"People ask me 'How come all the hackers of these big companies are kids?' You should ask 'How come it's only the kids that get caught?'" Sash
"Security companies compete for customers, but they also compete for victims b/c for them victims==aperture and learning about attacks first." John Lambert
"When you're researching an undocumented Win32API call & Google's results are only in Chinese or Russian, you are doing it right." Greg Linares
"So you want to shut down part of the internet... Well, the Internet's pretty resilient. You're going to need a boat anchor or an intern." Lesley Carhart
"Somebody set a lengthy banner on this router and STILL DIDN'T CHANGE THE DEFAULT CREDS" Johnny Xmas
Instagram's Million Dollar Bug
A bug bounty hunter posted an article about how he got RCE on Instagram's servers (owned by Facebook), used that access to explore further, and how Facebook reacted aggressively toward him. This story created a lot of drama. One side says that Facebook's policy was not clear and that this additional exploration was needed to show the full impact and find further issues. The other side believes the bug bounty hunter went too far in his actions, which included exfiltrating data. You can see the response from Alex Stamos (CISO of Facebook) here.
This is likely to be a critical moment for bug bounty history, and will lead to much more stringent guidelines for bounty hunters. Bounty hunters are digging deeper into the problems they discover in order to be able to show greater impact, as that will result in a higher reward for them, but at the same time, this activity begins looking more like a breach, and less like research. This follows on a story from earlier this month in The Atlantic where it mentions bug bounty hunters "have supplemented their bug-bounty income with shadier activities, like using their skills to access people's credit-card information."
Beyond the drama, the bounty hunter's write-up does make for a good case study to identify security improvements that could have been implemented to hinder the attacker. I'll post an analysis on this soon.
Juniper routers backdoored
During an internal code review, Juniper (a maker of large network routers) discovered two backdoors inserted into its code base that had been there since 2012. One allows admin access via its SSH interface, while the other allows passive monitoring of VPN connections. See the announcement here. The SSH issue was easier to discover and was potentially done by a different group. The passive monitoring issue appears to involve a manipulated random number generator and is believed to be the work of a nation state.
Back to 28: Grub2 Authentication 0-Day
This article discusses a crazy, easily exploitable vulnerability in Grub, the bootloader for Ubuntu and most other Linux distributions. If someone has attempted to secure their system with a username and password in Grub (any version since December 2009 until now), you can press the backspace key 28 times at the user prompt and it will bypass the authentication. Here is an explanation of the craziness:
"if you press backspace 28 times in GRUB, it 'gives you root' (drops you to a rescue shell). The details of this are amazing. By pressing backspace you overflow a variable, which overwrites the return address with zero & jumps. The code at address zero Just Happens to be a valid self-modifying loop (!) that also Just Happens to jump somewhere into grub_rescue()" whitequark
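To make the mechanism in that quote concrete, here is an added example of the bug class (my own reconstruction for this newsletter, not grub's code): a username prompt that reads keys from a constructed key stream instead of the keyboard. The `key_stream` type, `read_username` and `unchecked_backspace` are assumptions of this demo. The hardened reader checks that there is something to erase before decrementing the cursor; `unchecked_backspace` isolates the unsigned wraparound that the quote describes.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Constructed key stream standing in for the keyboard: '\b' is backspace,
   '\n' or the end of the string finishes the line. */
typedef struct {
    const char *keys;
    size_t pos;
} key_stream;

static int next_key(key_stream *ks)
{
    int key = (unsigned char)ks->keys[ks->pos];
    if (key == '\0')
        return '\n';
    ks->pos++;
    return key;
}

/* The arithmetic behind the bug, isolated: an unsigned counter decremented
   from zero wraps to UINT_MAX instead of going negative. */
unsigned unchecked_backspace(unsigned cur_len)
{
    return cur_len - 1;
}

/* Hardened line reader in the style of a bootloader username prompt.
   Returns the final length; buf is always NUL-terminated within buf_size. */
unsigned read_username(const char *keys, char *buf, unsigned buf_size)
{
    key_stream ks = { keys, 0 };
    unsigned cur_len = 0;
    int key;

    for (;;) {
        key = next_key(&ks);
        if (key == '\n' || key == '\r')
            break;
        if (key == '\b') {
            /* The guard that was missing: without it cur_len wraps, buf + cur_len
               points below the buffer, and the clearing memset at the end runs
               over the stack (in grub's case, over the saved return address). */
            if (cur_len > 0)
                cur_len--;
            continue;
        }
        if (key < 0x20 || key > 0x7e)      /* ignore non-printable keys */
            continue;
        if (cur_len + 2 <= buf_size)       /* leave room for the terminator */
            buf[cur_len++] = (char)key;
    }

    /* Clear the unused tail so no stale input remains after the string. */
    memset(buf + cur_len, 0, buf_size - cur_len);
    return cur_len;
}
```

Feeding 28 backspaces to `read_username` leaves the length at zero; the same stream against an unchecked decrement would have driven the index 28 positions below the buffer, which is exactly the write the quote describes.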
FireEye Exploitation: Project Zero’s Vulnerability of the Beast
FireEye, like all software, is an amalgamation of various third-party software projects. One of those happens to be the open-source Java decompiler JODE. The Project Zero team found a vuln in JODE while looking at FireEye, and used it to get RCE on the FireEye appliance. Because the appliance monitors network traffic and scans emails, just sending an email to a user (no need for them to open it) gets you a shell on the appliance, and from there you can read all future emails or network traffic. See the post here. The important take-away here is not the vuln itself, but rather that FireEye is built on a number of projects, which themselves have vulns. This is common to all modern software; however, FireEye should be sandboxing these parsers. Further, they should be actively looking for and fixing vulns in those components.
- Sophos buys SurfRight: The antivirus company Sophos has purchased another AV company, SurfRight, maker of HitmanPro, for $32M.
- Army issues awards for first Cyber Innovation Challenge: In an attempt to solicit, evaluate and purchase limited-quantity prototypes of equipment faster, especially from non-traditional sources, the Army has made its first award for its Cyber Innovation Challenge. Initial awards went to CriticalStack ($3M) and Parsons ($1.5M). The original solicitation can be found here; it is for a risk scoring tool.
- Digital Guardian raises $66M: DigitalGuardian is a cybersecurity product company that in 2015 had acquired Code Green Networks which made a Data Loss Prevention (DLP) solution, and Savant Protection which made an application white-listing solution.
- Congress approved CISA by slipping it into budget: The CISA bill made a lot of noise back in September when it was first introduced. Generally speaking, some of the older tech companies (Microsoft, Oracle, Adobe, IBM, Apple) supported it, while the newer tech companies (Google, Amazon, Facebook) opposed it. The bill makes it easier for companies to share information about cybersecurity threats, which has also raised concerns that it gives the government easier access to personal data. When it was first introduced it did not pass due to these privacy concerns, but this week it was slipped into the budget bill, which guaranteed it would get through. The President is expected to approve it.
Conference materials and publications
- DeepSec slides: DeepSec took place in mid-November in Vienna, Austria.
- fREedom: Chris Eagle has released a tool to use the Capstone disassembler with BinNavi. This means you can use BinNavi (an alternative front-end to IDA Pro) without IDA Pro.
- Tuber: Trail of Bits released an open-source tool for hosting your own video conferences, so you don't have to use a third-party host or proprietary solution anymore.
- Privileged Access Workstation (PAW) scripts: This is a set of scripts from Microsoft for implementing a PAW, which Microsoft describes here. The concept is that for certain activities, such as domain administration, you should use a dedicated workstation that is locked down so it can't be used for anything else. The scripts and the docs are pretty complicated, but the main step for these workstations seems to be configuring them to use a proxy set to localhost, which effectively disables Internet browsing on that host. Microsoft is now calling this a recommended practice.
- maltrail: Maltrail is a network detection system for IPs, domains, and URLs. Sensors installed on Linux systems collect pcap data and send it back to a central server, which provides a UI.
- Xen XSA 155: Double fetches in paravirtualized devices shows a vulnerability that does not exist in the source code, but only in the binary, due to how gcc compiles Xen. In this case the vuln is a TOCTTOU (time-of-check-to-time-of-use) race condition.
- Bad life advice - Replay attacks against HTTPS: This post discusses how it is possible to get replay attacks to occur with HTTPS.
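To show the double-fetch pattern behind the Xen XSA 155 item in isolation, here is an added example (my own simplified model, not Xen's code): a backend reading a request from memory it shares with an untrusted frontend. The `shared_req` struct, both backend functions and the `race` hook are constructed for this demo; the hook stands in for the other side writing to the shared field between the backend's check and its use, which in a real system happens concurrently and non-deterministically.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a ring request living in memory shared with an
   untrusted frontend. volatile forces every access to really hit memory,
   which is how the compiled backend in XSA 155 behaved. */
struct shared_req {
    volatile uint32_t len;      /* the other side may rewrite this at any time */
    uint8_t data[64];
};

/* Simulates the frontend racing the backend: called between check and use. */
typedef void (*race_fn)(struct shared_req *);

/* Vulnerable pattern: the field is fetched from shared memory twice, once
   for the check and once for the use. Returns the length the use step saw;
   the copy is capped at out_cap so the demo itself never writes out of bounds. */
uint32_t backend_double_fetch(struct shared_req *req, uint8_t *out,
                              size_t out_cap, race_fn race)
{
    if (req->len > out_cap)             /* first fetch: validate */
        return 0;
    if (race)
        race(req);                      /* the other side gets a turn here */
    uint32_t use_len = req->len;        /* second fetch: may differ from the checked value */
    memcpy(out, req->data, use_len < out_cap ? use_len : out_cap);
    return use_len;
}

/* Hardened pattern: fetch once into backend-owned storage, then check and use
   only that private copy. Xen's fix does the same for the whole request. */
uint32_t backend_single_fetch(struct shared_req *req, uint8_t *out,
                              size_t out_cap, race_fn race)
{
    uint32_t len = req->len;            /* the only fetch */
    if (len > out_cap)
        return 0;
    if (race)
        race(req);                      /* later writes to shared memory cannot change len */
    memcpy(out, req->data, len);
    return len;
}

/* Constructed frontend behaviour: pass validation with a small length,
   then bump it after the backend has checked it. */
static void grow_len(struct shared_req *req)
{
    req->len = 1000;
}
```

With a 16-byte output buffer and an initial length of 8, the double-fetch backend passes the check and then uses a length of 1000, while the single-fetch backend keeps using the 8 it validated. The source-level lesson from XSA 155 is that a local copy only protects you if the compiler actually keeps it local; copying the whole request with a barrier, as Xen's fix does, removes the compiler's freedom to re-read shared memory.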