HNNEpisode133

From Paul's Security Weekly

Hack Naked News #133

Recorded July 18, 2017 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
News

    1. Google wants you to bid farewell to SMS authentication - Google's campaign to nudge its vast user base towards more secure two-step verification (2SV) and two-factor authentication (2FA) continues: from this week, anyone logging into its services using SMS codes will start receiving notifications from something called "Google Prompt".... The weakness of SMS is that the one-time code travels across the carrier network, a channel Google does not control, so anyone who can take over the phone number (SIM-swap fraud, SS7 interception) can receive the code instead of you. With Prompt, data is still being sent back and forth, but over an encrypted channel between Google and the signed-in device. As long as the phone has a data connection, the user also gets a real-time warning every time someone, anyone, attempts to log into their Google account. - Or you could just use the Authenticator app, which derives codes locally from a shared secret that never crosses the carrier network, or you could use a hardware-based token.
    2. Black Hat USA 2017: what's on the agenda in Las Vegas - Thanks to Bill Brenner, here is a quick overview of the upcoming Black Hat conference: Black Hat USA 2017 will take place July 22–27 at the Mandalay Bay Convention Center. Among the talks, Facebook CSO Alex Stamos will present "Stepping up our game: Re-focusing the security community on defense and making security work for everyone". Briefings will focus on vulnerabilities in areas such as IoT, malware, smart grid and industrial security, and AppSec. Black Hat Arsenal (Wednesday and Thursday, July 26–27) is where independent researchers and the open source community give live demos of their latest tools. The event will also include the Black Hat Business Hall (Wednesday and Thursday, July 26–27), featuring more than 270 security companies, along with a career zone, an innovation city and vendor sessions.
    3. Ubuntu Linux for Windows 10 Released, Yes, You Read it Right - Unlike a conventional Ubuntu installation, this Ubuntu runs sandboxed alongside Windows 10 with limited interaction with the host operating system, and is focused on running regular command-line utilities such as bash or SSH as a standalone installation through an Ubuntu terminal. For now it is available only to Windows 10 Insider Program users; it will be made available to the public with the upcoming Windows 10 Fall Creators Update, expected to ship in September/October 2017.
    4. Windows 10 Will Now Let You Reset Forgotten Password Directly From the Lock Screen - Microsoft is finally adding one of the most-requested features to Windows 10: PIN and password recovery directly from the lock screen. The next big update of Windows 10, among other features, will let you recover a forgotten PIN or password by resetting it straight from the lock screen. In the Windows 10 Fall Creators Update you will see "Reset password" or "I forgot my PIN" options on the sign-in screen next to the sign-in box. Worth remembering: a recovery path on the lock screen is only as strong as the identity checks behind it (compare the Myspace item below), so it is worth knowing exactly what the reset flow asks for before you rely on it.
    5. Over 70,000 Memcached Servers Still Vulnerable to Remote Hacking - In late 2016, Cisco's Talos intelligence and research group disclosed three critical remote code execution (RCE) vulnerabilities in Memcached that put major sites relying on it, including Facebook, Twitter, YouTube and Reddit, at risk. Memcached is a popular, easily deployed open-source distributed caching system that stores objects in memory; it ships with no authentication by default, so an instance reachable from the internet can be attacked by anyone who can connect to it. Talos scanned the internet in February and again in July 2017: only 2,958 of the servers found vulnerable in the February scan had been patched by the July scan, and the rest remain exposed to remote compromise.
    6. Siemens Patches Authentication Bypass Flaw in SiPass Server - SiPass is Siemens' integrated access control server for managing physical access across a number of industries and use cases. The product supports card readers and integrates with video surveillance equipment, among other capabilities; Siemens lists hospitals, airports and manufacturing facilities as typical deployments. On Thursday the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) posted an advisory urging users to update the server immediately to V2.70, since all prior versions are affected: "Successful exploitation of these vulnerabilities could allow an unauthenticated attacker with network access to the server to perform administrative operations." Because the only precondition is network access to the server, restricting who can reach it matters as much as applying the patch.
    7. FreeRADIUS Update Patches Bugs Static Analysis Tools Missed - FreeRADIUS, the popular open-source RADIUS server, today published updates that fix a number of security issues uncovered by a custom fuzzer built by Dutch researcher Guido Vranken. Vranken had used a custom libFuzzer setup to find a handful of serious bugs in OpenVPN, which were patched in late June. A memory leak caused by misuse of the OpenSSL API, first seen in OpenVPN, was also found in FreeRADIUS and disclosed to the project, which then commissioned Vranken to take a closer look at the server software.
    8. Botnet Tweeting, Spamming Porn Shut Down - An adult-themed botnet was found by researchers and dismantled by Twitter last month. The Twitter-based botnet consisted of 86,262 bot accounts and, over the past six months, blasted out 8.6 million tweets attempting to lure men to pornographic, dating, hookup and cheating-spouse websites. ZeroFOX's live analysis of the botnet showed the campaign had amassed 30 million unique clicks on its shortened URLs between February and June 2017.
    9. It's Trivially Easy To Hack Any Myspace Account - This is lame; not sure if or when the password reset requirements changed, but apparently you only need first name, last name and DoB to reset your password. This just in: Myspace also told Wired in a statement: "In response to some recent concerns raised regarding Myspace user account reactivation, we have enhanced our process by adding an additional verification step to avoid improper access. We take data security very seriously at Myspace. We plan to continue to refine and improve this process over time." WTF, who still uses Myspace?
    10. Cisco Plugs Command Injection Hole In WebEx - A malicious page, when visited from a Windows machine with the vulnerable plugin installed, can exploit the flaw (CVE-2017-6753) to run arbitrary commands and code with the same privileges as the browser. In other words, the page can abuse the installed plugin to hijack the PC. The hole is present in the Chrome and Firefox plugins for Cisco WebEx Meetings Server and Cisco WebEx Centers, and affects WebEx Meeting Center, Event Center, Training Center and Support Center. Internet Explorer and Edge are not considered vulnerable, and the OS X and Linux versions of Chrome and Firefox are also unaffected.
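
    For the Memcached story in item 5, the practical question is whether any of your own instances answer on 11211 and what version they report. This is an added example, not Talos's scanner or anything from the show: it parses the reply to the text-protocol `version` command and classifies it against upstream 1.4.33, the release that fixed the three Talos bugs (CVE-2016-8704, -8705, -8706). The threshold and the sample banners are this example's own; distributions that backport fixes will report an older version string, so treat a "vulnerable" result as a prompt to check the package changelog, not as proof. And whatever the version, a Memcached instance should not be reachable from the internet at all.

```python
import re
import socket

# Upstream release that fixed CVE-2016-8704/8705/8706; older version strings are flagged.
# Assumption of this example: no backported fixes (package changelogs override this).
FIXED_VERSION = (1, 4, 33)

VERSION_RE = re.compile(r"^VERSION\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str):
    """Parse the reply to the text-protocol 'version' command, e.g. 'VERSION 1.4.25\\r\\n'.
    Returns (major, minor, patch) or None when the reply is not a version line."""
    m = VERSION_RE.match(banner.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def status(banner: str) -> str:
    """'vulnerable', 'patched' or 'unknown' for one banner (tuple compare handles 1.5.x > 1.4.33)."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    return "vulnerable" if v < FIXED_VERSION else "patched"


def probe(host: str, port: int = 11211, timeout: float = 3.0) -> str:
    """Live check against a host you own: ask the daemon for its version over TCP."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"version\r\n")
            banner = s.recv(128).decode("ascii", errors="replace")
    except OSError:
        return "unreachable"
    return status(banner)


# Constructed banners standing in for scan output; not real scan data.
SAMPLE_BANNERS = {
    "10.0.0.11": "VERSION 1.4.25\r\n",
    "10.0.0.12": "VERSION 1.4.33\r\n",
    "10.0.0.13": "VERSION 1.5.0\r\n",
    "10.0.0.14": "ERROR\r\n",          # something else listening, or the command rejected
}


def classify(banners: dict) -> dict:
    """Map host -> status for a batch of collected banners."""
    return {host: status(b) for host, b in banners.items()}


if __name__ == "__main__":
    for host, result in classify(SAMPLE_BANNERS).items():
        print(host, result)
```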

    Expert Commentary: Jason Wood, Paladin Security

    One of the more disheartening things for me to find during penetration tests is misconfigured systems that grant easy access to data or admin control of systems: default credentials, lack of authentication of any type, or extremely out-of-date software. They all hurt and they all let attackers in. We've had another series of public security incidents that occurred due to misconfiguration of systems, so I thought I'd pick on this issue. I don't like to blame victims, but at the same time we need to recognize when we've screwed up. So here it goes.

    We need to do so much better at the basics of security operations. We need to use good tools and we need to know how to use them properly. We need to stop being afraid of our tools and make sure they are really covering our environments. Sure, there are situations where an automated tool can cause some issues, but that has largely been resolved by very safe default configurations in scanning tools. When we find issues, we need to get them fixed. It's not sexy and it's not exciting. No one is going to do a presentation at Black Hat on downloading sensitive data from an S3 bucket that didn't require authentication, but that doesn't mean it isn't an important issue. A lot of pain could be avoided if we just did a better job of maintaining our systems and configuring them properly. Not doing so is an unforced error on our part. Security incidents will happen, but let's make sure we are making the bad guys work for it.


    https://www.wired.com/story/amazon-s3-data-exposure
    https://threatpost.com/experts-warn-too-often-aws-s3-buckets-are-misconfigured-leak-data/126826
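
    The S3 exposures in the two articles above come down to two documents on each bucket: its ACL and its bucket policy. The following is an added example, not part of Jason's commentary and not an AWS tool: it takes the ACL and policy in the JSON shape the S3 API returns (GetBucketAcl / GetBucketPolicy, which is also what boto3 hands back) and flags the grants that make a bucket readable or writable without authentication. The two global grantee URIs are the real ones AWS uses; the sample documents and all function names are constructed for this example. The `AuthenticatedUsers` group is flagged on purpose: it means any AWS account in the world, which in practice is public.

```python
import json

# The two global grantee groups in S3 ACLs; a grant to either one makes the bucket "public".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone, no credentials)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def public_acl_grants(acl: dict) -> list:
    """(group, permission) for every ACL grant to a global group.
    READ lists keys, READ_ACP reads the ACL, WRITE lets anyone upload or overwrite."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and label:
            findings.append((label, grant.get("Permission")))
    return findings


def _everyone(principal) -> bool:
    """Principal '*' or {'AWS': '*'} (possibly inside a list) means any caller, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def anonymous_policy_statements(policy: dict) -> list:
    """(Sid, actions, has_condition) for every Allow statement open to everyone.
    Conditioned statements are still reported: the condition may be a tight aws:SourceIp
    range or effectively nothing, and only a human reading it can tell."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):            # a single statement may appear un-listed
        statements = [statements]
    out = []
    for st in statements:
        if st.get("Effect") == "Allow" and _everyone(st.get("Principal")):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else list(actions)
            out.append((st.get("Sid"), actions, "Condition" in st))
    return out


def audit(acl: dict, policy: dict) -> dict:
    """Combine both checks for one bucket; an empty result means nothing public was found."""
    return {"acl": public_acl_grants(acl), "policy": anonymous_policy_statements(policy)}


# Constructed documents in the shape the S3 API returns; not taken from any real account.
SAMPLE_ACL = json.loads("""{
  "Owner": {"ID": "owner-canonical-id"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
  ]
}""")

SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

Run against every bucket in an account (the listing and the two API calls are the only live parts), this is the check the articles say too many teams never ran: it takes minutes and turns "we assumed the bucket was private" into a yes or no.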