
Downclimb: Summit Route's Weekly Infosec News Recap
2016.05.01 – 2016.05.08:
To receive a weekly email notification of this newsletter, email


"The password to the attached ZIP is 'AES-256' as you requested." Mikko Hypponen


"A common fallacy is to assume authors of incomprehensible code will somehow be able to express themselves lucidly and clearly in comments." Kevlin Henney


Top stories

Microsoft Security Intelligence Report Volume 20

Unlike Verizon's DBIR released last week, Microsoft's quarterly SIR is based on real data. Sections of it are dedicated to the actual exploits and malware Microsoft sees in telemetry from hosts running its products globally, and it breaks out stats by country, home user vs. enterprise, and other categories. Other sections read more like Microsoft advertising, showing how well their products detect and protect against particular threats.

The most interesting section begins on page 141 and covers Microsoft's own IT for their 150,000 employees and 600,000 workstation computers and devices (4 managed devices per employee seems high). They have 98% compliance across their devices and acknowledge that 100% compliance would be too costly and unsustainable. Their devices encountered about 2.5 million malicious files in the 3-month period; that is the sum of the numbers in Figure 101. It means more than 4 malicious files reached each device this quarter, which seems very high, as most malware should be blocked by the browser (via IE's SmartScreen or Chrome's SafeBrowsing), by the email service's spam filtering, or by other means. However, they had only 43 infections (Figure 104), a 0.007% infection rate, which seems very low considering how many malicious files are actually making their way to the devices.


This playful branded vulnerability, with its own website, covers multiple vulns in ImageMagick, a package commonly used by web services to process images. One of the vulns was actively being exploited ITW (in the wild) and can lead to RCE. It's well understood that ImageMagick is not a well-hardened application, but it is widely used, and when this particular set of vulnerabilities was announced in a blog post, it only had a hundred reads. By creating the logoed website, they had thousands of hits in minutes, so they felt the website was needed in order to get the word out.


Conference materials and publications

  • Phrack 69: After 4 years, a new Phrack is finally out! Many of the articles had been seen previously in Phrack's Paper Feed.


  • Introducing Syslog to AWS Kinesis via Osquery: Airbnb posted its first security blog post, discussing some of their contributions to the osquery project. Their two contributions allow local syslog logs to be queried and collected by osquery, and allow osquery data to be sent to Amazon Kinesis for log collection.

Other reads