Friday Five: 1/05 Edition
Catch up on the week's infosec news with this recap!
Lost in the haze of the Spectre and Meltdown microprocessor flaws disclosed this week was news of a macOS vulnerability that has been present since at least 2002, along with a working exploit for it. The issue, dubbed IOHIDeous and disclosed by self-described "hobbyist hacker" Siguza, sits in IOHIDFamily, a kernel extension that provides an abstract interface to human interface devices such as buttons and touchscreens, and could allow an attacker who already has local access to a Mac to obtain root. A local privilege escalation bug on its own isn't especially damning, but it's yet another in a long line of Apple vulnerabilities (HomeKit, the High Sierra "root" login issue) to surface over the last several months.
Malware authors, whatever the family - banking, mobile, etc. - continually have to add new tricks to adapt and evade detection. The same goes for LockPoS, a point-of-sale (PoS) malware that steals payment card data. The malware surfaced last summer, delivered by the same botnets that were spreading Flokibot, a strain of banking malware. Researchers at Cyberbit this week detailed a new code injection technique recently adopted by LockPoS. According to RetailDive, which recapped Cyberbit's findings, the method, which the researchers call silent malware injection, can bypass the hooks that anti-malware software installs to monitor for process injection.
Google hardened Google Apps Script, a tool that lets developers build web apps and publish add-ons, last fall after researchers found it could be abused. Attackers could have delivered malware via URLs through Apps Script, DarkReading's Kelly Sheridan reported Thursday. "This type of attack is different from phishing and malware distribution via links to Google Drive URLs, which are fairly common. These normally involve sending a Microsoft Office doc, which is enabled to run macros when the user gives permission." In the wake of the discovery, Google blocked installable triggers and customizable events that caused actions to fire automatically. It also blocked simple triggers from presenting custom interfaces in Docs editors in other users' sessions.
Alexander García-Tobar had a worthy op-ed on FCW this week extolling the virtues of proper email hygiene, especially as it pertains to the federal sector: use HTTPS, use STARTTLS, and so on. Near the end of the editorial García-Tobar recaps the DHS binding operational directive (BOD 18-01) issued in October and highlights some expected 2018 fedsec challenges, chief among them getting government domains to implement DMARC properly, with an enforcing p=reject policy, ahead of the October 2018 deadline.
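What "implement DMARC properly" means in practice is a `_dmarc.<domain>` TXT record that reaches `p=reject` at full enforcement, with aggregate reports going somewhere useful. The following checker is an added example written for this recap, not code from the op-ed, FCW or DHS; the domain names and TXT records are constructed stand-ins for what a DNS resolver would return, and the DHS reporting address is the one BOD 18-01 asks agencies to include.

```python
from typing import Dict, List, Optional

# Constructed sample records, keyed by the _dmarc.<domain> label a resolver
# would query. These are made-up domains, not real agency records.
SAMPLE_TXT: Dict[str, str] = {
    "_dmarc.weak.example.gov": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example.gov",
    "_dmarc.partial.example.gov": "v=DMARC1; p=quarantine; pct=50; rua=mailto:reports@dmarc.cyber.dhs.gov",
    "_dmarc.strong.example.gov": (
        "v=DMARC1; p=reject; "
        "rua=mailto:reports@dmarc.cyber.dhs.gov,mailto:dmarc@strong.example.gov"
    ),
}

DHS_RUA = "reports@dmarc.cyber.dhs.gov"  # aggregate-report recipient required by BOD 18-01


def lookup_dmarc(domain: str) -> Optional[str]:
    """Stand-in for a TXT lookup of _dmarc.<domain>; returns None when absent."""
    return SAMPLE_TXT.get(f"_dmarc.{domain}")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a tag dict (tag names lowercased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate trailing ';' and malformed fragments
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return findings against the BOD 18-01 bar; an empty list means compliant."""
    if record is None:
        return ["no _dmarc TXT record published"]
    findings: List[str] = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"policy is p={policy or 'missing'}, BOD 18-01 requires p=reject")
    pct = tags.get("pct", "100")  # DMARC default is 100 when pct is absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} leaves a share of failing mail unenforced")
    rua = tags.get("rua", "")
    if DHS_RUA not in rua:
        findings.append(f"rua does not include mailto:{DHS_RUA}")
    return findings


def check_domain(domain: str) -> List[str]:
    """Look up and assess a domain's DMARC record in one step."""
    return assess_dmarc(lookup_dmarc(domain))


if __name__ == "__main__":
    for name in ("weak.example.gov", "partial.example.gov", "strong.example.gov", "absent.example.gov"):
        print(name, check_domain(name) or ["OK: p=reject at 100% with DHS reporting"])
```

Swap `lookup_dmarc` for a real resolver (for example `dns.resolver.resolve(f"_dmarc.{domain}", "TXT")` from dnspython) to run it against live domains; the assessment logic stays the same.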
Another excellent story lost in the Meltdown/Spectre shuffle this week: multiple vulnerabilities identified in over a hundred online GPS tracking services that harvest geolocation data from devices. We're talking car trackers, pet trackers, even GPS trackers for children. The research, dubbed Trackmageddon, relies on weak passwords, exposed folders, insecure API endpoints, and insecure direct object reference (IDOR) issues. Pieced together, the issues could allow an attacker access to the location data collected by the services. The researchers behind the report recommend users of the affected services either change their password or stop using the devices until the services are fixed.
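The IDOR class of bug in the Trackmageddon write-up is worth seeing in miniature: a location endpoint that looks up whatever device id the client sends, with no check that the logged-in account owns that device. The snippet below is an added example for this recap, not code from the Trackmageddon researchers or any of the affected services; the user names, device ids, coordinates and the in-memory tables are constructed, and a real service would have the same logic behind an HTTP handler and a database.

```python
from typing import Dict, Optional, Set, Tuple

Fix = Tuple[float, float]  # (latitude, longitude)

# Constructed sample data: registered accounts, which account owns which
# tracker, and each tracker's last reported position. Purely hypothetical.
USERS: Set[str] = {"alice", "bob"}
DEVICE_OWNER: Dict[str, str] = {"trk-1001": "alice", "trk-1002": "bob"}
LAST_FIX: Dict[str, Fix] = {
    "trk-1001": (51.5074, -0.1278),
    "trk-1002": (48.8566, 2.3522),
}


class LoginRequired(Exception):
    """Raised when the request carries no valid session."""


def get_location_vulnerable(session_user: str, device_id: str) -> Optional[Fix]:
    """IDOR: authenticates the caller but never checks who owns device_id.

    Any logged-in user can iterate device ids and read every tracker's position.
    """
    if session_user not in USERS:
        raise LoginRequired()
    return LAST_FIX.get(device_id)


def get_location_fixed(session_user: str, device_id: str) -> Optional[Fix]:
    """Resolves ownership server-side before returning anything.

    A device the caller does not own is reported exactly like a device that
    does not exist (None), so the endpoint cannot be used to enumerate ids.
    """
    if session_user not in USERS:
        raise LoginRequired()
    if DEVICE_OWNER.get(device_id) != session_user:
        return None
    return LAST_FIX.get(device_id)


def enumerate_fixes(handler, session_user: str, candidate_ids) -> Dict[str, Fix]:
    """Simulate an attacker walking a range of ids through a given endpoint."""
    found: Dict[str, Fix] = {}
    for device_id in candidate_ids:
        fix = handler(session_user, device_id)
        if fix is not None:
            found[device_id] = fix
    return found


if __name__ == "__main__":
    ids = [f"trk-{n}" for n in range(1000, 1005)]
    print("bob via vulnerable endpoint:", enumerate_fixes(get_location_vulnerable, "bob", ids))
    print("bob via fixed endpoint:     ", enumerate_fixes(get_location_fixed, "bob", ids))
```

The fix is not the extra `if` by itself but where the ownership relation lives: it is looked up from server-side state keyed by the session, never taken from anything the client supplied.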