Downclimb

2017.04.02

RSS feed

Weekly infosec news summary for 2017.03.26 – 2017.04.02

Quotes

“Good defense in information security isn’t about detecting overtly bad actions, it is about detecting the lead up to them.” Ryan Huber

 

“‘Just switch to a safer programming language!’ Is the infosec advice equivalent of ‘Just stop being poor!’” Don A. Bailey‏

Conference materials and publications

  • Black Hat Asia slides: Conference this past week in Singapore.
    • Hello from the Other Side: One of the more popular talks from this conference involved being able to run an ssh session between two AWS EC2 instances using a cache based covert channel. What this means is if an attacker gets RCE on your EC2, and your EC2 has its network communications locked down, and the attacker manages to get another EC2 running on the same physical hardware, then he could exfil data or otherwise communicate between the two EC2’s even though they aren’t supposed to be able to talk to each other. They include a video where they play a video on one EC2 that is stored on the other EC2 without any network traffic between them. They used dedicated EC2s which are EC2s that run on the same hardware and aren’t used by any other customers for compliance reasons, but this trick has been known about for a while, and is possible on non-dedicated EC2’s, although it takes some luck (and also some real-time knowledge of when the victim is spinning up instances, the attacker spinning up a few thousands instances to try to land on the same hardware, and some ability to identify when you happen to be on the same instances). The main advancement of this talk was improving the speed of the communication, and being able to show a better visual representation of what is happening. Given that an attacker needs RCE and the luck of running on the same hardware (which will be hard for them to determine), and that they are running blind, this attack should not raise too many concerns, but it is good to know about.
  • MacADUK videos: Mac Admin UK is a conference in London in early February that includes a number of talks relevant to securing Macs.

Tools

  • hteso/iaito: A GUI for the reversing tool radare2.
  • atlassian/localstack: A fully functional local AWS cloud stack for creating unit tests.
  • Monitor.app: Freeware GUI tool from FireEye for macOS to monitor and search through process execution events, file creates, network activity, and more.

Other reads

  • Lessons Learned in Detection Engineering: Ryan McGeehan (Magoo) discusses best practices for intrusion detection and response, highlighting projects from the various companies that are doing this well and talking about it.
  • Dimnie targeting owners of Github repos: Owners of github repos are being targeted with malicious email campaigns. The original Russian targeted campaign had text “I found your software is online. Can you write the code for my project? Terms of reference attached below. The price shall discuss, if you can make.” The more recent campaigns cleaned up the English a bit and expanded the targets with the text “I saw your GitHub repo and i’m pretty amazed. […] Please take a look into attachment to find details about company and job. Dont hesitate to contact me directly via email highlighted in the document below.” The attached document is a malicious Word document with macros that call powershell code, so this is initially targeting Windows systems. Targeting open-source developers leads to the possibility of backdooring or trojaning repos or executables. We are likely moving to a time when we need to disable auto-updates on all software and consider the vetting processes for applying updates.
  • LastPass: global properties can be modified across isolated worlds, allowing remote code execution: Tavis Ormandy again finds a bug in LastPass. Realize that the value of these bug reports and why I include them in Downclimb has nothing to do with LastPass, but rather the bug categories that Tavis is exposing. His bug report is like a tutorial that explains a lot about how extensions should work and the bugs they can have.
  • Incorporating AWS Security Best Practices Into Terraform Design: ThreatStack post on setting up an AWS environment, using Terraform, securely.
  • How Azure Security Center helps reveal a Cyberattack: This article from Azure shows how Microsoft is monitoring the servers in their cloud environment to alert their customers of security issues. This looks like a useful add-on service, and an interesting differentiator from AWS’s hands-off approach which has no access or insight into the instances running on its cloud.
  • Why you shouldn’t use ENV variables for secret data: This brief post from Diogo Monica explains how storing and passing secrets via environment variables should be avoided, and instead use secret management solutions.
  • Apple updates: Apple released security updates for macOS Sierra 10.12.4 and iOS 10.3.
  • IIS 6.0 exploit for Windows Server 2003 R2: This remote exploit was found being used in the wild against the out-dated IIS web server. It’s a classic buffer overflow with an alphanumeric shellcode, using a ROP chain. According to Shodan there are over 600K publicly accessible IIS 6.0 servers. This exploit does however require that WebDAV is enabled, so it is estimated that only 60K are impacted. There is no official patch for this because Microsoft ended support for Windows 2003 nearly 2 years ago. These stats, and an unofficial patch, are provided by 0patch.
  • Escaping a Python sandbox with a memory corruption bug: This article goes into exploiting a service that allows you to upload, and have executed, arbitrary python code, which they attempt to sandbox. Allowing someone to upload arbitrary code to have executed is a very hard thing to secure. What I liked about the article was the paragaph about how the researcher went looking for a vuln to exploit “Perhaps I should run a distributed network of AFL fuzzers? Or a symbolic execution engine? Or maybe I should scan them with a state of the art static analysis tool? Sure, I could have done any of those things. Or I could have just queried the bug trackers.” He then shows screen shots of github project searches of issues with the phrases “segmentation fault” and “segfault”.
  • APT29 Domain Fronting With TOR: This FireEye report discusses how the adversary installed what looks like Google Drive and it calls out to google.com, but the executable is actually malware and the communications are using domain fronting so although the traffic goes to google.com, it then gets sent to the C&C server. This is a very stealthy technique, but luckily for defenders, it also does some very noisy things, like change the Sticky Keys files, installed Tor services, and enabled Terminal Services.
  • Tabletops for Bug Bounty: Ryan McGeehan discusses some scenarios that can come up when you run a bug bounty program related to the interactions with the bug bounty researchers. This post reads well for people considering starting a bug bounty program alongside HackerOne’s recent Bug Bounty Field Manual, which discusses how to start and run a bug bounty program, without touching on these more difficult people problems that Ryan mentions.
  • Two Bugs, One Func(): Patrick Wardle walks through debugging a crash due to a kernel bug in macOS and reporting it to Apple.