Downclimb

2016.01.10

RSS feed

Downclimb: Summit Route’s Weekly Infosec News Recap
2016.01.03 – 2016.01.10: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.” The Mentor in the “Hacker’s Manifesto”, January 8, 1986; 30 years ago in Phrack

 

“Modern PC exploit: buffer overflow, rop chain, bypass aslr, bypass dep, elevate privileges.
Modern PLC exploit: read user manual.” @ReverseICS

 

“My stock advice for 2016: SELL integer overflow, BUY use-after-free, and HOLD type confusion” John Lambert

 

“We only promised to make a better TLS implementation, not a better TLS.” Ted Unangst, developer of LibreSSL

 

“‘Intel’ is what data wants to be when it grows up.” David J. Bianco

 

“Before you attend a security conference honestly ask yourself if you’re attending for open dialogue or groupthink with high fives” Chris Rohlf

 

“There’s still no ‘you can calculate values in this xls but not rm my docs’ option.” scriptjunkie on the problem of disabling macros entirely for Microsoft Office

 

“#RedTeamTips Compromise user machine -> Annoy user till they fill support ticket -> target elevated account when IT support investigates” Greg Linares

 

“Sometimes I think people on twitter are trying to get me to infoleak by being so stupid about a thing that I just have to correct them.” @a_profligate

Top stories

Linode hacked

On January 5, Linode (a hosting provider) posted a security notification that all accounts should reset their passwords after discovering unauthorized logins to three accounts. The story however seems to begin back in July of last year when PagerDuty announced they were breached. Based on recent comments online, it seems that the PagerDuty breach was due to them using Linode as their hosting provider at the time. So someone hacked Linode, and used that to hack PagerDuty. This is the nightmare people have about using “the cloud”. No matter how good your security is, if someone hacks the company that owns the hardware your services run on, you’re owned as well. At the time PagerDuty had suspicions about what happened and got off Linode, but unfortunately for everyone else on Linode, they were unaware until now.

Ukraine power outage

In what appears to be the first act of a cyberwar, just before Christmas, 80,000 people in Ukraine went without power for 8 hours. There was nothing but rumor at the time about the cause, so I held off reporting, but more details have now surfaced. It is believed a Microsoft Word doc with malicious macros was used to infect a system. Ukraine’s SBU state security service has blamed Russia. Normally I believe attribution is irrelevant in infosec, but when a nation calls out another nation for an act of cyberwar, when there is an existing hot war, it becomes more relevant. Read more here.

Business

  • Uber fined $20K for privacy violations: Uber has had a string of bad infosec practices over the years, resulting in this settlement with the New York Attorney General. Although a small fine, it is interesting to see the expansion of institutions getting involved with penalizing companies for their infosec practices and demanding improvements. In this case, Uber is being required to encrypt rider geolocation information and adopt multifactor authentication for employees accessing sensitive information.
  • CFP for Internet Defense Prize: The Internet Defense Prize awarded $50K in 2014 to one group, and $100K in 2015 to another, for research related to infosec defense. The CFP for this competition for 2016 has opened.

Newspaper news

  • SLOTH attack: Unless you’re really into crypto, you probably won’t care about this “new” attack. The main point is just that you shouldn’t use MD5 in your TLS, which we all already knew.

Conference materials and publications

  • Secure 2015 videos: Slides and schedule are also available for this conference from October in Warsaw, however, most of the presentations are unfortunately only in Polish.
  • Real World Cryptography slides: This conference at Stanford in California this week brings together crypto researchers with the developers implementing real-world crypto systems.

Tools

  • Sysinternals update: Among other updates to these tools from Microsoft, Sysmon is now able to log raw disk and volume access.

Other reads

  • Using IDAPython to Make Your Life Easier (Part 1, Part 2, Part 3, Part 4): Great series on how to use IDAPython to assist with malware reversing.
  • Vulnerability in Blackphone: This write-up shows how leftover functionality in the Blackphone (a secure phone) allows for abuse, showing the difficulty in stripping down the attack surface of a mobile OS.
  • Forbes forces users to turn off ad blockers, then serves them malware: The Forbes website recently began detecting users with ad blockers, and denied them access until they turned them off. When they did so, the site served them malware, which is one of the reasons users use ad blockers. If content providers want to stop people from using ad blockers, one of the first things they need to do is ensure their ad networks aren’t serving malware.
  • Smart TV’s targetted for malware: Smart TVs run older versions of Android, so a malicious app, if installed, could exploit the system when run to gain higher privileges. In this story, owners of Smart TVs are being lured into downloading these malicious apps. No information is given about what happens once these apps are installed, but I find it fascinating that such a limited, and I assume generally unappealing, target group would be targeted in such a way. IoT devices are often targeted, but it usually involves a scan-and-exploit tactic, not the difficulties and expenses of running an SEO campaign to get higher search rankings to advertise trojaned software.