Downclimb

2017.05.28

Weekly infosec news summary for 2017.05.21 – 2017.05.28

Quotes

“In Microsoft C++ there are inline, _inline, __inline, _forceinline and __forceinline specifiers, and none of them guarantees inlining.” Vladimir Reshetnikov

“Theory: you can find any relationship you want between malware samples. Example: I found 2 big equal functions between Winnti and WannaCry.” Joxean Koret

Top stories

Samba exploit

With similarities to the exploit used by the WannaCry ransomware worm, this week a vuln in Samba, the file sharing service for Linux and other Unix systems, was announced (link). An exploit for it was quickly added to the Metasploit project (link). This seven-year-old vuln can be reliably exploited with only a single line of code.

Border crossings and travel mode

Some services, such as 1Password, now offer a Travel Mode to ensure that passwords to services are not accessible during periods such as border crossings (link). All it does is let you avoid showing which accounts you have in the app. Similarly, a few weeks ago Basecamp released a travel guide for its employees crossing borders (link). Being asked to unlock devices is happening not just at the US border, but at other countries’ borders as well.

Both 1Password and Basecamp assume that you can prepare for a situation in which you will be forced to unlock your device, since you can plan for your border crossing. However, being forced to provide access to a service is a more general problem. What if the person gets across the border, re-enables their services, and is then forced to unlock their devices? Or maybe they are simply kidnapped in their own country by some criminal group. Maybe they are not just made to unlock the device, but are forced to pull down a copy of a database or take some other action, in which case it is your actual employee doing these things, which makes it more of an insider threat problem. Under these considerations, the need for segmentation, least privilege, and two-man rules becomes more important.

Tools

  • Istio: Google, IBM, and Lyft released an open-source project to connect, secure, manage and monitor microservices, with an initial targeting of the Kubernetes environment. This framework provides load balancing, traffic encryption, service-to-service authentication and strong identity assertions, telemetry, and reporting.
  • taviso/loadlibrary: Tool for porting Windows DLLs to Linux, with the initial use case being to make fuzzing Windows Defender easier.
  • macmade/KeychainCracker: Tool to brute force password attempts against the macOS keychain.
  • Comae Stardust: Beta product to collect and analyze the memory of Windows systems from Windows XP to Windows 10.

Conference materials and publications

Other reads

  • Bug bounty: A HackerOne employee’s GitHub personal access token exposed in Travis CI build logs: This bug bounty shows the dangers of publicly exposing log files, in this case the Travis CI logs for the project rubysec.github.io, which included a token that granted access to GitHub repos as that owner. Travis CI has also taken steps to avoid leaking tokens like this in logs (link).
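The Travis CI leak above is the kind of thing a log-publishing pipeline can catch before the log goes public. The following is an added example, not code from Downclimb, Travis CI or HackerOne: a small scanner that runs fixed-format rules (GitHub tokens, AWS access key IDs) and an entropy-gated generic rule over build-log lines, then masks what it finds. The log lines and token values are constructed (the AWS key is the placeholder from AWS documentation); the token formats are public, and the 3.5 bits/character threshold is an assumption you would tune per log source.

```python
"""Scan CI build-log text for leaked credentials and redact them.

Added example (not from the Downclimb post or from Travis CI / HackerOne);
token formats are public, sample log lines and secret values are constructed.
"""
import math
import re
from typing import List, NamedTuple

# Constructed CI log excerpt. No value here is a real credential: the AWS key
# is the placeholder from AWS documentation, the GitHub tokens are made up.
SAMPLE_LOG = """\
$ git clone https://github.com/example/example.github.io.git
$ export GITHUB_TOKEN=0123456789abcdef0123456789abcdef01234567
$ bundle install --jobs=3 --retry=3
Fetching gem metadata from https://rubygems.org/
$ curl -H "Authorization: token ghp_ExampleConstructedTokenValue000000000000" https://api.github.com/user
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DEPLOY_SECRET=Q2pHs9vLx3mRt7yBn4kWz8
DB_PASSWORD=xxxxxxxxxxxxxxxxxxxxxxxx
Build finished in 42s
"""

# Rules with a fixed, recognisable format; group 1 is the secret itself.
SPECIFIC_RULES = [
    # Classic 40-hex GitHub personal access token (the 2017-era format) assigned to a *token* variable.
    ("github_token_classic",
     re.compile(r"(?i)(?:github|gh)[_-]?token\s*[=:]\s*['\"]?([0-9a-f]{40})\b")),
    # GitHub's prefixed tokens (ghp_, gho_, ghu_, ghs_, ghr_): 36+ alphanumerics after the prefix.
    ("github_token_prefixed",
     re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b")),
    # AWS access key ID: "AKIA" followed by 16 upper-case alphanumerics.
    ("aws_access_key_id",
     re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
]

# Fallback: an assignment whose name suggests a credential, with a long value.
GENERIC_RULE = re.compile(
    r"(?i)(?:token|secret|password|api_?key)[a-z0-9_]*\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed cut-off); hex maxes out at 4.0, base64 at 6.0


class Finding(NamedTuple):
    line_no: int
    rule: str
    redacted_line: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(line: str, secret: str) -> str:
    """Keep the first four characters (enough to identify the token type) and mask the rest."""
    return line.replace(secret, secret[:4] + "*" * 8)


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per line that carries a detected secret, with the secret masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rule in SPECIFIC_RULES:
            m = rule.search(line)
            if m:
                findings.append(Finding(line_no, name, redact(line, m.group(1))))
                break
        else:
            # No fixed-format hit: fall back to the generic rule, gated on entropy so that
            # obvious placeholders such as "xxxxxxxx" are not reported.
            m = GENERIC_RULE.search(line)
            if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "generic_high_entropy", redact(line, m.group(1))))
    return findings


def redact_log(text: str) -> str:
    """Return the whole log with every detected secret masked, suitable for publishing."""
    by_line = {f.line_no: f.redacted_line for f in scan_log(text)}
    return "\n".join(by_line.get(i, line) for i, line in enumerate(text.splitlines(), start=1))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.redacted_line}")
```

Run against the constructed log, this flags the classic token, the prefixed token, the AWS key ID and the high-entropy DEPLOY_SECRET, and leaves the all-x DB_PASSWORD placeholder alone. The entropy gate is a deliberate trade-off: it keeps the generic rule quiet on dummy values, at the cost of missing weak real passwords, so the fixed-format rules should be kept current and the masked log reviewed before it is published.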
  • That Is Not My Child Process: Didier Stevens points out how on Windows you can manipulate a child process so that it looks as if its parent was a different process, which tricks many tools, including Sysmon and Volatility. This matters because a number of detections are based on which processes are supposed to be allowed to start other processes.