From Paul's Security Weekly

Hack Naked News #128

Recorded June 5, 2017 at G-Unit Studios in Rhode Island!

Episode Audio


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • News

    1. The Major Security Issues Surrounding Virtual Personal Assistants - Through Siri, Google Now and Cortana on your smartphone, your conversations *could* be recorded. This article explains how this could happen and states that the security risks with Virtual Personal Assistants will grow even more complex as they become further intertwined with the Internet of Things (IoT). A good read for everyone to serve as a reminder that privacy is, in fact, dead.
    2. WannaCry Exploit Could Infect Windows 10 - Researchers at RiskSense stripped the original leaked version of EternalBlue down to its essential components and deemed parts of the data unnecessary for exploitation. They found they could bypass detection rules recommended by governments and antivirus vendors, says RiskSense senior security researcher Sean Dillon. EternalBlue gives instant un-credentialed remote access to Windows machines without the MS17-010 patch update. While it's difficult to port EternalBlue to additional versions of Windows, it's not impossible. Unpatched Windows 10 machines are at risk, despite the fact that Microsoft's newest OS receives exploit mitigations that earlier versions don't. Yikes, despite Microsoft's best efforts, these researchers have proven that the exploit can be used against native Windows 10 systems. Not a huge deal, something we all should have been anticipating.
    3. Boffins get routers spilling secrets through their LEDs - So let's say you've hacked into a camera at a location. And it just so happens that the camera is pointed at the front of an IoT device with LED lights, you know, the ones that blink like crazy when they are passing traffic. So, let's also say you have access to said device and gain unauthorized access. Researchers have shown that uploading a malicious script and/or firmware can transmit data by blinking the LEDs on and off. This one is, well, yeah, way out there. If an attacker already has access to your router, it's game over. In fact, if they have access to your network, your router is the weakest link. I don't see this in widespread use, to say the least.
    4. Two cheers for Google's native Chrome ad-blocker - However, should we be cheering? This comes in two forms in a potential 2018 release of Chrome: The first is to allow Chrome to control ads that don't adhere to rules agreed by the industry Coalition for Better Ads. Arguably, this isn't blocking because it only stops ads that transgress in very specific ways, such as auto-playing videos, prestitial ads with countdown timers (which block a homepage for a given period) and sticky ads (which persist even after scrolling). Then there is a new feature called Funding Choices. Still in limited beta, this is a way to charge users who refuse to turn off their ad-blocker. The revenue from this, stored in a Google digital wallet, will be split between the publisher and – you guessed it – Google.
    5. Vulnerabilities Could Unlock Brand-New Subarus - Interesting research: Guzman focused on how the iOS and Android mobile apps and the web app communicate with Subaru's Starlink servers. He found eight vulnerabilities which, when used in various combinations, could allow him to add other users to a Starlink account. Those users would then be able to access the vehicle's usage history, including location, as well as unlock doors and honk the horn. Starlink, however, doesn't control kinetic functions such as braking or acceleration. Charlie Miller weighed in and stated: "Unlike Facebook or Twitter, people don't communicate with the Subaru servers very often, and so it is a very difficult attack to pull off," he says. "Compare this to the Jeep attack where the only requirement was the car is on. It required no proximity or interaction by the victim." Good news, though: most of the flaws have been fixed, although Guzman has continued to keep a close eye on updates to the apps.
    6. Hacker Mimicked Thousands Of Real Twitter Users - This story references research from 2012: When Davies first tried out his experiment at the end of 2012, he didn't use Twitter's own API, as he assumed it would be monitored for abuse. But it turned out that if you used Twitter with a very old web browser like Internet Explorer 6, the site presented an easy-to-script-for plain HTML version of the site. At the time, Twitter also required users to complete a CAPTCHA during account creation, so Davies spent $10 on a CAPTCHA-breaking service. He believes it would still work today, and Twitter's official response is that they try to crack down on this stuff. Right. Still, be aware of fake Twitter accounts; they are easy to spot by the often provocative female images used as the "person's" photo.
    7. Outdated OSes, Unpatched Browsers Expose Companies to Risk - Duo Security's 2017 Trusted Access Report was released on June 5. The report, which provides insight into the security status of 4.6 million devices that Duo Security helps to manage, found that although Windows 7 has already been superseded by Windows 10, it remains the most widely deployed version of Microsoft's operating system. On the mobile side, the majority of Android users are not running devices with the latest patches. Adobe's Flash is also a problem, with 53 percent of endpoints analyzed by Duo Security running out-of-date and vulnerable versions.

    Expert Commentary: Jason Wood, Paladin Security

    Researchers Use Ridesharing Cars to Sniff Out a Secret Spying Tool

    A closely protected tool in the arsenal of law enforcement is the Stingray system, used to monitor a suspect's location and activity using their cell phone. The devices act as a cell tower and report the connection information to law enforcement. The use of these devices is controversial since they can be used without a search warrant and information on their use is a closely held secret by law enforcement. Researchers at the University of Washington decided to see if they could get more information about their use in the Seattle and Milwaukee areas.

    Their idea was pretty clever. Since it isn't possible for them to try to war drive for this information themselves, they came up with a novel way to distribute their monitoring. They paid $25 to an unknown ride sharing company to carry $500 in computer equipment in their cars for a week. The cases contained a GPS module, GSM modem, a Raspberry Pi, a cellular hotspot and an Android phone running SnoopSnitch. The system recorded information about every radio device that connected to them and allowed the researchers to map 1400 cell towers in Seattle and another 700 in Milwaukee.

    After two months of collection, they found a few outliers that they suspect could be Stingray systems that are run by law enforcement. Of the three anomalies they found, one could be a false positive from their monitoring system. In fact, the researchers say that while they were able to gather quite a bit of information, their data is still limited based on the number of drivers they had carrying the devices and whether or not any Stingray systems were in active use at that point. Regardless, this is an interesting proof of concept.