Downclimb

2016.08.07


Downclimb: Summit Route’s Weekly Infosec News Recap
2016.07.31 – 2016.08.07: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“Bitfinex, one of the largest Bitcoin exchanges, was hacked, leading to the loss of 119,756 bitcoins. That’s approximately $60M dollars. For reference, the largest physical bank heist was the Dunbar armored truck robbery in 1997, and it was only for $28M in today’s dollars. So, stealing money from Bitcoin banks is where the action is today.” Emin Gün Sirer

 

“You can make a lot of mistakes, but they should all be novel.” DHH, creator of Ruby on Rails

Top stories

Cyber Grand Challenge

DARPA’s Cyber Grand Challenge took place alongside Black Hat this week. Each team fielded a CRS (Cyber Reasoning System), autonomous software that finds vulns in binaries built specifically for the competition and automatically patches its own copies of those binaries against exploits for them. It is much like Defcon’s famous CTF, except with autonomous software instead of teams of humans, and in fact the winning CRS was invited to play in Defcon’s CTF, where it managed to score some points and finish ahead of some of the human teams.

The final scores for the Cyber Grand Challenge were very close, as all the teams used similar strategies. The winner took home a $2M prize. Read more about the Cyber Grand Challenge here; the three-minute highlight video is worth skimming.

Over 100 of the challenge binaries have been released since 2014, but they were written for DECREE, a custom Linux-derived operating system with no signals, no shared memory, no threads, and only seven system calls. Trail of Bits has ported them to Linux, Windows, and OSX (link) so that researchers can more easily run their tools against them and get metrics that can be compared across research.

Guided in-process fuzzing of Chrome components

The Google Security blog describes how the Chromium code base is fuzzed continuously (link). In the past 30 days they ran 14 trillion unique test inputs, about 5 million tests per second, which resulted in 112 bugs filed, or on average one bug for every 128 billion test inputs. In addition to writing and running its own fuzzers, Google accepts fuzzer submissions from outside researchers and pays rewards for the bugs those fuzzers find.

Business

  • Veramine launches from stealth: Veramine provides a Windows EDR solution to compete with the likes of CrowdStrike and Carbon Black. Whereas those competitors do well at collecting process launch information and other data from systems, they do less well on the “Detection” and “Response” side of things. Veramine has built-in detections for things like kernel mode exploitation, credential theft (e.g. Mimikatz), unusual remote thread creation (e.g. Metasploit’s migrate technique) and more, without using file signatures. It streams behavior to their cloud, where analysis and further detection can occur. On top of this it can show things like systems that aren’t encrypted, or processes that run without DEP and ASLR. Finally, it can remotely remediate systems if needed by killing processes. The most interesting part of this solution is the team behind it, which includes ex-EMET developers and Microsoft developers such as Bruce Dang and Jonathan Ness.
  • Apple launches bug bounty program: Apple is finally launching a bug bounty program, focused mostly on its lower-level security: the highest bounty, $200K, is offered for vulns in its secure boot firmware components, with $50K for unauthorized access to a user’s iCloud account data and $25K for an app sandbox escape. The program is, however, invite-only.

Conference materials and publications

Tools

  • Office 365 Secure Score: New Microsoft service that checks an Office 365 tenant for security concerns. It is mostly useful for identifying admins that don’t have 2FA and a few other issues; many of the “checks” only ask whether you are using Microsoft’s own add-on security services.
  • Keypatch: IDA Pro plugin that uses the Keystone assembler engine to make patching binaries in IDA easier: you type assembly and it writes back the encoded instructions.

Other reads

  • Hijacking a User’s Shadow: Affiliate Fraud via Malicious Extensions: This post from PerimeterX describes malicious browser extensions used for affiliate click fraud. What I found most interesting is that, to avoid detection, the extension first waits a week or two before beginning its malicious activity. Next, to decide which sites to click affiliate links for, it carries a list of MD5 hashes of domains: every time the user visits a site, the domain is hashed and compared against that list, so no domain string ever appears in the extension. By PerimeterX’s count this extension is defrauding 14% of the Alexa Top 500.
  • Addressing Security Blindspots through Culture: This article by Alex Stamos, CISO of Facebook, is mostly about how much of infosec research isn’t focused on the problems actually impacting people, and that “defensive security teams over-optimize for people with technical and cultural backgrounds similar to their own, even as billions of people with completely different experiences are coming online for the first time”. It also goes into the importance of getting people with those varying experiences involved. An important quote:

“Infosec also has a tendency to obsess over the technical sophistication of an attack instead of the impact it has on real people. Attacks in the wild do not get credit for the “difficulty score.” Professional adversaries are content to use the simplest method to meet their objective, even if that method would never earn a talk at a security con.”
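As an added illustration of the MD5 trick in the PerimeterX item above (this is my own sketch, not code from the write-up or from the extension), the Python below shows both halves: the membership test the extension would run on each navigation, and the dictionary attack an analyst uses to get the target domains back by hashing a top-sites list against the embedded digests. The target domains, the candidate site list, and the assumption that the matcher also tries the host with a leading www. stripped are all constructed for the demo.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed target list for this demo. A real extension ships only the
# digests derived from it, never these strings; that is the whole trick.
_DEMO_TARGETS = ["example.com", "example.org", "example.net"]


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# What actually ships inside the extension: a set of hex MD5 digests.
EMBEDDED_HASHES = frozenset(md5_hex(d) for d in _DEMO_TARGETS)


def host_variants(host):
    """Forms of a hostname the matcher tries. Assumption for the demo: the
    host is hashed as-is and, if it starts with 'www.', with that stripped."""
    host = host.lower().rstrip(".")
    yield host
    if host.startswith("www."):
        yield host[4:]


def is_target(url, hashes=EMBEDDED_HASHES):
    """Extension side: hash the visited host and test set membership.
    No domain string is ever compared, so grepping the extension finds nothing."""
    host = urlsplit(url).hostname or ""
    return any(md5_hex(v) in hashes for v in host_variants(host))


def recover_targets(hashes, candidates):
    """Analyst side: MD5 is one-way, but the input space (domain names) is
    small and guessable, so hash a candidate list such as a top-sites ranking
    and keep the collisions. Returns {digest: domain} for each hit."""
    recovered = {}
    for cand in candidates:
        for v in host_variants(cand.strip()):
            d = md5_hex(v)
            if d in hashes and d not in recovered:
                recovered[d] = v
    return recovered


def unresolved(hashes, recovered):
    """Digests the candidate list did not explain; these need a bigger wordlist."""
    return sorted(set(hashes) - set(recovered))


# Constructed stand-in for a top-sites list (deliberately missing example.net).
CANDIDATE_SITES = ["google.com", "example.org", "www.example.com", "wikipedia.org"]

if __name__ == "__main__":
    hits = recover_targets(EMBEDDED_HASHES, CANDIDATE_SITES)
    print("recovered:", sorted(hits.values()))            # ['example.com', 'example.org']
    print("unresolved:", unresolved(EMBEDDED_HASHES, hits))  # one digest, md5('example.net')
    print(is_target("https://www.example.com/shop?id=1"))    # True
    print(is_target("https://google.com/"))                  # False
```

The recovery step is worth automating whenever you find a hashed target list in malware: because the candidate set is tiny compared to the hash space, a list of a few hundred thousand domains resolves most entries in seconds, and whatever stays unresolved tells you the wordlist needs other spellings (subdomains, country TLDs) rather than that the hash protected anything.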

  • TOWL - Telemetry over Opportunistic WiFi Links: Cool project in which the author builds a LoJack-style tracker for his car. It connects to open wifi access points it passes and beacons the vehicle’s location by tunneling the data over DNS, which gets it past captive portals, and it manages to associate and beacon at freeway speeds of 60 mph.
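As an added example of the DNS-tunneling half of a beacon like TOWL’s (my own code, not from the TOWL project), the Python below packs a position fix into a query name under a zone whose authoritative server the beacon owner runs, and shows the decoder and de-duplication that server would apply. The zone t.example.net, the record layout, and the sample fix are assumptions made for the demo.

```python
import base64
import struct

ZONE = "t.example.net"   # hypothetical zone whose authoritative nameserver we control
MAX_LABEL = 63           # RFC 1035 limit per label
MAX_NAME = 253           # practical limit for a full name in presentation form

# Record layout (demo assumption): seq u16, unix time u32, lat/lon as signed
# micro-degrees (i32 each), speed in mph (u8). 15 bytes -> 24 base32 chars.
RECORD_FMT = "!HIiiB"


def pack_record(seq, ts, lat, lon, speed_mph):
    """Serialize one telemetry sample into a fixed 15-byte record."""
    return struct.pack(RECORD_FMT, seq, ts,
                       int(round(lat * 1e6)), int(round(lon * 1e6)), speed_mph)


def unpack_record(blob):
    """Inverse of pack_record; raises struct.error on a wrong-sized blob."""
    seq, ts, lat, lon, speed = struct.unpack(RECORD_FMT, blob)
    return {"seq": seq, "ts": ts, "lat": lat / 1e6, "lon": lon / 1e6,
            "speed_mph": speed}


def encode_qname(blob, zone=ZONE):
    """Turn a record into a query name under our zone.

    Base32 rather than base64 because DNS names are case-insensitive and
    resolvers may rewrite label case (0x20 randomization), so the encoding
    has to survive case folding. Padding is dropped and restored on decode."""
    b32 = base64.b32encode(blob).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    qname = ".".join(labels + [zone])
    if len(qname) > MAX_NAME:
        raise ValueError("payload too large for one query name")
    return qname


def decode_qname(qname, zone=ZONE):
    """Recover the record bytes from a query name as seen by the zone's nameserver."""
    qname = qname.lower().rstrip(".")
    suffix = "." + zone
    if not qname.endswith(suffix):
        raise ValueError("query is not under our zone")
    data = qname[:-len(suffix)].replace(".", "").upper()
    data += "=" * ((-len(data)) % 8)            # restore base32 padding
    return base64.b32decode(data)               # binascii.Error (a ValueError) on junk


class TelemetryCollector:
    """Server side: decode names as they arrive and drop duplicates.

    Duplicates are normal: stub resolvers retry. The seq field also keeps every
    name unique, which matters because an upstream cache would otherwise answer
    a repeated name itself and the query would never reach us."""

    def __init__(self, zone=ZONE):
        self.zone = zone
        self.seen = set()
        self.records = []

    def ingest(self, qname):
        try:
            rec = unpack_record(decode_qname(qname, self.zone))
        except (ValueError, struct.error):
            return None                         # not ours or malformed
        if rec["seq"] in self.seen:
            return None                         # resolver retry or replay
        self.seen.add(rec["seq"])
        self.records.append(rec)
        return rec


if __name__ == "__main__":
    # Constructed sample: one fix at freeway speed.
    blob = pack_record(seq=7, ts=1470528000, lat=37.7749, lon=-122.4194, speed_mph=60)
    name = encode_qname(blob)
    print(name)                                 # 24 base32 chars, then .t.example.net
    sink = TelemetryCollector()
    print(sink.ingest(name.upper()))            # decodes even after case folding
    print(sink.ingest(name))                    # None: duplicate seq
```

Two caveats a practitioner will want. The beacon only gets through a captive portal that forwards DNS upstream before authentication, which most do but some do not (those that answer every query with the portal’s own address will swallow the beacon). And nothing here is authenticated or encrypted: anyone who can query or observe the zone can replay or forge fixes, so a real deployment should at least append a MAC keyed to the device before encoding.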

  • Xen exploitation part 3: XSA-182, Qubes escape: This post describes a privilege-escalation vuln in the Xen hypervisor’s handling of paravirtualized (PV) guest page tables, and walks through exploiting it from a Qubes OS VM. The main take-away is the conclusion:

“Paravirtualization security is really difficult to guarantee. It introduces very complex code and is highly subject to mistakes. Qubes OS have decided to get rid of paravirtualization and make hardware virtualization mandatory from Qubes OS 4.0”

  • Driver Signing changes in Windows 10, version 1607: Last year Microsoft announced that, with Windows 10, kernel mode drivers would have to be submitted to Microsoft to be signed by them, rather than developers simply signing their drivers themselves. That rule ended up not being enforced, but Microsoft now says it will be enforced in Windows 10, version 1607. Systems upgraded to this version will still load older developer-signed drivers, while fresh installations (with Secure Boot on) will enforce the new rule.

  • Remote Code Execution (RCE) on Microsoft’s ‘signout.live.com’: Microsoft uses Adobe Experience Manager (AEM) for its sign-out service, and AEM unfortunately does not adequately restrict which of its functions remote users can invoke, resulting in RCE. This bug is a reminder to lock down, and where possible put a proxy in front of, third-party services that expose more “features” than you want reachable.