Week 10: Web Application Hacking

A 15-year-old security researcher, Saleem Rashid has discovered a serious flaw in cryptocurrency hardware wallets made by Ledger, a company which designs products to protect the user’s private keys from malicious software that might try to gather those credentials from the user’s computer. Rashid mentions that if the attacker has the physical access to the device, who could update the devices with malicious code that would wait for a potential buyer to use it, and then route the private key and drain the user’s cryptocurrency account, when the user goes to use it. The major problem with ledger device is that it contains a secure processor chip and a non- secure microcontroller chip, where the attackers use the insecure microcontroller chip to run the malicious software.

– The authentication to the microcontroller should be strong enough so that any insecure element cannot authenticate to microcontroller.

– Ledger should include tamper protection seal which warns the customers that the device has been physically opened or modified prior to its first use by customer.

– One of the chances where attackers gain the physical access to the device is when the products frequently outrun the company’s ability to produce them and this lead the chief of the company state that their products can be purchased from the third party sellers. I feel it’s a good idea to purchase this kind of devices directly from the source.

– In Ledger device the secure processor chip and in-secure microcontroller chip still passes the information with each other, while the attacker can use the in-secure microcontroller chip and generates the displayed receive address using the code running on the machine

– The ledger wallet doesn’t implement any integrity-check/anti-tampering to its source files, meaning they can be modified by anyone.

– New ledger users would typically send all their funds to the wallet once initialized. If the machine was pre-infected, this first transaction may be compromised causing the user to lose all of his funds.

https://community.mis.temple.edu/mis5211sec001fall2018/2018/11/26/5965/

https://threatpost.com/threatlist-dead-web-apps-haunt-70-percent-of-ft-500-firms/138659/

This article has very interesting statistics. Based on the study of abandoned websites owned by leading global corporations hammers home the point that old web applications need to be properly mitigated or retired. Otherwise, these resources often haunt a firm long after they have been forgotten. 

Key findings:

70% of FT 500 can find access to some of their websites being sold on Dark Web

92% of external web applications have exploitable security flaws or weaknesses

19% of the companies have external unprotected cloud storage

2% of external web applications are properly protected with a WAF

Every single company has some non-compliances with GDPR

 

https://thehackernews.com/2018/11/virtualbox-zero-day-exploit.html

Here is an interesting story on Oracles Virtual box. It turns out researchers have found a weakness that allows attackers to gain root access from the guest OS and execute code on the host OS.

According to the researchers, the vulnerability allows an attacker or a malicious program with root or administrator rights in the guest OS to escape and execute arbitrary code in the application layer (ring 3) of the host OS, which is used for running code from most user programs with the least privileges.

Following successful exploitation, the researcher believes an attacker can also obtain kernel privileges (ring 0) on the host machine by exploiting other vulnerabilities.

https://krebsonsecurity.com/2018/11/sms-phishing-cardless-atm-profit/

Many of you may have seen the commercials with bank customers accessing ATM’s with just their phones.  All it takes is a debit card added to a digital wallet and an NFC capable ATM.  Well, it didn’t take long for the fraudsters to exploit this new fraud channel.  This is a good article detailing one of the methods they use to accomplish this.  Let me emphasize that this is only one of many methods they can use.

 

A team of security researchers has discovered another serious side-channel vulnerability in Intel CPUs that could allow an attacker to sniff out sensitive protected data, like passwords and cryptographic keys, from other processes running in the same CPU core with simultaneous multi-threading feature enabled.

The vulnerability, codenamed PortSmash (CVE-2018-5407), has joined the list of other dangerous side-channel vulnerabilities discovered in the past year, including Meltdown and Spectre, TLBleed, and Foreshadow. The new side-channel vulnerability resides in Intel’s Hyper-Threading technology, the company’s implementation of Simultaneous MultiThreading (SMT).

The simple fix for the PortSmash vulnerability is to disable SMT/Hyper-Threading in the CPU chip’s BIOS until Intel releases security patches. OpenSSL users can upgrade to OpenSSL 1.1.1 (or >= 1.1.0i if you are looking for patches).

https://thehackernews.com/2018/11/portsmash-intel-vulnerability.html

Interesting news about two critical vulnerabilities in Bluetooth Low Energy (BLE) chips embedded in millions of access points and networking devices used by enterprises around the world. BleedingBit, the set of two vulnerabilities could allow remote attackers to execute arbitrary code and take full control of vulnerable devices without authentication, including medical devices such as insulin pumps and pacemakers, as well as point-of-sales and IoT devices.
Armis discovered BleedingBit vulnerabilities earlier this year and responsibly reported all affected vendors in June 2018, and then also contacted and worked with affected companies to help them roll out appropriate updates to address the issues.

https://thehackernews.com/2018/11/bluetooth-chip-hacking.html

U.S customers have bad habits in digital security. 51 percent admit to reusing passwords/PINs across multiple accounts such as email, computer log in, phone passcode, and bank accounts. 17 percent customers are concerned that they could fall victim to a physical security breach. 27 percent customers do not shred paper or physical documents containing sensitive information before throwing them away. There are additional information that consumers are unsure how to determine if they were victims of fraud and do not understand how to report and remediate fraud and theft. In addition, 72 percent customers believe that they can identify fraudulent emails or calls. Furthermore, consumers store paper documents containing sensitive information in risky ways. around 30 percent customers store the paper documents contain personal information in a box or desk.drawer. Finally, baby boomers have some of the safest information security habits, despite stereotypes suggesting otherwise.

 

https://www.securitymagazine.com/articles/89564-us-consumers-security-habits-make-them-vulnerable-to-fraud

Threat hunting is the active search for “unknown unknowns,” which describes new and novel attack behaviors that aren’t detected by current automated methods of prevention and detection. It is, by nature, a “hands-on-keyboard activity,” driven by humans. Just like hunting in nature, anyone can do it, but the right experience and tools can make you much more effective.

https://securityledger.com/2018/11/managed-threat-hunting-bridges-the-talent-gap/

 

The organization surveyed 6,000 technology users across six countries — the US, UK, France, Germany, Italy, and Australia — to determine how their personal actions could introduce cybersecurity vulnerabilities within the organizations they work for.

The results show that users’ WiFi and virtual private network (VPN) use remain suspect. Of particular concern is the fact that home WiFi networks are often left fully unprotected, opening the door for remote workers to be compromised — and for their employers to be compromised in turn.

 

https://www.wombatsecurity.com/blog/user-risk-report-44-of-workers-dont-password-protect-home-wifi

Researchers at Radboud University in the Netherlands have revealed today vulnerabilities in some solid-state drives (SSDs) that allow an attacker to bypass the disk encryption feature and access the local data without knowing the user-chosen disk encryption password.

The vulnerabilities only affect SSD models that support hardware-based encryption, where the disk encryption operations are carried out via a local built-in chip, separate from the main CPU.

But in a new academic paper published today, two Radboud researchers, Carlo Meijer and Bernard van Gastel, say they’ve identified vulnerabilities in the firmware of SEDs.

The only way users would be safe was if they either changed the master password or if they ‘d configure the SED’s Master Password Capability setting to “Maximum,” which effectively disables it.

 

https://thehackernews.com/2018/11/self-encrypting-ssd-hacking.html