Breaches and leaks
It's not so bad this week!
Or maybe I missed some? I was lying sick in bed most of the week. But still, yay, positive thoughts \o/
- HSBC Bank: about 1% of customers might have been breached, exposing account details, transaction history, etc. It was most likely a credential stuffing attack, using logins obtained from other breaches.
- FIFA: they were hacked again, and another round of confidential documents is expected to come out and raise scandals.
An interesting kind of attack, where one thread can extract information about another thread running on the same CPU. The proof of concept was able to steal an OpenSSL private key from a TLS server. Shared hosting environments could be the biggest victims. It's unclear right now whether AMD is affected too.
There's a vulnerability in the Session Initiation Protocol (SIP) inspection engine which can be used to trigger a DoS attack. It's being exploited in the wild, but no patch is available. If you run Cisco devices, check whether you need to take mitigating actions.
Many plugins use cURL to make connections to payment gateways and the like, but disable certificate validation because it generates scary security notices. This leaves them open to man-in-the-middle attacks, among other problems.
The notices happen because cURL can't find a list of known Certificate Authorities. You might want to check your own codebase to see whether you're impacted, and maybe use the library that the researcher made available to give cURL the list it needs.
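As an added example (not from the newsletter or the researcher's library), here is the weak pattern beside a hardened helper; it assumes a PHP plugin using the curl extension, and the CA bundle path and function names are hypothetical.

```php
<?php
// Added example, not from the newsletter or the researcher's library.
// Weak pattern seen in plugins: the "unable to get local issuer certificate"
// notice is silenced by turning verification off, which enables MITM.
function weak_gateway_call(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // do NOT do this
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);     // do NOT do this
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Hardened version: keep verification on and hand cURL a CA bundle.
// $caBundle is a hypothetical path the plugin ships or configures
// (for example a copy of a public CA bundle); fail closed if it is missing.
function secure_gateway_call(string $url, string $caBundle): string
{
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,            // verify the chain
        CURLOPT_SSL_VERIFYHOST => 2,               // hostname must match cert
        CURLOPT_CAINFO         => $caBundle,       // the list cURL was missing
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // no fallback to plain http
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        // Surface the real problem instead of disabling verification.
        throw new RuntimeException("TLS/transport failure: $err");
    }
    curl_close($ch);
    return $body;
}
```

To audit a codebase for the weak pattern, grep for `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` and look for call sites that set them to `false` or `0`.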
This is about as horrible as opsec gets. A double agent showed Iran a site that the CIA used to communicate with its agents. Using Google, Iran found similar sites and used them to intercept communications and identify agents.
There's a vulnerability where an attacker can break out of the guest OS and into the host OS, although with low privileges. Coupled with a privilege escalation exploit, though, it could do real damage. The researcher published the zero-day out of frustration with Oracle's "responsible disclosure" process.
It was found only a few hours after the release, by the same researcher who discovered the last few. It can make the contact list and contact information readable to the attacker. No patch is available yet.
The workload for researchers at NIST who assign CVSS scores is becoming too much. They've teamed up with Watson, and the results seem promising. It does very well at scoring common vulnerabilities, but has issues with more novel or complex ones.
I haven't done any Windows work in my career, but even I know of Sysinternals. Although, maybe that's because Mark Russinovich, its creator, also became a great fiction writer whom I've read :)
Anyway, Microsoft is starting to port Sysinternals to Linux, starting with the ProcDump utility, which allows you to create core dumps of processes based on criteria like high CPU utilization, memory usage and time intervals.
Stethoscope checks your device for things like firewall settings, disk encryption and more. The desktop version works as a standalone checklist; it doesn't even need an Internet connection. Pretty useful for helping employees self-check their security.
It's a newsletter kind of like this one, but targeted specifically at API security. Check it out! (But also please stay subscribed to this one.)
Very cool project, aiming to make it free and easy to test your employees' resilience against phishing attacks.