Downclimb: Summit Route’s Weekly Infosec News Recap
2015.10.18 – 2015.10.25: https://SummitRoute.com

Quotes

“Who are these criminals who manage to config their phones to be unbreakable? They should stop being criminals and become IT administrators.” matt blaze

 

“The amount of victim blaming in this industry is at epidemic levels. Bad passwords are not the users fault, you let them create it! Passwords just one ex. of the victim blaming, clicking email links, opening attachments, surfing to ‘bad’ sites, all of it, Stop The Blame!” Space Rogue

 

“AirCnC: It’s like AirBnB for botnets. Have a compromised host you don’t use all the time? Need a host but can’t afford the maintenance?” the grugq

 

“I wish people would spend as much time fixing XSS and SQLi, as they do debating about ciphersuites and the NSA…” Julien Vehent

Top stories

Chinese Taomike Monetization Library Steals SMS Messages

The Taomike library allows Android apps to offer in-app purchases via SMS messages. To do this, the app needs access to the SMS messages sent to the phone. 18,000 Android apps contain this library, of which some versions of the library now collect copies of the SMS messages and send them home.

• http://researchcenter.paloaltonetworks.com/2015/10/chinese-taomike-monetization-library-steals-sms-messages/

Doctor Seven OSX Vulnerability

This is just a local DoS that was fixed in the latest OSX, but it’s interesting because it shows how to do some patch diff work on OSX using both the source code that Apple releases, and also binary diff’ing using the free tool radare2. It also discusses how to hot patch this vuln if upgrading is not an option.

• https://www.nowsecure.com/blog/2015/09/30/doctor-seven-osx-vulnerability/

Business

• Trend Micro acquires HP’s TippingPoint for $300M: Trend Micro is a Japanese antivirus company, and TippingPoint makes a network IPS along with containing the ZDI (Zero Day Initiative) which does vulnerability research. TippingPoint was originally acquired by 3Com in 2004 for $430M (rougly $541M in today’s dollars after adjusting for inflation). 3Com in turn was acquired by HP. HP announced in March that it would be splitting into two companies, so this divestment seems to be part of that strategy.

Newspaper News

• CIA director private email hacked: Like Hillary Clinton, CIA Director John Brennan maintained a private email account. However, his only contained sensitive, but not classified, emails, such as a copy of his SF-86, which is a document used to obtain and maintain classified clearances that details one’s life. This email account was on AOL, and the hackers used social engineering to gain access to it. Some of these emails have since been put on wikileaks.
• 23andMe releases transparency report: The company 23andMe collects DNA samples to help with health testing related to hereditary diseases. It has received 5 requests from the US government hoping to tie a customer (or their family member) to a crime. I mention this here in Downclimb only because it’s important to remember that if you collect it, you need to protect it, because someone somewhere likely will want what you’ve collected.

Conference materials and publications

• hack.lu slides: Slides from this conference in Luxembourg this week are up.
• Phrack: Attacking Ruby on Rails Applications: Summary of common security issues with Ruby on Rails apps.
• RAP: RIP ROP: The PaX team announced their new ROP mitigation they call RAP (Return Address Protection). I wasn’t very clear on what they plan on doing based on these slides so you may want to wait for an implementation or paper.

Tools

• muymacho - exploiting DYLD_ROOT_PATH: This is a write-up and tool for an exploit for a dyld bug present in Mac OS X 10.10.5 allowing local privilege escalation to root.
• sandbox-attacksurface-analysis-tools: Set of tools from James Forshaw at Google for testing process sandboxes on Windows.

Other reads

• The uncomfortable whitehat truth: Dave Aitel posits that the security reporting for vulnerabilities is likely compromised, allowing well-funded attackers advanced warnings of vulns, and the opportunity to react accordingly before these bugs are fixed or disclosed publicly.
• Google has moved entirely to BoringSSL: This post announced that Google is now using BoringSSL, instead of OpenSSL, for Chromium, Android, and their servers. The meat of the post is about how BoringSSL was created, which involved adding items from OpenSSL to a fresh project instead of forking and stripping pieces out.
• finding UI crashes by fuzzing input events with american fuzzy lop: These UI bugs aren’t security issues, but it’s cool to see AFL being used outside of vulnerability research for general bug finding. The author used AFL to identify key press sequences that cause crashes in LibreOffice.
• Analysis of HD Rootkit on Linux: Kaspersky recently found a bootkit on Windows they call HDRoot that infects the MBR, and posted two articles (post 1 and post 2). Tencent then found a similar sample that infects Linux systems.
• Automating Forensic Artifact Collection with Splunk and GRR: Shows how to use Google’s DFIR tool GRR and it’s API, with Splunk, for automated collection of interesting data related to a logged event.
• we asked for death rays, all we got was RADAR: Motivational piece from Andrew Ruef on the benefits of research.