Downclimb

2016.08.21

RSS feed

Downclimb: Summit Route’s Weekly Infosec News Recap
2016.08.14 – 2016.08.21: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“which field would you say is more scientific, astrology or cyber attribution?” Tavis Ormandy

Top stories

Equation Group “hacked”

A massive dump of hacking tools appeared this week, allegedly from the Equation Group (link). Where it’s from, who dumped it, and how it was obtained, isn’t as relevant to defenders as what’s in it. The dump mostly contains exploits and tooling for network firewalls. The dump is believed to be from 2013, so many of the vulns are patched or for older equipment, but it does contain exploits for previously unknown vulnerabilities. Cisco responded to this dump here. There are other vendors affected, including Fortigate, Juniper, and TOPSEC (a Chinese vendor).

Firewalls and networking equipment have had many vulnerabilities identified in them previously, and so this incident reminds us of the importance of:

  • Defense-in-depth (assume your firewall will fail because of a 0-day, misconfiguration by an admin, or other problem)
  • Assume that something upstream will MiTM your traffic (possibly even something within your own environment) so ensure end-to-end encryption
  • Identify all your assets (including network gear) and keep up with patches.

Back during the Juniper router backdoor news of December, 2015, there was some discussion on using multiple firewalls, from different vendors, in series, which is another possible mitigation for some of these issues, although it doubles your expenses both in terms of hardware and needing to know how to configure and maintain them.

Conference materials and publications

  • Black Hat videos: Not all videos, are up, but my favorite is Behind the Scenes of iOS Security. Slides for the talks had been released two weeks ago here.
  • Securing DevOps: New book by Julien Vehent, of Mozilla’s security team, only a quarter finished, but off to a great start, showing how to secure modern web apps, with the example application being a golang app, on AWS, making use of Beanstalk there for auto-scaling. It shows how to integrate security checks in the Continuous Integration of development of the app, and it still has 300 more pages to be written.
  • juliocesarfort/public-pentesting-reports: Public code audits of software from different auditing companies.

Tools

Other reads

  • JetBrains IDE Remote Code Execution and Local File Disclosure: All JetBrains IDE’s (ex. PyCharm and IntelliJ) from 2013 until May 2016, were vulnerable to issues that allowed for malicious sites a user might visit in their browser to read their private code or even obtain RCE. Discovery and reporting of this issue resulted in a $50K bounty.
  • A Defcon 2016 Retrospective: Great write-up on Defcon CTF 2016 that was formatted to allow the Cyber Grand Challenge winner (a computer program) to compete against the human teams. It goes a lot into the strategies employed in a game like this, such as assuming that other teams will steal their patches, so they backdoored their patches, and other teams even when they knew it was backdoored still applied them because those teams decided that although it would let one team score points easily, it would still keep the other teams out.
  • CerberRing: This report from CheckPoint describes a ransomware-as-a-service offering. What I found interesting was the infection beacons home stats by spraying IPs with UDP messages containing this info. The benefit of this technique is it hides the true address of the server, because no response is given or needed for UDP. The researchers were also able to learn a lot about the victims and payments and determined that the highest number of infections and payments was in South Korea, with China and Taiwan also making up a larger portion of the victims.
  • [demo.paypal.com] Node.js code injection (RCE): Bug bounty hunter fuzzes HTTP URL parameters, uses that to identify the platform and library used by demo.paypal.com based on the error messages. From there, the researcher finds a bug in the library (a javascript eval run on the user input) and uses that to get RCE.
  • We found over 10000 bugs in various open source projects: Viva64 are the creators of PVS-Studio, a static code analyzer. One great way they both help the world and get press is by finding bugs in open-source projects using their tool. They run it on big name projects such as Qt, Linux kernel, VirtualBox, LibreOffice, Firefox, Boost, Tor, and other C, C++, and C# code bases. They’ve now found over 10,000 bugs across 262 projects, and are sharing examples of all the different types of bugs they find, which include a number of interesting checks.
  • Multiple Vulnerabilities in BHU WiFi “uRouter”: IOActive post on a Chinese home router containing multiple vulnerabilities and how these were discovered.
  • GPG Patches 18 year old bug libgcrypt RNG bug: The researcher has a pre-release paper on how this was discovered here.
  • Fake Linus Torvalds’ Key Found in the Wild, No More Short-IDs.: Short key IDs (ex. 0x70096AD1), which are 32-bits and used to refer to GPG keys, have been known to be a bad idea for a long time. Twenty years ago this was referred to as the “Dead beef” attack. People are redisovering this exact concern and so some noise was made about fake keys being found in the wild for Linus Torvald and others.
  • On the benefits of real-time: The developer of the open-source LimaCharlie EDR solution describes the benefits and use-case of real-time reaction capabilities of agents.