Downclimb: Summit Route’s Weekly Infosec News Recap
2016.05.01 – 2016.05.08: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“The password to the attached ZIP is ‘AES-256’ as you requested.” Mikko Hypponen

“A common fallacy is to assume authors of incomprehensible code will somehow be able to express themselves lucidly and clearly in comments.” Kevlin Henney

Top stories

Microsoft Security Intelligence Report Volume 20

Unlike Verizon’s DBIR released last week, Microsoft’s quarterly SIR is based on real data. Sections of it are dedicated to actual exploits and malware they see with their telemetry data from hosts running their products globally, and it breaks out stats for various countries, home user vs enterprise, and other categories. Other sections are somewhat Microsoft advertising to show how great their solutions are at detecting and protecting against certain things.

The most interesting section begins on page 141, and is about Microsoft’s own IT for their 150,000 employees, and 600,000 workstation computers and devices (4 managed devices per employee seems high). They have 98% compliance across their devices, and acknowledge that 100% compliance would be too costly and unsustainable. Their devices have encountered about 2.5 million malicious files in the 3 month period. That is the sum of numbers in Figure 101. That means more than 4 malicious files reached each device this quarter, which seems very high, as most malware should be blocked by the browser (via IE’s SmartScreen or Chrome’s SafeBrowsing), by the email service’s spam filtering, or other methods. However, they have only had 43 infections (Figure 104), which is a 0.007% infection rate, which seems very low considering that many malicious files are actually making their way to the devices.

ImageTragick

This playful branded vulnerability with it’s own website imagetragick.com, discusses multiple vulns in ImageMagick, a package commonly used by web services to process images. One of the vulns was actively being exploited ITW (in the wild) and can lead to RCE. It’s well understood that ImageMagick is not a well hardened application, but it is widely used, and when this particular set of vulnerabilities was announced in a blog post, it only had a hundred reads. By creating the logo’d website, they had thousands of hits in minutes, so they felt that in order to get word out, the website was needed.

Business

• Momentum Partners: Cybersecurity Market Review Q1 2016: Momentum Partners puts together the most comprehensive reports on the cybersecurity vendor landscape quarterly. It’s mostly a summary of all the M&A and funding activity that has happened.

Conference materials and publications

• Phrack 69: After 4 years, a new Phrack is finally out! Many of the articles had been seen previously in Phrack’s Paper Feed.

Tools

• Introducing Syslog to AWS Kinesis via Osquery: Airbnb posted it’s first security blog post where they discuss some of their contributions to the osquery project. Their two contributions allow local logs to be queried and collected, and then for osquery data to be sent to Amazon Kinesis for log collection.

Other reads

• Prince of Persia: Infy Malware Active In Decade of Targeted Attacks: Palo Alto Networks reports the discovery of this threat actor which by deploying only a few, targeted attacks has managed to stay undiscovered for nearly a decade. Although many of the samples for the past five years have matched generic signatures, they weren’t identified as being the same threat.
• Adventure Time – Warsaw OSX: Warsaw is software that banks in Brazil require be installed on user’s computers that wish to do online banking. It’s always interesting when countries mandate people use certain software, as it usually works out poorly. This post looks into some of the internals of this software on OSX.
• winternl: Hello World!: Solid introductory post on Windows shell-code writing for modern Windows.
• Owning the Image Object File Format, the Compiler Toolchain, and the Operating System: Solving Intractable Performance Problems Through Vertical Engineering: Alex Ionescu discusses a new security feature of Windows for dynamic relocation and how it can only exist because Microsoft owns the OS, compiler, and executable file format.