"An important lesson to learn is not to deploy tools before they are ready. The risk is revealing capability before you can exploit it" the grugq
"What if instead of everyone playing CTF, people would start looking at real software again?" @marver
New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer
Last week, just as I was getting ready to push Downclimb out, I included a link about the OS X BitTorrent app Transmission, which had pushed out a malicious update, but few details existed yet. Then Palo Alto published their research showing this was the first OS X ransomware campaign, and the first signed malicious update on OS X. BitDefender then showed that KeRanger is actually a rewrite of Linux.Encoder, a ransomware that has impacted thousands of Linux servers since the start of 2016.
A good security practice is to audit not only your own code and infrastructure, but also to assess the security risk of the various third-party companies you integrate with. I mentioned in my post The Great Graph the dangers of having to integrate with and trust so many entities. If you provide confidential information to a SaaS company that gets hacked, that data could be exposed. If you receive software updates from an entity that gets hacked (such as Transmission above), you'll be compromised. It is therefore important to audit these other entities.
Google released their Vendor Security Assessment Questionnaire (VSAQ) this week to help companies determine the risk of other businesses being hacked. However, over a year ago, LinkedIn released a much more extensive guide in their post A security policy framework to help companies unlock the power of the cloud. Whereas Google's doc helps you assess how likely a business is to be hacked, LinkedIn's doc helps you actually make the decision of whether to still trust them or not, and also digs into other security-related concerns. For example, LinkedIn's doc asks whether the vendor provides an API to revoke user accounts (important for account compromises or departing employees), and whether the business has a disaster recovery plan and provides breach notifications (in case they are actually hacked).
Facebook's CSO, Alex Stamos, discussed in the WSJ this week the need for a common platform for businesses to share their auditing of vendors, because companies are doing these same audits on dozens if not hundreds of vendors every year, and it makes sense that some of this information should be shared to reduce such duplication of work.
FCC suspected attempting power grab
There have been some news articles circulating, such as this one, that the FCC (Federal Communications Commission) is attempting a power grab into the FTC's domain by preparing a proposal to put itself in charge of consumer privacy, an area in which, as I highlighted last week, the FTC has become more aggressive. In 2015 the FCC fined three companies for failing to protect their customer information, and in 2016 it has fined one. This was done through its powers under the Communications Act of 1934, which states in Section 222:
"Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers"
The companies fined were Cox Communications for $0.5M for a phishing incident, TerraCom, Inc for $3.5M for PII on publicly exposed servers, AT&T Services Inc for $25M for an insider who stole PII (the large fine was because AT&T didn't initially inform law enforcement), and most recently Verizon this past week for $1.3M for using technology that allowed marketers to track its customers' online activity. However, these FCC actions only affect telecommunications providers, and not edge providers such as Google, Facebook, YouTube, Pandora, Netflix, and LinkedIn, which the FCC announced on November 6, 2015 it specifically would not regulate. Therefore, unless you're a telecommunications provider (which Google and Facebook actually are now for specific parts of their business), I don't think you have much to worry about from the FCC.
ISPs doing naughty things like what Verizon was fined for is much more common in other parts of the world, such as China, where we've all heard of the Great Firewall, but where ISPs also inject and replace ads. As you might guess, attackers have gotten hold of those ad servers to do malvertising, as explained in a WooYun drops article this week (unfortunately in Chinese).
With regards to the FTC, they announced this week orders to various PCI auditing companies to describe their auditing practices. It's unclear if the FTC wants to take over that business, or punish auditors that do bad jobs, or some other motive.
- Capital One acquiring Critical Stack: This odd acquisition involves a bank (Capital One) buying a network security company with over 4,200 customers, where Critical Stack plans on continuing its existing business.
- The Incredible Story Of How Hackers Stole $100 Million From The New York Fed: It seems someone obtained account credentials for the Bangladesh central bank and used them to extract $100M from its account at the New York Federal Reserve.
- The Next Front in the New Crypto Wars: WhatsApp: Like Apple with the iPhone and the FBI, WhatsApp (owned by Facebook) is involved in a similar stand-off with the Department of Justice (DoJ). The DoJ is frustrated by its lack of real-time access to messages protected by the company’s end-to-end encryption.
- secureworks/dcept: A tool for deploying and detecting use of Active Directory honeytokens.
- Cracking Ransomware: Article from Cylance showing how they used some artifacts on a system that had been compromised by ransomware to identify the original PRNG that had been used to create the random key that encrypted the files. This then allowed them to decrypt the files.
- How I could have hacked all Facebook accounts: $15k Facebook bug bounty award for no rate limiting on password reset attempts, involving some non-standard setup. It's a very high reward for a relatively simple bug. Chris Rohlf explained: "Bounties don't reward you for being clever. They award you for reducing risk to the business and that is judged by bug impact, not complexity."
- RSA 2016: Musings and Contemplations: Great summary of RSA vendors from a Gartner analyst, which explains the various ways in which most of the infosec vendors aren't actually useful.
- An Examination Of Ineffective Certificate Pinning Implementations: Article from Cigital about issues affecting some libraries (OkHttp and PhoneGap SSL Certificate Checker) used by Android apps.
- Do you trust this application?: This article identifies a bunch of Gnome applications that have vulns in their use of TLS or WebKit.
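The Cylance item above turns on one idea: if a ransomware's file key comes from a deterministic PRNG seeded with something small and guessable (the time of encryption is the classic mistake), then an artifact on the victim system such as the encrypted file's mtime bounds the seed, and the key can be brute forced offline. The following is an added example, not code from the Cylance article or from any real ransomware family. It models a hypothetical encryptor that seeds a toy linear congruential generator with the current Unix time, and a responder that recovers the seed from the file's mtime plus a known plaintext header. The LCG constants, the XOR stream "cipher", the PDF header check and the one-hour search window are all assumptions made for the demo.

```python
"""Recovering a time-seeded ransomware key from file metadata (added example)."""
from typing import Optional

# Toy LCG parameters (assumption; any small-seed deterministic PRNG has the
# same weakness, which is the point of the demo).
LCG_A = 1103515245
LCG_C = 12345
LCG_M = 2 ** 31
KEY_LEN = 32


def lcg_stream(seed: int, n: int) -> bytes:
    """Return n pseudo-random bytes from the toy LCG seeded with `seed`."""
    out = bytearray()
    state = seed % LCG_M
    for _ in range(n):
        state = (LCG_A * state + LCG_C) % LCG_M
        out.append((state >> 16) & 0xFF)  # high byte, as many LCG users take it
    return bytes(out)


def derive_key(seed: int) -> bytes:
    """The hypothetical malware's key derivation: key = PRNG(seed)."""
    return lcg_stream(seed, KEY_LEN)


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it also decrypts (assumption for demo)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- the "ransomware" side (hypothetical) -----------------------------------
def ransomware_encrypt(plaintext: bytes, now: int) -> bytes:
    """Seed the PRNG with time(NULL) and encrypt; this is the fatal mistake."""
    return xor_encrypt(plaintext, derive_key(now))


# --- the responder side ------------------------------------------------------
PDF_MAGIC = b"%PDF-"  # known plaintext header for the victim file (assumption)


def recover_seed(ciphertext: bytes, mtime: int, window: int = 3600) -> Optional[int]:
    """Brute force seeds in [mtime - window, mtime].

    The file's mtime was set when the malware wrote the ciphertext, which is
    after the key was generated, so the seed cannot be later than mtime.
    Accept the first seed whose key restores the known header.
    """
    probe = ciphertext[: len(PDF_MAGIC)]
    for seed in range(mtime - window, mtime + 1):
        if xor_encrypt(probe, derive_key(seed)) == PDF_MAGIC:
            return seed
    return None


def decrypt_with_seed(ciphertext: bytes, seed: int) -> bytes:
    return xor_encrypt(ciphertext, derive_key(seed))


def demo() -> Optional[int]:
    """Constructed scenario: a PDF encrypted at t=1457000000, written 5s later."""
    victim = b"%PDF-1.4\n%constructed sample document\n"
    t_encrypt = 1457000000
    ct = ransomware_encrypt(victim, t_encrypt)
    file_mtime = t_encrypt + 5
    seed = recover_seed(ct, file_mtime)
    if seed is not None:
        assert decrypt_with_seed(ct, seed) == victim
    return seed


if __name__ == "__main__":
    print("recovered seed:", demo())
```

The search costs one key derivation per candidate second; widening the window to a day is still only 86,400 derivations. A responder who lacks a known header can substitute any structural check on the plaintext (a ZIP signature, valid UTF-8, a file-type magic table), which is why leftover artifacts such as original extensions are worth preserving before cleanup.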
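The Facebook item above is a reminder that a short one-time code is only as strong as the attempt limit in front of it. The following is an added example, not code from the bug report or from Facebook; the shape of the endpoint (a 6-digit reset code checked by a verify call) is an assumption, since the report's details are not on this page. It places a service without an attempt cap beside one with a per-account cap and lockout, and runs a naive enumeration attacker against both.

```python
"""Reset-code brute force with and without an attempt limit (added example)."""
import hmac
import secrets
from typing import Dict, Optional, Set

CODE_DIGITS = 6          # assumption: a 6-digit numeric reset code
MAX_ATTEMPTS = 5         # assumption: cap used by the hardened service


class ResetService:
    """Minimal password-reset backend. `limit=False` models the vulnerable
    behaviour (unbounded guesses); `limit=True` enforces a per-account cap
    and invalidates the code once the cap is exceeded."""

    def __init__(self, limit: bool):
        self.limit = limit
        self.codes: Dict[str, str] = {}
        self.attempts: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def issue(self, user: str, code: Optional[str] = None) -> str:
        # `code` parameter exists only so the demo is deterministic.
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.codes[user] = code
        self.attempts[user] = 0
        return code

    def verify(self, user: str, guess: str) -> bool:
        if user in self.locked or user not in self.codes:
            return False
        if self.limit:
            self.attempts[user] += 1
            if self.attempts[user] > MAX_ATTEMPTS:
                # Lock the reset flow and discard the code; the user must
                # request a fresh one, which also produces an alertable event.
                self.locked.add(user)
                del self.codes[user]
                return False
        ok = hmac.compare_digest(self.codes[user], guess)
        if ok:
            del self.codes[user]  # one-time use
        return ok


def brute_force(service: ResetService, user: str) -> Optional[int]:
    """Enumerate every code in order; return the winning code or None."""
    for i in range(10 ** CODE_DIGITS):
        if service.verify(user, f"{i:0{CODE_DIGITS}d}"):
            return i
        if user in service.locked:
            return None
    return None


def run_demo(limit: bool, code: str = "004217") -> Optional[int]:
    """Constructed scenario: the victim's code is fixed so the run is repeatable."""
    svc = ResetService(limit=limit)
    svc.issue("victim@example.com", code)
    return brute_force(svc, "victim@example.com")


if __name__ == "__main__":
    print("no limit  ->", run_demo(limit=False))
    print("with limit->", run_demo(limit=True))
```

A per-account cap alone is not the whole fix: the attacker can also spread guesses across many accounts from one source, so a real deployment rate limits per source address and per endpoint as well, and makes sure every host that serves the flow (staging, beta, mobile variants) sits behind the same controls, since a single unprotected path is enough.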