Weekly infosec news summary for 2016.12.11 – 2016.12.18
Quotes
“Incentivizing security updates with new emoji is absolutely brilliant. Has anything else had a higher impact on consumer patch rates?” Tim Douglas on Apple’s iOS update including an Avocado emoji along with security fixes
Action items
- Schedule time with your HR department for training related to W-2 phishing scams. Last year these started hitting at the beginning of January and ran until April. Remind those that have access to names and salaries of employees that this information is confidential and should only be provided via approved means. See Kreb’s story Phishers Spoof CEO, Request W2 Forms from last year for more details. Seagate, Snapchat, and more were victims of this scam resulting in the tax refunds of their employees being stolen.
- Register to receive emails every time an SSL certificate is issued for one of your domains, using Facebook’s Certificate Transparency Monitoring mentioned in the Tools section below. This takes 5 seconds and will inform of you possible attacks, or just help keep you informed when you’re Ops team is creating new services.
Top stories
Microsoft Security Intelligence Report (SIR) 21: 1H26
The most interesting part for me of Microsoft’s SIR reports (link) is their “Malware at Microsoft” section where they describe the security stats of Microsoft’s own fleet (their employee computers). This includes 600K devices for 150K users, and their stats are across 1H16 (first half of 2016).
It starts by explaining they average 97.8% compliance, so on average 13K devices are running Windows Defender with signatures that are older than 6 days, or real-time protection is disabled.
“Microsoft IT believes that a compliance rate in excess of 97.8 percent among approximately half a million computers is an acceptable level of compliance. In most cases, attempting to boost a large organization’s compliance rate the rest of the way to 100 percent will likely be a costly endeavor, and the end result— 100 percent compliance—will be unsustainable over time.”
They had about 2.25M threats detected, of which 810K were PUA (Potentially Unwanted Applications). This seems high, as that averages out to more than one threat per user every two weeks. These are however blocked before infection occurs. Interestingly, these are largely .exe threats, and no .pdf, .doc, or .js files in the top 10 file type threats as I would expect. However, in terms of actual infections (threats that were not detected or blocked prior to infection), .doc and .js were the top two threat vectors.
They had what looks like 103 infections, or 0.02% of their devices infected over 6 months.
My favorite quote from the paper was:
“Use AppLocker to block the installation and use of unwanted software such as Java”
Yahoo breach
([link] (https://yahoo.tumblr.com/post/154479236569/important-security-information-for-yahoo-users)) Following on reports from September of half a billion accounts compromised in 2013, Yahoo has now disclosed at least a full billion have been compromised in that breach, with attackers figuring out how to access accounts without even using a password by forging cookies. In this statement, Yahoo discloses “we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies.” This likely means that a secret value used to sign cookies was learned. These values are critical to keep out of code, as code ends up shared fairly widely. It should be ensured that production servers use a different secret value than developers have access to, and this value ideally should be stored in a secret manager (ex. Hashicorp’s vault). I covered much of this in my post from a year ago “Instagram’s Million Dollar Bug”: Case study for defense.
As a result of this announcement, Yahoo shares fell as much as 6.5%, the biggest intraday decline since February, on fears that Verizon may explore a lower price or exit from their deal to purchase Yahoo (link).
It was also learned in the breach announcement that the passwords were hashed with MD5, as opposed to a computationally intensive hash such as bcrypt. Personally, I think having a secret in your source code is worse, but this is an issue that could have been caught by any static analyzer or just a simple grep search for known “bad” crypto.
It’s clear from this and other issues that Yahoo’s security team did not have authority to act on issues and were not included in important security related discussions. It is important that security teams have the authority to act as gates to allow or deny things, to require changes be made, and be made aware of things that could impact security. One way of helping to accomplish this is to have “security champions” throughout the company to help inform and implement the security team’s goals. This could be an official title, or simply friends of people of security team at the company. Spend time with other teams, have a bucket of free candy at your desks to get people to come by, announce open meetings for people to come talk to you team, or whatever else might get people to come talk to you about security concerns or help empower them to do things that benefit security by being able to tell their management “the security team said I should do this”.
Business
- Ashley Madison fined $1.6M by FTC for breach: The dating website for married people seeking extramarital affairs will pay the FTC for its failure to protect the account information of 36M users, for failing to delete account information after regretful users paid a $19 fee, and for luring users with fake accounts of “female” users.
- Privacy policies of tech companies causing concern: Forbes ran an article on Evernote allowing employees to read notes for the sake of improving its machine learning. Uber had articles about employees actually abusing their abilities by looking up trip histories of celebrities, ex-lovers, and politicians. As security professionals you have take precautions to limit, log, and audit the access your employees have of your customer data. Much of this can also detect external attackers, or a compromised employee account, but you should also be concerned about legitimate employees and the accesses they need to do their jobs. Consider how you can limit their access and how you could determine if they are abusing their access.
- Florida court rules Americans must turn over passwords to the cops: In a case that is likely to be challenged, a Florida court has decided that not only can individuals be forced to provide their fingerprints to unlock phones, but now also their passwords.
Tools
- Certificate Transparency Monitoring: Facebook is offering a simple service to send you emails every time an SSL certificate is issued for domains of your choosing.
- williballenthin/hint_calls.py: IDA Pro plugin to show a function’s summary (calls, strings) as hover hints. See the author’s screenshot here.
- Cisco Umbrella 1 Million: Cisco Umbrella (which runs OpenDNS) is providing a list of the top 1M domains it sees accessed, after Alexa decided to stop running their service. OpenDNS is in many ways a much better list, because a lot of the traffic it sees are from enterprises, as opposed to people that install toolbars in their browsers. Alexa also only has visibility into HTTP requests. One immediately apparent difference therefore is half as many porn related domains. Cisco Umbrella’s data doesn’t have a domain with the word “porn” in it until nearly 5000, whereas Alexa’s first hit is at 50. This therefore represents a more “corporate” swath of Internet traffic.
- Intel XED: Intel open-sourced their X86 Encoder Decoder (XED) for IA32 and Intel64. XED is the encoder/decoder used by Pin and many other projects both at Intel and elsewhere.
Conference materials and publications
- ZeroNights Slides: Conference in Moscow, Russia from mid-November.
- SANS DFIR Summit videos: Conference in Austin, TX in June.
Other reads
- Reliably compromising Ubuntu desktops by attacking the crash reporter: Excellent write-up on a non-memory corruption exploit identifying the default file handlers Ubuntu Desktop, determining which application to focus on, and how to research it to find a vulnerability.
- Meet Algo, the VPN that works: Trail of Bits describes their open-source VPN project and its benefits over other projects. Filippo Valsorda pointed out that unfortunately the installer currently creates a CA that can be used to sign HTTPS certs for any sites browsed through the VPN (ie. MiTM against SSL traffic), which does mean you have to trust the VPN and where it is hosted, but this is being worked on.
- McAfee Virus Scan for Linux: Many vulnerabilities found in McAfee’s Linux product.
- Mobile Security News Update December 2016: Downclimb does not feature a lot of mobile security news. Collin Mulliner does a good monthly link round-up.
- Chakra JIT CFG bypass: Method to bypass Microsoft’s Control Flow Guard (CFG) when attacking Internet Explorer by leveraging the Chakra JIT and a race condition to modify the code being created by the JIT compiler before the JIT compiler completes.
- Chrome OS exploit: one byte overflow and symlinks: Chrome OS exploit in an HTTP proxy, called shill, that was simply removed as part of the fix. What I found most interesting was the statement “It’s convenient that shill and chrome are separate processes, so if the exploit fails and crashes shill, it doesn’t bring down chrome and shill is restarted automatically.” This is an important detail, because it allows the attacker to repeatedly try exploits. This means that if something like ASLR were to mitigate an exploit, or if the exploit needed to be version dependent but the attacker didn’t know the version, they could try again and again until their exploit worked.
- Implementing Inexpensive Honeytrap Techniques: Daniel Miessler gives some excellent ideas for honeytraps you can use to detect bad guys.
- Reversing Huawei Router: 5 part series on reverse engineering a router (Huawei HG533).
- shoppify paying massive bounties: Shopify opened up a bug bounty program on HackerOne a month ago for Shopify Scripts which is “a ruby gem based on MRuby, developed at Shopify. It provides a sandboxed, lightweight environment where untrusted Ruby scripts can safely be run in a way that isolates them from Shopify’s native Ruby environment.” On Dec 16, they started paying out bounties for the bugs they had been receiving, with pretty large pay-outs of up to $20K, resulting in 49 bounties paid for a total of $368K paid in one month. They then decided to implement “seccomp-bpf sandboxing and process isolation” and drop their bounties by 10%. This unfortunately was very much the wrong way to implement a bug bounty program. First, they should have had a decent security review to advise them to implement those mitigations prior to the bug bounty (cost ~$10K). Next, they should have started their bug bounty program with much lower bounties to weed out the low-hanging fruit and get a better understanding of how hackable their system is (at maybe $200, as opposed to $20,000). Once the bug bounty hunters stopped showing up, then they should have increased the bounties to draw them back in and draw in perhaps more sophisticated researchers. Additionally, they should have started with a private bug bounty, since with those high pay-outs they were likely flooded with bad reports and a private bounty would have helped ensure higher quality bug reports even at that high pay-out. Their CEO describes his thought process for why he did this (link), coming to a different conclusion than I do, stating “we decided to overspent as a kind of “marketing” investment”.
- Patch Tuesday: Microsoft and Adobe put out their monthly patches this week. Nothing too exciting.
Apple stories
- Security content for patches for iOS 10.2 and macOS 10.12.2
- System Integrity Protection (SIP) changes in macOS Sierra 10.12.2: macOS now allows SIP to be re-enabled without needing to boot into a recovery partition. This is important as people have reported that as much as 95% of new Macs mistakenly were sold by Apple without SIP enabled. A reboot is still required for this to take effect.
- macOS FileVault2 Password Retrieval: Fixed in the latest macOS 10.12.2 update, this attack uses Thunderbolt to identify the clear text password in the memory of a sleeping or locked Mac.
To receive a weekly email notification of this newsletter, email scott@summitroute.com