Downclimb

2016.03.06

Downclimb: Summit Route’s Weekly Infosec News Recap
2016.02.28 – 2016.03.06: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“Your company sent you to SF/RSA to drink free alcohol, eat free dinners, see friends, and still get paid. Your life is terrible. We get it.” ‏Chris Rohlf

“We used to often quote Microsofts - 10 immutable laws of security which were fun / true / worth reading https://technet.microsoft.com/library/cc722487.aspx Law 3 was: Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore. Now.. whats interesting is.. if Apple do take the next step.. and give us secure enclave that wipes when messed with (or requires a pin to upgrade) Would this law still hold?” ‏haroon meer

“Trust relationships are the foundations of compromise.” the grugq‏

“The #1 mistake Security vendors make is thinking we want more. We want less. I don’t want 90,000 events a day; I want the 3 actionable ones.” Scott J. Roberts‏

“ancient proverb: ‘if you want to kill a vulnerability, you have to worm it.’” Ralf (RPW)‏

“I wonder if a church will set up a booth at RSA conference next year. Prayer is probably just as good as what half the vendors are selling.” Null Session‏

Top stories

FTC stepping up

The US has many government bodies providing advice and attempted assistance in various forms for cybersecurity. The question of enforcement and policing in terms of forcing companies to improve their cybersecurity practices is somewhat unsettled, with the FTC becoming increasing focused on that challenge. The main purpose of Federal Trade Commission (FTC) is consumer protection. Since 2009 it has pursued dozens of cases against companies such as Twitter, MySpace, Oracle, Google, and more with regard to violations of expected consumer privacy (see full list here).

The FTC’s punishments are getting more aggressive. For example, in 2010 the FTC had one of it’s largest settlements, by fining Lifelock $12M for false claims related to it’s identity theft protection services. The FTC also slapped some other requirements on them that they needed to improve their safeguards. In December, 2015, the FTC decided Lifelock hadn’t done a good enough job and handed them a $100M fine. That charge was mostly relevant to false advertising though.

Last week the FTC settled charges against ASUS that vulnerabilities in their routers had led to thousands of compromises of consumers. The settlement is pretty weak and just requires ASUS to designate some folks to be responsible for security, and to undergo third-party assessments (pentests) once every two years for the next twenty years. This “punishment” represents less security than anyone would reasonably expect ASUS to have, but it’s a first step toward the FTC going after companies for having vulnerabilities.

This week we also saw the FTC advocating some contrarian advice wherein their Chief Technologist wrote an article arguing against the practice of mandatory periodic password changes. Although reasonable and something I personally believe in, this position opposes many stated best practices. I view this as the FTC starting to become more vocal in infosec practices by basically picking fights with the old guard.

In January, the FTC hosted it’s first PrivacyCon where it reached out to researchers and academics for presentations. The head of the FTC, chairwoman Edith Ramirez, stated “We want to increase the FTC’s engagement with the technology community in order to more effectively encourage innovation that is protective of consumer privacy and security.”

It is my expectation that the FTC will become the main enforcement arm of the US federal government in improving the cybersecurity of private companies.

Distributed Security Alerting

This article from a security engineer at Slack describes how when they detect suspicious activities from employees, a message is sent to them to confirm it’s them and not that their account has been compromised.

SSL vulns

This week saw more SSL vulns including DROWN, CacheBleed, and a number of CVEs for OpenSSL. In general these were uninteresting. The DROWN attack involves abusing SSLv2 which has been deprecated since 1996. Therefore, crypto attacks on SSLv2 are roughly equivalent to attacking Windows 95. It’s well understood that these older protocols and systems have security issues. The unfortunate problem with SSL vulns though is that so many systems still support them. Red Hat Enterprise Linux still ships with SSLv2 enabled by default.

Business

RSA happened this week in SF which is a vendor conference. Most infosec conferences break new research and allow opportunities to learn and network with fellow defenders, developers, and researchers. RSA is for the other side of infosec involving sales people and executives. It’s a place for announcing new products and starting conversations for M&A deals.
Announcing Windows Defender Advanced Threat Protection: Microsoft is getting into the EDR business with their Windows Defender Advanced Threat Protection, which works on Windows 10 and gives insight into suspicious behaviors across an enterprise’s fleet. Security products benefit from a network effect where the more data they collect, the better they’ll get at identifying anomalies and other alerts. Microsoft is collecting anonymous information from over 1 billion Windows devices, 2.5 trillion indexed URLs on the Web, 600 million reputation look-ups online, and over 1 million suspicious files detonated every day. Additionally, it is already protecting 500K end-points.

Newspaper News

DoD starting Bug Bountry program: The Department of Defense announced that it will invite vetted hackers to test the department’s cybersecurity. No details are given but it gives some further evidence that having a bug bounty program is now an expected part of a mature security program.
San Bernardino DA says seized iPhone may hold “dormant cyber pathogen”: The case involving the San Bernardino shooter’s iPhone has become a soap opera. This DA filing appears to be the first use ever of the term “cyber pathogen”, and saying it may lie dormant in the iPhone just makes this story more ridiculous.

Conference materials and publications

ZeroNights Videos and Slides: This conference took place in Moscow in November.
Fastly Speaker Series: Outside of conferences, a lot of tech companies bring in infosec speakers to present to their employees and possibly some outside audiences. Some of these companies film and distribute these talks, such as Duo Security, and now Fastly. I especially liked Rolf Rolles’s talk recently at Fastly about Program Synthesis in Reverse Engineering which shows how he generated more accurate descriptions (sort of LLVM IR) of x86 instructions by using SMT solvers and some other magic. Then he uses that to produce automatic code deobfuscators (and obfuscators) using a similar technique.
3 things that Rowhammer taught me: Presentation by Halvar Flake at Null Singapore. One of the more interesting parts is the Q&A at the end where Halvar digresses away from Row Hammer into some more general infosec topics.
Learning Linux Binary Analysis: Book by elfmaster.

Tools

Lockdown: New tool from Objective-See that puts a UI interface around my own osxlockdown tool.