Week of August 10, 2018


Week of August 10, 2018

More Security Flaws at Comcast Left Customer Data Vulnerable*:

Portions of the home addresses and Social Security numbers of more than 26 million Comcast Xfinity customers were exposed thanks to two security flaws.

The vulnerabilities were discovered by a security researcher and reported by BuzzFeed News on Wednesday.

Comcast emphasizes that it has fixed the problems, and they do not believe the vulnerabilities were ever used against Comcast customers.

The first flaw exposed customers’ partial home addresses on an “in-home authentication” page—a feature that allows customers to pay bills online without signing in if using a device connected to their home IP address (a numeric designation that identifies a computer’s location on the internet).

All customers would have to do to verify their identity was select their correct partial home address from one of four options displayed.

This was easily exploitable because a hacker could have spoofed a customer’s IP address and then refreshed the page repeatedly to find their home address, since the correct answer would not change with each refresh.

That would give the hacker the first digit of the street number and the first three letters of the street name—enough to find the city, state, and postal code of the partial address, meaning that the hacker could determine the person’s specific location.

Comcast has since changed the page so it requires customers to provide more information to log in.

The second flaw exposed the last four digits of customers’ Social Security numbers on the sign-up page for Comcast’s Authorized Dealer website, which helps customers find sales agents.

There was no limit on the number of times someone could submit the form, so a bad actor could have put in random four-digit combinations until they discovered the correct combination.

Comcast has since limited the number of attempts.

*Source: Slate, August 09, 2018


Black Hat Researchers Show Why Air Gaps Won’t Protect Your Data*:

More industries are employing air gaps to protect devices that store critical information on internal networks.

When you store your personal, sensitive data on a computer disconnected from the internet, you are said to have protected your data behind an air gap.

But even without a connection to the internet, your secrets aren't necessarily safe, as security researcher Mordechai Guri demonstrated at the Black Hat conference.

Air Gaps are an exotic topic, mostly because it’s mostly government or military organizations that resort to such radical lengths to protect their secrets.

Guri has been working on jumping air gaps for several years now and has compiled an impressive list of tactics that could be used to access data which is protected behind an air gap.

The below examples show him attempting to extract the private key to a bitcoin wallet from an air-gapped computer.

After infecting the computer with a malware called BeatCoin that transmits the key to a nearby smartphone using near ultrasonic sound. The sound is transmitted via the speakers of the computer.

Removing the speakers is not a solution, as he then shows another app called Fansmitter that alternated the speed of the computer’s fans to change the blade pass frequency and thus transmit the data.

Likewise, data can be transmitted acoustically via the hard disk, or to a secondary computer within the room or electromagnetically.

The bottom line is, an air gap is not as secure today as it seemed to be.

However, the caveat to this argument is that the target computer needs to be physically infected with the said malware in order to do any of these methods mentioned above.

This means, that the air gaps are safe, but you always run the risk of losing your data to a motivated attacker if they choose to exploit the data in your possession.

*Source: PCMag, August 10, 2018


New Wi-Fi Attack Cracks WPA2 Passwords With Ease*:

A new way to compromise the WPA/WPA2 security protocols has been accidentally discovered by a researcher investigating the new WPA3 standard.

The attack technique can be used to compromise WPA/WPA2-secured routers and crack Wi-Fi passwords which have Pairwise Master Key Identifiers (PMKID) features enabled.

Security researcher and developer of the Hashcat password cracking tool Jens "Atom" Steube made the discovery and shared the findings on the Hashcat forum earlier this month.

At the time, Steube was investigating ways to attack the new WPA3 security standard. Announced in January by industry body the Wi-Fi Alliance, WPA3 is the latest refresh of the Wi-Fi standard.

WPA3 aims to enhance user protection, especially when it comes to open Wi-Fi networks and hotspots commonly found in public spaces, bars, and coffee shops. The new standard will utilize individualized data encryption to scramble connections – as well as new protections against brute-force attempts to crack passwords.

However, the aging WPA2 standard has no such protection.

Currently, the most popular method to attack is to wait until a user connects to Wi-Fi, wait for the four-way authentication handshake to take place, and capture this information in order to brute-force the password in use.

The new technique, however, is performed on the Robust Security Network Information Element (RSN IE) of a single EAPOL frame.

The attack is clientless and does not require regular users to be involved at any stage. Information gathered is translated in regular hex encoded strings, which means that no special translation or output formats will thwart attackers or cause delays.

If a Wi-Fi network is compromised through the technique, cyber-attackers may be able to steal pre-shared login passwords, eavesdrop on communications and perform Man-in-The-Middle (MiTM) attacks.

WPA3 is due to be released en masse this year, and once the protocol becomes firmly established, it will be far harder across the board for cyber-attackers to compromise Wi-FI systems in order to extract passwords.

The attack will not work against WPA3, as it will be "much harder to attack because of its modern key establishment protocol," and the use of "Simultaneous Authentication of Equals" (SAE).

*Source: ZDNet, August 08, 2018


Leaked GitHub API Token Exposed Homebrew Software Repositories*:

A GitHub API token leaked from Homebrew’s Jenkins provided a security researcher with access to core Homebrew software repositories.

Around since 2009, Homebrew is a free and open-source software package management system that is integrated with command line and which allows for simple installation of software on macOS machines.

On July 31, 2018, security researcher Eric Holmes discovered that an exposed token provided him with commit access to Homebrew/brew, Homebrew/homebrew-core, and Homebrew/ repositories.

With hundreds of thousands of people using Homebrew, the potential impact of the compromise was disastrous.

By modifying a highly popular package, such as openssl, the researcher could have pushed the malicious code directly to a large number of users.

The issue, which was addressed the same day that it was discovered, did not result in compromised packages.

The exposed token had elevated scopes, but the GitHub Support team has verified that it hasn’t been used to perform any pushes to Homebrew/brew or Homebrew/homebrew-core.

Within a few hours the credentials had been revoked, replaced and sanitised within Jenkins so they would not be revealed in future. Homebrew/brew and Homebrew/homebrew-core were updated so non-administrators on those repositories cannot push directly to master.

In addition to enabling branch protection and requiring reviews on additional repositories, the Homebrew team also required all maintainers to review and prune their personal access tokens and disable SMS fall back for 2FA.

*Source: Security Week, August 09, 2018


RiskRecon Raises $25 million to Grow Third-Party Cyber Risk Management Business*:

Salk Lake City-based RiskRecon, which offers solutions to help companies manage third-party cyber risk, has raised $25 million in Series B financing, the company announced Wednesday.

The Series B round brings the total amount raised by RiskRecon to more than $40 million.

RiskRecon helps its customers control third-party risk by providing assessments of each third-party’s security practices, which can be used to establish a base level of trust and identify specific areas for further discussion and investigation.

The company, which has nearly tripled its customer base in the last twelve months, says the additional funding will be used to support increasing demand for its third-party cyber risk management solutions.

Conducting thorough due diligence on a prospective vendor’s security is essential.

*Source: Security Week, August 08, 2018


New G Suite Alerts Provide Visibility Into Suspicious User Activity*:

After bringing alerts on state-sponsored attacks to G Suite last week, Google is now also providing administrators with increased visibility into user behaviour to help identify suspicious activity.

Courtesy of newly introduced reports, G Suite administrators can keep an eye on account actions that seem suspicious and can also choose to receive alerts when critical actions are performed.

Admins can set alerts for password changes, and can also receive warnings when users enable or disable two-step verification or when they change account recovery information such as phone number, security questions, and recovery email.

By providing admins with visibility into these actions, Google aims at making it easier to identify suspicious account behavior and detect when user accounts may have been compromised.

Should an admin notice that a user has changed both the password and the password recovery info, which could be a sign that the account has been hijacked, they can leverage the reports to track time and IP address and determine if the change indeed seems suspicious.

Based on the findings, the G Suite administrator could then take the appropriate action to mitigate the issue and restore the user account, such as password reset and disable 2-step verification.

Admins can also use the new reports to gain visibility into an organization's security initiatives, such as the monitoring of domain-wide initiative to increase the adoption of two-step verification.

The new capabilities are set to gradually roll out to all G Suite editions and should become available to all customers within the next two weeks.

*Source: Security Week, August 09, 2018


Get in Touch With Us!

Are you interested in receiving more information about our products? Do you have questions about sensitive data security? Would you like a demo? Complete the details below and one of our specialists will get in touch with you.

We love to help our customers solve their data security problems. Please tell us about what you are trying to accomplish, details about your environment, and any other information that will help us understand your needs better.

scroll top