Downclimb: Summit Route's Weekly Infosec News Recap
2015.02.06 – 2015.02.13: https://SummitRoute.com
"Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life." the grugq
"'Unpreventable' is code for 'not responsible bc the adversary was more motivated to win than I was to defend.'" Anup Ghosh (CEO of Invincea)
"Cyber has shifted balance between offensive and defensive in warfare. Offensive easy and cheap. Defence difficult and expensive." Carl Bildt (former Prime Minister of Sweden)
"What do I expect the Cyber Threat Intelligence Integration Center to provide that DHS, FBI, NSA, and CIA don't already?
A 5 letter acronym" Waylon Grange
"We put the 'security' in 'job security'." Dan Kaminsky
"If you have the choice between spending your limited post-breach resources on chasing attribution or fixing stuff, I suggest you fix stuff." Jack Daniel
"Unix: the only place a dollar sign conveys a LACK of privilege." 0xabad1dea
"whenever I get an unlikely cert validation error, I hope I'm important enough to be the victim of an incompetent state sponsored attack" Yan Zhu
New Cyber Threat Agency
The Obama administration is creating a new agency, the Cyber Threat Intelligence Integration Center, to deal with cyber threats. It's unclear what it will do that other agencies aren't already doing, but it will start with 50 people and a budget of $35M.
Facebook announced ThreatExchange, a platform for sharing threat information. Few details about what it actually does have been announced, but several other companies (Twitter and Dropbox among them) are participating.
- Landing page: https://threatexchange.fb.com/
- More technical info: https://www.facebook.com/notes/protect-the-graph/understanding-online-threats-with-threatdata/1438165199756960
White House Summit on Cybersecurity and Consumer Protection
President Obama is in Silicon Valley today talking with CISOs from various tech companies. The NIST Cybersecurity Framework, released in February 2014 as the result of a 2013 Executive Order, provides a roadmap for the cybersecurity investments companies should make; Intel, Apple, Bank of America, AIG, Walgreens, and others have shown some form of commitment to it. The President is signing an Executive Order today to promote the sharing of cybersecurity information. The creation of the new cyber threat agency and Facebook's ThreatExchange announcement both appear timed to coincide with this Executive Order.
- Cybersecurity Framework: http://www.nist.gov/cyberframework/
Automatic YARA rule generation
Joe Security announced a new service that automatically generates YARA rules from an uploaded sample. The rules are clearly produced by some form of machine learning, as was seen in 2012 with Adobe's Malware Classifier, and so they end up keyed on fairly irrelevant details of the PE file, such as section names ("pe.sections.name contains '.data'") and common strings in the binary (such as "$s16 = 'MS Sans Serif' fullword nocase wide ascii") that appear in a great many benign executables as well, which invites false positives. It's a good start though.
- Blog post: http://joe4security.blogspot.ch/2015/02/introduction-yara-rule-generator.html
- The service: http://www.yara-generator.net/
- Adobe's Malware Classifier from 2012: http://www.h-online.com/security/news/item/Adobe-open-sources-Malware-Classifier-tool-1500289.html
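The weakness described above is that a generator keeps whatever it finds in the one sample, including section names and stock GUI strings that match most Windows executables. The following is an added example (not Joe Security's code or anything from the page) of the filtering step a practitioner would want in front of the rule writer: score each candidate string by how often it appears in a corpus of known-clean files, drop PE section names outright, and only then emit the rule. The sample strings and the goodware corpus are constructed inline; the ".pdb" path and C2-style URL are assumed indicators, not taken from any real sample.

```python
"""Filter auto-generated YARA string candidates against a goodware corpus.

Added example, not the page's or Joe Security's code. The sample strings and
the benign corpus below are constructed; real use would feed in strings pulled
from a set of known-clean PE files.
"""
from collections import Counter

# Strings extracted from the one submitted sample (constructed).
SAMPLE_STRINGS = [
    ".text", ".data", ".rsrc",
    "MS Sans Serif",
    "KERNEL32.dll", "GetProcAddress",
    "C:\\Users\\dev\\Desktop\\keylogger\\Release\\kl.pdb",   # assumed indicator
    "http://update-check.invalid/gate.php",                  # assumed C2 URL
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
]

# Strings from a few benign PE files (constructed). Each inner list is one file.
GOODWARE_STRINGS = [
    [".text", ".data", ".rsrc", "MS Sans Serif", "KERNEL32.dll", "GetProcAddress"],
    [".text", ".data", ".reloc", "MS Sans Serif", "USER32.dll", "GetProcAddress"],
    [".text", ".rdata", ".rsrc", "KERNEL32.dll", "LoadLibraryA",
     "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"],
    [".text", ".data", ".rsrc", "MS Sans Serif", "Tahoma", "GetProcAddress"],
]

# Section names carry no signal on their own and are dropped unconditionally.
PE_SECTION_NAMES = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata", ".edata", ".bss"}


def prevalence(strings_by_file):
    """Fraction of corpus files in which each string occurs at least once."""
    counts = Counter()
    for strings in strings_by_file:
        counts.update(set(strings))
    n = len(strings_by_file)
    return {s: c / n for s, c in counts.items()}


def select_strings(sample, corpus, max_prevalence=0.2, min_len=6):
    """Keep sample strings that are rare in goodware and are not section names."""
    prev = prevalence(corpus)
    keep = []
    for s in sample:
        if s in PE_SECTION_NAMES or len(s) < min_len:
            continue
        if prev.get(s, 0.0) > max_prevalence:
            continue
        keep.append(s)
    return keep


def yara_escape(s):
    """Escape backslashes and quotes for a YARA text string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name, sample, corpus, min_match=2):
    """Emit a YARA rule over the surviving strings, gated on the MZ header."""
    chosen = select_strings(sample, corpus)
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(chosen):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii wide')
    if chosen:
        condition = f"uint16(0) == 0x5A4D and {min(min_match, len(chosen))} of ($s*)"
    else:
        condition = "false"   # nothing distinctive survived; do not ship a rule
    lines += ["    condition:", f"        {condition}", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_rule("auto_sample", SAMPLE_STRINGS, GOODWARE_STRINGS))
```

With the constructed corpus, ".data" and "MS Sans Serif" are removed (the first as a section name, the second because three of four clean files carry it), and the rule is left with the PDB path and the URL, requiring both to match. The prevalence threshold is the knob to tune against whatever clean corpus is available; a string seen in even one in five goodware files is a poor hunting indicator on its own.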
Forbes used for actual sophisticated attack
The Forbes.com "Thought of the Day" interstitial appears when you follow a link to Forbes.com. This Adobe Flash widget was compromised and used to infect visitors with two chained 0-days, with the payload delivered only to visitors from specific targeted firms and withheld from everyone else. iSIGHT Partners attributes the attack to Chinese cyber-espionage operators it refers to as the Codoso Team.
Someone is "leaking" fake usernames and passwords for a fake Bitcoin trading site to Pastebin. A would-be thief who logs in with those credentials is led to believe they have gained access to someone else's account and can steal its bitcoin; at that point the site tries to collect the thief's own credentials for a real Bitcoin site.
APK MiTM in China
Few details are available, but it appears that when users in China download APKs (Android packages), a man-in-the-middle substitutes different apps for the ones requested; this works because the downloads are unencrypted and the downloading client performs no signature check on what it received.
- One company loses $17.2M after spear-phishing: The Omaha-based Scoular Co, a commodities trading firm with 800 employees and $6.2 billion in annual revenue, received social-engineering emails that tricked an employee into wiring $17.2M to a bank in China in the belief that Scoular was purchasing a company there.
- TurboTax potentially breached: > "TurboTax owner Intuit Inc. said Thursday that it is temporarily suspending the transmission of state e-filed tax returns in response to a surge in complaints from consumers who logged into their TurboTax accounts only to find crooks had already claimed a refund in their name."
- Symantec Ordered to Pay $17 Million for Patent Infringement: The patent licensing firm Intellectual Ventures originally sought $298M from Symantec, and had also filed lawsuits in 2010 against McAfee, Check Point, and Trend Micro. McAfee and Check Point settled in 2012 and 2013 (for undisclosed amounts), and the Trend Micro case starts in May.
Publications and Conference materials
- AppSec is Eating Security: OWASP keynote from Alex Stamos, the CISO of Yahoo. This is one of the best cyber security keynotes ever done. Few people understand both the business needs of a large company and the deep technical details.
- Collection of source code for various malware including: Dexter v2, Rovnix, Carberp, Tinba, Zeus, KINS, Dendroid, Grum, Pony 2.0, Alina Spark, and RIG Front-end.
- Command-line logging: Microsoft released an update that records the full command line of every newly created process in the Windows event log as part of process-creation auditing. Threat actors increasingly work from the command line to avoid antivirus and other protection tools, so this captures their activity, and the same records can be used to tighten protections by showing how little the command line is actually used by legitimate users on a network.
- KRBTGT Account Password Reset Script: Microsoft has released a script to reset the password of the KRBTGT account, the key that signs Kerberos tickets for a domain. An attacker who obtains it can forge "Golden Ticket" TGTs, and because this password was almost never changed in practice, that access let them escalate privileges and move laterally indefinitely. The password must be reset twice (allowing time for replication in between), since the domain still honours tickets encrypted with the previous key.
- Windows Binary Analyzer: Web app that extracts a variety of PE information, focused mostly on identifying potential security weaknesses in the executable.
- Bindead: An open-source static analysis tool for binaries, covering ground one would otherwise turn to IDA Pro for.
- JASBUG: Group Policy clients commonly fetch policy files and scripts from UNC paths on domain servers; an attacker on the local network who can perform ARP spoofing can impersonate that server and supply a malicious file in its place, running code on domain-joined machines. This enables lateral movement within a network.
- Firmware Forensics: Diffs, Timelines, ELFs and Backdoors
- An In-depth analysis of the Fiesta Exploit Kit: An infection in 2015
- VirusTotal working to reduce false positives. Eventually, we'll hopefully get to a point where security vendors start telling you files are trusted, instead of only telling you when a file is known bad.
- One-Bit To Rule Them All: Bypassing Windows’ 10 Protections using a Single Bit
- Exploiting CVE-2015-0318: Project Zero writes up a Flash vulnerability in the PCRE regex engine that Flash bundles for ActionScript regular expressions.
- Popping alert(1) in Flash
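The command-line logging item above argues that recorded process command lines serve two purposes: catching attacker tradecraft, and measuring how little the command line is used by legitimate users so that it can be restricted. The following is an added example (not Microsoft's tool or anything from the page) of both uses over a set of constructed process-creation events. It assumes a flat, one-event-per-line export carrying the field labels of Windows Event ID 4688 ("Account Name", "New Process Name", "Process Command Line"); the events, the account names and the encoded PowerShell payload are all constructed, and the detection patterns are this example's own choices.

```python
"""Triage process-creation events that carry the full command line.

Added example; not Microsoft's tool or the page's code. Assumes a flat
one-event-per-line export using the Event ID 4688 field labels. The events
below are constructed, including the base64 PowerShell payload.
"""
import base64
import re
from collections import Counter

SAMPLE_EVENTS = r"""EventID: 4688 | Account Name: alice | New Process Name: C:\Windows\System32\cmd.exe | Process Command Line: cmd.exe /c dir
EventID: 4688 | Account Name: svc_backup | New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process Command Line: powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
EventID: 4688 | Account Name: bob | New Process Name: C:\Windows\System32\net.exe | Process Command Line: net  user backdoor P@ssw0rd /add
EventID: 4688 | Account Name: alice | New Process Name: C:\Program Files\Internet Explorer\iexplore.exe | Process Command Line: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1234
EventID: 4688 | Account Name: bob | New Process Name: C:\Windows\System32\wbem\WMIC.exe | Process Command Line: wmic /node:FILESRV01 process call create "cmd.exe /c whoami > \\FILESRV01\c$\out.txt"
EventID: 4688 | Account Name: carol | New Process Name: C:\Windows\System32\cmd.exe | Process Command Line: cmd.exe /c vssadmin delete shadows /all /quiet
"""

EVENT_RE = re.compile(
    r"Account Name:\s*(?P<acct>[^|]+?)\s*\|\s*New Process Name:\s*(?P<proc>[^|]+?)"
    r"\s*\|\s*Process Command Line:\s*(?P<cmd>.*)$"
)

# Command-line patterns that rarely occur in routine administration.
# The selection is this example's assumption, tuned to the constructed events.
RULES = [
    ("encoded_powershell", re.compile(r"powershell.*\s-(?:e|ec|enc|encodedcommand)\s", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("local_account_add", re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add", re.I)),
    ("shadow_copy_deletion", re.compile(r"vssadmin\s+delete\s+shadows", re.I)),
    ("remote_wmic_exec", re.compile(r"wmic\s+/node:\S+\s+process\s+call\s+create", re.I)),
]

SHELLS = {"cmd.exe", "powershell.exe"}


def parse_events(text):
    """Return one dict (acct, proc, cmd) per parseable event line."""
    return [m.groupdict() for line in text.splitlines() if (m := EVENT_RE.search(line))]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd):
    """Return the UTF-16LE plaintext of a PowerShell -enc argument, or None."""
    m = re.search(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Names of all rules whose pattern matches the event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmd"])]


def triage(text):
    """Events that hit at least one rule, with any encoded payload decoded."""
    findings = []
    for ev in parse_events(text):
        rules = classify(ev)
        if rules:
            findings.append({"account": ev["acct"], "process": basename(ev["proc"]),
                             "rules": rules, "decoded": decode_encoded_command(ev["cmd"])})
    return findings


def shell_usage(events):
    """Per-account count of cmd/PowerShell launches: the baseline for deciding
    which accounts need an interactive shell at all."""
    counts = Counter(ev["acct"] for ev in events if basename(ev["proc"]) in SHELLS)
    return dict(counts)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print(shell_usage(parse_events(SAMPLE_EVENTS)))
```

On the constructed data, four of the six events are flagged (the encoded and hidden PowerShell, the local account creation, the remote WMIC execution, and the shadow-copy deletion) and the encoded argument decodes to the start of a download cradle. The shell-usage tally shows that only three accounts ever launched a shell, which is the kind of evidence the item above refers to when it suggests using these logs to justify restricting the command line.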