Downclimb

2017.07.23

Weekly infosec news summary for 2017.07.16 – 2017.07.23

Quotes

“If your crypto is controlled by the Javascript content on a web page, you’re not end to end. You’re (cough) end-to-pretend.” tqbf

Top stories

Parity wallet hacked, $30M stolen. Vigilantes steal/save $150M

Another cryptocurrency was robbed, but this time due to a vulnerability in the “code” of the currency (link). Parity is based on Ethereum which allows scripting to support contracts, and those scripts had a flaw that was abused. The scripting language used, Solidity, has some horrible language design problems, so more problems like this should be expected (link).

Cryptocurrency hacks and ransomware have been an interesting phenomenon in infosec because they give a very clear picture of the impact of a security issue. Few other compromises reveal the timing of the compromise so immediately or the cost so precisely. For example, when intellectual property is stolen, you often don’t know how long it has been happening, sometimes whether it really happened at all, and then you don’t know the real cost. Further, with cryptocurrencies specifically, the hacks are often more sophisticated than the simple phishing attacks that breach most companies. The simplicity of the variables involved, along with the more advanced techniques, makes them interesting case studies. Ryan McGeehan has collected information on these incidents in his Blockchain Graveyard.

One interesting event in this Parity wallet hack is vigilante white-hats figured out what was happening and “stole” the remaining $150M from the at-risk wallets before the thief could, so they could keep the money safe for their original owners (link).

In another cryptocurrency hack, Coindash was hacked on opening day, resulting in $7.4M stolen (link). Coindash announced its initial offering, and 4 minutes later it announced it had been hacked; $7.4M had already been transferred in and stolen within that period. The hack was simply to change the wallet address on the homepage to one under the attacker’s control, so when people made their initial deposits, the money went to the attacker instead of Coindash. A lot of people assume that once they launch their start-up they have some time to get things secure later: first make sure the start-up is viable, then get some VC money, and then at some later point hopefully secure it. Depending on the risks involved that might be an acceptable strategy, but bitcoin exchanges need to ensure everything is secure from the start.

RCE in Source games

Valve’s Source SDK, which is used by games including “Counter Strike” and “Team Fortress”, contained a buffer overflow vuln which allowed RCE on clients and servers (link). The vuln was exploited by killing a player, which caused a specially crafted model to be loaded. The DLL used in these games does not have ASLR, allowing for easier exploitation.

One of the easiest YARA signatures to write is one that looks for DEP missing from .exe files and ASLR missing from EXEs and DLLs. You should hunt for these as you would for malware, and remove them from your networks or work with the vendors to improve the security of their software. You should also have policies and controls that deny games from being played on your enterprise’s resources. For a drag-and-drop solution to check all the files in a folder for DEP and ASLR, you can use my tool Serene.
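The check described above comes down to two bits in the PE optional header: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040, ASLR) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100, DEP), plus the IMAGE_FILE_DLL bit in the COFF header to tell EXEs from DLLs. The following is an added example written for this summary; it is not code from Serene or from any YARA ruleset the text refers to. It parses those fields directly, applies the hunt criteria from the paragraph, shows the equivalent YARA rule (the 0x5E offset is e_lfanew + 4-byte signature + 20-byte COFF header + 0x46, which is the same for PE32 and PE32+), and builds a constructed minimal PE header so the parser can be exercised without a real binary. The `scan_folder` helper is an assumption about how one would apply it to a directory.

```python
import os
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE optional header (winnt.h values).
DYNAMIC_BASE = 0x0040      # ASLR opt-in
NX_COMPAT = 0x0100         # DEP opt-in
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
IMAGE_FILE_DLL = 0x2000    # COFF Characteristics bit marking a DLL

# Offsets used below, counted from the "PE\0\0" signature:
#   +4   start of the 20-byte COFF file header
#   +22  COFF Characteristics (IMAGE_FILE_DLL lives here)
#   +24  start of the optional header
#   +24+0x46 = +0x5E  DllCharacteristics, same offset for PE32 and PE32+
DLLCHARACTERISTICS_FROM_SIG = 4 + 20 + 0x46


def pe_mitigations(data: bytes) -> dict:
    """Parse just enough of a PE image to read its exploit-mitigation flags."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, e_lfanew + DLLCHARACTERISTICS_FROM_SIG)[0]
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
    }


def missing_mitigations(data: bytes) -> list:
    """The hunt criteria from the text: ASLR missing on EXEs and DLLs, DEP missing on EXEs
    (DEP is a process-wide policy decided by the EXE, so a DLL's flag is not what matters)."""
    m = pe_mitigations(data)
    issues = []
    if not m["aslr"]:
        issues.append("ASLR")
    if not m["is_dll"] and not m["dep"]:
        issues.append("DEP")
    return issues


def scan_folder(path: str) -> dict:
    """Walk a folder and report every PE that fails the criteria (non-PE files are skipped)."""
    report = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    issues = missing_mitigations(fh.read(4096))
            except (ValueError, OSError, struct.error):
                continue
            if issues:
                report[full] = issues
    return report


# Equivalent YARA logic: uint32(0x3C) is e_lfanew, +0x5E reaches DllCharacteristics.
YARA_MISSING_ASLR = """
rule pe_missing_aslr
{
    condition:
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        (uint16(uint32(0x3C) + 0x5E) & 0x0040) == 0
}
"""


def build_fake_pe(dll_characteristics: int, is_dll: bool = False) -> bytes:
    """Constructed minimal PE header (not a real binary) for exercising the parser offline."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)                            # PE32 optional header size
    struct.pack_into("<H", opt, 0x00, 0x10B)         # PE32 magic
    struct.pack_into("<H", opt, 0x46, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(missing_mitigations(build_fake_pe(0)))                          # ['ASLR', 'DEP']
    print(missing_mitigations(build_fake_pe(DYNAMIC_BASE | NX_COMPAT)))   # []
```

Reading only the first 4 KB is enough because the headers sit at the start of the file; a binary that sets DYNAMIC_BASE but was linked with a fixed base or lacks relocations can still end up unrelocated at load time, so treat the flag as necessary rather than sufficient.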

Business

  • Rapid7 acquires Komand: Rapid7, known for its Metasploit tool and pentesting, has acquired the security orchestration and automation company Komand.
  • FedEx impacted by NotPetya in their 10-K: FedEx released their annual 10-K SEC filing and identified NotPetya (referred to in the 10-K as Petya) as having impacted their shipments, resulting in “material losses” with no insurance to cover this. This is an important infosec event to keep an eye on because most incidents, such as Target’s credit card breach, don’t impact the core business. An incident that stops FedEx from being able to make shipments affects their core business. FedEx dropped 3.4% on release of this 10-K.
  • Lloyd’s cyber exposure report: Lloyd’s (an insurer) discusses the possible cataclysmic risks it considers with regard to cyber insurance. Whereas property insurers worry about things like major floods or hurricanes, cyber insurers worry about things like vulnerabilities in widely used software, especially the Xen hypervisor, or the loss of a cloud provider. One of the biggest takeaways from this report is that if you considered insurers to not “get” infosec, this report will thoroughly destroy that prejudice, as they correctly make references to things like WannaCry, cDc’s Back Orifice, Xen hypervisor escapes, and more. The paper models a number of scenarios and provides dollar figures for what they estimate the financial losses would be.

Tools

  • RolfRolles/SynesthesiaYS: Tool for automated shellcode generation under encoding restrictions.
  • SSH Observatory: Mozilla’s TLS observatory project now also includes the ability to scan ssh servers for best practices.

Conferences

Other reads

  • Amazon S3 bucket warnings: Amazon has taken the step of sending out emails to its customers that have publicly exposed S3 buckets to warn them about the potential dangers of that. This is a good step for providers to ensure their customers are using their products securely, even when those products are secure by default, especially as AWS has been in the news every week for this issue. As an interesting side effect of this though, Frans Rosen noted “The AWS email about readable S3 buckets has resulted in influx of deleted buckets but not removed DNS-RRs. Subdomain takeovers en masse.”
  • gnome-exe-thumbnailer: CVE-2017-11421: Another exploit has come about due to browsers automatically downloading files which then cause the OS to automatically do something with those files. In this case, GNOME’s thumbnailing code will execute MSI files by calling wine to call cscript code to call vbscript code. That functionality should not exist.
  • Six Security Vulnerabilities from a Year of HackerOne: The company Flexport discusses some of the vulnerabilities that were reported to them in the past year. The first issue resulted in XSS even though they use React, which is supposed to protect against that; the problem was that they were using another library that bypassed React’s protections. They also had two different 2FA bypasses due to the libraries provided by Authy. For companies like Authy, this highlights the need to ensure that the libraries you provide to customers are both secure and easy to use, in such a way that they account for issues that customers might blame on you. One of the issues was because Authy’s library doesn’t do rate-limiting itself, but most people would expect Authy to provide that, and therefore they should by default, even if some users might implement rate-limiting some other way.
  • WebEx vulnerable again: Cisco’s WebEx extension once again had an RCE vuln found by Tavis Ormandy. As I said last time about WebEx, you should not allow your employees to use it. WebEx is the new Flash in terms of vulns.
  • macOS and iOS security updates released.
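For the S3 bucket item above: the two conditions Amazon’s email and Frans Rosen’s note are about are a world-readable bucket ACL and a CNAME that still points at an S3 bucket after the bucket was deleted. The following is an added example for this summary, not AWS’s tooling or anything from the sources linked; it takes an ACL in the shape the S3 GetBucketAcl API returns and a set of DNS CNAME records (both constructed sample data here, with hypothetical example.com hostnames) and flags the public grants and the records whose target bucket is no longer in the set of buckets the account owns. The hostname pattern covers the path-less `bucket.s3.amazonaws.com`, regional, and `s3-website` endpoint forms.

```python
import re

# Group URIs AWS uses for the two "everyone" grantees in a bucket ACL.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Matches the S3 hostnames a CNAME can point at and captures the bucket name:
#   bucket.s3.amazonaws.com
#   bucket.s3-website-us-east-1.amazonaws.com
#   bucket.s3.eu-west-1.amazonaws.com
S3_HOST = re.compile(
    r"(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?"
)


def public_grants(acl: dict) -> list:
    """Return (who, permission) for every ACL grant that is open to the world.
    `acl` has the shape returned by the S3 GetBucketAcl API (Owner + Grants)."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        if grantee.get("URI") == ALL_USERS:
            hits.append(("AllUsers", grant["Permission"]))
        elif grantee.get("URI") == AUTHENTICATED_USERS:
            # "authenticated" means any AWS account in the world, not just yours
            hits.append(("AuthenticatedUsers", grant["Permission"]))
    return hits


def dangling_s3_cnames(cnames: dict, owned_buckets: set) -> dict:
    """Map each hostname whose CNAME targets an S3 bucket you do not own to that bucket name.
    A record left behind after the bucket is deleted is what makes a subdomain takeover possible,
    so these are the records to delete (or buckets to re-create) first."""
    dangling = {}
    for host, target in cnames.items():
        m = S3_HOST.fullmatch(target.lower())
        if m and m.group("bucket") not in owned_buckets:
            dangling[host] = m.group("bucket")
    return dangling


# Constructed sample data (not real accounts, records or buckets).
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_CNAMES = {
    "static.example.com": "static-assets.s3-website-us-east-1.amazonaws.com",
    "old.example.com": "old-marketing-site.s3.amazonaws.com",
    "www.example.com": "lb-123.us-east-1.elb.amazonaws.com",
}
OWNED_BUCKETS = {"static-assets"}

if __name__ == "__main__":
    print(public_grants(SAMPLE_ACL))                          # [('AllUsers', 'READ')]
    print(dangling_s3_cnames(SAMPLE_CNAMES, OWNED_BUCKETS))   # {'old.example.com': 'old-marketing-site'}
```

In practice the ACL would come from `get_bucket_acl` and the CNAMEs from a zone export; bucket policies can also grant public access, so an ACL-only check is a floor, not the whole picture.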
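For the Flexport/Authy item above: the point is that a 2FA library which verifies codes but never counts failures leaves rate-limiting to every integrator, and a six-digit code has only a million values. The following is an added example for this summary, not Authy’s or Flexport’s code, and it assumes TOTP (RFC 6238 over HMAC-SHA1) as the code scheme. It pairs a code verifier with the per-user failure counting and lockout a library should ship with by default; the shared secret is the RFC 4226/6238 test secret, so the expected codes are the published test vectors rather than anything real.

```python
import hashlib
import hmac
import struct

TOTP_STEP = 30          # RFC 6238 time step in seconds
TOTP_DIGITS = 6


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TwoFactorVerifier:
    """Verifies TOTP codes and rate-limits failures per user, the way a 2FA library
    should by default rather than leaving it to each integrator."""

    def __init__(self, secrets: dict, max_attempts: int = 5, lockout_seconds: int = 300):
        self.secrets = secrets              # user -> shared secret bytes
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = {}                  # user -> (count, time of first failure in window)
        self.locked_until = {}              # user -> unix time the lock expires

    def verify(self, user: str, code: str, now: int) -> str:
        """Return "ok", "invalid" or "locked". `now` is passed in to keep this testable."""
        if self.locked_until.get(user, 0) > now:
            return "locked"                 # even a correct code is refused while locked
        secret = self.secrets.get(user)
        if secret is None:
            return "invalid"
        # Accept the current step and one step either side to tolerate clock drift.
        candidates = {totp(secret, now + d * TOTP_STEP) for d in (-1, 0, 1)}
        if any(hmac.compare_digest(code, c) for c in candidates):
            self.failures.pop(user, None)
            return "ok"
        count, since = self.failures.get(user, (0, now))
        if now - since > self.lockout_seconds:
            count, since = 0, now           # failure window expired, start counting again
        count += 1
        self.failures[user] = (count, since)
        if count >= self.max_attempts:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures.pop(user, None)
            return "locked"
        return "invalid"


# Constructed setup: the RFC 4226/6238 test secret, not a real user's key.
SECRET = b"12345678901234567890"
verifier = TwoFactorVerifier({"alice": SECRET})

if __name__ == "__main__":
    t = 59                                          # RFC 6238 test time, counter 1
    print(totp(SECRET, t))                          # 287082
    print(verifier.verify("alice", "287082", t))    # ok
```

The lockout state here is in-process; a real deployment keeps it in shared storage so that retries spread across web nodes are counted together, and the limit should be per account rather than per source address, since the thing being guessed is one user’s code.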