Downclimb

2016.03.13

Downclimb: Summit Route’s Weekly Infosec News Recap
2016.03.06 – 2016.03.13: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“An important lesson to learn is not to deploy tools before they are ready. The risk is revealing capability before you can exploit it” the grugq

“What if instead of everyone playing CTF, people would start looking at real software again?” @marver

Top stories

New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer

Last week, just as I was getting ready to push Downclimb out, I included a link about the OSX BitTorrent app Transmission that had pushed out a malicious update, but few details existed yet. Then Palo Alto published their research showing this was the first OSX ransomware campaign, and the first signed malicious update on OSX. BitDefender then showed that KeRanger is actually a rewrite of Linux.Encoder, a ransomware that has impacted thousands of Linux servers since the start of 2016.

Third-party audits

A good security practice is to audit not only your own code and infrastructure, but also try to assess the security risk of various third-party companies you integrate with. I mentioned in my post The Great Graph the dangers of having to integrate and trust so many entities. If you provide confidential information to SaaS company that get’s hacked, that data could be exposed. If you receive software updates from an entity that get’s hacked (such as Transmission above), you’ll be compromised. It is therefore important to audit these other entities.

Google released their Vendor Security Assessment Questionnaire (VSAQ) this week to help companies determine the risk of other businesses being hacked. However, over a year ago, LinkedIn released a much more extensive guide in their post A security policy framework to help companies unlock the power of the cloud. Whereas Google’s doc helps you assess if a business will be hacked, LinkedIn’s doc helps you to actually make the decision of whether to still trust them or not, and also digs into other security related concerns. For example, LinkedIn’s doc asks if the vendor provides an API to revoke user accounts (important for account compromises or departing employees), and if the business has a disaster recovery plan and provides breach notifications (in case they are actually hacked).

Facebook’s CSO, Alex Stamos, discussed in the WSJ this week the need for a common platform for businesses to share their auditing of vendors, because companies are doing these same audits on dozens if not hundreds of vendors every year, and it makes sense that some of this information should be shared to reduce such duplication of work.

FCC suspected attempting power grab

There have been some news articles circulating, such as this one, that the FCC (Federal Communications Commission) is attempting a power grab into the FTC’s domain, by preparing a proposal to be put in charge of consumer privacy, which as I high-lited last week the FTC has become more aggressive with. In 2015 the FCC fined three companies for failing to protect their customer information, and in 2016 has fined one. This was done through it’s powers of the Communications Act of 1934, which states in Section 222:

“Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers”

The companies fined were Cox Communication for $0.5M for a phishing incident, TerraCom, Inc for $3.5M for PII on publicly exposed servers, AT&T Services Inc for $25M for an insider threat that stole PII (the large fine was because AT&T didn’t inform law enforcement originally), and most recently Verizon this past week for $1.3M for using technology that allowed marketers to track its customers’ online activity. However, these actions of the FCC only affect telecommunications providers, and not edge providers, such as Google, Facebook, YouTube, Pandora, Netflix, and LinkedIn who the FCC announced on November 6, 2015 specifically that it would not regulate. Therefore, unless you’re a telecommunications provider (which Google and Facebook actually are now for specific parts of their business), I don’t think you have much to worry about from the FCC.

Having ISPs do naughty things like Verizon was fined for is much more common in other parts of the world, such as China, where we’ve all heard of the Great Firewall, but their ISPs also inject and replace ads. As you might guess, attackers have gotten hold of those ad servers to do malvertising, as explained in a WooYun drops article this week (unfortunately in Chinese).

With regards to the FTC, they announced this week orders to various PCI auditing companies to describe their auditing practices. It’s unclear if the FTC wants to take over that business, or punish auditors that do bad jobs, or some other motive.

Business

Capital One acquiring Critical Stack: This odd acquisition involves a bank (Capital One) buying a network security company with over 4,200 customers, where Critical Stack plans on continuing it’s existing business.

Newspaper News

The Incredible Story Of How Hackers Stole $100 Million From The New York Fed: It seems someone got ahold of account numbers for the Bangladesh central bank, and used that to extract $100M from their account at the New York Federal Reserve.
The Next Front in the New Crypto Wars: WhatsApp: Like Apple with the iPhone and the FBI, WhatsApp (owned by Facebook) is involved in a similar stand-off with the Department of Justice (DoJ). The DoJ is frustrated by its lack of real-time access to messages protected by the company’s end-to-end encryption.

Tools

secureworks/dcept: A tool for deploying and detecting use of Active Directory honeytokens.