Weekly infosec news summary for 2016.10.16 – 2016.10.23
A massive DDoS hit the Internet on Friday, going after Dyn DNS and resulting in problems for Twitter, Amazon, Tumblr, Reddit, Spotify, Netflix and many more (link). The DDoS involved IoT devices, such as DVRs and video cameras, with default passwords that had been taken over. In 2001-2003, various worms ran rampant on Windows systems, resulting in Microsoft Windows becoming more secure, and people putting firewalls, or at least routers for NATing, in front of their systems. It's surprising that so many devices are Internet accessible, and hopefully this will result in greater protections for these devices. For defenders, it's important to firewall off these devices and recognize their poor security. This event also points out the need to take your DNS into account in your runbooks, to understand your own site's dependence on different DNS providers.
Some comments on the event:
"In a relatively short time we've taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters." Jeff Jarmoc
"Y'all, today is your Tech Snow Day. Do that risky maintenance. Try that spicy deploy. Blame everything on DNS." @alicegoldfuss
A privilege escalation exploit for Linux used in the wild was discovered by extracting the binary from a pcap that was collected from traffic going to a server (link). Exploits are publicly available (link). The vuln has been around for 9 years and impacts most systems.
In contrast to the often mentioned Zerodium exploit prices of $1.5M for an iOS exploit and only $200K for an Android exploit, COSEINC's PWN0RAMA is offering $700K for a full Android exploit and only $500K for iOS. These price differences potentially reflect different buyers and targets, or the "supply" of the exploit vendor (meaning perhaps COSEINC already has iOS exploits and so getting more isn't as important). The pricing also shows a number of "bonuses", as a basic Safari exploit on the iPhone is only $60K. In order to get the full $500K you would need the basic exploit ($60K) + escape to kernel ($140K), and it needs to be reliable, fast, generic, and provide persistence. It's important to understand that an exploit that works poorly and doesn't have a kernel escape or persistence would still be just as devastating to the victim, yet it only pays out $60K, instead of the full $1.5M that is supposedly possible from Zerodium. Although perhaps fewer people would be willing to sell to COSEINC, someone with a less capable exploit chain might.
DNC hack and DKIM validation
The DNC had been hacked due to phishing (link) and their emails dumped. There has been some questioning of whether some of the emails were doctored. Luckily, DKIM can help answer that question for some of the emails as it provides some cryptographic proof (link). However, as these types of dumps happen in the future, it may become common practice to try to manipulate these as well, which would require getting access to more than just the email dumps. I believe we can expect vulnerability discoveries and advances in email signing technologies such as S/MIME and DKIM as a result of these continued dumps.
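As an added example (not code from the original post), here is the body-hash half of the DKIM check described above in Python: the body is canonicalized per RFC 6376 and hashed, and the result is compared with the signature's bh= tag, so a doctored body fails while cosmetic whitespace re-wrapping still passes under relaxed canonicalization. The message, domain and selector are constructed; the RSA signature over the headers (b=) is not verified here, so this shows only the tamper-evidence for the body, not who signed it.

```python
import base64
import hashlib
import re

def canonicalize_body(body: str, mode: str) -> bytes:
    """RFC 6376 section 3.4 body canonicalization, mode "simple" or "relaxed"."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":  # strip trailing WSP, collapse WSP runs to one space
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":  # both modes drop trailing empty lines
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode()

def parse(raw_email: str):
    """Split headers from body; unfold DKIM-Signature and return its tag=value pairs."""
    raw = raw_email.replace("\r\n", "\n")
    headers, _, body = raw.partition("\n\n")
    m = re.search(r"^DKIM-Signature:(.*)$", re.sub(r"\n[ \t]+", " ", headers), re.M | re.I)
    if not m:
        raise ValueError("no DKIM-Signature header")
    tags = {k.strip(): re.sub(r"\s+", "", v) for k, _, v in
            (item.partition("=") for item in m.group(1).split(";"))}
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"  # body half defaults to simple
    return raw, body, tags, body_mode

def expected_bh(body: str, mode: str) -> str:
    """bh= is base64(SHA-256(canonical body)); only a=rsa-sha256 is handled here."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()

def body_hash_matches(raw_email: str) -> bool:
    """True if the bh= tag agrees with the body as received (b= is not verified)."""
    _, body, tags, mode = parse(raw_email)
    return tags.get("bh") == expected_bh(body, mode)

def stamp_body_hash(raw_email: str) -> str:
    """Fill in an empty bh= tag, standing in for the signing mail server."""
    raw, body, _, mode = parse(raw_email)
    return raw.replace("bh=;", "bh=" + expected_bh(body, mode) + ";", 1)

# Constructed sample (not from any real dump); b= is blank since it is not checked here.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel;
 h=from:subject; bh=; b=
From: alice@example.org
Subject: meeting

Let's  meet at 10.
"""
```

Running `body_hash_matches(stamp_body_hash(SAMPLE))` returns True, and the same call on a copy whose body text was edited returns False.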
- New proposed rules from banking regulators: The three federal banking regulatory agencies (the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency) announced an advance notice of proposed rulemaking (ANPR) inviting comment on a set of potential enhanced cybersecurity risk-management and resilience standards that would apply to large and interconnected entities under their supervision. This would apply to holding companies with total consolidated assets of $50 billion or more, and would also apply to some degree to their partners as well.
Conference materials and publications
- PoC||GTFO 0x13: Of interest in this release is an article by James Forshaw on race condition exploitation.
- Hack.lu Videos: Conference in Luxembourg in October.
- google/csp-evaluator: CSP Evaluator, from Google, checks if a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks.
- hardenize.com: From Ivan Ristic (creator of SSL Labs for testing SSL configs) and Scott Helme (creator of securityheaders.io for checking HTTP headers) comes a single site that combines these and other checks.
- Security baseline for Windows 10 v1607 (“Anniversary edition”) and Windows Server 2016: Microsoft has released tools for locking down Windows further for environments with greater security goals.
- Securing Windows Workstations: Developing a Secure Baseline: This contains a collection of steps to lock down Windows to take advantage of various tools.
- Heappie: Open-source tool from Core Security for visualizing memory for the purpose of tracking heap sprays.
- VeraCrypt audited: VeraCrypt is a fork of TrueCrypt for full-disk encryption on Windows or for creating encrypted images to mount and store data in. For full-disk encryption it's easier to just use BitLocker or, on Macs, FileVault. However, depending on configuration, this can potentially expose you to the risk of Microsoft or Apple being able to decrypt your laptop; on the other hand, both BitLocker and FileVault leverage the system's TPM, which VeraCrypt and TrueCrypt do not (the benefits of this can be argued). Using VeraCrypt or TrueCrypt to create an encrypted, mountable image is a good use case though. The link goes to an audit of VeraCrypt, which found the use of old compression libraries, and found that VeraCrypt had decided to add support for the Russian GOST crypto algorithms but mistakenly added weaker versions of the algorithms.
- Update 2016.10.24: I've been told FileVault does not use the TPM.
- Case 140: Heartbleed: Fun fable about why Heartbleed happened. The site contains many other thought provoking stories.
- Analysing the NULL SecurityDescriptor kernel exploitation mitigation in the latest Windows 10 v1607 Build 14393: Explanation of a new security mitigation in Windows 10 to avoid privilege escalation.
- Mass fingerprint case: In California, in May, law enforcement had a warrant requiring everyone on the premises to use their fingerprints to unlock their phones. The case argues that taking fingerprints is legal, so requiring suspects to unlock their phones using their fingerprints is legal.
- Dropbox/LinkedIn/Formspring hacker indicted: A Russian man was arrested in the Czech Republic and accused of having been responsible for some of the recent breaches we've seen in the news. The indictment mentions that the hacker impersonated employees in order to get access to the data, so these database dumps were not the result of SQL injection, but were the result of either phishing or laptop compromises.