HNNEpisode135

From Paul's Security Weekly

Hack Naked News #135

Recorded August 8, 2017 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
News

    1. Lawsuit Alleges Disney Illegally Tracks Children Via Apps - Shame on you Disney: The lawsuit goes on to allege that Disney and the defendants collected personal information belonging to children without their parents' permission. There were no disclosures or mechanisms in the app that prompted the plaintiffs to give their consent. This is especially the case for Disney Princess Palace Pets, an app for Android and Apple devices made by Disney that is at the crux of the lawsuit. It's all fun and games until you start collecting data on children without permission.
    2. After phishing attacks, Chrome extensions push adware to millions - In the "there is always a way" department: Google has poured hundreds of millions of dollars into fortifying the security of Chrome, making it resistant to the kinds of drive-by attacks that used to be common and still happen on occasion to competing browsers. But two Chrome extension account hijackings in five days suggest that extensions are one of the more effective ways attackers can target Chrome users.
    3. News in brief: Ariana Grande hacked - Via Instagram, and then they posted racist terms and profanity. I could not agree more with this statement from Naked Security: we hope that Grande has enabled two-factor authentication on her account, which Instagram introduced back in March, and Ariana, if you're reading this, do have a look at our tips for securing your account.
    4. Man Who Hacked his Former Employer Gets 18-Month Prison Sentence - This is not cool: Jason Needham, 45, was sentenced for breaching the computer networks and email of his former employer, Allen & Hoshall. Needham, a co-owner of HNA Engineering, admitted to breaking into Allen & Hoshall's servers over a two-year period to download copies of rendered engineering schematics and access more than 100 PDF documents with information including his rival's project proposals and budgetary documents.
    5. Critical Flaws Found in Solar Panels Could Shut Down Power Grids - The research demonstrates that it is possible for hackers to gain control of a large number of inverters and switch them OFF simultaneously, causing an imbalance in the power grid that could result in power outages in different parts of Europe. According to the researcher, the attack works by causing an imbalance in the power grid: since the grid needs to maintain a constant balance between the supply of power and the demand for power, an excess of supply or demand could cause outages. All of the vulnerabilities have been disclosed to the vendor and patches are being issued as we speak.
    6. SSD Advisory D-Link 850L Multiple Vulnerabilities (Hack2Win Contest) - The vulnerabilities were found by the following researchers while participating in Beyond Security's Hack2Win competition: Remote Command Execution via WAN and LAN (Zdenda); Remote Unauthenticated Information Disclosure via WAN and LAN (Peter Geissler); Unauthorized Remote Code Execution as root via LAN (Pierre Kim). This is the same story we've covered for years: wireless routers run insecure firmware. Someday we hope to have security built in to these devices, but this will require the security community to work harder at raising the bar for IoT device security and awareness.
    7. Google Patches 10 Critical Bugs in August Android Security Bulletin - The bulk of the vulnerabilities (49 in all) were tied to Android's problem-plagued Media Framework, which includes MediaServer, AudioServer, CameraServer and more. The update also included a slew of patches fixing elevation of privilege vulnerabilities ranked high and moderate, affecting everything from Android kernel components to chipsets made by MediaTek, Broadcom and Qualcomm.
    8. Hotspot Shield VPN Accused of Spying On Its Users' Web Traffic - So not cool, FTC please put these folks out of business: The Hotspot Shield VPN app promises to "secure all online activities," hide users' IP addresses and their identities, protect them from tracking, and keep no connection logs while protecting its users' internet traffic using an encrypted channel. However, according to research conducted by the CDT along with Carnegie Mellon University, the Hotspot Shield app fails to live up to these promises and instead logs connections, monitors users' browsing habits, redirects online traffic and sells customer data to advertisers.
    9. US Military To Shoot Down Consumer Drones - "We retain the right of self-defence and when it comes to... drones operating over military installations, this new guidance does afford us the ability to take action to stop those threats," Navy Captain Jeff Davis said in a written statement, adding that this included "tracking, disabling and destroying" the aircraft. Maybe capture rather than destroy?

    Expert Commentary: Hacking Back

    Marcus Hutchins arrested

    The original Date Bomb

    Transmission and Access

    Transmission means that the defendant somehow pushed the damage onto a computer in the custody of someone else.

    US v. Sullivan (another date bomb)

    Shaw v. Toshiba -- faulty software deleted data on customers' drives

    Access -- did you intentionally access a protected computer? "Without authorization" (WA) means you don't have an account; "exceeding authorized access" (EAA) usually means an insider with credentials. WA can apply to just about any violation (e.g. accidentally deleting a file while breaking in); EAA would not apply to accident or negligence by employees.

    Damage -- any impairment to the integrity or availability of data, a program, a system, or information. Damage occurs when an intruder changes the way a computer is instructed to operate. Escalation of privilege is damage (US v. Middleton).

    References

    https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/CCHS-ActiveDefenseReportFINAL.pdf - main story

    https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf - good reference

    http://www.pcworld.com/article/2038226/hacking-back-digital-revenge-is-sweet-but-risky.html

    Computer Fraud and Abuse Act (CFAA), 1986 (18 U.S.C. § 1030)

    https://www.washingtonpost.com/business/technology/cyberattacks-trigger-talk-of-hacking-back/2014/10/09/6f0b7a24-4f02-11e4-8c24-487e92bc997b_story.html?utm_term=.8b2c15489acd