Downclimb

2016.02.21

Downclimb: Summit Route’s Weekly Infosec News Recap
2016.02.14 – 2016.02.21: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“In 2015, Google Project Zero reported 17% of all MS security bugs, and 37% of Adobe Flash bugs. Ian Beer alone was 8% of iOS/OSX CVEs. And remarkably, @natashenka individually reported 25% of all Flash bugs, making her the most prolific reporter of Adobe vulns in 2015. For these results we had 10 individual researchers with public credits. We don’t typically work 100% on VR though!” ‏Ben Hawkes

“I work with a team of the best hackers on the planet. These hackers attend Defcon in Las Vegas [..] They are all prodigies, with talents that defy normal human comprehension. About 75% are social engineers. […] If you doubt my credentials, Google “cybersecurity legend” and see whose name is the only name that appears in the first 10 results out of more than a quarter of a million.” John McAfee‏, founder of McAfee antivirus and 2016 Presidential Candidate, on the Apple vs FBI case and his offer to break into the device for the FBI for free

“Security in a Box. For $250k a quarter I’ll send you a curated box of misc. security products. Same as most doing now, but more trendy.” ‏@mtanji

“It may be time to read glibc again. Re-reading the classics may be soothing as alternative to browser postmodernism.” ‏halvarflake

Top stories

CVE-2015-7547: glibc vuln

Google’s Project Zero posted about an interesting vuln in glibc’s getaddrinfo() function. The discovery story is interesting because it wasn’t found by bug hunting, but rather someone at Google reported that every time they ssh’d to a system, their ssh process crashed. Apparently, this bug with glibc has been witnessed before, for example, here is a bug report from 2009 where someone reported sudo crashed because they had too many hosts in their /etc/hosts file. This glibc vuln is exposed in a variety of ways (who would have thought sudo was hitting DNS?), and has been around since 2008. Even things like Javascript, Python, and Java are affected. Luckily, some systems, such as OSX and iOS, do not use glibc and thus are unaffected.

More details, including advice on mitigation options, come from Dan Kaminsky here. With the main take-aways being that your only real option is to update, but that luckily this vuln requires the attacker be nearby or on the communications path, and that it does take a bit of work to get working RCE exploits (something more than a DoS).

Apple vs FBI: Backdoor request

The news went nuts this week when Apple’s CEO Tim Cook posted “A Message to Our Customers” stating the FBI has requested assistance in the FBI’s case against the San Bernardino shooters by providing a means of allowing the FBI to make unlimited password attempts to break one of the shooter’s iPhone’s passcode. Some key points:

Apple already handed over the iCloud data for the shooter, but this data stopped 1 month prior to the shooting for unknown reasons. In any case, Apple isn’t fully trying to back personal privacy.
Apple has assisted in unlocking 70 devices previously (Read more here).
Apple has this capability, so the FBI isn’t exactly asking Apple to build a backdoor. One could say they are asking Apple to share the backdoor capability Apple already has. Details about how Apple could do this are provided by Trail of Bits here. It’s assumed that Apple could create a means of accessing only this one phone. Apple likely will try to close up this backdoor ability they have in the future.
The FBI already has all the information they need, as the shooters are dead and enough evidence exists to show they were guilty, and they don’t seem to have been working with anyone else. So this phone data has no value. Read more in the grugq’s post.

So what is this all really about then? It’s about giving special access (a backdoor) to the government, but specifically it’s hard to describe why this is different than anything that has happened in the past. Once upon a time, the US government had export regulations that required US companies to use weakened crypto. This was a widespread “backdoor” of sorts. Warrants have provided access to user’s data no matter where it was. Many aspects of this case, have precedents, but signing code has historically been off-limits. If the case favors the FBI, then it provides the opportunity for them to tell Microsoft or Apple or Google or whoever else to send down a special auto-update that opens up user’s devices to them. This breaks an assumption of security that people globally have had. If this happens, it hurts these companies in non-US markets.

The key take-away is developers should seek to build products that even they can’t break into.

Linux Mint hacked

The Linux distribution Mint has been hacked and the ISO’s are trojaned. This is probably the lamest OS compromise ever, as the inserted malware is an IRC bot in the autoruns code. Just like there are “code smells” for finding bad code, there are also “security smells” for finding bad security practices. These include Mint providing MD5 signatures in their breach notification for known-goods for users to check the validity of the downloads, and hosting their forum on Wordpress (which was also compromised, as one should expect for all things Wordpress).

Business

Drawbridge Networks out of stealth: Drawbridge Networks provides a solution for micro-segmentation of network traffic.

Newspaper News

Hospital paid $17K ransom to hackers: A hospital near Los Angeles paid a $17K ransom after hackers shut down their network. The original request was for $3.6M.