Weekly infosec news summary for 2017.05.28 – 2017.06.04
"Honest Q. The most open, blatant hack-back has been malware.lu's. Has anyone distrusted Luxembourg as a result? If you want to know what will happen when people do X, should you not start with what has happened when people do that exact thing? My timeline is filled with "If people tried hack-back, this would happen!" but you don't have to hypothesize. You can see what did happen. [...] I believe the portrayal of the bill as a free-for-all legalizing damaging attacks is inaccurate & the lawsuit risks will still dissuade most. I also believe many techniques have little to no risk to 3rd parties (e.g. honeytokens with macros) & we should consider allowing them." scriptjunkie on a proposed "hack-back" bill called the Active Cyber Defense Certainty Act
"The nature of WAFs is that they will be bypassed. Don’t waste your time on it. Fix something instead." Ivan Ristic on WAF bypass research
This week OneLogin announced it had been breached (Krebs on Security writeup link). OneLogin is an SSO provider for a number of companies: it lets each employee of a customer log into all of the services that company uses with a single username and password. It seems OneLogin was fully compromised, so the impact is that an attacker could log in as admin (or any user) to any of the services that their customers use. This is really bad. At 2am an actor used the AWS API and "created several instances in our infrastructure to do reconnaissance." This likely means they were putting EC2s into different subnets in order to bypass "firewalls" (network ACLs and Security Group rules). This is like being able to plug your laptop in anywhere you like in a datacenter. At 9am OneLogin was alerted to the activity and disabled access, but not before the actor had gained access to the database.
This breach follows an incident from August of last year at OneLogin in which its Secure Notes facility was breached, allowing an intruder to read those notes in clear text; these notes are often shared admin passwords for places where OneLogin cannot be used (link).
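As an added example (not from this post or from OneLogin), a detection that would surface the kind of activity described above: it runs over constructed CloudTrail-style records and flags RunInstances calls that happen off-hours, launch into a subnet automation never uses, or come from an unexpected source network. The subnet allowlist, source range, hours, and the placement of subnetId in requestParameters are assumptions made for the demo.

```python
import ipaddress
from datetime import datetime

# Constructed CloudTrail-style records (not from the OneLogin incident). Field
# names follow CloudTrail's format; requestParameters.subnetId is an assumption.
SAMPLE_EVENTS = [
    {"eventTime": "2017-05-31T02:07:41Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"subnetId": "subnet-db-private"}},
    {"eventTime": "2017-05-31T14:20:03Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "AssumedRole", "userName": "ci-runner"},
     "requestParameters": {"subnetId": "subnet-app-public"}},
    {"eventTime": "2017-05-31T02:09:12Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
]

# Assumed policy: subnets automation launches into, the networks it launches
# from, and the UTC hours during which a launch is normal.
EXPECTED_SUBNETS = {"subnet-app-public"}
EXPECTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
WORK_HOURS_UTC = range(7, 20)


def launch_findings(events, expected_subnets=EXPECTED_SUBNETS,
                    expected_sources=EXPECTED_SOURCES, work_hours=WORK_HOURS_UTC):
    """Return (userName, reasons) for each RunInstances call that breaks policy."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        reasons = []
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if when.hour not in work_hours:
            reasons.append("off-hours launch")
        subnet = ev.get("requestParameters", {}).get("subnetId")
        if subnet not in expected_subnets:
            reasons.append(f"unexpected subnet {subnet}")
        src = ipaddress.ip_address(ev["sourceIPAddress"])
        if not any(src in net for net in expected_sources):
            reasons.append(f"unexpected source {src}")
        if reasons:
            findings.append((ev["userIdentity"].get("userName"), reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in launch_findings(SAMPLE_EVENTS):
        print(f"ALERT {user}: {', '.join(reasons)}")
```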
- sakurity/securelogin: Egor Homakov, who has found a number of issues with OAuth applications, has created his own passwordless login protocol. Description post here.
- Ganxo: Open-source API hooking framework for x64 Windows from Elias Bachaalany, one of the authors of the excellent book "Practical Reverse Engineering".
Conference materials and publications
- Cloud Post Exploitation Techniques: Video from Infiltrate in April by Andrew Johnson and Sacha Faust.
- Security Fest video: Conference in Gothenburg, Sweden this week.
- Pivoting from blind SSRF to RCE with HashiCorp Consul: This awesome bug bounty write-up shows how the researcher looked at a webapp that would make calls to a server of the attacker's choosing to get data. Using this, he was able to discover that the HashiCorp Consul service was running on the server, and knowing that Ruby and Python HTTP libraries usually handle \r\n poorly, he was able to get RCE. This bounty strings together a number of issues, including the incorrect parsing of the HTTP header, being able to direct the webapp at its own services, and issues with HashiCorp Consul.
He has used this same issue with HashiCorp Consul against a number of other companies as well, which again gives evidence of how poorly companies communicate with each other, and how rarely they think beyond themselves, when confronted with security issues; this is an interesting concern that bug bounties are continuously exposing. One major issue here is that companies react with the minimal effort needed to make the reported problem go away instead of thinking through the problem in depth. The HashiCorp team was not aware of this issue until this blog post, meaning that none of the companies that had been exploited by it had reached out to HashiCorp, and so they may not have been fixing these problems thoroughly.
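An added example, not from the write-up, of the server-side check a defender would put in front of a fetch like this: it rejects CR/LF on the raw string before parsing (so a header cannot be smuggled into the outgoing request) and refuses any URL that resolves to a loopback, private or link-local address, so the webapp cannot be pointed at its own services. `table_resolver` is a constructed offline stand-in for DNS; `resolve` is the real one.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Checked on the raw string: newer urlsplit() versions silently strip \r and
# \n, which would hide an injection attempt if we parsed first.
FORBIDDEN_CHARS = ("\r", "\n", "\x00")

def resolve(host):
    """Default resolver: every address the OS resolves for host."""
    return [ipaddress.ip_address(i[4][0]) for i in socket.getaddrinfo(host, None)]

def table_resolver(table):
    """Constructed offline resolver for the demo: host -> list of address strings."""
    return lambda host: [ipaddress.ip_address(a) for a in table.get(host, [])]

def is_internal(addr):
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def check_fetch_url(url, resolver=resolve):
    """Return (ok, reason); ok is True only if url is safe to fetch server-side."""
    if any(c in url for c in FORBIDDEN_CHARS):
        return False, "control character in URL"
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, ValueError):
        addrs = []
    if not addrs:
        return False, "host does not resolve"
    # Every address must be external: a name with one public and one internal
    # record is rejected, not fetched.
    for addr in addrs:
        if is_internal(addr):
            return False, f"{parts.hostname} resolves to internal address {addr}"
    return True, "ok"
```

The fetch itself should then connect to the address that was checked rather than re-resolving the name, otherwise a DNS answer that changes between check and use defeats the check.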
- Exposed AWS files: A public AWS S3 bucket was found that included files belonging to a defense contractor (Booz Allen Hamilton) for the NGA (National Geospatial-Intelligence Agency) (link). Although it did not appear to include classified information, it did have private SSH keys and files related to government projects. Public AWS EBS snapshots (images of the hard drives of EC2 instances) were also found that contained sensitive files such as private TLS keys (link).
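An added example (not from the articles linked above) of auditing your own account for exactly these two exposures using the boto3 call shapes: snapshots whose createVolumePermission includes the "all" group, and buckets whose ACL grants the AllUsers or AuthenticatedUsers group. FakeAws is a constructed stand-in for the ec2 and s3 clients with one exposure of each kind; the same functions accept real boto3 clients.

```python
# Clients are passed in, so this runs against the constructed FakeAws below
# and against real boto3 clients (boto3.client("ec2"), boto3.client("s3")).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_ACL_GROUPS = {ALL_USERS, AUTH_USERS}

def public_snapshots(ec2):
    """Ids of snapshots owned by this account that any AWS account can copy."""
    exposed = []
    for snap in ec2.describe_snapshots(OwnerIds=["self"])["Snapshots"]:
        attr = ec2.describe_snapshot_attribute(
            SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
        if any(p.get("Group") == "all" for p in attr["CreateVolumePermissions"]):
            exposed.append(snap["SnapshotId"])
    return exposed

def public_buckets(s3):
    """(bucket, permission) pairs whose ACL grants access to a public group."""
    exposed = []
    for bucket in s3.list_buckets()["Buckets"]:
        for grant in s3.get_bucket_acl(Bucket=bucket["Name"])["Grants"]:
            if grant["Grantee"].get("URI") in PUBLIC_ACL_GROUPS:
                exposed.append((bucket["Name"], grant["Permission"]))
    return exposed

class FakeAws:
    """Constructed stand-in for the ec2 and s3 clients with one exposure of each kind."""
    def describe_snapshots(self, OwnerIds):
        return {"Snapshots": [{"SnapshotId": "snap-0a1"}, {"SnapshotId": "snap-0b2"}]}

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        perms = {"snap-0a1": [{"Group": "all"}], "snap-0b2": [{"UserId": "111122223333"}]}
        return {"CreateVolumePermissions": perms[SnapshotId]}

    def list_buckets(self):
        return {"Buckets": [{"Name": "contractor-files"}, {"Name": "internal-logs"}]}

    def get_bucket_acl(self, Bucket):
        grants = {
            "contractor-files": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                  "Permission": "READ"}],
            "internal-logs": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                               "Permission": "FULL_CONTROL"}],
        }
        return {"Grants": grants[Bucket]}

if __name__ == "__main__":
    fake = FakeAws()
    print("public snapshots:", public_snapshots(fake))
    print("public buckets:", public_buckets(fake))
```

Against a real account, describe_snapshots paginates (use the client's paginator) and must be run per region. A bucket can also be public through its bucket policy, which the ACL check does not see, so get_bucket_policy needs a separate review.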
- How to lose $8k worth of bitcoin in 15 minutes with Verizon and Coinbase.com: We're reminded once again here that phone numbers can fairly easily be taken over by adversaries and should not be relied on as a security control.
- G-Suite security additions: Google added two new features to its G-Suite (gmail for enterprises). One is the ability to selectively delay suspicious emails, so that they take a little longer to arrive in employees' inboxes to give Google time to analyze them better (link). The other new feature shows you a warning when you are replying to an email from someone who is not in your contacts or part of your organization (link).
- Maybe Skip SHA-3: Adam Langley makes the case that SHA-3 doesn't seem to really be needed and you should stick with SHA-2. I'm not a cryppie, so I can't speak much to this, but Adam is well-respected and other well-respected cryppies have chimed in with their support of this view.
- Docker for AWS and Azure: NCC Group has provided public reports of their audits of using Docker on the AWS and Azure clouds, with both proving to be secure by default.