As previously mentioned, the first O’Reilly Security Conference just wrapped up in NYC. I opted to attend last minute and was glad I chose to, due to a number of really good conversations with other attendees.

Some of the highlights:

O’Reilly provided ‘office hours’ with most of the speakers, giving attendees the opportunity to pick the brains on speakers. I took advantage of this to sit down at a table with Cory Doctorow, who was one of the keynote speakers. This ended up being people going around, introducing themselves and describing what they are up to. I described my current job at SecurityScorecard, to which Cory expressed interest and thought it was pretty cool.

Had a great conversation with one of the guys from SourceClear about their work. They claim to have a vulnerability that is 50% greater than the NIST Vulnerability Database, accomplished by scanning Github for PRs related to security, as well as using that data to find similar patterns. They have some interesting scaling challenges, as they manually verify all the vulnerabilities. They then use this data to let people scan their dependencies and get a list of dependencies with vulnerabilities. We chatted about vulnerability databases in general, as well as Mitre’s occasional slowness in providing details.

Went to a great talk from HackerOne on Hacker Quantified Security, which went over some of the data they have collected from their bug bounties, showing security trends from making this a bit more public. I talked to their CTO about possibly working on an API where they can expose what companies are running bug bounty programs, and perhaps some of the metrics that are already available on their site.

Had a hallway conversation with one of the founders of Cobalt.io, a crowdsourcing pentest company, where they match up pentesters to specific engagements, and wrap that in some management and a good web platform. We talked about how security is becoming more and more transparent, and how it might be interesting if companies were able to share a subset of pentest results in a verifiable way.

Sat in on Jay Jacob’s talk on Security Data Beyond Operations. He went over some interesting things, like clustering security breaches by industry, and not seeing any cross industry patterns, so much as patterns within industries. He also went over Bitsight’s recent research on malware/torrent correlation.

Kelly Harrington from the Google Safe Browsing team gave a talk on their efforts entitled “Are we out of the woods? The current state of web malware”. They have covered a number of these things in their blog, but it was nice to see a talk that expands on the topics and pulls it all together.

There were two talks in particular where I was exposed to a lot of new information.

The first was Deriving actionable intelligence from spoofed domain registrations where Kyle Ehmke from ThreatConnect went over some research where they observed spikes in typosquat registration for domains that were later attacked. He went over various ways in which they try to correlate some of the data to find out more about attackers and related potentially malicious domains.

The second was Dan Kaminsky’s ‘A technical dive into defensive trickery’. Prefaced with the comment ‘I am tired of doing keynotes, let me tell you the cool projects I am working on’, and then went into a LOT of experiments in:

• DDoS attacks, and how to better communicate around these events. He is experimenting with shipping a subset of netflow data to destination networks. You can check out some of this in his overflowd project.
• Crypto/TLS Deployment. Let’s Encrypt makes this easier, but he suggests the easiest thing would probably be to jump to full encryption, which is a wrapper that will act as a TLS wrapper on any port, and provision TLS certificates on the fly.
• Data Loss Prevention. Experimentation in rate limiting data access through a proxy. Example was for querying password data at a rate of 7 requests/second. At that rate, querying for 500M users would take 2.26 years to exfiltrate the data.
• Code Safety. How to protect end users from executing bad code. Experimenting with making it easy to sandbox every application, via VMs/docker and syscall firewalling.

The first O’Reilly Security Conference just wrapped up in NYC. I opted to attend last minute and was glad I chose to, due to a number of really good conversations with other attendees. I plan to share a separate write up of some of the highlights in the near future.

Let’s keep following the Mirai after effects:

• Cloudflare mentions the impact to their systems, and their own observations, on the Dyn attack. Additionally, they detail how they have set up their architecture to deal with large scale attacks, which includes speading load across tens of thousands of servers.
• ThreatPost reveals some exploits in the Mirai codebase can be used to stop attacks. However, ‘hacking back’ is not legal in the USA.
• Wirecutter, a gadgets and gear review site, has published an article asking ‘Are Smart Homes Open Houses for Hackers?’. Tying in the recent attack and giving a review of some fairly prominent device exploits, it is a good read.
• Engadget has a similar piece on ‘That time your smart toaster broke the internet’, going over the recent problems, as well as some of the history of botnets and connected devices.
• Rapid7 goes into how to avoid ‘Default Fail’ for wireless systems, of which IoT devices use.
• News has been circulating about a new IoT botnet, taking lessons from Mirai, building on top of Aidra from 2013, and apparently infecting 3500 machines in its first 5 days.
• HackForums.net has shut down a portion of their site which advertised ‘Stress Testing Services’, some of which may have been DDoS as a Service providers in disguise.

Google has indicated that Chrome will only trust certificates that participate in the certificate transparency standard. Google intends this to encourage Certificate Authorities to tighten up their own security, and cut down mis-issues certificates that can be used maliciously. One downside, however, is this would require certificates for inside corporate networks to be part of Certificate Transparency, which would leak internal networking details. Additionally, Google has indicated that they will stop trusting certificates signed by WoSign and StartCom due to certificate misuse.

Google has also disclosed the existence of a Windows zero day vulnerability being exploited, ahead of an announcement by Microsoft. While Google is acting under a long standing disclosure policy for ‘critical flaws under active exploitation’, but Microsoft suggests they are not being responsible for ‘coordinated vulnerability disclosure’ and putting customers at risk. Coincidentally, Rapid 7 has an article on Coordinated Vulnerability Disclosure Advice for Researchers.

A new named exploit called Atombombing has been detailed. The exploit rely’s on ‘atom tables’, an area of Windows where apps can share data. Researchers have discovered a way in which malware can share malicious code, and then trick legitimate apps into loading and executing the payload.

Sophos tells the tale of the recent Paypal 2FA bypass. It appears that the client side was submitting the questions AND the answers, and simply deleting both could bypass 2FA.

Breakpoint Labs continues their series on ‘How We Get Into Your System’. This week features Multicast Name Resolution Poisoning, which takes advantage of some local networking protocols to harvest username/password hashes.

Troy Hunt tells us how an anonymous user happened to find a chunk of Australian Red Cross blood donor records online, where they happened to have accidentally been exposed via a database backup that was accidentally exposed on a partner’s website. Troy tells the whole story, as well as why he decided NOT to load the data into Have I Been Pwned.

This week’s Ransomware Roundup by BleepingComputer contains more variants (including one that makes you fill out a survey!) and a malware developer who tried to sell security researchers decrypt keys when the researcher had already exploited the C&C to harvest decryption keys.

Biggest news this week is, of course, the big DDoS attacks against Dyn from Mirai infected electronic devices. Dyn has provided some details of the attacks, the first which lasted ~2 hours, and the second of which lasted ~3.5 hours. Initial analysis leads them to say there were traffic surges 40-50x higher than normal. They are not able to confirm independent reports of the size and volume of the attack at this time.

The rest of the internet is abuzz with commentary:

• Rapid 7 has put together a Mirai FAQ.

• Incapsular analyzes the Mirai source code. Includes the password list, what hosts NOT to scan, and attempts to clean out other intruders.

• Krebs provided lots of coverage. Notably, a summary of the sudden increase in DDoS volume, demonstrating potential ties between Mirai and vDOS botnets, as well as new on one chinese electronics firm who has vowed to issue a recall for a number of vulnerable devices.

• A Motherboard article suggests that white hat hackers could write a virus to hack vulnerable devices and update them such that Mirai no longer works.

• Meanwhile, some senators are expressing concern that there is no standards and no liability for device manufacturers, which some hope will cause manufacturers to sit up and self regulate before the government imposes potentially harsher regulations.

• Threatpost indicates that only 10% of the devices infected by Mirai may have been used in the attack, and that since Mirai went open source, the number of infections has doubled.

In related news, another DDoS mitigation provider has noticed a growing number of LDAP servers participating in DDoS attacks. As some LDAP server variants work over UDP, this allows attackers to perform UDP amplification attacks, while hiding the source of the overall attack.

In other news:

Dirty Cow also landed on Friday. A nine year old Linux vulnerability that is based on a race condition that allows people to write to files they don’t normally have permissions for. This, of course, includes files for usernames and passwords to gain more access to the machine.

Mozilla has already baked in TLS 1.3 support into Firefox, but they have also announced that they will turn it on by default March 2017. They join Cloudflare and Google in being proactive about pushing this new standard forward.

Sucuri has covered a number of credit card stealers for eCommerce sites, and goes into depth for a specific version they found infecting Prestashop instances, as well as one that impacts Magento. The latter is interesting in that it dumps data into image files, and legitimate looking image files as well, making it harder for people to detect the data being collected, as well as the data being exfiltrated via a regular file access.

Breakpoint labs continues their series on how they break into networks. This week is Web Application Vulnerabilities. Sadly standard fare, such as failing to update software and plugins, as well as not sanitizing user inputs.

The DoD is apparently expanding on the ‘Hack the Pentagon’ initiative and launching a more long term bug bounty program.

Security researchers have demonstrated bit flipping attacks on Android. Labelled ‘Drummer’, it relies on continuously accessing memory to induce an error state and flip a bit to produce undesired behaviour, enabling apps to do things like break out of security sandboxes and obtain root permissions on a device. The research indicates this could even be triggered by javascript in a browser.

Checkpoint has released the September edition of ‘Most Wanted’ Malware. Conficker is still #1. Locky has made it to #3, making the first time ransomware has been in the top 3. ThreatPost indicates that Locky has at least 10 downloader variants as of this writing, and still evolves in the way in which it evades detection and infects systems.

BleepingComputer provides the rest of the Ransomware Roundup. Some minor new players, but one variant that includes a game, and Talos Intel providing a tool to block updates to the Master Boot Record to mitigate ransomware attacks that use this strategy.

Not quite as much IoT news this week. The highlight is that Mirai has evolved to infect cellular modems, including ones that connect automotive and industrial equipment.

Firefox’s data collection has indicated that their users see roughly 50% of the internet encrypted, in comparison to 40% at the end of 2015. This is at least partially attributed to free SSL provider’s like Let’s Encrypt.

Security researchers have discovered a vulnerability in some Foxconn hardware used to power several phones. This vulnerability, dubbed “Pork Explosion”.

HTML5 potentially adds additional threat vectors to the browser, in this article that highlights some CORS vulnerabilities, as well as how XSS can enable attacks on local browser storage.

Sophos breaks down DNS hijacking, including how easy it could be to just social engineer a hijack. The comparison is to recent SIM card hijacks, with a simple phone call transfering ownership until the actual owner takes steps to recover.

Breakpoint labs details 5 ways in which they break into a network. Phishing, unpatched applications, and poor account policies are no surprise. Poisoning netbios name resolution to collect user and password hashes? That is a bit different. They appear to be going in depth into these topics, with the first being phishing.

Facebook recently celebrated the 5th anniversary of their bug bounty program. Some interesting stats: More than $5 million paid to 900 researchers over those 5 years. ~$612K of that was this year, due to no fewer than 9K reports since January 1st.

Bleeping computer provides the ransomware roundup. This week includes a number of new variants, including VenisRansomware which not only encrypts files but includes modules for things like remote access and password stealing. On the defensive side, Talos Group has developed a program that dumps the configuration of several variants of Locky.

Stories about hacking the internet of things continue to roll out.

• Hackaday goes into how cheap devices open up security holes via UPnP.
• Cloudflare has their own analysis on a large attack, specifically ones using HTTP to eat up server resources.
• As does Akamai, who points out one form of attack labelled SSHowDowN Proxy.
• The European Union is looking to draft stern laws requiring security for devices.
• Meanwhile, MITRE has launched a competition/bounty to uniquely identify IoT devices that are on a network, in a non-intrusive fashion.
• Krebs On Security (a recent victim of IoT DDoS) has an article detailing some findings from an IoT honeypot, where devices are being turned into SOCKS proxies and rented out for various malicious activities.
• A security researcher recently investigated MatrixSSL, an SSL stack for IoT devices. and found three vulnerabilities, similar to how closer scruitiny of OpenSSL has uncovered a number of vulnerabilities in the last year.

Speaking of SSL, a few months ago I mentioned nonce reuse. Cloudflare has a great article on the concept as well as going into how various versions of TLS manage nonces, and what future versions are doing to reduce the ability for nonce misuse.

Researchers warn that 1024 bit keys in the Diffie-Hellman key exchange can be trapdoored, allowing attackers to decrypt data. While NIST has recommended 2048 bit keys since 2010, some big areas still use 1024 bit keys, including a number of SSL certs, Java 8 only supporting 1024 bit keys, and DNSSEC limiting keys to a maximum of 1024 bits as well. At this time, while the researchers are able to create a trapdoor, they don’t have a way to identify what published primes might actually be trapdoored.

Amazon has joined the group of companies that analyze data leaks and proactively reset customer passwords.

Researches at Checkpoint have written a whitepaper on sandbox evasion, specifically targeting the Cuckoo Sandbox, to educate sandbox makers on the evolving field of sandbox evasion. Among other things, I have now learned that malware takes advantage of some specific malware detection/virtual environment processes to actually make itself crash before doing anything malicious, to avoid detection.

Today I learned of the existence of Sucuri’s Lab Notes, due to them now starting to put together a monthly recap. The last month has included exploiting various CMSes (Drupal, Magento, vBulletin), how to target mobile devices for malware, and an attacker attempting to hijack Paypal donations.

BinaryEdge has published their own Internet Security Exposure report. Similar to other reports, key findings include slow to be updated software, which leaves potential security flaws to be exploited, as well as plenty of databases, smart devices and other systems not using authentication mechanisms.

A former NSA staffer has demonstrated how malware can leverage your camera by piggybacking on any recording that is already happening. Since on OSX, the video light will already be on, users won’t realize that other programs are making use of the camera. The researcher has also published a program that will identify and alert when an application goes to make use of the camera, to mitigate this problem.

Checkpoint has an interesting article on “Crypto Failures in Malware”. From ransomware that used default values and was easily decrypted, to not really random seeds, to rolling your own encryption (never a good idea) complete with real world examples of where malware authors did the wrong thing.

Bleeping Computer rounds up the ransomware. This week features lots of new variants, but it appears that many are really just spins on existing versions, rather than in increase of sophistication.