Downclimb: Summit Route's Weekly Infosec News Recap
2015.04.19 – 2015.04.26: https://SummitRoute.com
"Infosec has largely become an industry of client extortion, especially via stunt hacking. This must stop." @attackresearch
"Something we too often do is forget to ask ourselves, 'What have I secured?' or 'How has my research bettered others security?'" Silas Cutler
"If you're planning on buying something you heard about from #RSAC, don't. Take that money, hire some smart engineers, and listen to them." Parisa Tabriz
"The infosec industry has become a marketplace where everyone saying their product is best but everyone is afraid to share for public test." Haifei Li
"OH: 'We're going to release the enterprise API, which just means it returns XML instead of JSON.'" Scott J Roberts
The RSA conference happened this week. So this has been a boring week.
Qubes trust considerations
Qubes is an OS to isolate applications so if one is compromised it can't affect the others. They released version 3.0 this week, and even if you are interested in running Qubes, you should still read their post to see the trust issues they consider. I wish all security companies took these precautions.
Wink cert issues
Wink sells home-automation products which are supposed to be able to beacon home to a web service. Wink used SSL for this (good), but the cert expired (bad), resulting in many devices no longer being able to call home, and forcing Wink to offer the option of having devices returned and updated with a new fix along with a $50 store voucher. As the Internet-Of-Things are secured, it's important to realize that some of these security features require maintenance.
Attack on tor involved 70 exit nodes
There isn't much to this story, except to point out that someone controlled 6% of the tor exit nodes. This was apparently done in order to try to de-anonymize users of a tor based email service called SIGAINT.
- Accuvant renaming to Optiv Security: Accuvant, who recently merged with FishNet Security, is renaming itself to Optiv Security.
Conference materials and publications
- BSides SF
- Breaking the Rabin-Williams digital signature system implementation in the Crypto++ library
- Sysmon v3.0: Microsoft advanced background monitor that records process-related activity to the event log for use in intrusion detection and forensics, adds the process name to process terminate events, reports remote thread creation events, and improves the simplicity and flexibility of filter settings.
- Pre-authentication XXE vulnerability in the Services Drupal module: Drupal is a widely used CMS (content management system) written in PHP, like Wordpress. Researchers at the French based consulting company Synacktiv (not to be confused with the US based pentesting company Synack), have found a vulnerability in Drupal's authentication code, which when configured to enable REST end-points, allows specially formatted XML data to be send to the server without authentication that results in arbitrary file reads from the system.
- Analyzing the Magento Vulnerability: Magento is a web e-commerce platform, again written in PHP. A string of vulnerabilities found by Check Point lead to RCE.
- SSL MiTM on AFNetworking: AFNetworking is a popular library for iOS apps. The result of this bug is the same as Apple's goto fail in that it completely disables all SSL certificate validation. "Only" a thousand apps were found with this issue, but then another bug was quickly found in this library that affects over 25,000 apps with similar consequences.
- The CozyDuke APT: Kaspersky researchers discuss the CozyDuke APT. One interesting technique is it's use of WMI to look for security products installed on the systems it infects.
- Ubuntu privilege escalation: This easy to exploit vulnerability found by Tavis Ormandy, uses the USB D-Bus service.