From Security Weekly Wiki

Hack Naked News #122

Recorded May 2, 2017 at G-Unit Studios in Rhode Island!


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • News

    1. Kali Linux 2017.1: The Professional Penetration-Testing Distro! - A new release of Kali Linux is now available, version 2017.1. Some new features include support for injection mode on RTL8812AU chipsets used in ALFA AWUS036ACH cards, streamlined support for CUDA GPU cracking, AWS and Azure support that now includes CUDA GPU cracking, and OpenVAS 9, which must be installed by hand as it is not included by default. Updated versions of Ophcrack, ZAP, WPScan and more are also included.
    2. Pen-tester gets past Microsoft VB macro barriers - A dangerous new attack vector was disclosed privately to Microsoft this week. Sensepost's Etienne Stalmans found that Outlook has a “forms” capability that, with a lot of work, can embed VB code – and the forms script engine is separate from the VBA macro script engine, so the attack works even if macros are blocked. Microsoft does not have plans to fix this, stating: "The technique described in the blog is not a software vulnerability and can only be leveraged using an account that has already been compromised by another method. We encourage customers to set strong passwords, not share those passwords across multiple services and enable security features such as multi-factor authentication to help keep them protected." Rubbish.
    3. Meet, the site that doesn't allow password changes - The level of password security offered by web sites varies greatly; however, there are some, like, that just plain suck. The site's policy is to allow passwords as short as 4 characters, and when you forget your password, it emails you an image of your password. If that's not bad enough, there is no mechanism to change your password. This story has successfully killed any hopes of security on the Internet for me this week, and maybe forever.
    4. Hacker Steals And Shares Unreleased TV Shows - A hacker going by the handle "The Dark Overlord", who previously targeted healthcare systems, has stolen and released 10 episodes of the Netflix show Orange Is the New Black. Word on the street is more shows have been stolen, all pointing back to a production vendor that has been hacked. This story underscores the importance of your supply chain: whether you are producing widgets or content, it's important.
    5. Intel Patches Remote Execution Hole That's Been Hidden In Its Chips Since 2008 - A bug in the management plane on select Intel processors has been discovered. The bug is in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows "an unprivileged attacker to gain control of the manageability features provided by these products." This could allow an attacker to hide from the operating system and any other compensating controls. The affected technology exists in most servers, not desktop products, and to get a fix you have to contact your hardware manufacturer to get a signed firmware update. How many people will actually do that remains to be seen, as does malware in the wild that will take advantage of this feature.
    6. Why You Shouldn't Trust The "World's Most Secure" Email Service - Nomx is a security startup, an Arlington, Va.-based hardware maker founded by chief executive Will Donaldson, which builds (in his words) the "world's most secure" email service. The company promises "absolute security" in its email-in-a-box offering for anyone who buys the $199 device. Turns out this is a Raspberry Pi that, according to security researchers, contains a litany of serious security flaws. So much for being the world's most secure email platform.
    7. IBM Warns Of Malware On USB Drives Shipped To Customers - If you have one, you must destroy it immediately! IBM said an unspecified number of USB flash drives containing the Storwize initialisation tool for V3500, V3700, and V5000 Gen 1 systems are infected with malicious code. All infected USB flash drives were shipped with the number 01AC585, which IBM has told customers should be securely destroyed so it can't be reused. Points for most creative destruction method perhaps?
    8. Google Patches Six Critical Mediaserver Bugs in Android - Google pushed out its monthly Android patches Monday, addressing 17 critical vulnerabilities, six of which are tied to its problematic Mediaserver component. An additional four critical vulnerabilities related to Qualcomm components in Android handsets, including Google’s own Nexus 6P, Pixel XL and Nexus 9 devices, were also patched, according to ZDNet. It's also worth noting that last week Google said two Nexus devices (6 and 9) released in November 2014 would no longer be “guaranteed” to receive security updates after October 2017.

    Expert Commentary: Jason Wood, Paladin Security

    The US Takes on the World in NATO's Cyber War Games

    Last year NATO organized a cyber-defense war game with 19 allied nations in a "live-fire" exercise to practice defending military technology assets. It was the US' first year in the exercise and they finished 19th out of 19. This year they came back to try to improve.

    The exercise is not designed to allow competitors to use offensive security and is strictly defense oriented. Estonia organized the event and acted as the red team for the exercise. As anyone who has done a defense exercise against an active red team knows, it was pretty chaotic. Things are happening on different fronts at the same time and it gets pretty intense. After the two-day exercise was complete, the US had moved from 19th to 12th overall. Not what I would have hoped for, but it is a pretty big jump up. Moral of the story, this defense crap is hard and you need to practice at it to get better.

    It is unknown if they sat in a dark room with loud techno music blaring for two days during the exercise.