HNNEpisode115

From Paul's Security Weekly

Hack Naked News #115

Recorded March 15, 2017 at G-Unit Studios in Rhode Island!

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.

News

    1. Lip reading: biometrics you can reset just like passwords - Read my lips: biometrics makes for fun stories to cover on our podcasts. This very well could be your new password, as researchers in Hong Kong have a system that reads lips and makes a decision as to whether or not it's you talking. The nice part about this system is that the password can be changed, but still associated with your biometrics (unlike fingerprints or retina scans, which, without severe body modification, cannot be changed, well, unless you become pregnant). I just can't wait to say "My voice is my passport. Verify me" into my phone, which I still do anyhow and then use my fingerprint to authenticate, because, well, I'm a nerd.
    2. 38 Android Devices Infected with Malware Preinstalled in Supply Chain - Check Point Software Technologies said that it found 38 Android handsets infected with adware, information-stealing malware and ransomware, a collection of malicious code as sundry as the number of different manufacturers. And here I was thinking I am safer because I use a Google Nexus device, but those were on the list (version 5 anyhow). The malware was added to the devices before they were in the users' hands, and was not part of the vendor's original ROM. For six of the devices, the attacker had system privileges on the device and the malware could not be removed without re-flashing the phone. This is concerning, and something we've talked about for some time: what if all our devices are pre-pwned, that is, backdoored before we even get to use them? There must be some sort of testing or standard in place that will spot this activity before things come onto the market, right? How is this different from eating tainted meat? Okay, I may be going a bit too far; however, we must work together to get the appropriate measures in place to protect our devices.
    3. Adobe Fixes Six Code Execution Bugs in Flash - And the exploits just keep on coming for Adobe Flash. Seven vulnerabilities were announced yesterday, and six are reported to be in the category of remote code execution. The vulnerabilities exist in versions 24.0.0.221 and earlier of Flash, according to a security bulletin issued by the company Tuesday morning. No, this isn't a news report from last week, last month, last year or seven years ago; this dropped yesterday. And speaking of dropping, you should drop Adobe Flash off your system, like now.
    4. Patch Tuesday Returns; Microsoft Quiet on Postponement - Microsoft FINALLY has a Patch Tuesday for us. When asked by Threatpost to explain why they skipped last month, this was Microsoft's response: "Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. We extensively test our updates prior to release and are confident that our systems are working as expected and the issue that delayed the February updates is resolved." Gee, thanks for clearing that up for us, Microsoft! The good news is that among the 18 security bulletins, eight were rated critical, including separate bulletins for Edge and IE that patched the two Google-disclosed bugs. MS17-006 patches 12 vulnerabilities in IE, including CVE-2017-0037 (which is also patched in Edge), disclosed by researcher Ivan Fratric, who privately disclosed the flaw to Microsoft last Friday. Happy patching!
    5. More Brits' IDs stolen than ever before - UK identity fraud has hit its highest recorded levels, according to a new report. Fraud prevention service Cifas recorded 172,919 identity frauds in 2016, more than in any previous year. Identity fraud now represents over half (53.3 per cent) of all fraud recorded. No reason is given for the rise in identity theft, but take these surveys with a grain of salt. An increase in certain types of behavior can be attributed to many things, including a better and more accurate measuring process, and the fact that more people have computers and the Internet.
    6. We-Vibe Vibrator Creator To Pay Damages After Spying On User Sex Lives - Finally coming to a point of resolution, sex toy company Standard Innovation Corp. has agreed to settle a class-action lawsuit. You may remember, or even be a user of, the sex toy product We-Vibe. Using Bluetooth connectivity, you and your partner can remotely use the toy together. While this may sound fun, your personal information, including the time, duration and temperature settings, along with your email address, was being collected and stored without your permission. As a result of the lawsuit, as reported by the National Post, the Ottawa, Canada-based firm must pay out four million Canadian dollars ($2.9 million) under the terms of a settlement. Standard Innovation has also agreed to destroy all of the personal information collected from users. Anyone who purchased a vibrator with the accompanying app before September 26, 2016, is entitled to damages of up to $10,000. Those who bought the vibrator without the app can also claim $199. I mean, you didn't think we were just going to let this company get off, did you? I digress....
    7. Apache Struts 2 Bug Bites Canada, Cisco, VMware, And Others - The Apache Struts vulnerability is making the rounds. The Canada Revenue Agency web site was hacked, reportedly as a result of this bug. A host of other products that embed this technology are vulnerable. So far, only Cisco's Identity Services Engine, Prime Service Catalog Virtual Appliance, and Unified SIP Proxy Software need fixing. There is, however, an extensive list of products still under investigation. VMware has also run up a warning flag, issuing an advisory reporting exposures in Horizon Desktop as-a-Service, vCenter Server, vRealize Operations Manager and vRealize Hyperic Server. Patches are pending. Best to check that list and get patching.
    8. Government Spyware Maker Doxes Itself - "Dox" is a bit of an overstatement on this one, as sometimes hackers make mistakes, like leaving a link to the website of the company that developed the malware in the malware code itself. That's what happened with a piece of Android malware designed to spy on its victims that turned up in Asia last year. Security company Bitdefender found the spyware and noted at the time that it seemed to "have been developed by Italian speakers targeting specific Android devices, selecting their victims based on their devices' IMEI codes," without going further in its attribution. Turns out the spyware was developed by a company called GR Sistemi, yet another firm that got sloppy in the rush to get a cut of the booming and often unscrupulous surveillance business. (The company did not respond to multiple requests for comment.)
    9. Software Patches Could Prevent Most Breaches, Study Finds - The survey of 318 companies, conducted by research firm Voke Media in late 2016, found that 27 percent of companies reported a failed audit in the prior 18 months, of which 81 percent could have been prevented with a patch or configuration change. Similarly, 26 percent reported a breach, of which 79 percent could have been prevented with those two measures. Look, I like to see at least 600 respondents in a survey before I take it seriously. Also, a patch and a configuration change are sometimes two very different things. However, they are both important, and you should do both of them, along with lots of other stuff to secure your organization. You can't learn about those things from a focused survey, or its results. It's just not that cut-and-dried an issue! Processes, people and technology must come together and constantly evolve to have a great security program.

    Expert Commentary: Jason Wood, Paladin Security

    The Wikipedia for Spies — And Where It Goes From Here