{"id":9998,"date":"2017-10-19T15:40:02","date_gmt":"2017-10-19T23:40:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/19\/news-3771\/"},"modified":"2017-10-19T15:40:02","modified_gmt":"2017-10-19T23:40:02","slug":"news-3771","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/10\/19\/news-3771\/","title":{"rendered":"Security Research News in Brief &#8211; August 2017 Edition"},"content":{"rendered":"<p><strong>Credit to Author: Axelle Apvrille| Date: Thu, 19 Oct 2017 16:50:59 +0000<\/strong><\/p>\n<div class=\"entry\">\n<p cid=\"n2\" mdtype=\"paragraph\">Welcome back to our monthly review of some of the most interesting security research publications.<\/p>\n<p cid=\"n4\" mdtype=\"paragraph\">Past editions:<\/p>\n<ul cid=\"n6\" data-mark=\"-\" mdtype=\"list\">\n<li cid=\"n7\" mdtype=\"list_item\">\n<p cid=\"n8\" mdtype=\"paragraph\"><a href=\"http:\/\/blog.fortinet.com\/2017\/09\/07\/security-research-news-in-brief-july-2017-edition\" spellcheck=\"false\">July 2017<\/a><\/p>\n<\/li>\n<li cid=\"n10\" mdtype=\"list_item\">\n<p cid=\"n11\" mdtype=\"paragraph\"><a href=\"https:\/\/blog.fortinet.com\/2017\/07\/04\/sstic-2017-in-a-nutshell\" spellcheck=\"false\">June 2017<\/a><\/p>\n<\/li>\n<li cid=\"n13\" mdtype=\"list_item\">\n<p cid=\"n14\" mdtype=\"paragraph\"><a href=\"https:\/\/blog.fortinet.com\/2017\/06\/22\/security-research-news-in-brief-may-2017-edition\" spellcheck=\"false\">May 2017<\/a><\/p>\n<\/li>\n<li cid=\"n16\" mdtype=\"list_item\">\n<p cid=\"n17\" mdtype=\"paragraph\"><a href=\"http:\/\/blog.fortinet.com\/2017\/05\/10\/security-research-news-in-brief-april-2017-edition\" spellcheck=\"false\">April 2017<\/a><\/p>\n<\/li>\n<li cid=\"n19\" mdtype=\"list_item\">\n<p cid=\"n20\" mdtype=\"paragraph\"><a href=\"http:\/\/blog.fortinet.com\/2017\/03\/24\/security-research-news-in-brief-march-2017-edition\" spellcheck=\"false\">March 2017<\/a><\/p>\n<\/li>\n<\/ul>\n<h2 cid=\"n22\" 
mdtype=\"heading\">Antonakakis et al. Understanding the Mirai botnet, USENIX Security [<a href=\"https:\/\/www.usenix.org\/system\/files\/conference\/usenixsecurity17\/sec17-antonakakis.pdf\" spellcheck=\"false\">paper<\/a>]<\/h2>\n<p cid=\"n23\" mdtype=\"paragraph\">Basically, this paper explains everything you need to know about the <strong>evolution of the <a href=\"http:\/\/blog.fortinet.com\/2016\/10\/31\/iot-based-linux-mirai-frequently-asked-questions\" spellcheck=\"false\">Mirai<\/a> botnet<\/strong>: the various attack campaigns (nothing new, but well explained), geographical spread, infected devices, bandwidth, etc.<\/p>\n<blockquote cid=\"n25\" mdtype=\"blockquote\">\n<p cid=\"n26\" mdtype=\"paragraph\">Actually, many findings in this paper are not <em>&quot;new.&quot;<\/em> Indeed, we already published lots of content on Mirai months ago (see below). The value I see in this paper personally is (1) it summarizes the situation quite well and clearly, (2) the study of the botnet&#39;s size and bandwidth is very detailed, and (3) the authors explain the tools they used, such as a network telescope, honeypots, DDoS, and DNS logs. To fingerprint infected devices, we use a different technique &#8211; <a href=\"http:\/\/blog.fortinet.com\/2017\/03\/06\/fortiguard-labs-telemetry-roundup-and-comparison-of-2015-and-2016-iot-threats\" spellcheck=\"false\">from our FortiGuard Labs Telemetry<\/a> &#8211; but fortunately our results concur \ud83d\ude09<\/p>\n<\/blockquote>\n<p cid=\"n29\" mdtype=\"paragraph\">The paper highlights some interesting points:<\/p>\n<ul cid=\"n31\" data-mark=\"-\" mdtype=\"list\">\n<li cid=\"n32\" mdtype=\"list_item\">\n<p cid=\"n33\" mdtype=\"paragraph\">Mirai infected <strong>600,000 devices<\/strong> at its peak.<\/p>\n<\/li>\n<li cid=\"n35\" mdtype=\"list_item\">\n<p cid=\"n36\" mdtype=\"paragraph\"><strong>Compared to other worms like CodeRed, the initial spread was not very high<\/strong>. 
Side note: as with diseases, it is not necessarily the most contagious infections that spread the most.<\/p>\n<\/li>\n<li cid=\"n38\" mdtype=\"list_item\">\n<p cid=\"n39\" mdtype=\"paragraph\">The infection started in Brazil, Colombia, and Vietnam, whereas CodeRed initially targeted the US.<\/p>\n<\/li>\n<\/ul>\n<h3 cid=\"n41\" mdtype=\"heading\">Our Mirai-related blog posts:<\/h3>\n<ul cid=\"n42\" data-mark=\"-\" mdtype=\"list\">\n<li cid=\"n43\" mdtype=\"list_item\">\n<p cid=\"n44\" mdtype=\"paragraph\"><a href=\"http:\/\/blog.fortinet.com\/2017\/03\/06\/fortiguard-labs-telemetry-roundup-and-comparison-of-2015-and-2016-iot-threats\" spellcheck=\"false\">FortiGuard Labs Telemetry &#8211; Roundup and Comparison of 2015 and 2016 IoT Threats<\/a>, Mar 6, 2017<\/p>\n<\/li>\n<li cid=\"n46\" mdtype=\"list_item\">\n<p cid=\"n47\" mdtype=\"paragraph\"><a href=\"http:\/\/blog.fortinet.com\/2016\/12\/08\/disassembling-linux-mirai-b-worm\" spellcheck=\"false\">Research: Disassembling Linux\/Mirai.B!worm<\/a>, Dec 8, 2016<\/p>\n<\/li>\n<li cid=\"n49\" mdtype=\"list_item\">\n<p cid=\"n50\" mdtype=\"paragraph\"><a href=\"http:\/\/blog.fortinet.com\/2016\/10\/31\/iot-based-linux-mirai-frequently-asked-questions\" spellcheck=\"false\">IoT-based Linux\/Mirai: Frequently Asked Questions<\/a>, Oct 31, 2016<\/p>\n<\/li>\n<li cid=\"n52\" mdtype=\"list_item\">\n<p cid=\"n53\" mdtype=\"paragraph\"><a href=\"http:\/\/blog.fortinet.com\/2016\/10\/24\/iot-malware-are-coming-will-you-listen-to-me-now\" spellcheck=\"false\">IoT malware are coming. Will you listen to me now?<\/a>, Oct 24, 2016<\/p>\n<\/li>\n<li cid=\"n55\" mdtype=\"list_item\">\n<p cid=\"n56\" mdtype=\"paragraph\"><a href=\"http:\/\/blog.fortinet.com\/2016\/10\/24\/mirai-botnet-protect-your-infrastructure-with-fortiddos\" spellcheck=\"false\">Mirai Botnet: Protect Your Infrastructure with FortiDDoS<\/a>, Oct 24, 2016<\/p>\n<\/li>\n<\/ul>\n<h2 cid=\"n58\" mdtype=\"heading\">P. Hulin et al. 
AutoCTF: Creating Diverse Pwnables via Automated Bug Injection, WOOT [<a href=\"https:\/\/www.usenix.org\/system\/files\/conference\/woot17\/woot17-paper-hulin.pdf\" spellcheck=\"false\">paper<\/a>]<\/h2>\n<p cid=\"n59\" mdtype=\"paragraph\">In this paper, the authors present an <strong>automated system to create challenges for a Capture The Flag<\/strong> session. The motivation is that creating CTF competitions is very time-consuming because each challenge has to be individually designed, researched, implemented, and tested.<\/p>\n<p cid=\"n61\" mdtype=\"paragraph\">The authors use a <strong>bug injection system<\/strong> called LAVA to insert vulnerabilities into code, such as integer overflows, stack pointer corruption, etc. To create a CTF challenge, LAVA is given a C source program, and various challenges can then be generated automatically from that source.<\/p>\n<h3 cid=\"n63\" mdtype=\"heading\">Why I think this is more suitable to lab sessions than CTFs<\/h3>\n<p cid=\"n64\" mdtype=\"paragraph\">The idea is <em>interesting<\/em>, but <strong>I don&#39;t think this is good for CTFs<\/strong>. Several reasons for that, IMHO:<\/p>\n<ul cid=\"n66\" data-mark=\"-\" mdtype=\"list\">\n<li cid=\"n67\" mdtype=\"list_item\">\n<p cid=\"n68\" mdtype=\"paragraph\"><strong>Generated challenges are repetitive<\/strong>. They said they tested this over the course of a week, and had conflicting responses as to whether this repetition was annoying or not. However, they also stated that their participants were not very used to CTFs. As a regular CTF player, I can definitely answer this: for me, this is a strong issue. You may have 2 or 3 similar challenges, but an entire CTF? No way. 
This would be <strong>boring<\/strong>.<\/p>\n<\/li>\n<li cid=\"n70\" mdtype=\"list_item\">\n<p cid=\"n71\" mdtype=\"paragraph\">This is limited to challenges where the <strong>source code is available in C<\/strong>.<\/p>\n<\/li>\n<li cid=\"n73\" mdtype=\"list_item\">\n<p cid=\"n74\" mdtype=\"paragraph\">This is also inherently limited to challenges where the participants need to <strong>exploit vulnerabilities<\/strong>. There are many other types of challenges that need to be included and that this tool cannot help with, such as steganography.<\/p>\n<\/li>\n<\/ul>\n<blockquote cid=\"n76\" mdtype=\"blockquote\">\n<p cid=\"n77\" mdtype=\"paragraph\"><strong>I would rather apply this idea to the creation of exercises in workshops \/ lab sessions<\/strong>. In fact, I believe it would be quite valuable in that case.<\/p>\n<\/blockquote>\n<h3 cid=\"n79\" mdtype=\"heading\"><a href=\"https:\/\/ph0wn.org\" spellcheck=\"false\">Ph0wn<\/a><\/h3>\n<p cid=\"n80\" mdtype=\"paragraph\" style=\"text-align: center;\"><img decoding=\"async\" alt=\"Ph0wn logo\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/logo-ph0wn.png\" style=\"width: 200px; height: 84px;\" \/><\/p>\n<p cid=\"n82\" mdtype=\"paragraph\" style=\"text-align: center;\"><em>Smart devices CTF sponsored by Fortinet<\/em><\/p>\n<p cid=\"n84\" mdtype=\"paragraph\">This is excellent timing to let you know that <strong>we are organizing a smart-devices CTF<\/strong>, <a href=\"https:\/\/ph0wn.org\" spellcheck=\"false\">Ph0wn<\/a>, on <strong>Nov 29, 2017 on the French Riviera<\/strong>. As an organizer, I will certainly admit that preparing a CTF is time-consuming \ud83d\ude41 but we also <em>learn<\/em> a lot doing so. And if you are wondering, <strong>none of our challenges will be automatically generated<\/strong>. 
\ud83d\ude09 Even if we had wanted to, I am not sure LAVA\/AutoCTF would have easily adapted to the context of IoT, etc.<\/p>\n<blockquote cid=\"n86\" mdtype=\"blockquote\">\n<p cid=\"n87\" mdtype=\"paragraph\">You are all <strong>welcome<\/strong> to attend! Come and challenge yourselves on a variety of smart devices.<\/p>\n<\/blockquote>\n<h2 cid=\"n89\" mdtype=\"heading\">S. Kleber et al. Automated PCB reverse engineering, WOOT [<a href=\"https:\/\/www.usenix.org\/system\/files\/conference\/woot17\/woot17-paper-kleber.pdf\" spellcheck=\"false\">paper<\/a>]<\/h2>\n<p cid=\"n90\" mdtype=\"paragraph\" style=\"text-align: center;\"><img decoding=\"async\" alt=\"PCB picture\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/pcb.png\" style=\"width: 300px; height: 300px;\" \/><\/p>\n<p cid=\"n92\" mdtype=\"paragraph\">The goal of PCB (Printed Circuit Board) reverse engineering is to understand a board&#39;s hardware implementation without any insider information. 
It typically involves <a href=\"https:\/\/www.defcon.org\/images\/defcon-22\/dc-22-presentations\/Grand\/DEFCON-22-Joe-Grand-Deconstructing-the-Circuit-Board-Sandwich.pdf\" spellcheck=\"false\">expensive tools such as microscopes, lasers, or other specific equipment such as sand blasting machines or chemicals<\/a>.<\/p>\n<p cid=\"n94\" mdtype=\"paragraph\">This paper proposes a cheaper and simpler solution, which works <strong>from high-resolution pictures taken by a camera<\/strong> of good quality that is still affordable. The authors implemented a prototype that works on those pictures. For instance, it recognizes characters printed on the PCB to identify the model of a given chip or other information. The pictures are also analyzed to follow the traces between components. Finally, a <strong>web search is automatically conducted to find documentation<\/strong> for the detected components. Even better, <strong>the documentation is automatically parsed to find specific points of interest<\/strong>, such as a pin-to-signal table.<\/p>\n<blockquote cid=\"n97\" mdtype=\"blockquote\">\n<p cid=\"n98\" mdtype=\"paragraph\">Sadly, the implementation is <strong>not currently publicly available<\/strong>. 
The only issue I see with this method is that, to my understanding, <strong>it is not able to extract information from multiple layers of a PCB, only from the top and bottom layers<\/strong>, as the other layers are not visible to the camera&#8230;<\/p>\n<\/blockquote>\n<h2 cid=\"n103\" mdtype=\"heading\">More papers<\/h2>\n<ul cid=\"n104\" data-mark=\"-\" mdtype=\"list\">\n<li cid=\"n105\" mdtype=\"list_item\">\n<p cid=\"n106\" mdtype=\"paragraph\"><a href=\"https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\" spellcheck=\"false\">USENIX Security papers<\/a><\/p>\n<\/li>\n<li cid=\"n108\" mdtype=\"list_item\">\n<p cid=\"n109\" mdtype=\"paragraph\"><a href=\"https:\/\/www.usenix.org\/conference\/woot17\/workshop-program\" spellcheck=\"false\">WOOT<\/a> workshop<\/p>\n<\/li>\n<\/ul>\n<p cid=\"n111\" mdtype=\"paragraph\"><em>&#8212; the Crypto Girl<\/em><\/p>\n<\/div>\n<p><a href=\"https:\/\/blog.fortinet.com\/2017\/10\/19\/security-research-news-in-brief-august-2017-edition\" target=\"bwo\" >https:\/\/blog.fortinet.com\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" alt=\"Ph0wn logo\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/logo-ph0wn.png\"\/><\/p>\n<p><strong>Credit to Author: Axelle Apvrille| Date: Thu, 19 Oct 2017 16:50:59 +0000<\/strong><\/p>\n<p>Welcome back to our monthly review of some of the most interesting security research 
publications.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-9998","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9998","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9998"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9998\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9998"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9998"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}