Downclimb: Summit Route’s Weekly Infosec News Recap
2015.04.26 – 2015.05.03: https://SummitRoute.com
Quotes
“Security by Insecurity. Leaving a system so unpatched that most attackers assume it’s a honeypot and move on.” @sadserver
“Advanced Persistent Failure: The inability for human beings and their collectives to learn from security incidents, data, polls, and any other lessons learned that would normally cause changes to be made. Instead, the cognitive dissonance wins out and they believe nothing is ever wrong, they are safe, and unicorn devices will prevent their data from being stolen.” Krypt3ia
“If Congress is going to invent science via law they should start by outlawing cancer and requiring perpetual motion.” Alex Stamos
“Any East Coaster visiting RSAC looks around and says “Wow, you guys have a TON of CRAP here.” But a West Coaster will smile and say ‘Exactly.’” Dave Aitel
“We’ll never progress as an industry if pointing out failures continues to draw the largest audience and applause. I die inside every time someone builds a solution and they’re immediately met with someone who finds a vuln/bypass and says #fail” @mimeframe
“Your warning will reach < 5% of Internet users. 90% of attackers will be in that 5%.” David Litchfield regarding Project Zero disclosing 5 OS X sandbox escapes
Top stories
Detecting malware via power analysis
Virta Labs, with its product WattsUpDoc[1], and PFP Cybersecurity[2] are detecting malware on embedded devices or legacy systems via power analysis. In both of these cases you can’t modify the systems, so detection has to be done some other way. Historically, in the ICS (SCADA) space, all infosec products were therefore focused on doing something on the network. These products included network IDSs, crypto tunneling, and in some rarer cases network IPSs that would actually block traffic (which probably no one used, because the possibility of blocking a critical message to or from a SCADA device freaks people out). Power analysis, as a side channel, opens up an additional product category. However, is it a good idea? Will it actually detect anything without throwing too many false positives? The paper for WattsUpDoc mentions it “flags the anomalous behavior with accuracy of 94% and 99.5%”, but has no mention of false positives. My assumption is that this will not be effective. Dave Aitel (of Immunity) makes a similar point[3].
- http://www.theregister.co.uk/2015/04/27/us_hospitals_to_treat_medical_device_malware_with_ac_power_probes/
- http://pfpcyber.com/
- Dave Aitel’s take: http://seclists.org/dailydave/2015/q2/16
Mozilla is planning to deprecate HTTP
Mozilla has announced its intent to phase out non-secure HTTP: only HTTPS will receive new features, and access to browser features will be gradually phased out for non-secure websites.
- https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
Race conditions on Facebook, DigitalOcean and others
This post[1] describes actual bug bounties collected (including a $3K one) for issues in major sites related to race conditions. One of the first discussions of these issues was a Black Hat 2008 presentation[2].
- http://josipfranjkovic.blogspot.gr/2015/04/race-conditions-on-facebook.html
- “Concurrency Attacks in Web Applications” - Stender and Vidergar, Black Hat USA 2008: http://www.hakim.ws/BHUSA08/speakers/Stender_Vidergar_Concurrency_Attacks/BH_US_08_Stender_Vidergar_Concurrency_Attacks_in_Web_Applications_Presentation.pdf
The BACKRONYM MySQL Vulnerability
Duo Security shows that MySQL clients are vulnerable to what amounts to the old sslstrip issue: if an attacker server tells a client that SSL does not work, the client will make an unencrypted connection.
- https://www.duosecurity.com/blog/backronym-mysql-vulnerability
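The downgrade described above, and the client-side check that prevents it, as an added illustration that is not taken from Duo's post or from any MySQL client: it parses a constructed, minimal protocol-v10 server greeting for the CLIENT_SSL capability bit. The function names and the `require_ssl` parameter are hypothetical.

```python
import struct

CLIENT_SSL = 0x0800  # capability bit a MySQL server sets when it offers SSL/TLS


def build_greeting(capabilities, version=b"5.6.0-constructed"):
    """Build a constructed, minimal protocol-v10 greeting (sample input only)."""
    payload = (
        b"\x0a" + version + b"\x00"                 # protocol version, server version
        + struct.pack("<I", 1)                      # connection id
        + b"A" * 8 + b"\x00"                        # auth-plugin-data part 1, filler
        + struct.pack("<H", capabilities & 0xFFFF)  # capability flags, low 16 bits
    )
    header = struct.pack("<I", len(payload))[:3] + b"\x00"  # 3-byte length, seq 0
    return header + payload


def server_offers_ssl(packet):
    """Parse the greeting and report whether the CLIENT_SSL bit is set."""
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length or not payload or payload[0] != 0x0A:
        raise ValueError("not a complete protocol-v10 greeting")
    end_version = payload.index(b"\x00", 1)      # server version is NUL-terminated
    caps_offset = end_version + 1 + 4 + 8 + 1    # skip NUL, conn id, salt, filler
    if len(payload) < caps_offset + 2:
        raise ValueError("greeting truncated before capability flags")
    (caps_low,) = struct.unpack_from("<H", payload, caps_offset)
    return bool(caps_low & CLIENT_SSL)


def choose_transport(packet, require_ssl):
    """Model a client that wants SSL: never downgrade when it is required."""
    if server_offers_ssl(packet):
        return "tls"
    if require_ssl:
        raise ConnectionError("server did not offer SSL; refusing plaintext")
    return "plaintext"  # the silent fallback described above
```

Because the greeting arrives before any encryption is set up, the client cannot trust the capability bit; the only safe policy is to fail the connection when SSL was requested and is not offered.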
Newspaper News
- Congress discussing crypto backdoors: There has been talk of a second crypto war, with the first being the Clipper Chip of the 90s. In this new crypto war, the government wants to have some sort of backdoor built into crypto, except there isn’t a good technical way of doing it that allows “only good guys” to decrypt it.
- Russian Hackers Read Obama’s Unclassified Emails: Last year, State Department computers were breached, resulting in unclassified emails from politicians and members of that department being compromised.
- SendGrid hacked: Start-ups are increasingly being targeted by hackers. The chat platform Slack was hacked last month. It can be argued that neither Slack nor SendGrid is really a start-up anymore, but it’s important to remember that it’s not just the long-established companies that hackers go after, and even modern software companies are victims of hackers.
- Boeing 787 integer overflow: There are 2^31 hundredths of a second in 248 days. A Boeing 787 must be rebooted every 248 days, else a bug in the software causes the power to stop working.
Business
- FireEye now an anti-terrorism technology: FireEye is the first-ever cybersecurity company to receive SAFETY Act certification, which means they are not liable in the event that their product fails in a terrorist act. On the one hand, this shows a vote of confidence from the Dept of Homeland Security in FireEye. On the other hand, FireEye can get out of potential legal battles if they can get a breach to be viewed as cyber terrorism, such as the Sony breach. Personally, I want the companies behind the products I buy to have the threat of liability if they fail.
Conference materials and publications
- AppSec California: Conference took place in February.
Tools
- Visual Studio for Windows, OS X, and Linux: Microsoft’s Visual Studio IDE is now available for free on OS X and Linux, in addition to Windows. This appears to be even more stripped down than previous community editions, in that it can’t even open .vcxproj files.
- Local Administrator Password Solution (LAPS): Microsoft has released a tool called LAPS to deal with the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.
- go-fuzz: A fuzzer for Go code based on the AFL fuzzer. Due to Go being memory safe, it’s unlikely to find any security vulnerabilities, but it has found a number of bugs.
- vortessence: A tool to partially automate memory forensics analysis. It provides a web-based GUI front-end to Volatility along with some other niceties.
Other reads
- WordPress 4.2 Stored XSS: Vulnerabilities, especially in WordPress, aren’t that interesting because, honestly, new vulns are expected to be found regularly in WordPress, which has had so many (almost 200 CVEs). What’s interesting about this one is that the vuln uses comments larger than 64KB, which causes WordPress’s checks to fail.
- How Antivirus can lower your HTTPS security: In the wake of Superfish and Privdog, which intercept TLS connections in order to manipulate HTTPS, someone looked at Kaspersky, which intercepts HTTPS traffic in order to scan it for malware. Apparently it is susceptible to FREAK and CRIME attacks, and it also disables HTTP Public Key Pinning.
- Websense employees targeted with spear-phishing emails following acquisition by Raytheon: Spear phishing attacks, by definition, use information relevant to their victims to trick them. This one is interesting both in how it is using information that is relevant to the whole company, and also in that it is going after a security company.