Downclimb

2015.11.08

RSS feed

Downclimb: Summit Route's Weekly Infosec News Recap
2015.11.01 – 2015.11.08: https://SummitRoute.com

Quotes

"Infosec is an industry that wastes billions of dollars on firewalls and policing network perimeters, things that 'make us feel safe' but don't address real problems. Look at the major breaches of recent memory and you will find companies that were attacked despite using next-generation firewalls and high-level software that, for all their cost and promise, allowed massive, embarrassing and harmful breaches." Amit Yoran, President of RSA

 

"EMET, the tool nobody ever enables is the one everyone wants to bypass..." Chris Gerritz

 

"We love to talk about 0days and nation state actors, but the trustworthiness of third-party services is one threat many overlook." Runa A. Sandvik

 

"security through vulnerability: your appliance’s SSL is so fucked firefox refuses to connect to it." Spoopy_DA_667

Top stories

Hack The Galaxy: Hunting Bugs in the Samsung Galaxy S6 Edge

Google's Project Zero team discovered vulns in a popular Android phone. Samsung uses the Android Open-Source Project (AOSP), but Samsung is obviously not owned by Google. This research is interesting because it shows the problems introduced by third-parties which use the libraries or projects a company releases. In recent years, the Android brand has been viewed as inferior in terms of security from Apple's iPhone, but one could argue a big reason for that is the problems OEMs like Samsung are introducing, and not so much problems with Android itself.

In a somewhat related news story, a Google engineer has been testing and reviewing all the USB-C cables on Amazon, because Google (and Apple) made use that spec in their products, but the market is being flooded with inferior cables, which ultimately may lead people to view Google's Chromebook as inferior. This is a problem that has plagued many products, that the third parties that enter the ecosystem, end up tarnishing the brand, and as a result, the owner of the brand has to test and attempt to fix or take action against the 3rd parties.

Java serialization vuln

This vuln in a common Java library was mentioned in a presentation 9 months ago, but no one took notice, so a security company (not the original discoverers) have described what it is and why it's bad. Further, they figured out how to exploit it in WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS. Likely many more are all affected by this vuln which results in pre-authentication, remote code execution exploits.

PageFair distributed malware

PageFair provides javascript that businesses include in their web sites to detect ad-blockers. Unfortunately, it was hacked via phishing, and the attackers then modified the javascript that PageFair provided so that instead of detecting ad blockers, it distributed a fake Flash Updater (malware). This third-party code ran on many sites, such as The Economist, who now has a page offering advice on antivirus to use to remove the PageFair associated malware. This hack high-lights the concern of attackers going after third-parties in order to reach users and customers of more businesses.

The post-mortem (linked below) from PageFair is detailed and discusses issues with browser caching and CDN invalidations. My favorite part is how PageFair reached out to the "business", called NanoCore, that sells the RAT that was used and NanoCore disabled the account of attackers due to violating their terms. NanoCore stated "We strictly prohibit malicious use of our software and have terminated the PageFair hacker's account."

Newspaper News

  • NSA admits to reporting 91% of vulns it finds: The NSA released a statement on their own site stating "Historically, NSA has released more than 91 percent of vulnerabilities discovered in products that have gone through our internal review process and that are made or used in the United States. The remaining 9% were either fixed by vendors before we notified them or not disclosed for national security reasons."*
  • First OSX ransomware: A self-proclaimed "security researcher" created a proof-of-concept ransomware for OSX, to prove that it could be done. Thankfully, the POC has not been released. This is not security research and it makes me sad to see it claimed as such.

Business

  • FCC Fines Cox $595K Over Lizard Squad Hack: The FCC is continuing to enforce it's new self-made role as enforcer of Internet security by fining Cox for failing to prevent a hacker from obtaining PII. I applaud this work, as the current business climate has dictated simply that you buy cyber insurance (see this article) and pay for credit monitoring if you're ever breached. This is hopefully a move in the direction of creating real financial pain for companies that fail to secure their businesses.
  • FireEye shares drop 15% on claim Chinese hacking has slowed. FireEye reduced it's fiscal year revenue forecasts to $620M-$628M from $630M-$645M by claiming the clamp down by United States and China on cyber spying led to lower demand for the company's security products.

Conference materials and publications

  • Ruxcon slides: Conference in Australia last week.
  • Power Of Community: Slides from this conference in Seoul, Korea have been released as part 1 and part 2.
  • Saintcon videos: Conference in Utah last week.
  • Black Hat USA videos: Conference in Las Vegas over the Summer. Slides have been up for a while, but now videos are available as well.

Other reads

  • WoW64 and So Can You: Bypassing EMET With a Single Instruction: Paper from Duo Security on exploiting Wow64 processes when security products are involved, using EMET as a case study.
  • The Untold Story of PKCS#11 HSM Vulnerabilities: Post and PDF describe common vulnerabilities with HSM devices, which are supposed to make encryption keys unextractable.
  • iOS 9 security: Zerodium announced that they had paid a team $1M for a "remote browser-based iOS 9.1/9.2b #jailbreak (untethered)", while Elcomsoft, a forensics company, discussed the improved security of iOS that has resulted in them being unable to dump iOS 9 phones if the phone is locked and the password is unknown.