Weekly infosec news summary for 2017.02.19 – 2017.02.26
"TIL: There are bots on Github that create pull requests to projects using CI replacing all code with bitcoin-mining code." Aleksey Palazhchenko
"OH: attackers use $0 tools written in 2005 to run rings round $m+ tools built in 2017, via bugs in 2010 code that we knew how to fix in 2001" @pwnallthethings
Tavis Ormandy of Google’s Project Zero uncovered a major vulnerability in Cloudflare (link), which is used by over 2 million websites to handle their TLS. From September 22, 2016 until last weekend (February 20, 2017) Web requests to sites using Cloudflare received answers which included random information from other Cloudflare-backed sites. The impact of this event, which is being referred to as Cloudbleed, is that the content of some web requests (such as usernames and passwords, secret tokens in cookies for authentication, and other sensitive information) ended up being leaked into web requests from other users, including web crawlers such as Google, such that the data is now cached by various search engines.
Cloudflare has claimed that the likelihood of you being impacted is low (see their response), with only 0.00003% of web requests being impacted, but that's every web request. I'd bet an average user probably makes at least 100 per day to sites behind Cloudflare considering css, images, etc. and this has been going on for a while, so the likelihood of at least one of your web requests being impacted is a lot higher. However, then you need to guess at the likelihood that web request was cached by a web crawler or could otherwise be abused now that this problem is known. So it's very hard to estimate the likelihood of you being affected. Ryan McGeehan has a good post on how to deal with this event. Depending on your risk appetite, you may want to roll passwords and other secrets for your users of your site if you're behind Cloudflare, and for yourself and your employees for the various third-parties they use that are behind Cloudflare.
SHA-1 collision found
In October, 2015, news broke of the "SHAppening" (link), where researchers had identified a freestart collision of SHA1, which means part of a collision was found for a weakened version of SHA1. At the time, the researchers estimated that a full collision could be found for about $100K. Surprisingly, it took over a year before someone, in this case Google, decided they might as well do that and announced it (link) and made the site and logo at shattered.io.
Google states that this took the equivalent of 6,500 years of single-CPU computations and 110 years of single-GPU computations, which might sound like a decent amount of work at first, but according to @ErrataRob, "Bitcoin miners are crunching numbers at the equivalent rate of solving a SHA1 collision every second".
Chrome and Firefox have deprecated SHA-1 certs, and you haven't been able to buy a new SHA-1 cert for SSL since the start of 2016. SHA-1 is still used by a number of applications, including source control systems. In an attempt to make a test for this issue, the source control for webkit was broken for SVN users (link). TPM 1.2 only supports SHA-1 and uses hashes to attest firmware and BIOS, therefore collisions could defeat trusted boot. Bittorrent uses SHA-1 to check the integrity of chunks. We're likely to see a number of systems break and possibly exploited as collisions like this are abused.
SHA-1 stands for Secure Hash Algorithm 1 and is a standard designed by the NSA and was advocated by NIST. You should ensure you are using the more recent and secure standards SHA-2 or SHA-3, or an alternative such as Blake2 that is not associated with NIST.
The Rise of Dridex and the Role of ESPs
The Swiss CERT identified a Dridex email campaign being sent out to Swiss Internet users where the emails seemed to be real and from legitimate domains (link). The SPF record and rDNS were valid. Somehow the attackers were able to get SendGrid, an Email Service Provider (ESP), to deliver the emails. This follows on news of SendGrid being abused by bug bounty hunters earlier this month as reported in Downclimb (link). SendGrid has not announced how this is happening, but you should be wary if you're a customer of them or other ESPs.
Apple server firmware infected
An incident in mid-2016 at Apple led them to purge all of the servers in their data center built by Supermicro (link). Apple identified the firmware was infected, and the infected firmware is still available on Supermicro's site, although no one has yet identified which download it is or what the infection involves. Supermicro previously made the news in 2014 when it was identified that the baseboard management controller (BMC) exposes the admin password in cleartext via a simple GET request and 32,000 servers at the time were exposed on the Internet with this issue (link).
Waymo sues Uber for insider theft
The self-driving company Waymo (owned by Alphabet, ie Google) is suing Uber due to them having purchased a company called Otto who had used data stolen from them (link). A Waymo employee downloaded proprietary design files for Waymo's various hardware systems, connected an external drive, and then wiped and reformatted the laptop before resigning to go to Otto. Other Waymo employees, now at Otto and Uber, did similar things. This came about when a supplier sent Waymo an attachment (apparently inadvertently) of machine drawings of what was purported to be Uber's, but was strikingly similar to Waymo's own design. This brings up a couple of issues such as being able to detect insider threats, the legal risks involved in acquisitions, and ensuring that suppliers are not accidentally sending confidential information to competitors.
Matt Miller (aka skape) wrote a post on some of the exploit mitigations and isolation performed by the Edge browser on Windows (link). Internet Explorer, and by association Edge, has had a bad reputation over the years of being insecure do to a number of exploits that have happened against it. However, a significant investment has been made in improving Edge's security, and because Microsoft controls the OS and development tool chain that Edge runs on, Edge is able to more quickly take advantage of new security improvements than other browsers on Windows. Justin Schuh, the engineering lead for Chrome Security, responded with a surprisingly unbiased post comparing some of these exploit mitigations of Edge vs Chrome (link). He points out that the general difference in strategy has been for Chrome to focus more on isolation (so successful RCE will not be able to do anything) whereas Edge has focused more on avoiding that RCE in the first place. The conclusion from this is Edge actually does have a lot of strong security features and is worth considering.
- Detectify Crowdsource: The company Detectify is allowing security researchers to submit their newly discovered exploits to Detectify who will then incorporate those into their automated security service. Every time a reported issue is found on any of their customer's websites, the researcher is rewarded.
- Netflix/Stethoscope: Netflix announced a new tool for what they call "User Focused Security", which helps employees at a company take action to improve their security by pointing out out-of-date devices and other issues. It can consume data from LANDESK (for Windows), JAMF (for Macs), and Google MDM (for mobile devices) currently, with plans for osquery in the future.
- dropbox/securitybot: Building on an idea from Ryan Huber of Slack from a year ago on Distributed Security Alerting, Dropbox has released a tool where alerts that normally would go only to the security team are also sent to the individual responsible for the alert to ask why they did what they did as a way of reducing and helping to prioritize the alerts that the security team needs to review.
- Update: This idea comes originally from Diogo Mónica at Square at the time (link).
- spotify/Google Cloud Security Toolbox: Spotify released two tools for Google Cloud. The first called GCP Audit is similar to nccgroup/Scout2 or Netflix/security_monkey which are tools to audit Amazon Web Service accounts, but this tool is for Google Cloud. The second tool GCP-Firewall-Enforcer helps the security team maintain control of firewall policies while allowing for reviews by network specialists.
- gaasedelen/lighthouse: Plugin for IDA Pro to to map, explore, and visualize externally collected code coverage data using DynamoRIO's drcov.
- blockade.io: Chrome browser extension to block malicious resources from being viewed or loaded, by using threat intelligence from multiple sources and analysts.
- kholia/OSX-KVM: Project to run Mac OS X El Capitan and macOS Sierra on QEMU/KVM
- putty 0.68: The Windows ssh tool finally has DEP, ASLR, and an x64 version.
- kwin/macdependency: MacDependency shows all dependent libraries and frameworks of a given executable, dynamic library or framework on Mac OS X, similar to the Windows tool Depends.
Conference materials and publications
- BSides NOVA videos: Conference near DC this week.
- Fun with incident response on Twitter: Ryan McGeehan has started a twitter account @badthingsdaily of fictitious incidents based on real world incidents to open discussion for your own company on how you would respond and what you could do to avoid it. You'll likely have little heart-attacks if you follow this account as you see it's tweets in your feed and then realize these are just scenarios to consider. However, many of these tweets reflect current infosec events so you might actually need to respond to the incidents it mentions.
- SMTP over XXE − how to send emails using Java's XML parser: This post shows how similarities in the FTP and SMTP protocols can be abused to send emails with Java's FTP client code when it parses XML files. The same author also has an interesting post this week on Fingerprinting Firefox users with cached intermediate CA certificates.
- The Challenges of Deploying Security Mitigations: Trail of Bits compares clang's implementation of control flow integrity (CFI) against Visual Studio's Control Flow Guard (CFG), concluding that clang's CFI is more secure, but too strict to easily apply to some code bases and cannot be applied progressively like Visual Studio's CFG.
- Operation BugDrop: A malware campaign targeting Ukraine was discovered that uses the microphone to listen in on conversations and exfiltrates data via DropBox.