HNNEpisode137

From Paul's Security Weekly

Hack Naked News #137

Recorded August 22, 2017 at G-Unit Studios in Rhode Island!


Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
News

    1. Raspberry Pi OS refresh: Raspbian's update to Debian Stretch is out now | ZDNet - includes new versions of pre-installed Raspbian applications, Bluetooth improvements, changes to the default login, and a key security fix. Also, the pi user will no longer have sudo access without a password. Good to see some security improvements to the Raspbian distribution, though I do wish they would force a user to set a password for the pi user, instead of just disabling SSH by default.
    2. Two zero-day vulnerabilities disclosed after Foxit refuses to patch PDF Reader - Two code execution vulnerabilities were discovered by two separate researchers in Foxit's PDF reader. Both researchers contacted Foxit about the issues shortly thereafter with the intention of following a 120-day responsible disclosure timeline. But they ultimately decided to disclose the flaws early after Foxit revealed it had no intention of fixing the bugs. Rather than just fixing the vulnerabilities, Foxit said this: "Foxit Reader & PhantomPDF has a Safe Reading Mode which is enabled by default to control the running of JavaScript, which can effectively guard against potential vulnerabilities from unauthorized JavaScript actions."
    3. Game Developers Warned of Remote Vulnerability in Unity - The popular Unity game platform—used by professionals and hobbyists alike—is vulnerable to remote compromise because of a flaw in the Windows game editor, the company warned on Aug. 18. Unity advised developers who use the Windows version of its editor to update immediately. Users of the Mac version of the editor are not affected, but the company released a new Mac version as well to keep the software synced between the two platforms. Not much in the way of details is available; however, distributing a vulnerable library, or worse, a backdoored library, is seemingly more common today.
    4. Killer robots are coming, and Elon Musk is worried - Executives are worried about the real-life version of Skynet: "Lethal autonomous weapons threaten to become the third revolution in warfare," the group of CEOs and CTOs wrote in an open letter organized by the Future of Life Institute and released Sunday. "Once developed, they will permit armed conflict to be fought at a scale greater than ever, and at timescales faster than humans can comprehend. These can be weapons of terror, weapons that despots and terrorists use against innocent populations, and weapons hacked to behave in undesirable ways." I do believe we have more pressing issues, but good to ready your EMP when the machines start attacking.
    5. Doctor Implanted 6 MicroChips Under His Skin to Unlock Doors and Secure Data - It has been reported that a Siberian doctor has already implanted not one, but at least six microchips underneath his skin and turned his body into a multi-functional gadget for doing a number of jobs by just a wave of his hands. Now typically these devices are based on RFID technology. In fact, Security Weekly host Larry Pesce implanted one in his hand, in my kitchen mind you, and it was recorded as a segment which has since been misplaced. We need to find it. We did this several years ago and I believe it is still implanted to this day. Other researchers have implanted NFC chips in their hands to more easily hack into your smartphone. This sits somewhere between biometrics and hardware-based multi-factor authentication, as it is not so easy to change, but does solve the problem of your authentication token not being close by when you need it, or being easily lost. Is this the future? Perhaps. In the meantime, PLEASE DO NOT attempt any of this at home. Please, just don't!
    6. Secret chips in replacement parts can completely hijack your phone's security - The concern arises from research that shows how replacement screens—one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0—can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. The worst part of this is detectability: it is very difficult to differentiate a valid replacement part from a malicious one, visually anyhow. This is an interesting attack, and should make us question where parts are coming from and the best way to test them for backdoors.
    7. Facebook Awards $100K to Researchers for Credential Spearphishing Detection Method - The technique, Directed Anomaly Scoring (DAS), operates in a non-parametric fashion, cherry-picking what Ho and company call the most suspicious events from an unlabeled dataset. The technique ranks events by how dubious they appear. Interesting, sounds pretty close to what is being termed as machine learning. It should be noted the team was able to detect 6 of 9 KNOWN spear phishing attacks. It remains to be seen if the technology will be useful in the real world.

    Expert Commentary: Jason Wood, Paladin Security

    Sonar-based attack could help hackers infer when you're having sex

    Here's some cool, but rather freaky, research from four researchers at the University of Washington. The researchers questioned whether a smartphone device could be used to track an individual without their knowledge, then set out to find a new way of doing so. Their answer to this question was to use the same principles behind sonar to track people as they moved around in a room. They were able to use the stock speakers and microphones in phones and TVs to perform their analysis. They created an Android app to perform the spying.

    The speakers played the sonar “pings” at high volume at 18-20 kHz, which is generally difficult to hear. They went further to disguise the pings by playing them along with music with strong percussion. The sound waves then bounced off of the individual moving around the room and were picked up by the device’s microphones. From this they were able to build a 2D map of where the target was in the room, detect how long they were in a position and when they started moving again. It gets better though. The technique worked when the device was in another room and the door between them was closed. They were also able to tell when someone was moving around while in the same position, such as doing pushups or “other” exercises. The differences were described as linear motion and rhythmic motion. Using some analysis, the attacker would be able to determine whether someone was doing their exercise in bed and if there was more than one person there.

    There are a number of caveats here for this to work. The attacker would need their target to install their application and play music via a substantial enough speaker to be heard throughout the private space. The attacker would also need to pick this data up somehow to review. In this project it was done via Bluetooth. Still, it’s a pretty clever bit of work and they did a nice job demonstrating their work. It does have the potential to look at your Alexa or other smart device a bit closer, as it is always listening to what we are doing and is frequently used to control and play music. Just another example of how we are increasingly allowing third parties into our homes and how they could be abused.

    https://www.grahamcluley.com/sonar-based-attack-could-help-hackers-infer-when-youre-having-sex/