Weekly infosec news summary for 2017.02.05 – 2017.02.12
"The trick with fuzzing isn't finding bugs, it's finding bugs that people care to fix" John Regehr
ASD Strategies to Mitigate Cyber Security Incidents
The Australian Signals Directorate (ASD, Australia's counterpart to the NSA) released an updated Strategies to Mitigate Cyber Security Incidents, which they last revised in 2014 (see the old version here). The previous guidance was a flat list of 35 items, with the top four being application whitelisting, patching applications, patching the OS, and restricting admin privileges. The list is now broken up into sections: mitigation strategies to prevent malware delivery and execution, to limit the extent of cyber security incidents, to detect and respond to incidents, to recover data and system availability, and to prevent malicious insiders.
There is a summary of changes at the bottom of the link, but some changes I found notable are:
- Disabling macros is now rated essential. Previously this was mentioned under the strategy "User application configuration hardening", but it is now its own strategy, reflecting how much of an impact this one mitigation has.
- Configuring browsers to block ads is now rated essential. This sits under the strategy "User application hardening", and it is interesting to see a government advising it.
RSA, the infosec vendor conference, takes place next week in San Francisco, so expect even more business announcements then.
- Sophos acquires Invincea: The AV company Sophos is acquiring Invincea, whose product isolates commonly exploited applications in containers.
- Accenture acquires iDefense and Endgame's federal services: The general consulting company Accenture acquired the threat intelligence company iDefense from Verisign (link) and the federal services business of Endgame, which makes an EDR product (link).
- DuoBeyond: Duo's offering for the BeyondCorp model, covering device attestation, access to internal applications without a VPN, and single sign-on to cloud services.
- Netflix/hubcommander: Netflix describes their new tool in the post Introducing HubCommander. It uses ChatOps to manage GitHub accounts: certain operations require GitHub admin rights, but you don't want all of your users to be admins, so Netflix employees ask this tool instead, and it acts as a proxy for those operations and applies Netflix's own permission model.
- uber/pam-ussh: Uber released their tool for continuous reauthentication of SSH keys, described in their post Introducing the Uber SSH Certificate Authority.
- Introducing Docker Secrets Management: Docker discusses their new tool for managing application secrets.
Conference materials and publications
- BlueHat IL videos and slides: Microsoft's security conference in Israel, held in late January. The talk Defending the Cloud: Lessons from Intrusion Detection in SharePoint Online by Matt Swann is my favorite, and shares some concepts with my post Iterative Defense and The Intruder's Dilemma.
- The Security Impact of HTTPS Interception: This paper shows how antivirus and "middlebox" products that perform TLS interception can be detected by the server, by spotting a mismatch between the HTTP User-Agent header and the TLS ClientHello (cipher suites, extensions, and their order) that the claimed browser would actually send. They deployed these heuristics at three large network providers: (1) Mozilla Firefox update servers, (2) a set of popular e-commerce sites, and (3) the Cloudflare content distribution network. They found that between 4% and 11% of all traffic is intercepted. Up to 40% of these interceptions further degrade the connection, as the interceptor advertises support for known-broken ciphers (e.g. RC4), and 58% had severe vulnerabilities (e.g. not validating certificates correctly).
- Type Juggling and PHP Object Injection, and SQLi, Oh My!: This epic exploitation of a target running ExpressionEngine chains PHP type juggling, PHP object injection leading to SQL injection, and brute-forcing an MD5 signature. It's a pretty wild chain.
- Use After Free in Google Hangouts ActiveX: With some similarities to the recent WebEx vuln, this week brings a vuln in Google Hangouts. This one only affects the ActiveX plugin used for Internet Explorer and is much harder to exploit: it is a use-after-free, so an exploit would also need to bypass DEP and ASLR (the author did not get working RCE, but showed it should be possible). The WebEx vuln was much easier to exploit, but I'll admit I mostly like this article because it gives Google a taste of their own medicine for shipping a vulnerable video conferencing plugin. Much like Flash, Java, and Adobe Reader, there is an untapped treasure trove of vulnerabilities waiting to be found in other common browser plugins and extensions.
- New Attack, Old Tricks: analyzing a malicious document with a mac-specific payload: Macs have macro malware now. harmj0y discussed this capability in his post from last May, OS X Office Macros with EmPyre. Patrick Wardle, with the help of @noarfromspace and others in the #security channel of the macadmins Slack, analyzed this new sample.
- Slot machine cheating: In this entertaining Wired read, a number of slot machines use predictable pseudorandom number generators, which can be cheated by recording video of the gameplay and uploading it to a server that works out where the generator is in its sequence and signals the scammer when to press spin, letting a team win more than $10K per day. Because of the cost of replacing the machines, the author closes with "the smart financial move for casinos is to keep using them and accept the occasional loss to scammers." Infosec defenders unfortunately often have to make the same choice.
- Enhanced Analysis of GRIZZLY STEPPE Activity: DHS has published a much more extensive analysis of the GRIZZLY STEPPE actor that it originally described in a much less useful report at the end of December. The YARA signatures from the report have been gathered into a collection here.
- Bitter Sweet: Supporters of Mexico's Soda Tax Targeted With NSO Exploit Links: This CitizenLab article reports that scientists and public health advocates in Mexico pushing for a tax on sugary drinks were targeted with links to NSO Group's zero-day iPhone exploits. There's nothing of technical interest in this story, but I point it out to show the diversity of targets that nation state hacking goes after.
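As an added illustration of the detection heuristic from the HTTPS interception paper above (this is my own example, not the paper's code or data): a server already sees both the HTTP User-Agent and the raw TLS ClientHello, so it can parse the hello and ask whether the cipher suites and extensions are the ones the claimed browser would send. The ClientHello parser and the sample hellos are constructed here, and the Firefox "fingerprint" table is an illustrative assumption, not a measured browser fingerprint; the cipher suite and extension code points themselves are the real IANA values.

```python
# Added example (mine, not the paper's code): server-side check that the TLS
# ClientHello it received is one the browser named in the User-Agent would send.
import re
import struct

# IANA cipher suite code points (real). No 2017 browser offered these; a hello
# that does was rewritten by something in the path.
RC4_OR_EXPORT = {0x0003,   # TLS_RSA_EXPORT_WITH_RC4_40_MD5
                 0x0004,   # TLS_RSA_WITH_RC4_128_MD5
                 0x0005,   # TLS_RSA_WITH_RC4_128_SHA
                 0xC011}   # TLS_ECDHE_RSA_WITH_RC4_128_SHA

# Illustrative fingerprint (assumption, not the paper's measured data): ordered
# cipher suites and extension types expected from a browser family.
EXPECTED = {
    "firefox": {
        "version": 0x0303,                                   # TLS 1.2
        "cipher_suites": (0xC02B, 0xC02F, 0xC02C, 0xC030,    # ECDHE AES-GCM
                          0x002F, 0x0035),                   # RSA AES-CBC
        "extensions": (0x0000, 0x000A, 0x000B, 0x000D, 0x0010),  # SNI .. ALPN
    },
}


def parse_client_hello(record):
    """Pull version, cipher suites and extension types out of a ClientHello record."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                   # skip the 32-byte client random
    pos += 1 + hello[pos]                          # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = struct.unpack("!%dH" % (cs_len // 2), hello[pos:pos + cs_len])
    pos += cs_len
    pos += 1 + hello[pos]                          # skip compression methods
    ext_types = []
    if pos < len(hello):                           # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            ext_types.append(ext_type)
            pos += 4 + ext_len
    return {"version": version, "cipher_suites": tuple(suites),
            "extensions": tuple(ext_types)}


def build_client_hello(version, suites, extensions):
    """Serialise a minimal ClientHello (used only to construct sample input)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    exts = b"".join(struct.pack("!HH", t, 0) for t in extensions)   # empty bodies
    hello = (struct.pack("!H", version) + bytes(32)      # zero client random
             + b"\x00"                                   # empty session id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00"                               # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake


def browser_family(user_agent):
    m = re.search(r"\b(Firefox|Chrome)/", user_agent)
    return m.group(1).lower() if m else None


def classify(user_agent, record):
    """'direct' if the hello matches the UA's fingerprint, else 'intercepted'."""
    hello = parse_client_hello(record)
    expected = EXPECTED.get(browser_family(user_agent))
    broken = sorted(s for s in hello["cipher_suites"] if s in RC4_OR_EXPORT)
    if expected is None:
        verdict = "unknown-client"        # no fingerprint to compare against
    elif all(hello[k] == expected[k] for k in ("version", "cipher_suites", "extensions")):
        verdict = "direct"
    else:
        verdict = "intercepted"           # UA says Firefox, hello says otherwise
    return {"verdict": verdict, "broken_suites": broken}


# Constructed samples: a hello matching the table, and one a middlebox rewrote.
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:51.0) Gecko/20100101 Firefox/51.0"
DIRECT_HELLO = build_client_hello(0x0303, EXPECTED["firefox"]["cipher_suites"],
                                  EXPECTED["firefox"]["extensions"])
INTERCEPTED_HELLO = build_client_hello(0x0303,
                                       (0xC02F, 0x002F, 0x0005),  # RC4 offered
                                       (0x0000, 0x000D))
```

The verdict comes from the fingerprint mismatch alone; the `broken_suites` list is the separate, more serious finding the paper reports, since an interceptor that advertises RC4 or export-grade suites lets the server be downgraded to them even though the real browser would never have offered them. A production version of this would need a fingerprint table built from observed traffic for each browser version, which is what the paper did.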