Downclimb: Summit Route's Weekly Infosec News Recap
2015.03.08 – 2015.03.15: https://SummitRoute.com
"Threat intel is not part of incident management. Threat intel is part of adversary management, of which your incidents are encounters." John Lambert
"New rule: You only get to give your vuln a cutesy name if mass exploitation is possible." Chris Eng
"Everything security researchers do is an '0day' at some point. That's what that word means." Rob Graham
"Doing detection before being good at prevention is like having a bug bounty but no SSDLC; whack-a-mole fixing the same things over and over." Andreas Lindh
Exploiting the DRAM rowhammer bug to gain kernel privileges
In December 2014, a paper was released discussing the idea of reading or writing bits in RAM by repeatedly accessing nearby rows and flipping bits. Although interesting, the technique seemed theoretical and possibly would only work on certain hardware. Some folks at Google Project Zero have now turned it into real-world exploits. So far it seems to be limited to sandbox escapes.
- Original paper: https://www.ece.cmu.edu/~safari/pubs/kim-isca14.pdf
- Real-world attacks: http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
Stuxnet LNK vuln fixed again
Microsoft patched the LNK vuln used by Stuxnet in 2010, but did not fix it properly, so it has been patched again, hopefully correctly this time.
Digital certificate forensics
Interesting use of digital certificate information to confirm that clintonemail.com, used by Secretary of State Hillary Clinton, did not use encryption during its first three months, a period when she was travelling to places such as China and Egypt.
Xen hypervisor vuln
There were a few security vulnerabilities in the Xen hypervisor that have been patched. Of particular interest is Joanna Rutkowska's commentary, specifically her comment:
"It seems really difficult to understand why would anybody design a structure like the one shown above, which uses a union to store two, RADICALLY DIFFERENTLY TRUSTED data: an internal pointer into hypervisor memory and VM-provided UNTRUSTED DATA?"
- Blue Coat being sold for $2.4B: In preparation for going public again (Blue Coat went private in 2012), it is being sold from one private equity firm (Thoma Bravo LLC) to another (Bain Capital) for $2.4B.
- Prevoty raises $8M Series A: Prevoty, founded in March 2013 in Los Angeles, California, provides application monitoring and protection that is configured into applications at compile time. Its recent $8M Series A brings its total funding to date to $11M.
- Bugcrowd raises $6M Series A: Bugcrowd, founded in September 2013 in San Francisco, California, sets up and manages bug bounty programs for companies. It currently has 40 such programs. This $6M Series A brings its total funding to date to $7.7M.
- Starfighter launched: Thomas Ptacek (founder of Matasano Security consulting) and others have created a new company to create CTFs in order to assess programming skills. This follows on Matasano's crypto challenges which the company used to recruit and assess employees.
- Yahoo moving forward with encrypted email: Alex Stamos, the CISO for Yahoo, gave a demo this week of encrypted email for Yahoo (email that Yahoo can't even read). They released a Chrome browser extension for this end-to-end encryption that is based on Google's own extension.
Conference Materials and Publications
- BSides Tampa: Conference took place in Tampa, Florida on Feb 21. One of the more popular talks was "The Need for Proactive Threat Hunting" by Andrew Case, who is one of the core Volatility developers.
- OpenREIL: OpenREIL is an open-source library that implements a translator and tools for REIL (Reverse Engineering Intermediate Language). The REIL concept was initially developed by Zynamics (makers of BinDiff for IDA Pro and some other tools) for their products. After Zynamics was acquired by Google in 2011, all of their projects were pretty much abandoned. OpenREIL was created by Dmytro Oleksiuk to translate instructions to REIL, which by itself doesn't do much as there isn't much outside of Zynamics's BinNavi that uses REIL, but this will hopefully be used as a starting place for more reverse engineering tools.
- Diaphora announced: Joxean Koret, who last year was finding holes in antivirus vendors' products, has announced an open-source plugin for IDA Pro for binary diffing called Diaphora. This was developed because one of the main diffing programs people use, Zynamics BinDiff, is no longer updated. One interesting new trick in Diaphora is that one of the heuristics it uses to find matching functions is the output of the Hex-Rays decompiler. Diaphora is not yet publicly available, but should be soon.
- Introducing Masche: memory scanning for server security: Masche is a memory scanning tool for Mozilla's MIG (Mozilla InvestiGator) platform. MIG allows for querying endpoints in real time to look for IOCs, similar to Facebook's osquery. MIG (and Masche) work across Linux, OS X, and Windows. One interesting aspect of Masche is that it is primarily Go code. It is currently less featureful than Volatility or YARA. One stated goal of the project is to avoid infringing too much on people's privacy when detections are run, which limits some of its capabilities.
- BERserk attack implementation: The crypto attack known as BERserk was announced on the same day as Shellshock, so it received much less coverage than it should have. Filippo Valsorda, who created a popular site for testing for Heartbleed, has created an implementation of the BERserk attack.
- NSA IAD on GitHub: The NSA's Information Assurance Directorate (the defensive side) just started a GitHub account. So far the projects up there are just docs and reference material for the docs.
- EMET 5.2 Released: Minor release that now has all its components compiled with Control Flow Guard. It also blocks VBScript from running, and alerts work better with Internet Explorer Protected Mode enabled.
- Exploiting CVE-2015-0311: A Use-After-Free in Adobe Flash Player: CoreSecurity discusses an exploit for a recent vuln patched in Adobe Flash at the end of January. The use-after-free can be used to read and modify arbitrary memory, allowing the attacker to bypass DEP and ASLR, but not Control Flow Guard on Windows 8.1, which Adobe Flash is surprisingly compiled with (surprising, because this is a very new feature that requires a bleeding-edge tool chain). CFG can still be bypassed, but details of that will be in another post from CoreSecurity.
- Inside the EquationDrug Espionage Platform: More analysis by Kaspersky on the Equation group's tool chain.
- Security Issue: Combining Bcrypt With Other Hash Functions: bcrypt stops reading its input at the first null byte, which isn't a problem for its normal password checking (passwords are strings), but if you pre-hash a password into raw digest bytes and then pass that digest through bcrypt, any null byte in the digest silently truncates what bcrypt actually hashes, and you can have issues.
- How "../sms" could bypass Authy 2 Factor Authentication: Sakurity shows us again the dangers of format injection with a problem that affects Rails' Sinatra and its use of rack-protection, a library for Rails that is supposed to protect against web attacks.
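An added illustration (not code from the bcrypt write-up) of the null-byte problem described two items above: `bcrypt_effective_input` is a model of how a C bcrypt implementation reads its input (NUL-terminated, capped at 72 bytes), constructed here rather than a call into a real bcrypt library, and the searched passwords `pw0`, `pw1`, ... are constructed samples. Roughly 1 in 256 passwords produce a raw SHA-256 digest that begins with a null byte, so every such password collapses to the same empty bcrypt input; hex-encoding the digest first avoids this.

```python
import hashlib
from itertools import count

BCRYPT_MAX_INPUT = 72  # bcrypt uses at most the first 72 bytes of its input


def bcrypt_effective_input(password: bytes) -> bytes:
    """Model (an assumption, not a real bcrypt call) of what bcrypt hashes:
    the input is treated as a NUL-terminated C string, so everything from
    the first null byte onward is ignored, and at most 72 bytes are used."""
    return password.split(b"\x00", 1)[0][:BCRYPT_MAX_INPUT]


def prehash_raw(password: bytes) -> bytes:
    # Unsafe pre-hashing: raw SHA-256 digest bytes fed straight to bcrypt.
    # Any 0x00 byte in the digest truncates what bcrypt sees.
    return hashlib.sha256(password).digest()


def prehash_hex(password: bytes) -> bytes:
    # Safe pre-hashing: hex encoding can never contain a null byte, and the
    # 64 hex characters fit within bcrypt's 72-byte limit.
    return hashlib.sha256(password).hexdigest().encode("ascii")


def find_nul_prefixed_passwords(n: int = 2) -> list:
    """Scan constructed passwords 'pw0', 'pw1', ... and return the first n
    whose raw SHA-256 digest starts with a null byte."""
    found = []
    for i in count():
        pw = f"pw{i}".encode()
        if prehash_raw(pw)[0] == 0:
            found.append(pw)
            if len(found) == n:
                return found


def demo():
    """Return two distinct passwords plus whether they collide under each
    pre-hashing scheme once bcrypt's truncation is applied."""
    p1, p2 = find_nul_prefixed_passwords()
    raw_collide = (bcrypt_effective_input(prehash_raw(p1))
                   == bcrypt_effective_input(prehash_raw(p2)))
    hex_collide = (bcrypt_effective_input(prehash_hex(p1))
                   == bcrypt_effective_input(prehash_hex(p2)))
    return p1, p2, raw_collide, hex_collide
```

With raw digests both passwords reduce to an empty bcrypt input, so either one would verify against the other's stored hash; with hex-encoded digests they stay distinct.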
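An added model (not Sakurity's or Authy's code) of the format-injection pattern in the last item: a client builds an API path by concatenating a user-supplied token, and a server that normalizes `..` segments before routing ends up handling a different endpoint than the client intended. The hardened builder validates the token's format and percent-encodes each path segment. `API_BASE`, the endpoint layout, the 6-8 digit token rule and the normalizing server are all assumptions for illustration.

```python
import posixpath
import re
from urllib.parse import quote, urlsplit

API_BASE = "https://api.example.invalid"   # placeholder host, not a real API
TOKEN_RE = re.compile(r"^\d{6,8}$")         # assumption: an OTP is 6-8 digits


def build_verify_url_unsafe(token: str, user_id: str) -> str:
    # The risky pattern: untrusted input dropped straight into the path.
    return f"{API_BASE}/protected/verify/{token}/{user_id}"


def build_verify_url_safe(token: str, user_id: str) -> str:
    # Hardened: reject anything that is not shaped like a token, then
    # percent-encode every segment so '/' and '.' cannot change the route.
    if not TOKEN_RE.match(token):
        raise ValueError("token must be 6-8 digits")
    return (f"{API_BASE}/protected/verify/"
            f"{quote(token, safe='')}/{quote(user_id, safe='')}")


def server_side_path(url: str) -> str:
    """Assumed server behaviour: collapse '..' segments before routing,
    as a path-traversal protection middleware might do."""
    return posixpath.normpath(urlsplit(url).path)


def routed_to_verify_endpoint(url: str, user_id: str) -> bool:
    """True only if the request still lands on the intended verify route
    for this user after the server's normalization."""
    path = server_side_path(url)
    return path.startswith("/protected/verify/") and path.endswith("/" + user_id)
```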