Weekly infosec news summary for 2016.11.06 – 2016.11.13

Quotes

“Easily improve a Red Team: Require final report that avoids documenting gratuitous success and values documenting attacker friction instead.” Ryan McGeehan

Business

• Synopsys acquired Cigital: Synopsys mostly does business with semiconductor companies. Cigital provides services for identifying and preventing vulnerabilities.

Conference materials and publications

• How You Actually Get Hacked – Ben Hughes at PuppetConf 2016: Ben gives realistic advice about securing businesses, such as the importance of using 2FA before putting grsecurity on your servers.

Tools

• slackhq/go-audit: Apparently not publicly announced yet, but many of us who knew about this tool have been waiting for a year to get it (with a recurring weekly calendar event telling us to check if it’s out yet). This allows you to log auditd information in a usable way. auditd is a configurable Linux service that allows you to log information about file accesses, process executions, and more. The logs of auditd are nearly unusable though, so this tool makes them usable.
• TheHive: Open source incident response platform from the CERT-BDF, a team that handles security incidents that could impact the French central bank. It’s basically a case management system (ticketing system) focused on the IR workflow.
• mempodippy/vlany: Extensive, open source, LD_PRELOAD rootkit for Linux.

Other reads

• Smashing The Stack For Fun And Profit: Aleph One’s famous phrack article appeared 20 years ago this week.
• Extending linux executable logging with the integrity measurement architecture: FireEye post on a feature of Linux that allows you to capture the filename, PID, PPID, and file hash of every process executed on Linux. When coupled with auditd, this provides valuable information on par with Windows’ sysmon.
• WindTalker: Inferring your mobile phone password via wifi signals: This post describes using wifi signal analysis to identify the 6 digit PIN code entered into a phone, with a recovery rate as high as 68.3%. As of now, it requires control of the access point, the user to be within 1.5m, know when the user is entering their PIN, and one pre-training sample. These can be improved, but there are also many other side channels, such as using audio can supposedly recover PINs with 94% accuracy.
• From Equation to Equations: Report from Antiy Labs about the Equation Group. Antiy Labs is sort of the equivalent of FireEye and CrowdStrike in China, in that it obtains marketing for itself by outing American hacking in the same way those companies out Chinese hacking. Most of its reports are in Chinese and untranslatable by Google Translate or other automated means (the original report came out last week in Chinese, but the translation made it unreadable). In this report, they discuss the Equation Group’s code components that target Solaris and Linux platforms based on samples they discovered. Antiy is an antivirus company in China.
• CIS Apple OSX 10.12 Benchmark: New guidance for securing macOS 10.12 from the Center for Internet Security.
• PwnFest: The Power of Community conference in Korea hosted PwnFest, a contest to exploit various fully patched systems. Three Chinese teams competed, taking down Google’s new Pixel phone ($120K), VMware Workstation ($150K), Microsoft Edge on Windows 10 ($120K), and Safari on macOS ($80K).
• That’s It. I’ve Had Enough!: Kaspersky argues that Microsoft is being anti-competitive against companies with Windows 10. Some of the points may have some validity, but it also shows the effectiveness of Windows’ own antivirus and the rest of its security, that software like Kaspersky may not be needed.
• Addressing recently disclosed vulnerabilities in the Jenkins CLI: There is an RCE vulnerability for Jenkins. No details out yet. Jenkins can accurately be described as RCE-as-a-service. That is the value proposition of the service. RCE is what it does and why you installed it. As such, whether or not there is a vulnerability for it, you need to be careful about who it is exposed to and how you are protecting it. RCE vulns have cropped up in it regularly, and if you run it in such a way that this is a big event, you likely need to rethink your use case and architecture for this reality.

To receive a weekly email notification of this newsletter, email scott@summitroute.com