Infosec Digest – March 2017

--

@author Randy Gingeleski

@since 03/28/2017

@see infosec digest

--

Maybe the biggest thing to happen this month was the Vault 7 leak. Our friends at /r/netsec are analyzing and commenting on it here. That’s probably the best place to learn about it. BUT as someone with an active DoD clearance I’m staying away from the leak stuff.

Though I did see this tweet from Kim Dotcom, something you should be aware of…

And I’ve seen other tweets suggesting car tampering. That was a big topic at the last DEFCON so I’m not surprised. Rethinking self-driving cars yet? 😆

Anyway. Here’s the latest I’ve seen of “holy-shit-what” ways to compromise servers through a side channel: leaking data out of air-gapped machines with the hard drive light.

pentest.blog released the 3rd post in their “art of anti-detection series” … I just skimmed, but the series seems legit. Start with post #1.

StackOverflow released some 2017 developer hiring trends. What does that mean for us security people? More newly developed targets built with React and Go, cloud security becoming more important as more goes to the cloud. There’s not a lot of WordPress hiring going on though there are a lot of WordPress people to hire.

I re-read an old (2016) article from Phrack Magazine writer Strauss titled “The Fall of Hacker Groups.” It’s short and philosophical and I highly recommend it. You’ll get introspective tech thoughts like an episode of Black Mirror.

There’s an interesting example in the Ruby on Rails security guide of exploiting an “activate your account” route to log into the app as admin. Between 6 and 6.1 if you follow this link. The idea is the related SQL query to get the user might check for (users.activation_code IS NULL) LIMIT 1 … which means if you hit that route without supplying a code you’ll get the first account, usually admin. Example: http://localhost:3006/user/activate&id=

Speaking of Rails security did you see this remote code execution on Airbnb, caused by Rails’ string interpolation?

” … open source components proliferating digital risk at an alarming rate. … A single popular component with a critical vulnerability spread to more than 80,000 other software components, which were in turn then used in the development of potentially millions of software programs.” (source)

“AppSec requires a unique (and uncommon) combination of both information security skills and application development skills, making this shortage even more chronic.” Ego stroke! Colin Domoney’s whole article on building an appsec team is pretty good.

The Chaos Computer Club Congress (say it 1,337 times fast) recently posted a bunch of talks’ videos. One that stood out was Vincent Haupert’s entertaining appsec presentation Shut Up and Take My Money!

Amazon got called out by the No Starch Press founder for selling counterfeit books (not third-party sellers selling on Amazon but Amazon itself). No Starch publishes some great infosec titles.

Farmers are hacking their tractors with cracks from invite-only Ukrainian forums.

Swift on Security brought up what everyone was thinking but didn’t say – what does IBM do?

And here was a last minute thing with potentially yuuuuge implications – Cybellum’s DoubleAgent attack for Windows. You need to read it to believe it.

Happy hacking! 👽