
Downclimb: Summit Route's Weekly Infosec News Recap
2016.03.13 – 2016.03.20:
To receive a weekly email notification of this newsletter, email


"Coolest thing about training people is to learn new things because you try to answer questions you never asked yourself before" Stefan Esser


"Basics: The lock icon does not tell you whether a website is secure." Eric Lawrence


"It’s a shame so many people’s first experience with BitCoin is a ransomware demand." Chris Snyder


"Stupidity may be the most asymmetric of all weapons. One stupid person can keep a dozen smart ones busy." halvarflake


"There's nothing wrong with accidentally creating a threat intell feed. We've all done it. The mistake is believing it's useful long term." Scott J Roberts

Top stories

California Attorney General defines "reasonable security"

When businesses are breached, their liability is largely determined by whether they had practiced reasonable security, so a lot of litigation regarding breaches is focused on determining that. This litigation is due to there being no definition of reasonable security. The California Attorney General Kamala Harris, on February 16th, released California's annual breach report and within it, she defined reasonable security, stating "The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security."

The breach report itself, like most breach reports, isn't that interesting. California has been collecting information about breaches since 2003, when California became the first state to require businesses to inform affected parties when those victims are residents of California. Now 46 states have similar requirements.

The definition the Attorney General used for reasonable security, the CIS Critical Security Controls (direct link to a copy), are extremely aggressive goals that few organizations outside of the Department of Defense currently implement. For example, it requires application white-listing (CSC 2.2), disabling JavaScript (CSC 7.3), and other controls which, although valid recommendations, are difficult to implement in practice from a business perspective.

Ransomware using iCloud services

In this story from Malwarebytes, instead of the normal ransom attack of encrypting a victim's files, the attacker took over their iCloud account and used the "Find My Mac" feature to lock the device and demand ransom, or all SMS, email, computer files, contacts, and photos would be made public and shared with their contacts. For many people, ransomware is becoming less of a concern, because all their files are just stored on cloud services such as Gmail and Dropbox, but if attackers took control of those accounts, the effects would be much more devastating for those people (assuming they couldn't regain control of their accounts and the service didn't help them retrieve backups). This case also shows how the data on the iPhone can be targeted without ever exploiting the iPhone itself.


Newspaper news

  • $100M stolen from Bangladesh account in US Federal Reserve: There aren't many details on how criminals got ahold of the SWIFT numbers needed to transfer money from the account of the Bangladesh government from the US Federal Reserve. It is known that the amount would have been a lot larger ($1 billion as opposed to $100 million) had the criminals not mis-spelled one of the destination accounts. This story states that hackers had breached the computer networks of the Bangladesh Bank to carry out this theft.
  • How pirates and hackers worked together to steal millions of dollars in diamonds: Interesting read about how pirates in the South Pacific had boarded shipping vessels and knew exactly where the containers with diamonds were, because hackers had access to information about ships' cargo and where on the ship that cargo was kept.


  • BinDiff: BinDiff is now free. Only binaries are available, not source code as is the case with the other Zynamics tool, BinNavi. This tool uses IDA Pro to show differences between binary executables. If you want an open-source and more actively maintained option, check out Diaphora from Joxean Koret.
  • Simplevisor: SimpleVisor from Alex Ionescu is a simple, Intel x64 Windows-specific hypervisor with two specific goals: using the least amount of assembly code (10 lines), and having the smallest amount of VMX-related code to support dynamic hyperjacking and unhyperjacking.

Other reads

  • TabNabbing: This phishing technique relies on the idea that people open a lot of tabs, and that people are less likely to verify a site in an old tab versus a new one. So the site might display one thing for a while, and then modify the site to look like a phishing site later in the hopes that this old tab will be opened and the victim will be more likely to enter their credentials.
  • AceDeceiver: First iOS Trojan Exploiting Apple DRM Design Flaws to Infect Any iOS Device: Claud Xiao of Palo Alto Networks discusses how DRM software used by Apple devices, called Fairplay, has been used since 2013 to spread pirated iOS apps and now, for the first time, spreading malware.
  • git vulnerability: Details of a new vuln (CVE-2016-2315) for git were released prior to there being any binaries that could be installed. The vuln affects both servers and clients.
  • APT Ransomware: There have been a few cases of APT actors infecting their targets with ransomware, which goes against the assumptions one would have about intelligence gathering from nation states.