"A security incident that doesn't result in change to the root cause is an interest-only payment on technical debt." @bfist
"When the presidential election could come down to the hack of an email server, it's likely time to start paying attention to cybersecurity." Aaron Levie, CEO of Box
"If infosec was an NBA defense it would spend 100% of practice time stopping half-court shots, 0% on everything else. I heard the NSA uses all half-court shots. Half-court shots get conference talks. Our half-court shot blocker will solve your security probs. New government program aims to stop half-court shots. Your defense is worthless. How is it going to stop someone shooting from half court?" scriptjunkie
Editor's Note: This Downclimb catches up on everything that has happened since the last one 6 weeks ago. Future Downclimbs will resume their weekly schedule.
CrowdStrike broke news that the Russians had hacked the Democratic National Convention email, then someone named Guccifer 2.0 claimed responsibility as a lone attacker, not affiliated with Russia or its government. This spawned a mess of theories, such as Guccifer 2.0 being a false flag from the Russians. We also saw SentinelOne report on nation state malware that Damballa then claimed was generic malware, and some other similar arguments.
It doesn't matter much who hacked the DNC or any other attribution. Attribution matters for very few people, none of whom voice their opinions publicly. What matters, for the DNC hack, is that people learn the importance of end-to-end encryption via S/MIME or PGP for email, and people start focusing more on those problems. (How do you improve its usability so people use it and use it correctly? How do you efficiently and securely search your encrypted email?)
- Microsoft has been reversing an older APT, Dubnium (aka DarkHotel), in a couple of posts (here and here).
- Cymmetria announced their discovery of Patchwork, an APT that is, as the name indicates, a patchwork of known attack tools such as Meterpreter, AutoIt, and PowerShell scripts.
- Bitdefender announced their discovery of Pacifier, an APT that is injected in browser processes, or as a browser extension.
How we broke PHP, hacked Pornhub and earned $20,000
This post describes a vulnerability discovered in PHP's unserialization code, and how this team used that to get RCE on Pornhub in order to win a bounty. They also have another post on Fuzzing Unserialize for finding this vulnerability. This is a great combination showing not only how to discover a vulnerability in a library, and then find where that library is getting used, but then additionally how to actually exploit it remotely.
- SentinelOne guarantees against ransomware: For a $5/end-point additional fee, SentinelOne will pay up to $1M to free up systems infected with ransomware (up to 1000 systems for $1K/system). It is great to see a company guarantee its product like this; however, this pricing is mostly in line with normal cyber insurance rates, and not really any discount. Jeremiah Grossman of SentinelOne himself mentioned separately on cyber insurance rates, "the premiums for protection range roughly 0.5% - 2% (avg 1%) of the coverage amount. i.e. $1MM policy costs ~$10K", and what SentinelOne is offering is a $1M policy for $5K for only one specific threat, with further limitations on coverage.
- Symantec acquired Blue Coat for $4.65B: The antivirus company Symantec has acquired the web gateway company Blue Coat.
- Cisco acquires CloudLock for $293M: The networking giant Cisco acquired the CASB CloudLock.
- Avast acquires AVG for $1.3B: These two Czech antivirus companies are merging.
- Core Security acquiring Damballa for an undisclosed amount: Core Security provides vulnerability management tools, and Damballa provides network detection tools.
- Hack/secure invests in Kolide: A new early stage investment syndicate called Hack/secure formed to jumpstart 100 cybersecurity companies in 3 years, with its first investment in Kolide, a new startup from some of the original developers of osquery that builds on that open-source project.
Conference materials and publications
- Security Fest videos: Conference in Gothenburg, Sweden from the start of June.
- HitCon slides: Conference in Taiwan in late July.
- MacAdmins slides and video: Conference in Pennsylvania from late June focusing on management of Apple computers, with some talks specifically on how to secure Mac fleets.
- MacDevOps videos: Conference in late June in Vancouver that, like MacAdmins, is mostly about managing Apple fleets, with some security talks.
- HITB CommSec Videos and AMS videos: Conference in Amsterdam.
- FIRST slides: Conference in Seoul from mid-June focused on incident responders.
- Area41 slides and videos: Conference in Switzerland from mid-June.
- Modular Protections against Non-control Data Attacks: Microsoft paper introducing YARRA, an extension to C to protect applications from non-control data attacks, such as those that modify only a single value in order to achieve the goals of the attacker as opposed to introducing shellcode.
- Secure Software Distribution in an Adversarial World: Duo Tech Talk by Diogo Mónica of Docker.
- godaddy/procfilter: This tool allows you to create your own YARA rules to block processes from running on Windows.
- ivanfratric/winafl: A fork of AFL for fuzzing Windows binaries from Ivan Fratric (he publishes things once a year, and it's consistently awesome, see http://ifsec.blogspot.com/ for his posts).
- square/sharkey: Tool to avoid the SSH problem of TOFU (Trust On First Use), where you connect to an SSH server for the first time and accept its key without any way to verify it. This tool automatically seeds your client with the short-lived certificates of the trusted servers.
- dev-sec.io: Chef, Puppet, and Ansible scripts for hardening servers.
- Binary Ninja: New reversing tool for $99, similar to IDA Pro. An example use case can be seen in the post 2000 cuts with Binary Ninja, which highlights its automation abilities.
- trailofbits/algo: Set of Ansible scripts that simplifies the setup of an IPSEC VPN.
- NIST deprecated SMS 2FA: In NIST's publication on digital authentication, they have now deprecated SMS as a form of 2FA, due to the risk that SMS messages may be intercepted or redirected. It is better to use FIDO, Google Authenticator, or apps such as Duo for 2FA.
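The reason an authenticator app holds up where SMS does not is that nothing is delivered to the user: the code is derived locally from a shared secret and the clock, so there is no message to intercept or redirect. The following is an added example, not code from the page, from NIST, or from any of the products named, implementing RFC 4226 HOTP and RFC 6238 TOTP (the algorithm Google Authenticator and similar apps use) plus a server-side verifier that tolerates one time step of clock skew and rejects replayed codes. The issuer and account names are constructed; the 20-byte secret `12345678901234567890` is the RFC 4226/6238 test-vector seed, used here only so the output can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226/6238 test-vector seed; a real deployment generates 20+ random bytes per user.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, algo)


def current_code(secret: bytes) -> str:
    """What the user's authenticator app would display right now."""
    return totp(secret, int(time.time()))


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """Key URI (otpauth://) the app imports from a QR code; issuer/account are constructed."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server-side check: accept codes within +/- `window` steps, never twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1  # highest counter already consumed by this user

    def verify(self, code: str, unix_time: int) -> bool:
        base = unix_time // self.step
        accepted = None
        # Check every candidate (no early exit) so timing does not reveal which one matched.
        for k in range(-self.window, self.window + 1):
            counter = base + k
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                accepted = counter
        # Reject unknown codes and any code at or before the last accepted step (replay).
        if accepted is None or accepted <= self.last_counter:
            return False
        self.last_counter = accepted
        return True


if __name__ == "__main__":
    # Matches RFC 6238 Appendix B: 8-digit TOTP at T=59 is 94287082.
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    print(provisioning_uri(RFC_TEST_SECRET, "ExampleCorp", "alice@example.com"))
    print("live code:", current_code(RFC_TEST_SECRET))
```

The verifier deliberately keeps looping after a match and tracks the last accepted counter; without the latter, an attacker who shoulder-surfs or phishes one code has the full skew window (up to 90 seconds here) to reuse it, which is the same class of exposure the SMS deprecation is about.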
- Hacker pleads guilty in first case of cyber terrorism: A hacker broke into company networks to find names, addresses, and financial information of US government employees and provided the info to ISIS. This is the first time a hacker has been prosecuted on charges of terrorism.
- Paypal Bug bounty 2016 - Exploiting Blind SQLI using OOB technique: This two minute video shows an interesting bug bounty against Paypal where the researcher used a "blind" SQL injection attack using DNS requests to see the results.
- OSX malware: Two new families of OSX malware have been found: Eleanor (which uses Pastebin and Tor for C&C) and Keydnap.
- Shut up snitch! – reverse engineering and exploiting a critical Little Snitch vulnerability: This in-depth post from @osxreverser is largely about how to reverse engineer a real-world application on OSX that uses a kernel driver, and in doing so explains how this type of coding works and also describes some bugs found along the way.
- Fuzzing with AFL is an Art: The author of this post, @moyix, is an awesome researcher to watch. He works at a crazy edge of security research that seems like insanity, as he's not exactly giving practical results, but then a year or two down the road his work becomes the bleeding edge of the practitioners. For example, most recently he's been working on automatically adding bugs to programs (not removing them). Through that work he then investigated how well AFL does at finding his bugs, and discovered that AFL ends up missing them, which means that many of those who have been using AFL for fuzzing have likely been missing many bugs as well. This post explains one of the ways in which AFL can miss finding bugs.
- This week in 4N6: This is a weekly post much like Downclimb, but focused entirely on the world of digital forensics.
- LastPass vulns: The popular password manager had vulns announced from Project Zero and Detectify. In my opinion, it's better to use a password manager that just abstracts a local encrypted file, such as KeePassX.
- How to Dramatically Improve Corporate IT Security without Spending Millions: This paper from Praetorian, which does security assessments, identifies the top ways in which they compromised corporate networks in 100 assessments across 75 companies. The top problems they leveraged were:
- Weak Domain User Passwords
- Broadcast Name Resolution Poisoning (aka WPAD)
- Local Administrator Attack (aka Pass the Hash)
- Cleartext Passwords Stored in Memory (aka Mimikatz)
- Insufficient Network Access Controls