Downclimb: Summit Route's Weekly Infosec News Recap
2014.12.12 – 2014.12.19: https://SummitRoute.com
"AV = Additional Vulnerabilities" - @joernchen
Comparison of security features in OpenBSD vs FreeBSD
This article compares the default security features enabled in OpenBSD vs FreeBSD. OpenBSD seems to provide the more secure default platform in general, but it lacks jails, which FreeBSD offers. The article is a good introduction to many of the security features of these OSes.
Process Hollowing detectable from Prefetch file
Corey Harrell shows how to detect process hollowing (a technique used to hide malware inside another, legitimate process) by checking the Windows prefetch file for that process.
Sony Pictures cyber insurance
The popular (and ridiculous) story in the media continues to be that North Korea hacked Sony Pictures, and people are questioning whether the US should take military action. The best explanation I've read for the reasoning there is not that North Korea had anything to do with it, but that the US politically needed an event so that it could create policy, and this one seemed good enough.
I'm going to avoid that discussion and instead focus on a more interesting aspect of this hack: the details of Sony Pictures' cyber insurance. According to one article, "Sony Pictures and Sony Corporation of America would share a total policy limit of $60 million ($5 million retention) at an annual cost of $356,963. The policy includes security and privacy liability coverage, as well as event management, network interruption, cyber extortion, and regulatory action." The current estimated cost of the hack is as much as $200M according to some reports, but that number seems much too high. The article goes further into some of the negotiations and into who the various companies are that offer cyber insurance.
- Policy explanation - http://seclists.org/dailydave/2014/q4/73
- Cyber insurance disclosure - http://www.csoonline.com/article/2859535/business-continuity/breach-insurance-might-not-cover-losses-at-sony-pictures.html
Git client vulnerability (CVE-2014-9390)
Git clients for Windows and OSX have a vulnerability such that if you clone a malicious repo, an attacker could get remote code execution on your system. This vuln isn't really that bad, but it's making some noise in the news, so I'll explain here why it's unlikely most people will run into situations where they could be exploited. First, all github.com repos have been scanned, and GitHub blocks users from pushing such a problem to the repos there; and chances are you trust everyone at your company who pushes code to your internal repo. Next, if you are pulling code from a repo, chances are you trust the source and are just going to execute that code anyway, so an attacker wouldn't need this vuln. - https://github.com/blog/1938-vulnerability-announced-update-your-git-clients
Publications and Conference materials
- Defcon: Defcon took place in August in Las Vegas.
- BalCCon 2014: Balkan Computer Congress in Serbia from September 5-7.
- Facebook bounty of $7500 from using nmap to find a Jenkins server
- CSRF in Doorkeeper: Doorkeeper is a popular OAuth2 gem. One interesting aspect of this vuln is that it was originally discovered in DigitalOcean by someone else, but the root of the problem was not recognized by the finder or by DigitalOcean. Reading bug reports is helpful: you may find similar problems in other projects (or sites), or discover that someone mis-identified the root cause of the bug.