Downclimb: Summit Route’s Weekly Infosec News Recap
2016.01.10 – 2016.01.17: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“El Chapo was caught because he used BlackBerry Messenger. If they’d picked Signal instead he would likely be free. Backdoored proprietary cryptography is never a good choice. His IT department might need to spend the rest of their lives in hiding now.” Copperhead

 

“Hard Coded Credentials in Firewalls, Does that mean HIPAA,SOX,FISMA risks can shift responsibility to CISCO,Fortinet & Juniper?” @gyenaymi

 

“Security at its core is about reducing attack surface. You cover 90% of the job just by focussing on that. The other 10% is mostly luck.” Justin Schuh

 

“Cybersec startups don’t have to outwit hackers, they only have to outwit customers.” Rob Graham

 

“If cutting power for six hours is the high water mark of cyber warfare, I’m not exactly shaking.” Matthew Green referring to the cyber attack in Ukraine

 

“Infosec sucks. I should have gone to modeling school.” Brooks

Top stories

SSH Roaming vuln (CVE-2016-0777)

Qualys identified two vulns in OpenSSH clients, one being an information leak similar to Heartbleed (CVE-2016-0777), and the other being a buffer overflow (CVE-2016-0778). The buffer overflow can’t be reached, so the information leak is the vuln that scared everyone. It exists due to an undocumented feature that was enabled by default in all versions of OpenSSH since 5.4 (released in 2010). The vuln can only be exploited when a client connects to a malicious server (MiTM is not possible), and potentially could expose private keys of the client. Read Qualys’s report here.

The best fix is to upgrade your OpenSSH client, but where that is not an option (looking at you Apple), add the undocumented “UseRoaming no” to your ssh_config. Users using ssh-agent (a separate process to store their private keys), or with smart cards for their private keys, are not affected.

Shortly after news of the vuln, an “exploit” for it was posted, which would do a classic ‘rm -rf’ to any script kiddies that attempted to run it. There was a nice write-up done on this fake exploit here, showing how to reverse the shell-code.

Hot Potato

Using a series of known techniques, Foxglove security released a tool called “potato” for local privilege escalation on Windows 7 to Windows 10, to System. More info here.

Trustwave sued for filing “woefully inadequate” forensics report

A Las Vegas based casino operator, Affinity Gaming, hired Trustwave in October 2013 to investigate and contain a network breach that allowed attackers to obtain customers’ credit card data. Trustwave claimed it identified the source and contained the malware. A year later a second breach occurred, and the casino hired Mandiant, who claimed the original breach had never been fully removed. This case will be interesting to follow to see if an incident response company can be liable if they don’t adequately remove attackers. Read more here.

Trustwave is no stranger to lawsuits, having certified many companies prior to their breaches including Target before it’s breach in 2014, who then sued Trustwave. However, this lawsuit is for their incident response, not their certification.

Business

• Raytheon breaks off new company Forcepoint: Raytheon made a series of purchases of infosec companies in 2015 (Websense and Stonesoft), and is now breaking off that part of the company into a new company called Forcepoint.
• Israel’s Ministry of Defense to require export permits for offensive infosec technology: This is only a draft bill, but is similar to proposals in the US such as the Wassenaar Arrangement, of which Israel is not a member.

Conference materials and publications

• Power of Community 2015 keynote video: “On Cyber” by the grugq.
• 2015 Security Conference videos: List of videos for 40 infosec conferences that occurred in 2015.
• Malware Analysis - CSCI 4976: Course materials for a malware analysis course at RPI.
• PoC or GTFO 10: At 57MB due to multiple polyglot files being used, it takes a while to load.

Tools

• Ostiarius: Tool for El Capitan that blocks unsigned internet binaries from executing.
• Microsoft/ChakraCore: The core part of the Javascript engine that powers Microsoft Edge is now open-source.
• osx_verify: Tool and associated database of hashes for verifying OSX apps.

Other reads

• LostPass: Shows the dangers of browser extensions, such as LastPass, using in-browser UIs, as these can be mimicked by an attacker for phishing.
• Cryptsy bitcoin exchange hacked: Yet another bitcoin exchange has been hacked, this time named Cryptsy. This was due to cleverly created backdoor in some bitcoin software. See the backdoor in the software lucky7coin here, which also found it’s way into another bitcoin related software called torcoin here. This breach highlights the need to audit the software you run and ensure your network is properly segmented. Also don’t run a bitcoin exchange.
• Microsoft Security Bulletin Summary for January 2016: List of Microsoft’s Patch Tuesday vulns patched.
• Introduction to DFIR: Introduction to the different areas of DFIR, with videos, tools, books, and people for each section.
• The Hierarchy of Cyber Needs: This post makes a claim for what the basic capabilities are that need to be in place to secure a network. The initial requirement is device management, or having an inventory of the devices that should be on the network. Although often thought of as an IT problem and not a security problem, this forms the foundation for the later stages.
• The Mysterious Case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day: In this story from Kaspersky, they discuss how they found a zero-day being exploited in the wild, that had been mentioned in the Hacking Team dump. The dump only mentioned that it was a Silverlight exploit, and who the author was, so Kaspersky went looking for strings contained in other exploits from the author. A paid account on VirusTotal will allow you to setup Yara signatures so that VirusTotal will give you copies of any samples uploaded that hit on those signatures, so it looks like this was what Kaspersky did. It seems they likely also put special detections into their security tools to search for this exploit. Security products include some looser, more generic detections that are more likely to give False Positives (FPs), which may upload copies of the files to the vendor to investigate, without alerting the user. This article is a good example of the methods that are used to find new zero-days based on older ones.
• Triaging the exploitability of IE/EDGE crashes: Discusses the security mitigations in the Edge browser and how these need to be taken into account when triaging crashes.
• Fortinet backdoor: Fortinet firewalls had a backdoor that was disclosed this week. Apparently it was patched a year ago.
• Raising the Dead: Deeply technical post on features of Windows that James Forshaw figured out how to exploit in order to change to different user accounts on a shared Terminal Server, such as a Windows Server 2012 with Remote Desktop Services enabled.