Weekly infosec news summary for 2017.01.29 – 2017.02.05

Quotes

“Mimikatz: The AK47 of cyber. No matter the adversary (nation-state or e-crime), it is almost always present in intrusions on Windows targets” Dmitri Alperovitch

 

“If you are trying to improve security, and you do so by adding code instead of removing code, odds are that you are doing it wrong. […] I am (in)famous for my opposition to soft mitigations - many do not stop attackers, but add unnecessary (and risky) complexity. […] In short: If your mitigation doesn’t stop the bug dead (/GS in some cases) but merely shakes the table of the artist, it will be hard to convince me of the value of the mitigation.” halvarflake

 

Top stories

Insider threat recruitment

RedOwl and Intsights released a report titled Monetizing the Insider, wherein they describe recruitment efforts on forums to monetize insider access. This includes access to insider trading information, assistance with cashing out stolen credit cards at retailers, and help installing malware on bank computers. Combating these problems is difficult and can involve background checks on employees, monitoring of them (screen capture recording and video cameras), and processes that involve two people. You should also leverage strategies that mitigate other more general security issues, such as applying least privilege to all accounts, auditing and alerting on concerning actions, and segregation of duties, which can mitigate the effects of compromised accounts and other issues in addition to insider threats.

Delegated Recovery

Facebook, in collaboration with Github, posted Improving account security with delegated recovery and released a protocol spec for being able to use one service (Facebook) to recover an account on a different service (Github). Github has also posted how they are doing this (link). The concept is that “secret questions” and password recovery emails have various limitations and that if you lose your phone that is used for two-factor authentication, this can be further complicated. Access to the Facebook account doesn’t directly grant someone the ability to access your Github account, but instead Github can use this as a piece of the decision making process in granting access to someone trying to recover their account.

G Suite Enterprise

Google has announced their Enterprise edition of their email (reportedly $25/user/mo) as a new class beyond their Business class ($10/user/month). They moved some of their features (such as DLP functionality to monitor for credit cards in emails) up to their Enterprise class, but the most interesting feature is their addition of hosted S/MIME. With this, you are required to provide Google with your private S/MIME keys. This defeats one of the main reasons people use S/MIME which is for when you don’t want to have to completely trust your email provider. That said, S/MIME certificate management in most enterprises is usually not ideal, and this provides better encryption in communication and better validation of communications.

Email snooping due to transactional email services

There have been a number of bounties related to mail issues over the past year when using SendGrid, Mailgun, and likely others, that are allowing attackers to receive email destined for various companies that use those services. Examples:

• Gitlab using Mailgun (link).
• Slack using an unnamed service (an MX lookup shows they use Mailgun) (link).
• Uber using SendGrid (link).
• Facebook and Yelp using G Suite (link).
  • Correction 2017.02.06: Originally this article stated they were using SendGrid, but it was pointed out by the author of that article, @Uranium238, that this was a G Suite issue.

The problem appears to be that these businesses are using these services to send emails, but don’t care about using them to receive responses. These email services then fail to perform any domain verification, allowing any user of the service to register other business’s domains to receive the email responses. This is very troubling that these email services are not taking any measures to avoid this. Even if fixed, be aware of the ability of these services to receive emails on your behalf which opens up concerns about attackers targeting them or social engineering them to redirect things like your password resets. See an example of this attack attempted against a company named ChunkHost that uses SendGrid here.

Similarly, there is a post on ‘Deep Thoughts’ on Subdomain Takeover Vulnerabilities that is a somewhat similar problem of shared hosting providers that don’t explicitly validate the subdomain claiming process. The author makes the claim of referring to “subdomain takeover as the new XSS”. He advises that you need to “maintain a list of all the web services you host with shared hosting providers” and “add/remove vendors from the list as services are created/transitioned/deprecated. When doing so, you must be very sure to rigorously manage the DNS entries that point to these services because a dangling DNS entry pointed as a service provider where you’re not claiming the domain is a recipe for getting tripped up on a subdomain takeover.”

Business

• When the Market Can’t Deliver, Change the Market: Hudson Thrift at Uber discusses the decision making process in working with a start-up to deliver the solution they wanted as opposed to building it themselves (expensive) or buying it from the market (would only provide an 80% solution). We should expect to see these types of relationships happen more often.
• Zimperium Announces Its Exploit Acquisition Program for N-Days: The mobile defense company has announced it will buy old exploits that no longer work due to being patched or are otherwise less valuable so that they can test their product. They’ll additionally hand over the exploits to the affected vendors. This is a great way to ensure the effectiveness of their solution and to test it with actual exploits and better spot trends and techniques, much like pwn2own competitions that allow the vendors to identify various tactics needed in exploit chains as opposed to simply vulnerabilities.

Tools

• airbnb/streamalert: AirBnB’s StreamAlert was introduced at the Enigma conference and with the post StreamAlert: Real-time Data Analysis and Alerting. This is heavily integrated with Amazon AWS, making use of AWS Lambda to read AWS Kinesis Streams, and making use of Hashicorp’s Terraform. This allows for real-time alerting of events in a scalable way, as opposed to the way many alerting systems work by first ingesting the data into something like ElasticSearch and then periodically scanning the events for things to alert from.
• Cloud Canary: Thinkst’s Canary deception product (not free) now runs on AWS.
• Chrome on iOS: Google open-sourced Chrome for iOS.

Conference materials and publications

• Haroon Meer #t2 keynote: The conference #t2 in Helsinki, Finland released their keynote from October.
• ShmooCon videos: Conference in Washington, DC in mid-January.

Other reads

• Log Driven Development: Luqi Pan (a former coworker) discusses how logs can be used by AppSec teams to drive code changes by providing a better understanding of how and why code paths exist.
• XXE in Code42 CrashPlan: (from last week) This write-up describes a vuln discovered in Code42 CrashPlan in order to obtain a $9K bounty from Uber. CrashPlan is used for making backups of end-user systems, mostly Macs, but also Windows. The researcher found a pre-auth XXE in the CrashPlan server hosted by Uber.
• Printer exploits: Issue affecting every PostScript printer for the past 32 years, as solely legitimate PostScript language constructs are abused. It can be accomplished by USB or network. “It can even be carried out by a malicious website, using advanced cross-site printing techniques in combination with a novel technique we call ‘CORS spoofing’ (see ‘Cross-Site Printing and CORS Spoofing’ section).” The researchers also discuss other flaws with printers here.
• Escape and Evasion Egressing Restricted Networks: Optiv describes how malware can escape networks that white-list network communication by using domain fronting. CDNs, such as Google, Amazon Cloudfront, Amazon S3, Azure, CloudFlare, Fastly, and Akamai can all be used to point to unexpected domains under the attacker’s control. This technique was used by Signal to bypass restrictions in Egypt. Raphael Mudge put together a good video describing this technique.
• Assessing the Draft Cyber Executive Order: An Executive Order on “Strengthening US Cyber Security and Capabilities” was supposed to be made this week, but delayed for unknown reasons. A copy of the draft is here. As it exists, there isn’t much unexpected about it (compared with other recent Executive Orders). It does however assign some work to unexpected places, such as leaving out the FBI entirely and puts the Secretary of Defense in charge of defining the “U.S. educational system to maintain its competitive advantage into the future”. Once announced officially, I’ll dig into it more deeply.
• Gitlab ran into problems this week and had issues recovering from their backups. They were extremely transparent, including a post-mortem write-up and they even live-streamed their response which now exists as an 8 hour recording, which is mostly 8 hours of silence showing engineers staring at screens. They mention their backups weren’t working and they didn’t have any alerting in place to detect that. This is one of the points I made in my post Creating Disaster Recovery backups, that you need to test your backups and set alerts to ensure they happen as frequently as you expect. I also posted this week on Using AWS for backups, which is in addition to my post on Using Google for backups.