Downclimb: Summit Route’s Weekly Cyber News Recap
2015.05.31 – 2015.06.07: https://SummitRoute.com

Quotes

“When I think of cyberwar, I imagine the chaos that would follow if Stuxnet got loose and started attacking laundromats.” Andreas Lindh

 

“vuln hunters are just a specialized form of truffle hogs, often with similar lifestyle preferences.” halvarflake

 

“Avoid if possible. The code was written by a colony of drunk monkeys, in an era before anyone understood the basics of modern cryptography; I’m really not sure which is worse between gnupg and OpenSSL. Of course, GPG is the standard for encrypted email, just like SSL/TLS is the standard for web sites, so you may have no choice” Colin Percival (Founder of tarsnap and creator of scrypt) on whether to use GPG.

 

“For maintainers open source software is ‘free as in a puppy’” Trek Glowacki

 

“OH: ‘The only good management is heap management.’” halvarflake

 

“With 512GB microSDs, I now calculate that a carrier pigeon has a payload of 27TB of data (with some spare capacity)” David Rogers

 

“Hey, when my 86 gets pastebin’d, that stuff in section 22, that’s all alleged…” @mtanji In reference to the SF-86 forms which were stolen from the OPM, and section 22 refers to incidents involving the police. These are forms government employees must fill out to get clearances which give an intimate view into one’s history.

 

“I’ll call you a security researcher if you make the unknown knowable and the knowable understood.” John Lambert on whether reversing and exploiting makes you a security researcher.

Top stories

OPM defense tools —————– The OPM was hacked again by “Deep Panda” with the records of up to 4M government employees, dating back to 1985, being compromised. These records give extensive details about the lives of government employees. This is unfortunate (it’s really bad), but usually there is nothing to learn, as an infosec professional, from these announcements that show up on the WSJ or are reported by Krebs. So I normally put those in the “Newspaper News” section, which is where I put links for things you should know about since your associates who aren’t in infosec will bring it up, but it won’t help you in your job to know much about it. So the reason I’m including this link here, is because this link actually discusses the tools OPM uses and how they are integrated together. Specifically, the OPM uses CSG Invotas Security Orchestrator, HP ArcSight, FireEye Endpoint (HX series), and BMC Remedy IT Service Management Suite. What’s interesting is how these are tied together for automated response. The article also discusses the setup used by two other companies.

• Discussion of the tools: http://searchsecurity.techtarget.com/feature/Endpoint-threat-detection-gets-more-response
• The newspaper announcement of the hack: http://www.reuters.com/article/2015/06/06/us-cybersecurity-usa-idUSKBN0OL1V320150606?irpc=932

Auditing GitHub users’ SSH key quality

Github makes it possible to see people’s public SSH keys. That shouldn’t be a problem, because those are your public keys. A researcher named Ben Cox discovered that many of these keys suffer from the old Debian OpenSSH bug that generated weak keys[1]. Some of these keys had commit access to some very valuable projects, which means that an attacker could have slipped in nefarious commits (backdoors, purposeful exploits, etc.). The issue with the weakened Debian keys was found in 2008, and Github even issued their own warning to users about it[2], but took no action until now. HD Moore used to have a copy of the blacklist of these weak keys on metasploit.com, but it seems to be gone, so there is a copy on github[3].

1. 2015 post: https://blog.benjojo.co.uk/post/auditing-github-users-keys
2. 2008 Github post: https://github.com/blog/63-ssh-keys-generated-on-debian-ubuntu-compromised
3. Blacklist: https://github.com/g0tmi1k/debian-ssh

Facebook adds PGP for password resets

Password reset emails are a weak link in web site authentication. The emails can be MiTM’d in transit (likely only by nation states), or the email service can be attacked. If someone get’s access to your email account, they now have access to all of your other accounts. Facebook has taken the amazing and unexpected step of allowing for their password reset emails to be PGP encrypted when sent to you. This means that even if your email account is compromised, an attacker can’t compromise your Facebook account.

• https://www.facebook.com/notes/protect-the-graph/securing-email-communications-from-facebook/1611941762379302

Analysis on APT targeting China’s Government

The English of this report is a struggle to read, but it’s good. Antiy is a Chinese company that has been around since 2000 and was added to VirusTotal in 2009. It develops an anti-virus engine focused on mobile and embedded (network) devices. It does not offer a consumer product. This is a different APT than OceanLotus which was announced last week by a different Chinese company and also targeted the Chinese government. In this case, “APT-TOCS” uses the product Cobalt Strike, hence the name TOCS which stands for “Threat On Cobalt Strike” (should be “Of”). What’s funny is they then give a full bio of Rafeal Mudge (author of Cobalt Strike) in the same way Krebs gives bios on malware authors, complete with a photo, history of where he worked, and a history of the versions of Cobalt Strike like you see with malware version history in reports.

• http://www.antiy.net/p/analysis-on-apt-to-be-attack-that-focusing-on-chinas-government-agency/

More projects hijacked on sourceforge

In addition to GIMP being hijacked last week, more (VLC, nmap, and others) have been hijacked. Sourceforge should now be considered an adware distribution site like Download.com. There are many aspects about this story that are depressing:

• A once respected company is now abusing it’s prestige and search rank to cash in by trojaning the software it distributes with adware.
• This is legal.
• No action is being taken by search engines or browsers to warn users of these “malicious” sites.
• No antivirus companies are flagging these binaries as malware, just like none flag Java when it includes the “ask.com” toolbar.
• AV, search engines, and others aren’t taking action because they’ll get sued because this is a “legitimate” and lawful business.

Some AV have the ability to block PUA (Potentially Unwanted Applictions), but this becomes more difficult when the adware is trojaned into the legitimate binaries. This is a problem that could only be solved by community action by generating your own signature sets much the way uBlock Origin works for blocking ads.

• Explanation from VLC: https://blog.l0cal.com/2015/06/02/what-happened-to-sourceforge/ nmap
• http://seclists.org/nmap-dev/2015/q2/194

Conference materials and publications

• Exploit Development Community: Series of articles on doing modern Windows exploitation.
• Efficient Hypervisor Based Malware Detection: Despite the 2014 in the URL, this is a paper released last month.

Tools

Triton

From the readme:

“Triton is a concolic execution framework based on Pin. It provides components like a taint engine, a dynamic symbolic execution engine, a snapshot engine, translation of x64 instruction into the SMT2-LIB representation, a Z3 interface to solve constraints and Python bindings.”

What do those words mean? Basically, think of the fuzzing framework American Fuzzy Lop, which works by randomly modifying an input and watching the execution paths taken. When new execution paths are taken, the input that was used to get there is deemed “interesting” and the random modifications are focused on that input in order to progress further. This ultimately is randomly guessing inputs that might be interesting. What Triton does is it calculates the inputs that would be interesting. So in theory, for these tools, you give it a program, and it gives you a data set that will reach every code path. What distinguishes Triton from similar tools is it works “online”, meaning it works on running programs as opposed to using static analysis, and it’s Python bindings make it easier to interact with.

• Code: https://github.com/JonathanSalwan/Triton
• Slides: http://shell-storm.org/talks/SSTIC2015_English_slide_detailed_version_Triton_Concolic_Execution_FrameWork_FSaudel_JSalwan.pdf

Other reads

• ClamAV 0.99b Meets YARA!: The open-source AV, ClamAV, now supports yara for it’s engine.
• Adversary Intelligence: Getting Behind the Keyboard: Massive article describes the reasons behind doing attribution and focusing on Adversary Intelligence.
• Android for Work Security white paper: Paper from Google describing the security features in Android.
• GitHub for Mac remote code execution: Not much info, other than “malicious github-mac: URLs could be crafted, leading to arbitrary remote code execution when visited by users”[1]. Creating your own URI has historically been a good source of vulns. As more applications become essentially custom wrapped browsers with their own add-ons (ex. Atom Electron powers Slack, Visual Studio Code, and others), we should expect more of this. -Mongo BSON Injection: Ruby Regexps Strike Again: If you don’t want to find vulns directly, there are some other options. 1) Watch what get’s fixed in code bases or diff patches and updates in order to find old-days that have perhaps been silently fixed. 2) Watch for patch vulns to get accidentally unpatched. This is a case of the latter.
• Embracing open source security: Post from Mike Arpaia of Facebook on lessons learned from MIDAS (developed by Etsy) that were used to build osquery.
• A Look at Golroted/Hawkeye Keylogger: Well written independent malware analysis with actionable incident response artifacts to look for.