A bunch of things that were noteworthy from 2020 that might have been missed
I’m doing this because I’ve got too many Trello tickets with little interesting tidbits in them, which sound like something worth sharing.
Thanks to littlemaninmyhead, which can be found at https://littlemaninmyhead.wordpress.com/2015/11/22/cautionary-note-uuids-should-generally-not-be-used-for-authentication-tokens/
Summarised as “Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example.”
https://wordlists.assetnote.io/
Assetnote published some wordlists; they’re pretty good, go check them out. They’re meant to be regenerated automatically, but that job appears to have been failing since December last year (https://github.com/assetnote/wordlists/runs/1617218746?check_suite_focus=true)
https://github.com/vxunderground/MalwareSourceCode
I’m unsure when these guys came to play, but they’ve been putting up source code for some fairly high-profile implants. Curiously, they dump anything ‘APT’ too, which might be of interest if you’re looking to make some better tooling.
https://www.jpost.com/breaking-news/gps-glitches-overwhelm-phones-in-tehran-653667
Instances of GPS being ‘glitchy’ are becoming more common.
ZX Security gave a good talk on what would be illegal, and also on what could go wrong, if someone were tampering with RF: https://paper.seebug.org/papers/Security%20Conf/Defcon/2017/DEFCON-25-Karit-ZX-Security-Using-GPS-Spoofing-To-Control-Time.pdf
Chrome changed to treat cookies as SameSite=Lax by default, making CSRF attacks seem a thing of the past. This happened back in February 2020; nothing major seemed to break, so perhaps this is another successful case of removing an entire bug class.
I’m curious to see whether pentesting shops stop reporting CSRF now. However:
So CSRF isn’t dead, but only because people are still using old or stupid (Safari) browsers.
Everyone knows; I’m sure it’s still used in critical places.
Unfortunately, Silverlight is still around until 2021 - https://support.microsoft.com/en-us/windows/silverlight-end-of-support-0a3be3c7-bead-e203-2dfd-74f0a64f1788
Although not from 2020, a talk seems to have gone by mostly unnoticed: an RSA guy fiddles with malware’s outbound comms to command and control, resulting in crashes, weird behaviour, or just pissing off the operators significantly. A lot more work could be done here, although it depends on first identifying and reverse engineering the communications.
https://www.youtube.com/watch?v=Z1-4-amGdaM&feature=youtu.be
Still works.
A reputable team published a writeup; it mostly comes down to communicating with your team rather than fancy tools.
https://www.tracelabs.org/blog/shandy-perspective
The creators of JA3 (https://github.com/salesforce/ja3) made a tool, JARM, that fingerprints servers by hashing how they respond to a set of crafted TLS handshakes (which options they pick, how they handle odd requests). It turns out to be good enough to spot weird things like Cobalt Strike servers in the wild with pretty good (i.e. low false-positive) rates. The hashes are fuzzy, meaning you can kind of tell whether one server is close to another.
A really good writeup is at https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a
Probably worth looking into if you’re a defensive team trying to understand more about a server your clients are communicating with.
Check it out at https://github.com/salesforce/jarm
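To show what “fuzzy” means in practice, here is an added example (not code from the JARM project) that splits a 62-character JARM fingerprint into its ten per-probe cipher/version codes and the 32-character truncated SHA256 of the server extensions, then triages scanned hosts against a watchlist: exact matches, near matches sharing most probe results, and the all-zero fingerprint that means nothing answered. The fingerprints and the watchlist name are constructed for the example; the 8-of-10 “near” threshold is an assumption, not a JARM rule.

```python
import hashlib
from dataclasses import dataclass

JARM_LEN, PROBE_COUNT, PROBE_CHARS = 62, 10, 3  # 10 probes x 3 chars, then 32-char ext hash

@dataclass(frozen=True)
class Jarm:
    probes: tuple   # cipher+version code the server picked per ClientHello; "000" = declined
    ext_hash: str   # truncated SHA256 of the server's cumulative extensions

    @classmethod
    def parse(cls, fp: str) -> "Jarm":
        if len(fp) != JARM_LEN:
            raise ValueError(f"JARM fingerprints are {JARM_LEN} chars, got {len(fp)}")
        body = fp[: PROBE_COUNT * PROBE_CHARS]
        probes = tuple(body[i:i + PROBE_CHARS] for i in range(0, len(body), PROBE_CHARS))
        return cls(probes, fp[PROBE_COUNT * PROBE_CHARS:])

    def responded(self) -> bool:
        """All-zero fingerprint: nothing answered any probe (down, filtered, or not TLS)."""
        return any(p != "000" for p in self.probes)

    def probe_matches(self, other: "Jarm") -> int:
        # Per-probe agreement is what makes JARM fuzzy: same stack, different config, still scores high.
        return sum(a == b for a, b in zip(self.probes, other.probes))

def triage(observed: str, watchlist: dict, near: int = 8) -> str:
    """Classify one scanned host's JARM against named known-bad fingerprints (threshold is an assumption)."""
    obs = Jarm.parse(observed)
    if not obs.responded():
        return "no-tls-response"
    best_name, best_score = None, -1
    for name, fp in watchlist.items():
        known = Jarm.parse(fp)
        if known == obs:
            return f"exact:{name}"
        score = known.probe_matches(obs)
        if score > best_score:
            best_name, best_score = name, score
    return f"review:{best_name}:{best_score}/10" if best_score >= near else "no-match"

def constructed_fp(probes: list, ext_label: str) -> str:
    """CONSTRUCTED sample only: probe codes are made up, ext hash is derived from a label."""
    assert len(probes) == PROBE_COUNT
    return "".join(probes) + hashlib.sha256(ext_label.encode()).hexdigest()[:32]

WATCHLIST = {"constructed-c2-profile": constructed_fp(
    ["07d", "14d", "16d", "21d", "21d", "07c", "42d", "41d", "000", "41d"], "ext-A")}
NEAR_FP = constructed_fp(["07d", "14d", "16d", "21d", "21d", "07c", "42d", "41d", "2ad", "41d"], "ext-B")
UNRELATED_FP = constructed_fp(["2ad", "2ad", "00a", "2ad", "2ad", "2ad", "29d", "2ad", "000", "29d"], "ext-C")
```

Feed it real fingerprints from a JARM scan and a watchlist of confirmed C2 fingerprints, and anything returning `review:` is a candidate for a closer look rather than an alert on its own.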
An Azimuth employee gets approval to publish a blog post based on an internal talk, showing you the calibre of their staff.
(For those who didn’t know, Project Hell was Uber’s way of fucking with their competitor, Lyft - https://techcrunch.com/2017/04/12/hell-o-uber/)
https://threatpost.com/ticketmaster-10-million-fine-hacking-rival/162695/
Turns out you should probably offboard employees properly and revoke their access when they leave; otherwise they’ll be stupid enough to re-use it and tell the executives about that access, in writing.
The short edition is as follows:
The funny highlights out of the case (https://www.justice.gov/usao-edny/press-release/file/1349741/download - page 22, ‘Attachment A - Statement of Facts’):
It’s unclear how they were caught, though, beyond their shitty opsec and the fact that his account was attributed directly to him; it’s also unclear where the other account credentials came from.