
Weekly infosec news summary for 2016.11.20 – 2016.11.27


“There’s always conspiracies about the AV industry writing the viruses, but we don’t, we just rename the same ones 300 times.” @MalwareTechBlog


“You were just told state-associated hackers attacked your account. Congratulations! You’ve joined a select club and your work has received recognition. But, probably not of the variety for which you were hoping. According to Google, less than 0.1% of accounts unlock this achievement.” Sergio Caltagirone after Google sent out warnings this week to what is believed to be thousands of journalists and professors that state sponsored actors are attempting to get access to their accounts (link).

Top stories

Syscall Auditing at Scale

Ryan Huber of Slack discusses his tool go-audit (link), a replacement for the auditd daemon that reads the Linux kernel's audit events and writes them out as JSON messages for easy parsing. The kernel audit subsystem records syscalls, so with this you can log every new process created, every file touched, and most any other activity at fleet scale.
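To make the raw-to-JSON step concrete, here is an added example (mine, not go-audit's code) that does in miniature what the paragraph describes: it takes the three records the kernel emits for one execve, groups them by their shared msg=audit(timestamp:serial) id, hex-decodes the fields the kernel escapes (argv entries and proctitle get hex-encoded when they contain spaces, quotes or NULs), and emits JSON plus a one-line summary suitable for a SIEM search. The sample log, the audit rule in the comment, and all function and field names are constructed for this example.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Event is one audit event: all records sharing one msg=audit(ts:serial) id.
type Event struct {
	Serial    string                       `json:"serial"`
	Timestamp string                       `json:"timestamp"`
	Records   map[string]map[string]string `json:"records"` // record type -> key/value fields
}

var (
	headerRe = regexp.MustCompile(`^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$`)
	pairRe   = regexp.MustCompile(`(\S+?)=("[^"]*"|\S*)`)
	hexRe    = regexp.MustCompile(`^(?:[0-9A-Fa-f]{2})+$`)
	hexKeyRe = regexp.MustCompile(`^(?:a\d+|proctitle)$`) // only these get hex-decoded; arch=c000003e is hex too but is a real value
)

// Constructed sample: what the kernel emits for one execve under a rule such as
// `-a always,exit -F arch=b64 -S execve -k exec`. a1 and proctitle are hex-encoded
// because they contain a space (proctitle also has NUL separators between argv entries).
const sampleAuditLog = `type=SYSCALL msg=audit(1479600000.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=0 comm="echo" exe="/usr/bin/echo" key="exec"
type=EXECVE msg=audit(1479600000.123:4567): argc=2 a0="echo" a1=68656C6C6F20776F726C64
type=PROCTITLE msg=audit(1479600000.123:4567): proctitle=6563686F0068656C6C6F20776F726C64`

// decodeValue strips surrounding quotes and hex-decodes the escaped fields.
func decodeValue(key, val string) string {
	if len(val) >= 2 && strings.HasPrefix(val, `"`) && strings.HasSuffix(val, `"`) {
		return val[1 : len(val)-1]
	}
	if hexKeyRe.MatchString(key) && hexRe.MatchString(val) {
		if b, err := hex.DecodeString(val); err == nil {
			return strings.ReplaceAll(string(b), "\x00", " ")
		}
	}
	return val
}

// ParseAuditLog groups raw records into events, preserving first-seen order.
func ParseAuditLog(raw string) ([]Event, error) {
	byID := map[string]*Event{}
	var order []string
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		m := headerRe.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("unparseable audit record: %q", line)
		}
		rtype, ts, serial, body := m[1], m[2], m[3], m[4]
		ev, ok := byID[serial]
		if !ok {
			ev = &Event{Serial: serial, Timestamp: ts, Records: map[string]map[string]string{}}
			byID[serial] = ev
			order = append(order, serial)
		}
		fields := map[string]string{}
		for _, p := range pairRe.FindAllStringSubmatch(body, -1) {
			fields[p[1]] = decodeValue(p[1], p[2])
		}
		ev.Records[rtype] = fields
	}
	events := make([]Event, 0, len(order))
	for _, id := range order {
		events = append(events, *byID[id])
	}
	return events, sc.Err()
}

// ExecSummary flattens an x86_64 execve (syscall 59 under arch c000003e; numbers differ on
// other architectures) into one searchable line, rebuilding argv in order from a0..aN.
func ExecSummary(ev Event) (string, bool) {
	sys, execve := ev.Records["SYSCALL"], ev.Records["EXECVE"]
	if sys == nil || execve == nil || sys["arch"] != "c000003e" || sys["syscall"] != "59" {
		return "", false
	}
	var argv []string
	for i := 0; ; i++ {
		a, present := execve[fmt.Sprintf("a%d", i)]
		if !present {
			break
		}
		argv = append(argv, a)
	}
	return fmt.Sprintf("auid=%s uid=%s exe=%s argv=%q", sys["auid"], sys["uid"], sys["exe"], strings.Join(argv, " ")), true
}

func main() {
	events, _ := ParseAuditLog(sampleAuditLog)
	js, _ := json.MarshalIndent(events, "", "  ")
	fmt.Println(string(js))
	for _, ev := range events {
		if s, ok := ExecSummary(ev); ok {
			fmt.Println(s)
		}
	}
}
```

Grouping by serial matters because a single syscall arrives as several records, and the interesting fields (who ran it, what binary, what arguments) are split across them; the kernel also does not guarantee the records of different events arrive contiguously, which is why the parser keys on the serial rather than on adjacency.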

Hacking 27% of the Web via WordPress Auto-Update

Researchers discovered a vulnerability in the server that WordPress installations pull their automatic updates from (link). Exploiting it would have let them serve malicious updates to every WordPress site with auto-updates enabled: WordPress updates are not authenticated, so a site has no way to distinguish a genuine package from one handed out by a compromised update server. This serves as a reminder of how much trust sits in auto-update infrastructure and why updates should be signed with a key the update server itself does not hold.

Conference materials and publications

  • AppSecUSA videos: Conference in Washington, DC in mid-October.
  • Hacktivity videos: Conference in Budapest, Hungary in mid-October.
  • Utah Mac Managers meeting videos: This monthly meeting in Utah included presentations on using Zentral for event aggregation with osquery & Santa, and what’s new in managing Office 2016 for Macs.


  • Kaitai web IDE: The Kaitai project has been around for almost a year now to visualize the parsing of file formats in hex dumps, but it required a fair bit of setup, including installing Java. They’ve now ported their project to a web IDE. Its file format support is currently far narrower than that of similar tools like 010 Editor.
  • Sysinternals updates: Sysmon v5 has added support for monitoring file creation and registry modifications. Process Explorer adds support for reporting of Control Flow Guard (CFG) status.

Other reads

  • How to write security alerts: I posted an article describing how I write rules for security alerts.
  • Advancing exploitation: a scriptless 0day exploit against Linux desktops: Described as the “hardest exploit I ever wrote”, Chris Evans (@scarybeasts) again this week fully discloses another gstreamer vuln. The exploit is difficult because on the target system (Fedora), gstreamer runs under ASLR and other mitigations, and there is no scripting engine to drive the heap or leak addresses from. Chris works around these mitigations and limitations by chaining a number of exploit primitives.
  • Windows 10 Cannot Protect Insecure Applications Like EMET Can: Post from CERT/CC describing some of the protections EMET provides that Windows 10 does not, as a rebuttal to Microsoft’s reasoning for its decision to end-of-life EMET.
  • Securing Local AWS Credentials: Ryan McGeehan provides some nice AWS IAM policies to enforce 2FA on AWS activities. He also posted this week about Securing Customer Support.
  • Azure bug bounty Pwning Red Hat Enterprise Linux: This article describes an issue with the Red Hat update servers Microsoft hosts in Azure that would have allowed anyone to compromise them. The impact would have been the ability to serve bad updates to any Red Hat server running in Azure, or to withhold updates for new vulns. You don’t often hear about vulns and issues with cloud providers unless AWS bricks the entire eastern seaboard as they do periodically, so it’s interesting to learn the types of security issues cloud providers can have.
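The WordPress item in Top stories and the Azure Red Hat item above share one failure mode: whoever controls the update server controls what clients install, and can also quietly stop serving new releases. As an added example (my own, not code from either write-up or project), here is a minimal signed-update check in Go using the standard library's crypto/ed25519. The release key lives offline and only its public half is pinned in the client, so a compromised server can neither forge a manifest nor swap the package; a monotonically increasing sequence number blocks rollback to a validly signed old release, and an expiry on the manifest makes a server that withholds updates visible as staleness. The Manifest layout, field names and the demo bytes are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest describes one release. The signature covers its JSON encoding, so a
// party controlling the update server can alter bytes but cannot produce a
// manifest the client accepts without the offline signing key.
type Manifest struct {
	Version string `json:"version"`
	Seq     uint64 `json:"seq"`     // monotonically increasing; blocks rollback to a signed-but-old release
	SHA256  string `json:"sha256"`  // hex digest of the package archive
	Expires int64  `json:"expires"` // unix time; the release host must re-sign periodically
}

// SignedManifest is what the server serves next to the package bytes.
type SignedManifest struct {
	Manifest  []byte `json:"manifest"`
	Signature []byte `json:"signature"`
}

var (
	ErrBadSignature = errors.New("manifest not signed by the pinned release key")
	ErrHashMismatch = errors.New("package digest does not match signed manifest")
	ErrRollback     = errors.New("manifest is older than the installed release")
	ErrExpired      = errors.New("manifest has expired; server may be withholding updates")
)

// Digest is the hex SHA-256 the manifest commits to.
func Digest(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// SignManifest runs on the release host that holds the private key, never on
// the public-facing update server.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: b, Signature: ed25519.Sign(priv, b)}, nil
}

// VerifyUpdate is the client side: pub is compiled into the client (pinned) and
// installedSeq is the Seq of the release currently installed.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, pkg []byte, installedSeq uint64, now time.Time) (Manifest, error) {
	// 1. Authenticity: verify before parsing anything the server sent.
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	// 2. Freshness: a server that only withholds releases cannot forge a later Expires.
	if now.Unix() > m.Expires {
		return m, ErrExpired
	}
	// 3. Anti-rollback: a validly signed older release is still rejected.
	if m.Seq < installedSeq {
		return m, ErrRollback
	}
	// 4. Integrity: the package bytes must be the ones the manifest commits to.
	if Digest(pkg) != m.SHA256 {
		return m, ErrHashMismatch
	}
	return m, nil
}

func main() {
	// Constructed demo; in practice priv never leaves the release host.
	pub, priv, _ := ed25519.GenerateKey(nil)
	now := time.Unix(1480000000, 0)
	pkg := []byte("placeholder release archive bytes")
	sm, _ := SignManifest(priv, Manifest{Version: "4.6.2", Seq: 462, SHA256: Digest(pkg), Expires: now.Add(24 * time.Hour).Unix()})
	_, err := VerifyUpdate(pub, sm, pkg, 461, now)
	fmt.Println("genuine update:", err)
	_, err = VerifyUpdate(pub, sm, []byte("backdoored archive"), 461, now) // server swapped the package
	fmt.Println("tampered package:", err)
	_, atk, _ := ed25519.GenerateKey(nil) // attacker re-signs with their own key
	forged, _ := SignManifest(atk, Manifest{Version: "4.6.3", Seq: 463, SHA256: Digest(pkg), Expires: now.Add(24 * time.Hour).Unix()})
	_, err = VerifyUpdate(pub, forged, pkg, 461, now)
	fmt.Println("forged manifest:", err)
	_, err = VerifyUpdate(pub, sm, pkg, 462, now.Add(48*time.Hour)) // same manifest still served two days later
	fmt.Println("stale manifest:", err)
}
```

The order of checks is deliberate: the signature is verified over the raw bytes before they are unmarshalled, so nothing the server controls is parsed until it has been authenticated. Note that the expiry only detects withholding when clients actually check in; it does not replace monitoring of the update server itself.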

To receive a weekly email notification of this newsletter, email