
Weekly infosec news summary for 2016.11.27 – 2016.12.04


"Governments have decreed mass slaughter of potentially infected cattle: surely taking down internet-of-crap devices can be legalized." SkyLined


"Some perspective:
Tomahawk missile: $1.4M
Hellfire: $110K
Firefox 0day: $30k

Some people are worth the 0day." Josh Pitts

Top stories

Shamoon is back

In 2012, malware called Shamoon hit the Saudi Aramco oil company and bricked 30,000 hard-drives on computers there. At the time, flooding in Thailand, where hard-drives are made, had limited the supply of hard-drives, so Aramco flew private jets to Thailand and bought out all the remaining stock. Saudi Aramco is planning to IPO soon in the largest IPO ever, and OPEC just made supply cuts for the first time in 8 years, increasing the price of oil by nearly 9% this week. Shamoon has resurfaced in Saudi Arabia, although the target is unknown. This variant of Shamoon was configured to go off on Thursday night (the start of the weekend in Saudi Arabia), November 17th, so whoever the target was has already been hit. Symantec broke the story here, and more in-depth analysis was provided by Palo Alto here, which dives into the communications, which is relevant in this case and relevant to Palo Alto, who make network equipment; but keep in mind the following comment:

"If you rely on detecting C2, remember that purposefully destructive malware doesn't need to call out." Dan Guido

Report on Securing and Growing the Digital Economy

Back in February of this year, President Obama passed an Executive Order establishing the Commission on Enhancing National Cybersecurity (link) to "make detailed recommendations to strengthen cybersecurity". This week they released their report (link). Unfortunately, the report is almost entirely recommendations to keep doing what you're doing, and convene more meetings. The only worthwhile recommendations I could find in the report were:

  • Recommendation 1.3: Advises increasing the use of strong authentication. This has the specific recommendation of advocating for greater adoption of FIDO.
  • Recommendation 5.1: Advocates for consolidating IT infrastructure, as today every civilian agency (i.e. non-military) procures and manages its own IT infrastructure. A single agency should manage this. "To protect the integrity of this network, the agency should have the authority to modify or remove connected devices, services, or agencies that fail to meet [their] requirements."

In contrast to this report, Britain's National Cyber Security Strategy released last month is a much better plan with specific recommendations.

AWS re:Invent

Amazon hosted its annual event for AWS this past week in Las Vegas where they announced new services and had presentations from AWS employees and customers about how to use different services. The new services most relevant to security are:

  • AWS Shield: A managed DDoS protection service. Their standard AWS Shield service is free, although it's unclear exactly what it will do. Their Advanced protection costs $3K/mo and, among other possible protections, it also acts as an insurance policy of sorts, because AWS will provide credits to subscribers who have to scale and use more AWS resources in response to a DDoS attack.
  • IPv6 Support for EC2: This is important from a security perspective because you can't have private addresses with this. Every address is internet-routable and can talk to the Internet by default, so you'll need to rethink your network security architecture if you use this new feature.


  • Cymmetria offering $1M warranty for APT attacks: Cymmetria makes a deception product and announced an add-on service that will pay up to $1M for damages from APT attacks for customers using their product. No pricing info is provided. We're seeing more cyber insurance being offered in conjunction with security products, which is good, but in most cases the premiums have little correlation to the product, meaning that the insurance would cost you the same whether or not you're using the product. The result is that these announcements are little more than marketing for both the insurance backer and the product, as opposed to there being discounted rates, which would indicate confidence in the effectiveness of the product.

    In this particular case, it is interesting that only APT attacks are covered and only damages. APT attacks often do not incur damages, as normally your costs involve lost IP (which may be difficult to prove) and cleanup.

  • MMC Cyber Risk Handbook: MMC (Marsh & McLennan Companies) is the largest insurance broker in the world by revenue. They released a big report (mostly fluff) related to cyber insurance. The link summarizes that document. One interesting point is that the current cyber insurance market pays $2B annually in premiums.

    Another interesting part for me was learning about the General Data Protection Regulation (GDPR), which was adopted by the EU in April, 2016 and will take effect in May, 2018 (two years later). The insurance world is excited because it requires disclosure of data breaches. This regulation also has severe penalties, with fines of up to EUR 20M ($21M) or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. Note that the percentage is based on turnover (i.e. revenue, not just profit) and is a worldwide figure, not isolated to the country. This is much more aggressive than Europe has been historically. For example, TalkTalk was fined GBP 400K ($509K) for its hack, as the maximum fine for something like this in the UK is only GBP 500K ($636K). Some countries have started putting parts of this into effect already, and the result is that we're starting to find out about breaches happening in Europe, which historically has been quiet about this matter in comparison to US companies.

Conference materials and publications


  • FIRST: Talos's Function Identification and Recovery Signature Tool (FIRST) is an open-source framework for IDA Pro that allows sharing of knowledge about similar functions. As reversers identify functions and provide a name, comments, etc., they can upload the signature of this function along with the metadata they added to a central repo that other reversers can use to quickly identify similar functions.
  • SAMRi10: Hardening tool for SAM Remote Access in Windows 10/Server 2016.
  • CyberChef: GCHQ web app to perform various conversions such as to/from hex and base64.

Other reads

  • New Mirai Worm Knocks 900K Germans Offline: Krebs reports on a new variant of the Mirai worm that has infected 900K German ISP customers' routers. It seems the reason these routers went offline is that the worm was too aggressive in its infections, resulting in crashes. The routers were vulnerable because their management interface is externally exposed. The exploit is more complicated than just providing default creds, but a public PoC is available (here).
  • News from Google's Project Zero: They provide a lot of high quality articles and interesting announcements, which I'll collect here:
  • Early Warning Detectors Using AWS Access Keys as Honeytokens: Komand security shows how to create AWS IAM access keys that can be used as deception traps for detection.
  • Investigating CloudTrail Logs: Ryan McGeehan describes how to collect and investigate the AWS log files that describe all the AWS API calls made in an AWS environment, such as new EC2 instances being created.
  • Neutralize ME firmware on SandyBridge and IvyBridge platforms: This article describes how to remove the Management Engine (ME) from Intel firmware, which is a whole separate computer, including processor, memory, and network access, that has access to manage the rest of the computer.
  • Police 'mug' suspect to get data: In order to get access to a phone without needing to break the passcode, police snatched it out of a suspect's hand while he was on a call. This story highlights an important weakness in device protections: if the device is already unlocked, someone can get access to it. For laptops, there are solutions such as kicking out the power cable to lock the screen (using scriptjunkie's WinTheftProtection).
  • Bypassing Apple's System Integrity Protection: Objective-See shows how to abuse Apple's installers to disable SIP, a problem that is going to be hard for Apple to fix.
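The honeytoken and CloudTrail items above combine naturally: plant IAM access keys that are never used legitimately, then watch CloudTrail for any record carrying one of those key IDs. The following is an added example (not code from Komand, Ryan McGeehan or this newsletter) that runs that check over a constructed CloudTrail file; the key IDs, usernames and IP addresses are made-up placeholders, and a denied call is treated as just as alarming as a successful one, since the point is that the planted key was found.

```python
import json
from collections import defaultdict

# Constructed CloudTrail log in the shape AWS delivers to S3: a "Records" list
# of API events. Key IDs and IPs are placeholders, not real values.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2016-11-30T08:12:01Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "accessKeyId": "AKIAEXAMPLEREALKEY01"}},
    {"eventTime": "2016-11-30T09:40:17Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc",
                      "accessKeyId": "AKIAHONEYTOKENEXAMPL"}},
    {"eventTime": "2016-11-30T09:40:19Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc",
                      "accessKeyId": "AKIAHONEYTOKENEXAMPL"}},
    # Console logins carry no accessKeyId; the parser must tolerate that.
    {"eventTime": "2016-11-30T10:02:44Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

# Key IDs deliberately planted (in a config file, wiki page, repo...) and never
# used by anyone legitimate. Placeholder value, not a real key.
HONEYTOKEN_KEYS = {"AKIAHONEYTOKENEXAMPL"}

def find_honeytoken_use(cloudtrail_json, honeytokens):
    """Return one alert per honeytoken key seen in the records, with the
    earliest eventTime, every (eventName, outcome) pair, and the source IPs."""
    hits = defaultdict(lambda: {"first_seen": None, "events": [], "source_ips": set()})
    for rec in json.loads(cloudtrail_json).get("Records", []):
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key not in honeytokens:
            continue
        hit = hits[key]
        # ISO-8601 UTC timestamps compare correctly as strings.
        if hit["first_seen"] is None or rec["eventTime"] < hit["first_seen"]:
            hit["first_seen"] = rec["eventTime"]
        hit["events"].append((rec["eventName"], rec.get("errorCode", "Success")))
        hit["source_ips"].add(rec["sourceIPAddress"])
    return {k: {**v, "source_ips": sorted(v["source_ips"])} for k, v in hits.items()}

if __name__ == "__main__":
    for key, alert in find_honeytoken_use(SAMPLE_CLOUDTRAIL, HONEYTOKEN_KEYS).items():
        print(f"ALERT honeytoken {key} first used {alert['first_seen']} "
              f"from {alert['source_ips']}: {alert['events']}")
```

In a real deployment the same function would be fed each gzipped CloudTrail object as it lands in S3, and the alert should fire on the first record, not after a batch.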

To receive a weekly email notification of this newsletter, email