Downclimb: Summit Route’s Weekly Infosec News Recap
2016.04.03 – 2016.04.10: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“Exploiting Flash is getting harder. Used to find a bug a day. Now it’s a bug a week.” Natalie Silvanovich

“When searching StackOverflow for angular questions, be sure to filter by the month when your version was relevant” ‏@GonzoHacker

“You carry a networked location-tracking mic/camera/accelerometer everywhere you go, but sure, tape over the built-in webcam on your laptop.” Mike Myers

Top stories

Panama Papers

A Panamanian law firm was hacked that was responsible for putting billions of dollars of the rich and famous into offshore accounts for tax evasion purposes in many cases. The documents were leaked and has caused some real world impact, such as Iceland’s Prime Minister stepping down. There were also stories this week of someone recruiting hackers to help him gain access to law firms in order to do insider trading. The take-away is that law firms are being aggressively targeted now, and once again we have a case where attackers aren’t targetting their victims directly (the politicians), but rather going after third-parties (the law firm) in order to gain access to the data of interest.

Business

• Bluebox and Lookout merged: The mobile security companies have merged, and now are just called Lookout.

Newspaper news

• $2.3B lost to CEO email scams: The FBI has reported that since October 2013, criminals have impersonated company executives to convince employees to transfer money to their accounts, resulting in $2.3B stolen.
• 55+ companies have fallen to W-2 Phishing Scams: A popular scam in recent months has been to attempt to get information from companies that can be used to collect the tax refunds from their employees. 55 companies including Snapchat, Seagate, Sprouts grocery store, and many more have fallen victim to this scam.
• WhatsApp integrates Signal: WhatsApp integrated the Signal Protocol, resulting in end-to-end encryption turned on for all users by default, including warning users when the people they are speaking with have not updated their app. This ensures that not even WhatsApp developers can not see the plain text of messages sent (well, they could always push down a malicious update to disable or workaround this, but this is still a giant step forward).
• GitHub enables GPG signature verification: Git supports signing commits and tags with GPG, and now GitHub will show you when these are signed.

Conference materials and publications

• BeyondCorp: Design to Deployment: Google’s BeyondCorp strategy has been heralded as the right way forward for protecting networks. The concept is to no longer have an internal corp network that employees need to hard-wire or VPN into, because that promotes a crunchy outside and soft inside network, where once an attack gets on one of your employee laptops they end up with free rein. The BeyondCorp strategy that Google announced a year ago advises that you shouldn’t provide access to systems just because of what network they come in on. This new paper describes this concept in more detail.
• CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities: This paper, presented recently at Black Hat Europe, describes how popular Firefox extensions, such as NoScript, Firebug, Greasemonkey, and more allow a malicious add-on to leverage the capabilities of other add-ons.

Other reads

• If You Can’t Break Crypto, Break the Client: Recovery of Plaintext iMessage Data: A month ago Matthew Green and his team disclosed an attack against iMessage involving tricky crypto, some special circumstances and assumptions, and 70 hours to carry an attack that would gain access to the encrypted iMessage attachments. This week though, a much simpler attack was revealed by going after the client itself. In this attack, if you can convince the user to click a weird looking link that begins with “javascript://” you’ll be able to retrieve their entire chat history and associated attachments.
• RubyGems.org gem replacement vulnerability and mitigation: The Ruby gems repo had a vulnerability that allowed anyone to replace the gems of other developers, if that gem name contained a dash.
• Analysis of an Intrusive Cross-Platform Adware; OSX/Pirrit: Shows analysis of adware on OSX without reversing, looking only at forensics evidence of it.
• Rollout or not: The benefits and risks of iOS remote hot patching: iOS apps have to be reviewed by Apple, even updates, which slows down the development cycles of app creators. They have bypassed Apple’s App Store restrictions by hot-patching their apps, and this post looks at how this is done and the dangers it creates.
• Flash ITW 0-day killed before functional (CVE-2016-1019): Adobe fixed a vuln this week that was being exploited In The Wild (ITW) in an attempt to serve ransomware. However, the exploit didn’t quite work due to mitigations in Flash, so this exploit wouldn’t work on anyone despite being a new, previously unknown vulnerability. Great work by ProofPoint for discovering this change to the Magnitude exploit kit before it was able to work successfully. It seems it’s been a long time since an ITW browser 0-day was used for purely criminal purposes as opposed to nation state work. Most criminal exploitation these days uses old-day against out-dated browsers.