Weekly infosec news summary for 2017.11.05 – 2017.11.12
"Not so long ago, people used to design special vulnerable projects for teaching exploit writing. Today you can just buy an #IoT devices." Dmitriy Evdokimov
"the [Incident Response Team] must run its own infrastructure. The [Incident Response Team] cannot trust infra run by Corp IT. It's already owned." Richard Bejtlich on APT29 which monitors the security and IT organizations to track detection and response efforts
AWS MFA policy issues
This week Amazon fixed guidance they had provided to try to enforce multi-factor authentication (MFA). While working with Duo Security, myself and a team member there discovered a couple of issues with the original guidance, which would allow an attacker to bypass this MFA enforcement if they compromised a victim's AWS access keys. After working with Amazon to fix this, we're now able to discuss it (link). Update your MFA enforcement policies to fix these issues. Even AWS has trouble with IAM policies, so if you're interested in having your own IAM strategy or AWS usage reviewed, reach out to me.
Someone posted an image of a microphone embedded inside an ethernet cable this week (link). This appears to have been a made up scenario and not an actual spy device found. However, a number of weeks ago someone had pointed out a similar situation with USB cables that have GSM cards in them that are supposed to be tracking stolen vehicles and can also record any conversations. Those devices are real and someone bought one of these devices and reversed a lot of what it does (link).
When I was head of security, one of my employees once asked me "How do I prevent ghosts from watching me type my password in?" He was joking, but conceptually how do you deal with the possibility that someone has installed a camera over the area an employee works and can therefore watch them type in their password? Or are listening in to conversations? Or has installed some sort of other monitoring devices in your hardware? These devices are cheap enough and easily available to be concerns for more than just the targets of well-funded intelligence agencies. I believe within a year there will be a focus on stories where such devices have been found and used to compromise businesses. Along with this we'll see growth in businesses that offer sweeping for spy devices. Just like in the wake of Agent.BTZ in 2008 where we saw a focus on avoiding plugging in stray thumb-drives, we'll see a focus on avoiding bringing all sorts of "gifts" and "found devices" into offices.
Understanding the root cause of account takeover
Google released a paper on account takeover (ATO) (link). They state 15% of Internet users have reported accounts being taken over. The order of magnitute cause of these is interesting, with under 1M stolen through keyloggers, >10M stolen through phishing, and >1B acquired through third-party breaches. Of credentials exposed in breaches, 7-25% match a victim's Google account.
New details are out about the Asian focused APT OceanLotus, believed to be Vietnam (link). This actor compromised over a 100 sites that were regularly used by their victims in order to fingerprint them. Once targeted, victims are then prompted to grant OAuth authorizations to a malicious Google App which let's the attacker monitor all emails.
Conference materials and publications
- PacSec slides: Conference in Tokyo, Japan last week.
- Ruxcon slides: Conference in Melbourne, Australia, in October.
- AWS PrivateLink: On AWS, you can setup servers that can only talk to each other within a private network (a VPC), but if you wish to use most AWS services, you need to make calls out to the Internet. This can make it difficult to restrict access. AWS has now released a service to make it possible to connect to more of these services from within the VPC in a restricted way. The number of new services is fairly limited that can be used with this but this seems to be the strategy AWS will use moving forward. More details here.
- WikiLeaks: Vault 8: WikiLeaks has released information allegedly from the CIA that shows their backend infrastructure for implant callbacks. They point out that in one case this impersonates Kaspersky, which appears to be an attempt to make the case that the CIA abused Kaspersky just as it has been alleged that the Russian intelligence agencies had.
If you find Downclimb useful, please retweet or share internally on your Slacks and with your teams!