Downclimb

2016.10.16


Weekly infosec news summary for 2016.10.09 – 2016.10.16

Top stories

Broken crypto in ransomware

The first golang ransomware was discovered (link), which isn’t that interesting as ransomware can be written in any language, but golang is known for having solid crypto libraries, making it easier to do crypto correctly. This ransomware, like many, still managed to do its crypto poorly. Ransomware is interesting in how often it messes up its crypto; usually the failure is in key management, which is the hardest part of crypto. Crypto is a solved problem for most use cases, specifically those needed by ransomware. Ransomware only needs to do crypto well enough to be profitable, though. End-to-end crypto in things like email, or securely implementing DRM technologies for businesses keeping track of their documents, are also mistake-ridden, but those mistakes don’t provide as immediate a feedback cycle as ransomware does. Jeremiah Grossman made the observation:

“Thought: Soon cyber-criminals will get better than us at encrypting ‘our’ data at rest. #ransomware”

Conference materials and publications

Tools

  • google/fuzzer-test-suite: This is a set of tests (benchmarks) for fuzzing engines (fuzzers), so that fuzzers can be compared and tested.

Other reads

  • Cyber: Ignore the Penetration Testers: The grugq gives a good explanation of the actual teams required in performing the actions of an APT. It also includes key insights such as “An APT is literally the instantiation of a nation state’s will. It is not a toolchain.”
  • Compromised eCommerce Sites Lead to “Magecart”: A number of ecommerce sites were found to have JavaScript keyloggers added to them. It appears the underlying CMS platforms were hacked.
  • Windows Troubleshooting Platform Leveraged to Deliver Malware: Proofpoint uncovered a new technique from attackers against Windows, using Windows Troubleshooting Platform (WTP), which is intended for troubleshooting problems, to trick users into executing malware.
  • GlobalSign certificate error means top websites marked as unsafe: The Certificate Authority GlobalSign accidentally added an intermediate CA certificate to its OCSP database, resulting in many top sites (such as Wikipedia) being marked as unsafe by browsers. This incident highlights the need for companies to be able to quickly roll their certs, potentially moving to a different CA, whether it is due to a compromise or, as in this case, due to a mistake by the CA.

To receive a weekly email notification of this newsletter, email scott@summitroute.com