Downclimb

2016.09.04

Downclimb: Summit Route’s Weekly Infosec News Recap
2016.08.28 – 2016.09.04: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“Pros own the infrastructure around the target / deliver the payload silently (avoiding headlines)” haroon meer

“People that need their software to work in order to make money invest more into engineering than those who don’t. Think about that next time you buy enterprise security software. Unless you pay only after it has stopped attacks ;)” thegrugq on malware authors A/B testing, localizing and testing their work before deployment

“Once you have found something you really like, you’ll become good at it and eventually you’ll find your own audience.” @angealbertini

Top stories

How to steal any developer’s local database

This post describes how a malicious website can use DNS rebinding to access locally hosted Redis, Memcached, and ElasticSearch databases (link). This technique bypasses the same-origin policy restrictions that browsers are supposed to follow, allowing for the exfil of information. There is a generic problem of malicious sites being capable of accessing local resources (localhost) or bouncing through the browser to the local LAN. For example, a few weeks ago we saw the JetBrains IDE RCE which involved similar activities (link). In theory, services only accessible locally on your system or network should not be accessible to the outside world, but this assumption is being proven incorrect and I’m not aware of a good generic solution to it.

Password breaches

The Identity and Access Management (IAM) company OneLogin was breached (link), but only one product of theirs is believed to be affected (Secure Notes). The key take-away is to ensure that secrets (in this case user passwords) stay out of logs, since it doesn’t matter how much hashing or encryption is used to store these in the place they are meant to be stored if they can be acquired elsewhere. Further, access to logs should be limited to employees that need to access them.

Similar to last week’s Opera syncing issue, news of a vulnerability in the Yandex browser’s syncing was disclosed in the post CSRF Vulnerability in Yandex Browser Allows Attackers to Steal Victim’s Browsing Data from Netsparker. This would have allowed an attacker to steal login info for different sites for any users of the Yandex web browser that sync their passwords.

This week also saw hashed password dumps from last.fm (link) and DropBox (link) for breaches that occurred in 2012. It’s odd that a number of breaches from 2012 are all being exposed in 2016.

PEGASUS iOS Kernel Vulnerability Explained

SektionEins discusses the recent iPhone 0-day (link). No samples have been made available and little public information, so in order to investigate, they first use their own private jailbreak so they can dump the kernel memory. Then they update and dump the memory again, and compare the diffs.

This issue has also been patched on OSX this week, which has remained vulnerable after iOS was patched last week. Apple does a lot of things right for security, but it’s proclivity to leave one platform vulnerable to exploitation for weeks after its other platform is patched is frustrating for security teams. A fundamental rule of security is to keep up with patches, because once a patch is out, it can be reversed, understood, and weaponized (as SectionEins has just shown, although they did not weaponize it). This has been evidenced in Windows, as there is a race to reverse the Patch Tuesday patches, and this problem is also the reason why Microsoft releases it’s patches on a specific day, so security teams can schedule it. Apple’s delays give attackers time to leverage the existing patches.

Conference materials and publications

CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy: This paper from Google makes the case that CSP (Content Security Policy for mitigating XSS) is not improving the security of sites. The main point of the paper is to advocate the addition of nonces to CSP, similar to CSRF nonces. Some stats:
- Across 1.6M sites, there are 26K unique policies, of which 95% are trivially bypassable, meaning an attacker can use automated methods to find end-points for subverting the policy.
- 10% of policies are in report-only mode. The paper doesn’t explain why, but I’ll contend that although it is partially because sites are concerned about breaking their own functionality, it is also largely due to wanting to avoid losing customers that have browser plugins (usually adware) that break these policies and would result in those customers being blocked, and thus lost revenue.
- 88% of the policies use the ‘unsafe-inline’ keyword, which subverts these policies. This is due to popular web frameworks violating these policies, such as Google’s own Angular.
- Of the 15 top third-party domains with end-points that result in CSP subversion, 8 are Google domains. Most of the domains are for hosting static content (ex. jquery) or analytics. Although the paper advocate nonces, it could be argued that Google could additionally greatly improve CSP security by fixing their own sites.
- Their automatic policy analysis tool is not yet available, but that also would be greatly improve how people use CSP.
Infiltrate 2016 videos: This conference from April in Miami has posted a few of their videos. Slides for all talks are are here.
- Automatic Root Cause Identification For Crashing Executions - Sean Heelan
- All Your Browsers Are Belong To Us - Benjamin Watson