Downclimb: Summit Route’s Weekly Infosec News Recap
2016.04.24 – 2016.05.01: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com
Quotes
“You win automatically when your exfil time is less than log aggregation and analysis periods.” Sasha
“Security Heavyweight Breaks Scales” Ben Nagy on Tavis Ormandy’s latest vuln found in a bathroom scale.
“Also don’t put your credit card number or secret recipe for bbq sauce on GitHub either.” Ryan Huber on news this week that hundreds of private Slack keys were in public GitHub repos, which would allow someone to see their chat messages.
“Why I love the field of applied crypto: when it works, we take credit for it. When it doesn’t work, we just blame the software people.” Matthew Green
“falling in love, breaking into a bank, bringing down the govt…they all look the same right now: they look like typing” PennyRed
“Working in defence recently has given me the insight that companies care much less if they get owned than offence thinks they do.” @semibogan
“Most hackers could not write a web browser, a web app from scratch, would not attend the committee meetings to get a protocol to happen in the first place. Yet through some hard work and intelligence find a bug, that in some cases pops a shell, and they’re cleverer than the person who made it in the first place? That isn’t how reality works. It’s just sadly how infosec works.” Ben Hughes on imposter syndrome in infosec
Top stories
Platinum Group
Microsoft released a report on a threat they call “PLATINUM”. It has been operating since 2009, targets only government institutions in South and Southeast Asia (primarily Malaysia), and uses the information obtained for indirect economic advantage, not direct financial gain. It uses spear phishing, and then a total of four 0-day exploits, along with a number of new attack techniques. The attackers work against targets’ personal email accounts (which the victims then open on work computers) in order to get into the intended organizations. The first stage of the emails fingerprints the browser’s plugins, and the exploits remotely load the next-stage components so that they are delivered only once and can be tailored to the environment. It uses Windows hot patching as a means of code injection that evades detection by endpoint security solutions and allows DLLs to be loaded without touching disk. The hot patching technique is further explained here.
ISIS Targeted by Cyberattacks in a New U.S. Line of Combat
This article describes how computer-network attacks are being used against ISIS alongside traditional weapons. From the article, “the plan is to imitate them or to alter their messages, with the aim of redirecting militants to areas more vulnerable to attack by American drones or local ground forces.” Consider the similarities between this and phishers spoofing CEOs to get people to wire money, and the devastating effects this could have on enterprises if communications were used to misdirect their activities.
Newspaper news
- Verizon’s 2016 Data Breach Investigations Report. This annual report, started in 2008, gives breach stats and charts. It attempts too much humor for my tastes in a serious report, and its data and visualizations of that data leave much to be desired. For example, the report lists the top 10 exploited vulns of the year, and two of them are for the FREAK attack, which is a MiTM issue. This is extremely unexpected, and I assume it is incorrect. Given these issues and many others, I recommend you not read this, and you shouldn’t refer to this report for evidence of anything.
Conference materials and publications
- Black Hat Asia Keynote video: Talk by Dino Dai Zovi on “Devaluing Attack: Disincentivizing Threats Against The Next Billion Devices”.
- OWASP AppSec California 2016 videos: Conference in California in January.
Tools
- google/nogotofail: A network security testing tool designed to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications.
- Sysmon v4.0: Some of the popular Sysinternals tools have been updated, with the most useful improvement being in Sysmon, which now allows filtering rules for what will be recorded.
Other reads
- Towelroot and Leaked Hacking Team Exploits Used to Deliver “Dogspectus” Ransomware to Android Devices: There is ransomware against Android devices that is using exploits from the leaked Hacking Team data to deliver the malware against older devices without any user interaction other than visiting the web pages where the exploit kits are located.
- Two bytes to $951M: This article looks at a couple of samples submitted to VirusTotal that were likely involved in the recent Bangladesh Bank theft. Previous stories indicated that the bank had very low levels of sophistication, and the attackers were expected to lack sophistication as well, especially given that they missed out on ~$900M due to a spelling mistake. This article shows that the attack might actually have been fairly sophisticated, as the attackers appear to have used patched executables to bypass checks and hide evidence.
- Protecting against unintentional regressions to cleartext traffic in your Android apps: A new feature for Android apps lets you declare that the app does not use cleartext (HTTP) traffic, so that any such traffic it encounters is blocked; QA builds can instead log or crash whenever non-TLS traffic is encountered.
- Who hacked Facebook?: Follow-up story from last week’s Facebook bounty where the hacker found someone else’s backdoor. In this well-researched article, Violet Blue finds that the company behind the product the bug hunter had found “0-days” in had actually already identified and patched the vulns that were used. So this bug hunter’s entry could have been avoided through better patch management. However, the other intruder whose backdoor was discovered did use these vulns prior to them being known, so one could argue that Facebook’s lapse in patch management actually enabled them to discover the other intruder by allowing the bug hunter to get in and poke around. Violet’s article shines light on many of the more political issues exposed in this event.
- Magical Thinking in Internet Security: Paul Vixie discusses the dangers of how we’re trying to fix complex software by adding more complexity. One important comment is with regard to our cybersecurity spending, where he comments “at $70B, our spending is in the same order of magnitude as our losses.” To put it another way, we’re globally spending about as much on infosec as we’re losing. Both our spending and losses are increasing, which is not good.
- Hacking Mattermost: From Unauthenticated to System Admin: Post from Andreas Lindh on bugs he found in Mattermost (a Slack alternative), which is written in Go, so it’s interesting to see the bugs that still exist in that relatively safe language.
- Empty DDoS Threats: Meet the Armada Collective: Since March, many companies have been receiving threats from the Armada Collective, demanding bitcoins, or their sites will be DDoS’d. Searching online, there are a number of stories about powerful attacks from the Armada Collective, but in this latest string of extortions, these were just empty threats, as it seems the real Armada Collective no longer exists. You shouldn’t pay protection money, but if you do, you should be sure there is actually a threat that’s worth paying to protect yourself against.