Downclimb: Summit Route’s Weekly Infosec News Recap
2016.01.31 – 2016.02.07: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“Anyone who claims offense is more “alluring” than defense has never made a really good tackle.” Aaron Beuhring‏

 

“You know you’re looking at some super legit software when there’s “\Desktop" in the pdb path… #adware” Sébastien Duquette‏

 

Top stories

Post-quantum crypto

The NSA released an FAQ for guidance on post-quantum crypto, which is crypto that can be effective in a world with quantum computers, which are able to brute force keys faster than normal computers. Quantum computers do not yet exist (at least not any that are useful). The NSA is changing it’s guidance not because any quantum computers currently exist, but because the NSA guidance is used for devices and protocols with lifespans of 30 years, so the data encrypted by them should remain protected during that time.

Symmetric crypto is more resistant to quantum computers and so AES-256 and SHA-384 are believed to be safe. The future of public key algorithms is unclear though. The current guidance is for RSA-3072 or larger, but that algorithm may change in the future.

NIST also released a Report on Post-Quantum Cryptography which is a readable overview of the current state of post-quantum crypto, including considerations of categories of algorithms that may be resistant.

Custom browser failures

Last year we saw problems exposed with the Aviator browser from WhiteHat Security where they tried to fork Chrome to add some features for security and privacy, but ended up with vulnerabilities (see here). This week, we saw vulnerabilities exposed in other forks. This includes two forks from security vendors, one from Avast, and one from Comodo. The Comodo vuln is for their Chromodo browser which seems to be a rebranding of their Comodo Dragon browser which is from at least 2010, so they aren’t new to releasing their own browser.

We also saw the release of the Brave browser from a company that has raised $2.5M so far just to create a new browser. Of importance is this is from Brendan Eich, the creator of JavaScript and co-founder of Mozilla, so this is from a team with a long history in web browsers. Unfortunately, in order to create their browser they forked Electron, which is a wrapper for the Chromium renderer, and is used for making apps, not web browsers, and as such it has no sandbox, unlike Chrome which is well-known for having a good sandbox.

Maintaining a browser is a lot of work, even if you build it off of the open-source components of Firefox or Chrome. Usually people just fork Chrome because they want to add some marketing feature, but Chrome won’t allow them to add it as an extension of some sort. In the end, all the attempts at making browsers that are more secure than Chrome, but based on Chromium, end up failing at their goal.

Business

• Bit9 + Carbon Black renamed to Carbon Black: In 2014, the application white-listing company Bit9 purchased the EDR company Carbon Black and renamed itself to the awkwardly long “Bit9 + Carbon Black”. This week the company has finally reduced the name to just Carbon Black.
• TalkTalk admits losing $87M and 101,000 customers after hack: TalkTalk released it’s quarterly earning report this week (it’s just 2 pages), in which it disclosed the impact of the cyber attack from October (discussed here). They’ve listed numbers for customer churn directly tied to their hack.

Conference materials and publications

• Shmoocon videos: This conference in DC took place a few weeks ago.

Tools

• gophish: Open-source phishing toolkit designed for businesses and penetration testers.
• samsung/adbi: Android Dynamic Binary Instrumentation tool for tracing Android native layer by Samsung’s R&D team.

Other reads

• socat used non-prime DH value: socat is a more featureful version of netcat with the ability to encrypt traffic. It had an interesting vuln (likely backdoor) discovered where the Diffie-Helman implementation hard-coded a p value that was not prime, resulting in weaker encryption. A description of how this can be abused is here.
• PWN0RAMA: Similar to CanSecWest’s Pwn2Own contest in Canada, this contest will parallel Syscan in Singapore in late March. It provides prizes for various exploits. Some of the exploit targets are interesting in that they are for mobile protocols and not the apps on them, such as wifi (with no user interaction), SMS, and baseband attacks. The pricing is also interesting, with an iPhone exploit against Safari and escaping to kernel going for $130K, as opposed to the $1M that the exploit vendor Zerodium offered only a few months ago. This doesn’t necessarily mean that anyone will be willing to participate for such low prices, but it perhaps reflects changes in the market, meaning that iPhone exploits have become more common.
• Domain Validation Vulnerability in Symantec Certificate Authority: This post describes a flaw with Symantec’s registration for SSL certs that would allow someone in certain circumstances to be able to register for an SSL cert for a domain they do not own. Using this, if they had MiTM over someone, they could read and manipulate their traffic as if it were HTTP as opposed to HTTPS. These flaws are interesting because even if you do everything right for the security of your own domain, that security can still be subverted by mistakes from folks unrelated to you or your business, because every browser extends its trust to the certificate authorities, not to you, and that ultimately can be abused.
• Android devices with MediaTek chips vulnerable to local rooting: The researcher Justin Case discovered that phones that use MediaTek chips (budget smartphones from Lenovo, Huawei, and other largely Chinese brands) left debug capabilities on that allows write access to what should be read-only memory. Using this an app could easily root the phone.
• New Family of Cross-Platform Desktop Backdoors Discovered: This post from Kaspersky describes a new strain of malware that is code-signed from a COMODO cert, and cross-compiled for both Linux and Windows. The malware hides in plain sight by pretending to be a part of Dropbox or other common apps. It’s interesting that Kaspersky first detected the Linux variant, and then from there discovered the Widows version.