From Paul's Security Weekly

Hack Naked News #132

Recorded July 11, 2017 at G-Unit Studios in Rhode Island!


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.

  • News

    1. A New Google Project Sets Out to Solve Artificial Stupidity - Google's PAIR (People + Artificial Intelligence Research) project is interesting, as it aims to improve the interaction between humans and computers; however, the article states: Virtual assistants get infuriating when they fail to do something we expect to be within their capabilities. Viégas says that she’s interested in studying how people form expectations about what such systems can and can’t do—and how virtual assistants themselves might be designed to nudge us toward only asking things that won’t lead to disappointment. So really, we need to think more like computers, which just seems really backwards to me.
    2. Decryption Key to Original Petya Ransomware Released - The master key to the original version of the Petya ransomware – not to be confused with the latest and massive Petya/ExPetr outbreak that swept through the Ukraine and parts of Europe last month – has been released, allowing all the victims of previous Petya attacks to unscramble their encrypted files. I always wonder why this happens; my guess is that the popularity of the ransomware no longer makes it feasible to continue to produce and maintain it. So then users will take the easy way to get their data back and just decrypt it, rather than learn a hard lesson on backups and security. See, the malware authors want you to take the easy way out, so you can be the victim of the next campaign.
    3. Hackers Breached A Dozen US Nuclear Plants, Reports Say - It seems there is a LOT of missing information here: An urgent Department of Homeland Security (DHS) report indicated a foreign power, possibly Russia, was responsible, the New York Times said. Okay, let's just blame Russia; never mind how difficult actual attribution is, Russia sounds good. Wolf Creek Nuclear Operating Corp declined to say if the plant was hacked but said there had been "no operational impact" at the plant. - I suppose aside from performing incident response and tying up personnel to determine that there was no operational impact. "The reason that is true is because the operational computer systems are completely separate from the corporate network," spokeswoman Jenny Hageman told Reuters. - Translation: Critical systems are air-gapped, therefore we are secure. I think I just threw up in my mouth a little while saying that.
    4. Trump Thinks We Should Create A Joint Cybersecurity Unit With Russia - So, Russia is largely known to be behind election hacking, so let's partner with them to make certain they don't hack any more elections. This makes little sense to most of us; sleeping with the enemy doesn't necessarily make things any better, unless you're just after a cheap thrill.
    5. Google Guillotine Falls On Certificate Authorities - According to a Google Groups post published by Chrome security engineer Devon O'Brien, due to "several incidents" involving the certificate authority which have "not [been] in keeping with the high standards expected of CAs," Google Chrome has already begun phasing out WoSign and StartCom by only trusting certificates issued prior to October 21, 2016. Apple was also quick to follow; however, this is a cat-and-mouse game that will continue for some time into the future, as long as SSL is built on trust...
    6. Satellite Phone Encryption Calls Can be Cracked in Fractions of a Second - The new attack method has been discovered by two Chinese security researchers and is based on previous research by German academics in 2012, showing that the phone's encryption can be cracked so quickly that attackers can listen in on calls in real time. The research, disclosed in a paper published last week by the security researchers in the International Association for Cryptologic Research, focused on the GMR-2 encryption algorithm that is commonly used in most modern satellite phones, including those of British satellite telecom Inmarsat, to encrypt voice calls in order to prevent eavesdropping. The new findings spark concerns surrounding the security of satellite phones, which are mostly used by field officers in war zones that protect our land, air, and water, as well as by people in remote areas, precisely because there are no other alternatives.
    7. Burner laptops for DEF CON - Attending the world's largest hacking conventions this summer? You may want to consider A LOT of things, such as a "burner" laptop. Lots of things to consider, and security blogger Robert Graham walks us through his choices. Personally, I will bring a Chromebook with encrypted local files and Yubikey-based two-factor auth enabled. All wireless is disabled, and I will only tether via USB and use 4G. What are you doing to protect yourself at BH and Defcon this year?

    Expert Commentary: Jason Wood, Paladin Security

    FTC slaps $104m judgment on loan application firm

    I was thinking about the number of businesses that market loans to consumers the other day and how easy it would be to stand up a site and collect PII. And then Monday night I see this article on the Sophos Naked Security blog. Blue Global Media LLC settled with the FTC and received a $104 million fine for tricking consumers into filling out loan applications for loan offers from "trusted lending partners". Blue Media then sold the data in the loan applications to anyone who was willing to pay approximately $200 per lead for the data.

    The FTC had several problems with this. First, they weren't actually performing the service they claimed to provide. Second, they sold the data to anybody or any organization who was willing to pay for it regardless of whether a loan would be offered or even possible. And finally, they handled the consumer financial information in a sloppy fashion and made no attempt to ensure their "partners" would protect the data either. Fortunately, they have now gone bankrupt and are no longer functioning. Unfortunately, no payment will be made since they are broke.

    The moral of the story is that we need to be careful whenever handing over our financial information to companies online. Yes, the availability of financial services online can provide useful services to consumers, but it also provides unethical businesses the ability to siphon off confidential data and misuse it for their own profit. Be sure to share this story with your family members.