Downclimb: Summit Route's Weekly Infosec News Recap
2015.10.04 – 2015.10.11: https://SummitRoute.com
"There are 3 types of adversaries: criminals, nation states and pentesters/conference speakers. We worry too much about the latter" Martijn Grooten
"I remember when AV flagged adware. What do they do on Android apps/ad network stuff? Nothing? It's worse than the PC stuff." @jduck
"'AV is dead and useless. But, hey, but can I please have your IOCs'" Ryan Naraine
"We have no consensus definition for cybersecurity. We can't even agree on whether there's a space in the word." @sintixerr
"Nobody builds a webapp except on someone else's framework [...] mobile apps are going to have to go that direction, where when you sit down, you're not going to use [...] whatever XCode gives you. [...] There are interesting problems here with some of the App Store rules about what libraries you use. [...] If the XCodeGhost guys can do it, we should be able to have a library we give to everybody." Alex Stamos
- It's been ten years since the discovery of Sony Music's rootkit they were using for DRM by Mark Russinovich.
- There were 20 RCE's patched in the latest Android Nexus update. 15 were in libstagefright.
The SHAppening: freestart collisions for SHA-1
A major milestone towards breaking SHA-1 has occurred. A freestart collision means a hash collision was found for a SHA-1 hash with the big caveat that a special initialization vector was chosen, which sort of means that a slight variation of the SHA-1 algorithm was broken, but not the real algorithm. A freestart collision alone is not an actual concern, but because it indicates a full collision is likely to be possible soon, it is cause for alarm, because a full collision means the hash is broken and should no longer be used. To help understand this a little better, the first free-start collision for MD5 occurred in 1996, and the first full collision occurred in 2004. The researchers believe a full collision could be produced today for about $100K. All major browsers have announced they will stop accepting SSL certs by 2017, but they, and everyone else, should seek higher ground as fast as possible, moving minimally to SHA-2.
Fishing the AWS IP Pool for Dangling Domains
This paper discusses how when you launch an EC2 instance, it's IP is likely one used in the past by someone else, and that person many not have updated their DNS settings yet, allowing you to take over that domain, which if the DNS settings weren't bothered to be updated, this likely means it is unused subdomain. This could allow for powerful phishing attacks or stealing cookies.
"Goodware" worm open-sourced
The author of the wifatch worm discussed last week contacted Symantec's research to answer some questions and open-sourced his work. This code also contains some of the signatures for the malware it looks for.
In February, Qihoo 360 and Cheetah Mobile discussed a Windows worm named Lingdun, that was hijacking QQ sessions to send malicious links via that chat program. Palo Alto networks has now decided that this worm was being hijacked in order to spread a different piece of malware, from an entirely different group named YiSpecter. Other infection methods were also used. This malware is signed by enterprise certificates, which means it can be installed on non-jail-broken devices without needing to be put on the App Store. It uses many private iOS APIs to perform sensitive (malicious) operations and it hides itself (no icon to see it or remove it).
- Warren Buffett enters the cybersecurity insurance market: Buffett’s Berkshire Hathaway Specialty Insurance announced this week two new insurance policies providing coverage for cyber liability and breach response. Copies of the policies are not publicly available. This news comes after a report from PricewaterhouseCoopers (PwC) in mid-September which estimated the annual gross written premiums for cyber insurance are set to increase from around $2.5B today to $7.5B by 2020. A summary of PwC's report is here.
- DARPA effort will rate cybersecurity of software for public: Mudge is building a company focused on doing independent testing of software from a cybersecurity perspective, modeled on the Underwriters Laboratories, the global independent safety science company known for product safety standards development, testing and certification. Mudge's company has received a $500K contract on behalf of DARPA so far.
- LastPass acquired by LogMeIn for $110M: LastPass is a password manager.
- CYBERCOM released a draft of a $460M contract: It's filled with gov speak, but it's a pretty comprehensive contract.
- Safe Harbor agreement ruled invalid by EU: This ruling has scared people as it is attempting to force tech companies to host European user data in Europe and abide by country specific laws, rather than hosting it in the US and transferring it over. This has worked poorly for Russia and China who have attempted something similar. Although the ruling was in the name of privacy, I believe that was just propaganda to gain public support. These types of rulings are normally for economic reasons because by creating nationalist policies you incentivize domestic businesses. If you can't beat Silicon Valley, keep them out so your domestic businesses have a chance of catching up.
- China arrested hackers: Supposedly as part of China's President Xi and America's President Obama's discussions in September related to coming to agreement on economic espionage, Obama gave Xi a list of hackers to round up and arrest as proof of China's support of the agreement. China has done so.
- Samsung Pay breached before it was even part of Samsung: Samsung acquired LoopPay in February and rebranded it as Samsung Pay which made it's public debut in the US last week. Prior to LoopPay's acquisition it had already been breached. This breach was not discovered until late August, but 38 days after it's discovery the product was still unveiled. This story is interesting for a couple of reasons:
- It shows the danger of making acquisitions that may already be infected.
- It calls into question if attackers strategically go after less well-funded, softer, targets in the hopes of them being acquired and then allowing the attacker to be the fish that eats the whale.
- One should consider how much this story has been encouraged by competitors to draw negative media attention to the newly announced product. This is a business strategy to keep an eye on.
Conference materials and publications
- AppSec USA: Took place in SF in late September.
- I especially enjoyed the keynote by Alex Stamos.
- Brucon videos: Brucon took place this week in Belgium.
- VB2015 slides: Some slides were posted last week, but now all slides are up, so you should check them out again.
- Writing Cisco IOS Rootkits: Following on the disclosure of the Synful Knock Cisco rootkit found by FireEye in September, this whitepaper shows how to create such a rootkit.
- Amazon introduces WAF and Inspector: Amazon's WAF (Web Application Firewall) allows you to blacklist and whitelist parts of URL's, IP address, and other parts of an HTTP request to prevent exploitation. Amazon's Inspector product works on EC2 instances by inspecting internal issues related to network, file system, and process activity over a period of time (ex. 15 minutes or 1 day), and then comparing that to a rule set. This appears to be similar to Netflix's Conformity Monkey.
- gzthermal: Not infosec related, but really cool tool to visualize the compression efficiency of a file. You can see it applied to the Google logo here.
- Using intents for UXSS on mobile browsers: This shows how to use lobotomy to find what are currently unpatched vulns in many of the browsers for Android.
- Microsoft pays $24K bounty for hotmail vuln: This was for a CSRF in the OAuth of login.live.com which is used to authenticate to Microsoft's email and other services.