Downclimb: Summit Route's Weekly Infosec News Recap
2014.08.29 – 2014.09.05: https://SummitRoute.com
Crowdstrike describes how they identified an attack using their Falcon platform in a webcast. Although an hour long, there is really just 26 minutes of interesting technical discussion beginning at 13:30, with the rest being global politics discussions.
At 13:30 it begins discussing the actual attack. It discusses the techniques used by the attackers for deploying directly into memory and using powershell commands instead of custom malware. One technique discussed is replacing the "sticky keys" executable, which is discussed in articles from 2012 from Mandiant and Carnal0wnage. Running in memory to avoid detection or post-incident forensics is becoming more common. As an example, there was an article this week about the Angler Exploit Kit running entirely in memory.
At 16:45 it discusses how Crowdstrike's Falcon product is able to collect memory as attacks occur, which seems to imply they are watching the attacker work. There is always a trade-off between trying to block attackers versus allowing them to do their work so you can get greater intelligence on them. The concept of collecting memory dumps throughout an "attack" was also recently described by LastLine with regards to their product which collects memory snapshots are points throughout the execution of the processes it emulates. I assume LastLine has hooks that will cause a memory dump to occur whenever API's of interest are called, such as when a new process is created.
At 21:40 the webcast discusses their Falcon platform more in-depth. At 27:50 they show a demo of what the attack they monitored looked like and at 30:40 how they can monitor that with their Falcon platform.
Also released this week was a video from Immunity describing their El Jefe product, which is a free and open-source version of something similar to Crowdstrike's Falcon product.
JPMorgan breach investigation
JPMorgan has allegedly been breached by criminals from Russia. There is no apparent nation-state affiliation. The most interesting part of the article is the stats that JPMorgan "expects to spend more than $250 million per year in cyber security, with some 1,000 employees dedicated to those operations by the end of this year."
Using a smart card for SSH logins
Passwords have many problems as an authentication mechanism. Specifically, they are prone to theft, re-use, and hard to remember. This article gives easy to follow steps on how to purchase and use smart cards instead for authentication.
This follows from another article this weak describing brute-force attempts on ssh servers hosted on Amazon EC2. One interesting point from the story is the attacker would use one system to attempt logins, a second system to upload malware, and a third system to command the malware.
-  Using smart cards for SSH: https://www.scriptjunkie.us/2014/09/easy-smart-card-ssh-setup/
-  Login attempts on SSH on EC2: http://blog.smarthoneypot.com/in-depth-analysis-of-ssh-attacks-on-amazon-ec2/
Celeb photos leaked on iCloud
Various celebrity accounts were hacked and their nude photos leaked. Although better passwords would have helped, it's interesting that two factor authenticaton (2FA) does not protect this part of the iCloud service.
VirusTotal being used by nation states
This researcher describes how he monitors the submissions to VirusTotal from malware developers. Linked from his post are a white-paper and a document describe PlugX activity.
Rogue cell towers showing up in US
The German company CryptoPhone, which markets a secure cell phone, identified 17 bogus cell phone towers in the US. Running your own cell phone tower is now cheap enough for even hobbyists.
- BeyondTrust purchased by Veritas Capital: Very few details are provided.