Downclimb: Summit Route's Weekly Cyber News Recap
2015.06.21 – 2015.06.28:


"The government is not protecting OUR data commensurate with the security requirements we would demand of a company that holds it like say Target. It’s time to hold the government to the standards that they would like to enforce on companies. Let’s not listen to the marketing leaks by Mandiant and Crowdstrike about the actors and who they may be. What matters is that the data was taken and the reason it was taken was because of poor security and bad management on the part of the federal government. You know, those guys rattling the cyber war sabre lately." krypt3ia on the OPM hack


"Saying your company/organization/client deals with ‘millions’ of attacks is a great way to instantly lose all tech credibility" Andrew Case


"Did you know that CISO comes from the Greek word for the lamb they slaughter first?" Dino A. Dai Zovi


"Between #Snowden & #OPMhack, America is having a novel experiment in how a major power fares without secrets. Poorly, I expect ..." John Schindler


"Don’t make me sudo. You wouldn’t like me when I’m root." the grugq


"Instead of hiring a senior dev, we can just hire 3 junior devs and put them in a trenchcoat." Open Source Cupcake

Top stories

Analysis and Exploitation of an ESET Vulnerability

Post from Tavis Ormandy on a vulnerability in the "emulator" of ESET AV. It is a good read for learning how AV engines use emulators to run suspicious samples, and also for the way the emulator was built, which was done by single-stepping the execution of the sample.

What is a "good" memory corruption vulnerability?

First post in a series from Chris Evans about the robustness of exploits[1]. Many exploits, especially when faced with the additional mitigations from EMET, will crash the application instead of exploiting it, at least some of the time. This is important for people to understand, and it was the basis for a product I once worked on (CRAN[2] at Parsons) that detects exploit attempts by analyzing crash dumps. Leviathan has a similar product called Lotan[3].

  1. Original post:
  2. CRAN:
  3. Lotan:
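To make the "detect exploit attempts from crash dumps" idea concrete, here is a small triage routine over a simplified crash record. This is an added example written for this recap; it is not CRAN's or Lotan's logic, only a few of the widely known indicators such tools look at (instruction pointer outside any loaded module or inside the stack, stack pointer outside the thread's stack, registers holding typical heap-spray fill values). The module layout, stack bounds and crash values are constructed 32-bit x86 numbers, not taken from a real dump.

```python
"""Crash-record triage: ordinary bug, or a failed exploit attempt?

Added illustration, not any product's real implementation. Every address
below is constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass
class Module:
    """A loaded image: [base, base + size)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Crash:
    """The handful of fields from a minidump that the heuristics need."""
    eip: int          # instruction pointer at the fault
    esp: int          # stack pointer at the fault
    fault_addr: int   # address the faulting access touched
    stack_lo: int     # thread stack bounds, [stack_lo, stack_hi)
    stack_hi: int
    modules: list     # list[Module]


# Fill values commonly used by heap sprays and NOP slides. A fault on, or
# a jump to, one of these is a strong hint that a spray was attempted but
# the landing failed (DEP, a missing allocation, a bad offset, ...).
SPRAY_PATTERNS = {0x0C0C0C0C, 0x0D0D0D0D, 0x0A0A0A0A, 0x41414141, 0x90909090}


def triage(c: Crash) -> list:
    """Return the list of exploit indicators found in the crash record.

    An empty list means nothing looked like control-flow hijacking; the
    crash is probably a plain bug. Each string explains one indicator.
    """
    reasons = []
    if not any(m.contains(c.eip) for m in c.modules):
        reasons.append("eip outside every loaded module")
    if c.stack_lo <= c.eip < c.stack_hi:
        reasons.append("eip points into the stack")
    if not (c.stack_lo <= c.esp < c.stack_hi):
        reasons.append("esp outside the thread stack (possible stack pivot)")
    if c.eip in SPRAY_PATTERNS or c.fault_addr in SPRAY_PATTERNS:
        reasons.append("eip or fault address matches a heap-spray fill value")
    return reasons


def verdict(c: Crash) -> str:
    return "likely exploit attempt" if triage(c) else "ordinary crash"


# Constructed process layout shared by the sample crashes.
MODULES = [
    Module("app.exe", 0x00400000, 0x00100000),
    Module("ntdll.dll", 0x77000000, 0x00150000),
]
STACK_LO, STACK_HI = 0x0012C000, 0x00130000

# A null-pointer dereference inside app.exe: boring.
BENIGN = Crash(eip=0x00401234, esp=0x0012F800, fault_addr=0x00000000,
               stack_lo=STACK_LO, stack_hi=STACK_HI, modules=MODULES)

# A jump into sprayed memory that was not mapped: exploit that did not land.
SPRAY_MISS = Crash(eip=0x0C0C0C0C, esp=0x0A0A0A10, fault_addr=0x0C0C0C0C,
                   stack_lo=STACK_LO, stack_hi=STACK_HI, modules=MODULES)

# Return into a stack buffer under DEP: the shellcode page is not executable.
STACK_RET = Crash(eip=0x0012F900, esp=0x0012F904, fault_addr=0x0012F900,
                  stack_lo=STACK_LO, stack_hi=STACK_HI, modules=MODULES)

if __name__ == "__main__":
    for label, crash in (("benign", BENIGN), ("spray_miss", SPRAY_MISS),
                         ("stack_ret", STACK_RET)):
        print(f"{label:10s} {verdict(crash):22s} {triage(crash)}")
```

Real tooling reads these fields out of a minidump and adds many more checks (call-stack sanity, known-gadget addresses, exception codes), but the shape is the same: a crash is evidence, and the register state at the fault often says whether someone was steering it.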

A month with BADONIONS

Someone tested authenticating to a test site through 100+K tor exit nodes, then monitored the site to see whether the credentials were later reused by anyone else. They were, in 12 cases, including two "guard" nodes.
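The detection half of that experiment is simple to reproduce for your own services: hand out a distinct canary credential through each path you want to watch, and any later login with that credential that did not come from you tells you exactly which path leaked it. The following is an added example, not the BADONIONS author's code; the HMAC key, exit fingerprints, probe IP and log lines are constructed for the demonstration, and the log format is a hypothetical one-line-per-login format.

```python
"""Canary credentials that identify which Tor exit captured them.

Added illustration in the spirit of the BADONIONS experiment. All exit
fingerprints, IPs (RFC 5737 documentation ranges) and log lines are
constructed; the login log format is hypothetical.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

SECRET = b"constructed-demo-secret"  # hypothetical per-deployment key


def canary_for(exit_fingerprint: str) -> tuple:
    """Derive a unique (username, password) pair for one exit node.

    The pair is a keyed hash of the exit's fingerprint, so it can be
    regenerated later without storing a table, and anyone who replays it
    must have observed the traffic that left through that exit.
    """
    tag = hmac.new(SECRET, exit_fingerprint.encode(), hashlib.sha256).hexdigest()
    return f"user_{tag[:12]}", f"pw_{tag[12:36]}"


LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Replay:
    exit_fingerprint: str
    src_ip: str
    timestamp: str


def find_replays(exits: list, log_lines: list, own_probe_ips: set) -> list:
    """Map each foreign login that used a canary back to the leaking exit.

    Logins from our own probe host are the legitimate test logins and are
    skipped; anything else presenting a canary username is a replay.
    """
    by_user = {canary_for(fp)[0]: fp for fp in exits}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["src"] in own_probe_ips:
            continue
        fp = by_user.get(m["user"])
        if fp is not None:
            hits.append(Replay(fp, m["src"], m["ts"]))
    return hits


# Constructed data: three exits we probed, our probe host, and a week of log.
EXITS = ["EXIT-A-7EA1C0DE", "EXIT-B-0BADF00D", "EXIT-C-5EEDFACE"]
PROBE_IPS = {"203.0.113.10"}
_ua, _ = canary_for(EXITS[0])
_ub, _ = canary_for(EXITS[1])
_uc, _ = canary_for(EXITS[2])
LOG_LINES = [
    f"2015-06-22T01:00:00Z login ok user={_ua} src=203.0.113.10",    # our probe
    f"2015-06-22T01:00:05Z login ok user={_ub} src=203.0.113.10",    # our probe
    f"2015-06-22T01:00:10Z login ok user={_uc} src=203.0.113.10",    # our probe
    f"2015-06-25T14:12:33Z login fail user={_ub} src=198.51.100.77",  # replay: exit B
    "2015-06-25T14:13:00Z login fail user=admin src=198.51.100.77",   # unrelated noise
    f"2015-06-27T09:45:21Z login ok user={_uc} src=192.0.2.200",      # replay: exit C
]


def demo() -> list:
    return find_replays(EXITS, LOG_LINES, PROBE_IPS)


if __name__ == "__main__":
    for r in demo():
        print(f"{r.timestamp} credential for {r.exit_fingerprint} replayed from {r.src_ip}")
```

Two details matter in practice: the canary must be used exactly once per path (a credential sent through several exits cannot be attributed), and the probe should use a plaintext or deliberately weak channel, since a correctly configured TLS login gives a snooping exit nothing to capture.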

How to build your own public key infrastructure

In order to get your various servers to communicate securely with one another, you need to set up your own PKI. This post from CloudFlare shows how to do it.

UnFIN4ished Business

FIN4 is a financially motivated threat group that has been targeting publicly traded companies since 2013 in order to obtain insider information to trade on. This past week the SEC announced it is investigating them. This is an interesting group because it is not a government actor going after defense secrets, a crimeware or ransomware group going after the general public, or a competitor trying to steal intellectual property that would hurt the victim's business. Instead, FIN4 performs somewhat "victimless" crimes, where the victims are other stock traders who don't have access to the same internal secrets. This write-up touches briefly on the technical aspects of the group.


  • 11% of UK firms have cybersecurity insurance: Although this article says "just" 11% of mid to large UK organizations have cybersecurity insurance, I'm surprised that many have it. The survey covered 100 companies.
  • Checkmarx closes $84M Series C: Checkmarx was founded in Tel Aviv in 2006. It does static code analysis to identify security vulnerabilities. It closed an $84M round, bringing its total funding to date to $92M. From what I've been hearing from entrepreneurs over the past month, they expect the easy money to dry up soon, so they are trying to close large rounds to carry them through an expected market correction.
  • Auth0 closes $6.9M Series A: Auth0 was founded in Bellevue, WA in 2013. It helps apps authenticate with identity providers, providing identity-as-a-service.
  • The State Of The Cyberthreat Intelligence Market: Forrester post showing that since October 2014 a total of $102.5M has been raised in 8 funding rounds, with 4 acquisitions, in the threat intel space (acquisition amounts are mostly undisclosed, except one for $40M).

Conference materials and publications


  • Semtrex: Tool for dynamic taint analysis integrated into IDA Pro for around $780.
  • Atom 1.0: Atom is a text editor made by Github that looks and feels a lot like Sublime, but is free and open-source. Atom just hit its 1.0 release.
  • Detecting unauthorized cross-app resource access on OS X: Responding to the XARA issue in Apple OS X covered last week, Facebook's osquery is now capable of detecting this issue. It's interesting to see an open-source project from a non-infosec tech company responding to security issues faster than the infosec companies do.

Other reads