SnapChat Snaffu, Backdoored Routers, and Target Turmoil
Happy New Year, and welcome to the first episode of WatchGuard Security Week in Review for 2014!
If you are new to the show, this is a weekly video podcast dedicated to summarizing the most important Information Security (InfoSec) news, while also sharing security tips and best practices. If you are too busy to follow the always active security industry yourself, this is a great way to catch up at the end of each week.
Today’s episode covers a number of stories from the past three weeks (due to our holiday hiatus), including news of the big Target data breach, info on a SnapChat vulnerability, the latest hacktivist attack, and a story about vulnerabilities in a number of consumer DSL routers. Watch the quick YouTube clip below, and check out the Reference section for more details and links to extra stories.
I hope you have a prosperous and secure year!
(Episode Runtime: 10:07)
Direct YouTube Link: http://www.youtube.com/watch?v=f4rsOzekEjQ
Episode References:
- Target Breach:
- Target suffers PoS system breach (affects physical stores) – Krebs on Security
- Target breach may have been insider attack – CSO Online
- Customer pins stolen during Target breach – Computer World
- SnapChat vulnerability allows 4.6 million phone records to leak – Forbes
- OpenSSL defacement doesn’t affect OpenSSL software – OpenSSL
- Syrian Electronic Army hijacks Skype Social Networks – Network World
- Security researcher finds backdoor in DSL routers using Sercomm – Ars Technica
Extras:
- DERP group DDoS many game related sites, like Steam – T3
- New Cryptolocker copycat is pretty lame – We Live Security
- Latest NSA hacking revelations about ANT – Wired
- Details on old DoE breach [PDF] – Energy.gov
- DGA changer malware makes C&C harder to take down – ThreatPost
- GNUPG security vulnerability – Security World
- Barnaby Jack’s death (pacemaker hacker) was due to drug overdose – The Verge
- Trojan targets WoW gamers – Kotaku
— Corey Nachreiner, CISSP (@SecAdept)
Aldestrawk says
I just saw this website for the first time. Nice and useful summaries, and you clearly elaborated on the details. There is one correction I should mention. Gibson Security did not harvest and publicly release the 4.6 million Snapchat username/phone number pairings. They only disclosed the full details of the Snapchat API and are providing a lookup mechanism to see if a username is part of this particular set. Even though they are Australian, I have to point out that this breach is very similar to the Goatse Security AT&T email/ICCID breach from June 2010. The US government prosecuted Weev in that case, who is currently appealing his conviction and sentence of 3.5 years. Whoever was responsible for this leak could find themselves prosecuted and imprisoned as well, even though the crime seems to be on the part of Snapchat for totally ignoring security and privacy.
Alexander Kushnarev says
Please correct me; my thoughts may be wrong. With the latest stories about the theft of huge amounts of data from magnetic stripes, the technical side of the story is the most important, and unclear…
Getting the full memory dump (track 1 and 2) of a card AND a PIN value (stolen with a hardware skimmer) can give cyber criminals a way to clone it, create bogus cards and use them. In any case, intercepting PIN data is required for debit transactions. So we are speaking about different implementations: hardware skimmers with chips and specially crafted firmware OR a malware program (to copy, store and send card dumps) and simple “recording and storing PIN” hardware (with camera-like embedded devices). Let’s call it a “skimmer complex”. Why is it so complicated? Because the PVV/PVKI/CVV etc. values can’t be determined easily after reverse engineering the track 1 and 2 data. Don’t forget, the final goal for cyber criminals is to steal money. Besides, don’t forget about “smart chip credit cards” with encryption of data.
With the described cases (including “Target”):
– were cyber criminals able to install hardware parts of the “skimmer complex” on the payment terminals of big stores?
– or did hacked video surveillance systems and compromised servers give them the possibility to record and store PINs (it’s hardly possible, I think)?
– with the lack of technical information, how is it possible to count even the approximate damage BEFORE money is transferred from the stolen cards?
Alexander Kushnarev says
Interesting article about DGA-based malware. I should also add one point, noticed by security researchers: modern implementations of DGA provide botmasters not only with the ability to hide C&C servers in a big “flow” of DNS NXDOMAIN requests and stay invisible to blacklists, but also with the ability to activate C&C servers for a small, limited period of time. For example, C&C servers for the BankPatch and ZeuS botnets were active for no more than 24 hours in a couple of weeks: sending new DGA seeds, uploading stolen data, sending quick-update commands… and then the C&C servers were stopped (just turned off) for the time being.
DGA is a very dangerous technology, and modern research methods for “DGA malware traffic” include a lot of complex statistical methods (mainly to correlate DNS NXDOMAIN traffic to actual malware campaigns).
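The comment above describes the two observable side effects of DGA malware from a defender's point of view: a client generating a burst of NXDOMAIN responses for random-looking names, and, hidden inside that burst, the one or two names that actually resolve while the short-lived C&C server is up. The following Python script is an added example, not code from the commenter, WatchGuard, or the ThreatPost article; it runs a simple per-client NXDOMAIN-ratio and label-entropy detector over a few constructed resolver log lines. The log format ("timestamp client query rcode"), the detection thresholds, and the sample data are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic), in the simplified
# "timestamp client qname rcode" format this example assumes.
# 10.0.0.5 is a normal client with one typo; 10.0.0.9 behaves like a DGA bot
# whose C&C name (rtp5yvkcgml.com) resolves once among many NXDOMAINs.
SAMPLE_DNS_LOG = """\
2014-01-03T10:00:01 10.0.0.5 www.example.com NOERROR
2014-01-03T10:00:02 10.0.0.5 mail.example.com NOERROR
2014-01-03T10:00:03 10.0.0.5 cdn.example.net NOERROR
2014-01-03T10:00:04 10.0.0.5 typo-domainn.com NXDOMAIN
2014-01-03T10:00:05 10.0.0.9 qzkfwxv3ljm.biz NXDOMAIN
2014-01-03T10:00:05 10.0.0.9 p0xhtr8sgwq.info NXDOMAIN
2014-01-03T10:00:06 10.0.0.9 mv7lcbydtxk.net NXDOMAIN
2014-01-03T10:00:06 10.0.0.9 zj4gqnwrfhs.com NXDOMAIN
2014-01-03T10:00:07 10.0.0.9 kx9dtwlbmvq.org NXDOMAIN
2014-01-03T10:00:07 10.0.0.9 hwq2rlpxnzt.biz NXDOMAIN
2014-01-03T10:00:08 10.0.0.9 rtp5yvkcgml.com NOERROR
2014-01-03T10:00:09 10.0.0.9 www.example.com NOERROR
"""


def parse_dns_log(text):
    """Parse 'timestamp client qname rcode' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."),
                        "rcode": rcode.upper()})
    return records


def registrable_label(qname):
    """Second-level label ('qzkfwxv3ljm' for 'qzkfwxv3ljm.biz'); a DGA randomises this part."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def label_entropy(label):
    """Shannon entropy in bits per character; machine-generated labels score near log2(len)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_clients(records, min_queries=5, nx_ratio_threshold=0.5, entropy_threshold=3.0):
    """Per-client NXDOMAIN statistics; for suspect clients, list the resolved
    high-entropy names as candidate C&C domains. Thresholds are illustrative
    assumptions and should be baselined against the local network."""
    per_client = defaultdict(list)
    for r in records:
        per_client[r["client"]].append(r)

    report = {}
    for client, recs in per_client.items():
        nx = [r for r in recs if r["rcode"] == "NXDOMAIN"]
        ratio = len(nx) / len(recs)
        mean_nx_entropy = (sum(label_entropy(registrable_label(r["qname"])) for r in nx) / len(nx)) if nx else 0.0
        suspect = (len(recs) >= min_queries
                   and ratio >= nx_ratio_threshold
                   and mean_nx_entropy >= entropy_threshold)
        candidates = []
        if suspect:
            # The short-lived C&C shows up as the rare random-looking name that resolved.
            candidates = sorted({r["qname"] for r in recs
                                 if r["rcode"] == "NOERROR"
                                 and label_entropy(registrable_label(r["qname"])) >= entropy_threshold})
        report[client] = {"queries": len(recs), "nxdomain": len(nx),
                          "nx_ratio": round(ratio, 2),
                          "mean_nx_entropy": round(mean_nx_entropy, 2),
                          "suspect": suspect, "candidate_c2": candidates}
    return report


if __name__ == "__main__":
    for client, stats in analyze_clients(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, stats)
```

The ratio test catches the NXDOMAIN "flow" the comment mentions, and the entropy test separates it from ordinary typos and expired domains; the candidate list is what an analyst would pivot on to find the briefly active C&C server, which a static blacklist would miss.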