Downclimb: Summit Route's Weekly Infosec News Recap
2015.04.05 – 2015.04.12:


"To teach kids about Bitcoin, give them piggy banks. 6 months later smash them, steal the money, and laugh." Sam Browne


"I'm dubbing the OS X bug "Frank" #bugswithpeoplenames" @snare


"WordPress is the modern equivalent of wu-ftpd." Federico Kirschbaum

Top stories

Anonabox Analysis

Excellent write-up on getting root on an Anonabox Tor device from any host on the local Wi-Fi.

Root privilege escalation in Apple OS X

Describes how, by studying the patch for an older privilege escalation, the author found a new privilege escalation vulnerability. The write-up calls it a "backdoor", but it is simply a vulnerability of the class known as a "confused deputy".

Darwin Nuke

Although the name references the old WinNuke bug, this is more like the ping of death in that it uses ICMP. Kaspersky researchers discovered that OS X and iOS, up until OS X 10.10.3 and iOS 8.3, could be crashed simply by sending them a malformed ping.

Huthos VPS Provider: Totally legit, 1000% not a criminal organization.

Interesting business model discovered: hack into servers and sell them as VPSes.

Newspaper news

  • China’s Great Cannon: The DDoS attack against GitHub from last week is being referred to as "China's Great Cannon". It's an attention-grabbing name for something not that exciting, but you should probably be aware of the term.
  • SingTel to buy Trustwave for $810M: Singapore Telecommunications announced it would buy US-based Trustwave. SingTel is Southeast Asia’s biggest telecommunications firm by revenue, and the biggest company in Singapore. Trustwave provides managed security services. This is an unexpected and odd pairing.
  • RedSeal raised $17M Series C: RedSeal of Sunnyvale, CA, sells a product that uses network device configurations to model all possible traffic paths into and throughout a network.
  • Soha Systems emerges from stealth: Soha Systems provides a solution for securely accessing applications running in public clouds. It appears to be some sort of VPN solution. It has been in stealth since 2013, with almost $10M in funding.

Conference materials and publications

  • Catch-up: Last week we tried to reference some of the slides posted for various conferences. Now almost all slides have been posted for those conferences.
  • BSidesSLC: BSides Salt Lake City took place a few weeks ago and videos are now up.
  • Deviare: Deviare is a hooking engine, like Microsoft Detours, but it also works with .NET binaries, and it is now GPL-licensed and on GitHub.

Other reads

  • MRG Effitas Real World Exploit Prevention Test March 2015: This paper shows the results of exploit testing against a couple of exploit mitigation solutions. It is sponsored by Hitman Pro, so, lo and behold, Hitman Pro comes out as the winner. The paper is biased toward making Hitman Pro look good, and it misdirects by constructing scenarios in which EMET "fails" at things EMET was never designed to protect against. Despite these faults, it is a well put together paper with some insights.
  • How Heartbleed could've been found: This post shows how Heartbleed could have been found using afl-fuzz and AddressSanitizer. Of course, finding bugs is much easier when you already know what you're looking for, and triaging crashes is much easier too, but this shows how to use these tools to find actual bugs and what it looks like when they are found. It's also useful for proving which bugs a given tool could have found and what it takes to find them, so that new bugs can be found in other projects (or similar bugs in the same project).
  • Jailbreaking, China and Playing the Racial Discrimination Card: An inside look at the iOS jailbreaking world from i0n1c (Stefan Esser).
  • Extracting the Private Key from a TREZOR: A TREZOR is a hardware device for storing bitcoin. This article shows how the private key can be extracted with a power analysis side-channel attack, using an oscilloscope to capture the device's power consumption.
  • Hacking the D-Link DIR-890L: Post from /dev/ttyS0 showing how they found a command injection bug in recent D-Link routers.