Weekly infosec news summary for 2017.09.24 – 2017.10.01
"EICAR is my Lorem ipsum." @ra6bit
"In a sense, the entire bug bounty market is a breeding ground for a species that can collect extremely low impact web vulnerabilities into a life sustaining nutrient cycle, like the crabs on volcanic plumes in the depths of the Pacific. Likewise, learning everything about RMI is enough to be everywhere, or .Net serialization, or CCleaner. In cyber, where there's a way there's a will." Dave Aitel
"protip: if you outsource dev to someone and they have a github account, check it for publicly available creds #equifaxbreach" andre protas
"In this cyber threat actor map we don't see any US or European actors. [...] If you want to be serious about "threat intel", please be neutral and don't hide anything from your customers." @x0rz on CrowdStrike
"That’s pretty amazing discipline from the attackers. They discard 5 9's of infections to focus on a tiny subset. No chance that’s criminals" the grugq on the CCleaner hackers
"Bugs are not the main issue in most breaches, operational issues and technical debt are." Jessica Payne
"The belief attackers need to subvert security systems in order to achieve their goals is a false belief in the orderliness of human systems" @SwiftOnSecurity
One of the talks from USENIX last week was about an attack called CLKSCREW, which is similar in some respects to rowhammer in its unexpectedness and difficulty in fixing. The attack abuses energy management (the processor's voltage and frequency scaling) to perform fault injection. The researchers were able to use this technique to recover the AES key used in ARM's TrustZone (similar to Intel's SGX). An overview of the attack is here, and the video and paper can be found here.
- Time Travel Debugging is now available in WinDbg Preview: The Windows debugging tool, windbg, now supports Time Travel Debugging, allowing you to go backwards in time while debugging.
Conference materials and publications
- Your attacker thinks like my attacker: A common threat model to create better defense: Talk from MSIgnite conference by Elia Florio and Jessica Payne.
- The Apple of Your EFI: Mac Firmware Security Research: Rich Smith and Pepijn Bruienne of Duo show that of 73K Macs they analyzed, 4.2% had the wrong firmware version. This means the updates being applied to them are, in some cases, not working, and leaving them vulnerable to attacks such as Thunderstrike. Despite this being focused on Macs, this issue likely applies to Windows as well.
- Deloitte breach: The internal email systems of one of the big four consulting firms were breached. Little information has been released.
- How I got $13337 bounty From Google: Funny write-up where the bug bounty hunter accidentally entered an empty password and gained internal access to a Google system.
If you find Downclimb useful, please retweet or share internally on your Slacks and with your teams!