Downclimb: Summit Route's Weekly Infosec News Recap
2015.11.08 – 2015.11.15: https://SummitRoute.com
"C is a programming language for turning low-level byte arrays into security advisories." @fare
"There is plenty of money to be made in cleanup-on-aisle-seven security." Gary McGraw
"Vulnerability discovery is looking for exploitable errors in code. Exploitation is using those errors as a programming language." Dino A. Dai Zovi
"Developer Myth: if it was hard to write it should be hard to exploit. Hacker Myth: if it was easy to exploit it should be easy to fix." Christien Rioux
China and Russia get a lot of attention with regard to cybercrime, but Brazil is also an interesting player, and this write-up from Kaspersky looks at many of the parts that enable it. An interesting story about Brazil's infosec world came out this week when it was found that the Brazilian Army was hacked over a CTF (cybersecurity competition). Personal details of about 7,000 officers have been leaked, along with their passwords and details of 10 vulnerabilities used in the hack. This was in retaliation for the Brazilian Army's team cheating in a CTF.
The Anatomy of an IoT Hack
This is a great write-up showing how Avast manually found a command-injection vulnerability in an IoT device, discovered along the way that the HTTPS certificate for the device's updates was not checked, and used this to research the system further.
Inaudible sounds used to link devices
There was news this week that a company named SilverPush uses inaudible sounds embedded in ads, picked up by a library included in some apps, in order to link the devices you own. So if the company knows your phone, it can then identify your TV or laptop as well. A number of ad companies are doing this, and it raises interesting concerns. The first is the motivation these companies openly discuss: identifying all the electronic devices you use. There are other interesting corollaries of this concept that are not being discussed:
- You might disable location tracking for an app, but if it can play sounds, then perhaps another device you use can help identify the location of the device with that app.
- More precise location tracking could be done, such as what aisle in a store you're browsing. Or for social network mapping, you could identify what people you're sitting next to in a restaurant.
- If a user browses the Internet via Tor or their browser's incognito mode and ends up playing any sounds, those could be picked up by their phone and thereby de-anonymize them.
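The defender's counterpart to these beacons is spotting one on the listening side. As an added example (not from the original post, nor SilverPush's or any ad library's code), here is a Python checker that scores a frame of microphone audio for a narrow near-ultrasonic tone using the Goertzel algorithm; the 18.5 kHz beacon frequency, frame size and the synthetic audio are assumptions.

```python
import math
import random

SAMPLE_RATE = 44100   # typical phone microphone rate (Hz)
FRAME = 4096          # samples per decision (~93 ms); bin spacing ~10.8 Hz
# Assumed beacon tone near 18.5 kHz (constructed; real beacons vary), rounded to a DFT bin
BEACON_BIN = round(FRAME * 18500 / SAMPLE_RATE)


def goertzel_power(samples, k):
    """|X[k]|^2 for a single DFT bin k, cheaper than a full FFT when few bins matter."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(samples))
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def beacon_snr_db(samples, k=BEACON_BIN, guard=3, width=20):
    """Power at bin k relative to nearby bins: a beacon is a narrow tone, noise and speech are not."""
    near = [j for j in range(k - width, k + width + 1) if abs(j - k) > guard]
    floor = sum(goertzel_power(samples, j) for j in near) / len(near)
    return 10.0 * math.log10(goertzel_power(samples, k) / max(floor, 1e-12))


def beacon_present(samples, k=BEACON_BIN, min_snr_db=20.0):
    return beacon_snr_db(samples, k) > min_snr_db


def synthetic_audio(with_beacon, k=BEACON_BIN, beacon_amp=0.05, seed=1):
    """Constructed input: two audible tones plus mic noise, optionally the inaudible beacon."""
    rng = random.Random(seed)
    f_beacon = k * SAMPLE_RATE / FRAME
    out = []
    for n in range(FRAME):
        t = n / SAMPLE_RATE
        x = 0.5 * math.sin(2 * math.pi * 440 * t) + 0.3 * math.sin(2 * math.pi * 1000 * t)
        x += rng.gauss(0.0, 0.01)
        if with_beacon:
            x += beacon_amp * math.sin(2 * math.pi * f_beacon * t)
        out.append(x)
    return out


if __name__ == "__main__":
    for flag in (False, True):
        print(f"beacon={flag}: {beacon_snr_db(synthetic_audio(flag)):.1f} dB over neighbours")
```

A real monitor would run this per frame on the microphone stream and sweep a few candidate bins in the 18-20 kHz band rather than one assumed frequency.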
- U.S. charges three in huge cyberfraud targeting JPMorgan, others: The indicted men are accused of a number of crimes, the main one being stealing customer lists from banks in order to scam those customers into buying penny stocks in pump-and-dump schemes. Although the financial data of the banks was not affected, the concerning part of this story, as we've seen time and again, is that the men used only off-the-shelf hacking tools, with little to no technical knowledge themselves, and were still able to hack banks.
- Tenable raises $250M: Tenable makes Nessus, the vulnerability scanner.
- Cymmetria raises $9M: Cymmetria makes a deception product that creates decoy servers which simulate an organization’s real networks, in order to deceive and detect attackers. This press release states that Gartner Inc. "expects that by 2018, 10% of all enterprises will use deception tools and tactics, and actively participate in deception operations against attackers."
- Microsoft acquires Secure Islands: Secure Islands makes a product to control access to corporate files in the cloud and automatically encrypt them based on the contents. The price is believed to have been between $77M-$150M.
Conference materials and publications
- Black Hat EU slides: Conference in Amsterdam this past week. Among the many good talks, I especially liked Haroon Meer's keynote "What got us here won't get us there".
- Intel SGX Enclave Support in Windows 10 Fall Update: This discusses an upcoming Intel feature called Software Guard Extensions (SGX), often referred to as Secure Enclaves, and how it works with Windows 10.
- coreos/clair: Container Vulnerability Analysis Service. Scans containers (without running them) by looking at the hashes of the binaries on the layers to identify known vulnerable executables.
- Google ending support for Chrome on Windows XP and Vista, and Mac OS X 10.8 and below: Support will stop in April 2016, as these OSes are no longer supported by Microsoft or Apple.
- Tor deanonymization: Court documents revealed a user had been de-anonymized on the Tor network. $1M was paid for this attack to be performed, which lasted 5 months and likely deanonymized more people. Some noise is being made about how this was done by a "university-based research institute", supposedly Carnegie Mellon University, but that side of the story is not nearly as interesting as Tor having been "broken".
- Rocket Kitten: This report on the Iranian threat actor digs into the tooling and exposes one of the people behind it.
- Let's Encrypt explains their 90-day certificate lifetimes: Let's Encrypt will provide free certificates, but they will only have 90-day lifetimes. They explain their reasoning that this limits damage from compromises and forces the use of automation.
- Chrome now blocks potential phishing sites: Google Chrome's Safe Browsing now blocks deceptive-looking sites.
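The layer-hash scanning idea behind the coreos/clair item above, as an added example that is not clair's own code: a Python sketch that hashes every regular file in in-memory tar layers and matches the hashes against a vulnerability feed, applying layers in order so a binary replaced by a patched upper layer is not reported. The feed contents, file paths and advisory id are constructed placeholders.

```python
import hashlib
import io
import tarfile

# Constructed feed: sha256 of a known-vulnerable binary -> advisory id (placeholder).
# Real feeds are keyed the same way; here the hash is derived from constructed content.
VULNERABLE_BINARY = b"constructed stand-in for a vulnerable build of some tool\n"
PATCHED_BINARY = b"constructed stand-in for the fixed build of the same tool\n"
FEED = {hashlib.sha256(VULNERABLE_BINARY).hexdigest(): "ADVISORY-PLACEHOLDER-0001"}


def make_layer(files):
    """Constructed image layer: an in-memory tar of {path: bytes}, the shape of a layer blob."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size, info.mode = len(data), 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def layer_digests(layer_bytes):
    """sha256 of every regular file in one layer; nothing is extracted to disk or executed."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as tar:
        for member in tar:
            if member.isreg():
                digests[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def scan_image(layers, feed=FEED):
    """Match the image's final filesystem view against the feed.

    Layers are applied in order, so a binary replaced by a later (patched) layer is
    judged by its final content rather than reported from the older layer underneath.
    """
    view = {}
    for layer in layers:
        view.update(layer_digests(layer))
    return {path: feed[digest] for path, digest in view.items() if digest in feed}


if __name__ == "__main__":
    base = make_layer({"bin/tool": VULNERABLE_BINARY, "etc/motd": b"hello\n"})
    fix = make_layer({"bin/tool": PATCHED_BINARY})
    print(scan_image([base]))        # {'bin/tool': 'ADVISORY-PLACEHOLDER-0001'}
    print(scan_image([base, fix]))   # {}
```

Hash matching only catches binaries whose exact build is in the feed; a rebuilt or repackaged copy of the same vulnerable code needs package-version matching on top.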