Downclimb: Summit Route’s Weekly Infosec News Recap
2015.03.15 – 2015.03.22: https://SummitRoute.com
Quotes
“Who said TTF stands for True Type Font? If we look @ #pwn2own it might as well be TREASURE TIME FORMAT.” Joshua J. Drake
“How do you know progress is being made in secure engineering? When research starts out with ‘Given physical access to…’” Josh Pitts
“Are there any #pwn2own winners that aren’t sponsored by massive Chinese Internet companies? It’s the equivalent of a Google team winning. No doubt the teams are skilled, but this is just marketing for the Chinese audience. ‘Tencent wins hacking competition!’ ‘Baidu wins…’ Is it time to accept that #Pwn2Own has outlived its usefulness to the community? Companies paying each other for marketing… yawn” the grugq
“Waking up to an inbox full of hate mail: this too could be your daily ritual if you decide to write OSS software and give it away for free.” Moxie Marlinspike
Top stories
Pwn2Own
All major browsers were successfully exploited in this year’s Pwn2Own[1]. Due to issues with The Wassenaar Arrangement (which restricts the export of exploits) and “low” pay-outs, some past winners, such as the company VUPEN, did not participate. Many of the competitors were from China or Korea (which are not restricted by The Wassenaar Arrangement).
Only a few details of the exploits used in Pwn2Own become known to the public. One interesting trick used was the Firefox preference named turn_off_all_security_so_that_viruses_can_take_over_this_computer. This setting is used for testing and has that name so no one will set it, but it was used to give an exploit god mode in the recent Pwn2Own[2].
It’s believed that the main reason people or companies compete in Pwn2Own is for the publicity, and that the prizes aren’t really that valuable given the amount of work required. It is also believed that, especially in the case of the Chrome exploits, these vulns were going to get patched soon anyway[3], so their value would plummet. Specifically, the next release of Chrome will support PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, a new setting in Windows 8 that denies system calls and thus will defeat some privilege escalation techniques that were likely used.
- https://threatpost.com/all-major-browsers-fall-at-pwn2own-day-2/111731
- Firefox setting: https://bugzilla.mozilla.org/show_bug.cgi?id=984012
- Chrome win32k mitigations: https://code.google.com/p/chromium/issues/detail?id=365160#c30
Dangers of counterfeits
Recently, the phone security company Bluebox posted a write-up about security issues they found with the Chinese Android phone maker Xiaomi[1]. Unfortunately, it seems the Xiaomi phone that was tested was a counterfeit[2]. This raises a couple of issues. First, and most important, how can a vendor stop consumers from buying counterfeit versions of its products if even a phone expert can’t determine whether a device is a counterfeit? Next, counterfeits not only damage a company’s sales but can also damage its reputation: Bluebox tarnished the Xiaomi name in their research, even though they apparently weren’t even testing a real Xiaomi product.
- https://bluebox.com/blog/technical/popular-xiaomi-phone-could-put-data-at-risk/
- https://sec.xiaomi.com/#/notice/100030
Apple iOS Hardware Assisted Screenlock Bruteforce
There is a device called the “IP Box” that can be bought, primarily by phone repair shops, for $300, to bruteforce the iOS lockscreen. It works even if the device is set to erase the data after 10 attempts because it seems to cut the power if the attempt fails. Each entry takes 40 seconds, so it would take about 111 hours to bruteforce every possible PIN.
- http://blog.mdsec.co.uk/2015/03/bruteforcing-ios-screenlock.html
Business
- Rapid7, LogRhythm, and Mimecast to IPO: Rapid7 (makers of Metasploit), LogRhythm (a SIEM), and Mimecast (email security) are planning to IPO.
- Darktrace raises $18M: Darktrace, founded in 2013 in London, England, monitors host and network data and looks for anomalies. Its first round raised $18M.
- Target to pay $10M for its 2013 breach: Target Corp has agreed to pay $10 million in a proposed settlement of a class-action lawsuit related to its 2013 breach. Considering 40 million credit cards were exposed, this amounts to 25 cents per card.
Newspaper news
- Smear campaign against Kaspersky: A garbage article from Bloomberg came out that bashed Kaspersky with the final statement “Bottom line: Popular security-software maker Kaspersky Lab has close ties to Russian military and intelligence officials.” The fact is that every cyber security company has employees who have spent time at the intelligence agencies of the nation of that company and usually has employees who have connections with the intel agencies of other nations. Contrary to the claims of the article, Kaspersky has done an excellent job of exposing Russian hacking groups as well as groups from every other nation. Eugene Kaspersky (the CEO of the company) responded well to the sensationalist and false claims in his post.
- Comodo mis-issued SSL cert: Comodo improperly issued a cert for live.fi (Microsoft’s email service in Finland) to a security researcher. It is sad that certificate authorities don’t have a better way of checking who the real owner of a site is, but it’s worse that this is not the first time Microsoft has allowed themselves to be compromised using this trick. In the case of live.fi, a man was able to register the email address hostmaster@live.fi, which then allowed him to get the certificate for the site. There are a couple of email address names for which, if you can get access to one on a domain, you can get an SSL cert for that site. This same situation happened in 2008 when a researcher named Mike Zussman registered the email account sslcertificates@live.com in order to get the certificate authority Thawte to issue him a live.com cert.
- Feds warned Premera Blue Cross about security flaws: Three weeks before hackers breached Premera Blue Cross, it had received audit findings from federal authorities that its network security was inadequate.
Conference materials and publications
- PoC or GTFO 0x07
- Tetcon: Took place in early January in Saigon, Vietnam
- CactusCon: Took place last week in Phoenix, AZ.
- Tornado Attack on RC4 with Applications to WEP & WPA: This 65-page paper[1] on an attack on RC4 is based on work from 2012.
- Dylib hijacking on OS X: Paper from a presentation by Patrick Wardle of Synack at CanSecWest on applying the Windows concept of DLL hijacking to OS X.
Tools
- Frida 3.0 released: Frida is a dynamic code instrumentation toolkit for injecting JavaScript into native apps on Windows, Mac, Linux, iOS, and Android.
Other reads
- OpenSSL bugs fixed: A couple of OpenSSL bugs were fixed this week, but nothing much came from it as the two High severity bugs were only a DoS and a MiTM vuln.
- Kernel Rootkit Analysis with Lastline Breach Detection Platform 6.5: Lastline now has kernel monitoring capabilities. In their example they show some kernel memory hooks identified.
- Hacking Team Reloaded? US-Based Ethiopian Journalists Again Targeted with Spyware: Analysis of a malware campaign against journalists in Ethiopia believed to be from the Italian company Hacking Team.
- Taming the wild copy: Parallel Thread Corruption: Google shows how a bug that was previously not thought to be exploitable is exploitable on BSD variants due to a quirk in their memcpy implementations.
- Detect System File Manipulations with SysInternals Sysmon: Shows how to use Splunk and Sysmon to search for anomalies that may indicate intrusions.
- Automated algebraic cryptanalysis with OpenREIL and Z3: Walk-through on how to use the recently released OpenREIL to do something useful, in this case, crack a keygen.
- Analysis of a Remote Code Execution Vulnerability on Fortinet Single Sign On: Core Security discusses a vulnerability in the Single Sign On feature of the FortiGate next generation firewall.
- Row hammer fix POC and generic root kit detection using performance counters: Method of detecting Row hammer on Windows.