Weekly infosec news summary for 2016.12.18 – 2016.12.25

Quotes

“I get a big kick out of the fact so many insisting AV is worthless because it’s bypassable use adblockers with even dumber signature engines” @scriptjunkie1

Top stories

Learning From A Year of Security Breaches

Ryan McGeehan (@magoo) discusses lessons learned from a year of freelance incident response work for startups (he comes from Facebook’s IR team) (link). He begins by discussing the need for centralized logging. Once you have that, be sure to start creating alert rules for these logs, I discuss in How to write security alerts. He points out that you may not always find the root cause of a breach, which makes your lessons learned and follow-up actions much more difficult.

He shows how attackers will target personal email accounts, not just work accounts. This issue is why I’m personally on the fence about the value of Secure Email Gateways (ex. Proofpoint), because it causes people to focus and devote time toward one avenue of attack while other ways of communicating with employees (their personal email, chat applications, support or sales communications) remain open to all the same attacks (phishing for login credentials, malicious file sending).

He briefly dives into a couple other areas and is well worth a read.

Fancy Bear Tracking of Ukrainian Field Artillery Units

CrowdStrike reports on the same malware used to hack the DNC has also been associated with malware in an Android app used by Ukrainian artillery units (link). The specific artillery unit this app was made for has endured losses of 80%, “the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal.” Although acquiring and using this app shows failings in the practices of the Ukrainian military, it also gives evidence of the failings of the security in a software platform resulting in war casualties.

Business

• UK’s Cyber Security Regulation and Incentives Review: As the UK is leaving the EU, they will no longer fall under the GPDR (General Data Protection Regulation), which requires reporting breaches and imposing fines for them. The UK is therefore taking action to regulate this themselves and plans to begin enforcement in May 2018. One thing I like about the UK’s plan here is “key essential services and key digital service providers operating in the EU, e.g. cloud computing services, will be subject to additional risk management and reporting requirements.” In contrast, the US tends to have a more isolated view of critical infrastructure, and doesn’t take into account the full ecosystem they function in.

Tools

• Serene: Project I released to allow you to quickly and easily identify if executable binaries are adhering to best practices in their compilation process.
• google/wycheproof: Tests crypto libraries against known attacks.
• tunz/js-vuln-db: Collection of CVE’s for javascript vulnerabilities and their associated POCs.
• ELF Parser: Open-source project to parse elf binary files and recognize functions via signatures.

Other reads

• $3-5M in Ad Fraud Daily from ‘Methbot’: Krebs reports on a ad fraud group that causes a staggering $3M-$5M in ad fraud per day. At the low end, that is over $1B/year. Online ad fraud is a $7B/year problem, and total online ad revenue is $60B/year. This suggests that this one group was responsible for 15%-25% of all online ad fraud. The bots “watched” as many as 300M video ads per day. They operated over 571K IP addresses, which were legitimately registered (not simply bot take-overs of people’s computers), which were used as proxies back to 800-1200 servers that did the “watching”. The value of ownership of the IP addresses is estimated at $4M. They were able to disguise their ownership of the IPs by making them look like known ISPs for home users. This is perhaps the most disturbing part, that no one noticed that the contact info for “AT&T Services Inc.” and “Comcast Cable Communications, Inc.” for two of the IP addresses was “adw0rd.yandex.ru@gmail.com”. You would think that ad sites would be using services that score the legitimacy of IP addresses and that those services would take things like this into account. You would further assume that IANA (the organization responsible for IP allotments) would do something about this.
• Docker being exploited in Cisco CloudCenter Orchestrator: The Cisco CloudCenter Orchestrator (CCO; formerly CliQr) exposed the Docker Engine management port outside of the system, allowing attackers to upload Docker containers to obtain root on the system. The Cisco Product Security Incident Response Team (PSIRT) is aware of this being exploited in the wild.
• Firefox getting sandboxing: Firefox has been rolling out a multi-process version to users since Firefox 48 released in August. This has only taken affect for a limited number of users without extensions, and has been expanding its coverage. They will now begin implementing a Windows sandbox for the processes.
• Apple back-pedaling on enforcing TLS: In June at WWDC, Apple announced that they would be enforcing TLS, via their App Transport Security (ATS) by the end of the year on all apps. Unfortunately, they just announced that they will not be enforcing this, and have no updates on when it may be enforced.

Action items

• Do you have people on call over the holidays that they would normally celebrate? Review what incidents happened over the holiday and thank those who were on call. Make sure they get time off in future. Don’t forget there are people working behind the scenes keeping your business running. In opposition to this, also review whether your expectations of response handling fell apart over the holidays.
• Run some of the executables in your environment through my new tool Serene and follow-up with any vendors that aren’t using best practices in their development processes.
• Ensure you have backups in the event of a disaster. Follow my two new guides for help: Creating Disaster Recovery backups and Using Google for backups.

To receive a weekly email notification of this newsletter, email scott@summitroute.com