Downclimb

2015.01.30


Downclimb: Summit Route's Weekly Infosec News Recap
2015.01.23 – 2015.01.30: https://SummitRoute.com

Quotes

"So the next step in infosec is a YouTube interview along with the advisory. Just, wow." twiz (@lazytyped)


"Let's all thank John von Neumann for that data can become code so easily." @joernchen

Top stories

GHOST

(CVE-2015-0235) Qualys disclosed a buffer overflow in glibc's __nss_hostname_digits_dots(), which is reachable through gethostbyname(), gethostbyname2() and their *_r variants[1]. The overflow is small (at most sizeof(char *) bytes: 4 on 32-bit, 8 on 64-bit), but it is enough to corrupt adjacent memory. The bug had already been found and fixed on May 21, 2013 (between glibc 2.17 and 2.18), but the fix was not flagged as a security fix, so many long-term-support Linux distributions never backported it. What Qualys contributed therefore was not the bug itself but the demonstration that it can be exploited. The flaw was introduced in glibc 2.2 (November 2000) and remained until 2013.

Qualys took the vulnerability marketing game to a new level by creating not just a logo but also a YouTube video[2].

The vulnerability is in a very common library (glibc) and has been around long enough to be present in many applications, but it is unlikely to be exploitable in most of them: the overflow is at most one pointer wide, the hostname that triggers it must consist only of digits and dots (the first character a digit, the last not a dot) and be long enough to fill the caller's buffer, and applications that resolve names with getaddrinfo() rather than the obsolete gethostbyname*() functions never reach the buggy code. So far the only application Qualys has shown to be remotely exploitable is the Exim mail server. An explanation of why this vuln is not a big concern is here[3].

  1. Technical discussion: https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
  2. Youtube video and logo: https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
  3. Why this vuln is not a big deal: http://blog.erratasec.com/2015/01/some-notes-on-ghost.html#.VMqYk2g1r3Q
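The practical question for most readers is whether the glibc on a given box still has the bug. The program below is an added example (not code from this page, and not Qualys's own test program, although it follows the approach their advisory describes): it hands gethostbyname_r() a 1024-byte buffer immediately followed by a canary, asks for a digits-only name sized so that the unpatched length computation (which omits the sizeof(char *) for the alias pointer) believes the buffer fits exactly, and then checks whether the canary survived. A patched glibc rejects the undersized buffer with ERANGE before touching it. The canary string and buffer size are arbitrary choices made here.

```c
/* ghost_check.c: local test for CVE-2015-0235 (GHOST).
 * Added example modeled on the Qualys advisory's canary technique.
 * Build: gcc -o ghost_check ghost_check.c && ./ghost_check
 */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"   /* arbitrary marker chosen for this example */

/* Returns 1 if glibc wrote past the buffer (vulnerable), 0 if it refused the
 * undersized buffer with ERANGE (patched), -1 if the result is inconclusive
 * (for example a non-glibc libc that takes a different code path). */
static int ghost_check(void)
{
    /* Scratch buffer for gethostbyname_r, with a canary placed right after it
     * so that any overflow past the buffer clobbers the canary. */
    struct {
        char buffer[1024];
        char canary[sizeof(CANARY)];
    } temp;
    struct hostent resbuf;
    struct hostent *result = NULL;
    char name[sizeof(temp.buffer)];
    int herrno = 0;
    int retval;
    size_t len;

    memset(&temp, 0, sizeof(temp));
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    /* The digits-and-dots path needs room for a 16-byte address (host_addr),
     * two address pointers (h_addr_ptrs) and the name plus its NUL. The
     * unpatched code forgot the extra pointer for h_alias_ptr, so a name of
     * exactly this length makes it believe 1024 bytes are enough. */
    len = sizeof(temp.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
    memset(name, '0', len);          /* all digits: routes into __nss_hostname_digits_dots() */
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);

    if (memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0)
        return 1;                    /* canary overwritten: the overflow happened */
    if (retval == ERANGE)
        return 0;                    /* patched glibc: buffer correctly judged too small */
    return -1;                       /* neither outcome: inspect manually */
}

int main(void)
{
    switch (ghost_check()) {
    case 1:
        puts("vulnerable");
        return 0;
    case 0:
        puts("not vulnerable");
        return 0;
    default:
        puts("inconclusive");
        return 1;
    }
}
```

Because the name is purely numeric, no DNS lookup is attempted: the length check happens before inet_aton() is ever consulted, so the test is safe to run offline. Note that this only tells you whether the library is patched, not whether any particular application on the host exposes a vulnerable call path.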

BlackPwn: BlackPhone SilentText Type Confusion Vulnerability

Mark Dowd from Azimuth Security in Australia discusses a vulnerability he found in the privacy-focused, Android-based BlackPhone. All the attacker needs is the target's Silent Circle ID (Silent Circle makes the phone's privacy apps) or phone number; with that, they can decrypt messages or run arbitrary code on the phone. The root problem is the use of a third-party library: specifically, how SCIMP (Silent Circle Instant Message Protocol) uses libyajl ("Yet Another JSON Library"). The problem is that libyajl can decode Base64 data multiple times and the Silent Circle code does not take this into account. Issues of this kind, where the question is whether an input can be decoded more than once, are difficult for fuzzers to detect. Furthermore, be aware that as libraries mature (and are thus assumed to be more trustworthy) they also grow more complicated.

Best Defensive Practices for Destructive Malware

The NSA has released a "best practices" guide on mitigating destructive malware[1]. It has much the same advice as the Australian Signals Directorate's (formerly DSD) "Strategies to Mitigate Targeted Cyber Intrusions"[2]. Both advocate application whitelisting as the top recommendation, which is one of the important features Summit Route is developing in our product.

  1. NSA's guide: https://www.nsa.gov/ia/_files/factsheets/Defending_Against_Destructive_Malware.pdf
  2. Australia's ASD (formerly DSD) guide: http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm

Analysis of Project Cobra

This technical analysis from G DATA looks at another branch of the framework used by the actors behind Uroburos and Agent.BTZ. In the age of over-marketed security research, I was happy to see ASCII diagrams and solid technical info in this write-up.

AFL

American Fuzzy Lop (AFL) is becoming a very popular fuzzing tool. Its internals are explained by its author, Michał Zalewski (lcamtuf), in[1]. The core idea is compile-time instrumentation that records which branch-pairs (edges) a test case exercises in a 64 KB shared bitmap, with hit counts coarsened into buckets, plus a genetic algorithm that keeps any input that reaches a new edge or a new bucket.

Also in news about AFL, Parker Thompson (@m0thran) has created a tool called aflpin[2] to enable "afl to fuzz blackbox binaries using a pin tool to trace execution branches."

  1. Internals of AFL: http://lcamtuf.coredump.cx/afl/technical_details.txt
  2. aflpin: https://github.com/mothran/aflpin
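To make the coverage mechanism concrete, here is an added example (written for this recap, not AFL's own source) that reproduces in plain C the three pieces of AFL's feedback loop described in technical_details.txt: the per-block instrumentation (`map[cur ^ prev]++; prev = cur >> 1`), the bucketing of hit counts into the ranges 1, 2, 3, 4-7, 8-15, 16-31, 32-127 and 128+, and the `has_new_bits` comparison against a "virgin" map that decides whether an input is interesting. Block IDs in real AFL are random values assigned at compile time; the three IDs in `demo()` are made up for this example, and the hit counter saturates at 255 here where AFL 1.x simply wraps.

```c
/* afl_coverage.c: AFL-style edge coverage and novelty detection.
 * Added example; block IDs and paths below are constructed for illustration.
 * Build: gcc -o afl_coverage afl_coverage.c && ./afl_coverage
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_SIZE (1u << 16)   /* AFL uses a 64 KB shared bitmap */

typedef struct {
    uint8_t map[MAP_SIZE];    /* hit count per edge for the current run */
    uint16_t prev_location;   /* state carried between instrumented blocks */
} afl_trace;

/* Index of the edge prev->cur. The shift keeps A->B distinct from B->A and
 * lets a tight loop A->A land somewhere other than index 0. */
static uint16_t edge_index(uint16_t prev, uint16_t cur)
{
    return (uint16_t)(cur ^ (prev >> 1));
}

/* What the instrumentation injected at every basic block does at runtime. */
static void trace_block(afl_trace *t, uint16_t cur_location)
{
    uint8_t *slot = &t->map[cur_location ^ t->prev_location];
    if (*slot != 255)         /* saturate; AFL 1.x lets the u8 wrap */
        (*slot)++;
    t->prev_location = cur_location >> 1;
}

/* Replay a path of block IDs from program entry (prev_location starts at 0). */
static void run_path(afl_trace *t, const uint16_t *blocks, size_t n)
{
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i < n; i++)
        trace_block(t, blocks[i]);
}

/* AFL's count_class_lookup: collapse raw hit counts into bit flags so that
 * "loop ran 4 times" and "loop ran 6 times" are not treated as new paths. */
static uint8_t bucket(uint8_t hits)
{
    if (hits == 0) return 0;
    if (hits == 1) return 1;
    if (hits == 2) return 2;
    if (hits == 3) return 4;
    if (hits <= 7) return 8;
    if (hits <= 15) return 16;
    if (hits <= 31) return 32;
    if (hits <= 127) return 64;
    return 128;
}

static void virgin_init(uint8_t *virgin)
{
    memset(virgin, 0xFF, MAP_SIZE);   /* every bucket of every edge still unseen */
}

/* Returns 2 if the run hit an edge never seen before, 1 if it only reached a
 * new hit-count bucket on a known edge, 0 if nothing was new. Clears the
 * matching virgin bits so the same discovery is not reported twice. */
static int has_new_bits(uint8_t *virgin, const afl_trace *t)
{
    int ret = 0;
    for (size_t i = 0; i < MAP_SIZE; i++) {
        uint8_t b = bucket(t->map[i]);
        if (b && (b & virgin[i])) {
            if (ret < 2)
                ret = (virgin[i] == 0xFF) ? 2 : 1;
            virgin[i] &= (uint8_t)~b;
        }
    }
    return ret;
}

/* Feed a few constructed paths through the queue logic and report verdicts. */
static int demo(void)
{
    static uint8_t virgin[MAP_SIZE];
    static afl_trace t;
    const uint16_t A = 0x1234, B = 0x5678, C = 0x9abc;   /* made-up block IDs */
    const uint16_t straight[] = {A, B, C};
    const uint16_t skip[]     = {A, C};
    const uint16_t loop3[]    = {A, B, B, B, C};
    const uint16_t loop5[]    = {A, B, B, B, B, B, C};
    int verdicts = 0;

    virgin_init(virgin);
    run_path(&t, straight, 3); verdicts = verdicts * 10 + has_new_bits(virgin, &t); /* 2 */
    run_path(&t, straight, 3); verdicts = verdicts * 10 + has_new_bits(virgin, &t); /* 0 */
    run_path(&t, skip, 2);     verdicts = verdicts * 10 + has_new_bits(virgin, &t); /* 2 */
    run_path(&t, loop3, 5);    verdicts = verdicts * 10 + has_new_bits(virgin, &t); /* 2 */
    run_path(&t, loop5, 7);    verdicts = verdicts * 10 + has_new_bits(virgin, &t); /* 1 */
    return verdicts;   /* digits of the five verdicts in order */
}

int main(void)
{
    printf("verdicts: %05d\n", demo());
    return 0;
}
```

Running the five paths in order shows the behaviour the paper describes: the first path is new, repeating it is not, skipping B reveals a new edge (A->C), the three-iteration loop reveals the new self-edge B->B, and the five-iteration loop is kept only because B->B moved from the "2 hits" bucket to the "4-7 hits" bucket, which is why AFL tends to collect a small set of loop-count variants rather than one per iteration count.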

New Rules in China Upset Western Tech Companies

"The Chinese government has adopted new regulations requiring companies that sell computer equipment to Chinese banks to turn over secret source code, submit to invasive audits and build so-called backdoors into hardware and software."

Google won't provide patches for old Android devices

Despite Google's Project Zero disclosing zero days in Microsoft and Apple products, Google has decided not to patch some of its own. Specifically, the WebView component in Android 4.3 (Jelly Bean) and earlier will no longer receive fixes.

Adrian Ludwig, a security engineer on the Android project at Google, explained[1]:

"Until recently we have also provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier. But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely."


It seems that Google has been sucker punching Apple and Microsoft, but Risk Based Security published an analysis of the bugs Project Zero has disclosed and which vendors' products they were in[2], which shows this is not entirely the case.

  1. Reason Google won't patch old Android devices: https://plus.google.com/+AdrianLudwig/posts/1md7ruEwBLF
  2. Vendor bias: https://www.riskbasedsecurity.com/2015/01/an-analysis-of-googles-project-zero-and-alleged-vendor-bias/

ADT alarm system hack research results in class action lawsuit

At DEF CON over the summer, research was presented that showed how to defeat the popular ADT alarm system. Although very interesting on its own, what is most interesting is that as a result of that research, a class action lawsuit has been filed against ADT.

Drones

A researcher reverse engineered the Parrot toy drone in order to upload his own firmware to it[1]. This is teaser information, as more details will be presented in the author's talk at Nullcon in Goa, India next week. It is unclear whether he compromised the drone remotely or needed physical access.

In other drone news, the Chinese manufacturer of the drone that crashed onto the White House lawn earlier this week will be providing a firmware update that users can download so that their drones refuse to fly in no-fly zones.

Strategies Without Frontiers

This presentation from BSides Las Vegas over the summer was highlighted by the a16z newsletter, which is sent out by Andreessen Horowitz (one of the large tech venture capital firms). It is interesting when there is cross-over between two interest areas (cyber security and finance).

Business

  • Kaprica releases Tachyon: Kaprica is a security firm formed in recent years by members of the PPP CTF team (Carnegie Mellon's Plaid Parliament of Pwning). Their new Tachyon product "automatically configures and deploys large numbers of Samsung smartphones and tablets".

Publications and Conference materials

  • ShmooCon: a DC-based infosec conference

Other news