Weekly infosec news summary for 2017.01.22 – 2017.01.29

Quotes

“Back in my day, we called programs executing arbitrary commands “shells”, but now I’m hearing kids call them “video conferencing software”.” April King

Top stories

Webex vuln

Tavis Ormandy discovered a vuln in the webex plugin for Google Chrome allowing any web page to exploit arbitrary commands on visitors with this plugin. Although Project Zero has a 90 day disclosure timeline, Tavis did inform the Google Chrome Web Store who took immediate action by blocking any new installations of the extension. This action motivated Webex to rapidly deploy a fix. The fix though tried to limit the possibility of this arbitrary code execution to only *.webex.com which still allowed any XSS on that site to result in execution (or allow webex themselves to), or any arbitrary site can still end up showing a pop-up and if the user clicks OK they’ll get exploited. New versions of the extension were rapidly deployed, likely as new workarounds and possibly other vulns were found.

Webex has released an announcement about this issue, confirming that it affects Chrome, Firefox, and IE (but not Edge), and is isolated to Windows. However, both the issue and the fix indicate bad security practices by Cisco, and this blood in the water should gather more sharks both against Webex and other extensions. Steps should be taken currently to uninstall webex, and you should expect to see other extensions impacted shortly as this bug class gets investigated further.

Brute force detection

In Akamai’s article Improving Credential Abuse Threat Mitigation, they describe how they are able to detect a 13K member botnet that is being used to attempt to brute force accounts. With 13K unique IP addresses, it still only averages 1 login attempt every 2 hours per node against a single site which is very difficult to detect. However, by Akamai having coverage across 71 websites for this study, they are able to see that the total botnet, across all sites, attempts 203K login attempts per hour. That is still only 15 login attempts per hour per node across all monitored sites. A brute force attack that works so slowly, and across so many nodes is very difficult to detect. This is an area where data sharing becomes very useful as detection of these attacks is very difficult from a single point of observation.

Tools

• cybertools/grap: Searches disassemblies for control flow graph patterns. Works as both a stand-alone tool with a disassembler (Capstone) and as an IDA plugin.

Conference materials and publications

• Site Reliability Engineering: This book by Google is now free. Its focused on general DevOps, but some of it applies well to SOC work of responding to incidents. Unfortunately, the book reads like a “welcome to Google” guide for new hires by constantly mentioning the names of Google’s internal projects instead of just using the industry standard terms or names of well-known open-source projects, but if you have no experience with keeping sites up it could be useful.

Other reads

• Cloud-AI – An Artificial Intelligence on the Cloud: An AI system was taught to use LinkedIn, and from there it discovered IDOR vulns. The article doesn’t describe how the discoveries were made or identified as vulnerabilities, but this could lead to some interesting research areas.
• Federated to Microsoft Cloud and Account Lockouts: Guidance from Microsoft on how to avoid account lock-outs from brute force attempts against users when using SSO that verifies back against Windows ADFS (Active Directory Federated Services).
• Carbon Black Cb Response Multiple XSS: Vulns found in CarbonBlack’s tool to investigate remote systems could be used to compromise an entire network by first compromising one end-point, then the callback server, then the network.
• Facebook now offers U2F support: Facebook joins Github and Google as sites that offer U2F (Fido) support.
• An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps: This study of 283 Android VPN apps found 18% do not encrypt traffic at all, 84% leak user traffic, and 66% use third party tracking libraries.
• Gmail will block .js file attachments starting February 13, 2017: Google is finally going to block .js attachments by default, whose main use case thus far has been deployment of ransomware to Windows systems.
• phrack: Cyber Grand Shellphish: The Cyber Grand Challenge team Shellphish discusses aspects of what they built. This isn’t so much a classic phrack article, and more a journal whitepaper in ascii form of other articles from Team Shellphish such as How We Fared in the Cyber Grand Challenge.
• Software updates
  • Chrome updates: Google Chrome 56 released to stable.
  • Apple security updates: Apple released updates this week for iOS, macOS, and some of their other software. Apple also was prompt in releasing the source code for the new macOS 10.12.3, which is great, as normally there is more delay between updates and their source code release.