SSL.com’s Friday Security Roundup – May 8, 2015


Happy birthday, Harry S Truman! And it’s the 45th anniversary of the release of the Beatles’ last album. In this week’s Friday Security Roundup, we can’t decide whether to give ’em hell or let ’em be – maybe a bit of both? Either way, SSL.com reviews some of the security issues we’ve been following this week.

Great DANE Adoption (Also TLS 1.1)

Recommended, by the US Computer Emergency Readiness Team (US-CERT): defense-in-depth methods for protecting against man-in-the-middle attacks. US-CERT notes: “Employing multiple network and browser protection methods forces an attacker to develop different tactics, techniques, and procedures to circumvent the new security configuration,” and lists measures including DNS-based Authentication of Named Entities (DANE), certificate pinning, and setting TLS 1.1 as the minimum allowed protocol version.

Status: A hearty shhhyeah. SSL/TLS is a big part of protecting your information, but the more layers of security you set up, the more likely it is that J. Random Haxxor bounces off and goes looking for a less challenging target.
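As an added example (not from US-CERT or the original post), here is what the three measures above look like in practice, in Python. A DANE TLSA record and a certificate pin are both just SHA-256 over the server key’s SubjectPublicKeyInfo (SPKI), so the block builds a DANE-EE TLSA record (usage 3, selector 1, matching type 1, per RFC 6698) and an HPKP-style base64 pin from the same bytes, runs the pinning check, and builds a client SSL context that refuses anything below a minimum TLS version. The SPKI bytes are a constructed placeholder, not a real key; a real one comes from `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER`. One caveat: TLS 1.1 was a reasonable floor in 2015, but TLS 1.0 and 1.1 were formally deprecated by RFC 8996 in 2021, so the context below defaults to TLS 1.2.

```python
import base64
import hashlib
import ssl

# Constructed placeholder shaped like a DER SEQUENCE (0x30, length 0x59).
# Not a real key: a real SPKI comes from the server's certificate.
SAMPLE_SPKI = b"\x30\x59" + bytes(range(89))


def tlsa_record(spki_der: bytes, usage: int = 3, selector: int = 1, matching: int = 1) -> str:
    """RDATA of a DANE TLSA record (RFC 6698): "<usage> <selector> <matching> <hash>".

    Defaults: usage 3 (DANE-EE, pin the end-entity certificate itself),
    selector 1 (hash the SubjectPublicKeyInfo, so the record survives a
    certificate renewal that reuses the key), matching type 1 (SHA-256).
    This example only implements the SPKI / SHA-256 combination.
    """
    if (selector, matching) != (1, 1):
        raise ValueError("example supports selector 1 / matching type 1 only")
    return f"{usage} {selector} {matching} {hashlib.sha256(spki_der).hexdigest()}"


def spki_pin(spki_der: bytes) -> str:
    """base64(SHA-256(SPKI)): the pin format used by HPKP (RFC 7469) and browser pin lists."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(spki_der: bytes, pinned: set) -> bool:
    """Certificate pinning check: accept the server only if the key it presented
    hashes to one of the pins we ship. Ship at least one backup pin as well,
    or a key rotation locks your own clients out."""
    return spki_pin(spki_der) in pinned


def hardened_context(minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Client SSLContext that refuses protocol versions below `minimum` while
    still verifying the chain and hostname: pinning and DANE are extra layers,
    not a replacement for normal certificate validation."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    print("TLSA RDATA:", tlsa_record(SAMPLE_SPKI))
    print("SPKI pin:  ", spki_pin(SAMPLE_SPKI))
    print("pin check: ", pin_matches(SAMPLE_SPKI, {spki_pin(SAMPLE_SPKI)}))
    print("TLS floor: ", hardened_context().minimum_version.name)
```

The TLSA string goes into DNS as `_443._tcp.example.com. IN TLSA <RDATA>` (the owner name is an assumption for illustration), and DANE only buys you anything if the zone is DNSSEC-signed and the client actually validates; the pin set belongs in the client, never fetched from the same connection it is meant to protect.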

Quick and Easy Anti-Virus. Maybe TOO Quick and Easy?

Stripped of their rankings by the major testing labs: Chinese antivirus vendors Qihoo 360 and Tencent. Both stand accused of gaming the rating systems used by Virus Bulletin, AV-Comparatives and AV-Test. Qihoo was spanked for submitting software for testing that used an AV engine other than the one it ships to customers. Qihoo then used the well-known “But Timmy does it too!” defense, ratting out fellow vendor Tencent for using selective whitelisting to get faster scans and higher grades. (Qihoo also implicated Chinese web services company Baidu – no findings yet from the testing labs on that one.)

Status: Not angry, just very, very disappointed. Seems currency exchange rates aren’t the only numbers getting (allegedly) manipulated.

…And Here’s Why you WANT Solid A/V Software…

Reported, by Cisco researchers Ben Baker and Alex Chiu: Rombertik, data-stealing malware that wrecks the host computer when it detects analysis. “Rombertik is unique in that it actively attempts to destroy the computer” (by trashing the Windows master boot record) when it is discovered or analyzed, and it also tries mighty hard to obfuscate how it operates when it is not.

Status: Impressed despite ourselves – beyond stealing data, Rombertik definitely wants to remind you who’s boss (the boot record gets replaced with code that prints a rude message). However, the infection vector is (alas) all too typical: opening an attachment from a supposedly trusted source. Scan those files first, folks.

…Except When It’s the AV Software ITSELF That’s Harshing Your Workflow

Misflagged, by a recent update pushed to older versions of Avast antivirus: assorted dynamic-link libraries (DLLs) on Windows boxes. The DLLs were blocked and quarantined, with the fun result of breaking any program that used them (reportedly including TeamViewer and Corel products).

Status: Tsk-tsks aplenty to Avast for the initial mistake, but moderate kudos for catching and correcting the issue quickly (and another case where active user forums helped catch and mitigate the problem earlier than would otherwise have been the case).

Password Alert Alert

Easily broken, by infosec consultant Paul Moore: that spiffy Google Password Alert extension we reported on last week. The extension, designed to warn when your Google password is entered on a non-Google page, proved trivial to bypass (eight lines of JavaScript did it), though as of this writing it has been patched to address the bypass.

Status: Lukewarm. While certainly not a bad idea, Password Alert shouldn’t be the only arrow in your quiver – Moore himself recommends that Google push password managers rather than simple-to-use (and, apparently, simple-to-break) tools like this extension.

2560 Stream Processors, 4GB 512-Bit GDDR5, Undetectable Malware

Developed as a proof of concept: malware that runs on a computer’s graphics card (GPU) instead of the usual CPU. The developers claim that no current malware detection tools even look for code running there, and they note other advantages, including persistence in GPU memory and, of course, the GPU’s heavy number-crunching power on tap as required.

Status: Watching with interest for the next leg of this arms race, and wondering whether anyone is actively exploiting this already. (Remember that reprogramming hard-drive firmware was the “Equation Group” trick – and they dodged detection for some 14 years.)

And What’s Threatening Your WordPress Site *Today?*

Reported, by security company Sucuri: a fairly dire cross-site scripting (XSS) vulnerability in the Genericons icon package bundled with the widely installed (default, even) WordPress theme Twenty Fifteen, with exploitation already seen in the wild.

Status: Sigh. Fixed in WordPress 4.2.2. Update, then watch this space for the next WP issue.

a safer internet is a better internet.