
Downclimb: Summit Route's Weekly Infosec News Recap
2015.10.11 – 2015.10.18:


"The only thing worse than a threat actor using your handle in malware, is the threat intelligence company who thinks you wrote it." James Forshaw


"OH: incident response is easier and cheaper than dealing with SELinux." Ben Hughes


"How can an industry that so prides itself on social engineering, also claim that "management don't get it" ?" Haroon Meer


"For those that like talking about hacking back please realize that if you can't run security ops you're unlikely to run offensive ops well." Robert M. Lee


"Journos assume we know to say 'off the record' and we assume they know not to click on 'Secret Doc.PDF.exe'" the grugq


"what I want is a 'usb killer' + 'flash drive', that works like a normal flash drive on authorized machines, and kills unauthorized ones." Christien Rioux

Top stories

The Ethics and Perils of APT Research

This paper from the Virus Bulletin conference argues that when security researchers uncover and publish information about nation-state groups, they disrupt those groups, and some of those groups may choose to take action against the researchers pursuing them.

Yahoo replacing passwords

Yahoo announced its Account Key, which works much like Duo Security's app, except that no password is entered at all: when you want to log into your Yahoo account, you type only your username, and then an app on your phone lets you authorize the access.

Voice activated smart phones can be controlled silently

In this work, researchers showed that the cable of microphone-enabled headphones can be used as an antenna, allowing a transmission to reach the device as if someone were speaking into the microphone. iPhones by default allow their voice activation features to be used even when locked, but this requires a long press on the phone. By reverse engineering this, the researchers figured out how to trigger Siri without user interaction. Sadly the paper for this is paywalled behind the IEEE, but slides from Hack in Paris are available.


Conference materials and publications

  • AWS re:Invent | Security & Compliance: re:Invent is Amazon's big conference about their AWS business. At it they announced their WAF and Inspect products, as discussed last week, and now they've released their videos, including 29 about security related to AWS.
    • AWS IoT: Amazon also announced a new product line within its AWS business specifically focused on the "Internet of Things", and highlights its security and authentication. This is largely marketing over existing AWS services with some templating for common workflows, but it's valuable to know about because it also helps establish best practices and will hopefully stop people from making the basic mistakes common in IoT products. If you're focused on evaluating the security of IoT, this is a good product to investigate and keep an eye on.
  • ACM CCS 2015: The ACM Conference on Computer and Communications Security took place in Denver this week, but unfortunately papers are only being posted privately by the presenters in some cases, so they are hard to track down. The list of accepted papers is here, but you'll need to search online for the papers.

Tools

  • Unicorn: Unicorn is a CPU emulator similar to QEMU. The differences are explained here, with the biggest difference being that it emulates only CPU operations and no other parts of the machine. It supports Arm, Arm64 (Armv8), M68K, Mips, PowerPC, Sparc, & X86 (including X86_64).
  • Rootfool: As expected, people have begun finding ways around Apple OS X's new SIP technology that protects system binaries. @osxreverser has done so and released a tool for it.
  • pdb_type_theft: This tool allows you to copy debugging symbols from a version of a file that has them to one that is lacking some. This was needed for a recent release of NTDLL.
  • meow: Tool to disable PatchGuard with write-up.

Other reads

  • Windows Drivers are True’ly Tricky: This Project Zero post from James Forshaw shows a privilege escalation in TrueCrypt. TrueCrypt was previously audited, but the focus there was not so much on privilege escalation issues, and finding an issue like this takes a lot of expertise in a specific area of Windows.
  • Vulns in LibreSSL (CVE-2015-5333 and CVE-2015-5334): When you fork a project and rewrite code, even if you're trying to make a more secure version of the original code base, you may still end up introducing bugs. This is the case with the recently found vulns in LibreSSL, which do not exist in OpenSSL.