Downclimb: Summit Route's Weekly Cyber News Recap
2015.07.19 – 2015.07.26: https://SummitRoute.com
"If you receive a USB key in the mail from your automaker, it's totally legit. Plug it into your car right away." Tom Cross on Chrysler's decision to mail USB keys to customers to patch their vehicles
"It is a disappointment to me that so many greatly skilled hackers now working for big dollar companies are putting so much energy in politics" Julien Vanegue
"Always download and archive all the software updates. The vendors like to make getting the old shit so hard / impossible!" tmanning
"From now on, exploit kit authors and people selling exploits to HT are to be referred as "security researchers". As their actions, plus or minus a day, are indistinguishable from Project Zero or Qualys." grsecurity
Hacking Team: A zero-day market case study
One of the most valuable insights from the hacks and leaks of exploit brokers and other infosec threat actors is learning what attacks exist and what they cost, because this lets defenders judge which defenses are effective and how much they should pay for them. For example, iOS exploits are very expensive, costing at least $250K, which implies both that iOS security is more effective than that of the alternatives and that such 0-days do exist and are actively sought after. This post describes much of the financial information associated with Hacking Team's exploit purchases.
- Microsoft to buy Adallom: Microsoft is reported to be buying the Israel-based Adallom for $320M. Adallom is a cloud access security broker (CASB). It provides a gateway between enterprise customers and SaaS offerings such as Microsoft Office 365, Google Apps and Salesforce. In addition to secure SaaS access, Adallom provides policy-based enforcement for compliance and visibility into employee usage of cloud apps. More here.
- Zerodium debuts: New company from Chaouki Bekrar, the founder of VUPEN, that pays bounties for premium bugs. The company buys exploits for Windows, OS X, Linux (including Tails), phones, VM escapes, browsers, and nearly everything else. The stated difference from other programs is that they pay for quality rather than quantity. It seems VUPEN has shut down, likely due to regulatory issues in Europe, so this appears to be its rebirth under a new name.
- Car hacking: Chrysler's UConnect infotainment system, which uses Sprint's wireless network, was leveraged to remotely commandeer some aspects of a Jeep Cherokee. The vuln extends across Chrysler's line of vehicles, and similar flaws exist in other automakers' products. The most dangerous aspect of the hack was that the researchers could monitor the location and speed of the vehicle and then cut the brakes. It does not appear that they could make the vehicle accelerate or control its steering. This is a confusing point in the sensational news articles: it seems they were able to disable power steering, but not actually turn the vehicle. So for the most part they were able to shut down parts of the car, which, for anyone who has driven old cars, isn't quite as scary as the news makes it out to be, although knowing someone can do it maliciously, and at the worst possible moment, does make it bad. Security vulns in cars have been known for a decade, but this one is interesting because it can be exploited remotely, and the result of the news coverage has been a recall of 1.4M vehicles.
Conference materials and publications
- Recon: Recon is a reverse-engineering conference held in Montreal in late June. Slides are now up.
- Attacking Windows Fallback Authentication: Paper on a Kerberos-to-NTLM downgrade attack by Matt Weeks (scriptjunkie) of Root9b.
- Too LeJIT to Quit: Extending JIT Spraying to ARM: Shows that JIT-spraying defenses on ARM are less adequate than they are on x86.
- SUIDGuard: This week Stefan Esser released a simple privilege escalation for OS X using DYLD_PRINT_TO_FILE. Most people focused on the bug, but more important is the mitigation he released alongside it, SUIDGuard, which is explained in his blog post.
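The class of bug behind the DYLD_PRINT_TO_FILE escalation is a setuid binary inheriting a dynamic-loader environment variable the loader should have dropped: dyld opened the named log file while still running with the binary's elevated privileges and left that descriptor open for the rest of the process. SUIDGuard blocks this in the kernel, which is the right place, because by the time a setuid program's own code runs, the loader has already acted. As a defense-in-depth check a practitioner can still apply inside any setuid program on any Unix, the following added example (written for this recap, not code from Stefan Esser or SUIDGuard) scrubs DYLD_* and LD_* variables from an environment array and closes every descriptor above stderr before the program does anything privileged. The environment it operates on is a constructed sample; the prefix list and the upper descriptor bound of 64 are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

/* Loader variables that must never influence a setuid/setgid process.
 * DYLD_* is Apple's dyld, LD_* is the ELF loader; matched by prefix.
 * Assumed list for illustration; extend it for your platform. */
static const char *const loader_prefixes[] = { "DYLD_", "LD_", NULL };

static int is_loader_var(const char *entry) {
    for (int i = 0; loader_prefixes[i]; i++)
        if (strncmp(entry, loader_prefixes[i], strlen(loader_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Compact a NULL-terminated envp-style array in place, dropping loader
 * variables. Returns the number of entries removed. */
size_t scrub_loader_env(char **envp) {
    size_t in = 0, out = 0;
    for (; envp[in]; in++)
        if (!is_loader_var(envp[in]))
            envp[out++] = envp[in];
    envp[out] = NULL;
    return in - out;
}

/* Close every descriptor from 3 up to max_fd so that nothing the loader or
 * the parent opened is inherited (this is the channel the DYLD_PRINT_TO_FILE
 * bug left behind). Returns how many descriptors were actually open. */
int close_inherited_fds(int max_fd) {
    int closed = 0;
    for (int fd = 3; fd < max_fd; fd++)
        if (close(fd) == 0)
            closed++;
    return closed;
}

/* Constructed sample: what a setuid program might inherit from a hostile
 * caller. Returns the number of loader variables scrubbed. */
size_t demo_scrub(void) {
    char *env[] = { "PATH=/usr/bin:/bin",
                    "DYLD_PRINT_TO_FILE=/etc/sudoers",
                    "HOME=/tmp",
                    "LD_PRELOAD=/tmp/evil.so",
                    NULL };
    size_t removed = scrub_loader_env(env);
    for (int i = 0; env[i]; i++)
        printf("  keep: %s\n", env[i]);
    return removed;
}

int main(void) {
    printf("removed %zu loader variables\n", demo_scrub());
    /* Simulate a descriptor leaked to us by whoever started the process. */
    int leaked = open("/dev/null", O_RDONLY);
    (void)leaked;
    printf("closed %d stray descriptors\n", close_inherited_fds(64));
    return 0;
}
```

Note that this is belt-and-braces: a privileged file the loader already opened before main() cannot be un-opened, only closed, which is why the descriptor sweep matters as much as the variable scrub, and why a kernel-level control such as SUIDGuard is the real fix.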
- Visual Studio 2015: VS2015 is finally out of technology preview and available for general download or purchase. More info here.
- MIEngine: Visual Studio MI Debug Engine from Microsoft provides an open-source Visual Studio Debugger extension that works with MI-enabled debuggers such as gdb, lldb, and clrdbg. The value of this is that not only can you use Visual Studio to cross-compile for other operating systems and architectures, but you can also debug those platforms with Visual Studio now.
- NSA Control-Flow-Integrity: A control-flow integrity implementation for Linux from the NSA.
- One Perfect Bug: Exploiting Type Confusion in Flash: Describes the factors that make a vuln good for reliable exploitation.
- Windows 10 Sharpens Browser Security With Microsoft Edge: Discussion of some of the additional security mitigations being put into Microsoft's Internet Explorer replacement called Edge.