Downclimb

2016.08.28

Downclimb: Summit Route’s Weekly Infosec News Recap
2016.08.21 – 2016.08.28: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Top stories

iPhone 0-days

A political activist in the UAE received an SMS message containing a link. He took a screenshot of it and sent it to Citizen Lab, which, with the help of Lookout, determined this was a chain of iPhone 0-day exploits. As a result, Apple pushed out a patch for the iPhone this week (CitizenLab link, Lookout link).

My comments:

  • The Citizen Lab article is titled “The Million Dollar Dissident” in reference to iPhone 0-days supposedly being rewarded for $1M by exploit brokers, but take note that if the buyer planned on using this exploit against say 1,000 people (maybe all the attendees to some conference) and if it did cost $1M, then their cost per exploitation would be $1K, which seems much more reasonable. Even if this guy did manage to avoid being exploited, it’s likely many others were not so lucky.
  • Their method of delivery (sending an SMS) seems sloppy. If someone goes through the work of obtaining a valuable exploit, you would think they would use a means of delivery that is less likely to cause concern and allow it to be passed to a security company.
  • Apple once again has decided to patch an exploit on one platform and not others. It is assumed that everyone running macOS is still vulnerable to at least the Safari exploit involved. This is similar to the Airdrop vulnerability that was patched in iOS on September 9, 2015, but not patched in OSX until September 30.

St. Jude Medical shorted by hedge fund with announcement of security issues

St. Jude Medical makes cardiac devices, such as pacemakers, and is planned to be purchased by Abbott Laboratories. Carson Block is a renowned short-seller and founder of research firm Muddy Waters. MedSec is a company of security researchers that identified vulnerabilities in St. Jude’s devices, and approached Muddy Waters to tell them about their findings so that Muddy Waters would short St. Jude and give MedSec a cut of the profits (link).

This strategy is likely legal. It is only viable against device companies that will be legally required to patch their equipment and have to physically recall their devices to do so. So this limits the types of companies that could be impacted by this strategy.

It caused the stock, which has a beta of 1.05 (meaning it normally doesn’t make big swings out of line with the market average) to drop 5%, and it went from an average trade volume of 1.8M/day for the prior month to 33M on the day of the announcement. So this strategy likely was profitable.

This strategy of shorting companies prior to announcing security vulnerabilities had previously been discussed and planned by weev (an infamous Internet troll) in 2014 with the hedge fund to be named TRO LLC, but seems to have never been developed (link).

Opera server breach incident

The Opera web browser’s sync servers, which store the encrypted passwords and usernames used by users to automatically log into sites, were breached (link). As has been seen in Tavis Ormandy’s recent vulnerability research against password managers such as Dashlane and LastPass, it is best to avoid using password managers that integrate with browsers and sync remotely.

Conference materials and publications

  • HITB GSEC Slides: This conference took place in Singapore this week. One interesting talk is Look Mom, I don’t use Shellcode from @moritzj, which includes discussion of IE God Mode, a trick from 2014 where you could flip a byte to allow your JavaScript to run outside of the browser against the host. This was protected, but moritzj discovered that in Windows 10 this protection had disappeared, which according to Microsoft was due to an internal compiler change. It’s important to continuously validate assumptions about some protections, especially ones that are low-level and can be affected by compiler changes. moritzj was awarded $100K for this and the rest of his work in that presentation.
  • Linux Security Summit slides: Conference from this week in Toronto.
  • BSides Las Vegas videos: Conference from early August in Las Vegas.

Tools

  • talos-vulndev/TalosIntelPtDriver and FuzzFlow: Talos has released a driver that implements the Intel Processor Trace functionality in Intel Skylake architecture for Microsoft Windows, along with a fuzzing management system. Neither has much documentation on usage yet.
  • dhs-ncats/pshtt: A tool apparently from the Department of Homeland Security to push large organizations (i.e. the .gov) to adopt HTTPS by helping to check some HTTPS settings, similar to SSL Labs.
  • Observatory by Mozilla: Tool from Mozilla to check the HTTP security headers of a site, similar to securityheaders.io.

Other reads

  • Click File, App Opens: reversing os x’s launch services, to understand ‘document handlers’: Patrick Wardle digs into new macOS malware ‘Mac File Opener’, which persists by registering itself as the default file handler. This technique is not as reliable as other methods, but as long as the user opens files after reboots, this will get execution. One benefit of this technique is that malware detonation environments won’t detect it.
  • sweet32: A new crypto issue was disclosed this week. The mitigation is not to use 3DES or Blowfish, as they use block sizes of 64 bits. OpenVPN defaults to Blowfish. It’s already been well-established that old ciphers shouldn’t be used, so nothing new here for most defenders.
  • ERNW Hardening OS X El Capitan: Guide to locking down macOS.
  • Bake your own EXTRABACON: Post about taking one of the exploits from the Shadow Brokers dump and extending it to new versions.
  • German federal police hacked terror suspects’ Telegram accounts by intercepting SMS code: German police registered their own devices to suspects’ Telegram accounts, whereupon Telegram sends the suspect an SMS with an authorization code. The German police can intercept this SMS, enter the verification code, and register their own device. We are reminded once again that SMS is as bad as using unencrypted HTTP to send confidential info.