Downclimb: Summit Route's Weekly Infosec News Recap
2015.05.17 – 2015.05.24: https://SummitRoute.com
"Doing the basics of network security & hygiene eliminates entire groups of threats while making the advanced threats stand out more." Robert M. Lee
"If software is eating the world and all companies are software companies, then they all need to learn hard infosec lessons faster. Lessons like how 'we don't talk about how our product works because security' does not engender trust in consumers or regulators." Alex Stamos
"I'd love for our industry to allow consultants to advertise their contributions at some point but most are held back by lifelong NDAs. [...] And workforce is changing. Engineers entering the industry want and expect to be able to blog/tweet/github re: their work." Dino A. Dai Zovi
"Another reason why people may be frustrated is that we should be advancing the state of offense and defense as an industry. And much of IoT "hacking" is the same kind of useless brain-drain distraction as weeding out cmdline parsing bugs from unpriv apps. Of course, if you can't climb the mountain, I guess picking weeds at the base is a way to look busy ;)" grsecurity
"ProTip: If fuzzing with JS then make your own random num generator with seed to ease repro." uzumaki trimo
"You can get 25% off a Mandiant incident response with the code: ITWASCHINA. 100% off if you just use that code as the report." the grugq
"Where is the logo for the #logjam vulnerability so I know it's serious?" Bob Lord
Hacking Starbucks for unlimited coffee
Egor Homakov of Sakurity shows how to exploit a race condition in a real web app (Starbucks). These bugs are likely very common, since avoiding them means locking your database in some way, which hurts performance and makes for more awkward code. This class of vulns is also largely not audited for and is difficult to identify in an automated way.
The trojan Emoji
An interesting problem is how to patch things without attackers identifying the vulnerabilities you've patched by diffing the code. In the case of WordPress, they made a 1,000-line change months ago that they stated was for emoji support, but in actuality was a massive vuln patch.
Unconfirmed / unpatched vulnerabilities in Google App Engine
Adam Gowdiak of Security Explorations found a number of vulnerabilities in Google App Engine (GAE) allowing code to escape the GAE Java sandbox. Google is known for releasing vuln info about products when companies don't patch fast enough, but ironically, in this case Security Explorations has done this to Google. From the post:
"The irony is that all of the bugs reported to Google so far were specific to the "extra security" layer implemented on top of JRE that aimed to protect GAE against...security vulnerabilities in Java."
Trojanized PuTTY Software
Someone created modified versions of the open-source Windows SSH client PuTTY and hosted them for download on compromised sites. When used, they would beacon authentication credentials back to the attacker.
NitlovePOS: Another New POS Malware
This point-of-sale malware uses emails asking about jobs in order to infect victims with a malicious .doc file. It uses a mailslot for comms, has a weird PE format, and most notably has a modern and attractive C&C UI.
Precomputation attacks on 1024-bit DH groups are "plausible". If you do a lot of up-front work against the group a known server uses, you can then easily break all DHE key exchanges for that group from then on. The basic problem is that modern SSL servers and clients still allow themselves to be downgraded to export-grade cryptography (i.e. breakable crypto), and a MiTM attacker can cause this downgrade. SSL Labs checks for the common primes associated with part of this problem.
- Proposed US Wassenaar laws: Much like the crypto wars of the 90s, we are seeing some attempts at restricting the export of security research. Specifically, this is focused on disrupting the sale of exploits, but the legislation is perhaps being overly aggressive. It is important to remember that these are just proposed laws, and can be easily worked around for legitimate researchers and businesses. Law, as opposed to perhaps software, is not entirely unambiguous, nor will it ever be, and nor should it ever be. Even Exodus Intelligence, which would have the most to fear based on many people's reading of the proposed legislation, stated this won't affect their business if it goes into effect.
- Lloyd's of London wary of market aggregation of cyber risk: The global cyber premium volume is estimated to be between $1.5 billion to $2 billion. This means that $1.5B-$2B is being paid annually for cyber insurance offerings. The problem is the need to ensure the insured policy holders are not all using the same technologies. It is bad when insurance companies receive lots of claims all at once. For example, if a regional property insurance company operates in an area that gets hit by a hurricane or other natural disaster, it will suddenly receive a lot of claims. This could bankrupt the insurer, and those claims will go unpaid. Insurance companies need to diversify their policies. As such, if a vulnerability in a technology used by all of the policy holders for cyber insurance is exploited (a Heartbleed event), that insurer will not be able to support all of the claims.
Conference materials and publications
- The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching: Using data collected over 5 years on 8.4 million hosts, available through Symantec's WINE platform, the authors present a study of patch deployment for 1,593 client-side vulnerabilities in 10 client applications. 80 vulnerabilities affected code shared by two applications, and the time difference between patches in those applications was up to 118 days (median 11 days). They demonstrate two attacks that exploit old versions which remain installed even though the application has been updated.
- More Rounds, Less Security?: This paper focuses on a surprising class of cryptanalysis results for symmetric-key primitives: when the number of rounds of the primitive is increased, the complexity of the cryptanalysis result decreases. They focus on PBKDF1, the Unix password hashing algorithm.
- AppSec EU 2015
- "Driven by Data": Talk by Dan Geer
- "Windows Phone App Security for Builders and Breakers": Examples of real-world insecure code involving Windows Phone apps developed with the Silverlight and Windows Runtime technologies.
- "Finding Bad Needles on a Worldwide Scale": Presentation on Yahoo's experience of developing, testing and improving cross-site scripting scanners and the methods of more accurate web application security testing.
- "Application Security Assessments by the Numbers - A Whole-istic View"
- "Heap Models For Exploit Systems": Describes formal semantics for heap allocators for those working on DARPA's Automated Exploitation Grand Challenge.
- CSP and HPKP violation reporting with report-uri.io: CSP and HPKP are HTTP headers that describe policies that add additional security for clients browsing your site. If a violation occurs that the browser detects, these policies can specify a URL these violations should be reported to. report-uri.io is a new free service from Scott Helme (creator of securityheaders.io) that provides a place for those violations to be reported to, and a UI for you to access that info.
- HTTPS Client Testing Made Easy: Based on the tlspretense-service project from iSEC Partners, Yelp made a docker image out of it to easily set up a MiTM test for client applications.
- LaZagne: The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each program stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software. At this moment, it supports 22 programs on Microsoft Windows and 12 on a Linux/Unix-like OS.
- Snowman: Snowman is an IDA plug-in (or stand-alone tool) for decompiling C/C++ code for x86, AMD64, and ARM.
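The reporting mechanism behind the report-uri.io item above, as an added example that is not part of the original post or of Scott Helme's service: the policy value a server sends, and a small collector that parses the JSON body browsers POST to the report-uri endpoint, drops malformed bodies and browser-extension noise, and aggregates what is left. The policy, endpoint URL and sample reports are constructed.

```python
import json
from collections import Counter

# Constructed example policy: same-origin resources only, violations POSTed to a collector
# (a report-uri.io account gives you such an endpoint). This is the Content-Security-Policy value.
CSP_VALUE = "default-src 'self'; script-src 'self'; report-uri https://collector.invalid/r/csp"

# Browser extensions inject scripts and trigger violations the site cannot fix; drop them.
NOISE_PREFIXES = ("chrome-extension:", "moz-extension:", "safari-extension:")

def parse_csp_report(body):
    """Parse the body a browser POSTs to report-uri: a JSON object {"csp-report": {...}}.
    Returns the inner report dict, or None when the body is not a well-formed report."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict) or not isinstance(report.get("violated-directive"), str):
        return None
    return report

def is_noise(report):
    """True when the blocked resource came from a browser extension rather than the page."""
    return str(report.get("blocked-uri", "")).startswith(NOISE_PREFIXES)

def summarize(bodies):
    """Count actionable violations by (violated directive, blocked URI)."""
    counts = Counter()
    for body in bodies:
        report = parse_csp_report(body)
        if report is None or is_noise(report):
            continue
        counts[(report["violated-directive"], str(report.get("blocked-uri", "")))] += 1
    return counts

def _report(blocked):
    """Build one constructed report in the shape browsers send for the report-uri directive."""
    return json.dumps({"csp-report": {"document-uri": "https://shop.invalid/checkout",
                                      "violated-directive": "script-src 'self'",
                                      "blocked-uri": blocked, "original-policy": CSP_VALUE}})

# Constructed sample traffic: two inline-script violations, one third-party script,
# one extension injection (noise) and one malformed body.
SAMPLE_BODIES = [_report("inline"), _report("inline"), _report("https://cdn.thirdparty.invalid/x.js"),
                 _report("chrome-extension://abcdef/inject.js"), b"not json"]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_BODIES).items():
        print(n, key)
```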
Apple released a 55 page doc on the various security components within iOS, including Apple Pay, the Apple Watch, and other technologies. Included in that report is a line about how one of the threats to the font parser on these devices is that it can lead to arbitrary code execution, leading one person to remark:
"Arbitrary code execution via fonts on your watch. A thing in 2015. #whatatimetobealive" @dreid
- Software Development KITchen sink: This in-depth report discusses a vuln in a TRENDnet router, but the vuln itself is part of the Realtek SDK used in the router, and thus affects a wide range of devices.
- KCodes NetUSB: How a Small Taiwanese Software Company Can Impact the Security of Millions of Devices Worldwide: Similar to the above issue, this issue is in software from a library that affects many routers.
- Xerox scanners/photocopiers randomly alter numbers in scanned documents: This is not a security issue exactly, but an interesting issue. Xerox devices for the past 8 years have, in some cases, been changing the number "6" to the number "8". This is not an OCR issue, but caused by simply photocopying a sheet of paper, and is not just a hard to read "8", but clearly has been converted to look more like an "8" than a "6".
- Reverse engineering Might and Magic III compression: Reversing an old (90s era) 16-bit x86 DOS executable that uses overlays. I like how he shows how he combined his online searching research with reversing. Often reversing posts just show how the author sat down in IDA Pro and figured it out, which is sometimes not the most efficient way of reversing, especially for reversing older formats.
- Using mprotect(.., .., PROT_NONE) on Linux: Debugging a memory protections issue in Volatility. It's good to see how you can debug issues with the tools you use.
- Artifacts and tricks for Mac OS X: Collection of places to look when gathering data about an Apple OS X host. Mostly of interest for attackers.
- Microsoft Security Intelligence Report (SIR): This is the latest intelligence report from Microsoft, although it's from July 2014 to December 2014.