Mr. Robot Hacked? – Daily Security Byte EP. 262

The popular TV show, Mr. Robot gets hacking so right. Unfortunately, the folks that made the show’s web site haven’t gotten the message. In this video, I share the ironic story of this web vulnerability, and talk about how you can protect your site from cross-site scripting (XSS) flaws.

(Episode Runtime: 2:39)

Direct YouTube Link: https://www.youtube.com/watch?v=DS_Km38nu7g

EPISODE REFERENCES:

• Researcher finds XSS flaw in Mr. Robot web site – Forbes
• A great XSS prevention cheat sheet for developers – OWASP

— Corey Nachreiner, CISSP (@SecAdept)

0Day WordPress XSS – Daily Security Byte EP.71

A really, really long comment could allow an attacker to hijack your WordPress blog. Watch today’s quick video to learn about the zero day XSS flaw reported by a Finnish security researcher, and what you can do about it.

 

(Episode Runtime: 1:48)

Direct YouTube Link: https://www.youtube.com/watch?v=H2XR2tnm0yQ

EPISODE REFERENCES:

• Researchers blog post on 0day WordPress XSS – Klikki.fi
• Long comments can hijack WordPress blogs – Motherboard
• WordPress has since released an update to fix this – Ars Technica

— Corey Nachreiner, CISSP (@SecAdept)

SSL FREAK Out – WSWiR Episode 142

Did you catch all the important information security news this week? Do you know what you might learn from it? If not, watch our weekly security recap video to catch up.

Today’s episode covers yet another SSL vulnerability, explores a new Android worm, and mentions a controversy around Turbo Tax-related fraud. Watch the video for the details and check out the Reference section for more.

(Episode Runtime: 8:37 for main video with an extra at the end)

Direct YouTube Link: https://www.youtube.com/watch?v=y5dryp9wFhE

EPISODE REFERENCES:

• Daily Security Bytes:
  • Monday: TurboTax Doesn’t Stop Fraud? – Daily Security Byte EP.35
  • Tuesday: Don’t FREAK Out – Daily Security Byte EP.36
  • Wednesday: Gazon Android Worm – Daily Security Byte EP.37
  • Thursday: CSI: Cyber? NOPE! – Daily Security Byte EP.38
  • Friday: FREAK affects Windows – Daily Security Byte EP.39

• FREAK SSL Vulnerability
  • Official FREAK page and description – Freakattack
  • CVE listing for FREAK vulnerability –  Mitre
  • Good Ars Technica write-up on the FREAK flaw – Ars Technica
  • FREAK affects Windows too – Microsoft Advisory
• Turbo Tax fraud controversy
  • Whistleblowers claim Intuit doesn’t do enough to stop fraud – KrebsOnSecurity
  • Intuit’s response to fraud handling allegations – Intuit
  • Earlier interview with Intuit’s CISO – KrebsOnSecurity
  • Original TurboTax Fraud Security Byte – WatchGuard Blog
• Gazon: Android malware SMSs Amazon card scam – AdaptiveMobile
• CSI: Cyber reviews
  • CSI: Cyber website – CBS
  • Space Rogue’s review of CSI: Cyber – Space Rogue

EXTRAS:

• Audience does not accept that NSA Director is a Libertarian – The Intercept
• Researcher finds 0day in Seagate’s 2-Bay NAS device – Beyond Binary
• A couple data/account breaches and disclosure:
  • Toys ‘R US warns about fraudulent account access – SC Magazine
  • Uber data breach leaks 50K drivers’ PII – Uber
  • Someone stored Uber’s secret key on Github – Ars Technica
• Legally watch CitizenFour for free – ThoughMaybe
• GoPro WiFi reset mechanism exposes others’ passwords – IBTimes
• Device found in German Parliament Chairman’s mobile might illustrate interdiction – The Local
• Latest Chrome update fixes a lot of security flaws – Threatpost
• Malicious Blu-ray’s infect PCs and players – Ars Technica
  • The Register’s article on the Blu-ray hack – The Register
• Malware authors hide C&C with Domain Shadowing – Help Net Security
• Criminals use Apple Pay to leverage stolen CCs – Ars Technica
• uTorrent uses your computer to mine Bitcoin – Independent
• D-Link fixes a bunch of consumer router vulnerabilities – Naked Security
• Apparently the FAA sucks at information security – Engadget
• US mad when other governments want backdoors too – Techdirt
• Do you play video games? You’ll probably become a hacker (whatever) – Huffpo
• Java installs adware on macs too (no thanks Oracle) – Gizmodo
• UK’s NCA shutdown 57 cyber criminals – Engadget
• Canadian arrested for not handing over his password at the Border – The Register

— Corey Nachreiner, CISSP (@SecAdept)

Snowden, PowerOffHijack, and Router Phishing – WSWiR Episode 141

From nation state espionage, to Internet rights, to router hijacking emails, each week is packed full on information security (infosec) news. Even if you don’t have time to follow it in depth, you can’t afford to miss the latest intelligence. Let our weekly summary video fill you in.

Today, we cover Snowden’s public interview on Reddit, a dangerous sounding Android threat that’s not so bad, and a spam campaign that’s hijacking Brazilian routers. Press play to learn more, and check out the References for details.

NOTE: Embarrassingly, I wrote this and posted the video on Friday, but forgot to actually publish the blog post. If you subscribe to the YouTune channel you probably already noticed it, but I apologize to blog readers for publishing this post late. 

(Episode Runtime: 9:52)

Direct YouTube Link: https://www.youtube.com/watch?v=ri8Sg1V8Y7k

EPISODE REFERENCES:

• Daily Security Bytes:
  • Monday: Snowden Goes to the Oscars – Daily Security Byte EP.29
  • Tuesday: PowerOffHijack’s a Dud – Daily Security Byte EP.30
  • Wednesday: Anthem & SIM Heist Updates – Daily Security Byte EP.31
  • Thursday: Net Neutrality Wins – Daily Security Byte EP.32
  • Friday: Phishing Pops Routers – Daily Security Byte EP.33

• Snowden, Poitras, and Greenwald do a Reddit AMA – Reddit
• PowerOffHijack is not so bad:
  • PowerOffHijack spies when you phone is “off” – Slashgear
  • AVG’s source research on PowerOffHjiack – AVG
  • The Android PowerOffHijack isn’t as bad as it sounds – Tech Republic
• Anthem & SIM Heist updates:
  • Anthem breach affects 8-18M other non-customers – Reuters
  • OTA key from the SIM heist allows NSA to plant backdoors – The Verge
  • Gemalto says a breach happened, but SIM keys not stolen – Gemalto
• Net Neutrality pass the FCC:
  • FCC votes to pass Net Neutrality changes – Ars Technica
  • Long form article on why provides don’t like Net Neutrality – Ars Technica
  • Is the Net Neutrality battle over… nope – Gizmodo
  • Security implications of Net Neutrality – SANS
• Spam leads to hijacked routers:
  • Spam campaign targets routers of specific carrier customers with XSS – KrebsonSecurity
  • ProofPoint’s blog post on this Brazilian phish-pharm campaign – ProofPoint

EXTRAS:

• Suit against Lenovo for Superfish – Tech Radar
• Almost half (44%) of attacks use 2 to 4 yr old vulnerabilities – Computing
• Is the TurboTax fraud related to the Anthem breach – Forbes
• PrivDog similar to Superfish – Tech Week
• More products affected by the Superfish issue – Ars Technica
• Yahoo exec grills NSA director on built in “golden keys” – BBC
  • More on the NSA/Yahoo showdown – Network World
  • NSA Director is grilled about “backdooring” encryption – Tech Dirt
• Chrome continues to warn you of shady web stuff – PC World
• Need an extra $3M? Find this Russian hacker – Times
  • This bounty is for the Zeus/Cryptolocker botherder – SC Magazine
  • More on why this guy has a $3M bounty – The Telegraph
• Google releases a beta web app scanner – Google
• Hacking Telegraph’s (iOS app) encryption – Zimperium
• Israeli defense suffers from a spear phishing attack – Xedie
• $162M = The cost of the Target breach so far – Techcrunch
• Al Jazeera says they have hundreds of nation state intelligence documents – Business Insider
• NCA claims to have taken down the Ramnit botnet – BBC
• Remote code execution flaw found in Samba server – Redhat
• Another WordPress plug-in flaw imperils millions – Ars Technica
• Wired goes more in depth on NSA firmware hack –  Wired
• UK parking ticket payment site suffers from a customer data breach – Neowin
• Trend Micro’s Arid Viper report cause claimed innocent to run – Forbes
  • Trend Micro shares updates on Arid Viper – Trend Micro
• Lizard Squad takes credit for Lenovo site hack – Winbeta
  • The Lenovo hijack accomplished via an upstream registrar – Ars Technica
• Moxie Marlinspike is over GPG – Thoughtcrime
• This password reset is too easy – CNET
• Latest threat attaching malware to PNG images – Cisco
• Clapper says Iran was behind the Las Vegas Sands cyber attack – Bloomberg
• Firefox 36 fixes 16 vulnerabilities; three critical – Threatpost

— Corey Nachreiner, CISSP (@SecAdept)

Phishing Pops Routers – Daily Security Byte EP.33

Can a simple link in a phishing email allow hackers to pwn hundreds of consumer routers in an automated attack. Find out why some Brazilian organizations know the answer to that question in today’s Daily Byte video.

(Episode Runtime: 1:47)

Direct YouTube Link: https://www.youtube.com/watch?v=9hdrE93lID8

EPISODE REFERENCES:

• Spam campaign targets routers of specific carrier customers with XSS – KrebsonSecurity
• ProofPoint’s blog post on this Brazilian phish-pharm campaign – ProofPoint

— Corey Nachreiner, CISSP (@SecAdept)

Printer Doom Hack – WSWiR Episode 122

Apple Patches, Kindle XSS, and Doom Printer Hack

If you want to stay current with the Internet “threatscape,” our weekly video can help. It summarizes each week’s top information and network security news in one convenient place. Subscribe today!

Today’s episode covers, Apple and Adobe security updates, a cross-site scripting flaw that affects Kindle users, and an interesting printer hack that allowed an attacker to run doom on a printer. Watch the video for details and see the Reference section below for more info.

Enjoy your weekend!

(Episode Runtime: 5:39

Direct YouTube Link: https://www.youtube.com/watch?v=aZ7-LdlMYHc

Episode References:

• Software Updates:
  • Lots of Apple security updates in September– Apple Security Page
  • Adobe releases Reader update to fix eight flaw – ZDNet
  • Microsoft pulls the Lync update – ZDNet
• XSS flaw in Kindle Library can compromise your Amazon account – F17.de
• Hacker’s run Doom on Canon Pixma printers – Ars Technica
  • Blog post about Doom printer hack – Contextis

Extras:

• FBI targeting Tor users and hacking suspects – The Register
• Home Depot numbers are in; 56m credit cards – The Guardian
• A couple of Android pick-pocketing Russian hackers arrested – IB-Group blog
• Next version of Android will encrypt your data by default – Business Insider
• More malicious advertising via Zido and Google’s Ads – PC World
• CryptoWall hits Australia hard (XTM GAV can catch it) – PC Advisor
• Recently phishing campaigns using Apple hype as a lure –  ZDNet
• Latest U.S government report blames China for more hacking – Phys.org
• “Bitcoin Jesus” offers bounties for Bitcoin hackers – Wired
• NATO says we all face a high “cyber threat” level for the next decade – Computer Weekly
• Some iPhone eBay listings contain XSS attacks –  Tamebay
• Hacker breached Goodwill for 18 months – Computer World
• Audible security flaw lets pirates steal audiobooks – Gizmodo
• One researcher says Home Depot malware was different than BlackPoS/Backoff – SC Magazine

— Corey Nachreiner, CISSP (@SecAdept)

SQL Server Update Fixes XSS and DoS Vulnerability

Severity: Medium

Summary:

• These vulnerabilities affect: Most current versions of SQL Server
• How an attacker exploits it: Various, including enticing someone to click a specially crafted link
• Impact: In the worst case, an attacker can steal your web cookie, hijack your web session, or essentially take any action you could on the SQL server
• What to do: Deploy the appropriate SQL Server updates as soon as possible

Exposure:

SQL Server is Microsoft’s popular database server. According to Microsoft’s security bulletin, SQL Server suffers from both a Cross-site Scripting (XSS) and Denial of Service (DoS) vulnerability.

The XSS flaw poses the most risk. The SQL Master Data Services (MDS) component suffers from a Cross-site Scripting (XSS) vulnerability due to its inability to properly encode output. By enticing someone to click a specially crafted link, an attacker could leverage this flaw to inject client-side script into that user’s web browser. This could allow the attacker to steal web cookie, hijack the web session, or essentially take any action that user could on your SQL Server’s associated web site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer.

The DoS flaw poses less risk, but is worth patching too. Essentially, if an attacker can send specially crafted queries to you SQL server, he could lock it up. However, since most administrator block SQL queries from the Internet, the attacker would have to reside on the local network to launch this attack.

Solution Path:

Microsoft has released SQL Server updates  to correct this vulnerability. You should download, test, and deploy the appropriate update as soon as possible. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s SQL Server bulletin.

As an aside, the Cross-site Scripting (XSS) protection mechanisms built into many modern web browsers, like Internet Explorer (IE) 8 and above, can often prevent these sorts of attacks. We recommend you enable these mechanisms, if you haven’t already.

For All WatchGuard Users:

Since attackers might exploit some of these attacks locally, we recommend you download, test, and apply the SQL Server patches as quickly as possible.

Status:

Microsoft has released updates to fix this vulnerability.

References:

• MS Security Bulletin MS14-048

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

---

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Hardware Malware – WSWiR Episode 112

Tons of Patches, Facebook Botnets, and Infected Hand Scanners

After a couple weeks of hiatus, we’re finally back with our weekly security news summary video. If you want to learn about all the week’s important security news from one convenience resource, this is the place to get it.

This episode covers the latest popular software security updates from the last two weeks, and interesting Litecoin mining botnet that Facebook helped eradicate, and an advanced attack campaign that leverages pre-infected hardware products. Watch the video for the details, and check out the Reference’s for more information, and links to many other interesting InfoSec stories.

Enjoy your summer weekend, and stay safe!

(Episode Runtime: 7:37)

Direct YouTube Link: https://www.youtube.com/watch?v=oAHYUW1KkM0

Episode References:

• Microsoft’s July Patch Day
  • Microsoft July Patch notification – Microsoft
  • Microsoft IE alert fixes over 20 vulnerabilities – WGSC
  • Windows updates fix Journal flaw and more –  WGSC
  • Minor Service Bus issue likely only affects few –  WGSC
  • Microsoft SSL certificate security advisory – Microsoft
• Apple’s June Patches
  • Apple security updates summary page – Apple
  • Apple’s June OS X security updates – Apple
  • Apple’s June Safari security update – Apple
  • iOS 7.1.2 security update – Apple
  • Apple TV June security update – Apple
• Adobe Patch Day
  • Adobe patches Rosetta Flash – WGSC
  • Michele Spagnuolo blog post on Rosetta Flash – Miki.it
• Facebook helps thwart Lecpetex Litecoin botnet – Facebook
• Zombie Zero: Malware found in Chinese Inventory Scanners – Network World
  • TrapX report or Hand Held Scanners attack campaign – TrapX
  • Dark Reading covers Zombie Zer0 – Dark Reading

Extras:

• US arrests accused Russia CC hacker; Russia claims kidnapping – Krebs on Security
• Microsoft botnet shutdown had collateral damage on No-IP – SC Magazine
• EFF sues NSA for using 0day – Network World
• The NSA gathers far more info from general Internet users than it does targeted foreign national – The Washington Post
• HotelHippo shut down after discovery of security flaws on site – SC Magazine
• Accused UK hacker jailed for refusing to hand over his password and crypto keys – The Register
• Google Glass can steal passwords from 10ft away (hyperbole?) – We Live Security
• DoHS accuses Chinese attackers of hacking records from Office of Personnel Management – NY Times
  • Kerry says Chinese hackers didn’t get any sensitive info – NBC News
• New PoS botnet surfaced on the underground in May – The Register
  • PoS Botnet leverages RDP – SC Magazine
• Google patched a Drive file leaking vulnerability – Naked Security
• Flaw in smart bulbs could leak Wifi passwords – Ars Technica
• Google blocks a lot of unauthorized digital certificates from India – Google
• Dragonfly ICS malware affects global energy companies – IT Portal
  • Older F-Secure story – The Register
  • Gizmodo also covers this story – Gizmodo
• Latest iOS jailbreak supports iOS 7.1.2 – CNET
• Hijack Hunter; a comparable tool to HijackThis – Ghacks
• Cloud Remote Access and common password allowed attacker in – Computer World
• Cisco Unified Communications have hard coded SSH key (backdoor) – The Register
  • Patch for Cisco UC backdoor – Cisco
• MiniDuke authors seem to target drug dealers – The Guardian
• CosmicDuke targets drug dealers and military contractors – Techweek
• Dailymotion hijacked to serve Drive-by Download… again! – Network World
• Zeus will never die (re-emerges after a takedown) – Ars Technica
• Tinba malware source code leak – CSIS
  • Tinba malware analysis – Trend Micro

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Service Bus DoS Mostly Affects Enterprise Web Developers.

Among this week’s Microsoft security bulletins is one that likely only affects a small subset of Microsoft customers, and thus not worth a full security alert.

Microsoft Service Bus is a messaging component that ships with server versions of Windows, providing enterprise developers with the means to create message-driven applications. According to Microsoft’s bulletin, Service Bus suffers from a denial of service (DoS) vulnerability involving it’s inability to properly handle a sequence of specially crafted messages. If you have created an application that uses Service Bus, an attacker who could send specially crafted messages to your application could exploit this flaw to prevent the application from responding to further messages. You’d have to restart the service to regain functionality.

Windows itself doesn’t really use Service Bus for anything, but if you have internal applications that do, this vulnerability may be significant to you. If you use Service Bus, be sure to check out the bulletin to get your updates. — Corey Nachreiner, CISSP (@SecAdept)

TweetDeck XSS – WSWiR Episode 111

Patch Day, P.F. Changs Hack, and TweetDeck XSS

This week delivered a lot of infosec news and a ton of software security updates. If you didn’t have time to follow it all, check out our weekly computer security video to fill in the blanks.

During today’s episode, I cover the critical patches from Microsoft, Adobe and Mozilla, mention the latest credit card breach against a U.S. restaurant chain, and talk about the cross-site scripting worm spreading via TweetDeck. Click play below to learn more, and check out the References for other interesting infosec stories.

Before wishing you a great weekend, here are a couple of quick show notes. First, I’m starting a vacation during the middle of next week, so I won’t be publishing this weekly video for the next two weeks. It will return in July.

Second, if you are a WatchGuard customer curious about our OpenSSL updates, we are in the process of posting new versions of software for many of our products. Keep your eye on this blog, as those will likely start coming out early next week.

(Episode Runtime: 7:37)

Direct YouTube Link: https://www.youtube.com/watch?v=hbGqdrxvOyA

Episode References:

• Adobe & Microsoft Patch Day
  • Microsoft’s June Summary – WGSC
  • Huge IE Update– WGSC
  • Consolidated Windows Bulletin for June– WGSC
  • Microsoft fixes Word Flaw – WGSC
  • Adobe patches Flash – WGSC
  • Mozilla fixes seven flaws in Firefox 30 vulnerabilities – Threatpost
• TweetDeck suffers from new XSS flaw – Wired
• P.F. Changs suffers a credit card breach – Krebs on Security
  • UPDATE: P.F. Changs confirms their network breach – Krebs on Security

Extras:

• Feedly and Evernote suffer from DDoS attack extortion – Slate
• New Pandemiya trojan (botnet) sold on underground for around 2K – RSA Blog
• Russian iOS ransomers arrested (related to last week’s iOS ransom) – The Guardian
• Mobiles phones used to hack air-gapped networks with acoustic and electromagnetic emanations – SoftPedia
• Great Motherboard video on hacking mobile phones – Motherboard
• President Bush’s email hacker sent to prison for four years – IBTimes
• ICS-CERT warns of pranksters hacking traffic road signs – CBR Online
• Cryptolocker like ransomware hit’s Android devices (Android/Simplelocker) – Ars Technica
• Aether vulnerability may allow attackers to hijack SmartTVs – Yossi Oren’s Blog
• Anonymous threatens #OpHackingCup hacktivist campaign against World Cup sponsers – The Register
• Latest report claims annual loss of $445M due to cyber crime – Mcafee
• Two teens (14) use operator’s manual and default password to hack ATM – Ars Technica
• Phishme warns of a Dropbox phishing scheme – Phishme
• Yet another iOS lockscreen bypass flaw (yawn) – BGR
• Play Google’s game to test your XSS skills – Appspot.com
• Use F-Secure’s “one click” test to find Zeus on your computer – F-Secure
• Hackers use bad passwords too – Technology Tell
• New video game, Watch Dogs, already used as hacking scapegoat – Techdirt
• Spam campaign preying on the public’s fear of CryptoLocker – Betanews
• Older Android banking trojan (Svpeng) adds ransomware – Securelist blog
• TED talk on Hacker’s being the “immune system” of the Internet – TED

— Corey Nachreiner, CISSP (@SecAdept)