Downclimb

2014.10.03


Downclimb: Summit Route’s Weekly Infosec News Recap
2014.09.26 – 2014.10.03: https://SummitRoute.com

Top stories

JP Morgan hack

JP Morgan was hacked, and the attack impacts 76M households. Beyond this massive number, it is also interesting that they chose to disclose this via an SEC Form 8-K filing, which is used to inform shareholders of material events, meaning major events that are expected to move the stock price. However, the stock price was unaffected by the news. It had been reported a little over a month ago that JP Morgan had been hacked, but the severity was unknown until the SEC filing this past week.

  • http://www.sec.gov/Archives/edgar/data/19617/000119312514362173/d799478d8k.htm

New Xen vuln

(CVE-2014-7188) In addition to the Xen bugs discussed last week, an even worse one[1] was disclosed which allows guests to crash the host, and read data relating to other guests or the hypervisor itself. Amazon AWS EC2 systems were rebooted due to this[2]. The Qubes team discusses how this isn’t actually that bad[3].

  1. Advisory: http://xenbits.xen.org/xsa/advisory-108.html
  2. AWS explanation: http://aws.amazon.com/blogs/aws/ec2-maintenance-update-2/
  3. Qubes discussion: https://groups.google.com/forum/#!msg/qubes-devel/HgQ_aWt-EBU/8VWzu2IrQdQJ

Taking over zombie botnets

Kryptos Logic discusses how old botnets that have been “taken down” could be revived due to the old (and now breakable) crypto they use. A 2013 survey showed there were 50,000 Zero Access 1 nodes still around after a takedown. These takedowns often don’t remove the malware from systems; they just neuter it. Kryptos Logic shows they have broken the 512-bit RSA key used by this malware, which could potentially allow them, or someone else who breaks the key, to reclaim this botnet (this requires only a few days’ worth of computing, and you would need to position yourself in such a way that you could act as a controller).

  • http://kryptoslogic.blogspot.com/2014/10/world-war-zero-access-when-zombie.html

Security pro’s set-up

Ever wonder what a security professional’s computing environment is? HD Moore describes his in detail, with great comments along the way such as “My hands look like they belong to a rejected claymation model, so tiny keys don’t work so well.”

  • http://www.thesecuritysetup.com/home/2014/10/1/hd-moore

Disarming EMET 5

Technique for disarming the latest EMET 5 and bypassing it.

  • Discussion: http://www.offensive-security.com/vulndev/disarming-emet-v5-0/
  • Exploit code: http://www.exploit-db.com/exploits/34815/

Attacks on Chinese

Massive MiTM in China on Yahoo using a self-signed cert[1]. Also in China, in Hong Kong, activists received a WhatsApp message about an app that is supposed to help coordinate the Occupy Central protests, but is actually a trojan for not just Android but also iOS (although it requires the iOS device to be jailbroken)[2].

  1. http://www.netresec.com/?page=Blog&month=2014-10&post=Verifying-Chinese-MITM-of-Yahoo
  2. https://www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/

Jimmy Johns breach due to breach of POS vendor

Brian Krebs reports on how the point-of-sale vendor Signature Systems was breached, which allowed the restaurant Jimmy Johns to be breached. Going after supply chains and vendors is more and more common.

  • http://krebsonsecurity.com/2014/09/signature-systems-breach-expands/

Tools

  • Windows 10 Tech Preview available: A Tech Preview for Windows 10 is now available for download. Microsoft jumped from Windows 8.1 directly to 10 in their numbering. Symbols are available here.

Conference materials and publications

Other reads