HNNEpisode116

From Paul's Security Weekly

Hack Naked News #116

Recorded March 21, 2017 at G-Unit Studios in Rhode Island!

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.

News

    1. Fappening 2.0: Private Pictures/Videos Of More Celebrities Leaked Online | Here's How To Stay Safe - The list of targeted celebrities in the “Fappening 2.0” naked pictures and videos leaks is growing. The recent additions to this list are celebrities like WWE star Paige, actress Dylan Penn, and Arrow star Katie Cassidy. Just like the initial leaks, this dump surfaced on 4chan and soon spread to Reddit. As dangers like the Fappening are bound to get scarier in the future, people can ensure their security by taking some simple precautions. Here's the thing you need to know to stay safe, from my good friend Patrick Laverty, who states: rule 1, don't take nudes of yourself and store them on devices; rule 2, there is no rule 2, only rule 1. I will also add that two-factor authentication helps in situations like this. Also, encrypting your cloud backups.
    2. Ubiquiti Wi-Fi Gear Hackable Via 1997 PHP Version and Vulnerability Disclosed in Ubiquiti Networks Admin Interface - Ubiquiti was in the news this week when a remote command injection flaw was found in 44 affected products running AirOS. There was some drama as well, as Ubiquiti initially marked the issue as a duplicate, then promised a patch in a future stable release. The flaw was found in a PHP script that allows the admin to ping another device from the web interface, one of the more common and older vulnerabilities in IoT. In this case the PHP server dates back to 1997. What I also find interesting is that Ubiquiti has a bug bounty program set up with HackerOne; why would you do this knowing you were still running PHP from 1997? The good news is that patches are coming in the next release, AirOS version 8.0.1, scheduled for release "soon". I really do like Ubiquiti products and use several of the UniFi line of APs; AirOS is in use in a different product line. I truly hope they solve the communications issues and perform a code audit to rid all product lines of outdated software.
    3. GitHub Enterprise Remote Code Execution - Building on an exploit method previously published in Phrack magazine on Ruby on Rails security, an attacker was able to successfully compromise GitHub Enterprise. GitHub awarded the researcher a $10,000 bounty, a T-shirt, a few stickers, a free lifetime personal plan, and a place in the hall of fame. Awesome! Patches have been made available by GitHub.
    4. Park uses facial recognition to wipe out toilet paper thieves - A popular park adjacent to popular tourist attractions in Beijing, China has installed devices in the restrooms to limit the consumption of toilet paper. Apparently elderly residents were snatching up large quantities of said toilet paper and using it in their homes. The solution was of course a facial recognition IoT device that emits exactly 60cm of toilet paper. Need more? You have to wait 9 minutes per person to get some more toilet paper! I want to know who had to figure out that 60cm was the appropriate amount. It will also be interesting to see when these devices are hacked, and how a hat and sunglasses could fool the device. In all, this is a pretty crappy situation for tourists.
    5. Local Windows Admins Can Hijack Sessions Without Credentials - Researcher Alexander Korznikov on Friday published a report in which he describes how he could, locally and remotely via Remote Desktop Protocol (RDP), access other users’ sessions—even sessions that have been disconnected for some time—with one command. What does this mean? After verification from other security researchers: full blown RDP session hijacking, with a single command. Korznikov has not reported this bug to Microsoft or a bug bounty program because it exploits a design flaw, so he just went public with it. A flaw in the system in so many ways; let's hope Microsoft gives us a patch soon, and no, I could not say that with a straight face after the debacle of the non-existent February Patch Tuesday with no explanation.
    6. Intel Touts Bug Bounties To Hardware Hackers - This is good: the chip maker has partnered with specialist bug bounty outfit HackerOne to create a scheme that aims to encourage hackers to hunt for flaws in Intel's hardware, firmware and software. Intel will pay up to $30,000 for critical hardware vulnerabilities (less for firmware or software holes). The more severe the impact of the vulnerability and the harder it is to mitigate, the bigger the payout. However, Intel Security (McAfee) products are not in scope.
    7. A simple command allows the CIA to commandeer 318 models of Cisco switches - Cisco researchers said they discovered the vulnerability as they analyzed a cache of documents that are believed to have been stolen from the CIA and published by WikiLeaks two weeks ago. The flaw, found in at least 318 switches, allows remote attackers to execute code that runs with elevated privileges, Cisco warned in an advisory published Friday. The bug resides in the Cisco Cluster Management Protocol (CMP), which uses the Telnet protocol to deliver signals and commands on internal networks. It stems from a failure to restrict Telnet options to local communications and the incorrect processing of malformed CMP-only Telnet options. Cisco and network operations groups have been criticized for using Telnet. But don't believe the hype. While Telnet is being used, in this case it is to support clustering. Proper systems administration dictates that you apply ACLs so that only the switches themselves, in this case, may access the Telnet protocol to provide the clustering functionality. Cisco said patches will be made available at an undisclosed date. You will want to audit your network for this configuration and apply the appropriate ACLs in the meantime, which should stay there even after you patch!
    8. Hackers Escape VMware Virtual Machine Isolation at Pwn2Own 2017 - Escaping from a guest operating system to a host operating system has been done before, and much security research has been put into attempting to identify this problem. Two separate teams at the CanSecWest Pwn2Own event this year did just that. Using 3 chained exploits, Team Sniper researchers escaped from the guest virtual machine to attack the host system. For its efforts, Team Sniper was awarded $100,000. The flaw used by 360 Security was a memory heap overflow vulnerability in Microsoft's Edge web browser. The browser flaw was accompanied by a type confusion vulnerability in the Microsoft Windows kernel. The Edge and Windows vulnerabilities alone, however, weren't enough to escape the confines of the VMware Workstation hypervisor isolation. The 360 Security researchers also had to include a zero-day uninitialized buffer vulnerability in VMware Workstation to successfully execute the virtual machine escape.
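
    The audit that the Cisco item above calls for, as an added example that is not part of the show notes and is not Cisco tooling: a small Python checker that parses an IOS-style running config, finds each `line vty` block, and flags any block that still accepts Telnet without an `access-class` ACL limiting the source addresses. It also catches a block whose `access-class` points at an ACL that is never defined, which is a common way a "fix" silently does nothing. The two configurations embedded in it are constructed samples, and the ACL number 10 and the 10.10.0.0/24 management subnet are assumptions.

```python
"""Audit IOS-style running configs for vty lines that accept Telnet without
a source ACL. Added example for the Cisco CMP item; not from the episode or
from Cisco. Both configs below are constructed samples."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample: Telnet reachable from anywhere. The first range says so
# explicitly; the second has no 'transport input' line, which on IOS means
# every transport (including Telnet) is accepted.
WEAK_CONFIG = """\
hostname sw-weak
!
line vty 0 4
 login local
 transport input telnet
!
line vty 5 15
 login local
!
"""

# Constructed sample: Telnet kept for clustering, but only from the cluster
# members' management subnet (10.10.0.0/24 and ACL 10 are assumptions).
HARDENED_CONFIG = """\
hostname sw-hardened
!
access-list 10 permit 10.10.0.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 login local
 access-class 10 in
 transport input telnet ssh
!
line vty 5 15
 login local
 transport input ssh
!
"""


@dataclass
class VtyBlock:
    first: int
    last: int
    # IOS default when no 'transport input' subcommand is present.
    transport_input: Set[str] = field(default_factory=lambda: {"all"})
    access_class: Optional[str] = None


def parse_vty_blocks(config: str) -> List[VtyBlock]:
    """Collect 'line vty A B' blocks; subcommands are the one-space-indented lines."""
    blocks: List[VtyBlock] = []
    current: Optional[VtyBlock] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
        if m:
            first = int(m.group(1))
            current = VtyBlock(first, int(m.group(2) or first))
            blocks.append(current)
            continue
        if current is None:
            continue
        if not line.startswith(" "):  # '!' or a top-level command ends the block
            current = None
            continue
        words = line.split()
        if words[:2] == ["transport", "input"]:
            current.transport_input = set(words[2:])
        elif words[0] == "access-class" and len(words) > 1:
            current.access_class = words[1]
    return blocks


def defined_acls(config: str) -> Set[str]:
    """Numbers/names of ACLs defined at the top level of the config."""
    acls: Set[str] = set()
    for line in config.splitlines():
        m = (re.match(r"^access-list (\S+)", line)
             or re.match(r"^ip access-list (?:standard|extended) (\S+)", line))
        if m:
            acls.add(m.group(1))
    return acls


def telnet_allowed(block: VtyBlock) -> bool:
    return bool(block.transport_input & {"all", "telnet"})


def audit(config: str) -> List[Tuple[str, str, str]]:
    """One (range, 'ok' | 'fail', reason) tuple per vty block."""
    acls = defined_acls(config)
    results: List[Tuple[str, str, str]] = []
    for b in parse_vty_blocks(config):
        rng = f"vty {b.first}-{b.last}"
        if not telnet_allowed(b):
            results.append((rng, "ok", "Telnet not accepted"))
        elif b.access_class is None:
            results.append((rng, "fail", "Telnet accepted from any source (no access-class)"))
        elif b.access_class not in acls:
            results.append((rng, "fail", f"access-class {b.access_class} refers to an undefined ACL"))
        else:
            results.append((rng, "ok", f"Telnet limited to sources in ACL {b.access_class}"))
    return results


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for rng, status, reason in audit(cfg):
            print(f"{name:9} {rng:10} {status:5} {reason}")
```

    Run it over a directory of saved `show running-config` output to get a per-device list of vty ranges that still accept Telnet from anywhere. The check is deliberately conservative: a missing `transport input` line is treated as Telnet-enabled, because that is the platform default, and the ACL must actually exist in the same config for the block to pass.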

    Expert Commentary: Don Pezet, ITPro.TV

    Don Pezet talks about how to handle online backups and what you can do to stay safe.