Hack Naked News 105, January 3, 2017
Hack Naked News Announcements
This week: 0day vulnerabilities in storage devices, hacking all the things, on the Internet or not, VMware sucks at key management, the importance of security on airplanes, and a bug in a PHP application. All that and more on this edition of Hack Naked News.
ITPro.TV Announcement: "Upcoming courses include Cybersecurity Analyst+, CCNA Cyber Ops, ITIL Operational Support and Analysis, and Microsoft System Center. ITProTV is introducing a new membership level on February 1st. All current Premium Members as of February 1st will be granted the highest membership level available, so sign up today! Visit itpro.tv/hacknaked and use code HN30."
Hack Naked News Stories
- QNAP Storage Devices Heap Overflow in 'cgi.cgi' Lets Remote Users Execute Arbitrary Code - A 0day vulnerability, and an associated exploit, was disclosed for QNAP storage devices recently. Knowledge of a valid username is required, but knowledge of the password is not. Successful exploitation gives the attacker a root shell on affected devices. No word from the vendor on a patch just yet, so it is probably not a good idea to expose the admin interfaces of these devices to the Internet. I also recommend, if the device allows it, that users change the default usernames in addition to the default passwords on IoT devices.
- VMSA-2016-0024 - Proof that it's easy to screw up authentication and encryption: VMware has patched VDP (vSphere Data Protection) so that the private SSH key is changed upon deployment. Apparently VMware shipped the same key, with the same passphrase, on every deployed appliance, affecting all current versions of VDP. An attacker with a copy of this key can unlock administrative access to any VDP instance with root privileges. It's amazing how flaws such as this still slip through the cracks...
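The VDP flaw is a single SSH key shared across every appliance. The practical check for that class of problem is to fingerprint the public keys that grant login on each host in a fleet and flag any key that appears on more than one host. The script below is an added example, not VMware's code or anything from the advisory; the fleet inventory and the key blobs are constructed for illustration (they are not real keys), and the SHA256 fingerprint format matches what `ssh-keygen -lf` prints.

```python
import base64
import hashlib
from collections import defaultdict


def fake_key(label: str) -> str:
    """Constructed stand-in for an authorized_keys line. The base64 blob is
    just the label, not real key material; it only needs to be stable so
    that the same 'key' shows up on several hosts."""
    blob = base64.b64encode(label.encode()).decode()
    return f"ssh-ed25519 {blob} root@appliance"


# Constructed inventory: authorized_keys contents pulled from four appliances.
# Three of them carry the same vendor-baked key, which is the VDP pattern.
FLEET = {
    "vdp-01": [fake_key("shared-vendor-key"), fake_key("site-admin-key")],
    "vdp-02": [fake_key("shared-vendor-key")],
    "vdp-03": [fake_key("shared-vendor-key"), "# comment line", ""],
    "backup-04": [fake_key("unique-key-04")],
}


def fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line:
    base64(sha256(key blob)) with the '=' padding stripped, prefixed 'SHA256:'.
    Leading options (command=..., from=...) are skipped by scanning for the
    key-type token; options whose values contain whitespace are not handled."""
    parts = line.split()
    for i, tok in enumerate(parts):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(parts[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"no key found in line: {line!r}")


def find_shared_keys(fleet: dict, threshold: int = 2) -> dict:
    """Map fingerprint -> sorted list of hosts for every key that grants
    access on at least `threshold` hosts. A vendor key baked into an image
    shows up here as one fingerprint spread across the whole fleet."""
    hosts_by_fp = defaultdict(set)
    for host, lines in fleet.items():
        for line in lines:
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            hosts_by_fp[fingerprint(stripped)].add(host)
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) >= threshold}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(FLEET).items():
        print(f"{fp} is trusted on {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against real data, `FLEET` would be filled from `/root/.ssh/authorized_keys` (and any other user's) collected over your management channel; the same function works on `ssh_host_*_key.pub` files to catch the related mistake of cloned host keys. The fix VMware shipped, regenerating the key at deployment time, is what removes the finding; rotating the key once does not help if the image still contains the old one.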
- PHPMailer could put your website at risk: here's what you need to know - A pretty awesome vulnerability was disclosed in PHPMailer this week. It's a two-stage attack: first an email is sent with some special options and some PHP code in the body; once that email gets processed, the attacker must trigger the resulting log file to be read, and from there the code is executed, providing a remote shell. I love these two-stage attacks. They are historically difficult to test for, but modern application scanners are catching on, as are security researchers. It's important to have a quality QA team and a penetration test by a human to pick up flaws such as these, but not everyone follows this process.
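The first stage works because a sender address ends up on a sendmail command line, so an address carrying extra whitespace-separated tokens becomes extra options. The snippet below is an added example written in Python rather than PHP, not PHPMailer's code or its patch: it models the flawed pattern (string concatenation that the shell re-tokenises) next to the hardened one (strict validation plus an argv list with no shell). The sample addresses are constructed, and `--evil-option` is a placeholder token, not a real sendmail flag.

```python
import re
import shlex

SENDMAIL = "/usr/sbin/sendmail"

# Constructed inputs. The second one has the shape that matters: a valid-looking
# address followed by whitespace and a further token.
SAFE_SENDER = "alice@example.com"
CRAFTED_SENDER = "alice@example.com --evil-option=/var/www/html/out.php"

# Deliberately strict: no whitespace, quotes, or shell metacharacters. This
# rejects some RFC-legal but exotic addresses (quoted local parts with spaces),
# which is the right trade-off for a value that reaches a command line.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def vulnerable_command(sender: str) -> list:
    """The flawed pattern: build one string and hand it to a shell. shlex.split
    stands in for the shell's tokenisation, so a crafted sender grows argv."""
    return shlex.split(f"{SENDMAIL} -t -i -f{sender}")


def smuggles_arguments(sender: str) -> bool:
    """Detection helper for logs or input review: does this sender value
    tokenise into more than one argument, or start as an option itself?"""
    try:
        tokens = shlex.split(sender)
    except ValueError:          # unbalanced quotes: treat as hostile
        return True
    return len(tokens) != 1 or sender.startswith("-")


def safe_command(sender: str) -> list:
    """Hardened form: validate, then pass argv as a list so nothing is
    re-parsed by a shell. With subprocess.run(safe_command(s)) the sender can
    only ever be the single '-f' argument."""
    if not ADDR_RE.fullmatch(sender):
        raise ValueError(f"refusing sender {sender!r}")
    return [SENDMAIL, "-t", "-i", "-f" + sender]


if __name__ == "__main__":
    print("vulnerable argv:", vulnerable_command(CRAFTED_SENDER))
    print("smuggles arguments:", smuggles_arguments(CRAFTED_SENDER))
    print("safe argv:", safe_command(SAFE_SENDER))
```

The second stage, getting the written file interpreted as PHP, is a property of where the web server will execute code from; the argv-list fix removes the first stage regardless, which is why it is the part to check in your own mail-sending wrappers.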
- Programmer finds way to liberate ransomware'd Google Smart TVs - This story shows you how to un-ransomware your Google TV. This has been my fear for some time: that attackers will figure out ways to monetize security vulnerabilities in IoT devices, and ransomware on your TV is a good way, except this one is pretty easy to undo on your own. However, I believe this will be a continuing trend and hopefully raise awareness among consumers, who will then by nature put pressure on IoT device manufacturers to apply some security. Once attackers start interfering with the device's function, all bets are off on people not caring about IoT security.
- New Android-infecting malware brew hijacks devices. Why - Many of the articles offering advice on IoT devices will tell you to not enable remote administration and never expose your device to the Internet. However, this is poor security; obscuring the vulnerabilities will not protect you, especially when attackers can succeed with attacks that go like this: "Switcher brute-forces access to the network's router and then changes its DNS settings to redirect traffic from devices connected to the network to a rogue DNS server," security researchers at Kaspersky Lab report. All bets are off; attackers are going to find weaknesses in your IoT devices and exploit them for profit. This is yet another attack vector that represents my worst fears coming true about IoT security.
- Surging Bitcoin breaks through $1,000 - Thinking of investing in Bitcoin? Okay, most of us probably have not, but you are too late: "The value of Bitcoin surged above $1,000 on Monday as the digital unit continues a dizzying rise that made it the best-performing currency of 2016. Its value has more than doubled in the last year and it was trading at around $1,024 in afternoon European trading on Monday, after breaking through the $1,000 mark on Sunday."
- White House fails to make case that Russian hackers tampered with election - It turns out attribution is hard, despite what the media wants you to believe. Ars Technica reports: "While security companies in the private sector have said for months the hacking campaign was the work of people working for the Russian government, anonymous people tied to the leaks have claimed they are lone wolves. Many independent security experts said there was little way to know the true origins of the attacks. Sadly, the JAR, as the Joint Analysis Report is called, does little to end the debate. Instead of providing smoking guns that the Russian government was behind specific hacks, it largely restates previous private-sector claims without providing any support for their validity."
- Gogo Aims to Improve Airline WiFi Security with Bug Bounty Program - Airplane Wi-Fi provider Gogo has implemented a bug bounty program. This is interesting, as over the years I've heard conflicting reports of how systems on aircraft are tied together, and whether or not passengers could "hack" their way through the Wi-Fi and gain access to in-flight controls. I'm sure the answer is "it depends", but it raises the question "how safe do you feel on an airplane with Wi-Fi provided by a company with a bug bounty?". For me, I'm more concerned about turbulence affecting my ability to get my free cocktail.