Security Briefing 11.22.16

In this highly technical article, learn how to compromise a Linux desktop using Nintendo Music Files (NSF) due to two separate vulnerabilities and logic errors. Not for the uninitiated.

OPM-Impersonating spam emails distribute Locky ransomware… this is neat, especially since winter is coming and OPM (Office of personnel management, US Gov’t) will be sending out delay/cancellation notices due to inclement weather. Many variations, all spam emails. Macro-enabled office docs, zip’s, JavaScript, WSF, DLL’s. Locky/Odin variants.

Linux vulnerability allows root access to system partition by holding enter for roughly 70 seconds at boot. On x86 Linux variants, a user with physical access at a reboot can hold enter for 70 seconds or enter 93 blank passwords to open a BusyBox shell. This is VERY specific because no two Linux distributions are equal. Some platforms affected include Debian, Ubuntu, and Fedora. This is fixed by updating the cryptsetup package to 2:1.7.3-2, this is not in the stable releases yet.

412,000,000 Adult Friend Finder accounts compromised affects not only current users, but apparently anyone who has ever used AFF or any affiliate in the last 20 years. 125 million accounts had passwords stored in plaintext and the remaining accounts were encrypted with SHA-1, which is relatively weak.

Flaw in OAuth2.0 can be exploited to sign into a victim’s phone via third party apps. Not a whole lot of information other than this is an attacker-owned SSL man-in-the-middle attack proxy using mobile app accounts (think ‘Sign in with Facebook / Google’).

Facebook, Google to increase awareness and decrease the rate at which fake news propagates their sites. Zuckerberg and others have announced that they believe the ‘fake news’ and ‘viral propagation’ of it on respective networks may have influenced voter turnouts in the U.S. Google will soon stop allowing ‘fake news’ sites to run ads on their network.

Another technical article shows how websites can load insecure images on secure pages using iFrames. (think Edge security warning – ‘Only some content is shown – what’s the risk?’)

Britain has approved and ordered the extradition of a U.S. hacker who compromised networks of the Federal Reserve, NASA, and the US Army in 2012-2013. Hacking has real consequences, this is a stark reminder of that.

Facebook accused of buying stolen passwords on the black market after mining leaked data from the 2013 Adobe breach.