Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.
This week, Facebook dodged a pretty serious cybersecurity bullet. A couple of reports showed interesting links between stress and email data breaches, as well as the effects of vulnerability disclosure on exploitation and remediation. And a researcher described a relatively novel ransomware attack leveraging SEO.
Read on for details!
Notable Security News

Salesforce released JARM, a TLS fingerprinting tool with multiple applications. It can determine whether a group of servers share the same TLS configuration, whether they belong to the same cloud provider, and whether they are part of a malware command & control infrastructure. This is helpful both to defenders who want to identify malicious servers and to network engineers who want to verify the consistency of their TLS configuration.

Facebook Messenger bug allowed Android users to spy on each other
Facebook fixed a vulnerability in Facebook Messenger for Android that allowed callers to connect video and audio calls before callees accepted the call. This allowed for spying on people without their knowledge or permission. Natalie Silvanovich, who is part of Google’s Project Zero, reported the bug through Facebook’s bug bounty program and was rewarded with a $60,000 bounty, reflecting the severity of the bug.

Malware creates scam online stores on top of hacked WordPress sites
Search Engine Optimization (SEO) scams are not new, but they may now be used as a new type of ransomware. An Akamai researcher heard of criminals poisoning search engine results for companies, then demanding ransoms to reverse the effects. He shows how such malware works by detailing a real attack against his WordPress honeypot.

Egress surveyed IT security leaders in the UK and US across different industries on data breach risks related to email use. The findings are interesting: 93% have experienced data breaches via outbound email in the last 12 months, with the most commonly cited root cause being “an employee being tired or stressed”, followed by “remote working”. So, phishing awareness training is important, but stress also plays a significant role. The more stressed, the more likely to click on the wrong file or link!

Responsible Exposure and What It Means for the Industry
Kenna Security analyzed 473 vulnerabilities from 2019 looking for links between their public disclosure and exploitation by criminals. Considering the ongoing debate on this topic, their findings are very interesting. For instance, attackers have a 47-day head start on average once an exploit is published. Also, disclosing exploits before a vulnerability is patched makes it harder for security teams to remediate it (even after patch publication!). This shows that publishing exploits isn’t the expected motivator for improving security, and responsible disclosure yields better results.
Other Interesting News
Cybercrime
- Crooks social-engineer GoDaddy staff into handing over control of crypto-biz domain names
- Alert: Multiple actors are attempting to exploit MobileIron vulnerability CVE-2020-15505
- Passwords exposed for almost 50,000 vulnerable Fortinet VPNs
- OK Google, Build Me a Phishing Campaign
- New Grelos skimmer variant reveals overlap in Magecart group activities, malware infrastructure
Vulnerabilities
- Drupal sites vulnerable to double-extension attacks
- Belgian security researchers from KU Leuven and imec demonstrate serious flaws in Tesla Model X keyless entry system
- LidarPhone attack converts smart vacuums into microphones
- VMware urges sysadmins to apply workarounds after critical Workspace command execution vuln found
- The smart video doorbells letting hackers into your home
Reports
- Verizon Cyber-Espionage Report
- Sophos identifies top three security trends for 2021
- DDoS attacks more numerous, diverse, but smaller in Q3 of 2020
Responsible disclosure
- Ethereum bumps up bug bounty payouts ahead of 2.0 release
- Google Project Zero to form ‘crystal ball’ forecast panel to help improve vulnerability disclosure
- Facebook: Marking the 10th Anniversary of Our Bug Bounty Program
Tech
- Fearing drama, Mozilla opens public consultation before worldwide Firefox DoH rollout
- Google is rolling out end-to-end encryption for RCS in Android Messages beta
- Microsoft’s new ‘Pluton’ security processor gets buy-in from Intel, AMD
- Websites that use mix of HTTP, HTTPS schemes may break under new Chrome SameSite rules
Misc.
- IoT Cybersecurity Improvement Act Passed, Heads to President’s Desk
- Romanian Duo Arrested For Running Malware Encryption Service To Bypass Antivirus Software
- Baidu’s Android apps caught collecting sensitive user details
- How the U.S. Military Buys Location Data from Ordinary Apps
Intigriti News
Yesterday it was announced that Intigriti has won the Rising Star award. The Rising Star 2020 by Deloitte ranks the fastest-growing tech companies in Belgium, based on their level of innovation, growth potential and scalability.
