The Sochi Hacking Scare Take-Down & The Rest of the Week's Best


This week, NBC got called out for a more than slightly exaggerated report of hacking in Sochi (hint: they weren’t even in Sochi); Snapchat got hit with another vulnerability report; Target was hacked via their A/C and heating contractors; and more. Here’s a short n’ sweet version of the week’s news you may have missed.

NBC Called Out On Report of Hacking in Sochi

On Wednesday, NBC reporter Richard Engel gave a shocking report of the hacking horrors in Sochi, giving the now-famous statement “we got before we even finished our coffee.” Since the news update, NBC and Engel have both faced a fair amount of backlash from security experts taking down the report. It turns out (further evidenced in this video) that Engel and his team ignored warnings and intentionally downloaded malicious apps and software. That’s only one of the offenses, and Robert Graham has the most to say about it, as he laid out on his blog:

    1. They aren’t in Sochi, but in Moscow, 1007 miles away.
    2. The “hack” happens because of the websites they visit (Olympic themed websites), not their physical location. The results would’ve been the same in America.
    3. The phone didn’t “get” hacked; Richard Engel initiated the download of a hostile Android app onto his phone. [update here], and he had to disable the security on the phone to do it.

Graham continued, saying the only reason you’d be more vulnerable to hacking in Russia was that Google would feed you more shady Russian sites due to your geolocation. NathanKP, a commenter on Hacker News, put it best:

“The devices were hacked, not because Sochi is especially dangerous, but because of pure stupidity. Nothing can help you if you deliberately ignore warnings, and deliberately install Trojan horse malware.”

The lesson here for NBC and all media: Hackers do NOT appreciate sensationalizing hacking.

Read Robert Graham’s full take-down here.

Target Hackers Breached Network Via HVAC Co.

Well, this one came out of left field. This week it was reported that the Target hackers were able to get in with the help of network credentials issued to the company’s HVAC contractor in Pennsylvania. It’s still unclear how the hackers got hold of the credentials – or why an HVAC company’s login could reach the payment processing system at all. It raises the question of segmentation: how the different areas of an enterprise network are kept apart from each other.

The company, Fazio Mechanical, released a statement affirming that it is just another victim of the breach, although due to the ongoing investigation it can’t comment much further. It said it is in full compliance with industry standards and that Target was its only customer affected by the incident.

As Brian Krebs reported, it’s still unclear whether or not Target will face charges for failing to adhere to PCI standards, but the bill on this breach is already pretty high. Gartner fraud analyst Avivah Litan estimates that they could be facing losses of up to $420 million when all is said and done, including “reimbursement associated with banks recovering the costs of reissuing millions of cards; fines from the card brands for PCI non-compliance; and direct Target customer service costs, including legal fees and credit monitoring for tens of millions of customers impacted by the breach.”

Read the full post on Krebs on Security.

Small Victory for Security: GOTCHA is SO the New CAPTCHA

In the midst of all the security blunders, a work of security beauty: a group of researchers from Carnegie Mellon University has developed an answer to the crackable CAPTCHA system. The CAPTCHA was created in 2000 as a way to fight bot-generated spam by requiring the user to decipher a distorted message that computers can’t read. The CAPTCHA was great, but where there’s a will, there’s a way, and there was certainly a strong will to hack a CAPTCHA. Hackers have cracked the CAPTCHA system in a variety of ways, and it is simply no longer up to security standards. That’s where the GOTCHA comes in.

An example of a GOTCHA test.

The researchers designed GOTCHAs (Generating panoptic Turing Tests to Tell Computers and Humans Apart) as a way to prevent “automated offline dictionary attacks against user selected passwords,” using inkblots instead of the typical distorted letters. The user’s password is used to generate multi-colored inkblots, which are shown in random order. The user describes each inkblot with a phrase; the phrases are stored in random order alongside the password. To sign in, a user has to enter their password and then match each inkblot shown to their own description of it. The matching is where hackers are deterred – an attacker would need to know the user’s password and also correctly match whatever inkblots are shown. The complexity of the inkblots means that matching them requires a human. The GOTCHA thus bolsters password security while also cutting down on spambot activity.
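To make the enrollment and sign-in flow concrete, here is a simplified model written for this post (it is not the CMU team’s code). Inkblot images are replaced by password-derived seeds that would drive their rendering; the label storage, permutation check and the resulting offline guessing cost are the part that matters. Function names, the PBKDF2 derivation and the hash layout are assumptions.

```python
import hashlib
import hmac
import math
import os
import secrets

# Simplified model of the GOTCHA flow described above, written for this page
# (not the CMU implementation). Inkblot images are stood in for by the
# password-derived seeds that would render them; labels are the user's phrases.

def derive_inkblot_seeds(password: str, salt: bytes, count: int) -> list:
    """One rendering seed per inkblot, derived from the password (assumption:
    the real system renders the blots from password-derived randomness)."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return [hmac.new(key, bytes([i]), "sha256").hexdigest() for i in range(count)]

def _verifier(salt: bytes, password: str, matching: list) -> str:
    """Hash binding the password to the inkblot-to-label matching."""
    return hashlib.sha256(salt + password.encode() + bytes(matching)).hexdigest()

def enroll(password: str, labels: list) -> dict:
    """labels[i] is the user's phrase for inkblot i. The server keeps the labels
    in a random order plus a verifier; the true order is never stored."""
    n = len(labels)
    salt = os.urandom(16)
    order = list(range(n))
    secrets.SystemRandom().shuffle(order)           # slot k holds the label of inkblot order[k]
    matching = [order.index(i) for i in range(n)]   # inkblot i -> its slot
    return {"salt": salt, "labels": [labels[k] for k in order],
            "verifier": _verifier(salt, password, matching)}

def challenge(record: dict, password: str) -> tuple:
    """What the login page shows: inkblots regenerated from the typed password
    next to the shuffled labels. A wrong password yields blots never labelled."""
    seeds = derive_inkblot_seeds(password, record["salt"], len(record["labels"]))
    return seeds, list(record["labels"])

def login(record: dict, password: str, matching: list) -> bool:
    """matching[i] is the label slot the user picks for inkblot i."""
    n = len(record["labels"])
    if sorted(matching) != list(range(n)):          # must be a full permutation
        return False
    return hmac.compare_digest(_verifier(record["salt"], password, matching),
                               record["verifier"])

def offline_guess_space(password_candidates: int, inkblots: int) -> int:
    """Work facing an offline dictionary attacker: every password guess must be
    paired with every possible matching, since only a human can label the blots."""
    return password_candidates * math.factorial(inkblots)
```

With ten inkblots the factor is 10! = 3,628,800 extra candidates per password guess, which is the multiplier the researchers are counting on against offline dictionary attacks.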

The research team has invited other security experts to try their hand at cracking GOTCHAs offline. Read the full report by the CMU team here.

Yet Another Snapchat App Vulnerability

Snapchat has had a rough few months, starting on Christmas when security researchers published over 4.6 million usernames and passwords, which were later used to hack into many of those accounts. This time the flaw allows iPhones to be crashed remotely with a denial-of-service attack.

Jaime Sanchez, a cyber-security consultant with the Spanish telecommunications company Telefonica, described the new attack on his blog. The vulnerability allows an attacker to send someone thousands of Snapchats in seconds, overloading the phone to the point where it may freeze or crash. The root cause is that the security tokens used to authenticate user requests never expire – Sanchez reported that he had been reusing the same token for almost a month to demonstrate the attack. A hacker could abuse the flaw to spam all 4.6 million leaked accounts in under an hour – or just one account in particular.
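An added illustration (not Snapchat’s code) of the two missing controls behind this flaw: a token check that ignores token age beside one that enforces a time-to-live, and a per-token send limiter that caps how many messages one token can push per minute. The key, TTL and send budget are assumed values.

```python
import hashlib
import hmac
from collections import deque

# Illustration written for this page, not Snapchat's code. It models the two
# controls whose absence the post describes: a token that never expires and no
# limit on how fast one token can send. Key, TTL and budget are assumptions.

SERVER_KEY = b"constructed-demo-key"   # constructed; a real key is random and secret
TOKEN_TTL = 24 * 3600                  # assumption: a token is good for one day
MAX_SENDS_PER_MINUTE = 30              # assumption: per-token send budget

def _mac(user: str, issued_at: str) -> str:
    return hmac.new(SERVER_KEY, f"{user}:{issued_at}".encode(), hashlib.sha256).hexdigest()

def issue_token(user: str, issued_at: int) -> str:
    """Token = user:issued_at:HMAC, so the issue time cannot be forged."""
    return f"{user}:{issued_at}:{_mac(user, str(issued_at))}"

def check_token_no_expiry(token: str, now: int) -> bool:
    """The weak check: signature only. A month-old token is accepted exactly
    like a fresh one, which is why one token could be reused for a month."""
    user, issued_at, mac = token.split(":")
    return hmac.compare_digest(mac, _mac(user, issued_at))

def check_token(token: str, now: int) -> bool:
    """Hardened check: valid signature AND issued within TOKEN_TTL of now."""
    user, issued_at, mac = token.split(":")
    if not hmac.compare_digest(mac, _mac(user, issued_at)):
        return False
    return 0 <= now - int(issued_at) <= TOKEN_TTL

class SendLimiter:
    """Sliding one-minute window per token, so even a valid token cannot
    push thousands of snaps at a target in seconds."""
    def __init__(self):
        self.windows = {}
    def allow(self, token: str, now: float) -> bool:
        q = self.windows.setdefault(token, deque())
        while q and now - q[0] >= 60:
            q.popleft()
        if len(q) >= MAX_SENDS_PER_MINUTE:
            return False
        q.append(now)
        return True
```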

The hack only shuts down iPhones (it slows Androids, but not to the point of crashing), but it’s another error in an already glitchy – yet highly praised – mobile app. Snapchat has not responded to questions about the issue, but did take time to block Sanchez’ accounts as well as his VPN’s IP address.

See video of the hack & read Sanchez’ full post here.

Google Expands Bounty Coverage

Google has been plenty generous with its security patch rewards, and its success in surfacing major flaws has probably prompted it to expand the bounty program even further. The company is now including Chrome apps and extensions developed by Google in its reward scope, with rewards ranging from $500 to $10,000.

“We think developing Chrome extensions securely is relatively easy (given our security guidelines are followed), but given that extensions like Hangouts and gmail are widely used, we want to make sure efforts to keep them secure are rewarded accordingly,” wrote Eduardo Vela Nava and Michal Zalewski of the Google Security Team.

In the same post, Vela Nava and Zalewski announced increased reward amounts in Google’s Patch Reward Program for their web apps and Chrome. The program now offers $10,000 for complicated fixes, $5,000 for ‘moderately’ complex patches, $1,337 for modestly complex flaws and $500 as a “one-liner special” for small repairs.

Read the whole post here.
