Downclimb: Summit Route's Weekly Infosec News Recap
2015.01.09 – 2015.01.16: https://SummitRoute.com
"And while I view the greatest potential contradiction between cybersecurity and science to be the sentient opponent, it may be that it is the rate of change of the technical fabric which is ultimately distinguishing."
Dan Geer to the NSF; January 6, 2015
"isn't google's "thing" to give vendors 90 days to fix issues? Doesn't apply to forks or what?"
"You want a formal disclosure for every random github project? Do you take a penny you found on the street to the authorities?"
"I just didn't realize the google disclosure policy was so subjective :) How many users does a project need to qualify for 90 days?"
From a conversation between Aaron Portnoy (of Exodus Intelligence) and Tavis Ormandy (of Google) about Tavis dropping 0-day on Aviator (a Google Chrome fork).
President Obama's cyber security interests
The President of the United States State of the The Union address (POTUS SOTU for those from DC) will take place next Tuesday. Much of these talks is kept in secret until it is delivered, but it has been revealed that cyber security will play a key role. Of particular interest are the Law Enforcement provisions he outlined in a proposal to congress to make the sale of some hacking related tools illegal. Many security tools are dual-use, so this proposal is being keenly watched, especially by those in offensive research.
Lizard Squad: Home routers and bot source
Sony and Microsoft's gaming networks were shutdown around Christmas due to a DDoS attack from a group called Lizard Squad. They run a booter service, which is a service to DDoS sites. Interestingly, Brian Kreb's found that this service is run off of hacked home routers that are using default username and passwords.
The Lizard Squad members are being arrested, and this week someone posted the source code for their bots and servers (a simple 2000 line IRC bot, nothing too exciting).
Google vuln disclosure practices
Over a year ago, on Oct 21, 2013, WhiteHat Security announced their own browser, Aviator, which is a fork of Google Chrome. WhiteHat Security has some good folks working for them, and the purpose of this free product was to take the most secure browser out there (Google Chrome) and also make it one that doesn't reduce your privacy. Their marketing makes the bold claim of this being "the most secure and private Web browser available". It was a good idea, but it was criticized for not being open-source (which Google Chrome mostly is) so people couldn't really tell what had been added or changed to create Aviator. Privacy advocates especially dislike proprietary software and that was the target audience.
This past week WhiteHat Security open-sourced their Aviator product and immediately Tavis Ormandy (of Google) tweeted a 0-day vulnerability he spotted in the code with a PoC exploit for it and called out other problems with the changes that had been made. This is where the earlier quote from Tavis comes from where he stated "You want a formal disclosure for every random github project? Do you take a penny you found on the street to the authorities?" Justin Schuh (of Google's Chrome Security team) also wrote a post about why you shouldn't use Aviator. The Aviator team responded as best as you can when the 800 pound gorilla Google has their security team publicly rip apart your product (it's unclear if this was done on the clock or under specific direction from someone at Google).
On the one hand, you have to give credit to WhiteHat Security for what some of their goals were and for apparently being successful enough that they poked the bear. You also have to give them credit for being willing to open-source their product completely so people could see what turned out to be some faults in what they did. On the other hand, many of their changes were simply rebranding and marketing for themselves instead of Google and these changes were not implemented as well as may have been hoped. A good recap of the incident is at , by Nasko Oskov (another Google employee, but a developer for Chrome, specifically working on their security) with the simple message to "Be Humble", wherein he states that those in offense and defense should try on each other's shoes.
Google's vuln disclosure practices also made the news this week after they dropped 0-day on Microsoft, the day before Microsoft patched it in their monthly Patch Tuesday round-up. Google has an uncompromising 90-day disclosure policy, and Microsoft has a somewhat uncompromising monthly patch cycle. Unlike WhiteHat Security, Microsoft are themselves another 800 pound gorilla, so it'll be interesting to see how this feud plays out. Chris Betz from Microsoft made a public statement on the Microsoft Security Response Center blog about Google's actions.
Space Rogue, a man that has been in the industry since his days at the L0pht in the 90s, commented on this incident, which ultimately comes down to this being a debate that has been going on for over a century since the days of lock smiths. What is interesting now, versus the 90s when this debate was first popularized for software vulnerabilities, is historically it was a lone researcher interacting with a software giant. The researcher was technically in control, but was somewhat concerned by potential legal action that the software giant might take against them. Google however isn't scared of Microsoft.
- Google rips apart Aviator: https://plus.google.com/u/0/+JustinSchuh/posts/69qw9wZVH8z
- Be Humble (recap of the Aviator incident): http://netsekure.org/2015/01/10/be-humble/
- The vuln that was released just before Patch Tuesday: "Windows Elevation of Privilege in User Profile Service": https://code.google.com/p/google-security-research/issues/detail?id=123
- Microsoft discussion of disclosure: http://blogs.technet.com/b/msrc/archive/2015/01/11/a-call-for-better-coordinated-vulnerability-disclosure.aspx
- Space Rogue's commentary: "In the Beginning There was Full Disclosure": http://www.spacerogue.net/wordpress/?p=536
Evolution of Agent.BTZ
This research shows the percentage of code differences between different versions of Agent.BTZ. It tracks it's evolution from 2007 until now across 46 versions. Nothing earth shattering is revealed, but it does prove many assumptions. For example, it shows that the compilation timestamps between releases have not been manipulated up until the most recent release.
Hacking a Bitcoin Exchange
Post from Egor Homakov of Sakurity about vulnerabilities he found while looking at the open source crypto currency exchange Peatio in order to steal the hot wallet. Most interesting is his look at bypassing two-factor authentication.
Predictions for 2015
In case you missed it, I made the following predictions for 2015:
- Poland will become a major focus for infosec.
- Certificate Authorities will be more closely scrutinized.
- Malware detonation platforms will evolve towards client honeypots.
- Multifactor authentication will become more common, but this will be driven more by a marketing need than security.
- Developers and admins will be targeted.
- MiTM attacks will impact businesses.
- Threat Intelligence will endure transparency by specializing.
Publications and Conference materials
- S4x15: This SCADA and ICS security conference took place in Miami, Florida. Some slides have been posted by the presenters.
- "how to fuzz 100+ industrial DTMs and stay alive" by Alexander Bolshev.
- Ntpdc Local Buffer Overflow: This write-up is interesting due to the depth it goes into in getting code execution and needing to neuter NX/RELRO/Canary/SSP/ASCII Armor.
- UAC bypass used in Simda since 2010 discovered by FireF0X.
- Supreme Leader's Not-That-Supreme Malwares: Analysis of malware that infects visitors to the "Korean Central News Agency of DPRK" website by CodeAndSec.