Downclimb

2015.05.24

RSS feed

Downclimb: Summit Route's Weekly Infosec News Recap
2015.05.17 – 2015.05.24: https://SummitRoute.com

Quotes

"Doing the basics of network security & hygiene eliminates entire groups of threats while making the advanced threats stand out more." Robert M. Lee

 

"If software is eating the world and all companies are software companies, then they all need to learn hard infosec lessons faster. Lessons like how 'we don't talk about how our product works because security' does not engender trust in consumers or regulators." Alex Stamos

 

"I'd love for our industry to allow consultants to advertise their contributions at some point but most are held back by lifelong NDAs. [...] And workforce is changing. Engineers entering the industry want and expect to be able to blog/tweet/github re: their work. Dino A. Dai Zovi

 

"Another reason why people may be frustrated is that we should be advancing the state of offense and defense as an industry. and much of IoT "hacking" is the same kind of useless brain-drain distraction as weeding out cmdline parsing bugs from unpriv apps. Of course, if you can't climb the mountain, I guess picking weeds at the base is a way to look busy ;)" grsecurity

 

"ProTip: If fuzzing with JS then make your own random num generator with seed to ease of repro." uzumaki trimo

 

"You can get 25% off a Mandiant incident response with the code: ITWASCHINA. 100% off if you just use that code as the report." the grugq

 

"Where is the logo for the #logjam vulnerability so I know it's serious?" Bob Lord

Top stories

Hacking Starbucks for unlimited coffee

Egor Homakov of Sakurity shows how to exploit a race condition in a real web app (Starbucks). These bugs are likely very common, since you need to lock your database in some way to avoid them, which hurts performance, and makes for more awkward code. This class of vulns is also largely not audited for and is difficult to identify in an automated way.

The trojan Emoji

An interesting problem is how can you patch things without attackers identifying vulnerabilities that you've patched by diff'ing the code. In the case of Wordpress, they made a 1,000 line change months ago that they stated was for emoji support, but in actuality was a massive vuln patch.

Unconfirmed / unpatched vulnerabilities in Google App Engine

Adam Gowdiak of Security Explorations found a number of vulnerabilities in Google App Engine (GAE) allowing code to escape the GAE Java sandbox. Google is known for releasing vuln info about products when companies don't patch fast enough, but ironically, in this case Security Explorations has done this to Google. From the post:

"The irony is that all of the bugs reported to Google so far were specific to the "extra security" layer implemented on top of JRE that aimed to protect GAE against...security vulnerabilities in Java."

Trojanized PuTTY Software

Someone created modified versions of the open-source Windows SSH tool PuTTY, and made them available for download on compromised sites where they could then be downloaded. When used they would beacon authentication credentials back home.

NitlovePOS: Another New POS Malware

This point-of-sale malware uses emails asking about jobs in order to infect victims with a malicious .doc file. It uses a mailslot for comms, has a weird PE format, and most notably has a modern and attractive C&C UI.

Logjam

Precomputation attacks on 1024-bit DH groups are "plausible". If you do a lot of work for a known server, you can then easily break all DHE keys from then on[1]. The basic problem is modern SSL servers and clients still allowing the ability to be downgraded to export grade cryptography (ie. breakable crypto), and a MiTM attacker being able to cause this downgrade. SSL labs checks for the common primes associated with part of this problem[2].

  1. https://weakdh.org/
  2. https://dev.ssllabs.com/

Newspaper News

  • Proposed US Wassenaar laws: Much like the crypto wars of the 90s, we are seeing some attempts at restricting the export of security research. Specifically, this is focused on disrupting the sale of exploits, but the legislation is perhaps being overly aggressive. It is important to remember that these are just proposed laws, and can be easily worked around for legitimate researchers and businesses. Law, as opposed to perhaps software, is not entirely unambiguous, nor will it ever be, and nor should it ever be. Even Exodus Intelligence, which would have the most to fear based on many people's reading into the proposed legislation, stated this won't affect their business if it goes into affect.

Business

  • Lloyd's of London wary of market aggregation of cyber risk: The global cyber premium volume is estimated to be between $1.5 billion to $2 billion. This means that $1.5B-$2B is being paid annually for cyber insurance offerings. The problem is the need to ensure the insured policy holders are not all using the same technologies. It is bad when insurance companies receive lots of claims all at once. For example, if a regional property insurance company operates in an area that gets hit by a hurricane or other natural disaster, suddenly it will receive a lot of claims. This could bankrupt the insurer, and those claims will go unpaid. Insurance companies need to diversify their policies. As such, if a vulnerability in a technology used by all of the policy holders for cyber insurance is exploited (a Heartbleed event), that vendor will not be able to support all of the claims.

Conference materials and publications

Tools

  • CSP and HPKP violation reporting with report-uri.io: CSP and HPKP are HTTP headers that describe policies that add additional security for clients browsing your site. If a violation occurs that the browser detects, these policies can specify a URL these violations should be reported to. report-uri.io is a new free service from Scott Helme (creator of securityheaders.io) that provides a place for those violations to be reported to, and a UI for you to access that info.
  • HTTPS Client Testing Made Easy: Based on the tlspretense-service project from iSEC Partners, Yelp made a docker image out of it to easy setup a MiTM test for client applications.
  • LaZagne: The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software. At this moment, it supports 22 Programs on Microsoft Windows and 12 on a Linux/Unix-Like OS.
  • Snowman: Snowman is an IDA plug-in (or stand-alone tool) for decompiling C/C++ code for x86, AMD64, and ARM.

Other reads

- Apple iOS Security Guide

Apple released a 55 page doc on the various security components within iOS, including Apple Pay, the Apple Watch, and other technologies. Included in that report is a line about how one of the threats to the font parser on these devices is that it can lead to arbitrary code execution, leading one person to remark:

"Arbitrary code execution via fonts on your watch. A thing in 2015. #whatatimetobealive" @dreid