Weekly infosec news summary for 2017.10.08 – 2017.10.15

Quotes

“Vendor security assessment protip: explicitly ask if mechanical turk or similar crowd-sourcing solutions are in use.” Josh Yavor‏

 

“Me explaining blue boxing to youngsters: “It’s like a SQL injection where standard keyboards aren’t shipped with the ‘quote’ key”” Nicolas Grégoire

 

“The EICAR test file is now just a MS Word document with a red SECRET header.” Michael Myers‏

 

“If you’re having skilled employees hacking back, what you’re really doing is trying to keep them busy while you avoid figuring out how to get your organization to implement their advice or findings to improve your own security.” Artturi Lehtiö‏

Top stories

Antivirus companies hacked

The big news this week was of Kaspersky having been hacked by Israel in 2015, where they found the Russian gov was using it to scan for American government classified programs (link). It’s not stated whether Kaspersky was complicit in the Russian gov’s use of them or if they were hacked by the Russian gov as well. In either case, it seems the Israelis must have planned on doing something similar.

In a separate situation it was learned this week that North Koreans hacked a South Korean antivirus, named Hauri, which was installed on South Korea’s military systems (link). Their air-gapped network was not properly air-gapped, and this software was used for the exfil.

We also have the recent CCleaner incident from two weeks ago, which was yet another security solution that was used to exfil data from networks.

Many have used this as an opportunity to make claims that AV is not to be trusted, whereas the reality is that any software could have had this done to it, and there are incidents of exactly that happening, for example in 2015 when the screenshot software puush had updates pushed out to geo-ip restricted targets in order to steal passwords (link). In the case of AV, it’s just harder to detect because it’s purpose is to look at all files on a system, it has system level access and performs most of it’s work from kernel drivers that are more difficult to monitor, and it’s updates are more frequent and more important to keep timely. I believe that we are mostly running into a Streetlight effect, where people in infosec are paying so much more attention to security vendors because that is what they know, much like the person that looks for their keys under the streetlight because that’s where the light is. This goes for not only defenders, but also for the attackers when selecting targets.

You should reduce your attack surface by reducing the amount of software you run on your networks. Try to control the updates yourself, for example with your servers you can host your own yum repos. Software such as backup tools or file sharing software can also be abused to exfil data in a way that would be difficult to discover. With so much data moving into the cloud though where it is accessed largely through the browser, it’s also important to reduce the number of browser extensions you have, and the number of plugins/extensions used in editors. An example of this was about a year ago when a spell checking plugin for VS Code was found to be uploading every file that was opened back to a company’s servers (link). A more recent example is this week someone pointed out that CircleCI, which is used for deployments, loads javascript from 8 analytics companies, any of which would be able to steal source code and API tokens if compromised (link).

Crypto Anchors: Exfiltration Resistant Infrastructure

Diogo Mónica discusses the concept that him and Nathan McCauley laid out back in 2014 of using crypto anchors (link). The concept is to force attacker to work inside your environment by forcing decryption to be done there, instead of doing a smash and grab. This slows them down and gives you a greater ability to detect and react to them, hopefully containing any damage that might be done.

Tools

• Testing Security Keys: Adam Langley has tested a couple of U2F keys to look for crypto or other issues. The summary of this article is to buy Yubico’s U2F Security Keys which had no flaws found.

Conference materials and publications

• AppSec USA videos: Conference in Orlando, Florida in September.

Other reads

• Your Node.js authentication tutorial is (probably) wrong: The author points out a number of authentication flaws that can happen, and notes that every node.js tutorial on authentication suffers from at least one of these problems. This is a good read to learn about the problem space of authentication issues.
• GitHub will soon warn developers of insecure dependencies: Github will soon shows a dependency graph for repos they host to show all the other packages that feed into a repo. This then will be used to identify dependencies with vulnerabilities.
• My First CloudFront Domain Takeover/Hijack: Cloudfront sub-domain hijacks are looking to be as prevalent as exposeed S3 buckets. Make sure all your sub-domains point to resources you control.
• TPM vulnerability: The TPM used by Chrome OS in a number of Chromebook models was found to be vulnerable to a possible attack on the RSA it uses. Updating to the latest Chrome OS will update the firmware and fix this issue.
• iOS Privacy: steal.password - Easily get the user’s Apple ID password, just by asking: This article shows how the password prompt for a user’s Apple ID on an iPhone can easily be spoofed. The best explanation for this problem is from Eric Law in his article about the The Line of Death. An important, but often under not well thought out, security feature is identifying where it’s ok to ask for authentication credentials or out-of-band messages to a user. For any device or application that allows any arbitrary content, you need a way to clearly differentiate when a prompt or message is just the content of an application, and when it is some higher level communication.
• Microsoft Outlook S/MIME cleartext disclosure: For at the least the last 6 months Outlook has been sending both an encrypted version of emails that were supposed to be S/MIME encrypted, along with a copy of the unencrypted contents.
• A Bug Has No Name: Multiple Heap Buffer Overflows In the Windows DNS Client: Vulns with the DNS software used by Windows.
• Chrome Extension Uses Your Gmail to Register Domains Names & Injects Coinhive: This malicious chrome extension performs crypto-currency mining in the victims browser, but what is more interesting is it uses the person’s gmail account to register free domain names. It’s interesting that the attacker would go through the effort of automating gmail interactions for such a boring purpose.
• Real-time cellular data: This article shows how by using just your IP, when using your mobile phone, mobile providers are selling access to who you are and your location. This article is a good reminder that for many breaches and hacks you hear about, the data stolen can just be bought. You can find out the names and current locations of every person in the US legally if you pay for it.

If you find Downclimb useful, please retweet or share internally on your Slacks and with your teams!