HNNEpisode119

From Paul's Security Weekly

News

Update 4/24/17 - It should be noted that the article on Signal vulnerabilities referenced in this episode (https://threatpost.com/breaking-signal-a-six-month-journey/124888/) has been updated with commentary from Moxie Marlinspike, essentially debunking any claims that there are serious vulnerabilities, or even vulnerabilities that matter, in Signal. It should be further noted that Phil Zimmermann was asked on our show (Video Here) what he thought about Signal, and said it was a completely sound protocol and went into many details. Bottom line: both Moxie and Phil state that the protocols used by Signal and the app are sound, so take that into account in the future. Also, there was an independent security study of the Signal code base (which passed with flying colors).

  1. Russian-Owned LiveJournal Bans Political Talk, Adds Risk of Spying - If you've ever considered using LiveJournal, well, you just shouldn't. Who uses Livejournal anymore? Recently the Russian owned Livejournal has banned “political solicitation”— which can mean anything that criticizes the Russian government, as well as pro-LGBTQ discussions. There are also concerns that users can be subject to Russian spying. Why they would do this to their user-base is puzzling, especially given the number of free blogging and publication sites available on the Internet today.
  2. Unsecured database exposed diabetics sensitive data
  3. Travel Routers, NAS Devices Among Easily Hacked IoT Devices - Security researcher Jan Hoersch discovered a number of vulnerabilities in several different IoT devices, nothing new, including a hardcoded root password that cannot be changed. Hoersch is quoted as saying: “Please let researchers help the dev guys. It’s of the utmost importance that companies do bug bounty programs, even if you don’t give out bounties, just let them have a way to disclose bugs without having to write five emails, it just takes too much time – for some independent researchers it’s not possible.” - I'm not certain that five emails takes too much time; however, the entire disclosure process is non-existent at many IoT companies, which means it may take 5 emails before you even get to someone who will listen, and that's the best case scenario. Clearly we have our work cut out for us to raise awareness in circles outside of our own.
  4. Breaking Signal: A Six-Month Journey - Signal is a popular, so-called "secure" messaging application. The encryption protocol was developed by Open Whisper Systems and is used by millions. It can be found in Signal’s own app and is also used in WhatsApp and Facebook’s Messenger “Secret Conversation” mode, and Google’s Allo encrypted messaging service. Researchers recently uncovered 6 flaws which have been privately disclosed and fixed. The researchers were also quick to point out that the Signal code base has not undergone much public scrutiny, which is often the downfall of many software applications, especially those implementing encryption. Good news is the bugs are fixed, and hopefully we see a bug bounty program in the future for Signal.
  5. Computer Engineer Charged with Theft of Proprietary Computer Code - Zhengquan Zhang of California has been arrested and charged by a US federal court with stealing trade secrets from his employer, a New York financial services firm. A US Department of Justice (DoJ) release says that between March 2016 and March 2017, Zhang stole over three million files of confidential data and computer code including the company’s source code for algorithmic trading models and trading platforms - Proof that insider threat is real, and while not the most frequently occurring security event, very damaging when it does happen.
  6. Hackers Set Off 156 Dallas Tornado Sirens Over A Dozen Times - Late Friday night and early Saturday morning, hackers set off 156 emergency sirens in and around the city of Dallas, Texas. The system was shut down entirely after confirming there was no actual emergency. We don't know who, and we don't know how, but city officials have confirmed that the system was in fact compromised.
  7. CIA's Alleged Hacking Tools Now Linked to 40 Hacks Around the World - Symantec reports "Spying tools and operational protocols detailed in the recent Vault 7 leak have been used in cyberattacks against at least 40 targets in 16 different countries by a group called Longhorn" - Longhorn has been active since at least 2011, and has infiltrated targets in the government, financial, telecoms, energy, aerospace, education, and natural resources sectors. Typically, these were all in the Middle East, Europe, Asia and Africa, although one computer was briefly infected in the United States.
  8. DNS record will help prevent unauthorized SSL certificates - While not a silver bullet, a CAA (Certification Authority Authorization) record in your DNS could help limit unauthorized certificate issuance. The domain owner can specify the CAs allowed to issue the SSL/TLS certificate for that domain. The standard has been around since 2013. In March, the CA/B Forum voted to make CAA record checking mandatory as part of the certificate issuing process.
  9. Attackers using a Word zero-day to spread malware - Malware in the wild, including a banking trojan dubbed Dridex, has been found exploiting a 0day vulnerability in Microsoft Word. The vulnerability affects all current Office versions used on every Windows operating system, including the latest Office 2016 on Windows 10. The attack works by first downloading a Word document that prompts you to download an additional Word document. The subsequent Word document is a compiled HTML file containing the malicious code and does not prompt the user to enable macros, as they are not necessary for a successful attack. Microsoft has not released a patch as yet; in the meantime, not opening Word attachments is probably the best defense. However, your users will still open Word attachments, and using a Word viewer program that is not vulnerable is a good line of defense. I'm curious as to how this attack works on Office 365, as it is similar to Google Docs in that it runs in the cloud...
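The CAA check described in item 8, as an added example that is not part of the show notes: a small Python implementation of the RFC 8659 lookup (climb from the requested name toward the root, use the first CAA RRset found) and the issue/issuewild evaluation a CA performs before issuing. The zone data, domain names and CA names are constructed sample values, and CNAME/alias following from the RFC is omitted.

```python
# CAA authorization check per RFC 8659 tree-climbing semantics, run against
# constructed in-memory zone data rather than live DNS. Added example code,
# not from the show notes or any CA's implementation.
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) = "issuer critical"
    tag: str     # "issue", "issuewild", "iodef", or a future tag
    value: str   # e.g. "letsencrypt.org; validationmethods=dns-01"

# Constructed sample zone: only these names carry CAA RRsets.
ZONE = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [CAA(0, "issue", ";")],          # nobody may issue
    "wild.example.com": [CAA(0, "issue", "letsencrypt.org"),
                         CAA(0, "issuewild", "digicert.com")],
    "odd.example.com": [CAA(128, "futuretag", "x")],       # critical, unknown
}

def relevant_rrset(fqdn):
    """Climb from fqdn toward the root; the closest name with CAA records wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in ZONE:
            return ZONE[name]
    return []   # no CAA anywhere in the ancestry: issuance is unrestricted

def issuer_domain(value):
    # Property value is "issuer-domain-name [; parameters]"; keep the name part.
    return value.split(";", 1)[0].strip().lower()

def caa_permits(fqdn, ca_domain, wildcard=False):
    """True if ca_domain may issue for fqdn (or for *.fqdn when wildcard=True)."""
    rrset = relevant_rrset(fqdn)
    known = {"issue", "issuewild", "iodef"}
    # An unrecognised property flagged critical forbids issuance outright.
    if any(r.flags & 128 and r.tag not in known for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"           # issuewild overrides issue for wildcards
    restrictions = [r for r in rrset if r.tag == tag]
    if not restrictions:
        return True                 # no issue/issuewild property: not restricted
    # "issue ;" has an empty issuer name and so matches no CA.
    return any(issuer_domain(r.value) == ca_domain.lower() for r in restrictions)
```

Note that the climb stops at the first name that has any CAA records at all, so a subdomain's own RRset fully replaces its parent's rather than adding to it.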

Expert Commentary: Don Pezet, ITPro.TV

Don Pezet