Weekly infosec news summary for 2017.07.23 – 2017.07.30
"Just to spell things out for everyone: PowerShell is getting too noisy and there are other languages with next to zero logging ability..." Matt Graeber
"Shout out to all the InfoSec pros not in Vegas, heads down, & defending us all this week. Your work is important." Adam Ely
"We have perfected the art of finding problems over and over again without addressing the root cause. [...] We have a real tendency to focus on the complexity of a flaw instead of focusing on the real human harm. [...] The truth is that adversaries will do the simplest thing that they need to do to affect the cause that they want. And in both security academia and in the security research community, we're still really focused on the really sexy difficult problems." Alex Stamos
The annual Las Vegas conference extravaganza happened this past week. Many Black Hat slides have been released on their site (link) and Defcon slides (link). For BSidesLV the presenters independently published their work, but I'll wait until the conference aggregates them all.
The video of the Black Hat keynote from Alex Stamos of Facebook has been published (link). Facebook is offering $1M for defense research as part of its Internet Defense Prize. Over the past 3 years it has paid out $250K under that prize, essentially to what it judged the best USENIX paper. His keynote highlights the need to address more generic abuse problems, including things like spam.
- Blackstone to buy 40% of NSO Group for $400M at a valuation of $1B: The large private equity firm Blackstone is buying a 40% stake in NSO Group, an exploit vendor. NSO Group is best known for its iPhone exploit and malware, Pegasus, and for its frequent appearances in Citizen Lab reports about its services being used against groups protesting in some form against governments. For example, NSO Group was featured recently for its services being used by the Mexican government against scientists and public health campaigners working on a soda tax. Some defenders already treat NSO Group as one of the threats they must plan for. The $1B valuation and $400M investment seem strikingly high for this type of business and should concern defenders. Also this week, Google announced that it has taken steps to block a new Android spyware family called Lipizzan (link), which had ties to Chrysaor, which in turn had been associated with NSO Group. This new malware is associated with a different Israeli company that employs many of the people NSO Group did, possibly indicating a split in the business, or perhaps simply shell operations to help shield against legal issues.
- github/SoftU2F: GitHub released a software-token version of U2F for macOS to increase adoption of the standard without people needing to buy YubiKeys.
- airbnb/binaryalert: Airbnb released a serverless framework for scanning binary files with YARA on AWS.
- duo-labs/isthislegit and duo-labs/phinn: Duo released Phinn to generate an offline Chrome extension that detects phishing pages, and IsThisLegit to collect, analyze, and respond to the phishing emails users report. The Chrome extension looks at the rendered web page to detect phishing pages before you enter your password (using "a bespoke convolutional neural network"), whereas Google's own Password Alert extension, which also tries to detect phishing, primarily does so by monitoring your key presses on a page and alerts you after you have already typed your password on a non-Google page. Phinn also works for sites beyond Google logins.
Conference materials and publications
- Using BGP to Acquire Bogus TLS Certificates: This paper describes how BGP attacks can be used to intercept DNS requests and thus allow an attacker to acquire TLS certificates for domains it does not own.
- Black Hat slides: Conference this past week in Las Vegas.
- Defcon slides: Conference this past week in Las Vegas.
- MacAdmins videos: Conference in Pennsylvania earlier this month focused on managing Apple devices, but many of the presentations are relevant to security.
- How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!: Orange Tsai put together an awesome chain of vulns to get RCE on GitHub Enterprise. The chain involved finding vulns in different services and libraries to get all the pieces needed, and it shows how each of these vulns can lead to bigger problems. Orange based his Black Hat presentation, which was about URL parsing issues, on this work. The slides are here.
- IoT acting as network bridges: A coffee filter was plugged into both an "air-gapped" network and the Internet, resulting in the petrochemical plant being hit with ransomware (link). In another story, hackers compromised a fish tank at a casino and used that as a foothold into the internal network (link). For isolated networks, you should watch both for new devices getting onto the network and for "isolated" devices being exposed to the public Internet. For the first problem, you can use technologies such as 802.1X to restrict what can get on that network. It is also good to avoid using something like Ethernet and Wi-Fi on the isolated network, so people can't easily connect devices. For the problem of watching for isolated devices getting exposed to the Internet, you can have those devices regularly attempt to phone home to an Internet-accessible server. That server should never receive any callbacks, because the clients are all on an isolated network, so if it does, then either there is a bridge out to the Internet somewhere on the isolated network, or an isolated system was moved to an Internet connection.
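The phone-home canary described above, as an added example (not code from the original post or from either linked story). It assumes every host on the isolated network runs a small beacon that requests a per-host path on a canary server, and that the canary server writes a standard combined-format access log. The server name canary.example.com, the /isolated-beacon/ path, the hostnames and the log lines are all constructed placeholders.

```python
"""Canary phone-home detection for an isolated network (added example).

Assumed design (not from the original post): every host on the isolated
network runs a tiny beacon that requests
https://canary.example.com/isolated-beacon/<hostname> once an hour.
The canary server lives only on the Internet, so a properly isolated
network can never reach it: any request that lands in its access log is
a finding, either a bridge on the isolated network or a host that was
moved onto an Internet connection.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

BEACON_PATH_RE = re.compile(r"^/isolated-beacon/(?P<host>[A-Za-z0-9._-]+)/?$")

# Combined access log format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class BridgeAlert:
    """One beacon that reached the canary server, i.e. one isolation failure."""
    isolated_host: str   # hostname the beacon embedded in its request path
    source_ip: str       # public address the request arrived from (the bridge)
    seen_at: datetime


def beacon_url(hostname: str, base: str = "https://canary.example.com") -> str:
    """URL the client-side beacon requests. Rejecting hostnames the server-side
    regex would not accept makes a mistyped name fail at deploy time, not silently."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", hostname):
        raise ValueError(f"hostname not safe for the beacon path: {hostname!r}")
    return f"{base}/isolated-beacon/{hostname}"


def parse_alert(line: str) -> Optional[BridgeAlert]:
    """Return a BridgeAlert for a beacon hit, None for any other log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = BEACON_PATH_RE.match(m.group("path"))
    if not p:
        return None
    seen_at = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return BridgeAlert(p.group("host"), m.group("ip"), seen_at)


def find_bridges(lines: Iterable[str]) -> List[BridgeAlert]:
    """Every beacon hit in the log: on a healthy isolated network this is empty."""
    return [a for a in (parse_alert(ln) for ln in lines) if a is not None]


# Constructed sample log: two beacons got out, plus ordinary traffic and junk.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jul/2017:03:00:02 +0000] "GET /isolated-beacon/plc-hmi-01 HTTP/1.1" 200 2 "-" "beacon/1.0"
198.51.100.23 - - [25/Jul/2017:03:00:09 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jul/2017:04:00:01 +0000] "GET /isolated-beacon/historian-02 HTTP/1.1" 200 2 "-" "beacon/1.0"
this line is not an access log entry at all
"""

if __name__ == "__main__":
    for alert in find_bridges(SAMPLE_LOG.splitlines()):
        print(f"ISOLATION BREACH: {alert.isolated_host} reached the canary "
              f"from {alert.source_ip} at {alert.seen_at.isoformat()}")
```

The source IP in each alert is the address the isolated host was NATed or bridged through, which is usually the quickest pointer to the offending device; the embedded hostname tells you which isolated system to pull off the wire. Because the expected hit count is zero, a single alert is worth paging on, with no need for thresholds.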
- YARA sigs for security best practices: In the last Downclimb, in response to a vuln in some games that lacked ASLR, I mentioned you should hunt for applications that lack basic exploit mitigations. In this post, I show how to do that using YARA.
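An added example of the same hunt done directly on the PE header, not the YARA rules from the linked post. It reads the DllCharacteristics field of the optional header, which is the field a YARA rule reaches through the pe module (pe.dll_characteristics tested against pe.DYNAMIC_BASE and pe.NX_COMPAT), and reports images that were built without ASLR or DEP. The sample PE headers are constructed in memory so the check runs offline; the flag constants come from the PE/COFF specification.

```python
"""Flag PE binaries that were built without ASLR or DEP (added example).

Reads DllCharacteristics straight from the PE optional header, which is
the same field a YARA rule checks via pe.dll_characteristics. The sample
headers built by build_sample_pe() are constructed for testing only.
"""
import struct
import sys
from typing import List

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # image may be relocated at load time: ASLR
NX_COMPAT = 0x0100        # image is compatible with DEP (no-execute pages)
HIGH_ENTROPY_VA = 0x0020  # 64-bit only: image can use high-entropy ASLR
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def optional_header_offset(data: bytes) -> int:
    """Locate the optional header via e_lfanew; reject anything that is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # PE signature (4 bytes) + COFF file header (20 bytes) precede the optional header.
    return e_lfanew + 24


def missing_mitigations(data: bytes) -> List[str]:
    """Names of the build-time mitigations this image does not opt into."""
    opt = optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    missing = []
    if not dll_chars & DYNAMIC_BASE:
        missing.append("ASLR")
    if not dll_chars & NX_COMPAT:
        missing.append("DEP")
    if magic == PE32PLUS_MAGIC and not dll_chars & HIGH_ENTROPY_VA:
        missing.append("HighEntropyVA")
    return missing


def build_sample_pe(dll_characteristics: int, magic: int = PE32PLUS_MAGIC) -> bytes:
    """Constructed, minimal PE header (no sections) used to exercise the check."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (IMAGE_FILE_EXECUTABLE_IMAGE)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112, 0x0002)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_mitigations.py file1.exe file2.dll ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            header = f.read(4096)  # the optional header is always within the first few KB
        try:
            gaps = missing_mitigations(header)
        except ValueError as err:
            print(f"{path}: skipped ({err})")
            continue
        print(f"{path}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

A flag set in the header is necessary but not sufficient: an image with DYNAMIC_BASE set but its relocation table stripped still cannot be relocated, so a fuller hunt also checks that IMAGE_FILE_RELOCS_STRIPPED is clear and that a .reloc section exists.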
- Flash being killed off in 2020: Adobe announced that it will stop distributing and updating Flash at the end of 2020. According to Google, only 17% of users today visit sites with Flash on them, whereas 3 years ago 80% did (link), so Flash has been on the decline for a while now even without this announcement.
- Starting the Avalanche: Netflix has released a couple of proof-of-concept tools to help with testing and identifying possible denial-of-service issues in microservices. Currently less than 1% of all DoS attacks are at the application layer, but we should expect to see more of this, as such attacks can be disturbingly more effective for attackers, especially when they result in cascading failures. This whole post is a good read that explains the dangers and best-practice mitigations.
- My $169 development Chromebook: Shows how to set up a Chromebook securely to do development work without booting into developer mode or installing Ubuntu on it, either of which destroys many of the security benefits of using a Chromebook.
- Russia to ban proxies, private VPNs, and other anonymous communications: Having now passed the Russian Parliament, all that is left is for this bill to be signed by the Russian President before it takes effect in January, with Internet providers then needing to block any sites that provide these services.