Downclimb: Summit Route’s Weekly Infosec News Recap
2015.11.22 – 2015.11.29: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“the remarkable thing here is not the bug, it’s the fact that the kernel has an x509 parser users can trigger” @hanno on CVE-2015-5327

 

“The information to be found within the wireless spectrum is not limited to product specifications.” @isecom

 

“FIPS 140-2 encryption should be the dictionary definition of cargo cult. It’s an out-of-date standard encouraging bad practices.” Copperhead

 

“Pub/Priv Info Sharing is a strategy to navigate a minefield by making it easier to yell ‘medic!’ after your leg has been blown off.” Mudge

Top stories

Dell’s eDellRoot root cert

Being referred to as Superfish 2.0, and Superfish 2.1, Duo Labs broke the story that recent Dell laptops ship with custom root certificates for some sort of customer support purpose. Like Superfish, Dell also included the private key, which allows anyone to easily set up MiTM attacks against Dell users. The researcher Haife Li wrote an article that showed that Dell is also adding “*.dell.com”, to Internet Explorer’s “Trusted sites”. This means that browsing to dell.com is not sandboxed by the browser, and any Microsoft Office files downloaded from dell.com are not sandboxed. Because of the aforementioned MiTM capability, it then becomes trivial to make it appear as though a user is downloading an arbitrary document from a “secure” connection to dell.com. Dell added this 6 months after Superfish, so they learned nothing from that fiasco. For any other vendors out there, let’s review what all the horrible things about this are:

1. The same root certificate was added to all laptops: This effectively makes Dell a Certificate Authority to all the users of it’s laptops without having to go through any vetting.
2. The private key was shipped along with the public key: This allows easy MiTM against “secure” communications.
3. A site was added to the Trusted Site list: This provides a way to escape various sandboxing and protection mechanisms.

The CSO of Facebook commented

“The eDellRoot fiasco reinforces that there is a huge difference in the safety of the Windows bits on shipped PCs and the MSDN version.” Alex Stamos

This is true, however, vendors can still ensure their software survives OS wipes and reinstalls. I’ve not been able to identify if Dell’s changes have been included in the Windows Platform Binary Table, but this is a capability that allows vendors to store their special add-on software in the firmware of the laptop so that even if you wipe the hard-drive and re-install the OS from scratch, the vendor software will be automatically installed as was found with Lenovo over the Summer. So even if you’ve reinstalled your OS, you will want to check for this cert.

Some people have also wondered why Google Chrome didn’t detect this as they have with abuse and compromises of Certificate Authorities. The reason is that Google Chrome only alerts if it’s certificate chains to a different public CA, not a private CA. People add their own private CA’s to systems all the time. For example, corporate networks do this in order to be able to monitor encrypted traffic for various reasons. Also users do this for testing and debugging (ex. the excellent tool Fiddler will do this).

In somewhat unrelated news, Microsoft itself added 5 more CA’s to Windows this week. Having all these certificate authorities is really breaking some of the objectives of encryption.

Why did TalkTalk’s stock drop when it was hacked?

This analysis from yours truly on the hack on TalkTalk a month ago which caused an immediate 9% drop in their stock price. It is rare for hacking to impact a company’s stock price, so this analysis investigates what may have caused that.

Microsoft’s Accidental Enterprise DFIR Tool

This article covers how to use Microsoft’s SCCM (which collects event logs), feed those into Splunk, and shows the specific rules one should set up to hunt for badness.

Abusing CSS Selectors to Perform UI Redressing Attacks

LinkedIn allows some minimal HTML for user’s blog posts and other content. By abusing existing CSS styling of LinkedIn, an attacker could make a page that looks how they want (a UI-redressing attack). See their article for more.

Newspaper News

• Facebook tips off US State Dept employees to account hijack attempts: With the use of SaaS and other services, it’s often only the vendor that is capable of determining when accounts are being brute-forced or otherwise attempted at being hijacked. Given that, it’s nice to see Facebook warning users when these attacks are identified. No information is given as to what Facebook detected or how they did so. The article only states:

“Over the past month, Iranian hackers identified individual State Department officials who focus on Iran and the Middle East, and broke into their email and social media accounts, according to diplomatic and law enforcement officials familiar with the investigation. The State Department became aware of the compromises only after Facebook told the victims that state-sponsored hackers had compromised their accounts.”

Business

• NCC Group acquiring Fox-IT: The British security consulting business NCC Group, which also acquired iSEC partners and Matasano security, is now acquiring the Dutch company Fox-IT for $143M.
• Yahoo blocking access to mail for users for Adblock tools: It will be interesting to see how this plays out, as historically most service providers tried only to bypass Adblockers, if they did anything at all, and didn’t just block service to users.

Conference materials and publications

• hack.lu slides: Conference in Luxemberg in late October.
• BSidesDC videos: Conference in DC in mid-October.

Tools

• yahoo/csptester: This tool provides a way to test Content Security Policies for different browsers. Their presentation is here.