNS hijack - Lame attack, but the funniest description of goatse ever: Attackers changed the defacement page a few times; they protested against the new Linux kernel developer code of conduct in a regrettable way, with racial slurs and the image of an individual showing the anus. The defacement page also included links and a Twitter account (@kitlol5) believed to be under the control of the attacker. The person operating the Twitter account posted a screenshot showing that they had access to the Network Solutions account of Michelle McLagan, who evidently owns linux.org, and had modified the DNS settings.
- Expert devised a new WiFi hack that works on WPA/WPA2 - Unlike other WiFi hacking techniques, this attack doesn't require the capture of a full EAPOL 4-way authentication handshake. Instead, the new WiFi hack is performed on the RSN IE (Robust Security Network Information Element) using a single EAPOL (Extensible Authentication Protocol over LAN) frame after requesting it from the access point. "This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called 'Simultaneous Authentication of Equals' (SAE)."