
Downclimb: Summit Route's Weekly Infosec News Recap
2015.11.15 – 2015.11.22:
To receive a weekly email notification of this newsletter, email


"People be like 'defense is hard, we have to win every time'. Attackers also have to win every time or they will spend decades in cages." @stribika


"Proving a product hasn't been tampered with by spy agencies is like trying 'to prove the non-existence of god'." Joe Skorupa

Top stories

Microsoft Security Intelligence Report

Within this massive 166 page report is an exposé on a threat actor Microsoft calls Strontium. One interesting activity from this threat actor is that they will use a VPN to join a Kali Linux computer to the victim's network. This red-team-focused Linux distribution allows Strontium to use many existing open-source hacking-related tools (so they don't need to build or expose any private tools), and ensures they don't need to deploy their toolchain to a system on a victim's network, which would leave behind forensic artifacts.

Another threat discussed in the report is Brazilian banking malware called Win32/Banload, which installs a browser extension that monitors the sites a victim visits for things that look like payments, and when the user submits them, the browser extension modifies the recipient's account number to one the attacker controls. Although this extension is installed without the user's knowledge, I've found that most users do not realize that browser extensions have such abilities.

TIFU by using Math.random()

This long and technical post can be summarized as: beware of where you get your randomness from, and in particular the algorithm behind Math.random() in the JavaScript engine V8 is not sufficient for any security-related need.

The Great Jeep Cherokee Hack of 2015

Funny 2 minute video from Duo Labs where Charlie Miller and Chris Valasek recount their car hacking.


  • British government to invest $250M in cyber security startups: This investment fund is expected to be similar to America's DARPA or In-Q-Tel. Additionally, Britain will double its public spending on fighting cybercrime to $2.9B/year by 2020.
  • Blue Coat Doubles Down on CASB: This post describes Blue Coat's July acquisition of Perspecsys, a Cloud Access Security Broker (CASB), and why the CASB market is seeing so many acquisitions. It can be summed up with this quote from the post:

"Similar to other cybersecurity product categories, CASB is fundamentally rooted in visibility and control"

Conference materials and publications

  • Security @ Scale videos: A conference in Boston last week focused on large companies showing how they defend their networks.


  • Visual Studio: Microsoft's minimal version of Visual Studio, called Visual Studio Code, has now been open-sourced. This quick-loading version of Visual Studio is based on technology similar to GitHub's Atom editor. I long ago moved from Notepad++ to Sublime on Windows, then to Atom, and now to VS Code (on all my OSes), which has things like Git and diffing built in. For those that do need the full version of Visual Studio, and can't get by with the free Community version, Microsoft also announced that it now provides monthly subscriptions to Professional at $45/mo, which is useful for freelancers. Finally, Microsoft released a remote GDB debugger for Visual Studio (works with Community), so you can debug code on Linux or other architectures that support GDB, using Visual Studio.
  • LIMA CHARLIE: This is an open-source endpoint monitoring platform that works across Windows, OSX, and Linux. It's still a work in progress, but aims to monitor process creation, DNS requests, and other functionality of an EDR, such as Carbon Black.
  • InVtero: This tool enables hypervisor virtual machine introspection for dumping physical memory and provides analysis tools. It works for both Windows and BSD OSes and hypervisors.
  • nmap 7: This major release comes 3.5 years since the last major release. Among the major improvements are better IPv6 support and scripts for scanning for SSL vulnerabilities.
  • Wireshark 2: The last major release of Wireshark (1.0) was back in 2008. However, this release is just improvements on existing functionality.

Other reads

  • VirusTotal += Mac OS X execution: No details are given on what product VirusTotal is using for this, but now when you upload an OSX sample, the file will be detonated in a sandbox and information about the function calls made will be included in the VirusTotal results.
  • Windows driver signing bypass by Derusbi: Taking a page from the Uroburos rootkit which used a vulnerability in a legitimate VirtualBox driver, the Derusbi malware uses a vulnerability in a legitimate Novell signed driver in order to patch memory in kernel space.
  • Russian financial cybercrime: how it works: Breakdown of the different roles involved in Russian cybercrime.
  • Zerodium price table: The exploit broker Zerodium published a price table for how much it is willing to pay for exploits to different software. This gives some confirmation of the security of various software, or at least how much it might cost an attacker. However, using this data in that manner does have its faults. First, we don't know how genuine these prices are, as there have been accounts of large reductions between "asking" prices and actual purchase prices, and we have to realize that publishing this price list is mainly done for marketing reasons. Next, the price has many other factors involved beyond difficulty, such as the value of the targets and the number of targets actually using that technology.
  • Truecrypt audited by the German government: The homepage of Truecrypt still has the warning at the top "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues" which was put there after some drama with the Truecrypt team seemingly becoming frustrated in June 2014 that people were being paid to audit the project while the team itself was never paid. Since then, 3 teams have publicly audited the project: The original Indiegogo funded audit, Google Project Zero, and now this. No major concerns have been found by any of these audits, and it's interesting to see the different tactics taken and how each review did find new and different minor issues, although the issues are local attacks, which arguably are not within the tool's threat model.