Downclimb: Summit Route's Weekly Infosec News Recap
2014.09.05 – 2014.09.12: https://SummitRoute.com
The monetization of information insecurity
Dave Aitel asks "How can we avoid making the mistake of Anti-Virus ever again?" Anti-Virus is broken and has made money despite failing to secure computers. Spender followed this up with a sarcastic post mocking Google's Project Zero and arguing that Bug Bounties are just the modern form of the whack-a-mole game AV has been playing. Despite that, Robert Graham made the case last week that Bug Bounties are the new norm and now count as standard due diligence in cybersecurity. He states "When you get sued for a cybersecurity breach (such as in the recent Home Depot case), one of the questions will be 'did you follow industry norms?'" and one of those norms is a Bug Bounty program.
- Anti AV: http://seclists.org/dailydave/2014/q3/34
- Anti Bug Bounties: https://grsecurity.net/~spender/av.txt
- Pro Bug Bounties: http://blog.erratasec.com/2014/09/vuln-bounties-are-now-norm.html
Apple Pay
Apple made some big announcements this week with a new iPhone, a watch, and other news, but the biggest news for security is Apple Pay. Apple Pay is based on NFC, a short-range wireless technology that has existed for about a decade and uses less power than even Bluetooth. Some Android phones have had NFC for years, but it hasn't really caught on yet.
Having Apple behind the technology will help it, but October 2015 also brings a shift in liability for credit card fraud. As explained in one older article, "When the liability shift happens, what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will bear the liability. So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn't issued a chip and PIN card to the customer, the bank would be liable."
What this means is that by October 2015 most current card-swipe terminals will be replaced, and if you're going to replace them anyway, the new terminals will likely support NFC in addition to chip and PIN. As a sign of how quickly retailers are moving, Target (itself breached last year) immediately announced that it is adding Apple Pay support.
Reports about how using your phone will be easier than digging out your credit card are missing the point. Digital payments enable all sorts of new technologies. Think about how Mint and other personal finance trackers wouldn't exist if we still used cash. Likewise, Apple Pay should make possible controls like single-use "credit cards" and checks that the phone's GPS location matches the sales terminal's location, in addition to non-security business use cases such as easier loyalty card use.
A great podcast for technology news (focused more on the business and venture capital side of things) is a16z, and they go into Apple's announcements from that business angle.
Home Depot hit by same malware as Target
Last week Home Depot was suspected of being hacked, but there was nothing interesting about the story: just another retailer getting hacked. This week Brian Krebs identified the malware as a new variant of BlackPOS, the malware used in the Target breach, and Trend Micro has published an analysis of it.
- Brian Krebs write-up: http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/
- Trend Micro analysis: http://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/
Rootkit analysis using SwishDbgExt
This post shows how to use windbg with the SwishDbgExt extension to identify the different hooking techniques used by a rootkit.
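As an added illustration (not code from the linked post or from SwishDbgExt itself): the most common thing a hook scanner looks for is a function prologue that no longer matches the pristine image and instead begins with a trampoline (jmp rel32, jmp [mem], push/ret, or mov rax/jmp rax). The C below applies those checks to constructed byte strings standing in for an x64 syscall stub before and after an inline hook; the stub bytes, function address and module range are made up for the example.

```c
/* Added example, not from the SwishDbgExt post: a minimal inline-hook
 * classifier of the kind a rootkit scanner applies to function prologues.
 * All byte strings and addresses below are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,    /* E9 rel32           : jmp target             */
    HOOK_JMP_MEM,      /* FF 25 disp32       : jmp [rip+disp32]       */
    HOOK_PUSH_RET,     /* 68 imm32 C3        : push addr ; ret        */
    HOOK_MOV_RAX_JMP   /* 48 B8 imm64 FF E0  : mov rax,addr ; jmp rax */
} hook_kind;

/* Constructed: how an x64 syscall stub normally starts
 * (mov r10,rcx ; mov eax,0x55 ; syscall ; ret). */
static const uint8_t PRISTINE_STUB[] = {
    0x4C, 0x8B, 0xD1, 0xB8, 0x55, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };

/* Constructed: the same stub after an inline hook overwrote its first
 * five bytes with "jmp +0x100000" (E9 00 00 10 00). */
static const uint8_t HOOKED_STUB[] = {
    0xE9, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };

/* Constructed: a push/ret trampoline to 0x10002000. */
static const uint8_t PUSH_RET_STUB[] = { 0x68, 0x00, 0x20, 0x00, 0x10, 0xC3 };

/* Classify the first bytes of a function body against common trampolines. */
hook_kind classify_prologue(const uint8_t *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9)
        return HOOK_JMP_REL32;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)
        return HOOK_JMP_MEM;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)
        return HOOK_PUSH_RET;
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0)
        return HOOK_MOV_RAX_JMP;
    return HOOK_NONE;
}

/* Resolve a jmp rel32 located at func_addr: target = next instruction + rel32. */
uint64_t jmp_rel32_target(uint64_t func_addr, const uint8_t *code)
{
    int32_t rel;
    memcpy(&rel, code + 1, sizeof rel);   /* little-endian, sign-extended below */
    return func_addr + 5 + (int64_t)rel;
}

/* Does the live prologue differ from a pristine copy (e.g. the bytes of the
 * module on disk)? A change in the first bytes is the classic inline-hook symptom. */
int prologue_modified(const uint8_t *live, const uint8_t *pristine, size_t n)
{
    return memcmp(live, pristine, n) != 0;
}

/* A jmp whose target lies outside the owning module is a second red flag. */
int target_in_module(uint64_t target, uint64_t mod_base, uint64_t mod_size)
{
    return target >= mod_base && target < mod_base + mod_size;
}

static const char *kind_name(hook_kind k)
{
    static const char *names[] = { "none", "jmp rel32", "jmp [mem]",
                                   "push/ret", "mov rax/jmp rax" };
    return names[k];
}

int main(void)
{
    /* Constructed function address and module range for the stub's module. */
    const uint64_t func = 0x7FF800001000ULL;
    const uint64_t base = 0x7FF800000000ULL, size = 0x100000ULL;
    hook_kind k = classify_prologue(HOOKED_STUB, sizeof HOOKED_STUB);

    printf("prologue modified: %s\n",
           prologue_modified(HOOKED_STUB, PRISTINE_STUB, 5) ? "yes" : "no");
    printf("trampoline kind  : %s\n", kind_name(k));
    if (k == HOOK_JMP_REL32) {
        uint64_t t = jmp_rel32_target(func, HOOKED_STUB);
        printf("jmp target       : 0x%llx (%s module)\n", (unsigned long long)t,
               target_in_module(t, base, size) ? "inside" : "outside");
    }
    printf("push/ret sample  : %s\n",
           kind_name(classify_prologue(PUSH_RET_STUB, sizeof PUSH_RET_STUB)));
    return 0;
}
```

Against a real target the live bytes come from process or kernel memory and the pristine bytes from the module on disk (after applying relocations); a debugger extension automates that comparison over every exported function and every dispatch table, which is what makes it practical at scale.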
- Veracode expected to IPO soon: Veracode raised $40M, bringing its total funding to $134M. Veracode primarily sells static application security testing, performed on compiled binaries rather than source code.
Conference materials and publications
- Troopers slides: German conference that took place in March.
- Sandstorm.io: An interesting Docker-like alternative being developed with a focus on security and sandboxing. The project's goal is to let you install servers as easily as you install apps on your phone, with a single login mechanism used across all of them.