Downclimb: Summit Route’s Weekly Infosec News Recap
2015.04.12 – 2015.04.19: https://SummitRoute.com
Quotes
“Mobile malware exists, but in a very insignificant fashion in our incident data” Marc Spitler, senior risk analyst for Verizon, with regard to the new Verizon Data Breach Investigations Report
“Results in the Verizon #DBIR suggest what I’ve long suspected: threat actors know we subscribe to intel feeds so they avoid artifact re-use.” Craig Chamberlain
“I can’t help but think that hackathons are the 21st century version of Dickensian slave labour.” @semibogan
“Worst thing about the 90s crypto wars was a decade of wasted talent batting down one stupid proposal after another. Can’t afford that again. Computer security people need to focus on securing our computers, not explaining over and over why dangerous backdoors are dangerous.” Matt Blaze
“We should have positive security goals (e.g. build trust) rather than just negative (e.g. reduce risk).” Joey Tyson
Top stories
Verizon DBIR
The annual Verizon Data Breach Investigations Report is one of the most commonly rerenced reports for stats across many infosec breaches.
Some interesting quotes
- “Organizations would need access to all threat intelligence indicators in order for the information to be helpful—a herculean task.”
- “less than 3% overlap of IOCs among threat intel feeds during a “long exposure” six month comparison. 97% were unique to their feed.”
- “Of the IPs observed in current info feeds, only 2.7% were valid for more than a day”
- “Numbers show just 10 [phishing] e-mails yields a greater than 90% chance that at least one person will become the criminal’s prey”
- “We found that 99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.”
- “Ten CVEs account for almost 97% of the exploits observed in 2014”
- “Many subsectors in different industries actually share a closer threat profile than do subsectors in the same overall industry.”
- “we found that 70 to 90% (depending on the source and organization) of malware samples are unique to a single organization.”
- “Two-thirds of the incidents in this pattern (espionage) had no attacker-attribution information whatsoever.”
Read the summary or full report.
HTTP.sys vuln
The recent patch Tuesday included a patch (MS15-034) for a vuln (CVE-2015-1635) in HTTP.sys. The Microsoft write-up about this[1] gave everyone panic attacks because it stated Remote Code Execution was possible on all Windows 7 and up systems. From what I’ve seen[2], this only affects systems running IIS, and so far only a BSOD has been achieved. Likely someone will get RCE, if they have not already with this. Luckily, even if you don’t want to apply the patch for whatever reason, the IPS signature is fairly simple to implement[3].
- https://technet.microsoft.com/library/security/MS15-034
- http://www.securitysift.com/an-analysis-of-ms15-034/
- http://blog.didierstevens.com/2015/04/17/ms15-034-detection-some-observations/
Prosecutors suspect man hacked lottery computers to score winning ticket
This case is interesting in that a man is suspected of having inserted a thumb-drive into computers that aren’t connected to the Internet that generate lotto numbers. The numbers should be random but he is suspected having manipulated them. I find this interesting because much of the basis for cryptography is based on the ability to generate random (unpredictable) numbers. Manipulation of random number generation is an interesting area to watch.
- http://arstechnica.com/tech-policy/2015/04/prosecutors-suspect-man-hacked-lottery-computers-to-score-winning-ticket/
Problems in automatic crash analysis frameworks
Tavis Ormandy has found some privilege escalation vulnerabilities in the crash handling software in Ubuntu, Fedora, and other distros. He has also released exploit code for two of these.
- http://www.openwall.com/lists/oss-security/2015/04/14/4
The Chronicles of the Hellsing APT: the Empire Strikes Back
Fun story from Kaspersky about two APT actors going to war against each other. After one was hacked, it tried to hack-back to identify the attacker.
- https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/
crossdomain.xml : Beware of Wildcards
This bug report shows how a flash file could be uploaded to an ebay.com site, as a .jpg, which could access data on paypal.com.
- http://blog.h3xstream.com/2015/04/crossdomainxml-beware-of-wildcards.html
Newspaper news
- Lawyer representing whistle blowers finds malware on drive supplied by cops: Although this would be quite an interesting (and horribly immoral and illegal) technique from cops, this attention grabbing story seems much more innocent, as the malware was just copy/pasted to the drive, and doesn’t appear capable of “infecting” the system. It seems more likely it ended up there by mistake than any evil motive. This events behind this story should be attributed more to incompetence than malice.
Business
- AEI - Norse: Iran report: Infosec companies using FUD to market themselves has become a fact of life. Summit Route’s Downclimb has attempted to be a filter on this to give you important news and cut threw the marketing. This week Norse corp released a report at the request of the AEI (American Enterprise Institute). The report is about Iran and it’s cyber war activities (nothing technical). What’s interesting is there has been a backlash from a couple of infosec professionals about this, for this “heinous fear-mongering”, as Jeffrey Car put it. Infosec companies are increasingly being used to manipulate popular opinion. This has an impact on not only on political agendas, but may also impact who the potential customers and employees of these companies are. Examples of the backlash here and here.
- Internet Bug Bounty now paying for tools to find bugs: The biggest take-away from a recent hackerone post is actually an unrelated paragraph at the bottom announcing that the Internet Bug Bounty will pay bounties for tools that aid in vulnerability discovery and determining exploitability.
- Raytheon to acquire Websense for $1.9B: The government contractor Raytheon has agred to buy the Austin, Texas based network security company Websense for $1.9B.
- Illumio raises $100M: Illumio, based out of Sunnyvale, CA, has raised a $100M Series C, bringing it’s total funding to $140M since it’s start in 2013. It spent 2 years in stealth, having been founded in January, 2013. It provides end-point security for the enterprise.
- Duo Security raises $30M: Duo Security, based out of Ann Arbor, MI, has raised $30M, bringing it’s total funding to $48M since it’s start in 2010. It provides two factor authentication products and services.
- Adallom raises $30M: Adallom, based out of Silicon Valley, has raised $30M, bringing it’s total funding to $49.5M since it’s start in 2012. It is a cloud access security broker.
- Palerra raises $17M: Palerra (formerly Apprity), based out of Silicon Valley, has raised $17M, bringing it’s total funding to $25M since it’s start in 2013. It provides cloud-focused threat detection, predictive security analytics and compliance management.
- HyTrust raised $25M: On April 1, HyTrust announced it raised $25M. The Silicon Valley based cloud security startup, has raised $84.5M to date since 2008.
- Endgame launches Enterprise Threat Protection Platform: Announced on April 7, Endgame has gotten into the ETDR (End-point Threat Detection and Response) game with it’s new product. This competes with products such as Crowdstrike’s Falcon, or Bit9’s Carbon Black.
Conference materials and publications
- Modern Objective-C Exploitation Techniques: Phrack article released in conjunction with the author’s presentation at the Infiltrate conference.
Tools
- ArkDasm: 64-bit interactive disassembler freeware for Windows.
- IDA Pro 6.8: The reversing engineering tool is out with new release.
- evolve: A simple web interface for volatility.
- crashwalk: Ben Nagy has released a couple of tools to triage crashes on Linux and OS X from AFL fuzzing.
- crashwalk: Bucket and triage on-disk crashes. OSX and Linux: https://github.com/bnagy/crashwalk
- francis: LLDB engine based tool to instrument OSX apps and triage crashes: https://github.com/bnagy/francis
- pdflex: Minimal and hacky PDF lexer: https://github.com/bnagy/pdflex
- aflfix: Use any program to perform fixups for afl via AFL_POST_LIBRARY: https://github.com/bnagy/aflfix
- terry: Wrap radamsa on OSX, add instrumentation / triage: https://github.com/bnagy/terry
Other reads
- Safari cookie access vulnerability: A Safari iOS/OS X/Windows cookie access vulnerability (CVE-2015-1126) could be exploited by attackers to create specially crafted web page which, when visited by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website.
- A QUIC update on Google’s experimental transport: Last year Google announced a new protocol called QUIC, to be used in place of TCP + TLS. Today roughly half of all requests from Chrome to Google servers are served over QUIC. I had no idea.
- Google Shuts Off NPAPI in Chrome: Chrome 42 disabled NPAPI which results in Java and Silverlight no longer working at all in that browser.
- Redirect to SMB: Cylance report on a vulnerability in Windows that has been around for a long time, similar to a vuln discovered in 1997. It requires man-in-the-middle and being on the same network.
- APT30: Huge report from FireEye on a threat actor called APT30. Interestingly, FireEye isn’t focusing on the attribution of the threat, but rather on analyzing the development. It’s been around since 2005, and has been jumping air gaps from the start. Interestingly, the controller for the malware (which FireEye somehow got ahold of) checks the serial number of the hard-drive and will not run if it doesn’t match a value from a list. It also has functionality that seems to be to track work shifts (page 16).
- APT28: Shorter report from FireEye on a different threat actor that used two 0-days in thier recent campaign.
- So, you want to be a darknet drug lord…: Interesting read about the precautions cyber criminals take (or at least one that was successful in not getting caught), and some of threats faced on maintaining an anonymous server behind tor.
- Bypassing kernel ASLR: Shows where some fixed memory (not put in a random location) is in Windows 7 and up.