Downclimb: Summit Route's Weekly Infosec News Recap
2014.12.05 – 2014.12.12: https://SummitRoute.com
"So, I know people are excited that I'm posting malware PCAPs. But that misses the point. I'm posting entire malware executions!" @moyix
Control Flow Guard in Visual Studio 2015 Preview
Control Flow Guard (CFG) is a mitigation against ROP attacks. It checks every indirect-call instruction is going to a location that it is expected to reach. Ideally you would want to ensure every library used by your application has been compiled with CFG, so this will take awhile for it to become more effective. There are still ways around it, but the hope is it will make life more difficult for attackers. This is only in the preview of Visual Studio 2015 and is still viewed as experimental so you have to make some changes from the default compilation settings to take advantage of this.
Turkish pipeline blast from 2008 involved hackers
Bloomberg is reporting that in 2008, hackers used vulnerabilities in the surveillance cameras that monitored an oil pipeline through Turkey to make their way into the network. From there they compromised a Windows computer in charge of alarm management. The hackers shut off the alarms and surveillance cameras so two men could walk up to the pipelines with laptops in order to increase the pressure which ultimately caused the explosion and shut the pipeline down for 3 weeek, resulting in the State Oil Fund of the Republic of Azerbaijan losing $1 billion in export revenue while the line was shut down. The hackers erased more than 60 hours of surveillance video. Russia is believed to have been behind this, as 3 days later they went to war with Georgia, where the pipeline also runs through.
Code Execution In Spite of BitLocker
Windows 8 changed how BitLocker works from the implementation used for Windows Vista and Windows 7, by no longer using one of the features (something called the Elephant Diffuser). The removal of this feature means that an attacker could flip bits on a hard-drive such that the next time the owner logs in, code execution could be obtained. If an attacker obtains physical access to your equipment you should assume it has been compromised (it could be physically bugged in some manner) but the threat identified in this article is still unexpected and it's unfortunate this feature was removed.
Malware signed with Sony Pictures cert
Due to the breach of Sony Pictures Entertainment, their signing cert has been compromised and used to sign malware. It appears the hackers signed this malware just to show how thoroughly they have compromised Sony Pictures. They likely wanted this malware to get picked up by antivirus vendors just to show off that they acquired a copy of the signing cert.
Cyber Supply Chain and Transparency Act of 2014 bill introduced
A bill has been introduced in Congress that proposes "that any supplier of software to the Federal government must identify which 3rd party and open source components are used, and they cannot include known vulnerabilities (per the NIST NVD) for which a less vulnerable alternative is available." This bill has not been made into law yet but it will be interesting to follow and will likely force a lot of new work to be created to check software being provided to the government does not have known vulnerabilities.
Malware analysis using docker containers
One of the difficulties of doing malware analysis is simply getting the tools to work. There are now docker images available to make it easier to use V8, Thug, Viper, Rekall, and JSDetox. Precautions should still be taken when analyzing malware.
- Belden to acquire Tripwire for $710M: Belden is a maker of networking and cable products, and Tripwire is most famous for it's application to scan a system for file changes. This is an odd pairing.
- Cisco to acquire Neohapsis](http://www.zdnet.com/article/cisco-acquires-neohapsis-beefs-up-security-advisory-efforts/): The networking giant Cisco is acquiring Neohapsis for undisclosed terms. Neohapsis is a security advisory firm that performs cyber security auditing and compliance services.
Publications and Conference materials
- Botconf: Botnet fighting conference in France
- Defcamp: Romanian security conference. You need to go to one page for the presentation titles, and another to see the materials.
- Snort 3.0: Snort 3.0 has been in development since 2005, and is still an Alpha release, but this release includes lots of new functionality such as now being multithreaded.
- List of all the bug write-ups for bounties Facebook has awarded: Of particular interest is a recent bug involving symlinks in zip files allowing for local file reads.
- POODLE Bites Again: SSLv3 issues still affecting TLS. Brian Krebs reports how this means many banks are vulnerable.
- Related work and historical notes for afl-fuzz
- Cloud Atlas (aka Barbicas): A new version of the RedOctober APT
- Flaw in Redhat RPM due to time of check
- Attack on Sands Casino: On Feb 10, hackers sought to destroy the company due to remarks from the CEO regarding Iran.
- Target breach legal doc: This 123 page document describes various failures of Target with it's security, including not only the massive 40M credit card breach from last year but other issues it has had as well. It also discusses various legal requirements that Target failed to meet and how it was proven that Target failed to meet these requirements.