Security Week 39: An evening of exciting stories about how businesses don't give a damn about security
This time, the news in our digest carries a self-evident moral: many companies do not care about the security of their customers until it causes them direct financial damage. Fortunately, this does not apply to all companies, but this week has been particularly rich in such shameful stories. Less than a week after the new version of macOS was released, Synack researcher Patrick Wardle published a splendid post about High Sierra. It turns out that Keychain, the secure container for credentials, PINs, bank card numbers and other important data, in fact, as of version three, no longer protects anything at all. In other words, Keychain is simply a place from which everything can be stolen at once.
Comrade Wardle said that an application, whether signed or unsigned, can dump the entire contents of the Keychain in clear, unencrypted form. Strictly speaking, applications quite officially have access to the Keychain, but only to their own items; here, it seems, they get everything. An important nuance: the exploit works only with an unlocked Keychain. By default, however, it is unlocked when you log into the system.
Immediately after the publication, Patrick was showered with comments along the lines of "why are you such a bastard, you didn't tell Apple but published it on your blog", and that he simply craves attention. But the poor fellow actually did report it to the company, and even sent a ready-made exploit; the company just brushed him off. The reasoning was remarkable: don't install software from dubious sources, install only from the Mac App Store, and read the security warnings from macOS. This is, in principle, a template response to reports of all locally exploited vulnerabilities: whoever installs dodgy software has only themselves to blame. By the way, Apple's bug bounty program does not cover macOS.
Wardle nevertheless did not publish the exploit and did not even disclose technical details of the vulnerability. But, if you take his word for it, the vulnerability he found greatly expands the capabilities of malware. It is enough to pick up a reasonably capable Trojan somewhere (and there are more and more of them for macOS), and all your credentials and payment data leak into the wrong hands. Not good.
According to the researcher, he tested the vulnerability on High Sierra and Sierra, and sees no reason why it would not also work on El Capitan. You can protect yourself from this at the cost of a little convenience: configure the Keychain to lock, so that a password is requested whenever something tries to access it. And yes, if at all possible, avoid installing applications from untrusted sources.
Dozens of vulnerabilities found in mobile stock-trading applications
News. Research. The words "investor" and "trader" somehow even sound rich. These people do not deal in trifles: to achieve anything at all on the stock exchange, serious money is needed. But the situation on the market changes so quickly that they need the ability to close deals anytime, anywhere. That is, from a mobile phone.
Accordingly, a lot of mobile trading applications have been released. It is clear that their vendors must build security carefully, even to the detriment of convenience, because money is at stake. In reality, everything turned out to be the other way round. Researchers from IOActive took 21 applications from the top of the charts (for both iOS and Android) and found a lot of fun holes in them. Lots of. Up to and including storing passwords in clear text and transmitting data over HTTP. This time the researchers took a responsible approach to disclosure and contacted the 13 brokerage companies that supply these applications. And what do you think? Only two answered. The rest have no time: they have trading to do, and here someone is pestering them with vulnerabilities. Alejandro Hernandez of IOActive expressed his reaction to what happened: "Gentlemen, it seems I am frustrated! I worked as an auditor and I know how tightly the financial sector is regulated. And it's very strange that we encountered such problems."
Deloitte says a cyberattack affected a few customers
News. The "Big Four" of auditors has always been held up as an example of best business practices and policies. It is clear that in cybersecurity it is hard to cushion every possible fall, but in this area there are rules that should not be violated if you do not want to put your clients at risk. And yet here we are: the distinguished Deloitte, one of the pillars of the business community.
According to the Guardian, the company was hacked back in the fall of 2016 and discovered it only in March. Most likely, the attack went through the credentials of the mail server administrator. There was no two-factor authentication: the password was either guessed or tricked out of the admin by some method of social engineering. A leak of Deloitte's mail could be disastrous in its consequences, because in the course of an audit the company handles its customers' most sensitive business data. Deloitte's own reaction, however, is discouraging: the company says the attack did not affect its customers' business, and in general "cybersecurity in the company is provided at the highest level". It sounds like a bad joke, considering that unknown people read their mail for six months and nobody noticed.

Antiquities
ZipEater-1984
Uses a stealth technique when the DOS FindFirst and FindNext functions are called. Very dangerous: it sometimes destroys files for which the sum of the ASCII codes of the three characters of the name extension (for example, for .COM files: 'C' + 'O' + 'M') equals 100h, D6h, F3h, E2h or DFh. Such files include .TXT, .STY, .BAS, .DOC, .ZIP, .EXE and .COM files.
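As an added illustration (not from the book or this digest), here is that extension test reproduced in Python, together with a check of which other common DOS extensions collide with the listed ones under the same byte sum; the target sums come from the description above, and the list of extensions is constructed for the example.

```python
# Added example: ZipEater-1984's extension byte-sum test, as described in
# the quoted passage, used from a defender's side to see which file types
# would be at risk. Extensions are compared in uppercase, as DOS stores them.

# Byte sums the virus looks for (from the description above).
ZIPEATER_TARGET_SUMS = {0x100, 0xD6, 0xF3, 0xE2, 0xDF}


def extension_sum(ext: str) -> int:
    """Sum of the ASCII codes of the extension characters (dot stripped, uppercased)."""
    return sum(ord(ch) for ch in ext.lstrip(".").upper())


def is_zipeater_target(ext: str) -> bool:
    """True if a file with this extension would be hit by the virus's checksum test."""
    return extension_sum(ext) in ZIPEATER_TARGET_SUMS


def collisions(candidates):
    """Group candidate extensions by target sum: the test cannot tell members of a group apart."""
    groups = {}
    for ext in candidates:
        total = extension_sum(ext)
        if total in ZIPEATER_TARGET_SUMS:
            groups.setdefault(total, []).append(ext.lstrip(".").upper())
    return groups


# Constructed sample list of extensions typical for a 1990s DOS machine.
SAMPLE_EXTENSIONS = [".TXT", ".STY", ".BAS", ".DOC", ".ZIP", ".EXE", ".COM",
                     ".SYS", ".BAT", ".OVL", ".BMP", ".LOG", ".GIF", ".ARJ", ".PAS"]

if __name__ == "__main__":
    # .BMP collides with .COM (DFh), .LOG with .EXE (E2h), .GIF with .BAS/.DOC (D6h).
    for total, exts in sorted(collisions(SAMPLE_EXTENSIONS).items()):
        print(f"{total:#05x}: {', '.join(exts)}")
```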
Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992. Page 36.
Disclaimer: This column reflects only the private opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It depends on your luck.