Weekly infosec news summary for 2017.03.05 – 2017.03.12
"The Defense Department can also drop a JDAM on your house or drive an Abrams over your car. Capability vs intent." Adam Rawnsley, on WikiLeaks' rabble-rousing claim that the CIA can listen in on you through your smart TV
"You are going to be phished long before you are going to be hit with CIA 0days. Enable 2FA and get a password manager." the grugq
WikiLeaks dumps "Vault 7: CIA Hacking Tools Revealed"
WikiLeaks released a trove of information from the CIA's hacking group (link to WikiLeaks). Despite WikiLeaks trying to mischaracterize this information, this dump was uninteresting. WikiLeaks made claims that the CIA can "bypass the encryption of WhatsApp, Signal, Telegram" and other encrypted communication apps, but really what they meant was that the CIA can exploit the device via other means and therefore see the unencrypted text once it's decrypted on the device. They also tried to make claims of the CIA interfering in the French elections or trying to attribute their own actions to Russia, but the released data do not support those claims.
The CIA dump was newsworthy for only two reasons. First, it showed that the CIA had been compromised at some point. Second, it was interesting for how uninteresting it was. There were no disclosures of magic or unexpected capabilities. This lack of revelations gives confirmation of many assumptions, such as that encryption of communication apps is actually effective.
Zero Days, Thousands of Nights
Lillian Ablon at RAND obtained access to a dataset of over 200 0-days spanning 14 years (2002–2016) and wrote a 100+ page paper on it (link). Where the data come from is unknown, but they appear to come from a government organization that finds and purchases 0-days and uses them with a high degree of professionalism. Insights from private conversations with exploit vendors and vuln research teams are also incorporated into the paper. The exploits target a variety of OSes (including Windows, OS X, Android, FreeBSD, Solaris), use a variety of techniques (SQLi, stack overflows, etc.), and target a variety of vendors (including Mozilla, Linksys, Google, Citrix, AOL, Ethereal, Adobe, Alt-N Technologies, CryptoCat, and RealPlayer). The paper is primarily focused on the political questions around "stockpiling" exploits, but it gives insights into the exploit market. Some of the key findings:
- Exploits and their underlying vulns have a rather long average life expectancy (6.9 years).
- For a given set of zero-day vulns, after a year, less than 6% are discovered by an outside entity.
- 25% of discovered vulns will not survive for more than a year and a half, due to code refactoring and other killers.
- There are no vulnerabilities that are "stronger" or "weaker" than others in terms of resilience to being discovered and disclosed. Therefore, it may be most efficient and cost-effective to develop an exploit for whatever vulnerability is easiest to find or whatever vulnerabilities are most effective.
- The majority of the cost of a zero-day exploit does not come from labor, but rather from the value inherent in them and the lack of supply. That said, top-tier exploit developers make "mid-to-high six-figures", so as a business it is difficult to remain profitable ("One company told us that 2015 was a negative payout from revenue, yet they continued to develop exploits because it is 'a labor of love' that provides satisfaction beyond compensation"). Companies therefore switch to service models such as pentesting, or offset the costs by also engaging in such businesses.
- CA Technologies to acquire Veracode for $614M: The large B2B software company CA Technologies purchased the static code analysis company Veracode. Veracode had previously announced in March 2015 (two years ago) that it was planning on IPO'ing, having most recently raised a Series F for a total of $110M in funding at the time. It never filed a public S-1, though, and the market wasn't receptive to tech IPOs at the time, so that news fizzled.
- Home Depot to pay $25M in settlement for its 2014 breach: Back in 2014, on the heels of the Target breach, Home Depot was also breached. The settlement also requires Home Depot representatives to make annual on-site visits to vendors that have access to payment card information, to ensure those vendors comply with Home Depot's security practices.
- Consumer Reports to consider cyber security in product reviews: The draft of standards these products will be evaluated against is here.
- Acra: Open-source PostgreSQL database proxy that lets front-end application code selectively encrypt data with a set of encrypt-only keys, so the application can write protected records but cannot read them back without the proxy.
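To make the "encrypt-only key" idea concrete, here is an added example (not Acra's own code, and the blob layout is a constructed format chosen for the illustration): the application is given only a P-256 public key, wraps each record with an ephemeral ECDH key and AES-GCM, and the proxy, the sole holder of the private key, is the only party that can open the result. A plain SHA-256 stands in for a real KDF, which is an assumption for the example. If the application or a database dump is compromised, the attacker holds ciphertext and a public key, nothing more.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed illustration of an "encrypt-only" key (not Acra's code).
// Blob layout (constructed format): ephemeral public key || nonce || AES-GCM ciphertext+tag.
const (
	pubLen   = 65 // uncompressed P-256 point
	nonceLen = 12 // AES-GCM standard nonce
	tagLen   = 16 // AES-GCM tag
)

// sessionKey derives an AES-256-GCM cipher from the ECDH shared secret.
// SHA-256 stands in for a real KDF here (assumption for the example).
func sessionKey(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is all the application side needs: it holds only the decryptor's public key.
func Encrypt(decryptorPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(decryptorPub)
	if err != nil {
		return nil, err
	}
	aead, err := sessionKey(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, eph.PublicKey().Bytes()...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, nil), nil
}

// Decrypt requires the private key, which only the proxy holds.
func Decrypt(decryptorPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < pubLen+nonceLen+tagLen {
		return nil, errors.New("blob too short")
	}
	ephPub, err := ecdh.P256().NewPublicKey(blob[:pubLen])
	if err != nil {
		return nil, err
	}
	shared, err := decryptorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := sessionKey(shared)
	if err != nil {
		return nil, err
	}
	nonce := blob[pubLen : pubLen+nonceLen]
	return aead.Open(nil, nonce, blob[pubLen+nonceLen:], nil)
}

// RoundTrip encrypts with the public key, decrypts with the matching private
// key, and confirms that an unrelated private key is rejected by the GCM tag.
func RoundTrip(msg string) (recovered string, wrongKeyRejected bool, err error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return "", false, err
	}
	blob, err := Encrypt(priv.PublicKey(), []byte(msg))
	if err != nil {
		return "", false, err
	}
	pt, err := Decrypt(priv, blob)
	if err != nil {
		return "", false, err
	}
	other, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return "", false, err
	}
	_, badErr := Decrypt(other, blob)
	return string(pt), badErr != nil, nil
}

func main() {
	pt, rejected, err := RoundTrip("cardholder record (constructed sample)")
	fmt.Printf("recovered=%q wrongKeyRejected=%v err=%v\n", pt, rejected, err)
}
```

The design point is key separation: the write path and the read path use different key material, so the blast radius of an application compromise is limited to ciphertext, and the private key can live on a narrower, better-monitored host.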
- groob/moroz: The only option for implementing application whitelisting on macOS that is worth considering is Google's open-source Santa project, but unfortunately Google only released the client-side component and not the server side. Until now your only option for the server side was Zentral, which also acts as a server for Facebook's osquery. This minimal project, moroz, provides an alternative Santa server.
Conference materials and publications
- USENIX Enigma slides and videos: Conference in Oakland (next to San Francisco) at the end of January.
- Google Cloud Next videos: Over 200 videos of presentations from Google's conference focused on customers of not only Google Cloud, but also G Suite, and other topics related to Google products. Many of these are security focused such as Google Infrastructure Security Design and Gaining full control over your organization's cloud resources.
- How I found a $5,000 Google Maps XSS (by fiddling with Protobuf): This bug bounty researcher figured out that the URLs associated with Google Maps use Protobuf encodings. These had not been previously audited, and he was able to use that to get XSS.
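The write-up above is about data that reaches the page through an encoding the escaping layer never looked at. As an added example (not the researcher's code and not Google's), the block below decodes protobuf's binary wire format from a URL parameter without a schema, checking every length against the remaining buffer, and then applies the one step that prevents the bug class: HTML-escaping the decoded string field before it is rendered. The message layout (field 1 a varint, field 2 a user-controlled label) and the base64url transport are assumptions for the illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"html"
)

// Field is one decoded protobuf wire-format entry.
type Field struct {
	Number   int
	WireType int
	Varint   uint64 // wire type 0
	Bytes    []byte // wire types 1, 2 and 5
}

// DecodeWire walks a raw protobuf message without a schema. Because the
// bytes come from a URL, every length is bounds-checked before slicing.
func DecodeWire(buf []byte) ([]Field, error) {
	var fields []Field
	for len(buf) > 0 {
		tag, n := binary.Uvarint(buf)
		if n <= 0 {
			return nil, errors.New("malformed tag varint")
		}
		buf = buf[n:]
		f := Field{Number: int(tag >> 3), WireType: int(tag & 7)}
		switch f.WireType {
		case 0: // varint
			v, n := binary.Uvarint(buf)
			if n <= 0 {
				return nil, errors.New("malformed value varint")
			}
			f.Varint, buf = v, buf[n:]
		case 1, 5: // fixed64 / fixed32
			size := 8
			if f.WireType == 5 {
				size = 4
			}
			if len(buf) < size {
				return nil, errors.New("truncated fixed-width field")
			}
			f.Bytes, buf = buf[:size], buf[size:]
		case 2: // length-delimited: strings, bytes, nested messages
			l, n := binary.Uvarint(buf)
			if n <= 0 || l > uint64(len(buf)-n) {
				return nil, errors.New("length-delimited field overruns buffer")
			}
			buf = buf[n:]
			f.Bytes, buf = buf[:l], buf[l:]
		default:
			return nil, fmt.Errorf("unsupported wire type %d", f.WireType)
		}
		fields = append(fields, f)
	}
	return fields, nil
}

// Encoders used only to build the constructed sample input.
func encodeVarint(num int, v uint64) []byte {
	out := binary.AppendUvarint(nil, uint64(num<<3))
	return binary.AppendUvarint(out, v)
}

func encodeString(num int, s string) []byte {
	out := binary.AppendUvarint(nil, uint64(num<<3|2))
	out = binary.AppendUvarint(out, uint64(len(s)))
	return append(out, s...)
}

// SampleParam builds a constructed URL parameter: field 1 = zoom level,
// field 2 = a user-controlled label (assumed layout for this example).
func SampleParam(label string) string {
	msg := append(encodeVarint(1, 12), encodeString(2, label)...)
	return base64.RawURLEncoding.EncodeToString(msg)
}

// RenderLabel decodes the parameter and returns an HTML fragment. The
// html.EscapeString call is the fix: a decoded protobuf string is still untrusted input.
func RenderLabel(param string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(param)
	if err != nil {
		return "", err
	}
	fields, err := DecodeWire(raw)
	if err != nil {
		return "", err
	}
	for _, f := range fields {
		if f.Number == 2 && f.WireType == 2 {
			return "<span>" + html.EscapeString(string(f.Bytes)) + "</span>", nil
		}
	}
	return "", errors.New("label field missing")
}

func main() {
	out, err := RenderLabel(SampleParam("<script>x</script>"))
	fmt.Println(out, err)
}
```

The lesson for a code review is that output encoding must sit at the point of rendering, not at the point of input parsing: a decoder that is added later for a new serialization format otherwise bypasses every sanitizer written for the old one.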
- New Apache Struts2 0-day Under Attack: The Apache Struts library is widely used and contains a vulnerability that allows RCE by placing code in the Content-Type header of an HTTP request. Talos describes some of the malicious requests they're seeing in the wild. An example exploit is here.
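Because the malicious input lives in a header that is normally a plain media type, it is easy to spot at a reverse proxy or in request logs. The block below is an added detection example (not Talos's rules and not the exploit): it flags Content-Type values that contain expression-language markers, or that fail to parse as a media type at all, using only the Go standard library. The header lines are constructed samples, not real traffic.

```go
package main

import (
	"fmt"
	"mime"
	"regexp"
	"strings"
)

// Constructed sample header lines; none is real traffic.
var sampleHeaders = []string{
	"Content-Type: application/x-www-form-urlencoded",
	"Content-Type: multipart/form-data; boundary=----constructedBoundary",
	"Content-Type: text/html; charset=utf-8",
	"Content-Type: %{(1+1)}",
	"Content-Type: ${1+1}",
}

// Expression-language markers; a legitimate media type never contains them.
var exprMarker = regexp.MustCompile(`[%$]\{`)

// IsSuspiciousContentType returns true when the value contains expression
// markers or is not a syntactically valid media type.
func IsSuspiciousContentType(value string) bool {
	value = strings.TrimSpace(value)
	if exprMarker.MatchString(value) {
		return true
	}
	_, _, err := mime.ParseMediaType(value)
	return err != nil
}

// FlagHeaders scans "Content-Type: ..." lines and returns the suspicious ones.
func FlagHeaders(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		name, value, ok := strings.Cut(line, ":")
		if !ok || !strings.EqualFold(strings.TrimSpace(name), "Content-Type") {
			continue
		}
		if IsSuspiciousContentType(value) {
			flagged = append(flagged, line)
		}
	}
	return flagged
}

func main() {
	for _, l := range FlagHeaders(sampleHeaders) {
		fmt.Println("suspicious:", l)
	}
}
```

Detection is a stopgap; the fix is upgrading Struts. The strict media-type check is the more durable of the two tests, since it rejects any payload shape rather than one signature, at the cost of also rejecting clients that send malformed but harmless headers, which is worth measuring before enforcing in blocking mode.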