Downclimb

2015.12.13

Downclimb: Summit Route’s Weekly Infosec News Recap
2015.12.06 – 2015.12.13: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“It is uncomfortable, but important that we provide the best safety we can in non-ideal circumstances.” Alex Stamos

“The best way of keeping hackers away - Name your servers/networks Honey*” Robin von Post

“In reality I alternate between “don’t worry little bug I won’t give up on you” and “I can find ten more bugs like you if you don’t shape up”” Natalie Silvanovich (vulnerability researcher)

“I wish a lot of security vendors would spend less time on pretty analytics and more on implementing proper APIs and working Boolean search.” Lesley Carhart

Top stories

Patches

Security updates were released this Tuesday from Microsoft, Adobe (mostly for Flash), and Apple for OS X and iOS. Among Microsoft’s patches was the scary-sounding MS15-127, which warned that RCE on Windows DNS servers was possible. Domain Controllers are required to run a DNS server, but so far no one seems to have been able to successfully exploit this vulnerability. The Apple iOS vulns are interesting because, despite there being a $1M bounty from Zerodium for an RCE exploit on iOS, researchers are still informing Apple of the vulns they find, and many vulns are being found.

SHA-1 deprecation: No browser left behind

SHA-1 is being deprecated by browsers at the end of December, but a decent number of Internet users still use old, unsupported browsers, such as IE6, or old phones. Posts have therefore come out from both Cloudflare and Facebook on the techniques they are using to keep supporting SHA-1 for users who can’t use SHA-2, while still using SHA-2 for everyone else, and hopefully without making a downgrade attack possible.

One set of beliefs says that everyone should use SHA-2, and that if you can’t, your system is so insecure anyway that an attacker can already compromise it and your communications, so websites shouldn’t try to provide the illusion of security to those users. The other belief (held by Facebook and Cloudflare) holds that crypto should be applied everywhere, and that cracking SHA-1 is still outside the reach of everyone except potentially nation-state attackers, so you should still try to give people whatever security you can. Facebook has a bug bounty if you think you can apply a downgrade attack to their setup, which they’ve open-sourced.

Chrome Extensions – AKA Total Absence of Privacy

This article was posted in mid-November. The basic point is that Chrome extensions (or extensions for any other browser) have access to information on all the sites you visit, and can beacon this information home somewhere.

Business

  • Courion Acquires Core Security: Courion provides an Identity and Access Management (IAM) solution, whereas Core Security provides a suite of solutions around vulnerabilities (finding them, managing them, testing for them). These are two very different spaces.
  • LookingGlass Acquires Cyveillance: LookingGlass Cyber Solutions and Cyveillance each provide threat intelligence. LookingGlass additionally announced it closed a $50M Series C round.

Newspaper News

  • FBI admits to using 0-days: An FBI official has admitted for the first time that it uses zero-day exploits. The official described the trade-off as a question of which is the greater good: to “identify a person who is threatening public safety” or to alert the vendor.
  • Google announces quantum computing news: The quantum computing company, named D-Wave, that Google owns made some advances in quantum computing, but it’s still not even close to being competitive with any other computing techniques. Specifically, a D-Wave computer costs $10M for you to buy, but is only about as fast as one core of a 6-core Intel system that sells for $600 (see here). So quantum computing is advancing, but it’s nothing to worry about yet, as no one is even forecasting if or when quantum computing will catch up to other computing techniques. In theory, the most concerning aspect of quantum computing is that it could break a lot of existing crypto, but we don’t need to be very worried yet.

Conference materials and publications

Tools

  • hashcat: This password cracking tool is now open-source.
  • etsy/phan: Static analyzer for PHP 7+ code.

Other reads

  • Google to distrust a Symantec CA: Google will be moving to distrust the “Class 3 Public Primary CA” root certificate operated by Symantec Corporation. Symantec has indicated that they do not believe their customers will be affected by this removal, and they initiated this by posting a notice on their site advising platforms to untrust it. So this does not appear to be a case of Google picking a fight with Symantec. This story is crazy because this has been a root cert forever (since 1996, and valid until 2028) and is used by 10 of the top 100 sites in the world, among many others from this search on censys. However, these sites have other chains, so this root was only used for older browsers. No reasoning is really offered as to why Symantec doesn’t care to support this anymore, other than that they “intend to use this root certificate for purposes other than publicly-trusted certificates”. It’s also crazy that Symantec decided to stop auditing this CA before platforms had stopped supporting it. I think the main take-aways are that the CA system is very broken, and that Symantec (one of the old guard, core players) is doing sketchy things.
  • Safe Browsing now on Android Chrome: When it comes to which browser is safest, I used to argue based on the sandbox, whether it was 64-bit to take advantage of ASLR, and the other aspects related to the difficulty of making a fully capable exploit against it. After working in enterprise defense, and seeing what actually hits people most, I’d argue one of the most impactful features of a browser for stopping real-world attacks is Google’s Safe Browsing, which helps identify and avoid malware downloads and phishing sites. This public API is also used by Mozilla Firefox, but in both cases it’s only done on the desktop. This latest news is that Safe Browsing has now come to Chrome on Android. It’s already been on by default for years on Chrome on the iPhone.
  • Backstab: Mobile backup data under attack from malware: Although this problem has been known about for a long time, it’s a good reminder that malware can steal data from phones (text messages, pictures, etc.) when plugged into computers that have been infected. There are 6 different strains of such malware that infect computers, some of which have been around for 5 years.
  • Postmortem: Server compromised due to publicly accessible Redis: This is a good rundown of the techniques used by an attacker against a Linux server in one hack.
  • Exploiting Windows Media Center using a polyglot: Windows Media Center has a simple-to-exploit feature that can allow an attacker to execute arbitrary files, but those are run within the context of the sandbox; by using a file polyglot, this can be avoided.
  • Twitter warning users of state sponsored attacks: Like Facebook did a little over a month ago, Twitter is now warning users when it appears state-sponsored attackers are going after their accounts. This is good, but these sites will want to make sure they are accurate in who they warn so as not to make people unnecessarily paranoid.
  • Binding two processes on the same port for fun and firewall evasion: This post shows how you can bind multiple processes to listen on the same port, even essentially hijacking a port from a more privileged process. This makes some investigations really difficult.
  • Bypass DEP and CFG using JIT compiler in Chakra engine: Chakra is the JavaScript engine used by IE 9+ and Microsoft’s Edge browser. This article shows how to use a JIT spray to bypass not just DEP but also Control Flow Guard (CFG).
  • Tracking Lateral Movement Part One - Special Groups and Specific Service Accounts: This article shows how to get special notifications (Event ID 4964) whenever “special group” accounts log on.
  • Nemesis malware targets boot record: This malware, named Nemesis and discovered by FireEye, targets the VBR, which is one of the boot records on a hard-drive partition that tells the system how to load the OS. It therefore gets loaded before the OS does.