Downclimb: Summit Route's Weekly Infosec News Recap
2015.01.02 – 2015.01.09: https://SummitRoute.com
"When people ask me what working in security is like, I tell them that the only real leadership in the field is a celebrity parody account." @grahamvsworld
"Writing a MIME parser from scratch in C (!) for your cool new secure email thinger? Might want to consult WebMD about NIH syndrome." Bruce Leidl
"A lot of people are talking about attackers in terms like "advanced" and "sophisticated" but are not really offering any usable information. This is a problem because it creates an image of attackers as mythological creatures rather than humans with limitations." Andreas Lindh
Malvertising in apps
The Skype application has been asking users to install a malicious Flash download due to a hijacked ad network. If you see ads in any Windows application, chances are it is using the same rendering engine as Internet Explorer, embedded inside the application; this is very easy to do on Windows. One of the big dangers is that the security of this embedded IE control is worse than that of the Internet Explorer browser itself. Specifically, there is no sandbox around the embedded view, which makes it easier for exploits to get through. Unlike your browser, though, you cannot browse to potentially malicious sites from it, so you are normally safe. But when an ad network gets hijacked, an exploitation vector opens up.
OpenSSL announced fixes this week for a couple of low and moderate severity vulnerabilities, mostly memory issues that seem unlikely to be exploitable and some downgrade issues. One interesting bug is "Bignum squaring may produce incorrect results (CVE-2014-3570)". Kryptos Logic explains how this sort of vulnerability can be detected using Z3.
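Bugs like CVE-2014-3570 are wrong answers on rare inputs rather than crashes, so they are only found by checking results against an oracle. The following is an added example, not code from the newsletter, from OpenSSL or from Kryptos Logic: a fixed-width limb squaring routine (constructed here, with 32-bit limbs and the usual "compute cross products once, then double" shortcut whose carry handling is where such bugs hide) and a randomized differential check against Python's arbitrary-precision integers, which is a cheaper cousin of the Z3 equivalence check Kryptos Logic describes.

```python
import random

LIMB_BITS = 32
LIMB_MASK = (1 << LIMB_BITS) - 1


def to_limbs(n):
    """Split a non-negative int into little-endian 32-bit limbs."""
    limbs = []
    while n:
        limbs.append(n & LIMB_MASK)
        n >>= LIMB_BITS
    return limbs or [0]


def from_limbs(limbs):
    return sum(l << (LIMB_BITS * i) for i, l in enumerate(limbs))


def square_limbs(a):
    """Fixed-width squaring (constructed for this example, not OpenSSL's).
    Every intermediate is masked to LIMB_BITS so carries must be tracked
    by hand, exactly as in a C or assembly implementation."""
    n = len(a)
    r = [0] * (2 * n)
    for i in range(n):                      # cross products a_i*a_j, i < j
        carry = 0
        for j in range(i + 1, n):
            t = a[i] * a[j] + r[i + j] + carry   # bounded by 2^64 - 1
            r[i + j] = t & LIMB_MASK
            carry = t >> LIMB_BITS
        r[i + n] = carry
    carry = 0
    for k in range(2 * n):                  # double the cross products
        t = (r[k] << 1) | carry
        r[k] = t & LIMB_MASK
        carry = t >> LIMB_BITS
    carry = 0
    for i in range(n):                      # add the diagonal a_i^2 terms
        sq = a[i] * a[i]
        for k, part in ((2 * i, sq & LIMB_MASK), (2 * i + 1, sq >> LIMB_BITS)):
            t = r[k] + part + carry
            r[k] = t & LIMB_MASK
            carry = t >> LIMB_BITS
    return r


def find_mismatch(sqr, trials=2000, max_limbs=8, seed=1):
    """Differential check: return an input whose square is wrong, or None.
    Limbs are biased toward 0, 1 and all-ones to exercise carry paths."""
    rng = random.Random(seed)
    for _ in range(trials):
        n = rng.randint(1, max_limbs)
        limbs = [rng.choice([0, 1, LIMB_MASK, rng.getrandbits(LIMB_BITS)])
                 for _ in range(n)]
        x = from_limbs(limbs)
        if from_limbs(sqr(limbs)) != x * x:
            return x
    return None
```

Plugging a different squaring routine into `find_mismatch` is enough to test it; a returned value is a concrete counterexample to hand back to the implementer.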
Diversionary Tactics 101
In light of the North Korea attribution to the Sony hack, this write-up from Jeff Horne of Accuvant from Dec 23 is a good read. It discusses different techniques used for malware attribution and how they can be modified by an attacker.
This research publication from Dec 6 shows how Google avoids many of the problems of attackers moving laterally within networks by not having a privileged internal network at all. Many companies have internal servers that are softer targets than they should be: everything inside the network is assumed to be more trusted, which creates problems once an attacker breaches the perimeter. Google avoids this trust issue, and the paper shows how only properly authenticated devices and users are able to access enterprise resources, regardless of where they connect from.
A paper from the nccgroup and a two-month-old paper from Microsoft show what Intel SGX is and how it can be used. Intel SGX is a trusted execution environment that allows software to run in a potentially untrusted environment such that the protected software maintains its integrity and confidentiality (nothing outside it can read or write its memory). The point is that whereas normally you are trying to protect a privileged environment (a VM host) from untrusted code (the VM guest), SGX lets you protect the guest from the host.
iSIGHT raises $30M: iSIGHT Partners provides threat intelligence. They just closed a $30M Series C with Bessemer Venture Partners. This brings the Dallas-based company's total funding to date to $43M since its founding in 2006. The VC investor behind the funding described his reasoning, which is that 2014 is the year the "cyber dam broke", with many breaches taking place. One of the problems today is too many alerts going off. "Instead of finding more anomalies, startups would better spend their time finding ways to eliminate alerts that don’t matter, and highlighting the ones that do. They would provide the analysts with better tools for connecting the alerts into incidents and campaigns, tapping into the skills of experienced 'military grade' hackers to profile the attack patterns."
Publications and Conference materials
- SECURE 2014: Took place in Warsaw, Poland in late October.
- Video archives of security conferences and workshops for 2014: Collected by Contagio
- Secure SSH: A configuration guide for securing SSH by removing its weaker, or less trusted, ciphers.
- Remote Debugging with QEMU and IDA Pro
- List of Windows kernel callback functions
- sigreturn oriented programming for exploitation on Linux
- Gogo Inflight Internet issuing fake SSL certificates
- Triaging a System Infected with Poweliks: Corey Harrell shows how to do incident response for fileless malware.
- NOAA insider charged with providing information to China on US dams
- Infiltrating a network via Powerline (HomePlugAV) adapters: Interesting discussion of how crypto problems can be used for compromise.