Downclimb: Summit Route’s Weekly Infosec News Recap
2015.11.29 – 2015.12.06: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“It’s not necessarily wrong, but “cyber security firm warns of major vulnerability in its specialty field” isn’t news, it’s an advertisement.” Alexander Olesker

 

“Watched someone do a “TLS Crazy Ivan” (pushed an internal server public temporarily just to use SSLlabs) “ Jim Manico

 

“The totem of the password is protected by numerous taboos. One of these mandates looking away when another person is typing a password.” Cyber Freud

 

“Sprinkle crushed pepper and cinnamon on your keyboard before banking online for added security.” homeopathic tech

Top stories

Chimera ransomware blackmailing and offering affiliate program

The Chimera ransomware is adding a new threat to the game by threatening to post the files it has encrypted if the ransom isn’t paid. The usual response to ransomware from companies with backups has simply been to wipe the system and restore files from backup, but this new ransomware strategy potentially complicates things.

Chimera’s executable also includes an offer to become part of an affiliate program to provide Ransomware-as-a-Serice for any technical folks that get their hands on the malware. This is an interesting place to put an advertisement because the only people likely to see this are the people infected (probably not good partners), or the people called in to help respond to this malware or employees at infosec companies that are reversing the malware.

• http://blog.trendmicro.com/trendlabs-security-intelligence/chimera-crypto-ransomware-wants-you-as-the-new-recruit/

Newspaper News

• Kazakhstan requiring CA be installed for MiTM: In a brief and awkwardly translated statement, KazakhTelecom, Kazakhstan’s largest telecom, said citizens are “obliged” to install a certificate on every device. This is believed to be for Kazakhstan’s government to be able to MiTM traffic and surveil it. This is unfortunate but should not surprise people as much as it did. Tunisia just outright bans encryption with up to 5 years in prison for it (resulting in a story in October about 96% of emails sent from Tunisia being stripped of STARTTLS to downgrade them to being unencrypted), and nearly every country requires their telecoms provide the ability to wiretap phone calls and makes court orders to get access to server data, in addition to new debates about encryption backdoors. Further, many nations have trusted CA certs in your browsers already. A good resource to learn about the policies of different countries with regard to Internet freedom is Freedom House. None of this is good, but the only actually interesting part of what Kazakhstan is doing, is that they are going to accomplish via legislative means what every one else is likely accomplishing via technical means, which is both cheaper and may point to where other countries are heading.

Conference materials and publications

• What Got Us Here Won’t Get Us There: The video of Haroon Meer’s Black Hat EU Keynote is now available. Watch it at least once.
• Hackito Ergo Sum slides: This conference in Paris happened last week.

Tools

• Signal desktop: Signal is a chat application from Open Whisper Systems, allowing for encrypted chat and group messaging, including text, picture, and video messages for free. Original only a phone app, they now are moving to the desktop with a Chrome app. Of all the available chat apps and protocols, Signal is the one you should probably trust the most.
• Let’s Encrypt: Let’s Encrypt provides free HTTPS certs and has now entered public beta so anyone can get one.
• dnstwist: Given a domain it will generate a list of misspellings for that domain, which could be used for phishing. It will then retrieve DNS information for all those domains.
• SekoiaLab/Fastir_Collector: This is an open-source alternative to FireEye/Mandiant’s free Redline tool for collecting interesting forensic artefacts from Windows systems for malware analysis.

Other reads

• Cyber war in perspective: Russian aggression against Ukraine: I don’t recommend reading this 175 page paper which is a compilation of other papers from folks at RAND, FireEye, universities, and elsewhere. With the word cyber used 1,273 times (7/page on average), this is written for what I’ll call armchair cyber strategists. I think the most important section is Chapter 5, which simply states that there is no cyber war occurring between Russia and Ukraine, and asks why, because both sides have ample talent, and there is a hot military conflict, but outside of web defacements and DDoS attacks, there hasn’t been the Hollywood cyber war. Nor has there been anything like Estonia or Georgia experienced from Russia. There has been “vigorous cyber espionage, the targeting of cell phones by Russian electronic warfare, and the use of old-fashioned bolt-cutters to sever lines of communication in Crimea.” But there has not been attacks on critical infrastructure or defense systems. No conclusion as to why is reached.
• Follow-up on last week’s Dell fiasco: Last week we learned Dell was involved in something similar to Superfish. This resulted in Microsoft ensuring it has removed trust for these certs. Along with the Superfish cert, there was a vuln found in the Dell Foundation Service which is an HTTP server that Dell was installing on it’s laptops. This disclosed the Service Tag of the asset. This is a fairly boring vuln, but it was fixed by apparently removing the JSONP API and switching to a SOAP API, which introduced a new and worse vulnerability. This new vuln provides a way to run arbitrary WMI queries against the system, which means anything about the system, including the service tag as before, and now filesystem metadata (filenames), can be acquired.