Greeting from Felix
Shift Security Left #14
Security constantly provides opportunities for intellectual challenges and adventures. You know, Shift Security Left was launched just half a year ago, and we have covered so many topics since then!
Today, while riding this never-stopping merry-go-round of security amusements, we'll take a look at banking trojans on Android, fuzzing hardware, cybersecurity in wartime, extracting sensitive information from Django through a side channel, and digging for encryption and data inside UK rail e-tickets.
And to mark the milestone, I'd appreciate it if you could spare 1 minute to answer this short survey so I can improve Shift Security Left and make it more useful to you. :)
Enjoy the read, and keep security reliable.
News
Cybersecurity in wartime: how Ukraine's infosec community is coping
Wartime threats force Ukrainian cybersecurity experts to learn faster. But even when the risks and threats differ greatly from "normal" life and textbook examples, security and usability still must be balanced. Read the article by Andrada Fiscutean about the challenges the Cossack Labs team and our colleagues from other companies are facing, along with the many new discoveries they have made about securing what matters.
Real world
What will it take?
Bruce Schneier raises a question: what will it take for policymakers to take cybersecurity seriously? Should it be something catastrophic, with large-scale loss of life or property damage? Or maybe engineers can help facilitate a change in attitude by providing systems that can defend themselves against bad actors, secure IoT systems, and systems that can reestablish security after a breach? Drop Bruce a line on his blog if you have a good idea :)
In the meantime, while we have the power to create secure and reliable systems, we should do so.
AppSec
Vultur, with a V for VNC
Android banking Trojans usually rely on an HTML overlay strategy, but here comes Vultur. This VNC-based RAT malware simply records what is shown on the user's screen and harvests login credentials in an automated and scalable way. That can be a real inconvenience.
According to news reports, as of November 2022 Vultur had reached a total of more than 100,000 downloads on the Google Play Store. It targeted WhatsApp Messenger, TikTok, Facebook, Facebook Messenger and Facebook Lite, as well as many banking apps and cryptocurrency wallets. The ThreatFabric team investigates who is behind the trojan.
P.S. For a better understanding of how Android overlay attacks work and how to counter them, dive into WithSecure™ Labs' post.
Hardware security
Evaluating IoT firmware through emulation and fuzzing
Fuzzing is a popular technique for uncovering memory corruption bugs and hangs in software products. Fuzzing also benefits embedded systems and IoT firmware because it automates the generation of potentially malformed input data.
How does it work? In his article, Sergio García uses a Netgear R7000 to show how fuzzing combined with emulation and dynamic instrumentation helps evaluate the security of smart devices.
Vulnerabilities
Reversing UK mobile rail tickets
Have you ever wondered what's written in your mobile rail tickets? Eta from London decided to look into UK e-tickets and satisfy your curiosity for you. She explored the UIC barcode, then found an Android app used by UK inspectors to decode e-tickets and decompiled it. Later, she moved on to decompiling another inspector app on iOS. All these steps are now documented in detail in an interesting writeup.
Disclosing information with a side-channel in Django
Little-known vulnerabilities are yummy. Here's one for the fans of the Django framework: the Sonar team discovered a way to trick the framework into disclosing sensitive information by manipulating how data is sorted before it is displayed in the interface. Dennis Brinkrolf gives lots of technical details on the vulnerable variable resolution logic in the dictsort filter of Django templates.
P.S.
Make your code better: swear (but not by the moon)! ;)