Weekly infosec news summary for 2017.01.01 – 2017.01.08
"just found a Windows 10 install ISO on BitTorrent which includes a scheduled task to download and run ransomware exe after 90 days." Kevin Beaumont
"someone put invisible unicode characters into a regex in a correct answer for stackoverflow even i am blown away by that level of evil" @NO_BOOT_DEVICE
- Tidal Forces: The Trends Tearing Apart Security As We Know It: Many security companies are stuck trying to secure things by using an older model of how technology is used. Examples:
  - End-points are more secure and can't run security software that provides any value (ex. iOS).
  - SaaS products, such as Gmail, are more heavily used (you can't run your security software on their servers) and their access is encrypted (you can't monitor the activity).
  - IaaS, such as AWS, doesn't allow you to incorporate hardware security devices, and the provider controls what you're allowed to do and how you should do it.
- FTC is going after D-Link: The router maker D-Link is being sued by the FTC for its claim that their devices are "Easy to secure" with "Advanced network security". In an interesting and rapid move, a competitor, Netgear, started a bug bounty for their products (link), offering up to $15K in rewards. This is an excellent move by Netgear to not only improve their security, but also to exhibit to the FTC their own due diligence in attempting to provide a secure product to avoid being sued by the FTC. The FTC's move had no impact on D-Link's stock price, which is reasonable given the historically weak actions the FTC has taken against tech companies. The FTC historically has simply told companies to have a security program and have an external security audit performed every two years for the next 20 years, which were the settlements for ASUS and TrendNet. These penalties are so below what should be reasonably expected of the companies as to make the only real expenses of this litigation be court fees and marketing expenses to combat the allegations in the minds of consumers.
- PagerDuty's Incident Response Documentation: The company many use to help them with their IR (usually devops related incident response) has released the docs they use to guide their own internal IR.
- dxa4481/truffleHog: There are a number of tools to search through git repos for secrets (ex. AWS keys), but this project additionally looks through the git histories for access keys that someone attempted to remove but that may still work. Make sure you roll credentials any time you find they were exposed.
- Assessing Russian Activities and Intentions in Recent US Elections: The DNI (Director of National Intelligence) released a report on Russian activity involved with the US election, specifically identifying Russia as having hacked the DNC email servers and provided the emails to WikiLeaks. There is nothing new in the report that most people didn't assume anyway. One interesting bit is "DHS assesses that the types of systems Russian actors targeted or compromised were not involved in vote tallying", so although a propaganda campaign was waged, votes themselves were not tampered with. Much like last week's GRIZZLY STEPPE related political actions and US CERT information, this report is disappointing, mostly because it reveals nothing new. No evidence is provided for any of the claims, but the existence of the report itself, and that the CIA, NSA, FBI, and DHS all were involved should be proof enough, except to those for whom no proof would be good enough.
- Mac Malware of 2016: Patrick Wardle of Objective-See gives analysis on all the malware (6 strains) that affected macOS this year.
- Thread from @pwnallthethings on the DNC hack: @pwnallthethings provides analysis on why a group of professionals was behind the DNC hack, and not a lone amateur.
- The GRU-Ukraine Artillery Hack That May Never Have Happened: In opposition to CrowdStrike's announcement two weeks ago that the Russians had infected an Android app used by Ukrainian artillery units leading to soldier deaths, Jeffrey Carr makes the case that the app had no ability to identify the location of the soldiers or anything else that would have been valuable to the Russians. This is further supported by Technical details on the Fancy Bear Android malware (poprd30.apk) from CrySys, and most importantly by the Ukrainian military themselves, who posted a Press release (in Ukrainian) that further denies the impact of this app. An unrelated post discusses The Cost of Bad Threat Intelligence which is relevant here, as it appears CrowdStrike may have been more interested in pushing a story than having it backed up by facts.
- Best Buy's Role in a Kiddie Porn Bust Raises Privacy Questions: Systems brought to Best Buy to be fixed are sent to a main repair facility in Kentucky, and there, they have been searched for kiddie porn at the request of the FBI. "FBI and Best Buy made sure that during the period from 2007 to the present, there was always at least one supervisor who was an active informant." This raises questions about the privacy expectations that one should have when getting computers fixed. If you have encrypted hard drives at your company, but your employees log in or hand over passwords to places like Best Buy, Apple's Genius Bar, or other repair shops to fix problems, those individuals could access the sensitive information you've tried to encrypt or services that the employee has saved passwords for. As such, you should have policies that restrict employees to only having their systems fixed by your own staff.
- GitHub Enterprise SQL Injection: Describes how to get access to the code of an enterprise VM solution (GitHub Enterprise), a SQL injection vulnerability found within their Rails app, and how to work backward to figure out how to exploit the vulnerability.
- Flexing SQL muscle for parsing an MS db on OSX: This post describes how to parse the configuration files used by Microsoft Office on macOS systems.
- Review where you get your news from. There has been a lot of talk in mainstream news recently about fake news, and in general today we are bombarded by news. No one can keep up with everything. Many news sources have biases. If you read articles from vendors you'll find they are biased towards selling you on the problems they solve and herding you toward their solution. Many security news sites are paid by PR firms that are paid by vendors. I posted this week about what I think are some good news sources here. Consider what value you get, if it informs you of things you didn't know otherwise, and how it changes your understanding of things. If you do choose to not read Downclimb, I'd love to hear your feedback.
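
The truffleHog item above points out that a key deleted in a later commit still sits in the repository history. As an added example (not from the original post and not truffleHog's own code), this Python script scans `git log -p` output for AWS access key IDs and reports the ones whose most recent change was a deletion. The sample log, the key values and the function names are constructed for illustration.

```python
import re

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 characters.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Constructed sample of `git log -p` output (newest commit first), not a real repo.
SAMPLE_LOG = """commit 3333333333333333333333333333333333333333
    remove hard-coded key
diff --git a/deploy.py b/deploy.py
--- a/deploy.py
+++ b/deploy.py
@@ -1,3 +1,3 @@
 import os
-KEY = "AKIAIOSFODNN7EXAMPLE"
+KEY = os.environ["AWS_ACCESS_KEY_ID"]
 BACKUP_KEY = "AKIAABCDEFGHIJKLMNOP"
commit 1111111111111111111111111111111111111111
    add deploy script
diff --git a/deploy.py b/deploy.py
--- /dev/null
+++ b/deploy.py
@@ -0,0 +1,3 @@
+import os
+KEY = "AKIAIOSFODNN7EXAMPLE"
+BACKUP_KEY = "AKIAABCDEFGHIJKLMNOP"
"""

def scan_patch_log(log_text):
    """Return (commit, file, '+' or '-', key) for each key on an added/removed line."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith(("--- ", "+++ ")):      # file header, not content
            if not line.endswith("/dev/null"):
                path = line[6:]                      # drop "--- a/" or "+++ b/"
        elif line[:1] in ("+", "-"):                 # context lines are skipped
            findings += [(commit, path, line[0], k) for k in AWS_KEY_ID.findall(line)]
    return findings

def removed_but_recoverable(findings):
    """Keys whose newest change is a deletion: gone from HEAD, still in history."""
    latest = {}
    for _, _, sign, key in findings:
        latest.setdefault(key, sign)                 # log is newest-first
    return sorted(k for k, s in latest.items() if s == "-")

if __name__ == "__main__":
    hits = scan_patch_log(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("rotate these even though they were deleted:", removed_but_recoverable(hits))
```

To audit a real repository, pass the output of `git log -p --all` to `scan_patch_log` instead of the sample text. Any key it reports should be rotated, whether or not it still appears in the current tree.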