From Paul's Security Weekly

Hack Naked News #127

Recorded May 30, 2017 at G-Unit Studios in Rhode Island!

Episode Audio



  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • News

    1. Thousands Of Known Bugs Found In Pacemaker Code - Researcher Billy Rios and Dr Jonathan Butts from security company Whitescope said their study showed the "serious challenges" pacemaker manufacturers faced in trying to keep devices patched and free from bugs that attackers could exploit. They found that few of the manufacturers encrypted or otherwise protected data on a device or when it was being transferred to monitoring systems. Also, none was protected with the most basic login name and password systems or checked that devices they were connecting to were authentic. It should also be noted that the late Barnaby Jack presented research on this topic in 2012.
    2. Chipotle: Hackers did to our registers what our burritos did to your colon - Fast-food chain Chipotle says hackers infected its point of sale terminals to gain access to card data from stores in 47 states and Washington, DC. The self-described "Mexican Grill" says that the malware was active earlier this year from March 24 to April 18, when it was detected, triggering the company to issue an alert. "The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device," Chipotle said in its latest summary of the incident. "There is no indication that other customer information was affected." The last part is PR hand waving for sure!
    3. Microsoft Quietly Patches Another Critical Malware Protection Engine Flaw - Microsoft quietly patched a critical vulnerability Wednesday in its Malware Protection Engine. The vulnerability was found May 12 by Google’s Project Zero team, which said an attacker could have crafted an executable that when processed by the Malware Protection Engine’s emulator could enable remote code execution. Unlike a May 9 emergency patch for what Google researchers called the worst Windows vulnerability in recent memory, this week’s bug was a silent fix, said Project Zero researcher Tavis Ormandy, who privately disclosed it to Microsoft.
    4. Network Time Protocol updated to spook-harden user comms - The Internet Engineering Task Force has taken another small step in protecting everybody's privacy – this time, in making the Network Time Protocol a bit less spaffy. This Internet Draft, published last week, calls for changes in Network Time Protocol (NTP) clients – and devs will be pleased to hear it won't be that difficult to implement. As the draft explains, the RFCs that define NTP have what amounts to a convenience feature: packets going from client to server have the same set of fields as packets sent from servers to clients. This feature will no longer be required, as the information contained in the packets can be used to fingerprint and track clients. A small win, but small wins are still wins.
    5. Popular RADIUS server exploitable with TLS session caching - A caching bug, referred to as inner authentication, has been discovered in the popular FreeRADIUS code. The bug affects FreeRADIUS 2.2.x (a deprecated version still included in some Linux distributions); all versions before 3.0.14 in the stable branch; and all versions before February in the development branches 3.1.x and 4.0.x. In the meantime, you can protect yourself by disabling TLS session caching.
    6. Awfully Polite Hackers Allegedly Hijacked This Mall Billboard - "We suggest you improve your security. Sincerely, your friendly neighborhood hackers," the message allegedly read, according to a photo first uploaded to Reddit on Sunday. That's the message that was displayed at Liverpool One, a shopping area in the UK. Nice attackers? Perhaps, as it could have been goatse or worse, but it is still embarrassing. No one from Liverpool One has been available for comment.
    7. "Forgetting" Smartphone Password In Court Can Lead To Jail - On May 30, two suspects accused of extorting the so-called "Queen of Snapchat" as part of a sex-tape scandal are scheduled to appear in a Florida court. But as wild as the premise sounds, primarily the accused need only to answer a simple question on this visit. Miami-Dade Circuit Judge Charles Johnson wants an explanation as to why Hencha Voigt and her then-boyfriend, Wesley Victor, can't remember the passcodes to their mobile phones. If he doesn't believe them or if they remain silent, the two suspects face possible contempt charges and indefinite jail time for refusing a court order to unlock their phones so prosecutors can examine text messages.
    8. Shadow Brokers double down on zero-day subscription service - Shortly after its leak of NSA exploit tools enabled the spread of WannaCry, the Shadow Brokers hacking group promised to launch a monthly subscription service for more zero days. Tuesday, it started offering details. To get in on the action, Shadow Brokers requires that subscribers send them 100 ZEC (Zcash cryptocurrency) or $21,000 per month. The group emptied its Bitcoin wallet yesterday, then switched over to Zcash, though the group said it could require a different currency the following month. All that to get random 0day, worth it? Maybe....

    Expert Commentary: Jason Wood, Paladin Security

    I'm going to step into government regulation today. The main article that spurred this was from Bruce Schneier, titled Ransomware and the Internet of Things.

    Bruce is stating that the number and types of devices that are being connected to networks require government regulation to require more from manufacturers in regard to the security of their devices. There are strong market forces around creating new devices and getting them connected, but there is a complete market failure in regard to safety. He states, "Like every other instance of product safety, this problem will never be solved without considerable government involvement." He then goes on to illustrate a number of issues that we are seeing right now in security and what types of devices we are deploying.

    A second article I found supports some of Bruce's concerns without really meaning to. Asaf Atzmon posted an article on Infosec Island about the trends in connected cars titled "The Cyber Car: The Intimate Tango of the 21st Century". In this article he lays out the complexity of car computer systems and their attack surface. He also points out that the trend is to add more connectivity and complexity rather than less. "The automotive industry is at the point of no return. Cyber is here to stay..." Asaf then goes into potential defenses for these vehicles.

    I'm not a huge fan of regulation overall, but neither do I think that economic markets are the solution to all issues. At some point someone with a big enough stick needs to step in to force companies down a path that they'd prefer not to go, but that is in the best interests of society. Crash testing and safety requirements for vehicles came about due to government regulation. Air quality is another area where things have not changed until the government stepped in and forced things. As much as I hate the emissions equipment on my vehicles, I'm better off with them there. I suspect Bruce is right and no matter how much I hate being forced down a path (and paying for its costs), we need governments to step in and start forcing at least some level of "network safety" into our devices.

    Links: Ransomware and the Internet of Things

    The Cyber Car: The Intimate Tango of the 21st Century