Downclimb: Summit Route's Weekly Infosec News Recap
2016.05.29 – 2016.06.05:

"You need to select people who tend to be dissatisfied. As they go about their daily experiences, they notice that little things are broken in the world and they want to fix them. Inventors have a divine discontent." Jeff Bezos, Founder of Amazon


"Bitcoins are WAY cheaper than Mandiant" Jerry Bell


"Central claim: lack of critical thinking and gullibility for hype in infosec leads to poor security decisions, perverse priorities, and questionable ethics" Brad Spengler


Top stories

HTTP Updates

Duo Security released a report on OEM software and vulns in its updaters, which download their updates over HTTP without any checks, allowing for MiTM RCE. These vulns are in Acer, Asus, Dell, HP, and Lenovo software. Also this week came news that the popular password manager KeePass similarly downloads its updates over HTTP. In this case, the developer of the tool refuses to move to HTTPS for fear of losing ad revenue, presumably because the updates are hosted in the same place as the web page.

Auto-updates are a constant source of problems, and are one of the main concerns with using public wifi. The tool infobyte/evilgrade has been updated with modules to exploit all of these problems.

It's good to auto-update software, in order to ensure vulns are patched, but this should be done securely. Google's Omaha project is a good reference for how to do this. The main things that need to be understood are:

  1. Use HTTPS everywhere.
  2. Sign and check the updates and any other important communications.
  3. Keep the signing keys offline and secured.
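To make the three points concrete, here is an added example (not Omaha's code and not from the original newsletter) of the client-side half in Go: a small signed manifest pins the payload digest, the client only trusts a public key compiled into it, refuses non-HTTPS download URLs, and rejects any manifest whose version is not newer than what is installed. The type and function names, the example URLs and the payload bytes are all constructed for the demonstration; in production the private key from `GenerateKey` would live on the offline signing machine and never on the update server.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)
// Manifest is the small signed document the client fetches before any payload.
type Manifest struct {
	Version int    // must only increase: blocks replaying an older, vulnerable update
	URL     string // payload location; the client refuses anything but https
	SHA256  string // hex digest of the payload, so the payload host itself need not be trusted
}
func (m Manifest) bytes() []byte { return []byte(fmt.Sprintf("%d\n%s\n%s\n", m.Version, m.URL, m.SHA256)) }
func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
// Verify is the client-side check: pub is compiled into the client, installed is the running version.
func Verify(pub ed25519.PublicKey, installed int, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if m.Version <= installed {
		return errors.New("rollback: manifest version not newer than installed")
	}
	if !strings.HasPrefix(m.URL, "https://") {
		return errors.New("refusing non-HTTPS download URL")
	}
	if digest(payload) != m.SHA256 {
		return errors.New("payload digest mismatch")
	}
	return nil
}
// Scenario signs a constructed update with a fresh key (stand-in for the offline signing key), tampers with it, and returns Verify's result.
func Scenario(tamper string) error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed update payload v2")
	m := Manifest{Version: 2, URL: "https://updates.example/v2.bin", SHA256: digest(payload)}
	sig := ed25519.Sign(priv, m.bytes())
	switch tamper {
	case "payload": // MITM swaps the binary: signed digest no longer matches
		payload = []byte("trojaned payload")
	case "manifest": // MITM rewrites the manifest to an http URL: signature fails
		m.URL = "http://attacker.example/v2.bin"
	case "rollback": // client already runs v2; replaying this validly signed manifest must be refused
		return Verify(pub, 2, m, sig, payload)
	}
	return Verify(pub, 1, m, sig, payload)
}
```

Note that the digest check means the payload host can be a plain CDN; the manifest and the key baked into the client carry the trust, and the version check is what stops an attacker from serving a genuinely signed but older, vulnerable build.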

Plugin exfil

A popular spell-checking plugin for the code editor VS Code was found to exfil all of the code it analyzes to its developer's servers over HTTP. Many online were frustrated that this was done over HTTP, but most businesses should find it disturbing that the exfil was happening at all. Although mentioned in the terms of the spell checker, many users are unlikely to read or consider this. Similarly, a few months ago, a new editor named Kite was announced that would help you write code by suggesting snippets written by others, while all code written or viewed in it was beaconed home. As tools become more connected, this type of activity is encountering less resistance from people.

TeamViewer possibly hacked

Reports have been coming in that over the past month, TeamViewer accounts have been hacked into. TeamViewer provides remote access to systems, and is used much like Remote Desktop but in cases where the system is behind firewalls. The common story from the victims is that they discover TeamViewer is in use, their mouse moves to their browser, and fraudulent purchases are attempted with any saved browser passwords. Those who weren't at the computer just discover the charges in the morning. TeamViewer insists that people are just using bad passwords, so this seems to be some of the fall-out of the ATO story discussed last week. It's unknown if TeamViewer has actually been hacked or not, but you should uninstall it until this calms down.


  • How an Aussie hacker used information leakage to trade stocks: Scant on details, this post discusses an old trick of estimating or figuring out non-public data in order to trade stocks. The only example provided is how the hacker figured out how to determine the number of Creative Cloud subscribers for Adobe, allowing him to make stock trades due to analyst estimates being out of line with the actual figures.
  • P.F. Chang's Cyber Coverage - Not As Expected?: In 2014, the restaurant chain P.F. Chang's was breached and 60,000 credit cards obtained, much like the Target hack and dozens of others. P.F. Chang's had cyber insurance, and its insurance paid out $1.7M to cover forensics and litigation. However, its credit card service providers then charged P.F. Chang's an additional $2M, which P.F. Chang's tried to get its insurer to cover as well, but they refused. This week courts rejected P.F. Chang's attempt to recover the additional money. The court filing can be found here.
  • twilio files S-1: Twilio is a business to programmatically make and receive phone calls and text messages. With regard to security, it is widely used for 2FA solutions to provide text messages, specifically through its February 2015 acquisition of Authy. In 2015 it brought in $167M in revenue, of which 17% ($28M) was from WhatsApp to verify new and existing users.


  • Arrests made in $45M Russian Bank Hack: 50 people were arrested in Russia in connection with a 5-year operation to steal from Russia's largest bank. The hackers used malware called Lurk, and a trojaned Android app that would monitor SMS messages (used for 2FA).

Conference materials and publications

  • SSTIC: This conference took place in Rennes, France this week. Slides and video are available for many of the presentations, but are in French. The keynote slides from spender of grsecurity, however, are in English and are well worth reading.
  • phdays slides: Conference in Moscow, Russia in mid-May.
  • Fastly Speaker Series: The Fastly Speaker Series is my favorite infosec meetup in the Bay Area. In this second meetup from them, they had two talks "Defending, detecting, and responding to hardware and firmware attacks" from Teddy Reed from Facebook, and "Side channel analysis and fault injection, or: how physical access can still imply security" from Jasper van Woudenberg from Riscure North America.


  • keystone: Keystone is an open-source multi-architecture assembler framework, developed by the same folks that did capstone (a disassembler) and unicorn (an emulator).
  • mandatoryprogrammer/xsshunter: A portable version of XSS Hunter for finding XSS and blind-XSS vulns.
  • vrtadmin/ROPMEMU: A framework to analyze, dissect and decompile complex code-reuse attacks. It adopts a set of different techniques to analyze ROP chains and reconstruct their equivalent code in a form that can be analyzed by traditional reverse engineering tools, with a presentation from AsiaCCS. Blog post here.

Other reads

  • OS X Office Macros with EmPyre: This post shows how Microsoft Office macros can be just as effective on OSX as they are on Windows.
  • Dead RATs: Exploiting malware C2 servers: Reverses the PoisonIvy and DarkComet RATs to find vulns that could be used to exploit them if you have MiTM. This type of work applies to other encrypted communications beyond RATs.
  • A Universal Windows Bootkit: This post describes reversing the HDRoot malware and issues with Kaspersky's write-up of it, and best of all, the author provides not just the hashes of the binaries reversed, and not just the binaries, but also the IDA .idb files.
  • Security challenges for the Qubes build process: QubesOS has one of the most secure build processes. This post describes it, and a weakness in it that was discovered and fixed. The build process includes not only forcing verification checks on all downloaded files, but also downloading those packages over Tor to attempt to avoid targeted packages being inserted into their build process.
  • Emerging Defense in Android Kernel: Keen Team, which now works at Tencent, is blogging, with their first post diving into Android kernel security.
  • Tracking Down Heap Overflows with rr: Shows how to use the tool rr, which can record, replay, and do reverse execution, with a gdb front-end, in order to quickly and easily track down the source of a crash.
  • How to create an autorun USB drive by yourself, which works on any Windows: Microsoft turned autorun off for all USB devices in Windows 7 and higher. However, it did not turn off CD autorun. You can make a USB look like a CD drive (requires modifying its flash), and have it autorun executables.