Downclimb: Summit Route’s Weekly Infosec News Recap
2016.02.07 – 2016.02.14: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com
Quotes
“defenders who try to defend everywhere defend nowhere. You have to pick your spots. The two most important things in infosec are Identifying what kind of moat your business has and then defending that moat. That is also why there is no one, single answer for what to secure, its very industry specific and moat specific - for Pharma its IP and channel. For retail its brand loyalty, efficiency. The things to measure and defend are the those that map to the business’ advantage not technical constructs” Gunnar Peterson
“Spawn camp in your own environments: Where are the chokepoints? Where can you hit attackers as soon as they become visible?” Rick Holland as summarized by Kyle Maxwell
“We wanted to focus on the browsers that have made serious security improvements in the last year” Brian Gorenc, manager of Vulnerability Research at HPE (the Zero Day Iniative’s new home), on why Firefox is no longer part of Pwn2Own
Top stories
Cybersecurity National Action Plan
Following on an op-ed piece by Barack Obama this week, the Whitehouse posted a Cybersecurity National Action Plan. Changes include:
- Increases the President’s Fiscal Year (FY) 2017 Budget for cybersecurity by 35%, bringing that funding to $19B.
- Creates a position for a Federal Chief Information Security Officer (CISO), which has not been filled yet.
- Expands the EINSTEIN program, so all Federal civilian agencies adopt it.
- Focuses on multi-factor authentication, but mentions fingerprints as one such additional factor.
- Reduces use of Social Security numbers as identifiers.
- States the DHS is collaborating with UL (Underwriters Lab) and other industry partners to develop a Cybersecurity Assurance Program to test and certify networked devices.
- States “the Government will work with organizations such as the Linux Foundation’s Core Infrastructure Initiative to fund and secure commonly used internet “utilities” such as open-source software, protocols, and standards. Just as our roads and bridges need regular repair and upkeep, so do the technical linkages that allow the information superhighway to flow.”
Analysis of attacks against trading and bank card systems
In February 2015 (one year ago) the first major successful attack on a Russian trading system took place, when hackers gained access to trading system terminals resulting in trades of more than $400M. It lasted only 14 minutes, but caused high volatility in the exchange rate between the Russian ruble and US dollar, moving it 15%. Only 5 very large trades were made, and 14 minutes after the first trade had been issued the malware was instructed to delete itself. At the time, the botnet had infected 250K devices worldwide, including 100 financial institutions, with most of the infections focused on Russia, and nearby countries. This report is interesting largely because it is an attack on a trading platform. Read Group-IB’s report here.
Cisco ASA Adaptive Security Appliance vuln
In a technical post by Exodus Intelligence titled Execute my packet, they discuss a vuln with Cisco appliances related to IKE (Internet Key Exchange).
Malvertising Via Skype Delivers Angler
Skype and a handful of other applications (such as Spotify) include browsers, largely in order to display ads and parts of the UI. When 3rd party ads are displayed, this creates a problem, because these browsers’ security capabiliies are not up to par with real browsers. In this post by F-Secure they discovered that Skype’s ads use Flash, and this was used to by the Angler exploit kit.
Other reads
- Analyzing the Anti-Analysis Logic of an Adware Installer: This Objective-See blog post covers how to reverse OSX malware that contains anti-debugging features.
- Google to warn about unencrypted emails: Email should be sent from one provider to another using TLS, but some do not, so Google will be warning users when they receive emails from such a provider. There are still many ways in which spam and fraudulent messages can be sent, but this is a big step toward helping to ensure senders can be verified, and herding the non-compliant email services toward proper security.
- Investigating Account Takeover: Ryan McGeehan has a great series of articles about general infosec threats that affect start-ups and what they should do to prepare for them, protect against them, detect them, and resolve them. In this latest piece he discusses compromised accounts of your users.
- 0days: Dave Aitel writes a series of examples and questions discussing the concept of what is a 0-day? As policies are being created regarding 0-days, the definition of a 0-day needs to first be defined.
- Pwn2Own: Details are out for this competition that occurs during CanSecWest in Vancouver, Canada in mid-March. Prizes for Chrome and Safari have been reduced by $10K, to $65K and $40K respectively. They added VMware Workstation as a target. The biggest change is Firefox has been removed as a target, supposedly because Firefox has not improved it’s security in the past year according to the quote at the top of this post.