RSS feed

Downclimb: Summit Route's Weekly Cyber News Recap
2015.07.12 – 2015.07.19:


"Authentication is a classification problem amenable to machine learning, with many signals in addition to the password available to large Web services." Passwords and the Evolution of Imperfect Authentication


"Tomorrow is Windows Server 2003 end of support. And Bastille Day. Both were bloodbaths --" Kostya Kortchinsky


"Full disclosure at work: Leak 2 Flash 0days, Mozilla kills Flash. "responsibly report" 10s of them to Adobe... nothing happens" @4Dgifts


"Vega$ is two weeks away. Visit the store and purchase deodorant you stinky #hax0rz" jeff bryner

Top stories

Vuln broker timelines

This is the most informative table you'll ever have seen about the 0-day industry. This table from Vitaliy Toropov (recently famous for being identified as the person who found some of Hacking Team's 0-days) shows the dates when vulns were reported (sold) to vuln brokers and when they were reported to the vendors. It's understood that part of the value of the assumedly legitimate brokers is to screen these vulns so these brokers pay for good vulns and only submit valuable vulns, but this chart shows that this process takes hundreds of days and once over 226 days. I understand there can be backlogs, but having repeat submissions from the same vuln researcher should make his submissions more trusted and higher priority which leads to the conclusion that these vuln brokers may be purposefully delaying reporting them for naughty reasons.

Darkode Shutdown: FireEye Intern Accused Of Creating $65,000 Android Malware

Although it's long been assumed that some of those who work on defensive products also moonlight as malware authors, I don't know of any cases of it being revealed until now. In this case someone had interned at FireEye for two summers, some of which time overlapped with this malware selling.

Hacking Team hack

More fallout from the Hacking Team leak.

Windows issues

Outside of Hacking Team, more vulns have been discovered and explained.

Apple issues

Flash issues

SSL issues


  • Rapid7 IPO'd: Using the ticker RPD, the maker of Metasploit, IPO'd on Friday, and jumped up 58% before the close.
  • CounterTack acquires ManTech Cyber Solutions International: CounterTack sells an end-point detection and response product. ManTech is a large publicly traded government contractor so what was a bought was a subset of their business. ManTech Cyber Solutions International is a piece of ManTech that develops commercial software, and is a renaming of HBGary from when it was bought by ManTech in 2012.
  • Crowdstrike's $100M round: Crowdstrike's recent $100M rumored round was announced this week as reality, and it wasn't solely Google Capital investing, but also included Rackspace, Accel and Warburg Pincus.
  • UK giving £5,000 to SMEs to obtain cyber security advice: The UK has decided to address cyber security with the "throw money at the problem" option. The UK "will offer SMEs up to £5,000 for specialist advice on how to improve their cyber security and protection for intellectual property (IP)."
  • Software bug prompts Range Rover recall: Keyless entry and ignition systems on Range Rovers have vulnerabilities that allow car thieves to steal them. Other cars are also susceptible, but have not yet been recalled.

Conference materials and publications

  • SPHINCS: practical stateless hash-based signatures: Paper from DJB and others on a "post-quantum stateless hash-based signature scheme that signs hundreds of messages per second".
  • Modern Binary Exploitation - CSCI 4968: All course materials are now up online for the class at RPI that taught vuln research, reverse engineering, and exploit development for Linux targets with mitigations enabled.
  • Defcon Russia: This Russian infosec conference apparently is releasing some of it's talk prior to the actual conference which will occur in September. Some are in Russian, but the following is in English and worth skimming.


  • Sleepy Puppy: This tool helps audit for blind XSS. The concept here is that in blind XSS the attacker is getting javascript to execute in contexts that they don't know about. For example, they send some javascript through a support form that get's read in a different application by the support staff and the javascript get's executed there. This might happen days later. This project helps to keep track of where blind XSS attempts were submitted and also includes in the javascript the ability to screenshot the browsing session and beacon it home.
  • Building reliable SMM backdoor for UEFI based platforms: Discussion and code for an SMM backdoor for UEFI based platforms.
  • NSA on github: The NSA is no stranger to releasing open-source tools, having developed and released SELinux back in 2000. However, this is their first release of code up on Github (at, but unfortunately, my take is it's not going to useful for anyone. Their use of Github is odd with the repo at /NationalSecurityAgency/SIMP redirecting people to a different group of repos at /SIMP, which has around 100 repos, none of which contain code in the master branch, but rather in versioned branches within. Confused? I am. The end result of this project is to be able to use Puppet to set up and check the configs of various services.

Other reads

  • How We Fared in the Cyber Grand Challenge: Much of this post is about the Cyber Grand Challenge event and results, but what I find most interesting is the description of how their solution actually worked in the sections "Bug Finding" and "Patching".
  • Trend Micro Threat Intelligence Manager RCE: By chaining three trivial vulnerabilities together it is possible for a remote attacker to get RCE on this Trend Micro security solution.
  • Security for building modern web apps: A lot of actual useful advice for web app development.
  • Golang security: If you have, or are building, a Golang webservice, these posts (one and two) are worth reading.
  • Windows 10 security features: Although this post is largely an advertisement for Bromium, it does collect info about the various security features of Windows 10 into one place. Also, some documentation from Microsoft has been created for a new mitigation in Windows 10 to only allow trusted fonts.
  • Email security: Advice from Ben Nagy on how to use mutt, GPG, and gmail for security, and advice from the grugq on how to use PGP in general.
  • Exchange between Dino A. Dai Zovi, Aaron Portnoy, and Claudio: A lot of infosec communication happens on twitter. This exchange is worth reading and surprisingly one of the most cordial and professional arguments you're likely to ever see online between groups with such different views. On one side is Dino A. Dai Zovi and Aaron Portnoy who have businesses with ties to the offensive infosec research world, and on the other is Claudio, who has released a lot of open-source defensive tools, and who is more of an idealist (his own self description).