Downclimb: Summit Route's Weekly Infosec News Recap
2015.01.23 – 2015.01.30: https://SummitRoute.com
"So the next step in infosec is a YouTube interview along with the advisory. Just, wow." twiz (@lazytyped)
"Let's all thank John von Neumann for that data can become code so easily." @joernchen
(CVE-2015-0235) Qualys discovered that a flaw in glibc's gethostbyname() and related functions can cause a buffer overflow that can be exploited. The flaw was actually found and patched on May 21, 2013, but it was not viewed as a security vulnerability, so many Linux packages were never updated. What Qualys discovered, therefore, was not the flaw itself but that it could be exploited. The bug was present in glibc from 2000 until 2013.
Qualys took the exploit marketing game to a new level by creating not just a logo but also a YouTube video.
The vulnerability is in a very common library (glibc) and has been around long enough to exist in many applications, but in most cases it is unlikely to be exploitable. So far the only known application that can be exploited is the Exim mail server. An explanation of why this vuln is not a big concern is linked below.
- Technical discussion: https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
- Youtube video and logo: https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
- Why this vuln is not a big deal: http://blog.erratasec.com/2015/01/some-notes-on-ghost.html#.VMqYk2g1r3Q
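A local check for the bug, added here as an example (modeled on the test program in the Qualys advisory linked above, not the newsletter's own code): it calls gethostbyname_r() with an all-digit name sized so that an unpatched glibc writes one pointer past the supplied buffer, which shows up as a smashed canary, while a patched glibc rejects the undersized buffer with ERANGE. It assumes the system libc is glibc; on another libc the result is reported as inconclusive.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
/* Canary placed directly after the buffer handed to gethostbyname_r(); a
 * vulnerable glibc writes sizeof(char *) bytes past the buffer and hits it. */
#define CANARY "in_the_coal_mine"

struct probe {
    char buffer[1024];
    char canary[sizeof(CANARY)];
};

/* 1 = canary overwritten (vulnerable), 0 = ERANGE returned (patched glibc),
 * 2 = anything else (e.g. a non-glibc libc that rejects the long name). */
int ghost_check(void)
{
    struct probe temp;
    struct hostent resbuf, *result = NULL;
    char name[sizeof(temp.buffer)];
    int herrno = 0, retval;
    size_t len;

    memset(&temp, 0, sizeof(temp));
    memcpy(temp.canary, CANARY, sizeof(CANARY));
    /* Name length that makes the unpatched size computation (16 bytes of
     * address storage + two address-list pointers + NUL, alias pointer
     * forgotten) exactly fill the buffer, so the bounds check passes. */
    len = sizeof(temp.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
    memset(name, '0', len);          /* all-digit name takes the numeric path */
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return 1;                    /* overflow reached the canary */
    if (retval == ERANGE)
        return 0;                    /* buffer correctly rejected as too small */
    return 2;
}

int main(void)
{
    int rc = ghost_check();         /* 0 = patched, 1 = vulnerable, 2 = inconclusive */
    printf("ghost check: %d\n", rc);
    return rc;
}
```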
BlackPwn: BlackPhone SilentText Type Confusion Vulnerability
Mark Dowd of Azimuth Security in Australia discusses a vulnerability he found in the privacy-focused, Android-based BlackPhone. An attacker needs only the victim's Silent Circle ID (a privacy app) or phone number, and can then decrypt messages or run arbitrary code on the phone. The root problem is their use of a third-party library, specifically in how SCIMP (Silent Circle Instant Message Protocol) uses the library libyajl ("Yet Another JSON Library"). The problem there is that libyajl can decode Base64 data multiple times and the Silent Circle code did not take this into account. Issues of this kind, where one must check whether multiple decodings are possible, are difficult for fuzzers to detect. Furthermore, be aware that as libraries mature (and are thus presumably more trusted), they also get more complicated.
Best Defensive Practices for Destructive Malware
The NSA has released a "best practices" guide on mitigating malware. It has much of the same advice as the Australian DSD's "Strategies to Mitigate Targeted Cyber Intrusions". Both advocate application whitelisting as the top recommendation, which is one of the important features Summit Route is developing in our product.
- NSA's guide: https://www.nsa.gov/ia/_files/factsheets/Defending_Against_Destructive_Malware.pdf
- Australia's DSD guide: http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm
Analysis of Project Cobra
This technical analysis from GDATA looks at another branch of a framework used by the actors that use Uroburos and Agent.BTZ. In the age of over-marketed security research, I was happy to see ASCII diagrams and solid technical info in this write-up.
American Fuzzy Lop (AFL) is becoming a very popular fuzzing tool. Its internals are explained by its author in the write-up linked below.
Also in news about AFL, Parker Thompson (@m0thran) has created a tool called aflpin to enable "afl to fuzz blackbox binaries using a pin tool to trace execution branches."
- Internals of AFL: http://lcamtuf.coredump.cx/afl/technical_details.txt
- aflpin: https://github.com/mothran/aflpin
New Rules in China Upset Western Tech Companies
"The Chinese government has adopted new regulations requiring companies that sell computer equipment to Chinese banks to turn over secret source code, submit to invasive audits and build so-called backdoors into hardware and software."
Google won't provide patches for old Android devices
Despite Google's Project Zero dropping zero days on Microsoft and Apple, Google has decided not to patch some of its own products, specifically Android 4.3 and earlier.
Adrian Ludwig, a security engineer on the Android project at Google, explained:
"Until recently we have also provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier. But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely."
It seems that Google has been sucker punching Apple and Microsoft, but Risk Based Security published an analysis of the bugs Project Zero has disclosed and whose products they were in, which shows this is not entirely the case.
- Reason Google won't patch old Android devices: https://plus.google.com/+AdrianLudwig/posts/1md7ruEwBLF
- Vendor bias: https://www.riskbasedsecurity.com/2015/01/an-analysis-of-googles-project-zero-and-alleged-vendor-bias/
ADT alarm system hack research results in class action lawsuit
At Defcon over the summer, research was presented that showed how to defeat the popular ADT alarm system. Although very interesting on its own, what is most interesting is that, as a result of that research, a class action lawsuit has been filed against ADT.
A researcher reverse engineered the toy Parrot drone in order to upload his own firmware to the drone. This is teaser information, as more information will be presented during the author's presentation at Nullcon in Goa, India next week. It is unclear if he remotely compromised the drone or if he needed physical access.
In other drone news, the Chinese manufacturer of the drone that crashed onto the White House lawn earlier this week will be providing a firmware update that users can download to ensure their drones cannot fly in no-fly zones.
- "Maldrone the First Backdoor for drones": http://garage4hackers.com/entry.php?b=3105
- Drone maker provides update to deny flying in no-fly zones: http://www.bbc.com/news/technology-31023750
Strategies Without Frontiers
This presentation from BSides Las Vegas over the summer was highlighted by the a16z newsletter, which is sent out by Andreessen Horowitz (one of the large tech venture capital firms). It's interesting when there is crossover between two interest areas (cybersecurity and finance).
- Video: https://www.youtube.com/watch?v=jWxtTsRJOYg
- Slides (hard to follow): http://www.slideshare.net/maradydd/strategies-without-frontiers
- Kaprica releases Tachyon: Kaprica is a security firm that was formed in recent years from the PPP CTF team. Their new Tachyon product "automatically configures and deploys large numbers of Samsung smartphones and tablets".
Publications and Conference materials
- Shmoocon: A DC-based infosec conference
- The Vast World of Fraudulent Routing: Discusses IP address hijacking
- Analysis Of An Interesting Windows Kernel Change Mitigating Vulnerabilities In Some Security Products: Discusses privilege escalation vulnerabilities found in many personal security products.
- Screenshot Demo: Carbon Black "Live Response" in Action: Shows some of the features of Carbon Black.
- Project SPARTAN: Some technical details of Microsoft's new browser have been released.
- COMSEC: Presentation from the grugq and Ben Nagy on communications security with many funny pictures to keep people focused.
- Windows 10 introduces two font security features
- Fortinet FortiClient Hardcoded Encryption Keys / Broken SSL Validation