Weekly infosec news summary for 2017.08.06 – 2017.08.13
"There's no such thing as war in space; there's just war. There's no such thing as war in cyber; there's just war." General John Hyten, head of United States Strategic Command
"Some days, it's more exhausting defending the network from employees than it is from massive malware campaigns..." Daniel Gallagher
"Release engineering and developer tooling are systematically under-invested in at nearly every 50-500 person company I know. This is annoyingly obscured by the fact that every 50-500 co spends too much time writing bespoke release/devtools code, because that's what gets them [...] promoted, and it's fun. not open source, not integrating 3rd party devtools services." Charity Majors
Joern at Recurity discovered that git repos could include a setting of the form
ssh://-oProxyCommand=some-command which would execute arbitrary commands when someone recursively clones a repo (link). This issue also affects subversion and mercurial, and because these tools are used by many other tools, many other things are impacted (ex. terraform).
For Mac users, you should expect to remain vulnerable for a while as Apple needs to fix this, as it needs to be fixed by the OS (replacing your own git/ssh will remove functionality such as integration with the keychain). Historically, Apple has not been timely with patching publicly known vulns that impact developers on macOS, such as the SSH Roaming vuln (CVE-2016-0777), in early 2016, which took Apple 2 months to fix after exploits had been publicly released.
Vodaphone breached to wire tap power company traffic
The telecommunications company Vodaphone was breached and the firmware of its routers changed so that the unencrypted traffic sent by Eirgrid (the state-owned company in Ireland that everyone there uses) could be MiTM'd (link). This story highlights the need to encrypt your traffic, no matter where it is, such that you take into account the possibility of your traffic being monitored and manipulated.
- $10k host header: Some of Google's internal sites, that are supposed to be protected by UberProxy (part of their Beyond Corp strategy to avoid having to VPN in to access internal resources) was trivially bypassed by changing the host header on the request. From my perspective, this report indicates deeper, underlying issues with how Google has chosen to implement some of their infrastructure security and how they are enforcing compliance across their various resources being protected by UberProxy. The makers of Burp recently released a good whitepaper around this concept titled "Cracking the Lens: Targeting HTTP's Hidden Attack Surface".
- Debian disables TLS 1.0 and 1.1: Debian has taken the commendable step of only allowing TLS 1.2 for OpenSSL, helping to deprecate the older crypto protocols.
- Defensive options when using AWS IAM roles: This week NCC Group showed the dangers of SSRF in AWS, where access to 169.254.169.254 lead to problems (link). Although the author mentions some mitigation options and how this problem could have been avoided, there are additional options that can be considered, so I documented them.
- Moving Beyond EMET II – Windows Defender Exploit Guard: Microsoft explains how the features of EMET are now built into Windows.
- Carbon Black drama: Some drama this week as a new cybersecurity startup attempted to punch up against an incumbent by pointing out that Carbon Black has the ability to share files with Virus Total, which would result in their exfil. Carbon Black does a good job of warning about this feature as shown in these screenshots here. On the one hand, if you only send hashes to Virus Total, Carbon Black won't do an effective job of detecting anything. On the other hand, not only will these files be exfilled, but additionally, the uploaded files may provide access to more content, if they happen to contain any sort of keys or passwords. You should error on the side of only sending hashes. Many security firms collect files (that's why all those antivirus software are free for consumers), so when you purchase and configure such software you want to confirm what (if anything) will be exfilled and what (if anything) will be shared outside of the security company. You should be cautious about even sharing files with your security firms as those are targets for attackers, as we saw back in 2015 when Kaspersky was targeted by Duqu 2.
- APT28 Targets Hospitality Sector, Presents Threat to Travelers: FireEye reports that travelers are being targeted on hotel networks by sniffing passwords from wifi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit. Some people in infosec will give the advice that you should always use a VPN, but because most wifi at hotels has captive portals (or an attacker could force such a thing), you will be forced to be off VPN for long enough to be exploited if your system is not patched against exploits such as EternalBlue, or your mail client tries to sync your email and doesn't force encryption, or a couple of other unfortunate scenarios. If you do use a VPN, you should be using one that you set up yourself (ex. algo), or your company set up for you, as almost all of the publicly available VPN services will cause additional security weaknesses, with the possible exception of F-Secure's FREEDOME.
- Hooking COM Classes: This post shows how to "hook" many functions on Windows by modifying CLSIDs. This is a massive ocean of ASEPs that have largely been unexplored.
- How to confirm a Google user's specific email address: This report, which Google has decided is intended behavior, allows a webpage to identify visitors if they are signed into Google by testing about 40 email addresses per second to confirm a match.
- All your devs are belong to us: how to backdoor the Atom editor: Thinkst is following up on their Black Hat presentation with a series of blog posts to better explain the ideas presented. In this post they show how to create a plugin for the Atom editor for people to download, and how easy it is to update that plugin to be malicious.