Weekly infosec news summary for 2017.10.01 – 2017.10.08
Quotes
“In terms of number of records breached, one thing 2017 taught us is the hacks can’t get much larger. There really aren’t any bigger targets. Another thing we know is cyber-criminals now have a notable ‘big data’ problem.” Jeremiah Grossman
“Only allow 0-9 A-F character set for users’ passwords to disguise their hashing method from attackers (and auditors!) when stored in your user database.” Secure Tips
“Red teamer/pentester pro tip: Develop “auditing” tools. Don’t develop “recon” tools. If a defender could benefit, market it as such.” Matt Graeber
“Want to see exploits in the wild? Search for metasploit hardcoded addresses in forums.” John Lambert
“‘Country-1 has disabled auto-updates on software from Country-2’ is the new ‘Country-1 has recalled their ambassadors from Country-2’” haroon meer
“The thing you could do with this vulnerability is you could write a value anywhere in kernel memory. […] But what you didn’t control was what the value was. […] That value was proportional to temperature of the GPU in the machine. So what these guys on my team figured out is, if you can get this value above ‘n’, then I can use it to corrupt the length of another field. […] So their actual exploit fired up the GPU, sent some shaders until it warmed up enough, and then when it warmed up, we took the value and over-wrote it.” Dave Weston
Top stories
Kaspersky and another NSA leak
Yet another NSA contractor took classified material home to their personal computer (link). The NSA has been doing a poor job of training employees and protecting classified documents. This incident took place in 2015, prior to Hal Martin’s similar incident. The person had Kaspersky software on their home computer, which then collected these classified files. The story portrays Kaspersky as having been used by the Russian government to seek out and collect files from NSA employees (possibly by exploiting the software or by working with the company), which if true would be very bad. However, a different read of the story is that the files were flagged as malware (which potentially they were) and collected, which is what all consumer antivirus products do. For example, you can read about how Windows Defender does this here.
Whether Kaspersky then acted on this to collect more files of interest is the important question; otherwise this could simply be antivirus software doing its job. But even if it was only files flagged as malware, suppose there were a fair number of them, some of them unique and unknown to Kaspersky: should an antivirus company take a more active interest in that system and proactively look for more files of interest?
This incident occurred in 2015 (specific date unknown), and Kaspersky released its report on Equation Group (believed to be associated with the NSA) in February 2015, leading some to wonder if this incident assisted with the creation of that report (link). 2015 is also when Kaspersky found Duqu 2 on their own network (link), which is linked with Stuxnet, which in turn is believed to be associated with US intelligence. So ironically it seems the US is upset that the Russians may have hacked Kaspersky when the US itself had done the same.
Your take-away from this story should be:
- Ensure that your security solutions are not exfilling your files, or at least weigh the pros and cons of letting them. It may result in better identification of malware and better protection, but ideally you’d want your security solution to contact you to request the files of interest rather than pulling them itself, which could result in sensitive documents being exfilled. Carbon Black was similarly in the news recently, where it was found to be capable of uploading customer files to VirusTotal (link).
- Evaluate solutions for protecting and controlling your sensitive documents, or ways of identifying when sensitive files have left your network, such as embedding canaries of some sort in them. This software normally goes by the name eDRM (enterprise DRM) or IRM (information rights management); special-purpose file sharing solutions are called “virtual data rooms”. Realize that someone could always take pictures of their screen with their phone or hand-transcribe documents to bypass these protections. Also, these solutions are all Windows focused; for Mac environments the only worthwhile solution I know of is the IRM built into Microsoft Office. Beware too that these solutions can have a similar impact to ransomware, as their purpose is to encrypt your files, and they can result in various sorts of lock-in, downtime, or data loss if the vendor experiences problems or certain workflows were not considered (e.g. employee off-boarding or working without an Internet connection).
- Train your employees not to put sensitive company files (or any company files) onto their home computers, and not to access their work email from personal computers. Consider personal phones in this policy as well.
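The second take-away above mentions canaries as a way to notice when a sensitive file has left the network. As an added illustration (example code, not from the newsletter or any product it mentions), the block below sketches the defender-side mechanics: each copy of a document gets a unique random token embedded as a remote-image reference, a registry records which copy went to whom, and the canary server’s access log is scanned so that a fetch of that token from outside the trusted address space produces an alert naming the leaked copy. The canary host name, the log format and the sample log lines are constructed for the example.

```python
import ipaddress
import re
import secrets
from dataclasses import dataclass

# Hypothetical canary endpoint; replace with a host you control.
CANARY_BASE_URL = "https://canary.example.invalid/t/"


@dataclass(frozen=True)
class CanaryRecord:
    token: str
    document: str
    recipient: str


class CanaryRegistry:
    """Maps each issued token back to the document copy and the person it went to."""

    def __init__(self):
        self._records = {}

    def issue(self, document, recipient):
        token = secrets.token_hex(16)  # 128 random bits: unguessable, unlike a counter
        self._records[token] = CanaryRecord(token, document, recipient)
        return token

    def lookup(self, token):
        return self._records.get(token)


def canary_url(token):
    return f"{CANARY_BASE_URL}{token}.png"


def stamp_document(body, token):
    """Append a remote-image reference that fetches the canary URL when rendered."""
    return f"{body}\n![](<{canary_url(token)}>)\n"


# Apache combined-format access log of the canary server (constructed format):
# client IP, two dashes, bracketed timestamp, then the request line with the token.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /t/(?P<token>[0-9a-f]{32})\.png'
)


def find_leaks(log_lines, registry, trusted_networks):
    """Return one alert per canary fetch that came from outside the trusted networks."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a canary request at all
        rec = registry.lookup(m["token"])
        if rec is None:
            continue  # well-formed but unknown token: not one we issued
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in trusted):
            continue  # opened from inside the network: expected use
        alerts.append({"time": m["ts"], "source_ip": str(ip),
                       "document": rec.document, "recipient": rec.recipient})
    return alerts


def demo():
    """Constructed scenario: two copies of one deck, one of which is opened externally."""
    reg = CanaryRegistry()
    t_alice = reg.issue("Q3-board-deck.docx", "alice")
    t_bob = reg.issue("Q3-board-deck.docx", "bob")
    lines = [
        f'10.20.1.15 - - [06/Oct/2017:09:02:11 +0000] "GET /t/{t_alice}.png HTTP/1.1" 200 68 "-" "Word/16.0"',
        f'203.0.113.7 - - [06/Oct/2017:23:41:57 +0000] "GET /t/{t_bob}.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
        f'198.51.100.4 - - [07/Oct/2017:01:00:00 +0000] "GET /t/{"0" * 32}.png HTTP/1.1" 404 0 "-" "curl/7.55"',
        '10.20.1.15 - - [07/Oct/2017:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    ]
    return find_leaks(lines, reg, ["10.0.0.0/8"])


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The registry is what turns a bare hit into something actionable: because every copy carries its own token, the alert says not just that the deck leaked but which recipient’s copy did. The obvious limitation is the one the take-away itself notes: a screenshot or a hand transcription carries no token, so this only catches copies that are opened as files.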
Tools
- VulnScan: Tool from Microsoft that uses WinDbg and their recent Time Travel Debugging to identify the root cause of memory corruption issues.
- encrypted git: The Keybase app now includes a “Git” tab for hosted repos that use end-to-end crypto, allowing you to create up to 100GB total of private repos.
- NotRuler: The creators of the tool Ruler, which is used to backdoor systems using Outlook, have created NotRuler to detect Ruler.
Conference materials and publications
- Agile Application Security: Enabling Security in a Continuous Delivery Pipeline: Book released this week.
- Red Teaming Windows: Building a better Windows by hacking it - BRK3079: Video from MSIgnite by Dave Weston.
Other reads
- Last Week in AWS: If you work on AWS, I recommend subscribing to the newsletter “Last Week in AWS” from Corey Quinn.
- Behind the Masq: Yet more DNS, and DHCP, vulnerabilities: From the article: “Dnsmasq provides functionality for serving DNS, DHCP, router advertisements and network boot. This software is commonly installed in systems as varied as desktop Linux distributions (like Ubuntu), home routers, and IoT devices. Dnsmasq is widely used both on the open internet and internally in private networks.” Project Zero discovered 7 vulns, including 3 RCEs. Simon Kelley, the author of dnsmasq, stated “Before Google, two other orgs have done security audits on dnsmasq - both OSS outfits. Neither found the long-existing CVE-2017-14491 vuln.”
- Using Binary Diffing to Discover Windows Kernel Memory Disclosure Bugs: Another Project Zero post shows how security patches in one product by a vendor (Windows 10 in this case) can be used to find unpatched vulns in other products (Windows 7 in this case).
- Over The Air - Vol. 2, Pt. 2: Exploiting The Wi-Fi Stack on Apple Devices: This article from Project Zero digs deep into the techniques used to get code execution on the iPhone 7’s Wi-Fi chip. It shows the incredible amount of work needed to accomplish this, but also that such attacks are possible.
- Cisco IOS and IOS XE Software DHCP Remote Code Execution Vulnerability: RCE against Cisco without any authentication needed.
- How I could have mass uploaded from every Flickr account: Interesting attack possible against Flickr accounts due to the low search space of a value that should be random and unguessable.
If you find Downclimb useful, please retweet or share internally on your Slacks and with your teams!