Downclimb

2017.01.29

Weekly infosec news summary for 2017.01.22 – 2017.01.29

Quotes

"Back in my day, we called programs executing arbitrary commands 'shells', but now I'm hearing kids call them 'video conferencing software'." - April King

Top stories

Webex vuln

Tavis Ormandy discovered a vuln in the Webex extension for Google Chrome allowing any web page to execute arbitrary commands on visitors who have the extension installed. Although Project Zero has a 90-day disclosure timeline, Tavis informed the Google Chrome Web Store, which took immediate action by blocking new installations of the extension. This motivated Webex to rapidly deploy a fix. The fix, though, only tried to limit the arbitrary code execution to *.webex.com, which still allows any XSS on that site to result in execution (or allows Webex themselves to), and any arbitrary site can still show a pop-up that exploits the user if they click OK. New versions of the extension were rapidly deployed, likely as new workarounds and possibly other vulns were found.

Webex has released an announcement about this issue, confirming that it affects Chrome, Firefox, and IE (but not Edge), and is isolated to Windows. However, both the issue and the fix indicate bad security practices by Cisco, and this blood in the water should attract more sharks, both to Webex and to other extensions. Steps should be taken now to uninstall Webex, and you should expect to see other extensions impacted shortly as this bug class gets investigated further.

Brute force detection

In Akamai's article Improving Credential Abuse Threat Mitigation, they describe how they are able to detect a 13K-member botnet that is being used to brute force accounts. With 13K unique IP addresses, it still only averages 1 login attempt every 2 hours per node against a single site, which is very difficult to detect. However, because Akamai had coverage across 71 websites for this study, they were able to see that the botnet as a whole attempts 203K logins per hour across all sites. That is still only 15 login attempts per hour per node across all monitored sites. A brute force attack that works so slowly, and across so many nodes, is very difficult to detect. This is an area where data sharing becomes very useful, as detecting these attacks from a single point of observation is very difficult.
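To show why the cross-site view matters, here is an added example (not Akamai's code or data) that runs the same per-IP failed-login rate check over constructed login events twice: once per site, as a single operator would see them, and once pooled across every monitored site. The thresholds, window, site names and IP addresses are all assumptions chosen for the illustration.

```python
from collections import Counter

WINDOW_HOURS = 8      # assumed observation window
THRESHOLD = 2.0       # assumed alert threshold: failed logins per hour per IP


def constructed_events():
    """Constructed sample events: (hour, site, src_ip, outcome)."""
    events = []
    # Low-and-slow botnet: 10 nodes, one failed login every 2 hours per site,
    # spread over 8 monitored sites (4 failures per site in the window).
    for node in range(10):
        ip = f"198.51.100.{node + 1}"
        for site in range(8):
            for hour in (0, 2, 4, 6):
                events.append((hour, f"site{site}.example", ip, "fail"))
    # Legitimate user who mistypes a password twice, then logs in.
    events += [(1, "site0.example", "203.0.113.7", "fail")] * 2
    events.append((1, "site0.example", "203.0.113.7", "ok"))
    # Classic single-site brute force: 40 failures from one IP at one site.
    events += [(3, "site2.example", "192.0.2.9", "fail")] * 40
    return events


def failed_login_rates(events, window_hours, pooled):
    """Failed logins per hour, keyed by IP (pooled) or by (site, IP)."""
    counts = Counter()
    for _hour, site, ip, outcome in events:
        if outcome == "fail":
            counts[ip if pooled else (site, ip)] += 1
    return {key: n / window_hours for key, n in counts.items()}


def flag(events, window_hours, threshold, pooled):
    """Source IPs whose failed-login rate exceeds the threshold."""
    rates = failed_login_rates(events, window_hours, pooled)
    return {key if pooled else key[1] for key, r in rates.items() if r > threshold}


def detect(events, window_hours=WINDOW_HOURS, threshold=THRESHOLD):
    """Split alerts into those a single site sees and those only the pooled view sees."""
    single_site = flag(events, window_hours, threshold, pooled=False)
    pooled = flag(events, window_hours, threshold, pooled=True)
    return {"single_site": single_site, "cross_site_only": pooled - single_site}


if __name__ == "__main__":
    result = detect(constructed_events())
    print("visible to any one site:", sorted(result["single_site"]))
    print("visible only when pooled:", sorted(result["cross_site_only"]))
```

The per-site view only catches the noisy single-IP attacker, while the pooled view also surfaces all ten low-and-slow nodes without touching the legitimate user.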

Tools

  • cybertools/grap: Searches disassemblies for control flow graph patterns. Works as both a stand-alone tool with a disassembler (Capstone) and as an IDA plugin.

Conference materials and publications

  • Site Reliability Engineering: This book by Google is now free. It's focused on general DevOps, but some of it applies well to SOC work of responding to incidents. Unfortunately, the book reads like a "welcome to Google" guide for new hires, constantly mentioning the names of Google's internal projects instead of just using the industry-standard terms or the names of well-known open-source projects, but if you have no experience with keeping sites up it could be useful.

Other reads