Weekly infosec news summary for 2017.11.19 – 2017.11.25

Quotes

“Apple is replacing Intel as the root of hardware trust in their Macs. Google has done the same with their Titan chip for their servers in GCP.” Dino A. Dai Zovi‏

 

“Mandatory secure boot and encrypted firmware images have a negative security impact on consumer devices that have a high target value. Makes it a lot harder for the good guys to look into the system, while leaving motivated enough attackers a monopoly on security research.” @qwertyoruiopz

 

“Security folks should be trained in negotiation. Don’t ever say “no, we can’t do that” when you can say “yes, but…”. Give people options that are realistic & allow them to get what they want at a cost they can accept. Anytime you win a security argument & the other guy loses, you lose. If you can find a win-win solution, you gain credibility & political capital that make the next discussion even better.” Nathan Sweaney‏

 

“Ordinary bugs don’t have adversaries coercing them into occurring.” Thomas H. Ptáček‏

 

“Ransomware is not about encrypting data. It is the current implementation of a methodology that coerces the victim to act as an agent for the criminal (typically to acquire BTC.) Encrypting data just an implementation detail; it’s the “coerced agent” part that matters. There are infinite ways to coerce someone once you have access to their data. People will pay more to keep their secrets from their friends than to regain access to their data.” the grugq

 

Top stories

Intel ME vulnerabilities

Positive Technologies found a number of firmware vulnerabilities across many of Intel’s products in the Management Engine (ME) (link). Intel’s ME had been discussed back in May (link), when a vulnerability in the AMT part of the Management Engine had been found, and concern was raised as this is a whole other computer inside your computer that you don’t have access to, but that can control your computer. Few details have been released for the new vulnerability. The danger of this issue, as Positive Technologies has described it, is that it would allow an implant to be installed on your system that cannot be detected, and would be resistant to both OS and BIOS updates. No information is provided about how this implant could be installed, such as whether or not this is remotely exploitable.

You will need to check the website for your computer manufacturer (ex. Dell, Lenovo, Acer, etc) in order to obtain updates (link).

Uber paid a ransom

In October 2016, hackers stole data on 57M customers and drivers for Uber, which was concealed for more than a year, and involved $100K being paid to the hackers (link). Most of the data was only names, emails, and phone numbers, which is practically public information at this point given the number of other breaches that have happened. Drivers license numbers were also accessed for 600K drivers, which is slightly more interesting. No credit cards, trip reports, or other data were accessed. This appears to have made a lot of news because it’s Uber (which people like to hate) and because they didn’t report it, as is required by some jurisdictions. Unfortunately, history has shown that the penalties for failing to report breaches is minimal. For example, Uber previously paid a $20K fine in early 2016 for failing to disclose a much worse breach that included social security numbers, pictures of drivers licenses, tax forms, and more (link).

It is unclear if this was a breach or a bug bounty. If we assume it was a breach and a ransom was requested, then morally perhaps this is bad to pay because it incentivizes criminals, but it’s potentially in the best interest of customers and the business.

The breach happened when attackers accessed a private Github repo that seems to have had AWS credentials inside it.

Conference materials and publications

• SecTor slides and videos: Conference in Toronto from October. Great presentation in there by Jonathan Poling on Incident Response and Forensics in AWS.

Tools

• Windows 10 development VM: 20GB VMs from Microsoft of Windows 10 Fall Creators Update Enterprise with VS2017 and other development tools pre-installed.

Other reads

• Mobile Pwn2Own 2017 Results and the Economics of Mobile Exploits: Zuk Avraham summarizes the results from the recent Pwn2Own competition and comes to the thought-provoking conclusion that although iOS exploits may cost more than Android exploits, iOS exploits are most cost effective from an attacker’s point-of-view. This is due to the fragmentation of the Android market.

News from Summit Route

This Downclimb is a day early as I won’t have Internet access tomorrow. This is also going to be the last Downclimb. I plan on continuing to post things here, but will focus on my own research and guides, mostly around AWS security.