
Weekly infosec news summary for 2017.10.29 – 2017.11.05


“Write the article you wish you found when you googled something.” Chris Coyier


“The more ‘basic security tips’ that need to exist to use technology safely, the more we should be focusing on creating safe defaults. Safe defaults scale. An increasing volume of minimum required knowledge does not.” Ryan Huber


“Ugh. Someone committed their Cobalt Strike directory to GH, including data/, which has all of the sessions, targets, and credentials you got” @redteamwrangler


“In @shodanhq 95% (roughly) of the #ElasticSearch (ELK) instances I found with #Ransomware notes were for intrusion detection. Ironic really.” @StegoPax


Top stories

Mobile Pwn2Own

ZDI handed out $515K to researchers for exploiting a variety of devices (link). This competition takes place annually in Tokyo. Many devices were compromised through a variety of techniques, including WiFi on an Apple iPhone 7, the baseband processor on the Samsung Galaxy S8, an attempt (which failed) against NFC, and different browsers. Prizes ranged from as little as $25K for a Safari browser exploit against an iPhone 7 to as much as $100K for a baseband exploit. In one case, 11 bugs (plus some features) across 6 apps were used to execute code. In another case, 3 bugs were chained together to exploit WiFi, but interestingly one of the bugs had already been submitted by a competitor.

So what should we take away from competitions like this?

  • Reporters have finally stopped writing things like “owned within seconds”, as it is now understood that these vulns and their exploits can take months to find and write in advance of the competition.
  • Payouts for these prizes are not good indicators of the actual “street” price for these exploits, as the companies and individuals that compete are doing so for their own marketing. This is similar to some sports, such as golf, where the purse money is not nearly as much as the endorsement deals.
  • That said, these exploits are viable, as Project Zero had also proved by demonstrating some of these this year.
  • As Thinkst pointed out in their review of a 2011 Pwn2Own (link), 0-day happens, so make sure to plan for it. Specifically, use PAWs (Privileged Access Workstations) such that web browsing happens from one system and access to sensitive systems happens from other systems.

Conference materials and publications


Other reads

If you find Downclimb useful, please retweet or share internally on your Slacks and with your teams!