Center for Cyber Security Studies
* Provided by CDR Pablo Breuer *
- Docker tightens security over container vulnerabilities: http://www.informationweek.com/cloud/platform-as-a-service/docker-tightens-security-over-container-vulnerabilities/d/d-id/1323178 I'm a big fan of containers and virtualization and it's nice to see the attention they're paying to try to make this as secure as possible.
CMU, FBI and TOR:
- FBI: "The allegation that we paid CMU $1M to hack into Tor is inaccurate": http://arstechnica.com/tech-policy/2015/11/fbi-the-allegation-that-we-paid-cmu-1m-to-hack-into-tor-is-inaccurate/
- CMU denies FBI paid for Tor-Breaking Research: http://www.wired.com/2015/11/carnegie-mellon-denies-fbi-paid-for-tor-breaking-research/
- Yahoo restricting mail accounts if it detects ad-blockers: http://www.engadget.com/2015/11/20/yahoo-ad-blocker-issue/ There are better ways to block ads than using ad blockers. Just the same, this will be an interesting arms race.
- Georgia sent out CDs of data from 6 million voters containing Privacy Act info: http://media.cmgdigital.com/shared/news/documents/2015/11/18/Data_Breach_Lawsuit.pdf
- New IBM tech lets apps authenticate you without personal data: http://www.csoonline.com/article/3007304/privacy/new-ibm-tech-lets-apps-authenticate-you-without-personal-data.html Interesting, but really the next evolutionary step over CAC or Yubico
- Ransomware is coming to medical devices: http://motherboard.vice.com/read/ransomware-is-coming-to-medical-devices Remember when I predicted medical was going on a hiring spree soon?
- CIOs are spending a third of their time on security: https://enterprisersproject.com/article/2015/11/these-4-responsibilities-just-jumped-top-cios-do-list
- The history of SQL Injection, the Hack that will never go away: http://motherboard.vice.com/read/the-history-of-sql-injection-the-hack-that-will-never-go-away I'm going to go out on a limb and suggest that SQL is Turing complete.
- VMware patches XXE bug: https://threatpost.com/vmware-patches-pesky-xxe-bug-in-flex-blazeds/115443/ Patch your stuff.
- Department of Education lambasted over database vulnerabilities: https://threatpost.com/department-of-education-lambasted-over-database-vulnerabilities/115433/ You only have to put ONE political appointee, SES or Commanding Officer in jail.... just one.
- Russian financial cybercrime: how it works: https://securelist.com/analysis/publications/72782/russian-financial-cybercrime-how-it-works/ Great primer on the RBN.
- FBI has lead in probe of 1.2 billion stolen web credentials: http://www.reuters.com/article/2015/11/24/us-usa-cyberattack-russia-idUSKBN0TD2YN20151124?feedType=RSS&feedName=technologyNews
Windows 10 update:
- Beware, latest Windows 10 update may remove programs automatically: http://www.ghacks.net/2015/11/24/beware-latest-windows-10-update-may-remove-programs-automatically/ Confirmed. I saw this on one of my home boxes.
- Windows 10 November update was pulled for forgetting privacy settings; it's now back: http://arstechnica.com/information-technology/2015/11/windows-10-november-update-was-pulled-for-forgetting-privacy-settings-its-now-back/
- DARPA's Rapid Attack Detection, Isolation and Characterization (RADICS): https://www.fbo.gov/index?s=opportunity&mode=form&id=4ebb7ba441be3ed21322ac135e528a3e&tab=core&_cview=0 It sure would be fun if I could manage to get a tour out there working on these kinds of fun projects.
- Huge breach at Hilton worldwide affected POS systems: http://news.hiltonworldwide.com/index.cfm/misc/guestupdate/hilton-worldwide-guest-update
- Lenovo patches vulnerabilities in system update service: https://threatpost.com/lenovo-patches-vulnerabilities-in-system-update-service-2/115482/ Gotta love vendor-ware
- PCs running Dell support app can be uniquely ID'd by snoops and scammers: http://arstechnica.com/security/2015/11/pcs-running-dell-support-app-can-be-uniquely-idd-by-snoops-and-scammers/ Without authentication for this app, it was only a matter of time. Yes, my new home vSphere server is a Dell; no, I don't run this app.
- Additional self-signed certs, private keys found on Dell machines: https://threatpost.com/additional-self-signed-certs-private-keys-found-on-dell-machines/115467/
- Dell apologizes for HTTPS certificate fiasco, provides removal tool: http://arstechnica.com/security/2015/11/dell-apologizes-for-https-certificate-fiasco-provides-removal-tool/ Apparently Dell didn't learn from Lenovo's Superfish fiasco.
- Researchers poke hole in custom crypto for Amazon Web Services: http://arstechnica.com/science/2015/11/researchers-poke-hole-in-custom-crypto-protecting-amazon-web-services/ Crypto is hard. Crypto math is hard. Proper engineering implementation of crypto models is hard. Proper configuration of correct engineering implementation of good crypto math models is hard. Are we understanding yet?
- Chimera ransomware operations shutdown: https://threatpost.com/chimera-ransomware-operation-shut-down/115399/
- Children's toy maker VTech hacked: http://www.bbc.com/news/technology-34944140 Attribution dice say SQLi. More here: http://motherboard.vice.com/read/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids
- Critical 'Port Fail' vulnerability reveals real IP address of VPN users: http://thehackernews.com/2015/11/vpn-hacking.html?utm_source=dlvr.it&utm_medium=twitter This shouldn't affect most VPN users as they care more about protecting the content than their anonymity, but for some of us...
- Comcast using MiTM attack to warn subscribers of potential copyright infringement: http://www.techspot.com/news/62887-comcast-using-man-middle-attack-warn-subscribers-potential.html?utm_content=buffer263e2&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer This is NEVER ok. How else are they using MiTM?
- Malwarebytes exposes adware that disables antivirus: http://betanews.com/2015/11/25/malwarebytes-exposes-adware-that-disables-antivirus/?utm_content=bufferdf152&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer I've seen malware do this, but it's the first time I've seen Adware do it.
- Predictable SSH host keys in Raspberry Pi: https://www.raspberrypi.org/forums/viewtopic.php?f=66&t=126892 As much as I love RPi, please remember it's a toy for prototyping and teaching electronics and computer science; it is NOT meant for final production projects.
- Cyber Spying is out, Cyber lying is in: https://foreignpolicy.com/2015/11/20/u-s-fears-hackers-will-manipulate-data-not-just-steal-it/ Now people are starting to get it. (Hat tip: Lincoln Trust, Weisstribe)
- IBM's CEO on Hackers: "Cyber crime is the greatest threat to every company in the world." http://www.forbes.com/sites/stevemorgan/2015/11/24/ibms-ceo-on-hackers-cyber-crime-is-the-greatest-threat-to-every-company-in-the-world/ In case you've been under a rock
- Analyzing and attacking a Botnet for fun and profit: http://arxiv.org/pdf/1511.06090v1.pdf Great little read.
- Thunderstrike 2.0 EFI attack: https://trmm.net/Thunderstrike_2 Yeah, this. I might know a little something about this.
- New Dyre variant can target Windows 10 and Microsoft Edge users: http://www.net-security.org/malware_news.php?id=3156
- 600K cable modems have an easy to pop backdoor in a backdoor: http://www.theregister.co.uk/2015/11/20/arris_modem_backdoor/?mt=1448736535732 Ouch. I got bit by this one. It's a good thing I've got three firewalls between my modem and my computers. :p
- Trojanized adware family abuses accessibility service to install whatever app it wants: https://blog.lookout.com/blog/2015/11/19/shedun-trojanized-adware/ This is frightening.
- Android Google Search lets you use an app without installing it: http://arstechnica.com/gadgets/2015/11/android-google-search-lets-you-use-an-app-without-installing-it/ Interesting... This could be a good thing for security although, depending on the app, could also expose your sensitive information to the "cloud" (pronounced "someone else's computer")
- EE proposes restrictions on mobile adverts: http://www.telegraph.co.uk/finance/newsbysector/mediatechnologyandtelecoms/telecoms/12008197/EE-proposes-restrictions-on-mobile-adverts.html Given the rise of malvertising, this is a good thing.
- Connected cars aren't just for hacking: http://arstechnica.com/cars/2015/11/connected-cars-arent-just-for-hacking/ No argument that there are tremendously useful and helpful things with automation, however, we need to find a better, safer way to do them.
- Reverse Engineering the BMW i3 API: https://shkspr.mobi/blog/2015/11/reverse-engineering-the-bmw-i3-api/ So this is fun. (Hat tip: Weisstribe)
- Cyberattacks on vehicles to increase sharply in 2016, McAfee Labs predicts: http://www.canadianunderwriter.ca/news/cyberattacks-on-vehicles-to-increase-sharply-in-2016-mcafee-labs-predicts/1003904722/?er=NA&utm_content=23455015&utm_medium=social&utm_source=twitter This is a no-brainer.
IoT (Internet of Things):
- Ransomware on your TV: http://news.softpedia.com/news/ransomware-on-your-tv-get-ready-it-s-coming-496685.shtml This is going to get much worse before it gets any better.
- Green light or no, Nest cam never stops running: https://securityledger.com/2015/11/green-light-or-no-nest-cam-never-stops-watching/ Yup. I've never understood why people willingly put devices like this, Google's hub or Amazon's Echo in their home.
- Reuse of cryptographic keys exposes millions of IoT devices: http://www.securityweek.com/reuse-cryptographic-keys-exposes-millions-iot-devices-study?utm_source=dlvr.it&utm_medium=twitter I can't even.
- Medical devices that are vulnerable to life-threatening hacks: http://www.wired.com/2015/11/medical-devices-that-are-vulnerable-to-life-threatening-hacks/?mbid=social_twitter I don't want a Bluetooth-enabled hearing aid in my SCIF and I sure as hell don't want a pacemaker with no authentication and a weak protocol embedded in my chest.
- Simple devices protecting our water system: http://hackaday.com/2015/11/17/simple-devices-protecting-our-water-system/?utm_content=buffer0d045&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
- An electromagnetic arms race has begun: China is making railguns too: http://www.popsci.com/an-electromagnetic-arms-race-has-begun-china-is-making-railguns-too Rhetorical question: How much of this did China steal from DoD and US DIB?
- China is starting to spank the US with supercomputing resources: http://gizmodo.com/china-is-starting-to-spank-the-u-s-with-supercomputing-1743226910 While not good, the reality is the US still holds half of the top 10 spots including spots 2 and 3.
- WSJ: China's government wants homegrown, backdoor-free phones: http://www.engadget.com/2015/11/20/wsj-china-secure-phones/ It's funny when China wants backdoor free phones and the US gov wants to insert backdoors in all phones. (Hat tip: 3ncr1pt3d)
- Tor use skyrockets in Bangladesh after government bans social networks: http://www.dailydot.com/politics/bangladesh-social-media-ban-tor-encryption-anonymity-protests/ Is anyone surprised?
- US, China claim 'meaningful' progress on trade secrets theft: http://www.rightrelevance.com/search/articles/hero?article=7d28b96dd34c3185646aef2d4ff977dbfe651885&query=cyberwarfare&taccount=cyberwarfarre So I've got this bridge I want to sell you...
- US advised to hack China, days after world leaders' pact against commercial hacking: https://hacked.com/us-advised-hack-china-days-world-leaders-pact-commercial-hacking/ So OPSEC.
- When all you have is a hammer, ISIS looks like a nail: http://www.theguardian.com/technology/2015/nov/20/isis-internet-copyright-anonymous-terror Anonymous is making the same mistakes that others have made. DoS is a brute force weapon that is often not informed by Intel Gain-Loss (IGL) discussions. Strategy is something that you should have before starting an op.
- Hackers replace dark web ISIS propaganda site with advert for Prozac: http://www.ibtimes.co.uk/hackers-replace-dark-web-isis-propaganda-site-advert-prozac-1530385 Ok, this is a little funny.
- Britain to build cyber attack forces to tackle IS, hackers: http://uk.reuters.com/article/2015/11/17/uk-britain-security-cybersecurity-idUKKCN0T600920151117 Interesting. The legal ramifications of coalition cyber ops are going to get very interesting. Remember, lawyers are advisory authorities - not decisional authorities.
- One GOP lawmaker's plan to stop ISIS: Censor the Internet: https://www.washingtonpost.com/news/the-switch/wp/2015/11/17/one-gop-lawmakers-plan-to-stop-isis-censor-the-internet/ (archived) *sigh* How about no? Why don't we let the professionals handle this? Anonymous has already made a mess of the situation.
- ISIS using encrypted apps for communications; former intel officials blame Snowden: http://arstechnica.com/information-technology/2015/11/isis-encrypted-communications-with-paris-attackers-french-officials-say/ I'm just not going to comment.
- Top questions asked on the ISIS 'Help Desk': http://money.cnn.com/2015/11/18/technology/isis-jihad-help-desk/ It's interesting to me that ISIS and Exploit Kits have better customer support than legitimate corporations.
Telegram:
- Telegram encrypted messaging service cracks down on ISIS broadcasts: http://arstechnica.com/information-technology/2015/11/telegram-encrypted-messaging-service-cracks-down-on-isis-broadcasts/ Shutting streams down isn't always the best TTP. There are better and more devious ways to have greater operational effect.
- Telegram founder knew ISIS was using his service before Paris attacks: http://www.engadget.com/2015/11/19/telegram-founder-isis-before-paris/
- EU plans crackdown on Bitcoin and other anonymous online payment methods after Paris: http://www.reuters.com/article/2015/11/19/us-france-shoooting-eu-terrorism-funding-idUSKCN0T81BW20151119#jf64uC8gtghYUX9p.97 I'm afraid, good sirs, that Pandora's box has already been opened on that one.
- Facebook tipped off the US government to Iranian hackers: http://www.fastcompany.com/3054015/fast-feed/facebook-tipped-off-the-us-government-to-iranian-hackers About time Silicon Valley got in the game. This was a clear-cut case and not even EFF should have a problem here.
- Iranian hackers attack state dept via Social Media accounts: http://www.nytimes.com/2015/11/25/world/middleeast/iran-hackers-cyberespionage-state-department-social-media.html?_r=0 Why do we allow this from inside our networks? Seriously?
- How Islamic State teaches tech savvy to evade detection: http://www.wsj.com/articles/islamic-state-teaches-tech-savvy-1447720824?utm_content=24224734&utm_medium=social&utm_source=twitter Or, how most of us should operate on the Internet. More here: http://www.wired.com/2015/11/isis-opsec-encryption-manuals-reveal-terrorist-group-security-protocols/?mbid=social_twitter
- Hammertoss: Stealthy tactics define Russian Cyber Threat Group: https://www.documentcloud.org/documents/2186063-apt29-hammertoss-stealthy-tactics-define-a.html Good read with solid analysis.
- Silent ear and tongue-tracking tech can control wearables: https://thestack.com/world/2015/11/18/silent-ear-and-tongue-tracking-tech-can-control-wearables/
- Headband detects obstacles and guides the blind haptically: http://www.engadget.com/2015/11/20/headband-detects-obstacles-and-guides-the-blind-haptically/
- MIT researchers develop ingestible sensors to measure vital signs: http://www.engadget.com/2015/11/20/mit-researchers-develop-ingestible-sensor-to-measure-vital-signs/ Cool tech with immediate applications in commercial and gov sectors.
- Quantum entanglement at room temperature achieved: http://news.uchicago.edu/article/2015/11/20/strange-quantum-phenomenon-achieved-room-temperature-semiconductor-wafers Awesome. We're making great strides on this and it could some day solve our key distribution problem for crypto.
- 'Outsiders' Crack 50-Year-Old Math Problem: https://www.quantamagazine.org/20151124-kadison-singer-math-problem/ Here's your head hurter of the day. I won't pretend to understand this, but I will say that this is a great example of how not being stuck in an echo chamber, and making use of outside perspectives, can help solve problems.
- At up to 455 exabytes on a single gram, DNA storage could create mankind's permanent record: http://www.extremetech.com/extreme/218241-at-up-to-455-exabytes-on-a-single-gram-dna-storage-could-create-mankinds-permanent-record?utm_source=twitterfeed&utm_medium=twitter This is particularly cool as it's got ECC built in! :)
- Manhattan DA steps up pressure on Google and Apple to open up encryption to government: http://manhattanda.org/sites/default/files/11%2018%2015%20DANY%20Financial%20Crimes%20and%20Cybersecurity%20Symposium%20Remarks%20As%20Prepared.pdf (archived)
- Track censored content on Facebook, Twitter, Google and other social media: http://betanews.com/2015/11/19/track-censored-content-on-facebook-twitter-google-and-other-social-media/
- Reuters issues a worldwide ban on RAW photos: http://petapixel.com/2015/11/18/reuters-issues-a-worldwide-ban-on-raw-photos/ They're curing the symptom....
- With this hire, the FCC could soon get tougher on privacy and security: https://www.washingtonpost.com/news/the-switch/wp/2015/11/24/with-this-hire-the-fcc-could-soon-get-tougher-on-privacy-and-security/ (archived) Bravo, FCC! I beat up a lot on my fellow government workers, but it's nice to see movement in a positive direction. I wonder how the EFF will respond.
- With US government as top donor, Tor project looks to crowdfunding: http://www.theverge.com/2015/11/24/9793232/tor-project-donate-crowdfund?utm_content=buffer53bc4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer If you don't see this as a huge PR fail, let's talk.
- Drone maker DJI adds technology to limit where its machines can fly: http://bits.blogs.nytimes.com/2015/11/17/drone-maker-dji-adds-technology-to-limit-where-its-machines-can-fly/?_r=0 Did I mention DJI is a Chinese company? I wonder if having a list of all the restricted spaces could ever become a vulnerability. ;)
- SpaceX is about to win its first-ever US military mission: http://gizmodo.com/spacex-is-about-to-win-its-first-ever-u-s-military-mis-1743243741
- China and US create a 'space hotline' to avoid conflicts: http://www.engadget.com/2015/11/22/china-us-space-hotline/ Interesting that we got this before cyber, but ok...
- Preparing for cyberwarfare in space: http://www.nytimes.com/2015/04/28/opinion/preparing-for-warfare-in-cyberspace.html?smid=fb-share&_r=0 Let's get this straight, if you're trying to handle kinetic anti-space, you're ignoring the completely vulnerable ground-control stations. NO THEY ARE NOT AIR-GAPPED no matter what they tell you. My PK for attacking space-based assets is 1.0
- Anti-RE techniques used by malware: https://www.malwinator.com/2015/11/22/anti-disassembly-used-in-malware-a-primer/ This is very introductory but good reading for the uninitiated.
- Getting started with Microsoft IoT: http://ms-iot.github.io/content/en-US/win10/StartCoding.htm
- Raspberry Pi Zero sells out within 24 hours: http://arstechnica.co.uk/gadgets/2015/11/raspberry-pi-zero-sells-out-within-24-hours/ At $5 you're out of excuses for experimenting. (Hat tip: RoboDojo)
- A collection of toy programs to teach buffer overflow vulnerabilities: https://github.com/rcoh/stacksmash Fun!
- PowerShell - Live disk forensics platform: https://github.com/Invoke-IR/PowerForensics (Hat tip: BNE)
- Using Shodan command-line to see which SSH fingerprints are most popular on the Internet: https://asciinema.org/a/27926?utm_content=buffer42c02&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer This is troubling.
- Static Analysis of Malicious Java Applets: http://scholarworks.sjsu.edu/cgi/viewcontent.cgi?article=1390&context=etd_projects
- A beginner's guide to encryption and how to set it up: http://lifehacker.com/a-beginners-guide-to-encryption-what-it-is-and-how-to-1508196946?sidebar_promotions_icons=testingon&utm_expid=66866090-67.e9PWeE2DSnKObFD7vNEoqg.2&utm_referrer=http%3A%2F%2Flifehacker.com%2Fbypass-a-filevault-password-at-startup-by-rebooting-fro-1686770324%3Fsidebar_promotions_icons%3Dtestingon Encrypt all the things!
- On the x86 representation of OOP concepts for reverse engineers: https://www.sans.org/reading-room/whitepapers/malicious/x86-representation-object-oriented-programming-concepts-reverse-engineers-36457 Because C++ name mangling. :-/
- Program a virtual computer in Minecraft to control stuff in the real-world: http://motherboard.vice.com/read/program-a-virtual-computer-in-minecraft-to-control-stuff-in-the-real-world?utm_source=mbtwitter There is no spoon... (Bonus points for quote recognition)
- Rekall memory forensic framework: http://www.darknet.org.uk/2015/11/rekall-memory-forensic-framework/?utm_content=buffer113d6&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
- SSH tunneling with ProxyChains: http://magikh0e.ihtb.org/pubPapers/ssh_gymnastics_tunneling.html (archived) Hey RedTeam, I'm looking at you!
- Windows tool for dumping PE files from memory back to disk for analysis: https://github.com/glmcdona/Process-Dump This is really the only way to look for DLL code injection.
- HTTP response header security scanner: https://github.com/riramar/hsecscan
- Automating Linux memory capture: https://digital-forensics.sans.org/summit-archives/dfir14/Automating_Linux_Memory_Capture_Hal_Pomeranz.pdf
- Plumbing the depths: Shellbags: https://files.sans.org/summit/Digital_Forensics_and_Incident_Response_Summit_2015/PDFs/PlumbingtheDepthsShellBagsEricZimmerman.pdf For all you forensicators. More here: https://digital-forensics.sans.org/summit-archives/dfirprague14/Windows_Shellbags_Forensics_In_Depth_Vincent_Lo.pdf
- Evading defenses with Acidrain, Powershell, Github and Pastebin: https://files.sans.org/summit/hackfest2015/PDFs/Evading-Defenses-with-Acidrain-PowerShell-GitHub-and-PasteBin-Jay-Beale-and-Mike-Poor.pdf This makes me smile.
- Post exploitation without Meterpreter: http://blog.cobaltstrike.com/2015/11/18/flying-a-cylon-raider/ Because there's more than one way to skin a cat.
- Firmware RE analysis: http://firmware.re/ Cool project.
- Federal funding drop sending universities scrambling to pay for research: http://arstechnica.com/science/2015/11/federal-funding-drop-sending-universities-scrambling-to-pay-for-research/ I'm going to bite my tongue on this
- Python is on the Rise...While PHP falls: http://insights.dice.com/2015/11/16/pythons-on-the-rise-while-php-falls/ This is good and bad. It's a lot harder to do dangerous things on Python than it is on PHP - that's good. The bad is that Python, a scripting language, is being used to replace more formal programming languages and that's not ok.
- History and Culture of the 1960s to 1980s is disintegrating with the tapes that recorded it: http://www.smithsonianmag.com/smart-news/culture-and-history-1960s-80s-disintegrating-chemistry-can-save-it-180957267/?no-ist This is a serious problem. As we digitize more and more of our records, how will you ensure they're available in the long run? How many of you have Zip, Jaz or floppy drives still around? How many of you still have data on those types of media or know someone who does?
- Motivation, values and work design as drivers of participation in the R open source project for statistical computing: http://www.pnas.org/content/early/2015/11/04/1506047112 DoD could learn a lot from this. While I've long argued that we should allow military members (to include officers) to dedicate their entire careers to cyber (which includes code development), the reality is that we could take up an "open source" type effort to allow military members to contribute to DoD problem solutions via subsidizing a 20% FTE (for example).
- A cybersecurity generation gap: http://www.darkreading.com/operations/next-on-dark-reading-radio-a-cybersecurity-generation-gap/a/d-id/1323158? This is problematic.
- App lets you see cell towers, Wifi signals and satellites around you: http://gizmodo.com/this-beautiful-app-lets-you-see-the-cell-towers-wifi-s-1744609095 This is fun - in *SO* many fun and evil ways. (Hat tip: Lincoln Trust, Weisstribe)
- WarGames for real: How one 1983 exercise nearly triggered WWIII: http://arstechnica.com/information-technology/2015/11/wargames-for-real-how-one-1983-exercise-nearly-triggered-wwiii/ Joshua?
- Harvard Law School launches "Free the Law" project to digitize US case law, provide free access: http://today.law.harvard.edu/harvard-law-school-launches-free-the-law-project-with-ravel-law-to-digitize-us-case-law-provide-free-access/?utm_source=twitter&utm_medium=social&utm_campaign=hls-twitter-general