Security News | 安全資訊 (2016-01-18)

Android

• Insecurity Cameras and Mobile Apps: Surveillance or Exposure?
• Keyboard or Keylogger?: a security analysis of third-party keyboards on Android (Research Paper)
• See other papers in NDSS 2016 conference section.
• Android.Bankosy: All ears on voice call-based 2FA

iOS/OS X

• SMSNinja: SMSNinja is a lightweight but highly efficient firewall for blocking and hiding SMS, MMS, iMessages, phone calls and FaceTime on stock Phone and Message Apps.

Linux

• From SMM to userland in a few bytes

Web

• Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised
• web-malware-collection
• Google Chrome - Javascript Execution Via Default Search Engines
  • Video Example: https://www.youtube.com/watch?v=WoF-LkA6fMk
  • Walkthrough: https://metalkey.github.io/google-chrome-search-poison—default-search-engine-exploit.html
• Attacking HTTP/2 Implementations
• Buffer(number) is unsafe: a security issue in nodejs, there are deep discussions about the causes
• A Simple Bug On Facebook That Is Worth $8000: $8000!
• XSS Flaws lead to Keylogging,Webcams, & more

MS-related

• Microsoft Security Bulletin MS16-007 - Important
• DLL Injection Part 1: SetWindowsHookEx, DLL Injection Part 2: CreateRemoteThread and More
• WINDOWS REGISTRY AUDITING CHEAT SHEET - Win 7/Win 2008 or later
• AuthentiShellcode Pops Calc From Authenticode block Signature Checks Out vie Sigcheck.exe
• The Mysterious Case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day
• Triaging the exploitability of IE/EDGE crashes
• The Mysterious Case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day
• Heap corruption buffer underflow in devenum.dll!DeviceMoniker::Load(): There exists a buffer underflow vulnerability in devenum.dll!DeviceMoniker::Load when attempting to null terminate a user supplied string. The function as it exists on Windows 7 x86 is implemented as follows:
• Internet Explorer 11.0.9600.18124 EdUtil::GetCommonAncestorElement - Denial of Service: Internet Explorer
• Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll
• 15 Dec Analysis of CVE-2016-0035, A Remote Code Execution in Microsoft Office Excel

Malware

• Unmasking Malfunctioning Malicious Documents
• Dealing With Script Kiddies – Cryptear.B Incident

Network

• SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7
• The DGA in Alureon/DNSChanger
• Exploring Peer to Peer Botnets
• Step-By-Step: Using AutoFocus API and Postman for Automation
• Flexible, secure SSH with DNSSEC
• HTTP Evasions Explained - Part 9 - How To Fix Inspection
• Benchmarking Windows Packet-Capture Methods

Tool

• hidden-tear: an open source ransomware-like file crypter kit
• Using IDAPython to Make Your Life Easier: Part 5: Yes, it's part 5, you can find previous tutorials. It's worth reading.
• powercat: Netcat: The powershell version. (Powershell Version 2 and Later Supported). Writeup
• afl-fuzz-js
• BSQLinjector - Blind SQL Injection Exploitation Tool
• 20 Popular Wireless Hacking Tools [updated for 2016]
• Enoki: Wrapper class for IDAPython. Regroups various useful functions for reverse engineering of binaries.
• lostpass
• Custom made versatile autonomous MiTM WiFi box v1.0
• scapy: Python-based interactive packet manipulation program & library http://www.secdev.org/projects/scapy/
• foolav
• DAMN VULNERABLE ROUTER FIRMWARE

App

• Adobe Acrobat Reader DC Search Query Use-After-Free Remote Code Execution Vulnerability
• Adobe Reader Graphics State Parameter Dictionary Double Free Remote Code Execution Vulnerability
• Adobe Reader DC AGM Use-After-Free Remote Code Execution Vulnerability

IoT

• Turning a Webcam Into a Backdoor

Misc

• Clang Hardening Cheat Sheet
• FingerTec Biometric Access Control Devices - Remote Code Exec and Remote Enrollment
• Java 反序列化 (Chinese)
• Hijacking Verizon FiOS Accounts
• no more downgrades: protecing TLS from legacy crypto
• TrendMicro node.js HTTP server listening on localhost can execute commands
• A Case Study of Information Stealers: Part II
• Devil in a Box: Installing Backdoors in Electronic Door Locks (Research Paper)
• How email in transit can be intercepted using DNS hijacking
• On SMS logins: an example from Telegram in Iran
• Manage Engine Applications Manager 12 Multiple Vulnerabilities
• Open Course: Malware Analysis - CSCI 4976
• Roaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778: a comprehensive advisory for recent OpenSSH vulnerabilities.
• FFmpeg: stealing local files with HLS+concat
• backdoor in IRC code: There's a backdoor in the IRC code of lucky7coin that gives the attacker the ability to run arbitrary commands on the victim's host. And same backdoor in torcoin.
• Introduction to DFIR: Worth reading.
• A type-safe and zero-allocation library for reading and navigating ELF files
• Get the 2015 Incident Detection & Response Survey Results!
• Exploiting Trade-offs* in Symbolic Execution for Identifying Security Bugs
• VxWorks Fuzzing 之道：VxWorks工控实时操作系统漏洞挖掘调试与利用揭秘 (Chinese)

Conference

• Online Security Conferences
• NDSS 2016
  • Going Native: Using a Large-Scale Analysis of Android Apps to Create a Practical Native-Code Sandboxing Policy
  • Life after App Uninstallation: Are the Data Still Alive? Data Residue Attacks on Android
  • Automatically Evading Classifiers A Case Study on PDF Malware Classifiers
  • VISIBLE: Video-Assisted Keystroke Inference from Tablet Backside Motion

Source

The resources are collected in various sources such as blog feeds, Twitter and Weibo. Here, I list some of my personally favorite sources.

• Security feeds in my subscriptions, download OPML
• Security guys in my Twitter following.
  • Tweets of @binitamshah
• Security guys in my Weibo following.
  • 每日安全动态推送 from Weibo @腾讯玄武实验室 (Chinese)