Downclimb: Summit Route's Weekly Infosec News Recap
2015.09.20 – 2015.09.27: https://SummitRoute.com
"The historical absence of software liability will come to an end when IoT happens. As software eats the world its laws will have to change." @halvarflake
"A whitepaper was suddenly removed from where it was being hosted. Luckily people submit everything to VT. Better than the Wayback Machine." Artturi Lehtiö
"People finding xss in sites and contacting them to see if they have bounties are the equiv of homeless people washing your dirty windshield" @SecurityBerg
"Watching image fuzzers run is like sprinting through an abstract art exhibition. On acid. Forever." Ben Nagy
"Someone needs to make a 'Hackers 2' where Dade is the CEO of a snake oil cybersecurity company and Joey does overhyped talks at conferences" Natalie Silvanovich
The Inside Story Behind MS08-067
This article explains how Microsoft used Windows Error Reporting (WER) crash telemetry in 2008 to spot a previously unknown exploit in the wild from the crashes it produced. Working backwards from a crash to an exploit to the underlying vulnerability is hard, especially when you don't yet know whether the crashes are failed exploit attempts at all. This is not only a great story, but it also explains a relatively unknown defensive measure: crash data from a large fleet doubles as an early-warning sensor for exploitation.
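To make the "crash to exploit" step concrete, here is an added example (my own, not from the article or from Microsoft) of the kind of heuristic triage that turns a pile of crash summaries into a short list worth a reverser's time. The input format, field names and the four crash lines are constructed for the example; the rules are a simplified version of the !exploitable-style heuristics (PC outside any loaded module, an execute fault at PC, PC full of printable bytes, PC pointing into the stack) and the scores are arbitrary weights, not anything WER does.

```python
# Constructed sample crash summaries in a simple key=value format; this is NOT
# WER's real bucket format, just the fields a crash report typically carries.
# Addresses are hex; "modules" lists the loaded image ranges as start-end.
SAMPLE_CRASHES = """\
exc=c0000005 pc=41414141 fault=41414141 sp=0012f7a0 modules=7c800000-7c900000,00400000-00450000
exc=c0000005 pc=7c81cd10 fault=00000010 sp=0012f8c0 modules=7c800000-7c900000,00400000-00450000
exc=c0000005 pc=0012f7b4 fault=0012f7b4 sp=0012f7a0 modules=7c800000-7c900000,00400000-00450000
exc=c00000fd pc=0041ab23 fault=00000000 sp=00030ff0 modules=7c800000-7c900000,00400000-00450000
"""

STATUS_ACCESS_VIOLATION = 0xC0000005
STATUS_STACK_OVERFLOW = 0xC00000FD

def parse_crash(line):
    """Turn one 'k=v k=v' line into a dict of integer addresses plus module ranges."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    rec = {k: int(v, 16) for k, v in fields.items() if k != "modules"}
    rec["modules"] = [tuple(int(x, 16) for x in r.split("-"))
                      for r in fields["modules"].split(",")]
    return rec

def in_module(addr, modules):
    return any(lo <= addr < hi for lo, hi in modules)

def looks_like_ascii(addr):
    """All four bytes printable: the classic sign of attacker data landing in PC."""
    return all(0x20 <= b <= 0x7E for b in addr.to_bytes(4, "little"))

def classify(rec):
    """Score one crash record with simplified !exploitable-style heuristics (weights are mine)."""
    score, reasons = 0, []
    pc, fault, sp, exc = rec["pc"], rec["fault"], rec["sp"], rec["exc"]
    if not in_module(pc, rec["modules"]):
        score += 3; reasons.append("pc outside any loaded module")
    if exc == STATUS_ACCESS_VIOLATION and pc == fault:
        score += 3; reasons.append("execute fault at pc (control-flow hijack?)")
    if looks_like_ascii(pc):
        score += 3; reasons.append("pc is printable ASCII (overwritten return address/vtable?)")
    if abs(pc - sp) < 0x10000:
        score += 2; reasons.append("pc points into the stack")
    if exc == STATUS_STACK_OVERFLOW:
        score += 1; reasons.append("stack exhaustion (recursion bug or DoS)")
    if exc == STATUS_ACCESS_VIOLATION and fault < 0x1000 and in_module(pc, rec["modules"]):
        reasons.append("near-null dereference from module code (probably a plain bug)")
    verdict = ("probable exploit attempt" if score >= 3
               else "suspicious" if score > 0 else "likely benign bug")
    return verdict, score, reasons

def triage(text):
    """Classify every non-empty crash line; returns [(verdict, score), ...] in input order."""
    return [classify(parse_crash(l))[:2] for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    for line, (verdict, score) in zip(SAMPLE_CRASHES.splitlines(), triage(SAMPLE_CRASHES)):
        print(f"{verdict:26} score={score}  {line[:44]}...")
```

The point of the scoring is not accuracy on any single crash but ranking: the 0x41414141 and stack-resident PC cases float to the top, the near-null read from module code sinks, and a human only looks at the top of the list. Real WER buckets also give you the volume and spread of a crash signature over time, which is what distinguishes one fuzzer from a campaign.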
Georgia hacks back
(Editor's note: This report is from 2012, but it had not come to my attention until now.) This report is probably the most open example ever of a government explaining its use of hacking back. People in the country of Georgia were under attack, so the Georgian government turned the attacker's own exploit back on him in order to plant a RAT on the attackers' machines.
Zerodium offers $1M bounty for iOS 9 exploits
Zerodium announced that it will pay $1M for an untethered iOS 9 jailbreak that can be delivered remotely, via a browser or SMS.
"At least somebody has an iOS bug bounty." Jonathan Zdziarski
Obama announces 'understanding' with China's Xi on cyber theft
President Xi of China met with President Obama in Washington, DC to discuss cyber espionage policies, among other topics (see this article). At the conclusion of the meeting they agreed not to use hacking for economic espionage, but it is widely believed that nothing will change.
To coincide with Xi's visit, ThreatConnect released a report titled CameraShy that names one of the people it holds responsible for some intrusions from China. There is zero technical information in the report; it is purely a politically motivated attribution report.
DHS infosec chief: We should pull clearance of feds who fail phish test
On the one hand, if you aren't being paranoid about protecting government secrets and access to them, then you shouldn't have access to them. On the other hand, people are human and make mistakes.
Conference materials and publications
- Framing Dependencies Introduced by Underground Commoditization: This survey paper combines the research of many other papers to explain the current black-market cyber economy, specifically the different services that must work together to produce a complete "end product". This is useful to understand because it can be more effective to disrupt one piece of that supply chain than to go after the piece that is impacting you most directly.
- Derbycon videos: Derbycon took place this week in Kentucky.
- iOS App Reverse Engineering: Free 434 page book on reversing iOS apps.
- Gryffin: Gryffin is a large-scale web security scanning platform from Yahoo. Its goal is to scan 100,000 applications through straightforward horizontal scaling. It supports plugins such as sqlmap and arachni, includes page deduplication, and uses PhantomJS to render the DOM so that it can navigate applications more completely and improve coverage.
- 2015 Hex-Rays Plugin Winners: Every year Hex-Rays holds a contest for IDA Pro plugins. If you use IDA, you should skim this list.
- Lemur: Open-source project from Netflix for X.509 certificate orchestration, meaning it acts as a broker between certificate authorities and internal deployment and management tools when you want to generate and use certificates.
- Kaspersky vulns: Tavis Ormandy posted some of the vulns he found in Kaspersky's products. As has been seen elsewhere: AV products parse a lot of things, parsing lots of things often results in vulns, and AV therefore has vulns. These become especially problematic because merely scanning a file can result in exploitation. Exploitation is made easier because, unfortunately, Kaspersky (like many AV vendors) does not build its products with the standard compiler-provided exploit mitigations.
- SSH bypass on Cisco: (CVE-2015-6280) The SSHv2 login to Cisco IOS and IOS XE devices can be bypassed when RSA-based user authentication is configured, allowing a remote attacker to authenticate without valid credentials.
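The Kaspersky item above comes down to a check you can run yourself before trusting any vendor's binary: does the image carry the build-time mitigations? The following is an added example (my own code, not Tavis Ormandy's and not anything from Kaspersky) that reads the PE headers directly and reports ASLR, DEP, CFG and SafeSEH flags from DllCharacteristics, plus a /GS proxy: a non-zero SecurityCookie pointer in the Load Config directory. The flag names and offsets are from the PE/COFF spec; `build_sample_pe` is a constructed minimal PE32 image used only so the example runs offline, and the "expected mitigations" list in `missing_mitigations` is my choice.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF spec.
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR
DYNAMIC_BASE = 0x0040     # ASLR
NX_COMPAT = 0x0100        # DEP
NO_SEH = 0x0400
GUARD_CF = 0x4000         # Control Flow Guard

def _rva_to_offset(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None

def check_mitigations(data):
    """Parse the PE headers and report which build-time mitigations are enabled."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32
        pe32plus, dirs, cookie_off, cookie_fmt = False, opt + 96, 60, "<I"
    elif magic == 0x20B:    # PE32+
        pe32plus, dirs, cookie_off, cookie_fmt = True, opt + 112, 88, "<Q"
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(nsections):   # section table follows the optional header
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    # /GS leaves a non-zero SecurityCookie pointer in the Load Config directory (entry 10).
    lc_rva, lc_size = struct.unpack_from("<II", data, dirs + 10 * 8)
    cookie = 0
    if lc_rva and lc_size >= cookie_off + struct.calcsize(cookie_fmt):
        lc_off = _rva_to_offset(lc_rva, sections)
        if lc_off is not None:
            cookie = struct.unpack_from(cookie_fmt, data, lc_off + cookie_off)[0]
    return {"pe32plus": pe32plus, "aslr": bool(dllchars & DYNAMIC_BASE),
            "high_entropy_va": bool(dllchars & HIGH_ENTROPY_VA), "dep": bool(dllchars & NX_COMPAT),
            "cfg": bool(dllchars & GUARD_CF), "no_seh": bool(dllchars & NO_SEH), "gs_cookie": cookie != 0}

def missing_mitigations(data):
    """Names of the mitigations I expect on any modern binary that are absent from this one."""
    r = check_mitigations(data)
    return [m for m in ("aslr", "dep", "cfg", "gs_cookie") if not r[m]]

def build_sample_pe(dllchars, gs_cookie):
    """Constructed minimal PE32 (one section, no code) used only to exercise the parser."""
    image_base, sec_rva, sec_off, sec_size = 0x400000, 0x1000, 0x200, 0x200
    loadcfg = bytearray(64)   # IMAGE_LOAD_CONFIG_DIRECTORY32 up to and including SecurityCookie
    struct.pack_into("<I", loadcfg, 0, len(loadcfg))
    if gs_cookie:
        struct.pack_into("<I", loadcfg, 60, image_base + sec_rva + 0x100)  # VA of __security_cookie
    opt = bytearray(224)      # PE32 optional header including 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<III", opt, 28, image_base, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 70, dllchars)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 10 * 8, sec_rva, len(loadcfg))  # Load Config directory entry
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)  # i386, one section
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", sec_size, sec_rva, sec_size, sec_off, 0, 0, 0, 0, 0x40000040)
    pe_off = 0x80
    data = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", data, 0x3C, pe_off)
    data += b"PE\0\0" + coff + bytes(opt) + sec_hdr
    data += b"\0" * (sec_off - len(data)) + bytes(loadcfg) + b"\0" * (sec_size - len(loadcfg))
    return bytes(data)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:     # check a real binary: python pecheck.py some.dll
        print(check_mitigations(open(sys.argv[1], "rb").read()))
    else:                     # self-check on the constructed samples
        print("hardened:", missing_mitigations(build_sample_pe(DYNAMIC_BASE | NX_COMPAT | GUARD_CF, True)))
        print("weak:    ", missing_mitigations(build_sample_pe(0, False)))
```

Two caveats a practitioner should keep in mind: the cookie pointer only proves the /GS runtime support is linked in, not that every function was compiled with it, and SafeSEH needs the SEHandlerTable fields (not read here) rather than the NO_SEH flag alone. Run it across every DLL and driver an AV suite drops on the system, not just the main executable; the parsers that matter are usually in the plugins.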