RSS feed

Downclimb: Summit Route’s Weekly Infosec News Recap
2015.09.13 – 2015.09.20:


“Almost every serious recent improvement in web security has come from a browser vendor axing old unsafe tech.” Darius Jahandarie


“If DynamoDB can avoid further problems, they can be back on track for their five nines SLA in just 60 short years.” @Opacki on an AWS outage Sunday morning


“We believe that the lack of standards of what is accepted as a reasonable cryptographic assumption can be harmful to the credibility of our field.” Cryptographic Assumptions: A Position Paper


“Dear browser makers, the people using the strongest security measures are also the people blocking your tracking Not in your stats != unused” scriptjunkie


“We have a deterrence deficit” David Rothkopf on America’s inability to deter infosec threats


“Drop 0day, not bombs.” thegrugq


“There are two kinds of 0day researchers: those who get money, and those who get a CVE” Chaouki Bekrar


“Joe’s code has 20 bugs. If Joe fixes 2 bugs per hour for 8 hours, how many bugs does Joe’s code have now? Answer: 27.” @mikeash


“I need a handle, man. I don’t have an identity until I have a handle.” Joey from “Hackers”, released 20 years ago on September 15, 1995

Top stories

XCodeGhost: Compiler trojan resulting in hundreds of millions of infections

Chinese researchers have discovered a wide-spread infection that began with a trojaned XCode installer. XCode is the compiler used to compile iOS and OSX apps, and is about 3GB, so local downloads were available in China in various places. Unfortunately, these downloads were trojaned with special malware that would infect iOS apps compiled with it.

This trojaned compiler was used by WeChat, among dozens of others, and resulted in WeChat’s iOS app being infected, which is used by hundreds of millions of people. The apps were available in the official App Store, meaning this is a rare case in which iOS devices that have not been jail-broken were actually impacted by malware.

Once an infected app is installed on a device, it will collect information about the device and attempt to collect passwords from the user via fake alerts (phishing), copying the clipboard (for password managers), and other means. Specifically, some of the rough Chinese translations mention some sort of MiTM attack on protocol handlers.

This story is interesting in terms of it’s scale (hundreds of millions of users and dozens of companies), it’s technique (trojaning a compiler), it’s lack of detection (undetected by Apple’s App Store and spread to so many users before it was caught), and the response (primarily responded to by Chinese infosec companies).

Also interesting is the author of the malware weirdly published it’s source code after the story broke, and tried to claim it was all just an experiment.

Airdrop vuln

There is a vulnerability in Airdrop which is a way to share files for iOS and OSX devices that uses Bluetooth and Wifi. The recently released iOS 9 from September 16th fixes this vuln, but no patch is yet available for OSX. It is hoped that the OSX 10.11 release on September 30th will address this. Even with a patch, I recommend you disable Airdrop on both iOS and OSX, since few people actually use it.

With the release of iOS 9 comes a list of over 100 vulns that were patched!

SYNful Knock: Cisco router implant

79 Cisco routers world-wide have been discovered to have been implanted.

Practical Invalid Curve Attacks

This post explains the concept of an invalid curve for Elliptic Curve Crypto (ECC). It then shows how this attack can work against TLS and specifically found flaws in certain libraries including Bouncy Castle, which is commonly used by Java applications.


  • Cyber insurer refuses to pay for phishing: A bitcoin processor was hacked resulting in 5K BTC stolen (about $1M USD). That’s not too interesting, since bitcoin companies are hacked all the time. What is interesting is the company had cyber insurance but the insurer is refusing to pay because the transfers were done by the actual CEO after being tricked. But this isn’t really a “social engineering” trick, because the email account of the CFO had been compromised, so when the CEO was asked to send money, he asked for confirmation from the CFO via email, and the hackers responded to the email.
  • AVG to begin selling users search and browsing history: AVG is one of the most popular providers of free antivirus. They recently changed their policies such that they themselves are now essentially spyware, that blocks other spyware from infecting your computer. AVG responded to these claims, and they make a good point, by saying “Many companies do this type of collection every day and do not tell their users”.
  • VW Is Said to Cheat on Diesel Emissions; U.S. to Order Big Recall: The Environmental Protection Agency accused the German automaker of using software to detect when the car is undergoing its periodic state emissions testing. Only during such tests are the cars’ full emissions control systems turned on. During normal driving situations, the controls are turned off, allowing the cars to spew as much as 40 times as much pollution as allowed under the Clean Air Act.

Newspaper News

  • Largest known data breach the US ever prosecuted: Using SQL injection, various companies were hacked, resulting in 160M credit card numbers being compromised, and $300M in losses to people and businesses. The victim companies included NASDAQ, Dow Jones, 7-Eleven, JetBlue, and others.
  • SEC obtains $30 million over press release hacking: From the $100M of illegal profit over a 5 year period from the theft of 150K press releases, two of 34 defendants have settled by agreeing to pay $30M.

Conference materials and publications

  • FourQ: New elliptic curve from Microsoft that targets the 128-bit security level.

Other reads

  • Stagefrightened?: Post from Google’s P0 team about the incorrect patch that Google originally attempted for Android’s Stagefright vuln. This is one of those fairly technical posts to show Google actually knows what they are doing in terms of security, since Exodus Intelligence’s finding on their patch caused them to lose face.
  • PoC or GTFO 0x09: At 66MB (over 1MB/page), this publication loves to use polyglot files that cram extra data into the PDF. I’ve been turned off by past issues that focused a little much on polyglots and quirkiness, but this latest edition brings the type of articles I’m more interested in.
  • Dlink private key put on Internet: Private keys used to sign software published by D-Link were found in the company’s open source firmware packages.
  • Google caught Symantec cert mishap: Symantec employees issued certificates for for testing, which was caught by Certificate Transparency logs. This shows the importance of the Certificate Transparency project.
  • Android lock screen bypassed through boredom: jgor has found a couple of ridiculous Android lock screen bypasses by basically manually fuzzing. This latest hack takes 8 minutes to pull off, by repeatedly copy and pasting a password and taking pictures in rapid succession resulting in what seems to by a crash due to resource starvation.
  • The Dukes: 7 years of Russian cyberespionage: Summary and timeline of the various Duke toolsets discovered over the years.
  • Spotting the Adversary with Windows Event Log Monitoring: Rules to setup in a SIEM to catch bad guys via Windows Event Logs.
  • Smart Sherrif audit: Audit of a software that South Korea has mandated be installed on the phones of minors. As detailed in that report, and one from Cure53, there are problems in the software. South Korea is a hot mess when it comes to it’s weird software usage, much of it mandated by the government, whereby I mean that the government tries to enforce rules to make them more secure but it has the exact opposite effect. As an example of unique software, South Korea has it’s own home-grown Word Processor called Hangul. You can read about an ITW (In The Wild) exploit for Hangul discovered by FireEye this week here. Although Microsoft Word has it’s own problems, and you can read another report from FireEye about an ITW exploit for Word here.