HNNEpisode126

From Paul's Security Weekly

Hack Naked News #126

Recorded May 23, 2017 at G-Unit Studios in Rhode Island!


Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
News

    1. Freetards left wide open to malware fired from booby-trapped subtitles - Users of popular media players such as Kodi and Popcorn Time are warned that subtitles can be used as a vehicle to gain control of your computer system. Being a fan of foreign language films, I can totally see this playing out. There are many different sources of subtitles, offered in various languages and formats. The media player's job is to parse all of this, and any time you have to parse, you open yourself up to accepting the wrong data from the user; in this case that data triggers remote code execution. VLC and other projects have been updated and patched, so best to check that you've got the latest version! Researchers from Check Point disclosed the flaws, but have not published any details yet.
    2. Digital watermark leads police straight to Bollywood pirates - More news on the entertainment front, as it seems folks will use many different methods to pirate a film, and now the trend seems to be collecting a ransom to keep your precious content from being leaked. In this case, however, the thieves were not so smart, as the article states: "In most instances when movies are tracked in this manner, it's because a watermark identifying the location has been transferred to a 'cam' copy. However, in this case the original 'pirate' copy had been made digitally. This meant that someone had managed to get hold of the encryption key used to decrypt titles subject to digital distribution." Better quality than a cam, but this one landed the movie pirates in jail.
    3. Yahoobleed flaw leaked private e-mail attachments and credentials - Yahoo just can't catch a break: For years, Yahoo Mail has exposed a wealth of private user data because it failed to update widely used image-processing software that contained critical vulnerabilities. That's according to a security researcher who warned that other popular services are also likely to be leaking sensitive subscriber secrets. Chris Evans, the researcher who discovered the vulnerabilities and reported them privately to Yahoo engineers, has dubbed them "Yahoobleed" because the vulnerabilities caused the site to bleed contents stored in server memory. The easy-to-exploit flaws resided in ImageMagick, an image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other programming languages. One version of Yahoobleed was the result of Yahoo failing to install a critical patch released in January 2015. A second Yahoobleed vulnerability was the result of a bug that ImageMagick developers fixed only recently after receiving a private report from Evans. If you have ImageMagick, well, just don't have it if you want security.
    4. Netgear 'fixes' router by adding phone-home features that record your IP and MAC address - Not telling your users how you handle their data is a no-no, and one was just exposed by a curious Netgear user, who quotes the new terms: "Such data may include information regarding the router's running status, number of devices connected to the router, types of connections, LAN/WAN status, WiFi bands and channels, IP address, MAC address, serial number, and similar technical data about the use and functioning of the router, as well as its WiFi network." Yep, this data is now sent as a result of a firmware update meant to fix a vulnerability. Shame on you, Netgear, on so many counts.
    5. FCC Votes To Overturn Net Neutrality Rules - As predicted, Net Neutrality is on the chopping block, and closer than ever to being a thing of the past. It is open for public comment, though that system is overrun with bots. Please do comment if you are a human and have an opinion on this issue.
    6. EternalRocks Worm Spreads Seven NSA SMB Exploits - You got it, more worms based on the NSA's leaked exploits. Someone has stitched together seven of the Windows SMB exploits leaked by the ShadowBrokers, creating a worm that has been spreading through networks since at least the first week of May. Researcher Miroslav Stampar, a member of the Croatian government's CERT, captured a sample of the worm last Wednesday in a Windows 7 honeypot he runs, and posted a report over the weekend on his GitHub page. The worm, which Stampar calls EternalRocks, currently has no payload and spreads in two stages over a 24-hour period. Also interesting are the statistics of infected machines, which seem to point to Windows 7 being the most popular platform, not Windows XP. Happy patching everyone!

    Expert Commentary: Jason Wood, Paladin Security

    "US politicians think companies should be allowed to 'hack back' after WannaCry"

    https://www.grahamcluley.com/us-politicians-think-companies-allowed-hack-back-wannacry/

    Tom Graves (R - Georgia) and Kyrsten Sinema (D - Arizona) are writing a bill called the Active Cyber Defense Certainty (ACDC) Act, which would give organizations the ability to hack back at those who are attacking them. The representatives believe that the spread of WannaCry could have been impeded if organizations had been allowed to fight back. The idea of hacking back is not a new one, but it has never gained much traction. Why is that?

    1 - When your systems are under attack and you are in crisis mode, you are focused more on keeping things running than on determining where the attack came from.

    2 - Most organizations employ blue teamers, and offensive security is not their primary skill set.

    3 - Do you really know who is attacking you or are you attacking another victim?

    On the plus side for penetration testing firms, if this became law it would be a new potential service to sell: "Hire us to hack the bad guys who are hacking you."