Downclimb: Summit Route’s Weekly Infosec News Recap
2016.05.22 – 2016.05.29: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com
Quotes
“Information sharing is a political slogan not a solution. Let’s try securing the network instead.” Anup Ghosh, CEO of Invincea
“Linkedin stock up 2.74%. Their ad traffic is going through the roof, as everyone needs to log in to change their password.” Mikko Hypponen
“How to ensure #infosec practices you’ve insisted on for years are finally implemented: pay an outside consultant $$$ to recommend them.” Jan Schaumann
“W/ the MySpace hack, people will understand that passwords are like condoms. You aren’t supposed to use them at more than one place.” Matt Suiche
Top stories
RUAG espionage case
The Swiss CERT released a Technical Report about the RUAG espionage case. Unlike vendor reports that act as marketing to help sell products, a CERT report like this is released primarily to help others defend and investigate their networks. As such, it concludes with a number of recommendations. The APT involved is Turla, and among it’s tricks is using some infections as communication nodes, and some as workers. The workers only communicate with other nodes on the network (the communication nodes), and never directly back to the C&C, making them harder to detect. These local network communications also use Named Pipes to hide themselves. An excessive number of crypto algorithms are used throughout.
For me, the biggest indicator that this is government sponsored, or at least sponsored by some bureaucracy, was that the hidden file system the malware uses for a 100MB partition, is NTFS, instead of FAT or ext2, which indicates over-engineering and wasted code and space for the use case.
Account Take Over
One of the problems facing web companies is Account Take Over (ATO), which often involves an unrelated business being breached, their users’ passwords or hashes dumped, and then accounts of those people being taken over on other sites because the people use the same passwords everywhere. In the wake of LinkedIn’s 2012 dump last week, and news this week of a MySpace dump, many web companies are likely seeing spammers log into these accounts on their own sites to post spam of various sorts or access user’s content. The biggest problem with this for web companies is the loss of brand quality, which often results in lower engagement from users even after they regain control of their accounts.
Microsoft posted information about some of the steps they are taking to handle ATOs and research they’ve done into passwords. Microsoft’s research provides support that the following actually result in easier to breach passwords:
- Password length requirements
- Password “complexity” requirements
- Regular, periodic password expiration
The final point about regular, periodic password expirations being bad is backed up by the FTC and the UK’s CESG (part of GCHQ).
Many stronger authentication solutions (ex. 2FA), cannot be used due to the problem of users dropping off when being forced to do this.
Microsoft bans commonly used passwords, and dynamically blocks specific login sessions, either ones associated with IPs or other indicators. These techniques are used by other large companies as well, resulting in the comment: “Google is replacing passwords with more tracking.”
Conference materials and publications
- HITB Amsterdam slides: Hack In The Box is a conference with two locations, one in Malaysia, and one in Amsterdam. The Amsterdam conference took place this week.
- Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector: This paper describes using memory deduplication and Rowhammer, to exploit a browser (Microsoft Edge).
Tools
- CrowdStrike/falcon-orchestrator: This tool is basically a ticket management system (something like JIRA/redmine) with tie-ins to CrowdStrike Falcon. As it exists now, it’s not going to be useful if you don’t use CrowdStrike and probably not that useful even if you do but already have your own ticket management system. The choice of C#, as with Netflix’s FIDO, I believe will also limit it’s acceptance. That said, one of the problems of buying news tools is integrating them into the existing workflows and tools of users. CrowdStrike could have built plugins for one or more ticketing systems, but this option gives them a cleaner interface and more control of the UI. This makes this is an interesting project to watch.
- bitquark/dnspop: List of the most popular sub-domains for brute forcing to find hidden sub-domains.
- SkyLined/LocalNetworkScanner: PoC Javascript that scans your local network when you open a webpage using WebRTC + XHR.
- rabbitstack/fibratus: Tool for exploration and tracing of the Windows kernel. One place I could see this being used is in integrating it with Cuckoo Sandbox to trace malware executions.
Other reads
- Mid-2016 Tor bug retrospective, with lessons for future coding: The Tor project looked at their recent severe bugs, of which there were 70, and categorized them and identified steps that could have been taken to have avoided groups of these bugs.