#CyberSecurityPulse: The Transparent Resolution of Vulnerabilities Is Everyone’s Business

ElevenPaths    9 January, 2018

The new year has started with a story that has made the front pages of specialized and general media all around the world. The vulnerabilities named Meltdown and Spectre have shown that even things we took for granted, such as the architecture of the hardware on which almost all of our systems run, may have to be reinvented. In the future, failures of this type should be prevented by new hardware designs, but until those new systems reach the market it is necessary to find contingency software solutions that mitigate the problem in the meantime.

The different operating system vendors have tried to deal with a vulnerability that was reported to several operating system security teams on November 9, 2017. In fact, the proofs of concept included in the Meltdown paper were made on Firefox 56, which was the current stable version until the arrival of Firefox Quantum (version 57) on November 14 of that same month. According to the managers of Canonical, the company responsible for the development and maintenance of Ubuntu, this date is important given that it was used on November 20 as a reference to establish a consensus on January 9, 2018 as the date for the publication of the details of the vulnerability by its authors.

This period of “responsible disclosure” is common in the resolution of vulnerabilities. Its objective is to guarantee that the development teams of the affected products (in this case, practically all the systems we use, from Windows to macOS through all types of Linux or Android-based systems) have a prudent period to study the problem and to develop and test the necessary patches. It is true that this scheme places some people in an advantageous position, since they will be informed of the existence of security flaws earlier than anyone else and could exploit this information beforehand. However, this is a necessary toll to pay to ensure that the identification of security issues is both properly credited and quickly patched by the time it is published.

For this reason, transparent and diligent action by the people who have access to this information is both necessary and demandable. Regardless of whether the reasons for bringing forward the agreed publication date were justified or not (if the fear was a possible loss of authorship, the papers could have been timestamped in any public blockchain, for example), we have to be clear about our priorities: problems must be reported with enough time to be fixed within reasonable periods, because, unfortunately, there may not be a second chance to protect our systems.

Top Stories

Spear Phishing Attacks Already Targeting Pyeongchang Olympic Games

Security researchers from McAfee reported that hackers are already targeting the Pyeongchang Olympic Games: many organizations associated with the event have received spear phishing messages. The campaign began on December 22, with attackers using spoofed messages that pretend to come from South Korea’s National Counter-Terrorism Center. The analysis revealed that the email was sent from an address in Singapore and referred to alleged antiterror drills in the region in preparation for the Olympic Games. Attackers attempt to trick victims into opening a document in Korean titled “Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics.”

More information at McAfee

Iran Infy Group May Attempt To Target Protesters and Their Foreign Contacts

According to cybersecurity firms and researchers, a nation-state actor called Infy is intensifying its attacks against anyone who is in contact with protesters. The Infy malware was first submitted to VirusTotal in August 2007, while the C&C domain used by the oldest sample spotted by the experts has been associated with a malicious campaign dating back to December 2004. The malware has evolved over the years; the authors improved it by implementing new features such as support for the Microsoft Edge web browser, which was introduced in version 30. Unlike other Iranian nation-state actors, who target foreign organizations, the Infy group appears focused on opponents and dissidents.

More information at Palo Alto

Rest of the Week’s News

CoffeeMiner: Hacking WiFi Networks To Mine Cryptocurrencies

A developer named Arnau has published a proof-of-concept project dubbed CoffeeMiner for hacking public Wi-Fi networks to inject crypto-mining code into connected browsing sessions, an ingenious method to rapidly monetize illegal efforts. Arnau explained how to mount a Man-In-The-Middle attack to inject JavaScript into the HTML pages accessed by the connected users. In this way, all the devices connected to the Wi-Fi network are forced to mine a cryptocurrency.

More information at Security Affairs

Critical Flaw Reported In phpMyAdmin Lets Attackers Damage Databases

A critical security vulnerability has been reported in phpMyAdmin, one of the most popular applications for managing MySQL databases, which could allow remote attackers to perform dangerous database operations just by tricking administrators into clicking a link. Discovered by an Indian security researcher, Ashutosh Barot, the vulnerability is a cross-site request forgery (CSRF) flaw and affects phpMyAdmin versions 4.7.x (prior to 4.7.7).

More information at The Hacker News

Critical Unpatched Flaws Disclosed In Western Digital ‘My Cloud’ Storage Devices

Security researchers have discovered several severe vulnerabilities and a secret hard-coded backdoor in Western Digital’s My Cloud NAS devices that could allow remote attackers to gain unrestricted root access to the device. The device not only lets users share files on a home network; its private cloud feature also allows them to access their data from anywhere at any time.

More information at Gulftech

Further Reading

Hundreds of GPS Location Tracking Services Leaving User Data Open to Hackers

More information at The Hacker News

PyCryptoMiner Botnet, a New Crypto-Miner Botnet Spreads Over SSH

More information at Security Affairs

Member of Lurk Gang Admits Creation of WannaCry for Intelligence Agencies

More information at Security Affairs
