Weekly infosec news summary for 2017.09.03 – 2017.09.10
"Logs are like ice cream, if you keep them out, they are going to melt and will be of no use, consume them at your earliest and enjoy." Nag Medida
"If you have an EDR or Sysmon deployed, probably the best thing you can do with it is identify attack surface you don't use and kill it. If you're spending all of your time authoring and deploying detections for stuff 1% of your users actually need, time to rethink the approach" Dave dwizzzle Weston
"Reminder that it’s 2017 and there’s still no reliable built-in way to encrypt a file to send to a peer on any mainstream OS. [...] Encrypting a file is an unbelievably simple cryptographic problem; literally the “hello world” of the problem space. And nothing does it. You will have a TLS handshake with not one but two different post-quantum key exchanges before you have simple file encryption." Thomas H. Ptáček
"When you look into compilers long enough, the compilers also look into you and point out your inefficiencies." flacs
"the kernel has 5 separate ASN.1 parsers" Edge Security
"Hack Like Nobody's Watching (because it is highly likely that nobody is watching)" ryan huber
"'Just encrypt it' is the favorite go-to suggestion of the semi-informed. Services that have to provide plaintext data need other protections. Encryption can be a very strong mechanism for internal access control and to reduce certain attack surfaces. But we gotta be realistic about the irreducible risks posed by services that must magically decrypt to work." Alex Stamos
"Equifax is an example of how cybersecurity operates as a market failure. Little pressure for day-to-day prevention before the breach. Sounds odd perhaps, but ongoing systematic cybersecurity is expensive. Cost of infrequent brand-hit + crisis firm often cheaper than defence. Especially when defence costs dollars now, breach costs unknown dollars later. And defence reduces but doesn't eliminate threat of breaches. Need to push up the cost of breaches to the point where folks insure against them. Then the insurance premiums will rapidly start depending on your security posture. And then cybersecurity team looks less like a net cost." @pwnallthethings
One of the "big-three" U.S. credit bureaus, Equifax, announced it was breached, which may impact 143M Americans (link). There are a lot of bad aspects to what happened, in addition to credit histories being stolen. Here are some:
- As part of the breach notification (link) the company created the site www.equifaxsecurity2017.com "to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection." You have to pay to sign up for that. The domain looks like a phishing site and was so new that many security products did not trust it. In order to see if you were impacted you had to wave some legal rights, such as filing a class-action law-suit. That aspect was quickly jumped on by district attorneys to fight against.
- The breach was discovered on July 29, but not reported publicly until September 7 (40 days). Upon disclosure, the stock dropped 13.5% in after-hours trading. Within a few days of the breach discovery, and before it was public, a handful of execs, including the CFO, sold shares of stock outside of 10b5-1 scheduled trading plans (link). For those not versed in such things, for an executive to sell stock in the company they work at without it looking like insider trading, they normally announce and schedule their activities 90 days in advance of the sale so they can't take advantage of sudden decisions or news. It is possible to legally make trades outside of these schedules, but should involve approvals from other execs, so we should expect these trades to be investigated to see who knew of the breach before making them.
- Two days prior to the breach announcement, an employee at FireEye (which was the incident response company brought in to investigate this), purchased the domain equihax[.]com. It is hard to imagine a good reason for that domain purchase, so FireEye is going to need to firm up their NDA contracts and employee training.
As a consumer, there isn't anything you should do for this situation to protect yourself individually, as most of this information likely already was available in some form to people. You should regularly review your credit report as needed (as in whenever you want to have good credit to buy a house for example) which you can get for free quarterly or get one for free more often from banks. See this write-up from Patrick McKenzie which explains this more thoroughly and what to do if you find something on that credit report that is fraudulent. If you want (although this isn't really needed), you could put a freeze on your credit file as Krebs explains here.
For companies, this breach highlights the problems with identifying people, as it is assumed yet more PII about people has been stolen. You should not rely on things like social security numbers to identify people or to correlate them with other databases. They are not a shared secret. Avoid using them for anything. Consider all of your identifiers and your assumptions about them. Many people, as much as it may surprise you, share computers, smart phones, credit cards, phone numbers, email accounts, and various other online accounts with family members, coworkers, and more. Things you think might be secret for them (such as all of them aforementioned items) may not be, and worse they can end up being compromised in ways outside of the users control, such as this Equifax breach highlights for one such set of "secrets".
Additionally, assume someone knows who all of the employees at your company are with financial issues who can most easily be blackmailed. Some background checks involve credit history checks for this reason.
Conference materials and publications
- Sophisticuffs: The Rumble over adversary sophistication: Presentation by Paul Jaramillo on measuring attacker sophistication through his ACTOR method.
- salesforce/ja3: A team at Salesforce has released a tool for fingerprinting the SSL/TLS client application as detected via a network sensor or device, such as Bro or Suricata, and is able to use that to detect applications such as Chrome running on OSX, the Dyre malware family running on Windows, or Metasploit's Meterpreter running on Linux.
- Struts vuln: Apache Struts had some vulns found in it this week, which are undergoing active exploitation. Looking at CVE's reported in Struts (link), it has had 20 RCE vulns in it since 2012, so this framework is no stranger to being exploited. The latest RCE vuln was in the deserialization library, which is where many vulns are always found in projects. Deserialization vulns are so much a problem that PHP simply decided to stop caring about these vulns (link). An exploit for this has been added to Metasploit (link). This latest flaw has existed in Struts for 9 years. It may have been used in the Equifax breach, as reported by the Apache Foundation (link). However, it is my assumption that this is simply Equifax trying to capitalize on the recent news of that vuln to avoid looking negligent, as many people have pointed out various security concerns with the large number of subdomains that Equifax controls.
- Beginners guide to securing AWS S3: An excellent guide by Nag Medida that includes both beginner and more advanced techniques at securing S3 buckets.
- Understanding the Security Questionnaire: Ryan McGeehan describes how companies should respond to security questionairies from their potential customers. Consideration also needs to be made from the other side, that is, if you're sending questionaires to potential vendors, consider what you are trying to learn and how you make any decisions based on the responses you receive.
- Mastercard Internet Gateway Service: Hashing Design Flaw: Unfixed issues exist in Mastercard payment protocols.
- CFire: In this post from Rhino Security they aggregate a number of known techniques for discovering the IP addresses of services being protected by CloudFlare. Attackers would want to know this IP address because this allows them to circumvent the WAF and DDoS protection that CloudFlare provides.
- Uber Bug Bounty: Gaining Access To An Internal Chat System: A bug bounty researcher was able to abuse vulns in the SAML implementation protecting the internal chat of Uber, allowing him to login and view the chats happening.
- Travel Safe: Mikhail Sosonkin of SynAck investigates a travel router and finds its security lacking. Personal routers are well-known to have bad security, but I liked this write-up for how well it explains the investigation process.
- Cryptographic vulnerabilities in IOTA: The 8th largest cryptocurrency with a $1.9B market cap was found to have been vulnerable to hash collisions. This write-up on the currency and issue found exposes the circus that so much of the crypto-currency world has become, showing one bad decision after another by the designers of this currency purely for the novelty of it, it seems, such as using a base-3 numbering system.
- New Security Measures in iOS 11 and Their Forensic Implications: Elcomsoft is a top forensics company, and they've written up an article for the new iOS 11, with the summary being it is more secure and will make things much more difficult for forensic investigators than it already was. One new thing to know is that pressing the Power button 5 times in rapid succession will allow you to make an emergency call, but what is important about this is it also disables the Touch ID until you enter your passcode, which may help people avoid some of the legal confusion happening recently around police being able to force people to unlock their phones with their fingerprint.
- An Update On Information Operations On Facebook: Facebook disclosed that they had found $100K in ad spending on 3,000 ads related to the 2016 US election and Russian interference in the electoral process. This highlights the need to not only consider spammers on the service you run, but also more sophisticated and better financed groups that may be abusing your services for other reasons.
- Exposing the inner-workings of the ransomware economy: This paper estimates that ransomware makes $25M/yr globally. They are only calculating based on bitcoin transactions that can be tracked, and only from malware samples they have access to with bitcoin addresses, so this number is less than the total amount made, but still must account for a large percentage. That number is very small when considered against the amount of damage it has caused and the amount of money spent on defending against it. For example, one source online believes that $8B was spent on ransomware protection in 2016 (link), meaning ransomware made 0.3% of the total money that has been spent on defending against it. I'm curious though on what the ratio is in other protection businesses for the money spent on defense vs how much the attackers make. One data point I found is Somali pirates made $160M in ransoms in 2011, while ~$6.9B was spent on protection, so attackers made 2.3% of what was spent on protecting against it (link).
- Lenovo Superfish fine: The computer maker Lenovo was in the news in early 2015 for adding a root CA to its computers for the purpose of MiTM'ing SSL traffic and injecting ads (link). This was especially concerning because the same root CA, along with the private key, was installed on all computers, allowing for anyone to MiTM the traffic. Some states sued, as Lenovo has to pay a $3.5M fine for this.
- Dual Canadian/Chinese Citizen Arrested for Attempting to Steal Trade Secrets and Computer Information: A man was found by the CEO of a company sitting in the conference room of the company's secured space with three open laptops. When confronted the man told a couple of lies, including that he was there to see the CEO, not realizing that he was talking to the CEO. He has been charged with attempted theft of trade secrets. This incident highlights the importance of physical security.
If you find Downclimb useful, please retweet or share internally on your Slacks and with your teams.