WatchGuard Security Week in Review: Episode 51 – Flash 0day

Flash Exploit, ICS Hacks, and Federal Reserve Bank Breach

We’ve had another busy week of security news, with more stories than I can cover in a short video, so I’ll stick to the highlights. Today’s episode talks about a couple of Adobe Flash zero-day vulnerabilities, the latest Anonymous hijinks, some cross-platform mobile malware, and more. If you missed this week’s InfoSec news and want to learn about the biggest stories (including how to defend against the latest attacks), click the play button below. Also, check out the Reference section for links to some other interesting security stories I skipped.

Enjoy your weekend, and stay frosty out there.

(Episode Runtime: 8:03)

Direct YouTube Link: http://www.youtube.com/watch?v=B6YdI3NGwlg

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

3 Responses to “WatchGuard Security Week in Review: Episode 51 – Flash 0day”

  1. f.bini@ecoelettronica.it Reply February 9, 2013 at 2:12 am

    W
    Fabio Bini
    Eco Elettronica S.I. srl

  2. Two news items were most interesting for me: the “Lucky 13” attack on SSL/TLS encryption, and the malware which combines spyware for Android and spyware for Windows.
    1. As for “Lucky 13”, it should be noted that in spite of the high complexity and the many “if” conditions that must be met for the attack to be successful, products from Opera Software and Offspark B.V. (PolarSSL) have already been patched. Besides, OpenSSL is expected to issue patches soon. So it was taken seriously, in spite of the high complexity. The OpenSSL engine serves as an OEM technology for a huge number of commercial products.
    To dig deeper into it, I’ve downloaded “TLStiming.pdf” (PoC for this method). I will study it more closely from a theoretical point of view.
    2. About the new Android-Windows spyware: it’s W-O-W! It is very sad that malware like this can be placed and distributed through Google Play… I can classify the abilities of this particular malware as innovative, and this is the first known “Mobile Phone–>PC bridge spyware soft”.

    • Hey Alexander,

      I think you are right about Lucky 13. While I still suspect that few attackers will leverage it in the real world, vendors, like OpenSSL and others, MUST take SSL/TLS vulns very seriously, since our entire eCommerce paradigm relies on them. Without SSL, we’d have many issues… Meanwhile, it seems researchers are finding chinks in SSL’s armor every month… and that doesn’t even take into account all the cert issues various CAs have been having (somewhat related to SSL, since we rely on the certs for authentication). So I definitely expect all the SSL providers to patch, and take this seriously.

      Yeah… I like that Google is more open about development, and doesn’t restrict their SDK and APIs as much as Apple. However, their open marketplace means more trojaned malware. They have implemented “Bouncer,” which is supposed to help discover malicious apps, but researchers have already found ways around it. The good news about the Droidcleaner malware’s PC portion is if you disable “Auto-Play” on your Windows computer, it shouldn’t be able to spread. In any case, more and more malware is becoming cross-platform (PC + OS X, or Mobile + normal OS), so I suspect we’ll see more of this in the future.

      Thanks for your comments, Alexander, they are always insightful.

      Cheers,
      Corey
