Downclimb

2015.03.01

Downclimb: Summit Route’s Weekly Infosec News Recap
2015.02.22 – 2015.03.01: https://SummitRoute.com

Quotes

“Exploit presentation protip: If your demo isn’t reliable, set calc.exe to be your just in time debugger.” Evan P.

“Statistically speaking it’s more likely for you to be mauled by a bear than for you to properly secure WordPress.” @sadserver

“As Benjamin Franklin said, ‘those who would give up memory safety for performance deserve neither.’” @horse_rust

“Bullshit, that’s all this Lenovo guy is spewing. It was done for MONEY. http://nyti.ms/1JJ3sIG” Marcin Kleczynski (CEO of MalwareBytes)

Top stories

SuperFish fallout

Comodo PrivDog worse than SuperFish

The SuperFish software installed on Lenovo laptops, which was discovered last week to use the same discoverable private key across all installations, used a library called Komodia to accomplish this. Despite the similar name, Comodo is a different company, and the problem with its software is even worse. In the case of SuperFish, anyone can MITM users by using the now-known private SSL key. Additionally, Comodo's PrivDog sends information about every site you visit, unencrypted, to an ad company.

In the case of Comodo's PrivDog software, though, no SSL certificate checks are performed at all, so any private key can be used to intercept traffic. Comodo's main business is SSL certificates, but it also offers endpoint protection software. Expertise in either of those areas should have ensured they didn't do what they did.

  • https://blog.hboeck.de/archives/865-Comodo-ships-Adware-Privdog-worse-than-Superfish.html
  • https://blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html

Lavasoft also using Komodia

Lavasoft is another endpoint protection company, and it was also found to be using the same Komodia libraries that caused the SuperFish problems.

  • http://www.jbgnews.com/2015/02/malicious-code-found-in-lavasoft-security-software/524704.html

Windows kernel memory scanning

An overview of the techniques that anti-cheat software uses to scan Windows kernel memory.

  • http://everdox.blogspot.com/2015/02/how-esea-detects-cheat-software-in-its.html

Hostile python package

At the start of 2015, I predicted that “Developers and admins will be targeted” this year. That prediction has come true: malicious packages were found in the Python Package Index under names chosen to catch those who mistype the names of the packages they want to download.

  • https://blog.shodan.io/hostility-in-the-python-package-index/

Blu-ray exploitation

This post describes two vulnerabilities in Blu-ray disc players: one for exploiting Windows, and the other for physical devices.

  • https://www.nccgroup.com/en/blog/2015/02/abusing-blu-ray-players-pt-1-sandbox-escapes/

Ruby open-uri issues

Sakurity discusses interesting bug classes exposed by the Ruby library open-uri in their post “Using open-uri? Check your code - you’re playing with fire!”

  • http://sakurity.com/blog/2015/02/28/openuri.html

Malware Analysis

  • Equation Group: More analysis from Kaspersky on the USB backdoor functionality used by Equation Group.
  • Caphaw: Also known as Shylock, this malware has been around since 2011 and includes various anti-sandbox and obfuscation techniques.

Analysis of old vulns

Newspaper news

  • Director of National Intelligence attributes Sands hack to Iran government: The Director of National Intelligence, James Clapper, testified before the Senate Armed Services Committee and attributed the 2014 hack of the Sands Las Vegas Corporation to the Iranian government. Customer data such as credit card numbers, social security numbers, and driver's license numbers were stolen, but the hackers also supposedly attempted to destroy data there.
  • SEC on the prowl for cyber security cases: Publicly traded companies must disclose major events that shareholders should know about in what are called Form 8-K filings. For example, when JP Morgan was hacked, it released an 8-K. The SEC (which regulates the disclosures of publicly traded companies) is now on the prowl to investigate companies that have been breached, to ensure they are disclosing information properly and had adequately protected their information in the first place.
  • Security breach at Uber: The ride service Uber had a breach that exposed information about 50,000 drivers.

Business

  • Twilio acquires Authy: Twilio provides an API to interact with the telecom world, such as sending SMS messages. Authy provides two-factor authentication. The amount was not disclosed, but Authy had recently (September 2014) closed a $3M round, bringing their total funding to date to $3.8M.
  • $3M bounty on Zeus Author: A Russian man is believed to be responsible for building and distributing the Zeus malware, which has been used to steal hundreds of millions of dollars.

Publications and Conference materials

  • nullcon: The conference took place in Goa, India, at the start of February. My favorite presentation was “Analyzing Chrome crash reports at scale”, about ClusterFuzz.

Tools

  • WinObjEx64: The open-source tool Windows Object Explorer 64-bit lets you view and edit some of the attributes of objects on a Windows system.
  • SSL Black List: A list of SSL certificates that are known to have been used maliciously.
  • Discussion of how to use Sysmon: Shows how to use Microsoft's Sysmon to collect data about processes started on a system, then feed that into hash analysis and IP address analysis tools.
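To make the Sysmon workflow concrete, here is an added example (written for this recap, not code from the linked discussion or from Microsoft): it parses Sysmon process-create (Event ID 1) and network-connection (Event ID 3) events from their exported XML and checks the process hashes and destination IPs against lookup tables. The three events and the "known bad" tables are constructed sample data standing in for real telemetry and for a hash or IP reputation service.

```python
import xml.etree.ElementTree as ET

# Constructed sample events in Sysmon's exported XML layout (not real telemetry).
# Hash values are placeholders (repeated digits) and IPs come from documentation ranges.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="UtcTime">2015-02-27 10:15:02.123</Data>
    <Data Name="ProcessId">4321</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\update.exe</Data>
    <Data Name="CommandLine">update.exe /silent</Data>
    <Data Name="Hashes">SHA1=1111111111111111111111111111111111111111,SHA256=2222222222222222222222222222222222222222222222222222222222222222</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="UtcTime">2015-02-27 10:15:03.500</Data>
    <Data Name="ProcessId">4321</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\update.exe</Data>
    <Data Name="DestinationIp">198.51.100.7</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="UtcTime">2015-02-27 10:16:00.000</Data>
    <Data Name="ProcessId">800</Data>
    <Data Name="Image">C:\Program Files\Internet Explorer\iexplore.exe</Data>
    <Data Name="DestinationIp">10.0.0.5</Data>
    <Data Name="DestinationPort">80</Data>
  </EventData>
</Event>""",
]

# Placeholder reputation tables; in practice these are answered by a hash
# lookup service and an IP threat-intel feed.
BAD_SHA256 = {"22" * 32}
BAD_IPS = {"198.51.100.7"}


def _local(tag):
    """Strip the XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into {event_id, computer, data: {Name: value}}."""
    root = ET.fromstring(xml_text)
    event = {"event_id": None, "computer": None, "data": {}}
    for el in root.iter():
        name = _local(el.tag)
        if name == "EventID":
            event["event_id"] = int(el.text)
        elif name == "Computer":
            event["computer"] = el.text
        elif name == "Data" and el.get("Name"):
            event["data"][el.get("Name")] = (el.text or "").strip()
    return event


def parse_hashes(field):
    """Split Sysmon's 'ALG=hex,ALG=hex' Hashes field into {ALG: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().upper()] = val.strip().lower()
    return out


def enrich(xml_events, bad_sha256, bad_ips):
    """Return an alert dict for each process with a known-bad SHA256 (Event 1)
    or each connection to a known-bad destination IP (Event 3)."""
    alerts = []
    for text in xml_events:
        ev = parse_sysmon_event(text)
        d = ev["data"]
        if ev["event_id"] == 1:
            sha = parse_hashes(d.get("Hashes", "")).get("SHA256")
            if sha in bad_sha256:
                alerts.append({"host": ev["computer"], "type": "known-bad-hash",
                               "pid": d.get("ProcessId"), "image": d.get("Image"),
                               "sha256": sha, "parent": d.get("ParentImage")})
        elif ev["event_id"] == 3:
            ip = d.get("DestinationIp")
            if ip in bad_ips:
                alerts.append({"host": ev["computer"], "type": "known-bad-ip",
                               "pid": d.get("ProcessId"), "image": d.get("Image"),
                               "dest": f"{ip}:{d.get('DestinationPort')}"})
    return alerts


if __name__ == "__main__":
    for alert in enrich(SAMPLE_EVENTS, BAD_SHA256, BAD_IPS):
        print(alert)
```

Keying both event types on ProcessId (and, on a real deployment, ProcessGuid) lets the two alerts above be tied together: the unknown binary in a Temp directory is the same process that then reached the flagged address.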

Other reads

  • Kizzle: A Signature Compiler for Exploit Kits: An academic paper from Microsoft on automatically generating signatures for JavaScript exploit kits by clustering samples and then generating regular expressions that match every element within a cluster. The signatures Kizzle produces have a false positive rate under 0.3% and a false negative rate under 5%. Clustering and signature generation take 90 minutes. Although Kizzle can generate signatures for known exploit kits, it must first be told which exploit kits to detect and be given samples of them.
  • Advisory: Seagate NAS Remote Code Execution Vulnerability: Multiple vulnerabilities in Seagate NAS devices, some due to old software with known vulns and some due to Seagate's custom software. 130 days after initially advising the company, the researcher released details once Seagate said it would not be updating the software. There are 2500 such devices visible on Shodan.