Downclimb: Summit Route's Weekly Infosec News Recap
2014.12.19 – 2014.12.26: https://SummitRoute.com
"Sorry, I'm stupid but how is attribution really going to help you improve your defenses? You are still blind as before to attacks." @osxreverser
"when your attribution is based exclusively on forensic artifacts, you're using only adversarial controlled data" @thegrugq
"20 years ago today I was sitting in a hotel room in Denver hacking into Tsutomu Shimomura's SunOS boxes as he was skiing. How time flies :-)" @kevinmitnick
"Reality: The things that keep our lights on and water clean are built to lesser security specifications than the DRM in our game consoles." @halvarflake
Elcomsoft Phone Breaker
The Russian company Elcomsoft is an old name in the infosec world. Back in 2001, at Defcon 9, an Elcomsoft employee named Dmitry Sklyarov was arrested by the FBI just after his presentation on Adobe eBook security. Elcomsoft primarily makes products that give forensic investigators access to all sorts of encrypted and locked files and devices. Their recent product Phone Breaker can get into the password-protected backups of BlackBerry and iOS devices, including the iPhone 6, as well as iCloud and Windows Live accounts, and can reportedly bypass two-factor authentication.
NTP vulnerabilities (CVE-2014-9295)
Several vulnerabilities have been found in ntpd, the reference NTP daemon from the Network Time Protocol project. The most critical, CVE-2014-9295, is a set of stack buffer overflows that a remote attacker can trigger with crafted packets; they are fixed in ntp-4.2.8. Apple pushed its first ever automatic security update in response (no reboot was needed). ntpd ships with most Linux distributions, and a huge number of servers, appliances and embedded systems run NTP clients or servers to keep their clocks in sync, so the exposed attack surface is wide.
- CERT announcement: http://www.kb.cert.org/vuls/id/852879
- The code change for the buffer overflow fix: http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acf55dxKfhb6MuYQwzu8eDlS97g
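As an added example for the NTP item (not code from Summit Route or the NTP project), here is a small POSIX shell check that parses an ntpd version banner and flags anything older than ntp-4.2.8, the first release carrying the CVE-2014-9295 fixes. The function names are my own and the banners used in the comments and tests are constructed for illustration; the only real input it expects is what `ntpd --version` prints.

```shell
#!/bin/sh
# Added example, not code from Summit Route or the NTP project: decide whether an
# ntpd version banner predates ntp-4.2.8, the first release with the
# CVE-2014-9295 fixes. Function names are assumptions; banners are constructed.
#
# Caveat: distributions often backport fixes without changing the upstream
# version (a patched 4.2.6p5 package is still "4.2.6p5"), so "older than
# 4.2.8" means "check your vendor's advisory", not "exploitable".

# ntp_version_lt_428 "<banner>"
#   returns 0 if the first x.y.z[pN] token in the banner is older than 4.2.8,
#           1 if it is 4.2.8 or newer,
#           2 if no version token could be found.
ntp_version_lt_428() {
    # `ntpd --version` prints e.g. "ntpd 4.2.6p5@1.2349-o Fri Jul 22 17:30:51 UTC 2016 (1)".
    # Take the first whitespace-separated field whose part before "@" looks
    # like a release number.
    ver=$(printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            split($i, parts, "@")
            if (parts[1] ~ /^[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?$/) { print parts[1]; exit }
        }
    }')
    [ -n "$ver" ] || return 2

    major=${ver%%.*}; rest=${ver#*.}      # "4", "2.6p5"
    minor=${rest%%.*}; rest=${rest#*.}    # "2", "6p5"
    patch=${rest%%p*}                     # "6"  (pN suffix dropped: the fix is in the 4.2.8 base)

    # Compare (major, minor, patch) against (4, 2, 8) lexicographically.
    # The 4.2.7 development series is treated as pre-fix.
    if [ "$major" -lt 4 ]; then return 0; fi
    if [ "$major" -gt 4 ]; then return 1; fi
    if [ "$minor" -lt 2 ]; then return 0; fi
    if [ "$minor" -gt 2 ]; then return 1; fi
    if [ "$patch" -lt 8 ]; then return 0; fi
    return 1
}

# check_installed_ntpd: run the check against the ntpd found in PATH.
# Exit status follows ntp_version_lt_428 (2 also when ntpd is not installed).
check_installed_ntpd() {
    command -v ntpd >/dev/null 2>&1 || { echo "ntpd not found in PATH"; return 2; }
    banner=$(ntpd --version 2>&1 | head -n 1)
    rc=0
    ntp_version_lt_428 "$banner" || rc=$?
    case $rc in
        0) echo "ntpd reports '$banner': older than 4.2.8, check your vendor advisory for CVE-2014-9295" ;;
        1) echo "ntpd reports '$banner': 4.2.8 or newer" ;;
        *) echo "could not parse a version out of '$banner'" ;;
    esac
    return $rc
}

# Usage: . ./ntpcheck.sh && check_installed_ntpd
```

On a host where `ntpd --version` is unavailable, `ntpq -c rv` also reports the running daemon's version string and can be fed to `ntp_version_lt_428` the same way.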
- SwishDbgExt: Matt Suiche's extension for WinDbg is now open source. This tool can be used to identify and understand Windows kernel rootkits during incident response, and is also a great tool for Windows debugging in general. The source code itself is a great read for anyone interested in clean, modern, real-world Windows C code built with Visual Studio.
- Green bar for EV cert changes: For certificates issued after January 1, 2015, Chrome will no longer show the green EV bar for EV SSL certs that are not logged in Certificate Transparency.
- EMET 4.1 bypass: Palo Alto discusses an in-the-wild Flash exploit that includes an EMET 4.1 bypass.
- mach_port_kobject() and the kernel address obfuscation: A look at the obfuscation Apple applies to the kernel object addresses returned by mach_port_kobject(), and what it means for OS X exploitation and mitigation.
- Docker Image Insecurity: A couple of issues have been found with how Docker verifies and unpacks the images it pulls. The practical impact is limited by what an attacker would need in order to exploit them, but it's an interesting read for the types of vulnerabilities involved.
- Reversing the DNS cache: This post shows how to use the Rekall memory forensics framework to reverse the heap structures behind the DNS resolver cache on Windows 7 x64.