Downclimb: Summit Route’s Weekly Cyber News Recap
2015.06.21 – 2015.06.28: https://SummitRoute.com
Quotes
“The government is not protecting OUR data commensurate with the security requirements we would demand of a company that holds it like say Target. It’s time to hold the government to the standards that they would like to enforce on companies. Let’s not listen to the marketing leaks by Mandiant and Crowdstrike about the actors and who they may be. What matters is that the data was taken and the reason it was taken was because of poor security and bad management on the part of the federal government. You know, those guys rattling the cyber war sabre lately.” krypt3ia on the OPM hack
“Saying your company/organization/client deals with ‘millions’ of attacks is a great way to instantly lose all tech credibility” Andrew Case
“Did you know that CISO comes from the Greek word for the lamb they slaughter first?” Dino A. Dai Zovi
“Between #Snowden & #OPMhack, America is having a novel experiment in how a major power fares without secrets. Poorly, I expect …” John Schindler
“Don’t make me sudo. You wouldn’t like me when I’m root.” the grugq
“Instead of hiring a senior dev, we can just hire 3 junior devs and put them in a trenchcoat.” Open Source Cupcake
Top stories
Analysis and Exploitation of an ESET Vulnerability
Post from Tavis Ormandy on a vulnerability in the "emulator" of ESET's AV. It is interesting both for what it shows about how AV products use emulators, and for the way they created an emulator, which was done by single-stepping the execution of the sample.
- http://googleprojectzero.blogspot.ca/2015/06/analysis-and-exploitation-of-eset.html
What is a “good” memory corruption vulnerability?
First post in a series from Chris Evans about the robustness of exploits. Many types of exploits, especially when faced with additional mitigations from EMET, will crash the application instead of exploiting it, at least some of the time. This is important for people to understand and was the basis for a product I worked on once (CRAN at Parsons) to detect exploit attempts by analyzing crash dumps. Leviathan has a similar product called Lotan.
- Original post: http://googleprojectzero.blogspot.com/2015/06/what-is-good-memory-corruption.html
- CRAN: http://www.parsons.com/about-parsons/Pages/CRAN.aspx
- Lotan: http://leviathan.st/
A month with BADONIONS
Someone tested authenticating to a test site through 100+K Tor exit nodes, and then monitored to see if the credentials were attempted again. They were, in 12 cases, including two "guard" nodes.
- https://chloe.re/2015/06/20/a-month-with-badonions/
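The canary-credential method described above, as an added example in Python (not code from the BADONIONS post): one unique credential per exit, used once, then any later reuse of the username implicates that exit. The exit fingerprints, secret and login attempts are constructed.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed example, not code from the BADONIONS post. One unique canary
# credential is issued per Tor exit and used exactly once, through that exit,
# against a test site; any later presentation of that username on the site
# means someone between the exit and the site captured it.
SECRET = b"constructed-test-secret"   # constructed; rotate per experiment
EXITS = ["EXIT-A-FINGERPRINT", "EXIT-B-FINGERPRINT", "EXIT-C-FINGERPRINT"]

def issue_canary(secret: bytes, exit_fingerprint: str) -> tuple[str, str]:
    """Derive a unique (username, password) for one exit node, so the
    username alone identifies which exit relayed the login."""
    tag = hmac.new(secret, exit_fingerprint.encode(), hashlib.sha256).hexdigest()
    return f"user_{tag[:12]}", tag[12:36]

def find_replays(secret: bytes, exits: list[str], attempts: list[tuple[str, str, str]]):
    """attempts: (source_ip, username, password) in chronological order.
    Returns {exit_fingerprint: [source_ip, ...]} for every use of a canary
    username after its single legitimate first use. A wrong password still
    counts: the username itself is known only to whoever saw the traffic."""
    canary_owner = {issue_canary(secret, fp)[0]: fp for fp in exits}
    seen_once = set()
    replays = defaultdict(list)
    for src_ip, username, _password in attempts:
        fp = canary_owner.get(username)
        if fp is None:
            continue                    # unrelated login, ignore
        if username in seen_once:
            replays[fp].append(src_ip)  # canary reused: this exit is implicated
        else:
            seen_once.add(username)     # our own test login through the exit
    return dict(replays)

def sample_attempts() -> list[tuple[str, str, str]]:
    """Constructed auth-log excerpt: three legitimate test logins, then two
    replays of exit B's canary from unrelated addresses."""
    ua, pa = issue_canary(SECRET, "EXIT-A-FINGERPRINT")
    ub, pb = issue_canary(SECRET, "EXIT-B-FINGERPRINT")
    uc, pc = issue_canary(SECRET, "EXIT-C-FINGERPRINT")
    return [
        ("198.51.100.10", ua, pa),
        ("203.0.113.5", ub, pb),
        ("192.0.2.77", uc, pc),
        ("192.0.2.200", ub, pb),       # replayed with captured password
        ("192.0.2.201", ub, "guess"),  # replayed username, wrong password
    ]
```

Because the canaries are derived from a secret, the test site only has to store the secret and the list of exits, not every issued credential.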
How to build your own public key infrastructure
In order to get your various servers to communicate securely with one another you need to set up your own PKI. This post from CloudFlare shows how to do this.
- https://blog.cloudflare.com/how-to-build-your-own-public-key-infrastructure/
UnFIN4ished Business
FIN4 is a financially motivated threat group that has been targeting publicly traded companies since 2013 in order to obtain insider information to trade on. This past week the SEC announced it is investigating them. This is an interesting group because it's not a government actor going after defense secrets, or a crimeware or ransomware group going after the general public, or a competitor trying to get secret intellectual property that would hurt the victim's business. Instead, FIN4 is performing somewhat "victimless" crimes, where the victims are other stock traders who don't have access to the same internal secrets. This write-up touches a little on the technical aspects of the group.
- http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html
Business
- 11% of UK firms have cybersecurity insurance: Although this article stated "just" 11% of mid to large UK organizations have cybersecurity insurance, I'm surprised at how many have it. The survey covered 100 companies.
- Checkmarx closes $84M Series C: Checkmarx was founded in Tel Aviv in 2006. It does static code analysis to identify security vulnerabilities. It closed an $84M round, bringing its total funding to date to $92M. From what I've been hearing over the past month, entrepreneurs expect the easy money to dry up soon, so they are trying to close large rounds to carry them through an expected market correction.
- Auth0 closes $6.9M Series A: Auth0 was founded in Bellevue, WA in 2013. It helps apps authenticate with identity providers, providing identity-as-a-service.
- The State Of The Cyberthreat Intelligence Market: Forrester post showing that since October 2014 there has been a total of $102.5M raised in 8 funding rounds, plus 4 acquisitions, in the Threat Intel space (acquisition amounts are mostly undisclosed, except one for $40M).
Conference materials and publications
- Results of my recent PostScript Charstring security research unveiled: j00ru posted his slides from REcon on his research into the Adobe Type Manager Font Driver (ATMFD.DLL), which has provided font support in the Windows kernel since Windows NT 4.0.
Tools
- Semtrex: Tool for dynamic taint analysis integrated into IDA Pro for around $780.
- Atom 1.0: Atom is a text editor made by GitHub that looks and feels a lot like Sublime, but is free and open-source. Atom just hit its 1.0 release.
- Detecting unauthorized cross-app resource access on OS X: Responding to the XARA issue with Apple OS X seen last week, Facebook’s osquery is now capable of detecting this issue. It’s interesting seeing an open-source project from a non-infosec tech company responding to security issues faster than the infosec companies are.
Other reads
- Multiple Default SSH Keys Vulnerabilities in Cisco Virtual WSA, ESA, and SMA: Many Cisco products were found to ship with the same default SSH keys, and the SSH server is publicly exposed, allowing remote attackers to connect with privileges.
- What are Little PatchGuards Made Of?: Shows what the different checks are that PatchGuard makes, and interestingly Windbg provides all this information.
- Samsung deliberately disabling Windows Update the way the user intends it to: The OEM software installed by Samsung on its laptops changes Windows Update functionality so that you can't have Windows automatically install updates. It's interesting seeing the malware-like things that legitimate vendors are doing.
- Cisco AnyConnect Secure Mobility Client v3.1.06073 EoP: Simple privilege escalation on Windows by abusing what data gets trusted by a service.
- The NoScript Misnomer – Why should I trust vjs.zendcdn.net?: Audit of the popular plugin NoScript reveals that it has a number of sites that it white-lists to allow JavaScript to run even if you set NoScript to forbid scripts globally. This is a long list and included domains that were available for registration (the author of the post bought one).
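For the Cisco default SSH key item above, an added defensive check in Python (not Cisco's advisory or tooling): feed it ssh-keyscan style output from your fleet and it reports any host key presented by more than one host. The host names and key blobs are constructed.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed example, not Cisco's advisory or tooling. Given ssh-keyscan style
# lines ("host keytype base64blob") collected from a fleet, compute OpenSSH
# SHA256 fingerprints and report any key that more than one host presents:
# a host key shared across appliances means one extracted key unlocks them all.
SAMPLE_SCAN = """\
wsa-1.example.test ssh-rsa {k1}
esa-1.example.test ssh-rsa {k1}
sma-1.example.test ssh-rsa {k1}
bastion.example.test ssh-ed25519 {k2}
# comment lines and blank lines are ignored

""".format(
    k1=base64.b64encode(b"constructed-shared-default-key").decode(),
    k2=base64.b64encode(b"constructed-unique-key").decode(),
)

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_host_keys(scan_output: str) -> dict[str, list[str]]:
    """Return {fingerprint: [host, ...]} for every key seen on two or more hosts."""
    hosts_by_fp = defaultdict(list)
    for line in scan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _keytype, blob = line.split(None, 2)
        blob = blob.split()[0]          # drop a trailing comment field, if any
        fp = fingerprint(blob)
        if host not in hosts_by_fp[fp]:
            hosts_by_fp[fp].append(host)
    return {fp: hosts for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}
```

Running the same check on authorized_keys files catches the other half of the advisory, a shared key that grants login rather than identifies a host.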