Weekly infosec news summary for 2016.10.30 – 2016.11.06
"Two most difficult aspects of pentesting isn't getting access; it's 1.) Conveying accurate & useful reports with great mitigation strategies and 2.) Mimicking and compressing everything a real world attacker has several months to do in a time span of a 1 to 2 week" Greg Linares
"Everybody has a testing environment. Some people are lucky enough to have totally separate environment to run production in." @stahnma
Britain's National Cyber Security Strategy 2016 to 2021
The 84 page National Cyber Security Strategy 2016 to 2021 sets out the British government's plan to make secure the Internet for businesses and people in the UK (link). This plan nearly doubles the amount of funding to over $2B over the previous 4 years. A lot of the plan includes your standard fluff about improving education, information sharing, working with organizational bodies to promote security, etc. However, there are some more concrete areas they've identified as well, which are expanded on further in a post by Ian Levy, the GCHQ's current Technical Director of Cyber Security (link). These include:
- Notify users who are running out-of-date browsers.
- Invest in technologies like Trusted Platform Modules (TPM) and emerging industry standards such as Fast Identity Online (FIDO).
- Changing the implementation of the BGP and SS7 protocols so we "can stop trivial re-routing of UK traffic". "The SS7 hardening work should allow us to make traffic re-routing harder but also to make smishing (that's phishing over text message if you've not heard of it) harder in the UK for certain SMS." What they're saying here implies that they are seeing SMS message spoofing.
- Ian Levy writes "The current advice given to people 'don't open an attachment or click a link in an email unless you trust it' is dumb." To make email better trusted he mentions both DMARC and "a reputation system for email domains and addresses, run by the industry"
- They mention running a DNS filtering service that users can opt out of.
- Provide a 'WebCheck' service. "This is a relatively simple web vulnerability scanning service that we'll provide for free to all public sector organisations."
- "We want to build reputation services to help digital service owners make transaction risk decisions. Initially this service will give reputation information for IP addresses connecting to the service and credentials that are used, but we're looking to extend that over time."
- "We're also looking to experiment on government with novel cyber security techniques and capabilities. One example is a software agent that runs at low privilege on a government workstation and sends metadata back to a central processing facility for analysis. The question is can you detect unknown attacks and exploits using this sort of technique?"
- "We're still going to do things to demotivate our adversaries in ways that only GCHQ can do"
Ian Levy's post closes with "It's time to stop talking about what the winged ninja cyber monkeys can do and start countering in an automated way the stuff we see at massive scale that causes real damage to citizens and businesses alike every day."
Moving Beyond EMET
It's been rumored for a while, and now publicly announced, that Microsoft is no longer supporting EMET in their post Moving Beyond EMET. EMET was first released in 2009 and was a stop-gap for helping some applications to take advantage of Windows mitigations and additionally adding some ROP mitigation hurdles. I reversed and wrote extensively on EMET in 2013 in my paper EMET 4.1 Uncovered. Depending on the application and exploit, EMET's protections could always be bypassed, leading some pentest shops to seek 5 minutes of fame by announcing their bypasses.
EMET's usefulness has declined, largely by common applications now being compiled with modern defenses, the decline of Java and Flash, and the addition of sandboxing to browsers. Additionally, there are modern mitigations such as Control Flow Guard, that EMET can't add on, as this needs to be added at compile time. Much of the original team for EMET has also left Microsoft to start Veramine.
There are some capabilities of EMET such as the ROP mitigations that although they are bypassable, introduce hurdles to attackers, and help protect older applications, so EMET still has value, but it's usefulness has been declining.
Conference materials and publications
- Ruxcon slides: Conference in Melbourne, Australia from October.
- SaintCon videos: Conference in Utah, from October.
- Microsoft Build 2016 videos: Microsoft conference from back in March in San Francisco.
- Black Hat EU slides: Conference this past week in London.
- Tesla sued for criminal hacking: In this crazy story, the CEO of an oil company allegedly sent a fake email from the account email@example.com to the CFO of Tesla trying to get proprietary information. What makes the story interesting is someone associated with Telsa then allegedly hacked into the CEO's Twitter account. To do so they sent someone to a near by Best Buy to use one of their computers in order to break into the Twitter account. Although alleged, access to the Twitter account from the IP of the Best Buy was made, so someone got in.
- Return Flow Guard: Tencent provides some information on a new mitigation added to Windows 10 last month called Return Flow Guard, that builds on Control Flow Guard.
- Trident vulnerabilities: All the technical details in one place: This massive report from Lookout covers the three vulnerabilities and persistence mechanism used by the Pegasus attacks which were 0-days for iOS.
- TLS 1.2 comes to Mono: Posted a month ago, this announcement is both great news and horribly disconcerting. Mono is the open-source implementation of C#, and TLS 1.2 came out in 2008. The official C# project from Microsoft didn't get TLS 1.2 until 2012 with the release of .NET 4.5, which is also worrying that it took so long, but especially disconcerting that this open-source alternative has just now incorporated it.
- Gentoo updates vulnerable to MiTM: Gentoo downloads, but does not verify the GPG signatures of it's updates.
- Stuck in Traffic with J Wolfgang Goerlich: I just discovered these videos that are put out every few days to discuss some aspect of infosec or recent infosec news from more of the CISO perspective. There is a podcast and other ways of receiving these videos as well.
- Bypassing Two-Factor Authentication on OWA & Office365 Portals: This post shows how to bypass 2FA on Microsoft's email service. You still need to know the username and password, but don't need to use the second form of authentication, by using the service's API as opposed to it's UI.
- Malicious Email Mitigation Strategies: The ASD (Australia's version of the NSA) released a document on email mitigation. Normally, the ASD provides great advice (for example their Strategies to Mitigate Targeted Cyber Intrusions), but in this case, I think they're out of touch.
The ASD's advice assumes you have complete control of the entire email infrastructure your employees will be using, which may work on some government systems, but most businesses allow (or aren't capable of not allowing) employees to access personal email. There is no guidance for that reality, and that's as big a source of attacks as work email is. This is especially true today after so many online services have been hacked and their databases of emails made available. Need to know the personal email addresses for all of them employees at a company? There's a breach for that. Need to know all of their varied interests so you can write artisanal hand-crafted target specific phishing? There are many breaches for that, by taking the personal email found previously, searching the other dumps for it, then looking at the public information of their user account on these services to find their favorite music, etc.
We can see this in effect with the 0-day Google recently dropped against Microsoft (link), which caused some uproar from the usual participants in the disclosure policy debate. What's interesting though is this 0-day was being actively used by Strontium (Russian APT that targets governments). So how did Google come into possession malware targeting governments? The grugq points out that Google was likely scanning gmail attachments and came across it (link). If so, this would likely mean that it came in to someone's personal email account, since I don't believe many government's allow Google for Work email (ie. G Suite, Google's recent renaming). That's a chain of assumptions on my part I'll admit, but there are other cases of infections into businesses occurring through personal email.
To receive a weekly email notification of this newsletter, email firstname.lastname@example.org