Weekly infosec news summary for 2017.06.04 – 2017.06.10

Summit Route news

This issue of Downclimb is a day early as I’ll be on vacation for the next two weeks. I’ll do a catch-up issue when I get back.

Quotes

“So many AWS credentials sprinkled across the Delicious source code… I think this acquisition will rapidly pay for itself” @Pinboard on its recent acquisition of Delicious from Yahoo

“Every time you fork a project instead of sending a patch, an open source developer dies a little.” Julien Vehent‏

Top stories

The Journey to Hijacking a Country’s TLD – The Hidden Risks of Domain Extensions

Matthew Bryant (@IAmMandatory) describes how many TLD name servers, such as .vn for Vietnam and .ao for Angola, have security issues (link). He shows some example problems and goes on to show the possible dangers of this, for example Google allows for logins from google.co.ao. So by taking over one of the ~200 TLDs that Google allows logins from, you’d be able to compromise accounts in other regions.

Tools

• Aardvark and Repokid: Netflix has released new tools to check for and enforce IAM least privileges for AWS. In addition to those tools, check out my recent post Free tools for auditing the security of an AWS account which provides an overview of other tools that can be used.
• airbus-seclab/bincat: Binary code static analyser, with IDA integration.

Conference materials and publications

• Security Fest videos: The rest of the talks from Security Fest, mentioned last week, are now online. One talk I liked a lot was Frans Rosen’s talk on DNS hijacking using cloud providers. That talk goes well with this new post by Patrik Hudak on The Principles of a Subdomain Takeover which shows in particular how this issue can impact AWS Cloudfront.

Other reads

• Qatar hacks: Saudi Arabia, the UAE, and other nearby countries suddenly decided to cut ties with Qatar this week, in part due to statements on Qatar’s state news website made by the country’s ruler which Qatar claims were due to a hack. Although claims of hacks have been happening throughout the year for various elections, which means public opinion within countries was being changed, this represents a strong reaction by nations against other nations. Although any hack likely played a small part in these diplomatic issues, it does high-lite the need for stronger controls over the integrity of information.
• Verelox wiped: The VPS provider Verelox posted a statement that an ex-administrator wiped all of their servers. It’s a good idea to have two separate admins with two separate backup processes for incidents like this. Be mindful also of possibilities where one admin can takeover the accounts of the other admin if the account recovery process of the backup servers goes back to the admin’s work email, and the other admin has runs the email server.
• PLATINUM continues to evolve, find ways to maintain invisibility: Microsoft describes the techniques used by the APT Platinum, which uses the Intel Serial-over-LAN (SOL) functionality for communication on a network. This allows their malware to communicate at a level below the host OS, so security tools on the host cannot detect or monitor the communication.
• Turla’s watering hole campaign: An updated Firefox extension abusing Instagram: Turla is always one of the most interesting APT’s to watch, as it goes through a lot more work to accomplish its goals than other APTs. In this post from ESET, Turla set up watering hole attacks for sites related to embassies around the world. These then had what looks like web analytics trackers on them, but this was being directed to compromised sites that used this to do an initial filter for targets of interest based on IP address, so only certain IPs would receive the next stage, whereas everyone else would get a benign javascript file. The next stage was a fingerprint script to further identify targets of interest. Where things get extra interesting is with a Firefox extension that the attackers request to be installed. This extension then monitors a legit Instagram account (for the pop star Britney Spears), and reads the comments, looking for ones that match a hash it computes over them. When a match is found, it then converts that comment into a bitly link, and uses that for further C&C. ESET believes this was all just some initial test work from Turla.
• NSA leaker caught: An NSA employee, named Reality Winner, leaked some classified files from the NSA about Russia’s interference in the US election. That’s not very interesting, as that was already known. What is interesting is how she was caught. The news entity she leaked to handed the documents over to the NSA to confirm its authenticity, and in doing so the NSA was able to view watermarks on the documents that identified when it had been printed and on which printer. Not all printers have these watermark dots, so as security teams, you should ensure that the printers you have do print these dots in order to expose leaks at your own company. The best way is to print a blank sheet of paper and look for the dots, but there is also a list of printers that do not show these dots here, that you’ll want to avoid.
• Authy taking steps to combat SIM swapping: Authy emailed users who have authenticated to Coinbase to tell them they’ve disabled features to make SIM swapping attacks more difficult. The ability to take over someone’s phone number has become a real problem and it’s good to see companies like Authy taking action to combat this.