Weekly infosec news summary for 2017.10.29 – 2017.11.05
Quotes
“Write the article you wish you found when you googled something.” Chris Coyier
“The more ‘basic security tips’ that need to exist to use technology safely, the more we should be focusing on creating safe defaults. Safe defaults scale. An increasing volume of minimum required knowledge does not.” Ryan Huber
“Ugh. Someone committed their Cobalt Strike directory to GH, including data/, which has all of the sessions, targets, and credentials you got” @redteamwrangler
“In @shodanhq 95% (roughly) of the #ElasticSearch (ELK) instances I found with #Ransomware notes were for intrusion detection. Ironic really.” @StegoPax
Top stories
Mobile Pwn2Own
ZDI handed out $515K to researchers for exploiting a variety of devices (link). This competition takes place annually in Tokyo. Many devices were compromised through a variety of techniques, including WiFi on an Apple iPhone 7, the baseband processor on the Samsung Galaxy S8, an attempt (which failed) against NFC, and different browsers. Prizes ranged from as little as $25K for a Safari browser exploit against an iPhone 7 to as much as $100K for a baseband exploit. In one case, 11 bugs (plus some features) across 6 apps were used to execute code. In another case, 3 bugs were chained together to exploit WiFi, but interestingly one of the bugs had already been submitted by a competitor.
So what should we take away from competitions like this?
- Reporters have finally stopped writing things like “owned within seconds”, as it’s now understood that these vulns and their exploits can take months to find and write in advance of the competition.
- Payouts for these prizes are not good indicators of the actual “street” price for these exploits, as the companies and individuals that compete are doing so for their own marketing. This is similar to some sports, such as golf, where the purse money is not nearly as much as the endorsement deals.
- That said, these exploits are viable, as Project Zero had also proved by demonstrating some of these this year.
- As Thinkst pointed out in their review of a 2011 Pwn2Own (link), 0-day happens, so make sure to plan for it. Specifically, use PAWs (Privileged Access Workstations) such that web browsing happens from one system and access to sensitive systems happens from other systems.
Conference materials and publications
- Enterprise security: A new hope - Haroon Meer: O’Reilly Security Conference keynote (there are other keynotes, but not as good). Requires free sign-up.
- ekoparty videos: Conference in Argentina.
Tools
- fireeye/gocrack: Software to manage and distribute password cracking across systems.
- CERTCC-Vulnerability-Analysis/trommel: Sifts through directories of files to identify indicators that may contain vulnerabilities.
Other reads
- Phish in a Barrel: Jordan Wright at Duo Security has a report on analyzing 66,000 phishing URLs from public feeds and finding 3,200 unique phishing kits.
- Phone numbers are the new social security numbers: Good summary of how phone numbers are not effective for account recovery for higher value targets.
- Fixing security bugs: Collin Greene walks through some of the ideas he’s used to get people to fix bugs.
- Operationalizing Carbon Black Response with Splunk: Step-by-step guide to using Splunk with Carbon Black.
- ripr v1.1: Function Arguments, Basic Block Mode, and more: ripr is a plugin for Binary Ninja that automatically extracts and packages snippets of machine code into a functionally identical python class backed by Unicorn-Engine.
- FancyBear emails: The Russian APT had used bitly to perform phishing attacks on 4,700 Gmail users, some of whom were targeted more than a dozen times over the course of a year, resulting in 19,000 malicious links created over the 14-month period from March 2015 to May 2016. One interesting bit from a post about this (Tracing Fancy Bear’s paw prints) is that the developer of the Ukrainian artillery guidance app was targeted as part of this, lending support to that original accusation and showing how developers are being targeted.
- Twitter employee shut down US president’s Twitter account: An important reminder about the abilities support staff at companies have.
- Day trader made $700K in a scheme targeting hacked online brokerage accounts: 110 accounts were compromised, resulting in an average of nearly $6400 per account.
- AWS Direct Connect Gateway – Inter-Region VPC Access: In order for EC2 instances in different regions to talk to each other, you previously had to either give them public IP addresses or connect a VPN between the regions. Now you can just connect the VPCs. It’s unclear what encryption or other protections exist for these communications, so you’ll need to take that into consideration.
If you find Downclimb useful, please retweet or share internally on your Slacks and with your teams!