Weekly infosec news summary for 2017.10.22 – 2017.10.29
"If fail2ban sounds like it might be worthwhile for your environment, you are doing something gravely wrong." Thomas H. Ptáček, seemingly stated due to SSH should no longer allow password logins in the first place
Not much happened this week. A lot of people talked about BadRabbit and more discussion about Kaspersky, but I don't think there is much to say for either of those stories. BadRabbit is just an updated version of Nyetya, that isn't specifically targeting Ukraine. The Kaspersky drama is too shrouded in propaganda from both sides to make sense of.
Conference materials and publications
- Hack.lu videos: Conference in Luxembourg two weeks ago.
- Gmail Add-ons: Gmail has added better support for plugins, potentially opening the door to better end-to-end crypto solutions for the platform and better phishing detection. However, Google also has provided no ability for admins to control or monitor which plugins can be added. Similar to the "Google Docs" Oauth worm of May, we should expect new attacks targeting this functionality to come soon unless G-Suite better arms admins.
- How to post-process YARA rules generated by yarGen: Florian Roth follows up on his post last week on improving YARA rules (link), with a post on improving rules generated from yarGen.
- DUHK: New crypto attack due to a pseudorandom number generator, called ANSI X9.31, that until 2016 was FIPS approved. This pseduo-RNG has been known for decades to produce bad random if its seed value is known. Matthew Green's team "developed a sophisticated analytic technique called 'making a graduate student read every FIPS document on the CMVP website'." Using this technique, they noted a number of vendors had language indicating these keys were not being generated at each device startup. One of these vendors is Fortinet, which they reversed and confirmed this problem in. There are other vendors apparently, but they are not named. Using this attack VPN connections can be decrypted. 25K Fortinet devices are exposed on the Internet and vulnerable to this attack.
If you find Downclimb useful, please retweet or share internally on your Slacks and with your teams!