Downclimb: Summit Route’s Weekly Cyber News Recap
2015.08.09 – 2015.08.16: https://SummitRoute.com

Quotes

“If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?” Exodus Intelligence

 

“I sometimes think of sacrificing some non-exploitable bug that stops my fuzzer from reaching deeper code paths, but I never do.” argp

 

“There was a time when the worst thing about your browser was the Java plugin. Now the worst things about your browser is that it is Java.” Ted Unangst

 

“As an exec (and gentleman) let me say a word to Oracle exec: we shit on your EULAs & we shit on software vendors in general.” Chaouki Bekrar of @VUPEN and @Zerodium

 

“Of course we make false positives. In banya, then riding bears to the beach. We have an fp factory 6 miles north of the Kremlin” Eugene Kaspersky in response to allegations from Reuters that they purposefully tried to make other AV companies FP on files

Top stories

Middlekit

Idea from Sakurity about how once a site is owned by an attacker, the attacker can abuse caching of things to permanently cause problems for users of that site, even after the initial attack is mitigated.

• http://sakurity.com/blog/2015/08/13/middlekit.html

JIT Malware

This write-up from Invincea shows how malware uses techniques borrowed from late-binding compilers to assemble a malware executable on the target endpoint itself in order to evade network sandbox analysis. It’s also interesting to see a security company specifically call out examples of how other technologies are failing. Invincea makes the case that the entire category of detonation environment technologies is being bypassed, and specifically calls out FireEye. They further shows how this bypasses another category of products: ETDR solutions (although they don’t specifically call out the vendors in that category, such as Crowdstrike’s Falcon, and Carbon Black). This report is a good read, as it describes how a variety of attacks actually worked and why they were effective, as opposed to just dropping some IPs and MD5 hashes and giving them playful names.

• http://www.invincea.com/assets/uploads/2015/08/Invincea-1H-2015-Advanced-Endpoint-Threat-Report.pdf

Lenovo using BIOS rootkit

Lenovo uses a BIOS rootkit in order to ensure that it’s laptops will always have Lenovo software installed on them. So even after wiping the hard-drive and reinstalling the OS, Lenovo’s software will be re-installed on the system at bootup.

• http://thenextweb.com/insider/2015/08/12/lenovo-used-a-hidden-windows-feature-to-ensure-its-software-could-not-be-deleted/
• Affected models: http://news.lenovo.com/article_display.cfm?article_id=2013

Hackers used insider trading to earn $100M in profits

Hackers broke into news companies in order to gain access to 150,000 confidential press releases which they sold resulting in insider trading and profits of $100M.

• http://www.bloombergview.com/articles/2015-08-11/why-not-insider-trade-on-every-company-

New Windows USB vuln

This issue in the Mount Manager affects Windows Vista to Windows 10. No details are given on how this actually works, but one interesting detail about this is that Microsoft not only patched against this exploit, but also records attempted exploit attempts of this vulnerability in the Windows Event Log with the error description “CVE-2015-1769”.

• https://technet.microsoft.com/library/security/MS15-085
• http://blogs.technet.com/b/srd/archive/2015/08/11/defending-against-cve-2015-1769-a-logical-issue-exploited-via-a-malicious-usb-stick.aspx

No, You Really Can’t

Oracle’s CSO posted a ridiculous essay describing how people shouldn’t reverse engineer their software. For example, she likened breaking the EULA as similar to adultery. It was so outrageous that people originally thought the blog had been hacked, but sadly, this was real. It’s a fun read from the perspective of seeing the complete disconnect of an executive at a large company with the reality of the world, and specifically her audience of infosec professionals.

• Archived copy as the original post was deleted.

Vanguard login flap

Vanguard’s user authentication accepts mis-spelled passwords. A customer discovered if they set their password to “password” and provided the password “passwort” they would still be able to login. Some have guessed this may be to allow logins by phone. Whatever the reasoning it also opens a lot of questions, such as whether Vanguard is storing passwords as plain-text in order to provide this “feature”. In any case, the password complexity expectation is greatly reduced.

• http://www.investmentnews.com/article/20150813/FREE/150819958/vanguard-login-flap-showcases-battle-of-cybersecurity-vs-convenience

StageFright: Mission Accomplished?

This post from Exodus Intelligence, shows how the 4 line patch for the original StageFright vuln (there have been others discovered since), doesn’t actually fix the problem correctly. Additional commentary in the post questions Google’s motivations of it’s security team.

• http://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/

Doubling the Internet Defense Prize

Facebook awarded $100K, it’s Internet Defense Prize, to a team that proposed a system for detecting bad casts by combining both static and dynamic analysis, which found actual bugs, including two in Firefox.

• https://www.facebook.com/notes/protect-the-graph/doubling-the-internet-defense-prize-at-usenix-security-15/1634464803460331

Business

• Dell to break off SecureWorks for IPO: Dell is a private company, but cyber security is hot these days, so Dell is looking to spin off Dell SecureWorks as a private company and have it IPO. This would be similar to what EMC has done with VmWare.
• Mapping Israel’s Cyber-Security Startups: You’ve probably noticed there are quite a few Israeli cyber security companies. This post maps out all 150 of them.

Conference materials and publications

• USENIX Security: Conference in Washington, DC this week. Along with USENIX Security is WOOT (Workshop on Offensive Technologies).
  • USENIX papers
  • WOOT papers
• DFRWS: The Digital Forensic Research Workshop was held this week in Philadelphia.
  • Papers and presentations.
• Chaos Computer Camp: German conference this week involving a mix of infosec and maker type talks.
  • Videos
• PHDays: Conference in May in Moscow… with English translators (and closed captioning)!
  • Videos
  • Slides (had been posted a few weeks ago).

Tools

• Test Lab Guide for EMET: This step-by-step guide from Microsoft walks you through deploying EMET in an enterprise via Group Policy and with custom configurations.
• KLEE-TAINT KLEE is a symbolic virtual machine built on top of the LLVM compiler infrastructure, and this fork adds taint analysis.

Other reads

• NSA Suite B: NSA provided a list of algorithms it approves from NIST for protecting classified information up to Top Secret. Of importance, is they point out that these are quantum resistant, meaning if an adversary creates and uses a quantum computer, the NSA believes these provide sufficient protection. However, there is nothing really novel in these. It’s AES-256, SHA-384, RSA-3072, and some other common algorithms, albeit with larger key sizes than is commonly used.
• One Font Vuln to rule them all: Part 3 of Google’s P0 font series
• Injection on Steroids: Code-less Code Injections and 0-Day Techniques Code is now up for my favorite talk from BSidesLV from EnSilo on a Windows process injection technique.
• On Safenet HSM key-extraction vulnerability CVE-2015-5464 (part I): HSM’s (hardware security modules) are supposed to protect private encryption keys, so this attack defeats their whole purpose.