Downclimb

2015.03.08

Downclimb: Summit Route’s Weekly Infosec News Recap
2015.03.01 – 2015.03.08: https://SummitRoute.com

Quotes

“Murphy’s Law for Security #41: For every WAF signature you write, there will be a legitimate Base64 string that includes it. Trust me!” Ory Segal

Top stories

FREAK attack

About 25% of SSL-protected sites were found to still accept the RSA_EXPORT cipher suites, the deliberately weakened 512-bit RSA key exchange left over from 1990s US export rules. In the FREAK attack a man in the middle rewrites the ClientHello so that only export suites are offered; the server answers with a 512-bit export key, and a buggy client (OpenSSL and Apple's SecureTransport were affected) accepts it even though it never asked for export crypto. Factoring a 512-bit RSA key takes about half a day on rented cloud compute, and because many servers reuse the same export key for long periods, one factoring job lets the attacker decrypt and tamper with many sessions.

  • http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
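The server-side half of the check, as an added example that is not code from the linked article: build a ClientHello that offers only the export cipher suites, and parse the ServerHello to see whether the server takes one. The export suite IDs are the ones defined in RFC 2246; the all-zero client random, the sample ServerHello and the probe() helper are constructed for this example, and a server that rejects export crypto will normally answer with an alert record, which the parser reports as None.

```python
import socket
import struct

# Export-grade cipher suite IDs from RFC 2246 (TLS 1.0). A server selecting
# any of these is still willing to do 512-bit RSA / 40-bit symmetric crypto.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(cipher_suites, version=(3, 1)):
    """Minimal TLS record carrying a ClientHello that offers only `cipher_suites`."""
    client_random = bytes(32)                 # constructed: all-zero random is fine for a probe
    body = struct.pack(">BB", *version) + client_random
    body += b"\x00"                           # empty session id
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                       # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack(">BB", *version) + struct.pack(">H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return the cipher suite the server selected, or None if this is not a ServerHello
    (for example an alert record, which is what a hardened server sends back)."""
    if len(record) < 5 or record[0] != 0x16:  # 0x16 = handshake record
        return None
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:          # 0x02 = ServerHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    # body: version(2) random(32) session_id_len(1) session_id cipher_suite(2) compression(1)
    if len(body) < 35:
        return None
    sid_len = body[34]
    off = 35 + sid_len
    if len(body) < off + 2:
        return None
    return struct.unpack(">H", body[off:off + 2])[0]


def negotiated_export(record):
    """Name of the export suite the server chose, or None if it chose a non-export suite
    or did not send a ServerHello at all."""
    suite = parse_server_hello(record)
    if suite is None:
        return None
    return EXPORT_SUITES.get(suite)


def sample_server_hello(suite):
    """Constructed ServerHello selecting `suite`, so the parser can be exercised offline."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack(">H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def probe(host, port=443, timeout=5):
    """Send the export-only ClientHello to a live server (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(sorted(EXPORT_SUITES)))
        return negotiated_export(s.recv(4096))


if __name__ == "__main__":
    print(negotiated_export(sample_server_hello(0x0003)))   # export suite -> vulnerable server
    print(negotiated_export(sample_server_hello(0xC02F)))   # ECDHE-RSA-AES128-GCM -> None
```

A non-None result from probe() means the server will hand a 512-bit export key to anyone who asks; whether a given browser can then be tricked into using it is the client-side half of FREAK and needs a patched TLS stack rather than a server change.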

Why a free obfuscator is not always free

A free online JavaScript obfuscator was found to inject ads into the code it obfuscates, so the site owner ends up shipping the advertiser's code alongside their own. Several free obfuscators do this, including a free WordPress plugin; treat the output of any obfuscation service as untrusted third-party code and diff or deobfuscate it before deploying it.

  • http://blog.sucuri.net/2015/03/why-a-free-obfuscator-is-not-always-free.html

Format injection vulnerability in Duo Security Web SDK

Sakurity (Egor Homakov) shows that Duo's Web SDK built its signed request by joining fields with a '|' delimiter and base64-encoding the result. A username that itself contains '|' shifts the field boundaries when the signed string is split back apart, so an attacker who controls one field can influence the others. This is the same class of bug as injecting a separator into any delimited, signed blob; the fix is to reject the delimiter in each field and to require an exact field count when parsing.

  • http://sakurity.com/blog/2015/03/03/duo_format_injection.html
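A constructed illustration of the bug class, added here and not Duo's or Sakurity's code: a pipe-delimited, base64-encoded, HMAC-signed token of the shape prefix|base64(username|ikey|expire)|hmac, a lenient parser that takes the first three fields and ignores the rest (PHP's list()/explode() and Ruby multiple assignment behave this way), and the hardened signer and parser beside it. The key, prefix, integration key and timestamps are all made up for the example; the HMAC itself is never the problem here, since the attacker's string really was signed.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-signing-key"   # constructed for this example, not a real key
PREFIX = "TX"
IKEY = "DIXXXXXXXXXXXXXXXXXX"              # constructed stand-in for an integration key


def _b64(s):
    return base64.b64encode(s.encode()).decode()


def sign_fields(key, prefix, fields):
    """Weak format: prefix|base64(f1|f2|...)|hmac. Fields are joined with the
    same character the parser later splits on."""
    cookie = f"{prefix}|{_b64('|'.join(fields))}"
    sig = hmac.new(key, cookie.encode(), hashlib.sha1).hexdigest()
    return f"{cookie}|{sig}"


def _verify(key, token, prefix):
    """Check prefix and HMAC; return the decoded inner payload or None."""
    try:
        u_prefix, u_b64, u_sig = token.split("|")
    except ValueError:
        return None
    expected = hmac.new(key, f"{u_prefix}|{u_b64}".encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, u_sig) or u_prefix != prefix:
        return None
    return base64.b64decode(u_b64).decode()


def parse_fields_vulnerable(key, token, prefix, nfields):
    """Lenient parser: keeps the first nfields and silently drops the rest."""
    payload = _verify(key, token, prefix)
    if payload is None:
        return None
    return payload.split("|")[:nfields]


def sign_fields_fixed(key, prefix, fields):
    """Hardened signer: the delimiter may not appear inside any field."""
    if any("|" in f for f in fields):
        raise ValueError("delimiter not allowed inside a field")
    return sign_fields(key, prefix, fields)


def parse_fields_fixed(key, token, prefix, nfields):
    """Hardened parser: the field count must match exactly."""
    payload = _verify(key, token, prefix)
    if payload is None:
        return None
    parts = payload.split("|")
    return parts if len(parts) == nfields else None


def demo():
    """The attacker registers the username 'alice|<ikey>|9999999999'. The server
    signs username|ikey|expire honestly, but a lenient re-split reads the result
    as a token for 'alice' that expires in the year 2286."""
    attacker_user = f"alice|{IKEY}|9999999999"
    token = sign_fields(SECRET, PREFIX, [attacker_user, IKEY, "1425772800"])
    return {
        "vulnerable": parse_fields_vulnerable(SECRET, token, PREFIX, 3),
        "fixed": parse_fields_fixed(SECRET, token, PREFIX, 3),
    }


if __name__ == "__main__":
    print(demo())
```

The parser-side check (exact field count) matters as much as the signer-side one: a deployment can only control the fields it signs itself, but it will also be handed tokens signed by other components that may not have been fixed.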

Business

  • Veracode to IPO: Veracode has already raised over $110M (most recently a $40M Series F). Veracode performs static code analysis to look for potential security vulnerabilities. No S-1 filing is available yet.
  • ProofPoint acquiring Emerging Threats: The publicly traded ProofPoint ($2B market cap) provides SaaS solutions primarily for email. The Indianapolis, Indiana-based company Emerging Threats provides threat intelligence. ProofPoint is acquiring Emerging Threats for $40M.
  • PayPal acquires CyActive: Israel-based start-up CyActive was acquired for somewhere between $60M and $80M by the payment company PayPal. CyActive was started in 2013 and had only raised $2M. CyActive promotes itself as being able to take known malware and predict how it will look in the future so it can be stopped.
  • The MACH37 accelerator announces its Spring cohort: Start-up accelerators take in young companies and give them some money ($20K-$150K) and guidance in exchange for some equity (around 8%). Often they take in sets of companies, called a cohort, at the same time so they can schedule various talks and other activities over a period of perhaps 3 months. This culminates in a "demo day" where additional investors see what the companies have accomplished and possibly invest additional money in them. Well-known tech start-up accelerators are Y Combinator and Techstars, but they have a more general tech focus. MACH37 is based out of the DC area and is focused on cyber security companies. It has funded 5 companies for its Spring cohort.

Newspaper news

  • Hillary Clinton used personal email: While Secretary of State, Hillary Clinton ran her own email server, using the address hdr22@clintonemail.com instead of the State Department's email system for all official business.
  • Uber subpoenas GitHub: This is a non-story, but it's been popular. Uber disclosed a breach of driver records and believes the database key used was exposed in a post on GitHub, so it is subpoenaing GitHub for that post's access logs to identify who viewed it.

Tools

  • Trinity: Open-source Linux system-call fuzzer that adds some intelligence by passing arguments of the type each syscall expects, for example a valid file descriptor where one is required, so that fewer inputs are rejected before they reach interesting code.
  • LLVM Fuzzer (libFuzzer): Coverage-guided fuzzer like AFL, but in-process, so it can be much faster; the cost is that you must write a fuzz target function and build it with Clang's instrumentation, and state leaked by one input can affect the next.

Other reads

  • Using Volatility to analyze a keylogger: During hard-disk forensics a keylogger binary turned up, and by converting the Windows hibernation file (hiberfil.sys) into a raw memory image and analyzing it with Volatility, they were able to recover the running keylogger's process and memory and analyze it.
  • Defending against Return-Oriented Programming: PhD thesis (Vasilis Pappas, Columbia) describing kBouncer, which defeats ROP exploits in binaries for which no source code is available. It reads the CPU's Last Branch Record when a process enters a system call and flags either a return whose target is not preceded by a call instruction, or a run of indirect branches whose targets all look like short gadgets. kBouncer was the first-place winner of Microsoft's 2012 BlueHat Prize and was described in an academic paper at the time, but this thesis goes more in-depth.
  • Company stealing Malwarebytes engine: Malwarebytes describes how it discovered that another company was shipping Malwarebytes' detection engine inside its own product.
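A Python model of kBouncer's two checks, added here as an illustration and not code from the thesis or the kBouncer prototype (which reads real x86 LBR registers from a kernel driver). The code image, the branch records and the benign and malicious sequences below are constructed; the 20-instruction gadget bound and 8-gadget chain length follow the paper's defaults. Only indirect branches (ret, indirect jmp, indirect call) appear in the records, which is how kBouncer configures the LBR.

```python
# Constructed code image: address -> (mnemonic, length in bytes). Stands in for
# disassembling the protected binary.
CODE = {
    0x1000: ("push", 1),
    0x1001: ("call", 5),   # direct call; returns to 0x1006
    0x1006: ("mov", 3),    # call-preceded: a legitimate return address
    0x1009: ("call", 5),   # direct call; returns to 0x100E
    0x100E: ("test", 2),   # call-preceded
    0x1010: ("ret", 1),
    # Short gadgets an attacker might chain: end in ret, not call-preceded.
    0x2000: ("pop", 1), 0x2001: ("ret", 1),
    0x2010: ("pop", 1), 0x2011: ("pop", 1), 0x2012: ("ret", 1),
    0x2020: ("mov", 3), 0x2023: ("ret", 1),
    0x2030: ("xchg", 2), 0x2032: ("ret", 1),
}

INDIRECT = {"ret", "jmp*", "call*"}
GADGET_MAX_INSNS = 20   # a gadget is at most this many instructions ending in an indirect branch
CHAIN_THRESHOLD = 8     # this many consecutive gadget-like targets trips the alarm
LBR_DEPTH = 16          # entries in the CPU's Last Branch Record stack


def is_call_preceded(target, code):
    """True if the instruction that ends exactly at `target` is a call."""
    return any(m == "call" and a + n == target for a, (m, n) in code.items())


def looks_like_gadget(target, code):
    """True if `target` starts a short straight-line run that ends in an indirect branch."""
    addr, count = target, 0
    while addr in code and count < GADGET_MAX_INSNS:
        mnemonic, length = code[addr]
        count += 1
        if mnemonic in INDIRECT:
            return True
        addr += length
    return False   # left known code, or too long to count as a gadget


def kbouncer_check(lbr, code):
    """Apply both checks to the branch records captured at a system call.
    lbr: list of (kind, src, dst), oldest first, kind in INDIRECT.
    Returns (ok, reason)."""
    recent = lbr[-LBR_DEPTH:]
    # Check 1: every return must land on a call-preceded address.
    for kind, src, dst in recent:
        if kind == "ret" and not is_call_preceded(dst, code):
            return False, f"ret {src:#x}->{dst:#x} not call-preceded"
    # Check 2: no long run of consecutive gadget-like targets (catches jmp/call chains too).
    run = 0
    for kind, src, dst in recent:
        run = run + 1 if looks_like_gadget(dst, code) else 0
        if run >= CHAIN_THRESHOLD:
            return False, f"{run} consecutive gadget-like targets"
    return True, "ok"


# Constructed branch histories.
BENIGN = [("call*", 0x0F00, 0x1000), ("ret", 0x1010, 0x1006), ("ret", 0x1010, 0x100E)]
ROP_CHAIN = [("ret", 0x2001, 0x2010), ("ret", 0x2012, 0x2020),
             ("ret", 0x2023, 0x2030), ("ret", 0x2032, 0x2000)]
JOP_CHAIN = [("jmp*", 0x3000 + i, g) for i, g in enumerate([0x2000, 0x2010, 0x2020, 0x2030] * 2)]

if __name__ == "__main__":
    for name, hist in (("benign", BENIGN), ("rop", ROP_CHAIN), ("jop", JOP_CHAIN)):
        print(name, kbouncer_check(hist, CODE))
```

Small real functions also look "gadget-like" under the 20-instruction bound, which is why the chain threshold rather than any single gadget-like target is what fires; the first check alone already catches ordinary ret-based chains, and the second exists for chains built from jmp/call gadgets or call-preceded gadgets.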