22. Life's a Breach
Coming up this week on Breaking Badness. Today we discuss: This New Bug Isn’t the Apple of my iMessage, Well That Escalated Quickly, and Grasshoppers and Security Personnel Descend Upon Vegas.
Here are a few highlights from each article we discussed:
- There were four vulnerabilities ranging in severity. Some included remote code execution, while others were less critical.
- All four of these have patches available from Apple in iOS 12.4.
- There’s still one bug that was supposedly patched by Apple (CVE-2019-8641); however, Silvanovich has not released the PoC for it because she said the patch from Apple didn’t fully remediate the issue. It affects the iPhone 5s and later, along with all iPads since the Air and all iPods since generation six and involves an out-of-bounds read, which allows remote attackers to cause unexpected application termination or arbitrary code execution.
- At least one of these vulnerabilities only affects devices with iMessage and iOS12, for the other 3 it’s unclear what version of iOS are affected. Any device that can run iMessage (iPhone, iPad) could be affected by these vulnerabilities.
- A lot of companies are moving to BYOD models, which has its own share of issues to resolve. Some companies may choose to use Mobile Device Management (MDM) software to ensure that their employees’ phones are on an approved operating system and only have approved applications. This includes wifi allowlisting so that random devices can’t just connect to the allowlist.
- Some corporations also have Work Profiles which allows the user’s data to be split into a separate “container” of sorts from work material, keeping it encrypted and relatively safe. When the user leaves the company, that work profile can be deleted without affecting the user’s personal data.
- As with any similar vulnerability, there is the possibility for some serious consequences if users don’t patch their stuff. Since these vulnerabilities can allow an attacker to read data from the device without the user knowing, they can be used for espionage or crime, or even from a creepy perspective by a stalker type if they’re technical enough. From a corporate perspective, this of course can be a nightmare from an espionage perspective, as most people have their entire lives and business on their phones. But the good news is that by updating to 12.4, you’ll patch these vulnerabilities and won’t have to worry anymore.
- I think a more severe implication here is that people tend to think “oh I have an iPhone, I’m secure by default.” This is not true, in much the same way it’s not true to say “I have a Mac, I can’t get malware on my machine.” Certainly the share of malware for PC and android may be higher, but that’s because the market share of PCs and Androids is higher worldwide. If iPhone users neglect to patch their devices or have other secure practices, they may be leaving themselves vulnerable to attacks.
- The alleged guilty party is Paige Thompson also known as Erratic, who exploited a configuration issue. From the affidavit it claims they assumed a WAF role on AWS that gave access to an S3 bucket that had sync permissions on a trove of credit card applications—social security numbers and lots of other PII.
- On Erratic’s Twitter there were some tweets that mentioned more details like pivoting through an EC2 instance and some more complicated living off the land type work to get to the WAF role, but unfortunately, yeah, those tweets were taken down before I could dig further and piece together the entire picture.
- From what I can tell, though it’s one of the many and increasingly common cloud misconfigurations. Security researchers—and bad actors—love to scan for these misconfigurations right now. Open S3 buckets are treasure troves of data for the curious and malicious. They’re really easy to fix as well. Some companies are making it their bread and butter to scan for and remediate these they are so common.
- This is one of the largest breaches since Equifax. 100 million credit card applications. Over 150,000 social security numbers and just under 80,000 bank account numbers. Right now though, life’s a breach—leaks are happening left and right. It’s certainly bad, but chances are pretty high your social security number is already floating around on Yuri’s server in Kyev you know. If it’s not Capital One it’s Target or someone else that didn’t even make the news public. We only hear about the ones that get caught too. Welcome to a world of breach fatigue.
- On top of Capital One, other companies may have been attacked as well. It looks like Vodafone, Ohio DoT and Ford Motor Company may be on the list of those erratic stole data from.
- All of this was announced to Capital One by someone who saw a directory listing on a public GitHub gist and sent them an email. Unlike other breaches, erratic posted about all of this in a public Slack workspace as well as on Twitter and Github, not covering their tracks at all and actually bragging about it on social media. Because of the public posts this took less than a month before a ZeroCool-esque raid on their Seattle home took them into custody—seriously though the publicly released video of the arrest looked just like the scene from Hackers: SWAT, assault rifles, the lot.
- Usually we wait years to see a legal case come together. It’s still unclear what erratic’s motivations were—if this was research or pure maliciousness. It’s odd. No evidence that they wanted to sell this information on the black market or profit from it. Just to watch the world burn I guess.
- In terms of lessons or takeaways from this breach, you need to be monitoring your configurations—particularly in the cloud. It’s so easy to leave an S3 bucket open or an exposed machine from a misconfigured security group. It’s that one foothold then into the rest of your infrastructure. AWS specifically has some compliance as code tools that aws labs puts out. Basically monitor your configurations as carefully as you monitor cost in the cloud. Use compliance as code to make sure everything conforms and alerts if it doesn’t.
- My first DEFCON was 8 at the Alexis Park Hotel. 2000 I think that was. I was 13 and my dad dropped me off in the minivan. It was as embarrassing as it sounds. Had a great time though, learned a lot. Got on the Wall of Sheep. Kind of set the stage for a lifetime of insecurity shenanigans.
- The main thing is to be an active participant. I’ve spent too many conferences wandering between lines for talks —such a waste of my time. Most all of the tools and techniques you’ll see have already been released online months before the conference circuit so you really aren’t going to get anything new without talking to other people. You have the entirety of the year to be antisocial behind your keyboard so spend the time wisely engaging with other people. I honestly avoid most talks now unless they’re unique and new, a SkyTalk or something from the BlackHat Arsenals. That’s the most bang for your buck in my opinion. Plus all the recorded talks will be online a few months afterward. Anything amazing that you missed can be watched later.
- According to Emily, here are a few that they are looking forward to:
- Bsides: China as the New Russia from Anne An, talking about the transition of Chinese non-state actor groups (crime rings) from small local networks to larger organized crime syndicates.
- BlackHat: Arsenal tools and shit, show and tell
- Defcon: Skytalks look cool, hacking ICS workshop, Tracelabs missing persons CTF
- Drink lots of water and there are amazing 24-hour tacos at Pepes Tacos. It’s worth expensing the 4am Uber ride and explaining it to your finance department later. They’re that good.
- Don’t over exert yourself! There’s a lot to do and a lot of people to network with, but don’t push yourself beyond your personal comfort levels and get exhausted by Wednesday. Pace yourself!
This Week’s Hoodie/Goodie Scale
This New Bug Isn’t the Apple of my iMessage
[Emily]: 7/10 Hoodies
[Chad]: 7/10 Hoodies
Well That Escalated Quickly
[Emily]: 5/10 Hoodies
[Chad]: 4/10 Hoodies
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included in our blog. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!