Downclimb: Summit Route's Weekly Infosec News Recap
2015.09.06 – 2015.09.13: https://SummitRoute.com
"Here's a novel idea: if you want to get paid (by the vendor) for bugs, try researching something that has a bug bounty." Andreas Lindh
"rather than "threat intelligence" I should found a "threat archaeology" startup. vuln history repeats itself constantly." iarce
"Thank you Dennis Ritchie for our jobs for life \o/" @osxreverser referring to the creator of C
FireEye and Kaspersky exploits
The week started when a man with a sketchy past of seemingly making extortion attempts in exchange for his research on vulnerabilities he discovered published one exploit for FireEye's product and offered to provide info on his other vulns for $10K each (see post here). This exploit allows unauthenticated read of /etc/passwd or any other file. The exploit is a trivial path traversal bug, calling into question FireEye's own security practices. The ease with which FireEye's product can be exploited was shown in 2014, when someone disclosed three reflected Cross-Site Scripting (XSS) vulnerabilities; a single Cross-Site Request Forgery (CSRF) vulnerability; a NoSQL Injection vulnerability; a PostgreSQL Injection vulnerability; file and path disclosure vulnerabilities; and information disclosure vulnerabilities. FireEye brought lawsuits against the employer of that researcher at the time, setting the stage for this latest drama. Additionally, in 2014, FireEye showed how it deals with bad press when it argued with NSS Labs over their evaluation of the effectiveness of FireEye's product.
So after the news of the vulns in FireEye this week from that one person, next came a real researcher, from ERNW, presenting more details about vulns in FireEye's product. FireEye attempted to deal with them with a lawsuit, resulting in both companies trying to explain their side of the story (ERNW's side and FireEye's side). The main result of this was to ignite some members of the security community, who, being led by halvarflake, are hoping to have a booth at RSA to audit these security products.
The other motivation for such an audit came when Tavis Ormandy went after Kaspersky this week by finding some vulns in Kaspersky's products, but unlike Tavis's previous rampage against Sophos, Kaspersky fixed the discovered vulns within 24 hours. Kudos to Kaspersky for their quick response, but coupled with the FireEye fiasco, the release last week of "The Antivirus Hacker's Handbook", and a number of other concerns built up over the years, it seems many have finally become fed up enough with the ironic insecurity provided by some security vendors. This is evidenced in the following quotes:
"'Our commitment continues to be to our customers' < by using court injunctions to enforce security through obscurity." Tero Hänninen
"As usual, security by "keeping an expensive box out of researchers' hands" is shown ineffective." Duo Labs
"Let's rent a booth at RSA, place a few good vuln researchers there and challenge vendors to drop their products off at the booth." halvarflake
Satellite communications being abused by malware C&C
Kaspersky released a report on the Turla group abusing satellite communications for their malware C&C. The group intercepts the unencrypted satellite communications and inserts their own data into the stream, making it harder to remotely track or disrupt them. Further, this is yet another report from Kaspersky against a Russian threat. As Richard Bejtlich stated:
"Hey "@kaspersky only outs Western hackers" team, how do you square this story on Russian Turla crew w/your thesis? " Richard Bejtlich
Encryption flaws in attacker tools
Someone discovered a padding oracle attack on Poison Ivy (a popular RAT used by APT1 among others). This attack can be used to improve on past exploits. Kaspersky also reported on their use of an attack on an implementation of the Diffie-Hellman protocol used by the Angler Exploit Kit.
Ransomware takes secret photos of victims while watching porn
In my favorite story of the week, a trojaned porn viewing app for the phone was taking pictures of the viewer while watching porn in order to coerce them to pay ransom (see post here).
Thinkst discusses an interesting idea of laying traps in a network to identify when an attacker accesses various resources and provides some Linux code to implement this concept.
- John McAfee is running for President: John McAfee is a larger than life character who was the founder of McAfee Antivirus, but has since become completely unassociated with it. He has at times been wanted for murder (he hid from the police by burying himself in the sand and putting a box over his head), donated laptops to the Belize police where he was living that were infected with a RAT so he could monitor any potential investigations against him, had his own harem in Belize, and now is running for President of the United States.
Conference materials and publications
- 44con: Conference in London this week, some slides available.
- Ashley Madison passwords cracked due to mixed MD5 and bcrypt: The database from the Ashley Madison dump contained bcrypted passwords, which is a preferred and secure way to store authentication credentials. Unfortunately, passwords created prior to June 2012 were also stored as salted MD5 hashes, allowing for easier cracking. This has allowed 11M of the 36M passwords to be cracked.
- Stagefright exploit code: Zimperium, who originally found the Stagefright vuln, have released their exploit code.
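
For the Ashley Madison item above, a credential-store audit that flags accounts where a fast hash sits next to a bcrypt hash. This is an added example, not code from any of the linked posts; the column names `password` and `legacy_hash` and the sample rows are assumptions made up for illustration.

```python
import hashlib
import re

# Format checks: bcrypt's modular-crypt string vs. a bare 32-hex MD5 digest.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
VERIFIER_COLUMNS = ("password", "legacy_hash")  # hypothetical column names

def scheme(value):
    """Classify one stored verifier by its format alone."""
    if not value:
        return None
    if BCRYPT_RE.match(value):
        return "bcrypt"
    return "md5" if MD5_RE.match(value) else "unknown"

def audit(rows):
    """Map each user to the weakest scheme protecting their password."""
    report = {}
    for row in rows:
        found = {scheme(row.get(c)) for c in VERIFIER_COLUMNS} - {None}
        if not found:
            report[row["user"]] = "none"
        elif found == {"bcrypt"}:
            report[row["user"]] = "bcrypt"
        else:
            # Any non-bcrypt verifier sets the real cracking cost for the row.
            report[row["user"]] = "weak:" + "+".join(sorted(found - {"bcrypt"}))
    return report

def retire_legacy(row):
    """Drop the fast-hash column once a bcrypt verifier exists for the account."""
    if scheme(row.get("password")) == "bcrypt":
        return {k: v for k, v in row.items() if k != "legacy_hash"}
    return dict(row)

# Constructed sample rows; the bcrypt strings are format-only placeholders, not real hashes.
FAKE_BCRYPT = "$2a$12$" + "A" * 53
SAMPLE = [
    {"user": "old_account", "password": FAKE_BCRYPT,
     "legacy_hash": hashlib.md5(b"constructed-salt" + b"constructed-password").hexdigest()},
    {"user": "new_account", "password": FAKE_BCRYPT, "legacy_hash": None},
    {"user": "never_migrated", "password": hashlib.md5(b"s" + b"p").hexdigest()},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(audit([retire_legacy(r) for r in SAMPLE]))
```

Accounts that only ever had an MD5 verifier stay flagged after `retire_legacy`; those need a rehash at next login or a forced reset.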