Downclimb: Summit Route's Weekly Cyber News Recap
2015.08.30 – 2015.09.06: https://SummitRoute.com
"It's good to question why the costs of defending against nation-state sponsored attacks and espionage must be borne by private companies." Dino A. Dai Zovi
"We have done a good job of teaching people that crypto is hard, but cryptographers think that UX is easy." Jon Callas
"Basically being successful at fuzzing is just 'bothering to do it'" Dave Aitel
"Whoever has pwned my phone and work machine - do some Q/A, it is making the systems unstable. Let me know if you need help!" Nasko Oskov
"Thunderstuck is the hacker equivalent of rick rolling." Chris Campbell
"Who needs R&D when you have Espionage?" John Schindler on China's recent military parade
Mozilla's bug tracking compromised
"1990's CERT compromised for vendor vulns. 2015 Mozilla's Bugzilla popped for the same reason. Tactics only change when they stop working." .mudge
Mozilla's bug tracking system was compromised, apparently because one of its users reused a password. The attacker accessed 185 non-public bugs, 53 of which were of high security concern, and at least one of which was exploited in the wild (CVE-2015-4495, used to read local files via Mozilla's PDF reader).
Enterprises set to use more deception to defend against cyber attacks
According to Gartner, "10% of enterprises will use deception tools, tactics and operations to defend against cyber attackers". Such decoy documents or environments are easier to monitor because legitimate users have no reason to touch them, so any interaction with a fake asset can be flagged as malicious with higher confidence than other detection techniques offer.
- Microsoft making malware detonation product: Microsoft hasn't announced anything yet, but a job description it posted describes a product under development, called Sonar, that sounds similar to products like FireEye's.
- Tanium closed $120M round: Tanium is (sort of) an EDR solution that competes with Carbon Black, CrowdStrike's Falcon, and others. Historically, Tanium did not come from a security focus; it would just make periodic scans of the network to answer specific questions, which made it largely ineffective for security and more suited to generic IT problems such as checking uptime. Lately they have been focusing more on security, and are hoping for global expansion.
Conference materials and publications
- Factoring RSA Keys With TLS Perfect Forward Secrecy: Ars Technica has a more digestible write-up. The problem identified is that network hardware from several manufacturers failed to implement RSA-CRT correctly, leaking private key material for 272 keys. Many more keys and manufacturers are likely affected, since the research covered only a small number of sites.
- The Antivirus Hacker's Handbook: Written by Joxean Koret (@matalaz, who has been publicly discussing problems with security software for a while) and Elias Bachaalany (@0xeb, one of the creators of EMET, who previously worked on IDA Pro).
- The HPKP toolset: Web app to assist with getting HTTP public key pinning correct for your site.
- qb-sync: Synchronize IDA's graph windows with WinDbg's position.
- Passive SSL: Queryable database of SSL certificates that have been seen associated with an IP address.
- PathScan: Los Alamos National Laboratory (LANL) has selected Ernst & Young (EY) to help commercialize a solution LANL developed to detect abnormal flows of information within a network. This looks like a case of a researcher with a solution to a problem that doesn't exist, which is common, especially in infosec, but what makes it interesting and odd is having EY assist. EY is a consulting company you bring in to tell you whom to fire to streamline your business, or what other steps are needed to make a company run more efficiently. Marketing, supporting, and selling products is not EY's wheelhouse, so it's unclear what is happening here.
- Cyph pentest: Cure53's penetration test of the encryption product Cyph turned up some interesting concerns.
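To make the RSA-CRT item above concrete, here is an added toy example (my own, not code from the paper, Ars Technica, or any vendor): a CRT signature with a computation error in one half leaks a prime factor through a single gcd, and the verify-before-release check that the affected devices lacked withholds the faulty signature. The key size, the message, and the simulated fault are all constructed.

```python
from math import gcd

# Constructed toy key (far too small for real use); only the structure matters.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)

def crt_sign(m, p, q, d, fault=False):
    """RSA signature via the Chinese Remainder Theorem, the fast path TLS stacks use.
    fault=True simulates one wrong result in the mod-q half, the kind of
    computation error that turns up in buggy hardware or software."""
    sp = pow(m, d % (p - 1), p)
    sq = pow(m, d % (q - 1), q)
    if fault:
        sq = (sq + 1) % q            # corrupt only the q half
    q_inv = pow(q, -1, p)
    h = (q_inv * (sp - sq)) % p
    return sq + h * q                # Garner recombination: s = sq + q*h

def factor_from_faulty_signature(s, m, e, n):
    """Lenstra's observation: a signature that is right mod p but wrong mod q
    satisfies s^e == m (mod p) only, so gcd(s^e - m, n) equals p. Returns the
    recovered factor, or 1 / n when the signature is not of that form."""
    return gcd((pow(s, e, n) - m) % n, n)

def crt_sign_checked(m, p, q, d, e, fault=False):
    """The countermeasure: verify the signature with the public key before it
    leaves the device; a faulty one is withheld, so nothing is leaked."""
    n = p * q
    s = crt_sign(m, p, q, d, fault)
    if pow(s, e, n) != m % n:
        raise ValueError("faulty RSA-CRT signature detected; not released")
    return s

if __name__ == "__main__":
    msg = 123456789                  # constructed message hash to sign, < N
    good = crt_sign(msg, P, Q, D)
    assert pow(good, E, N) == msg    # a correct signature verifies
    bad = crt_sign(msg, P, Q, D, fault=True)
    print("leaked factor equals P:", factor_from_faulty_signature(bad, msg, E, N) == P)
```

A TLS client only ever sees the signature and the public key, which is why a device that skips the verification step hands out its private key to anyone who catches a single faulty handshake.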