Downclimb

2016.09.25

Weekly infosec news summary for 2016.09.18 – 2016.09.25

Quotes

“Days since last integer overflow accident: -2,147,483,648” Alan Grow

“Some vendors build “toothbrush/toilet brush hybrids”, something that in theory can replace 2 tools with 1, but in real life won’t be used…” Anton Chuvakin

“Fuzzing results are the ore from which vulnerability reports can be smelted. Without a smelting process you mostly have a big pile of rocks.” Allen Householder

Top stories

Password storage

This week we saw yet another database dump of password hashes, this time 500M from Yahoo. Dropbox described it’s own process for storing database hashes (link), which has some good advice such as encrypting the hashes as opposed to hashing in a pepper. This spawned some discussion, which advised that you should store these hashes in a separate database and have an authentication service for making the comparisons.

Let’s take a step back though to understand what is being protected and against what. If an attacker has access to your database, the password hashes should not be the most valuable secrets you’re protecting. The attacker likely wants access to the data about the users which is directly accessible, or perhaps the attacker may wish to login as those users to more easily have the data presented to them, which they likely can do by using the session data that also is directly accessible.

Password hashes are useful from an attackers perspective for accessing user’s data in other services where they likely have reused their passwords, but it’s odd that companies bother to do this hashing at all. Hashing passwords is only helpful to users for the security of their accounts on other sites. It doesn’t do anything for the security of the company itself.

Haroon Meer pointed out:

“Looking at "large breaches" it’s worth noting that credit card & account theft mainly becomes public because of the nature of whats stolen.”

Password hashes get cracked and used against other sites to compromise accounts there, and credit cards made fraudulent purchases. Both of these actions are quickly identified and usually quickly traced back to the source of the problem (which company was hacked). Companies disclose these breaches because they are forced to because it becomes public knowledge that the breach happened.

Examining the costs and causes of cyber incidents

RAND used data from 12,000 cyber incidents recorded between 2004-2015, using the same data used by cyber insurers, which is biased toward incidents involving legal cases, but nonetheless is extensive and provides more precise numbers than things like estimated losses from stolen intellectual property (link). Some relevant quotes:

“we find that the cost of a typical cyber incident in our sample is less than $200,000 (about the same as the firm’s annual IT security budget), and that this represents only 0.4% of their estimated annual revenues.”

“we find that cyber incidents cost firms only a 0.4% of their annual revenues, much lower than retail shrinkage (1.3%), online fraud (0.9%), and overall rates of corruption, financial misstatements, and billing fraud (5%).”

The paper concludes with the following statement regarding how cyber security is likely to be improved:

“It is conceivable that the primary motivation may come from the cyber insurance industry through its use of incentive-based reductions in premiums (or deductibles). Indeed, with over 70 carriers offering cyber insurance policies (based on conversations between the author and Advisen representatives), and an estimated $2 billion in US premiums (Romanosky 2015), insurance companies may already be driving a de facto national cyber security practice across insureds.”

Conference materials and publications

REcon videos: REcon is a conference focused on reverse engineering in Montreal in mid-June.

Tools

Cappsule: A hypervisor from Quarkslab to virtualize any software on the fly into lightweight VMs. Similar in some ways to Qubes OS, but is more user friendly by integrating with Ubuntu 16, while not pursuing to guard against some of the threats Qubes mitigates.
Hex-Rays Plug-In Contest 2016: The maker of IDA Pro posted the results of their annual plugin competition. This year’s winner was Ponce from Salesforce to add symbolic execution.