Weekly infosec news summary for 2017.02.26 – 2017.03.05
"Now that InfoSec has society-wide impact like law and medicine, we need to absorb their ideals on pro bono and universal access." Alex Stamos with regard to helping at local domestic violence centers
This week I released the flAWS challenge at flaws.cloud which teaches lessons related to AWS security including common mistakes, attack techniques, and other concepts to help pentesters, devops, and defenders (link). It has been quite popular, with over 8K unique IPs hitting it and 2.5M GET requests in the first week. Most of those GET requests are due to automated tools against it, which will not be useful for the challenge.
- NY Cybersecurity Regulation in Effect: New York State's Cybersecurity Requirements for Financial Services Companies went into effect on March 1, with a 180-day transitional period for companies to comply. Among other requirements, covered entities must conduct a risk assessment to identify and evaluate cybersecurity risks to the organization, designate a CISO, perform annual pentests, enforce certain controls, and report cybersecurity incidents to the state's Department of Financial Services (DFS) within 72 hours.
- Yahoo CEO Marissa Mayer to receive no bonus due to breaches: In Yahoo's 10-K filing to the SEC it was announced that "In response to the Independent Committee's findings related to the 2014 Security Incident, the Board determined not to award to the Chief Executive Officer a cash bonus for 2016 that was otherwise expected to be paid to her. In addition, in discussions with the Board, the Chief Executive Officer offered to forgo any 2017 annual equity award given that the 2014 Security Incident occurred during her tenure and the Board accepted her offer." The General Counsel (i.e. the head lawyer) resigned, and the filing states "No payments are being made to Mr. Bell in connection with his resignation", meaning he isn't being given a golden parachute. This follows the news from Feb 21 that Verizon, which is acquiring Yahoo, has cut its price by $350M to account for the breach disclosures (link).
- marumari/laboratory: Firefox extension to help create Content Security Policy (CSP) headers. See this video for more.
- Professor-plum/Reflective-Driver-Loader: Waylon Grange released code to load a Windows kernel driver directly into memory, based on Stephen Fewer's Reflective DLL injection technique.
- bbva/odsc: Open Security Dependency Checker Service addresses the problem that there are many different tools for finding vulnerable third-party dependencies, each covering only some languages, and no single tool works well across all of them. It picks the most suitable tool for each language and returns the results in one unified format.
- gargoyle: A technique for hiding all of a program’s executable code in non-executable memory.
Conference materials and publications
- RSA videos: RSA is a vendor-focused conference held in San Francisco in mid-February. There are over 200 videos, 13 of them keynotes. This is not a conference for announcing new research; the talks are aimed at explaining things to the C-suite, so they are business-focused and buzzword-heavy.
- Securi-Tay videos: This conference at Abertay University in Scotland was held last week.
- Bad Medicine: Contraindications of Bug Bounty Programs: This 16-minute presentation from LinkedIn's CISO Cory Scott discusses the problems of bug bounty programs. He describes the perverse incentives that arise when researchers focus on maximizing payouts rather than on improving security, and argues that, despite the hype around bug bounties, they should be a much lower priority than other security investments.
- Remote Code Execution as Root via ESET Endpoint Antivirus 6: The ESET antivirus product for macOS bundles an outdated, vulnerable open-source XML parsing library. When the product validates its license over HTTPS, the service does not validate the server's TLS certificate, so an attacker on the network path can impersonate the license server and return crafted XML to the vulnerable parser, getting code execution as root.
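The failure described above, a client that skips certificate validation, in added example code (Python, written for this summary; it is not ESET's code and not from the original post). The first context is the weak configuration, the second the corrected one, and audit_client_context, a helper written here, flags the two settings that make an on-path attacker able to impersonate the server. The license URL passed to fetch_license is a placeholder; no network request is made when the script runs.

```python
import ssl
import urllib.request


def insecure_license_context():
    """The weak configuration: no CA check and no hostname check.
    Any certificate, including one minted by a MiTM, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_license_context():
    """The corrected configuration: system CA store, hostname match, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx):
    """Return the settings that would let an on-path attacker impersonate the server."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: server certificate chain is never checked")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate is not matched against the host")
    return findings


def fetch_license(url, ctx, timeout=10):
    """Perform the license request with the given context (network call; not run by default).
    With the insecure context a MiTM can answer this request with whatever XML it likes."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_license_context()),
                      ("hardened", hardened_license_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```

The same two checks apply to any language's TLS client: look for the equivalents of CERT_NONE and check_hostname=False (for example, a custom verify callback that always returns true) in code that talks to a license or update server, because that is exactly the code that runs with high privilege.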
- Upcoming Windows 10 Feature Lets Users Block Installation of Win32 Apps: An upcoming Windows 10 build will let administrators block the installation of Win32 apps, so that only apps from the Windows Store can be installed.
- Operation Rosehub: 50 Google employees have been working to fix the Apache Commons Collections deserialization vulnerability, which affects thousands of open source projects, by sending pull requests to those projects to move them off the vulnerable versions of the library.
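The check behind both odsc and Operation Rosehub is the same: walk a project's declared dependencies and flag versions below the fix. As an added example (Python, written for this summary; not odsc's code and not Google's), this is that check for one ecosystem, Maven pom.xml files. The fixed versions (commons-collections 3.2.2 and commons-collections4 4.1, the releases that disabled the unsafe serialization by default) are taken from the Apache Commons Collections release notes; the two sample poms are constructed for the example, and the handling of ${property} versions and dependencyManagement is a simplification of real Maven resolution (parent poms and BOMs are not followed).

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# First release of each artifact with the unsafe deserialization disabled by default.
FIXED_VERSIONS = {
    ("commons-collections", "commons-collections"): (3, 2, 2),
    ("org.apache.commons", "commons-collections4"): (4, 1),
}


def parse_version(text):
    """'3.2.1-SNAPSHOT' -> (3, 2, 1); non-numeric suffixes are dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def _text(elem, tag):
    value = elem.findtext("m:" + tag, namespaces=NS)
    return value.strip() if value else None


def _resolve(version, props):
    """Expand a ${property} reference against the pom's <properties>."""
    if version and version.startswith("${") and version.endswith("}"):
        return props.get(version[2:-1])
    return version


def _dependencies(parent):
    return parent.findall("m:dependencies/m:dependency", NS) if parent is not None else []


def check_pom(pom_xml):
    """Return (groupId, artifactId, version, message) for each risky dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}", 1)[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    # Versions pinned in <dependencyManagement> apply to dependencies that omit one.
    managed = {}
    for dep in _dependencies(root.find("m:dependencyManagement", NS)):
        key = (_text(dep, "groupId"), _text(dep, "artifactId"))
        managed[key] = _resolve(_text(dep, "version"), props)
    findings = []
    for dep in _dependencies(root):
        key = (_text(dep, "groupId"), _text(dep, "artifactId"))
        if key not in FIXED_VERSIONS:
            continue
        version = _resolve(_text(dep, "version"), props) or managed.get(key)
        fixed = FIXED_VERSIONS[key]
        if version is None:
            findings.append(key + (None, "version not declared in this pom; check parent or BOM"))
        elif parse_version(version) < fixed:
            findings.append(key + (version, "vulnerable; upgrade to %s" % ".".join(map(str, fixed))))
    return findings


# Constructed sample poms, not from any real project.
VULNERABLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <properties><cc4.version>4.0</cc4.version></properties>
  <dependencies>
    <dependency><groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId><version>3.2.1</version></dependency>
    <dependency><groupId>org.apache.commons</groupId>
      <artifactId>commons-collections4</artifactId><version>${cc4.version}</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version></dependency>
  </dependencies>
</project>"""

PATCHED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1.1</version>
  <dependencyManagement><dependencies>
    <dependency><groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId><version>3.2.2</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>commons-collections</groupId><artifactId>commons-collections</artifactId></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for name, pom in (("vulnerable", VULNERABLE_POM), ("patched", PATCHED_POM)):
        print(name, check_pom(pom) or "clean")
```

Run it over the poms in a repository before sending the upgrade pull request; a dependency reported as "version not declared" means the answer lives in a parent pom or BOM that this checker does not follow.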
- Analyze Security, Compliance, and Operational Activity Using AWS CloudTrail and Amazon Athena: Amazon shows how to use its new Athena product, which provides SQL querying over files stored in S3, against CloudTrail data, the log of API calls made in an AWS account. I'm unsure what to think of this, as it doesn't look very user friendly or cost effective (it's $5/TB scanned), but it's potentially a useful building block, or a way to extract the more useful data out of the logs into another tool.
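As an added example of that last idea, pulling the useful rows out of CloudTrail for another tool, here is a small triage pass in Python (written for this summary; it is not AWS's code and not from the original post). The field names (eventTime, eventName, eventSource, userIdentity, sourceIPAddress, errorCode, additionalEventData.MFAUsed) are CloudTrail's own schema, and load_trail_file reads the gzipped JSON objects CloudTrail delivers to S3; the rules, thresholds and the list of sensitive calls are choices made for this example, and the records in SAMPLE_RECORDS are constructed, not real logs.

```python
import gzip
import json
from collections import Counter

# API calls whose success is worth a look regardless of who made them (example choice).
SENSITIVE_CALLS = {
    "PutBucketAcl", "PutBucketPolicy", "AuthorizeSecurityGroupIngress",
    "CreateUser", "CreateAccessKey", "AttachUserPolicy", "StopLogging", "DeleteTrail",
}
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}
DENIED_THRESHOLD = 3   # denied calls per principal before it counts as a burst


def load_trail_file(path):
    """CloudTrail delivers gzipped JSON objects with a top-level 'Records' list."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def principal(record):
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def triage(records, denied_threshold=DENIED_THRESHOLD):
    """Return (rule, eventTime, principal, detail) tuples worth forwarding to another tool."""
    findings = []
    denied = Counter()
    for rec in records:
        who = principal(rec)
        name = rec.get("eventName", "")
        when = rec.get("eventTime", "")
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append(("root_activity", when, who, name))
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("console_login_without_mfa", when, who, rec.get("sourceIPAddress", "")))
        if name in SENSITIVE_CALLS and not rec.get("errorCode"):
            findings.append(("sensitive_change", when, who, name))
        if rec.get("errorCode") in DENIED_CODES:
            denied[who] += 1           # enumeration by a scanner shows up here
    for who, count in denied.items():
        if count >= denied_threshold:
            findings.append(("access_denied_burst", "", who, "%d denied calls" % count))
    return findings


def summarize(findings):
    """Count findings per rule, handy for a dashboard or a quick sanity check."""
    return dict(Counter(rule for rule, *_ in findings))


# Constructed records in CloudTrail's schema, not real logs.
_ACCT = "123456789012"
_SCANNER = {"type": "AssumedRole", "arn": "arn:aws:sts::%s:assumed-role/scanner/i-0abc" % _ACCT}
SAMPLE_RECORDS = [
    {"eventTime": "2017-03-01T08:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::%s:user/bob" % _ACCT},
     "sourceIPAddress": "203.0.113.7", "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-03-01T08:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::%s:user/alice" % _ACCT},
     "sourceIPAddress": "198.51.100.2", "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2017-03-01T09:00:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::%s:root" % _ACCT}, "sourceIPAddress": "198.51.100.9"},
    {"eventTime": "2017-03-01T10:00:01Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": _SCANNER, "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"},
    {"eventTime": "2017-03-01T10:00:02Z", "eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy",
     "userIdentity": _SCANNER, "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"},
    {"eventTime": "2017-03-01T10:00:03Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": _SCANNER, "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"},
    {"eventTime": "2017-03-01T11:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::%s:user/alice" % _ACCT},
     "sourceIPAddress": "198.51.100.2"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
    print(summarize(triage(SAMPLE_RECORDS)))
```

Point load_trail_file at the objects under a trail's S3 prefix and feed the output to whatever you already alert from; the per-principal AccessDenied count is the rule that would have lit up for the automated tools hammering flaws.cloud, and the Root and StopLogging rules catch the things an Athena query is too slow to be the first line for.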
- 0patching a 0-day: Windows gdi32.dll memory disclosure (CVE-2017-0038): Microsoft, for reasons it has not explained, did not release patches in February. Google's Project Zero disclosed an unpatched memory disclosure in IE (link) once it passed the 90-day disclosure window. In this post 0patch, a platform and marketplace for patches that don't come from the vendor, describes how a patch was built for it. The article itself isn't that interesting, but the concept and business model are potentially valuable: this is a case where a known vulnerability (only a memory disclosure) exists in the wild without a vendor patch, but a third-party patch is available.
- 2017 visual studio code workspace settings code execution: This vuln could be exploited by having the victim clone a git repo and open it in Visual Studio Code, resulting in RCE. Vulnerabilities against developer tools like this are somewhat unnecessary, because chances are that if a developer is cloning a git repo they are going to compile and run whatever is in it anyway. It is interesting, though, because IDEs such as Visual Studio Code and Atom seem to be relatively unexplored territory for vulns, they are becoming more complex, and having them exploited could be very impactful to organizations.
- Jamf Pro Hotfix: JAMF suddenly warned its customers via email and a forum post about a security hotfix to be released, then released it 24 hours later, but has not given any indication of what it fixes. This is not normal for JAMF, and given what JAMF does (controls deploying software to all the Macs in an organization) it has people a little scared.
- S3 outage: On the morning of February 28th an AWS employee mistyped a command, causing a cascade of problems that took S3 down in the us-east-1 region, which in turn broke other AWS services and caused a large number of Internet sites to have problems. It took a few hours for AWS to recover, and a little longer for most other sites, as many had queued operations to work through. S3 is designed for 99.999999999% durability (meaning not losing files), but its stated expected availability is only 99.99% (four 9's), meaning it is expected to be down for a total of roughly an hour (52.6 minutes) per year. This event exceeded that, but S3's actual SLA (link) is 99.9% (three 9's) per month, meaning up to 43 minutes of downtime per month before they'll credit you 10% of your S3 bill, or 99% (two 9's) per month, meaning about 7 hours of downtime per month, before they'll credit you 25%. Getting a few dollars off your bill is not going to make you feel better about the business you likely lost, although you can take solace in the fact that most of the rest of the Internet was down as well. This incident is a good reminder to do disaster recovery planning and to avoid being completely reliant on AWS for your business, with plans and the capability to switch cloud providers in the event of a disaster. Ask yourself questions such as: what if AWS was down for a week? What if they lost files?