HNNEpisode117

From Paul's Security Weekly

Hack Naked News #117

Recorded March 28, 2017 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Israel Barak
    Chief Information Security Officer, Cybereason.

    News

    1. LastPass steps up quickly to fix vulnerabilities spotted by researchers - Tavis Ormandy, reportedly while in the shower, came up with a way to bypass controls in the browser plugins for LastPass. Essentially, a malicious web site could read all of your credentials with a few lines of JavaScript. While this makes me feel uneasy, and wanting to reset all of my passwords, LastPass immediately shut down the vulnerable service and got working on a patch. They are one of the best when it comes to vulnerability disclosure response. LastPass users running 4.1.36 (Firefox), 4.1.43 (Chrome), 4.1.30 (Edge) and 4.1.28 (Opera) are patched against the serious web connector issue. A second, overlapping vulnerability affects the older Firefox 3.3.2 version; the fix is to upgrade to 4.x.
    2. Instagram Adds Two-Factor Authentication - Instagram finally joins the ranks of Facebook, Twitter and LinkedIn by allowing users to enable two-factor authentication. It uses SMS to send the code to your phone, but it is interesting how it handles backup codes: upon turning the feature on, Instagram also supplies users with five different backup security codes in case a user can't receive a security code by text. The codes, sets of eight digits, can also be used if a user's phone has been stolen, compromised, or misplaced. The service automatically saves a screenshot of the codes to the user's Photos section of their phone and also allows users to copy the codes to the device's clipboard. Not sure I'm a huge fan of this method, as access to your device's pictures is possible if someone has your phone (or if you use a backup service for your pictures).
    3. New Clues Surface on Shamoon 2's Destructive Behavior - Shamoon 2 uses a combination of legitimate tools, such as the open source utility PAExec, and batch scripts to evade detection and spread itself throughout a network, researchers at Palo Alto Networks said. Disttrack is the Shamoon malware component known for its hallmark destructive behavior: it spreads through the company's network and overwrites the Master Boot Record on every computer it finds. While there are Meterpreter components, all of the other activity is conducted using techniques that are not unique to the malware itself, in order to evade detection.
    4. Dishwasher has directory traversal bug - Yep, that's right, a bug in your dishwasher. Now, this particular model is for commercial use, restaurants and bars and such. Researchers notified the manufacturer, Miele, in November of 2016. Not getting anywhere in the disclosure process, they've made the bug public. Details were posted about the directory traversal vulnerability, apparently in a web server running on the embedded Linux system of the dish cleaning machines. I guess you do need to know what your dishwasher is up to, and IoT is here to save you, and screw you, all at the same time. No word on just how clean the exploit is at this time, though the researchers did show the retrieval of the /etc/shadow file, which is just dirty.
    5. FYI Docs.com users: You may have leaked passwords, personal info; thousands have - Hooray for document sharing, that is, if you're conducting phishing or social engineering attacks against an organization. Microsoft's docs.com, which has been temporarily shut down, was found to be host to massive troves of sensitive information, such as users' passwords, social security numbers and more. The problem was two-fold. First, thousands of people, from Office 365 subscribers to others with Microsoft single-sign-on accounts, weren't marking sensitive documents as non-public; and second, Microsoft helpfully included a search bar for publicly available documents. The Internet is hard, but sharing your sensitive information apparently is easy.
    6. Ransomware scammers exploited Safari bug to extort porn-viewing iOS users - So, you clicked on a porn link. I mean, a lot of us have done it, so let's just come clean about it, eh? Or maybe not? This particular ruse enticed you with some porn, then created a loop in your browser that continually asked you for payment. However, it was the lamest ransomware ever, as clearing your browser cache did the trick to get rid of it. Still, some people were too ashamed to admit they clicked on porn, and paid the ransom. Lessons learned here: don't click on stuff, and don't be afraid to tell your computer security friends you were trying to look at porn.
    7. Bloke, 48, accused of whaling two US tech leviathans out of $100m - And who says crime doesn't pay? Well, I mean, he did get caught after all; however, check this out. Acting US Attorney Joon Kim said: "From half a world away, Evaldas Rimasauskas allegedly targeted multinational internet companies and tricked their agents and employees into wiring over $100 million to overseas bank accounts under his control. This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cybercriminals."
    8. Hackers Are Already Targeting Our Critical Infrastructure - ICS security researcher Robert Lee says while there are issues with ICS security, we won't see a "Cyber Pearl Harbor" anytime soon. In an upcoming paper that Lee is previewing at an infrastructure hacking conference, he will reveal two new malware samples and campaigns found targeting ICS facilities. One used a PDF of a document about nuclear material management, which was laced with malware; and the second one pretends to be legitimate software to target Siemens programmable logic controllers, or PLCs, essentially the computers that control how industrial control systems operate. The malicious Siemens malware infected 10 sites across the world, mostly in the United States but also Europe and China, according to Lee.
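    Item 3 above makes the point that Shamoon 2 spreads with a legitimate remote-execution tool (PAExec) and batch scripts rather than with anything unique to the malware, so the thing to hunt for is the side effect that tool leaves on every target: a freshly installed service. The following is an added example for these show notes, not code from the show, from Palo Alto Networks or from any product. It assumes Windows System-log "service installed" events (ID 7045) exported as key=value lines and that PAExec names the service it installs on the target PAExec-<pid>-<source hostname>; the log lines are constructed. Beyond flagging single hits, it groups them by source host, since one source pushing the same service to many targets is the fan-out a self-propagating tool leaves and an admin running one job usually does not.

```python
"""Spot PAExec/PsExec-style remote execution, and the fan-out pattern of a worm
using it, in Windows System-log "service installed" events.

Added example for these show notes; not code from the show, from Palo Alto
Networks or from any product. Assumes events exported as 'key=value | key=value'
lines and that PAExec names the service it installs on the target
PAExec-<pid>-<source hostname>. The log lines below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Service names the two common remote-execution tools create on the target.
# PAExec embeds the *source* host in the name; PsExec's PSEXESVC does not.
REMOTE_EXEC_SERVICE = re.compile(r"^(?:PAExec-\d+-(?P<src>\S+)|PSEXESVC)$", re.IGNORECASE)

SERVICE_INSTALLED = "7045"   # System log: "A service was installed in the system"


@dataclass(frozen=True)
class Finding:
    target: str      # host on which the service appeared
    source: str      # host that pushed it, when the service name tells us
    service: str
    image: str


def parse_event(line):
    """Parse one 'k=v | k=v' line into a dict; None if any field lacks '='."""
    fields = {}
    for token in line.split("|"):
        key, sep, value = token.strip().partition("=")
        if not sep:
            return None
        fields[key.strip()] = value.strip()
    return fields


def remote_exec_services(lines):
    """Every service-install event whose name matches a remote-execution tool.
    Each hit is a lead, not a verdict: admins use these tools legitimately."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("EventID") != SERVICE_INSTALLED:
            continue
        m = REMOTE_EXEC_SERVICE.match(ev.get("ServiceName", ""))
        if not m:
            continue
        hits.append(Finding(target=ev.get("Host", "?"),
                            source=m.group("src") or "unknown",
                            service=m.group(0),
                            image=ev.get("ImagePath", "")))
    return hits


def detect_spread(lines, threshold=2):
    """Sources that installed a remote-execution service on >= threshold distinct
    targets. Returns {source: sorted list of targets}."""
    targets = defaultdict(set)
    for f in remote_exec_services(lines):
        targets[f.source].add(f.target)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= threshold}


# Constructed sample: one source (ADMIN-PC) fanning PAExec out to three hosts,
# one unrelated PsExec run, a benign service install, a non-7045 event, junk.
SAMPLE_LOG = [
    r"EventID=7045 | Host=WS-042 | ServiceName=PAExec-5924-ADMIN-PC | ImagePath=%SystemRoot%\PAExec-5924-ADMIN-PC.exe -service",
    r"EventID=7045 | Host=WS-043 | ServiceName=PAExec-5931-ADMIN-PC | ImagePath=%SystemRoot%\PAExec-5931-ADMIN-PC.exe -service",
    r"EventID=7045 | Host=FS-01  | ServiceName=PAExec-5940-ADMIN-PC | ImagePath=%SystemRoot%\PAExec-5940-ADMIN-PC.exe -service",
    r"EventID=7045 | Host=DC-01  | ServiceName=PSEXESVC             | ImagePath=%SystemRoot%\PSEXESVC.exe",
    r"EventID=7045 | Host=FS-01  | ServiceName=Spooler              | ImagePath=%SystemRoot%\System32\spoolsv.exe",
    r"EventID=7036 | Host=FS-01  | ServiceName=PAExec-1-ADMIN-PC    | ImagePath=state change, not an install",
    "not an event at all",
]

if __name__ == "__main__":
    for f in remote_exec_services(SAMPLE_LOG):
        print(f"{f.target}: {f.service} (from {f.source})")
    print(detect_spread(SAMPLE_LOG))
```

    In a real deployment add a time window to detect_spread (the same source touching three hosts in ten minutes is a very different signal from three hosts in a month) and compare the source host against the list of machines from which admins are expected to run PAExec or PsExec at all.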
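    Item 4 above is a textbook directory traversal: a web server on the appliance's embedded Linux builds a filesystem path from the request URL without checking that the result is still under its document root, so a request containing ".." segments reaches /etc/shadow. The following is an added example for these show notes, not Miele's firmware and not the researchers' advisory; the web root, request paths and file contents are constructed, and a dict stands in for the appliance's disk. It shows the naive path handling beside a hardened resolver that decodes, normalises and then proves the result is inside the root, including the two ways such checks usually get bypassed (percent-encoded dots and a sibling directory sharing the root's prefix).

```python
"""A directory-traversal bug as it arises in a small embedded web server, beside
the hardened path check. Added example for these show notes; not Miele's
firmware and not the researchers' advisory. The web root, request paths and the
file contents are constructed; the dict stands in for the appliance's disk.
"""
import posixpath
from urllib.parse import unquote

WEBROOT = "/srv/www"   # hypothetical document root on the appliance

# Stand-in for the filesystem (keys are canonical paths, as the kernel would resolve them).
FAKE_FS = {
    "/srv/www/index.html": "<h1>Dishwasher status</h1>",
    "/etc/shadow": "root:$6$constructed-hash-for-the-example:17000:0:99999:7:::",
}


def resolve_naive(webroot, request_path):
    """The bug class: the URL path is glued onto the root and handed to open().
    The kernel resolves the '..' segments, so they walk out of the root."""
    return webroot + "/" + request_path.lstrip("/")


def resolve_safe(webroot, request_path):
    """Decode, normalise, then prove the result is still under the root.
    Returns the canonical path, or None for anything that escapes."""
    decoded = unquote(request_path)                  # %2e%2e%2f -> ../
    if "\x00" in decoded:                            # NUL would truncate the path in a C server
        return None
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Compare with a trailing separator: "/srv/www-evil" starts with "/srv/www" too.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def serve(request_path, resolver):
    """Minimal GET handler returning (status, body)."""
    path = resolver(WEBROOT, request_path)
    if path is None:
        return 403, "Forbidden"
    body = FAKE_FS.get(posixpath.normpath(path))   # normpath mimics the kernel's '..' handling
    return (200, body) if body is not None else (404, "Not Found")


if __name__ == "__main__":
    for req in ["/index.html", "/../../etc/shadow", "/%2e%2e/%2e%2e/etc/shadow"]:
        print(f"{req:30} naive={serve(req, resolve_naive)[0]}  safe={serve(req, resolve_safe)[0]}")
```

    Against a real filesystem, resolve the joined path with os.path.realpath rather than normpath before the prefix comparison, so a symlink inside the root cannot point outside it; the trailing-separator comparison stays as written.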

    Here to talk a little more about ICS security and the integration of IT and OT is Israel Barak, chief information security officer for Cybereason. But first, a word from our sponsor!

    Expert Commentary: Israel Barak, Cybereason

    This week Israel Barak talks about Unifying Industrial Control Systems Security Operations into an Enterprise SOC