Weekly infosec news summary for 2017.04.16 – 2017.04.23

Quotes

“To this day I always test bugs without a debugger. 100 miles worth of lessons learned.” Laughing_Mantis

“I have a rule that any protocol that has ‘Simple’ in the acronym isn’t, like ‘People’s Democratic Republics’ aren’t.” hillbrad

“We’re seeing an actor using a lure about an overdue library book to deliver ransomware. That seems particularly evil.” Sherrod DeGrippo

“It should now be incredibly obvious to everyone that we’re moving to flat, unsegmented networks and authZ happening at Layer 7. Network-based solutions for segmentation/authorization/IDS/IPS/DLP/whatever have their days numbered. […] If an IDS can read your traffic, you’re already not doing the right thing.” Diogo Mónica

Business

• Tanium and Cylance issues: Tanium and Cylance have separately been in the news for various issues in the past month for negative reasons. Cylance supposedly laid off 20% of their workforce, their CTO resigned, and most recently they manipulated the testing of their product by creating their own malware that they could detect, but others could not. Tanium on the other hand has had 9 senior executives leave in the past 8 months, fires workers before they can collect stock options, and the CEO allegedly insults employees in staff meetings for being fat and other reasons (link). The most distressing news from Tanium is their unauthorized use of a customer network (a hospital) for sales demos (link). These issues aren’t good, but it’s interesting seeing a sudden wave of negative PR against them. For example the Tanium demo issue was from 2015, but written about this week.

Tools

• uber/focuson: Experimental static analysis tool for Python to try to identify areas of code that should be investigated with a good signal to noise ratio, with some similarities to github.com/python-security/pyt

Conference materials and publications

• Black Hat 2017 keynote video: Thomas Dullien (Halvar Flake) presents “Why We are Not Building a Defendable Internet”.
• BSides Lisbon keynote video: Dan Guido from Trail of Bits presents “The Smart Fuzzer Revolution”.

Other reads

• Delegated Account Recovery: In January, Facebook and Github announced collaboration on a concept called Delegated Account Recovery where if you forget/lose your login credentials to Github, but still maintain your Facebook access, then you could recover your Github account via Facebook. They’ve now open-sourced their implementations (github, facebook).
• Phishing with Unicode Domains: Using Punycode, it was possible to register domains and SSL certs that look like legitimate domains when viewed in Chrome or Firefox. Chrome’s latest release this week fixes this issue.