"I have no actual numbers but it seems the market of selling vulnerable black box appliances is still bigger than the 0 day market." Stefan Esser
"Star Wars and infosec. You’re convinced you need Death Stars to keep you secure, when actually you should teach your stormtroopers to shoot." Ben Hughes
"What if ransomware allows poor victims to trade ransom payment for 2 infections? Human-assisted RW-worm?" @tacticalRCE
"There are people with Tor browser 0day. This is a perennial truth. Learn to be secure even if the adversary has exploits. Because they do." the grugq
"One man's lowly bug is another company's press release." Ralf (RPW)
Patch Tuesday and Badlock
This Patch Tuesday coincided with the release of details for the Badlock vuln, whose marketing campaign had begun two weeks earlier with a site and logo at badlock.org. This over-hyped bug had a number of interesting aspects:
- It was hyped weeks before details of it were released. This was an excellent marketing strategy.
- Once details were disclosed, it was revealed that the bug itself was fairly low impact: it requires a man-in-the-middle position and only allows for things such as modifying file permissions or DoS, making this disclosure a non-event.
- It could be argued this bug has been known about for years. @pwnallthethings stated "Kudos to Microsoft's PR team, who got out in front of #BadLock by publishing mitigation advice for it 7 years ago https://technet.microsoft.com/library/security/974926"
- The bug was found by one of the developers of Samba itself, the software the bug affected. It is not normal for developers to hype vulns in their own code.
Hacking Team hack write-up
The hacker Phineas Fisher, who hacked Hacking Team and previously hacked Gamma Group, documented how he did it. The post was originally in Spanish, but has been translated to English. It serves as a good tutorial on how this type of thing is done. The initial foothold was a 0-day in a router or VPN appliance, found after scanning Hacking Team's IP space, followed by a firmware backdoor for that device. From there, due to a lack of the expected network segmentation, the attacker was able to access backup servers, find credentials in order to move laterally and escalate privileges, and persist by hiding in RAM on servers with high uptime.
Apple has abandoned support for QuickTime for Windows, despite it still being widely installed, and there are now two known vulns for the product. In another case of abandoning software, the recently announced Google Chrome 50 drops support for Windows XP and Windows Vista, and also ends support for OS X versions before 10.9. Those users will no longer receive updates either. In Apple's case they abandoned their own product, while in Google's they abandoned the users of the product on a specific platform. Should the vendor automatically remove their software from unsupported systems, or show a warning? Contrast this with Google's Nest, the home-automation company, which purchased a company called Revolv and disclosed a few weeks ago that they are stopping support for those products, meaning not just that they won't get updates, but that people's home automation will no longer work.
I also abandoned some software this week, although it's code that never had any users. The original purpose behind Summit Route was to create an End-Point Protection product, but things didn't work out, so I've put all the code up on GitHub.
Infosec can be a depressing field where it seems we're facing a losing battle. I'll try to include some mentions in this section of news where the Good Guys win.
- Blackhole exploit kit author gets 7 years: The author and distributor of the popular Blackhole exploit kit, known as "Paunch", has been sentenced in Russia to 7 years in a penal colony.
- PerimeterX launches from stealth: PerimeterX adds JavaScript to your site so it can detect and mitigate content scraping, ad fraud, and other concerns.
- Microsoft sues US government over secret data requests: Similar to Apple fighting the US government over being forced to unlock the San Bernardino shooter's phone, Microsoft is fighting the US government over being forced to turn over customer data without being able to disclose these requests.
- Canadian police have BlackBerry global decryption key: Not much to say here, other than don't use BlackBerry.
Conference materials and publications
- Infiltrate 2016 slides: Slides for all presentations and a video of the keynote are up for this conference in Miami earlier this month.
- GitHub's CSP journey: Explains how GitHub created their CSP policy for protecting against XSS.
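As an added illustration of what a CSP policy has to get right to stop XSS (example code written for this issue, not from GitHub's post), the following Python script parses a Content-Security-Policy header and flags the settings that undermine it: a missing script-src/default-src, 'unsafe-inline' without a nonce or hash, 'unsafe-eval', wildcard or scheme-only script sources, and an object-src that is not 'none'. The two sample headers at the bottom are constructed for the example and are not GitHub's real policy.

```python
"""Added example (not from GitHub's post): a small Content-Security-Policy linter.

It parses a CSP header value into directives, works out which sources
govern script execution, and flags the settings that undermine CSP as an
XSS defence. The sample headers at the bottom are constructed for this
example and are not GitHub's real policy.
"""
from typing import Dict, List, Optional

# Source expressions that effectively allow scripts from anywhere.
OPEN_SOURCES = {"*", "http:", "https:", "data:"}
# A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP level 2+).
STRICT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive-name: [source expressions]}.

    Directives are ';'-separated; the spec says a repeated directive is
    ignored after its first occurrence, which is mirrored here.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = [t.lower() for t in tokens[1:]]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources for a fetch directive, falling back to default-src; None if neither is set."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def lint_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means no obvious weakness."""
    policy = parse_csp(header)
    findings: List[str] = []

    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("no script-src or default-src: inline and remote scripts are unrestricted")
    else:
        has_nonce_or_hash = any(s.startswith(STRICT_PREFIXES) for s in scripts)
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline': injected <script> blocks will run")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src allows 'unsafe-eval': eval()/new Function() on injected strings")
        for src in scripts:
            if src in OPEN_SOURCES:
                findings.append(f"script-src contains {src}: scripts may load from any origin")

    # Plugin content (Flash, etc.) is another script-execution path; lock it down.
    objects = effective_sources(policy, "object-src")
    if objects is None or "'none'" not in objects:
        findings.append("object-src is not 'none': plugin content can be used to execute script")
    return findings


# Constructed sample headers for demonstration (not GitHub's policy).
WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:"
STRICT_CSP = ("default-src 'none'; script-src 'self' https://assets.example.com; "
              "object-src 'none'; base-uri 'self'; form-action 'self'")

if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, lint_csp(header) or ["OK"])
```

Running it reports four findings for the weak header and none for the strict one. The strict header follows the same shape GitHub's post describes: a default-src of 'none' so every resource type must be explicitly allowed, script-src limited to the site's own origins, and object-src disabled outright.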