HNNEpisode138

From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #138

Recorded August 29, 2017 at G-Unit Studios in Rhode Island!

Episode Audio


Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • News

    1. CIA Created Bogus Software Upgrade To Steal Data From NSA, FBI - The data-stealing Trojan was created as part of a CIA project called ExpressLane, a piece of software installed by CIA Office of Technical Service (OTS) agents under the guise of upgrading the CIA's biometric collection system. This biometric system is installed at the 'liaison services' or partners such as the NSA, Department of Homeland Security, and the FBI, according to WikiLeaks, which released the ExpressLane documents as part of its Vault 7 collection. and so: It's unlikely this specific version of ExpressLane is still supported given the documents are dated 2009 and describe functionality for Windows XP. I'm certain none of this activity is still happening today though....
    2. Microsoft yanks buggy patch of a buggy patch, KB 4039884 - There’s no official confirmation, and no explanation of course, but overnight Microsoft pulled a patch that was supposed to fix the main problems in this month’s Windows 7 security updates. Turns out the patch removes a DLL used by other software, such as the Dell Support Assistant, which you probably don't want to run anyhow, so I would call this patch a success! Still, the lack of details from Microsoft is very Apple like, so cut that out.
    3. SAP point-of-sale systems were totally hackable with $25 kit - Point-of-Sale systems from SAP had a vulnerability that allowed them to be hacked using a $25 Raspberry Pi or similar device, according to research unveiled at the Hack in the Box conference in Singapore last week. Critical vulnerabilities in SAP's POS – since resolved – created a means for hackers not only to steal customers' card data but to gain unfettered control over the server, enabling them to change prices of goods with the help of a simple device, according to ERPScan. Good news is, this has been fixed, well at the least the patch is available, bad news: Point-of-Sale systems from SAP had a vulnerability that allowed them to be hacked using a $25 Raspberry Pi or similar device, according to research unveiled at the Hack in the Box conference in Singapore last week.
    4. CVS App Sends Your Location To Outside Servers, Researchers Say - Thanks to a coding error with the CVS app, the massive US retail pharmacy has been inadvertently sharing users' locations with more than 40 web servers, privacy experts say. Basically this app sends you location data to other destinations other than CVS. This App is horrible, btw and I am not surprised by this finding. Being a user of this app makes me want to cry, and I can tell the development team was not top-notch. CVS also declined to comment, which also does not surprise me.
    5. Secret NSA Code In Intel Chips Opens Backdoor To Computers - It seems some government customers can request Intel's always-on Management Engine (ME) 'master controller' for its CPUs to be disabled.That's not an option for the general public, but researchers at Russian security firm Positive Technologies have found a way to use these government-only privileges to disable ME. Yea, so not cool implementing features, even if its disabling features as a feature, to only select customers.
    6. FTC to Issue Refunds Following Tech Support Scam - The Federal Trade Commission (FTC) is notifying victims of a tech support scheme who are eligible for partial refunds, the commission announced today. Hundreds of thousands of people were deceived in an operation that ran from April 2012 to November 2014. Love this positive news and there is a $10 million dollar pool of money to pay back to the victims.
    7. Telnet Credential Leak Reinforces Bleak State of IoT Security - This is not new, but a testament to this problem having no solution. JOhannes comments: “It remains to be seen if legislation is needed to secure these devices, or some form of certification that would be reflected in a simple to identify logo,” he added. “But I do think we may end up with some kind of legislation that may prohibit the sale of devices that are not considered safe, similar to what we have for food or electrical appliances.”
    8. WireX DDoS Botnet: An Army of Thousands of Hacked Android SmartPhones - A team of security researchers from several security firms have uncovered a new, widespread botnet that consists of tens of thousands of hacked Android smartphones. Dubbed WireX, detected as "Android Clicker," the botnet network primarily includes infected Android devices running one of the hundreds of malicious apps installed from Google Play Store and is designed to conduct massive application layer DDoS attacks. Google has removed the offending apps, but two things 1) Google HAS to come up with a better way to improve the integrity of the Android app store and 2) its only a matter of time before ransomeware on Android becomes more widespread and forces Google's hand.
    9. Google wants you to bid farewell to SMS authentication

    Expert Commentary: Jason Wood, Paladin Security

    Judge scales back data demand on inauguration riot-related web host

    This blog post on the Naked Security blog gave a pretty good writeup on a search warrant issued by the Department of Justice in regards to violent protesting that occurred during the inauguration of Donald Trump. The reason for the warrant is pretty straight forward. The government believes that a website using the domain disruptj20.org was used to coordinate violent action ahead of the inauguration. A number of individuals were armed with hammers, crowbars, sticks, and other weapons. The government believes the group was coordinating their activity as they moved “as a cohesive unit” for a dozen city blocks and “engaged in violence and destruction” as they went. Six police offers were hurt by this group. The investigation by the government to find and prosecute those who injured others and engaged in destruction is understandable and commendable. I’m all for it.

    The website at disruptj20.org was hosted by Dreamhost, so they were the recipient of a search warrant to that requested any and all information associated with this web site. This would include all files, log files, etc. Dreamhost refused to comply with the search warrant and stated in their opposition motion that the warrant was too broad and would violate the First Amendment rights of protesters who also used the site, but did not engage in violent action.

    The federal government replied to this motion with their own motion stating that they were not interested in the individuals who engaged in protesting the president or prevent anyone form exercising their First Amendment rights. However the First Amendment does not cover those whose expression is used to incite lawless activity.

    If you read the motions, you will see there was additional legal wrangling that was going back and forth. Ultimately the judge overseeing the case implemented additional safeguards to protect the lawful protesters, narrowed the time window for the data to be collected and instructed prosecutors to explain why anything they want to seize is relevant to the investigation.

    Phew! Ok, so what is the takeaway here? The major point that stands out to me is that just because organizations receive a search warrant to seize data from a server, does not mean they do not have recourse to push back if they feel the warrant is overly broad. Dreamhost obviously felt that there were some issues with this warrant that required them to push back and narrow the warrant. Tech companies can find themselves in a tight spot in situations like this. They may have evidence needed by law enforcement to try and convict individuals for criminal activity. At the same time, it’s very easy for law enforcement and prosecutors to be lazy about putting together their warrants. Essentially saying “give us anything and everything” instead of determining what would be necessary. This situation was of additional sensitivity due to the political overtones of the case being investigated. I personally think Dreamhost did the right thing by filing their opposition to the warrant as it was originally written. Doing so certainly cost them some money, but it did force the government to think about what they were asking for and only ask for that which was justified by the investigation at hand. It’s important to protect our constitutional rights and that means sometimes we need to file our legal opposition to make the government think more closely about what it is requesting to do its job.

    https://nakedsecurity.sophos.com/2017/08/25/judge-scales-back-data-demand-on-inauguration-riot-related-web-host