Downclimb: Summit Route’s Weekly Infosec News Recap
2016.04.17 – 2016.04.24: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com
Quotes
“PsExec doesn’t steal credentials, hackers do.” Mark Russinovich
“Who returns IPs in decimal format?! Why do security vendors suck at APIs.” Kos
“If I ever publish one of them newfangled “Logo Vulns” it will be in libtiff and the exploit will be the logo itself.” Christien Rioux
Top stories
How I Hacked Facebook, and Found Someone’s Backdoor Script
This awesome bug bounty write-up discusses how the author figured out the software being used for an Internet accessible end-point at Facebook, then found 0-days in it, got in, and then discovered a backdoor already in place by at least one other attacker for stealing credentials of Facebook employees! In a post online, a Facebook employee mentions that the backdoor discovered was left behind by “another researcher who participates in our bounty program”. Crazy. This RCE discovery was awarded $10K and the same bug bounty hunter also received another $10K bounty for RCE on Uber this week (link).
Speaking of bug bounties, it’s interesting this directory traversal vuln, which is simple to find with automated tools, was awarded a $5K bounty from Imgur.
Evidence obtained from FBI malware thrown out
In a child pornography case, the FBI infected systems with malware to determine the identities of the culprits. The judge ruled “Since warrantless searches are presumptively unreasonable, and the good-faith exception is inapplicable, the evidence must be excluded.” (link).
Justice
- SpyEye makers sentenced to prison: Krebs article on the two developers behind the SpyEye botnet who received 9 and 15 years in prison in the state of Georgia. The latter received the longer prison sentence for actually running the botnet as opposed to only developing it’s code.
Business
- Dell SecureWorks IPOs and fizzles: The first tech IPO of 2016 happened this week with Dell SecureWorks, the cybersecurity unit of Dell. SecureWorks priced below its indicated range and opened the day even lower; it also cut the number of shares it was offering from 9 million to 8 million. These are all things that should cause the stock to shoot up. The shares closed Friday at $14, only slightly up from their opening price of $13.89.
- Bugcrowd Raises $15M in Series B: Bugcrowd provides a bug bounty security platform.
Newspaper news
- $10 router blamed in Bangladesh bank hack: The recent hack on Bangladesh’s central bank that resulted in $81M lost (and $1B attempted to be stolen) has been blamed on the use of second-hand $10 routers that were used to connect to the global financial networks. This cheap equipment meant that there was no firewalling and network segmentation.
Conference materials and publications
- Nullcon slides: Conference in Goa, India in early March.
Tools
- RansomWhere?: A new free tool from Objective-See for OSX that detects and blocks ransomware as it’s encrypting files by using a more complicated entropy check (to avoid detecting compressed files as opposed to encrypted files).
Other reads
- Understanding and Hardening Linux Containers: This 122 page paper discusses OS virtualization via Linux Containers, as implemented by LXC, Docker, and CoreOS Rocket, along with security recommendations.
- Windows Subsystem for Linux Overview: A few weeks ago it was announced that Windows would be able to run bash commands and even ELF binaries. In this article and accompanying video, Microsoft describes how it works.
- Free VPN integrated in Opera: The Opera web browser now has a free and unlimited VPN integrated into it “for better online privacy”. The Opera web browser however was bought by a Chinese group recently, so it’s unclear how this will play with the Great Firewall of China.
- Looting of the Fox: The Story of Sabotage at ShapeShift: The ShapeShift bitcoin exchange was hacked twice, first by an insider, and then by an outside hacker who obtained access from that same insider. The key take-away is about how even after an incident, you should be aware that there may be backdoors left behind on other systems. Also, that even if you focus on one attacker, you still need to be mindful of the other attackers that are out there. These take-aways are obvious, but it’s a good read.