Hack Naked News 102 November 29 2016
Hack Naked News Announcements
This week, Wordpress security gets another black mark, free transit rides for all in San Francisco, routers are hacked again, NTP is vulnerable, why buy when you can rent....a botnet that is, backdooring Android, and a popular porn site is the victim of a data breach. all that and more on this edition of Hack Naked News.
Check out our Listener Feedback Survey at https://wwww.securityweekly.com/survey to tell us how we can make your podcasting Experience with us more enjoyable!
ITPro.TV Annoucenment: "Upcoming courses include Cybersecurity Analyst+, CCNA Cyber Ops, ITIL Operational Support and Analysis, and Microsoft System Center. ITProTV is introducing a new membership level on February 1st. All current Premium Members as of February 1st will be granted the highest membership level available, so sign up today! Visit itpro.tv/hacknaked and use code HN30."
Hack Naked News Stories
Hi everyone this is Paul Asadoorian reporting live from G Unit studios in Rhode Island for November 29, 2016. In the news this week:
- Hacking 27% of the Web via WordPress Auto-Update - A vulnerability was reported through HackerOne that allowed a remote attacker to compromise the Wordpress automatic update server. Yep, that's right, there was a remote code execution vulnerability in the Wordpress automatic update server, which if exploited by an attacker, would allow them to compromise 27% of the Wordpress sites on the Internet. That's a lot of web sites. The vulnerability has been fixed, but does not work to improve people's confidence in the security of Wordpress. If the awful handing of plugins for Wordpress isn't enough, this is just one more strike against Wordpress as a platform. The good news is the vulnerability was fixed in hours of being reported and there are no reported that the update servers were in fact compromised.
- CVE-2016-7434 ntpd remote pre-auth Denial of Service - In one line of bash you can craft and send a packet to an NTP server and cause it to crash. Why would you want to do this? It has often been speculated that attackers would take out the NTP server of an organization in an effort to through off logging and mask attacks. A patch has been released and you can configure rules in your NTP server to prevent this attack. This vulnerabillity affects ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and ntp-4.3.0 up to, but not including ntp-4.3.94.
- You, Too, Can Rent the Murai Botnet - Why own when you can rent? Boing Boing reports: Two criminals, Bestbuy and Popopret -- previously implicated in mass-scale corporate espionage -- are spamming the XMPP/Jabber instant messaging protocol with offers to rent out a 400,000-strong botnet of Mirai-infected devices, and the ad promises that their botnet is a significant improvement on the earlier Mirai infections, equipped with IP-address spoofing features that make it harder for the botnet's victims to block the incoming traffic. The backstory on this one goes back many years as several researchers, myself included, have warned the industry that lack of security on IoT devices could have severe impacts and a very negative way. This warning has gone largely ignored by IoT device manufacturers, consumers and the federal Government, allowing attackers to create botnets for their evil biddings. Just how bad does the problem need to get before we do something to fix it? Only time will tell.
- Backdoor Found in Firmware of Some Android Devices - A vulnerability in the firmware of about 2.8 million Android devices is vulnerable to remote code execution due to improper handling of over the air updates. Get this, two of the domains contacted by the firmware for the updates were unregistered, meaning anyone could have registered them and taken full control of these Android devices. The domains have been claimed and retailers such as BestBuy and Amazon who sell these phones have been notified. No word on a fix, though it will likely require a firmware update, over an unencrypted and vulnerable OTA update process. Ugh.
- Hackers Are Trading Thousands Of xHamster Porn Acounts - 380,000 usernames, emails and passwords of users who registered for an account on the porn site XHamster are being traded on the Internet. And now, some hilarious facts: The database includes some 40 email addresses belonging to the US Army, and 30 related to various US, UK, and other countries’ government bodies. Motherboard attempted to contact a number of individuals implicated by the breach, but did not receive a response. An xHamster spokesperson told Motherboard in an email, “The passwords of all xHamster users are properly encrypted, so it is almost impossible to hack them. Thus, all the passwords are safe and the users data secured.” Yet, the passwords are hashed using MD5. One thing is clear, this type of penetration should not be tolerated....
- Office Depot caught claiming out-of-box PCs showed symptoms of malware - OfficeMax included free anti-virus software that reported brand new PCs had viruses, when in fact they did not as discovered by IOActive. However, consumers reported dished out as much as $180 to remove malware that never existed in the first place. Deplorable, I say, deplorable.
- Elegant 0-day unicorn underscores serious concerns about Linux security
- Newly discovered router flaw being hammered by in-the-wild attacks - A vulnerability in the management protocol TR-064, used by ISPs to manage firewalls, has been used to compromise potentially millions of devices. The attack uses the TR-064 management protocol to open the HTTP management port on the router. it also retrieves the Wifi password, which also happens to be the admin login password to the web interface, you know, for convenience. The code then fixes the vulnerability by closing the port used for the exploit, tcp port 7547. This is consistent with vulnerabilities I've researched in the past, including the complete lack of security.
- San Francisco transit ransomware attacker likely used year-old Java exploit
- San Francisco Transit System Hit by Ransomware Attack - The San Francisco Municipal Transportation Agency (MUNI) was the victim of a ransomware attack on Nov. 25 and Nov. 26 with system terminals and fare payment machines throughout the MUNI fare payment network displaying the message "You Hacked, ALL Data Encrypted." In response to the attack, MUNI gates were left open and users were able to ride the transit system for free. There was no direct impact to the actual physical operations of the MUNI, with transit vehicles operating normally, despite the fare terminal attack. The attackers reportedly demanded 100 bitcoins, or $73,000, however there is not confirmation of the ransom being paid or not. A year-old vulnerability in server-side Java (likely JBoss) is reported to be the culprit of the successful ransomeware attack. Despite what some believe, patching is important.