Week in review: SLOTH attacks, JavaScript-based ransomware, and hacking medical implants

Here’s an overview of some of last week’s most interesting news and articles:


SLOTH attacks weaken secure protocols because they still use MD5 and SHA-1
Researchers Karthikeyan Bhargavan and Gaëtan Leurent from INRIA, the French national research institute for computer science, have discovered a new class of transcript collision attacks that can be leveraged against (supposedly secure) mainstream protocols such as TLS, IKE, and SSH.

Cyber crooks abuse legitimate EU Cookie Law notices in clever clickjacking campaign
Cyber crooks have set up a clever new clickjacking campaign that takes advantage of pop-up alerts that European users are (by now) accustomed to see: the “EU Cookie Law” notifications.

After two fixes, OAuth standard deemed secure
A group of researchers from University of Trier, Germany, have performed the first formal security analysis of the OAuth 2.0 standard, and have discovered two previously unknown attacks that could be mounted to break authorization and authentication in OAuth.

Demanding accountability: The need for cyber liability
Key drivers for change in any market are regulation and incentivisation, whether by legal liability or insurance cover. But in the cybersecurity market these agents of change remain immature and we’re seeing unnecessary, grave breaches as a result.

Difficult to block JavaScript-based ransomware can hit all operating systems
Ransom32 is delivered on the victims’ computer in the form of a self-extracting WinRAR archive. It uses the built-in scripting language to unpack its contents and among the files it unpacks is one called chrome.exe. This executable is a packed NW.js application.

Is the Cybersecurity Act of 2015 effective?
While many are decrying the newly signed Cybersecurity Act of 2015 for its privacy issues, DB Networks is taking the Act to task for an equally troublesome reason: It is based on erroneous assumptions, rendering it nearly completely useless at improving cybersecurity.

The Tor Project announces bug bounty program
Representatives of the Tor Project, the non-profit organization that maintains the software needed for using the Tor anonymity network and operates the Onion network, have announced the imminent creation of a bug bounty program aimed at finding and fixing security flaws in the software.

You can’t stop what you can’t see: Mitigating third-party vendor risk
As enterprise networks become further extended and include a wider net of partners, contractors and third-party vendors, their attack surface grows with it—making it harder for organizations to manage and protect their assets. It’s imperative that organizations find a new way to visualize and understand their network’s traffic and users, and, in turn, the risk to their systems.

BlackEnergy APT is back, deleting files and killing computer systems
The BlackEnergy APT – or SandWorm group, as some researchers call it – has been active since 2007 (at least). Its past exploits include cyber-espionage campaigns targeting NATO, the European Union, Ukrainian and Polish government organizations; the White House; and a variety of US ICS operators. In the last few months, they have turned their sights on Ukrainian targets.

De-anonymizing code authors by analyzing executable binaries
A group of researchers that have previously proven that it’s possible to de-anonymize programmers by analysing the source code of programs they have created, have now demonstrated that a good result can be also be achieved by analyzing executable binaries of those programs.

HTML5 Security Cheat Sheet
This OWASP cheat sheet serves as a guide for implementing HTML5 in a secure fashion.

When hacking saves lives: Hacking medical devices and implants
Of all the IoT devices out there, none are more crucial to users than the medical devices that help them simplify the management of certain medical conditions or, in the most extreme cases, actually keep living. It’s no wonder then that security researchers that depend on these devices are eager to analyze them.

An Internet of Things wish list for 2016
While there is certainly plenty of legislation out there, especially in Europe, to protect citizen’s privacy online, it will be difficult, if not impossible, to apply much of it to the kinds of data that will be collected through billions of sensors watching our every move both in the home and when out and about.

Tips for implementing a converged infrastructure
By taking things one step at a time, CIOs can begin today to prepare their IT infrastructure for tomorrow’s digital economy.

Cyber security guidelines for the shipping industry
A group consisting of several leading shipping organizations and companies has published a set of guidelines to help the global shipping industry develop good solutions for preventing cyber incidents onboard their ships.

Flaw in Comcast’s home security system lets burglars in without triggering alarm
Rapid7 researcher Phil Bosco has discovered a crucial flaw in the Comcast XFINITY Home Security system, which can be easily exploited by burglars to enter homes without triggering the alarm, and for which there is currently no mitigation and no patch.

Linode forces password reset for all users due to suspected breach
New Jersey-based virtual private server provider Linode can’t seem to catch a break. After being repeatedly hit with DDoS attacks from December 24 to early January, the company announced on Tuesday that they have reset Linode Manager passwords for all users.

EFF: T-Mobile breaks net neutrality rules with Binge On service
In February 2015, the FCC has approved net neutrality rules “to preserve the Internet as a platform for innovation, free, expression and economic growth.” Realistically, it’s to be expected that broadband providers will try to find a way around these (or parts of these) rules, and according to the EFF, T-Mobile US is currently doing just that with its Binge On service.

Five major Big Data predictions for 2016
According to MapR Technologies’ CEO John Schroeder, the industry is in the midst of the biggest change in enterprise computing in decades. Schroeder sees an acceleration in big data deployments, and has crystallized his view of market trends into these five major predictions for 2016.

HTTPS Bicycle attack reveals password length, allows easier brute-forcing
Dutch security researcher Guido Vranken has come up with a new attack that could allow attackers to discover the length of a user’s password – and therefore make it easier to brute-force it – by analyzing a packet capture of the user’s HTTPS traffic.

Bugs in Drupal’s update process could lead to backdoored updates, site compromise
Drupal’s update process is deeply flawed, says IOActive researcher Fernando Arnaboldi.

Fitbit, warranty fraud, and hijacked accounts
Online account hijackings usually end up with the account owners being the main victims, but there are fraudsters out there who are more interested in ripping off companies than end users.

Share this
You are reading

Week in review: SLOTH attacks, JavaScript-based ransomware, and hacking medical implants