Hack Naked News #134
Recorded August 2, 2017 at G-Unit Studios in Rhode Island!
- Sorry, psycho bosses, it's not OK to keylog your employees - The company discovered their employee's extra-curricular activities thanks to software it had installed on all of the staff's computers with a warning that all "internet traffic" would be logged. The software did much more than that, however – it recorded every keyboard stroke and took screenshots at regular intervals and stored them on a company server. This is a really important lesson on many fronts, including being completely transparent when it comes to monitoring, and yes, "Internet traffic" is very different from "keystrokes". Also interesting is the article states that if evidence had been collected to support a criminal investigation, this would have been okay. So, there you have it.
- Microsoft expands bug bounty program to cover any Windows flaw - Microsoft today announced a new bug bounty scheme that would see anyone finding a security flaw in Windows eligible for a payout of up to $15,000. This is not the first time the program has expanded since its inception in 2013, hat tip Katie.
- Putin Bans VPN Use In Russia - Russian President Vladimir Putin has signed a law prohibiting the use of technology that provides access to websites banned in the country. The law signed on Sunday is already approved by the Duma, the lower house of parliament, and will come into effect on November 1, 2017. It will ban the use of virtual private networks (VPNs) and other technologies, known as anonymisers, that allow people to surf the web anonymously. Leonid Levin, the head of Duma's information policy committee, has said the law is not intended to impose restrictions on law-abiding citizens but is meant only to block access to "unlawful content", RIA news agency said.
- It's 2017 And Hayes AT Modem Commands Can Hack Luxury Cars - A bunch of mid-age Ford, Infiniti, Nissan and BMW vehicles are carrying around a vulnerable chipset from Infineon that America's ICS-CERT reckons is easy to exploit. Two interesting points: with physical access you can use modem AT commands, such as AT+STKPROF, AT+XAPP, AT+XLOG and AT+FNS, to trigger a stack-based buffer overflow. The second – which is remotely exploitable if you can get a 2G connection – lets an attacker "access and control memory" for "remote code execution on the baseband radio processor of the TCU." The discoverers note in the presentation that the exploits for the firmware in question were outlined by Ralf-Philip Weinmann in the iOS Hacker's Handbook in 2016.
- Hackers Dump Files Supposedly From Mandiant FireEye Breach - Hackers have leaked what they claim is information stolen from FireEye/Mandiant after apparently breaking into the incident response biz's network. Mandiant has denied this. From what appears on Pastebin, the leak is from one workstation only, and may not be something to get into a tizzy about. The official statement is: We are aware of reports that a Mandiant employee's social media accounts were compromised. We immediately began investigating this situation, and took steps to limit further exposure. Our investigation continues, but thus far, we have found no evidence FireEye or Mandiant systems were compromised.
- Amazon Echo Hack Can Make Your Speaker Spy On You - Research by MWR InfoSecurity found it's possible to turn an Amazon Echo into a covert listening device without affecting its overall functionality. One big limiting factor: the process does involve the attacker being able to gain access to the physical unit, but it's possible to tamper with the Echo without leaving any evidence. So yea, cool attack if you are sending one as a gift or have access to the supply chain. Otherwise, with physical access you can put any number of listening devices, however an echo backdoor is cool because it is easily hidden.
- Game Of Thrones Script Stolen In HBO Hack - A group of hackers claims to have stolen the script for a forthcoming Game of Thrones episode and other data in a breach at entertainment firm HBO. No details on how, but HBO stated it was a "Cyber" breach, and it is likely not the last to target the entertainment industry.
- Hackers Exploit Voting Machine Vulnerabilities at DefCon - A number of security researchers were successful in their attempts, including Carsten Schurmann, who was able to gain remote access to a WinVote machine that was actually used in a local election in 2014. The system had an open port that allowed Windows Remote Desktop sessions, according to Schurmann, who added that the port was discovered simply by running the open-source Wireshark network packet capture program. Other hackers in the Voting Village also used Wireshark to find voting machines with known vulnerabilities, then compromised them simply with the open-source Metasploit penetration testing framework.
- How the Federal Government Wants to Improve IoT Security - It's really sad that this has to be proposed in a law: Among the common-sense security requirements outlined in the IoT Cybersecurity Improvement Act is that vendors have to make sure that the devices they sell the U.S. Government can be patched for security flaws. Additionally, the Act requires that IoT vendors not include hard-coded passwords on devices that cannot be changed. The IoT Cybersecurity Improvement Act also directs vendors to ensure that devices do not include any known vulnerabilities and that devices use industry standard protocols for connectivity and encryption.
Expert Commentary: One Bad Click (Nearly) Kills a Product
Picture this scenario: an official-looking email arrives to explain that there is a problem with your Chrome plugin. It is violating the Chrome Web Store rules and will be removed if you do not act to move it into compliance. You click the link to make the change and BOOM; you just lost control of your product and it is now serving ads inappropriately. That was the experience of A9t9 last Saturday. Fortunately they were able to recover as of Aug 1 and have the application back under their control.
The company received the email on Saturday and one of their developers clicked on the link to respond to it. Upon accessing the page, an authentication box appeared, the employee entered the company's developer account password, and then the app was moved to the attacker's developer account. It was updated to a new version and started displaying ads in browsers that used the plugin. The company stated that the employee should have noticed that the link in the email was a bit.ly link and that Google probably doesn't use a free version of Freshdesk.
People make mistakes when they get worried and aren't paying attention. However, two things jumped out at me. Why were they using what sounds like a single shared account? There should have been multiple accounts in use that allow day-to-day operations and don't require what is essentially the "root" account. Second, why wasn't 2FA in use? Google Authenticator works great, and if you want to pop a few dollars you can get a Yubikey hardware device. A9t9 had a bad week, but was able to regain control of their app. Hopefully they will make some changes to keep control of it.