This past week in AppSec we’ve seen more of the same with some new twists: Snapchat, perhaps unsurprisingly, got hacked after neglecting vital vulnerabilities, Cryptolocker has spawned a new demon, the Syrian Electronic Army went after Skype and the NSA is (also unsurprisingly) trying to build a quantum computer that could decrypt anything.
Take a few minutes to catch up on all you may have missed through those New Year's hangovers!
A new Leadership Poll released by Defense News on Monday finds that nearly half of the nation's top security leaders, including DoD civilians, military officers and leaders in other sectors, rank cyberwarfare as today's top threat.
Interesting to note that both Democrats and Republicans agreed on Cyberterrorism as the nation’s biggest threat in 2014, but diverged on the second most important (Republicans chose terrorism while Democrats voted climate change). Over 350 senior leaders in different defense sectors responded to the poll in late November.
Read the full report here.
Netherlands-based security firm Fox-IT has spotted compromised ads served on yahoo.com since the end of December. After injecting IFRAMEs into the advertisements, the attackers used a Java exploit to deliver several pieces of malware, including Andromeda and Zeus. Apparently, victims didn't need to click on the ads to be infected; any computer running the vulnerable Java version would have been exposed to the malware.
Infected computers have been located in Romania, the UK and France. Fox-IT estimated that the malware may have infected up to 2.5 million computers in those areas. Anyone who may have visited a Yahoo site while running an older version of Java is advised to scan their computer with an anti-virus product to check whether they've been affected.
Read more about the malware on Fox-IT’s blog.
This week, the Washington Post reported on a leaked document alleging that the National Security Agency is in a race to build a quantum computer that could break almost every kind of encryption protecting all sorts of government, medical, banking and other records, globally.
The project is part of a nearly $80 million research program the NSA calls "Penetrating Hard Targets". That name is something of an understatement considering what a breakthrough a quantum computer capable of quickly breaking 1,024-bit encryption would be. The E.U. and Switzerland have apparently been catching up to the USA in quantum computing, and the report indicates the NSA is trying to keep that from happening.
A quantum computer in the hands of something like the NSA is just a bit terrifying, depending on who you speak with, we guess. The Post reported that “some leading Internet companies are moving to 2,048-bit keys, but even those are thought to be vulnerable to rapid decryption with a quantum computer.” Yikes.
Read more at The Post.
Last week we told you that a security firm had published two exploits it discovered in the Snapchat API. This week, hackers used the exploits to extract 4.6 million of the photo-sharing app's usernames and partial phone numbers, releasing a database online for download. Snapchat had this to say about the incident, posted on their blog:
We acknowledged last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Year’s Eve, an attacker released a database of partially redacted phone numbers and usernames…We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns.
The post went on to add that Snapchat would be releasing an updated version of their app and that they’re “dedicated to preventing abuse.” Let’s hope they’re a little more careful next time security researchers do reach out with security concerns, especially considering they’ve already turned down multi-billion deals with Facebook and Google.
Read everything Snapchat had to say on their blog.
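As an added illustration (not Snapchat's code, and not from the page), here is a toy contact-matching endpoint with the two controls this incident points to: a per-client budget on how many numbers may be submitted, and a check on how many submitted numbers actually match, since random numbers rarely correspond to real accounts. The directory, thresholds and client ids are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample directory: phone number -> username (assumption, not real data).
USER_DIRECTORY = {
    "+15550100001": "alice",
    "+15550100002": "bob",
    "+15550100003": "carol",
}

MAX_LOOKUPS_PER_CLIENT = 500        # total numbers one client may submit (assumed budget)
MIN_MATCH_RATE = 0.05               # below this share of hits, treat as enumeration
MIN_SAMPLE_BEFORE_RATE_CHECK = 100  # don't judge the rate on tiny samples


class FindFriends:
    """Toy 'find friends' service: matches submitted numbers against the directory
    while counting per-client volume and hit rate (counters kept in memory here;
    a real deployment would use a shared store keyed by authenticated client)."""

    def __init__(self, directory):
        self.directory = directory
        self.submitted = defaultdict(int)  # client_id -> numbers submitted so far
        self.matched = defaultdict(int)    # client_id -> numbers that matched
        self.blocked = set()

    def match(self, client_id, phone_numbers):
        """Return {phone: username} for numbers that exist; raise PermissionError
        when the client is blocked, over budget, or behaving like a scraper."""
        if client_id in self.blocked:
            raise PermissionError("client blocked")
        if self.submitted[client_id] + len(phone_numbers) > MAX_LOOKUPS_PER_CLIENT:
            raise PermissionError("lookup budget exceeded")
        hits = {p: self.directory[p] for p in phone_numbers if p in self.directory}
        self.submitted[client_id] += len(phone_numbers)
        self.matched[client_id] += len(hits)
        total = self.submitted[client_id]
        # Random-number enumeration produces a very low hit rate; block and withhold results.
        if total >= MIN_SAMPLE_BEFORE_RATE_CHECK and self.matched[client_id] / total < MIN_MATCH_RATE:
            self.blocked.add(client_id)
            raise PermissionError("match rate too low")
        return hits

    def try_match(self, client_id, phone_numbers):
        """Convenience wrapper: the hits dict on success, or 'denied: <reason>'."""
        try:
            return self.match(client_id, phone_numbers)
        except PermissionError as exc:
            return "denied: %s" % exc
```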
Skype was the subject of a Syrian Electronic Army (SEA) attack on its Twitter account and blog on the 1st of January, making it the first hack of the year. 'Tis the season, we guess. The hackers posted a few tweets on Skype's main account: "Stop Spying on People! via Syrian Electronic Army," as well as "Don't use Microsoft emails (Hotmail, Outlook), They are monitoring your accounts and selling it to the governments. More details soon. #SEA"
The new messages are possible responses to recent allegations that the NSA is monitoring the emails of foreigners and US citizens, and may indicate new motivation behind the attacks. The SEA, which conducts its attacks in support of the Syrian president, Bashar al-Assad, has hit numerous media and communication outlets previously. Previous major take-downs include The New York Times, LinkedIn, the Associated Press, Skype competitor Viber and even Twitter. Skype acknowledged the hack and informed users that no user information was compromised.
Read more from ZDNet.
The CryptoLocker malware has apparently been 'upgraded' and can now spread via USB drives. Security firm TrendLabs published a blog post last week documenting its findings on what it calls WORM_CRILOCK.A. The researchers added that the newly detected malware differs from other ransomware variants because it spreads through peer-to-peer (P2P) file-sharing sites posing as an activator for popular software like Photoshop and Microsoft Office. The post recommends avoiding such P2P sites when looking to download software and always purchasing directly from the vendor or from reputable sites.
Read more about the new CryptoLocker variant here.