Downclimb

2015.11.01

Downclimb: Summit Route's Weekly Infosec News Recap
2015.10.25 – 2015.11.01: https://SummitRoute.com

Quotes

"There are so many security holes in US systems, that China had to end its one-child policy just to ensure they'd have enough future hackers." @Grifter801

"So what government do I send the invoice for a new MacBook?" Stefan Esser after his notebook appears to have had an evil maid attempt on it in his hotel room.

"When TalkTalk calls it a "significant & sustained cyber-attack" because a kid in his bedroom has sqlmap, they've seriously dropped the ball." Troy Hunt

"New rule: if you are hacked via OWASP Top 10, you’re not allowed to call it 'advanced' or 'sophisticated.'" the grugq

"It's not a 'Pearl Harbor' if you've been under attack for several decades..." @mtanji

"Let us pause in remembrance of the words whose meaning we have lost in the past decade: friend, like, favorite, advanced, sophisticated." Allen Householder

"First off, I can’t say I broke the NTLM handshake; the march of time did it." Mark Gamache in a 2013 paper which involves breaking NTLM due to its reliance on DES

Top stories

Self-Protection of Antivirus Software

Finally an antivirus evaluator is starting to look at whether antivirus software is actually secure itself. They looked at whether the products had DEP and ASLR enabled.

Microsoft Runs the 10 Largest Botnets

Over the years, Microsoft has taken action to take over botnets such as Zeus and Rustock, resulting in Microsoft operating the C&C servers for between 60M and 70M infected systems. Microsoft uses this list of IP addresses to help its customers that run on Azure identify whether the systems connecting to their servers are infected. I'm not sure I see the value proposition in this, but it's an interesting way to differentiate their product from Amazon's AWS. They also collect lists of compromised credentials and use them to generate reports for organizations on Azure's Active Directory, telling them which employees are using compromised credentials.

Business

  • Raytheon acquiring Intel's McAfee NGFW: Intel purchased Stonesoft two years ago for $389M, rolled it into its McAfee unit and rebranded the product as McAfee NGFW. The McAfee unit was later rebranded as Intel Security, but the product name was maintained. This gets Intel out of the network security business. This follows on Raytheon's recent acquisition of Websense in June for $1.9B. Prices on this acquisition were not disclosed.
  • Cisco acquiring Lancope for $452M: Lancope specializes in network behavior analytics.
  • Former NSA Chief Keith Alexander’s IronNet Cybersecurity Startup Raises $32.5M: IronNet is developing a detection product, but no details are yet available. IronNet made waves back in June 2014 when it was disclosed that they were charging $1M/month for their consulting services.
  • TalkTalk price swings on hack and arrest: TalkTalk is a British telecommunications company with a market cap of over $2B. In the course of a few days it was announced that TalkTalk had been hacked and customer financial data had been stolen, resulting in the share price tanking over 21% since its high at the start of the week. This is interesting because historically, hacks have not had much of an effect on share prices. Following the announcement that a 15-year-old had been arrested for the hack, shares shot back up nearly 15% in a day. One possible explanation for the bounce back is that investors might assume that the teenager would not have been able to market the stolen financial information. The hack was supposedly a SQL injection.

Conference materials and publications

  • Intel x86 considered harmful: Joanna Rutkowska goes through the different components of the Intel architectures and points out the flaws in each. This paper serves as a discussion of the problems for a yet to be released paper that will offer solutions.

Tools

  • joelpx/reverse: Reverse engineering tool for x86/ARM/MIPS binaries that generates pseudo-C (leverages Capstone). What is unique about it is how it displays its output, which includes tab indentations for logic flows while also maintaining address locations, as seen in its screenshot.
  • 2015 Volatility Plugin Contest: The open-source memory analysis project has an annual plugin contest, and results are in.
    • shimcachemem: The winner of the Volatility plugin contest came from FireEye for a plugin to parse the Windows Application Compatibility Database (aka, ShimCache) from memory. Their posts on this are here and here.
  • USB cleaning device for the masses: Project from CIRCL (Computer Incident Response Center Luxembourg) to install on a Raspberry computer, with ports for a "dirty" USB and a "clean" USB. The project converts files from commonly exploited formats (Microsoft Word) to more benign formats (.HTML), appends the word "DANGEROUS" to executables, extracts compressed files, and performs other file-type-based conversions.
  • microsoft-pdb: Microsoft released the specs for its PDB format, which is used for debugging Windows executables.

Other reads

  • Google forcing Symantec to use Certificate Transparency: Earlier this month, Google discovered that Symantec had created 23 test certificates for domains including ones associated with Google and Opera. Symantec took action and fired people and audited themselves. They found an additional 164 inappropriate certificates. Google is holding Symantec further accountable by requiring that they conform to the Chromium Certificate Transparency policy and write post-mortems on why the inappropriate certs were created and their root causes. The punishment for failing to do so seems to be that Google products (i.e. the Chrome browser) will stop supporting Symantec as a root CA.
  • Does Your Cyber Security Work Like a Police Force? or Like a Bodyguard?: Interesting contrast of the differences between police (reactive) and bodyguards (proactive) and how it relates to cyber security.
  • Samsung WifiHs20UtilityService path traversal: This Project Zero vuln discovery is an interesting case where two fairly benign but risky behaviors combine to result in a vulnerability. In this case, Chrome can automatically download files, and this Samsung software automatically extracts certain files in the Downloads directory and overwrites some files with them. The latter behavior is not good, but it is not quite as concerning until it is combined with the first behavior, which thereby allows for drive-by exploiting.
  • Understanding Microsoft Word OLE Exploit Primitives: Discussion of the Microsoft Office format from NCC Group, and how it is exploited.
  • Critical Xen bug in PV memory virtualization code: Qubes security bulletin for a vuln in Xen allowing the guest to reliably access all of the host's system memory. This bug was introduced into Xen in 2008.
  • Unpatched browser weaknesses can be exploited to track millions of Web users: Browser history sniffing attacks are possible using HTTP Strict Transport Security (HSTS), which instructs browsers to connect only over HTTPS.