Downclimb: Summit Route’s Weekly Infosec News Recap
2016.01.24 – 2016.01.31: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“Being optimistic in the security community is a choice. It’s a good one too. We need more hopeful and passionate defenders.” Robert M. Lee‏

 

“If you want encrypted communications with centralized oversight, just set up a box with TLS. Anything else is just wasteful engineering.” Kaepora

 

OH: “Hacker pro-tip: take the week of February 8th off so that all of your hacking will be attributed to China”

 

“A great way to mitigate TAO is to not be the elected leader of a nation state, #protip” the grugq‏

 

OH: “if TAO is in your threat model chances are you’re just horrible at threat modeling.”

 

Top stories

NTP services being abused to identify systems

As noted here and here, systems that contact ntp.org pools from IPv6 addresses are being scanned by Shodan. IPv6 addresses cover a huge 128-bit range, so iterating through the addresses is not feasible, thus this technique was used. It is frustrating that this can happen, but NTP servers are run by volunteers and you should not have different expectations with regard to privacy or anonymity just because you are using IPv6 instead of IPv4. These servers have since been removed by the operator of NTP as explained here.

Common OSX autoupdate framework vuln to MiTM

Many common OSX apps use the Sparkle Updater framework, and unfortunately many used HTTP, which with this framework results in the ability to exploit the update process if an attacker has MiTM. Apps affected by this included Adium (a popular IRC client), VLC, Tunnelblick, and more. Many are, or until recently were, vulnerable. Read more here.

Java browser plugin being deprecated

As browser vendors work to restrict and reduce plugin support, Oracle has begun making plans to deprecate the Java browser plugin. As Java in the browser has been the source of many security vulns over the years, this is good news for security folks. However, there are many sites that will continue to require Java support, especially corporate sites, so hopefully patches will continue to be provided.

Bulletproof TLS Newsletter #11

The Bulletproof TLS Newsletter is a monthly newsletter focused on crypto. Although I discuss crypto news here on Downclimb, the Bulletproof TLS Newsletter goes more in-depth, with greater coverage and greater expertise on that subject than I cover here.

Business

• Bank of America to spend $400M on cybersecurity: The US’s second largest lender, Bank of America, has an unlimited budget for cybersecurity, and expects to spend $400M. This follows on JP Morgan Chase who recently announced they spend $500M on cybersecurity.

Newspaper News

• Norse Corp. Imploding: The Threat Intelligence company, most known for it’s pewpew attack map and Viking outfits at security conferences, laid of 30% of it’s workforce this month and the CEO was replaced.

Conference materials and publications

• Recon 2015 videos: This conference in Montreal, Canada took place in June and focuses on reverse engineering and exploit techniques.
• Enigma videos: This new USENIX affiliated conference happened in San Francisco this week. There were many good talks, but the most discussed one was NSA TAO Chief on Disrupting Nation State Hackers. The talk is largely about implementing the security practices that the NSA has been advocating for years, such as turning on logging and monitoring those logs, implementing application and domain white-listing, running EMET, knowing the devices on your network, etc. Those best practice docs are here.
• SANS DFIR Prague Summit 2015: Conference that occured in the Czech Republic in October.

Tools

• Policy Analyzer: Tool from Microsoft to analyze and compare Group Policy Objects (GPOs).
• EMET 5.5: This version adds support for Windows 10’s untrusted font mitigations.
• VirusTotal now able to scan firmware: Thanks to Teddy Reed of Facebook, VirusTotal is now able to extract interesting information from firmware dumps if provided. Care should be taken when uploading such dumps because they may contain user configured data such as passwords.
• QIRA: QIRA (QEMU Interactive Runtime Analyser) is an open-source timeless debugger, meaning that it records all state while a program is being run. This tool came out over a year ago (prior to Downclimb, so it was never announced here). It was recently discussed at the Enigma conference this week, so now is a good time to point it out.

Other reads

• Rogue Google Chrome Extension Spies On You: Following on last week’s Downclimb pointing out the concerns of browser extensions, Malwarebytes has published information about yet another malicious extension that was hosted on the Chrome web store.
• An XSS on Facebook via PNGs & Wonky Content Types: Interesting issue caused by putting data in a special part of PNG image files and having these interpretted as code.
• The Wrong Number Attack: Discussion of vulns fixed in three different XMPP servers due to using bad random.