
Downclimb: Summit Route's Weekly Infosec News Recap
2014.12.26 – 2015.01.02:


"A wish for 2015: waste less energy on malware attribution and more on actual (reasonably strong) defenses." Joanna Rutkowska


"Guess what? If you wear steampunk you are not on a kill list. More like the 'we don't take you seriously list.'" Josh Pitts


"If your only security concerns are the NSA's capabilities against encryption consider yourself one of the best defenders on the planet." Robert M. Lee


"I enjoy that CCC stream player recommends to use VLC and actual talk is an 0day in VLC." Dave Aitel


"Dear kids: If you want a job in 5 years, study computer science. If you want a job forever, study computer security." Aaron Levie, CEO of Box

Top stories

NTPd exploit write-up

This write-up from P0 (Google's Project Zero) discusses the flaw in the NTPd code, how to exploit it, and mitigations.

Attribution As A Weapon & Marketing Tool

Krypt3ia has a very unfiltered writing style, but he maintains a good contrarian view of the marketing that many cyber security companies present as research or expert opinion. His article[1] gets good once you scroll down to the section "Attribution As A Weapon and Marketing Tool", where he states: "Attribution is mostly useless. It is really only useful as a naming convention at the most to describe a group acting in a particular way when they attack."

The grugq also discussed attribution this week[2] and stated in his article "This brings us to the problem of cyber attribution. Fundamentally, the core problem is that when you’re working from forensic evidence you are dealing with information channels that are exclusively under the direct control of the adversary."

The supposed benefit of attribution for companies is that if you know who is attacking you, and what techniques they commonly use, then you can focus your defenses and detection on that group's specific IOCs. Outside of company defenses, though, the main reason to perform attribution is retaliation, and that is the game of governments. Here the tools of retaliation are political shaming or the threat of something more offensive. The discussion of Hacking Back has been brought up again[3], as the US government appears to be doing very little to help US companies defend themselves and bring attackers to justice. Beyond its illegality, a key reason to avoid hacking back is that attribution is hard: you risk hacking back against the wrong entity.

  1. Krypt3ia on attribution:
  2. The grugq on attribution:
  3. Hack back:


  • TLS Observer: This open-source project[1] allows you to run a TLS compliance check much like the Qualys SSL test.
  • WDBGARK: WDBGARK is a WinDBG Anti-RootKit extension. In many ways it overlaps with SwishDbgExt. SwishDbgExt seems to be more feature complete, but in the subset of functionality WDBGARK has, it seems to be making more checks. SwishDbgExt also had some activity this week and now is able to detect NDIS hooks due to code additions by someone named x9090.
  • IDA 6.7: The reversing tool IDA Pro had a new release this week. Although none of the new features seem too interesting, there were some vulnerabilities patched, specifically one in loading PE files.

Publications and Conference materials

  • LASCON: The Lonestar Application Security Conference is a two-day, single-track OWASP conference held in Austin in late October. Only one presentation has been posted so far, titled "DevOoops" by Chris Gates (Carnal0wnage) and Ken Johnson (cktricky), on flaws in our devops and development tools and how many of them expose information publicly.
  • CCC: Chaos Computer Club's 31C3: This conference in Germany made a lot of big news this week and has dozens of presentations, so there is a lot to cover. In addition to the slides[1], here are the highlights:

Other news