Downclimb

2014.11.21

RSS feed

Downclimb: Summit Route’s Weekly Infosec News Recap
2014.11.14 – 2014.11.21: https://SummitRoute.com

Quotes

“less Twitter more committer! Keep coding” thegrugq

Top stories

Out-of-band MS14-068 for CVE-2014-6324

Microsoft released an out-of-band (ie. non-patch-tuesday) patch for CVE-2014-6324 that was being exploited in the wild. “CVE-2014-6324 allows remote elevation of privilege in domains running Windows domain controllers. An attacker with the credentials of any domain user can elevate their privileges to that of any other account on the domain (including domain administrator accounts).”[1]

BeyondTrust shows a great analysis of this vuln, which boils down to a difference in the docs vs implementation, where the implementation allows something as simple as a CRC to be used for signature verification[2].

  1. http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
  2. http://blog.beyondtrust.com/a-quick-look-at-ms14-068

WireLurker network traffic

OpenDNS provides DNS services, and using that, they are able to get a good global, historical, view on domain usage. Using that data, they released some information about WireLurker.

  • http://labs.opendns.com/2014/11/14/wirelurker/

Business

  • Endgame raises $30M in Series C: Endgame, which previously sold exploits to governments and is now moving into commercial defense, is ramping up, having made 40 hires in the past 3 quarters and has now raised $30M in funding. It raised a Series B in March, 2013 for $23M, and a Series A in 2010 for $29M, bringing it’s total funding to date to $86M since it’s founding in 2008.

Conference Materials

Tools

  • Detekt: Detekt is an open-source Windows utility, built in collaboration with the EFF, to detect a handful of malware supposedly associated with governments. The assumption behind the tool is that antivirus vendors co-operate with governments so that they won’t detect the malware the government uses to spy on it’s citizens, so this tool adds those detections. It’s not a great assumption, and this product is basically antivirus. Joanna Rutkowska, in reference to Detekt commented “I thought we all agreed years ago AV is a dead end, no?” The release of the tool received a lot of negative feedback from the security community because AV is no longer viewed as an effective defense, largely due to it’s signatures essentially being public. The tool does provide some possible value in becoming a framework to allow people create their own private signatures.

Other news

  • Stuxnet kernel analysis
  • Triggering MS14-066: BeyondTrust’s look at the s-channel issue from Patch Tuesday last week. No one has yet managed to exploit it (beyond DoS). This affects IIS servers, but clients should not be affected.
  • BIOS and Secure Boot Attacks Uncovered
  • EMET 5.1 Bypass. This is sort of pointless, since if you have the ability to read and write any of your process memory, then yes, you can bypass a protection tool that works by running within that memory. They have released their code, so EMET will likely need to update again to add some obfuscation to make this not work the same, and this company will likely try to get press again by figuring out a way around that obfuscation. Dropping 0-days on security products (especially free ones that really are trying to help protect people and not profiting from it) is not a good way of trying to get press.
  • Xen pivilege check missing: Xen missing privilege checks on instructions allowing privilege escalation within the guest (this is basic security of virtualization, and many virtualization products seem to get this simple stuff wrong).
  • Let’s Encrypt: A free certificate authority, with apparently easy usability, for providing HTTPS to web servers. It won’t be released until 2015, but as it should be apparent already, more and more websites are moving to HTTPS, so if your defense solutions rely on being able to see unencrypted traffic, you’ll need new solutions.
  • Drupal vuln: This vuln allows random session hijacking.