From Paul's Security Weekly
Hack Naked News #136
Recorded August 15, 2017 at G-Unit Studios in Rhode Island!
- Too many big online brands allow terrible passwords - Dashlane, a company providing secure authentication mind you, has evaluated the password security of major sites. This doesn't disqualify the company's findings, however, which were measured against five criteria: minimum password length, the enforcement of alphanumeric passwords, whether a strength assessment is offered, resistance to brute-forcing (in other words, locking accounts after too many incorrect attempts), and whether or not multi-factor authentication is available. Some big sites scored 0 out of 5 in the aforementioned categories: Uber, Spotify, Pandora and Netflix, along with Walmart, Instagram, Pinterest, SoundCloud, Evernote, Macy's and Dropbox. While this type of news never seems to go away, it will take some time before 1) average users choose passphrases instead of passwords and 2) everyone uses some type of two-factor auth. Until that day, well, usability will rule.
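To make the five criteria concrete, here is an added example (not from the show, and not Dashlane's scoring code) of the server-side checks behind them: a password policy with a minimum length and an alphanumeric rule, a crude strength assessment, lockout after repeated failures, and an MFA step after a correct password. The thresholds (8 characters, 5 attempts) and all names are assumptions for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MIN_LENGTH = 8           # assumed threshold; the show notes give no numbers
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold
@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    mfa_enabled: bool = False
    failed_attempts: int = 0

def _hash(password: str, salt: bytes) -> bytes:  # salted, slow hash for the stored credential
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def validate_password(candidate: str) -> list:
    """Return policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must contain both letters and digits")
    return problems

def strength_score(candidate: str) -> int:
    """Crude 0-4 strength assessment: length >= 12, mixed case, a digit, a symbol."""
    return sum([len(candidate) >= 12,
                any(c.islower() for c in candidate) and any(c.isupper() for c in candidate),
                any(c.isdigit() for c in candidate),
                any(not c.isalnum() for c in candidate)])

def new_account(username: str, password: str, mfa_enabled: bool = False) -> Account:
    """Reject the password at sign-up if it breaks the policy, else store a salted hash."""
    if problems := validate_password(password):
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return Account(username, salt, _hash(password, salt), mfa_enabled)

def attempt_login(account: Account, candidate: str) -> str:
    """Returns 'locked', 'denied', 'mfa_required' or 'ok'; locks after repeated failures."""
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return "locked"  # brute-force resistance: no further guesses are even checked
    if hmac.compare_digest(_hash(candidate, account.salt), account.pw_hash):
        account.failed_attempts = 0
        return "mfa_required" if account.mfa_enabled else "ok"
    account.failed_attempts += 1
    return "locked" if account.failed_attempts >= MAX_FAILED_ATTEMPTS else "denied"
```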
- APT28 Using EternalBlue to Attack Hotels in Europe, Middle East - One of the goals of the attack is to trick guests into downloading a malicious document masquerading as a hotel reservation form that, if opened with macros enabled, installs a dropper file that ultimately downloads malware called Gamefish. Gamefish establishes a foothold in targeted systems as a way to install the open source tool called Responder, according to FireEye. So, when traveling, trust no one, not even the hotel network. Tether to your phone; it usually works much better and provides a better level of security, in theory anyhow.
- Researchers encode malware in DNA, compromise DNA sequencing software - INSecurity, it's in our DNA: With everyone from academics to Microsoft looking at the prospect of storing data using DNA, it was probably inevitable that someone would start looking at the security implications. Apparently, they're worse than most people might have expected. It turns out it's possible to encode computer malware in DNA and use it to attack vulnerabilities on the computer that analyzes the sequence of that DNA. The researchers didn't find an actual vulnerability in DNA analysis software; instead, they deliberately built a version of some software with an exploitable vulnerability to show that the risk is more than hypothetical. Still, an audit of some open source DNA analysis software shows that the academics who have been writing it haven't been paying much attention to security best practices.
- Hackers Mock FireEye With Second Data Dump - I've been unable to confirm any details on this second leak, and it would seem that someone has a bone to pick with Mandiant. However, and again, there is no real evidence yet of a major breach, and some of the reporting sites (such as the second Pastebin leak link) are not available at the time of this show. Just putting the word out there: don't believe everything you read on the Internet.
- Indian Police Arrest Four For Game Of Thrones Leak - Indian police have arrested four people suspected of leaking an episode of the hugely popular TV show Game of Thrones before it was aired. Three of the accused are current employees of Prime Focus Technology, while one is a former employee.
- Gmail now warns iOS users about suspicious links, in fight against phishing threats - Google announced last week that it is bringing anti-phishing security checks to its Gmail app for iOS, displaying a warning when a user clicks on a suspicious link in a Gmail message on an iPhone or iPad. This is good; users need all the help they can get. I just hope this will not cause pop-up fatigue, and users will then be more inclined to click past security alerts.
- Hundreds of 'smart' locks bricked by flubbed remote update - With RemoteLock 6i models, Airbnb hosts create custom access codes for each of their guests without giving them the lock's physical key. As such, they sleep easy at night knowing a former guest can't burgle their rental property using a stolen key or discarded access code. Those custom access codes are stored on LockState's servers. Meaning? A RemoteLock 6i needs connectivity, or no one's getting in with a code. Wait, you mean all the codes for all the locks are stored on the Internet? This could have been much worse!
- WannaCry Security Researcher Pleads Not Guilty to Creating Malware - Security researcher Marcus Hutchins, also known by his online alias 'MalwareTech', has entered a plea of not guilty against charges that he created the Kronos banking trojan. Hutchins entered the plea in a Milwaukee, WI federal courthouse on August 14. Hutchins is being represented by Marcia Hofmann, an attorney for the EFF. The more I read about this story, the more it seems like Marcus is the good guy, especially if the EFF, and Marcia Hofmann, are representing him.
Expert Commentary: Don Pezet, ITProTV
Critical vulnerability in Juniper routers and switches: