Downclimb

2016.05.22

RSS feed

Downclimb: Summit Route’s Weekly Infosec News Recap
2016.05.15 – 2016.05.22: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“having per-app sandboxes, rather per-domain, is usually meaningless (at least user data security-wise). Consider e.g. ‘PDF Viewer’ app: it opens all sorts of PDFs there: work, personal, sensitive, garbage, etc. If app compromised can steal all.” Joanna Rutkowska

 

“At time of its finding, Furtim showed a 0% detection rate in VirusTotal, signifying that the developers were awarded partial success in their attempt to remain hidden.” Yotam Gottesman

 

“Reminder to security folks: being good with a sledgehammer does not make you smarter than the engineer who designed the bridge.” Kyle Maxwell

 

Top stories

Inside Nuclear’s Core

Whereas there are many reports on APT’s and malware, and maybe the callback infrastructure of the malware, there aren’t as many in-depth reports on exploit kits. Check Point discusses the Nuclear EK in their post, and PDF report, where they were able to get access to Nuclear’s source code. This is Part 2 of their series on this exploit kit, with Part 1 here, from April.

Chromebooks surge past Macs in the U.S. for the first time

This article points to sales figures showing Chromebooks outsold Macs in the US for Q1 2016. No reasoning is given, other than K-12 are big buyers, but based on what I see in the Bay Area, I’d bet many of the big buyers are also tech companies.

Conference materials and publications

Tools

  • Netlix BLESS for short-lived client certs: When it comes to client cert security, Netflix is probably the most mature company, or at least most open and mature. They have now released code to help others do what they’ve been doing with client certs, to help manage them and keep them short-lived.
  • Sysdig falcon: A behavioral activity monitor designed that uses system calls to detect anomalous activity.
  • ProtoFuzz: A Protobuf Fuzzer from Trail of Bits.
  • CrowdResponse Release and new @Tasks modules: First released back in March, 2014, CrowdResponse from CrowdStrike is much like Redline from Mandiant/FireEye.

Other reads

  • Apple updates: Vulns fixed for the new OSX 10.11.5 and iOS 9.3.2.
  • Attacks on SWIFT Banking System Benefit From Insider Knowledge: In the wake of the Bangladesh bank transfer, this week SWIFT sent another warning without details about another bank, this time in Vietnam that was compromised, where $1M was transferred out in December 2015. This malware installs itself as a fake version of the Foxit PDF reader, in the location of the real Foxit reader. This technique, of replacing or trojaning legitimate executables, can be very difficult to detect.
  • [Scope of 2012 LinkedIn breach expands] (http://krebsonsecurity.com/2016/05/as-scope-of-2012-breach-expands-linkedin-to-again-reset-passwords-for-some-users/): In 2012, 6.5M LinkedIn password hashes were breached. It’s now been discovered that the number of password hashes exposed was 112M.
  • TeslaCrypt shuts down and Releases Master Decryption Key: The developers of the ransomware TeslaCrypt have shutdown their business and given out the decryption key, although most of the distributors of the software have switched over to a ransomwware. It’s important to recognize though, that even if you successfully recover your files, you probably still have malware on your system, and very likely still have security issues which allowed the ransomware to get there in the first place.
  • Detecting KMDs (Kernel Mode Debuggers) with a single instruction: Low-level technique for detecting debuggers.
  • HackerOne: Yahoo Bug Bounty Case Study: The main take-away from this brief ad, are the stats that Yahoo has received 12,000+ reports with 2,200+ earning payment, and 2,200+ reporters of whom 600+ have found verified bugs. To put this another way, 82% of reported bugs are false positives, and 73% of bug bounty hunters that report bugs have only ever reported false positives.