HNNEpisode139

From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #139

Recorded September 5, 2017 at G-Unit Studios in Rhode Island!

Episode Audio


Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • News

    1. Router flaws put AT&T customers at hacking risk - four vulnerabilities have been disclosed by a independent researcher Joseph Hutchins affect AT&T's U-Verse Internet customers. One of the vulnerabilities is a hardcoded credential flaw that One estimation said as many as 138,000 routers are vulnerable to attackers, according to a tweet by Victor Gevers, chairman of the GDI Foundation, a Dutch non-profit organization dedicated to internet security. . Others requiring brute-forcing and a little more effort could potentiall affect millions of customers. Check out Joseph's blog here: https://www.nomotion.net/blog/sharknatto/ for information on how to remediate these vulnerabilities on your own as the manufacturer is "still investigating" and AT&T has not release a comment.
    2. Security-focused phone launches crowdfunding drive - Purism, a San Francisco-based company that makes security-focused laptops, which says it has “a strict belief in users’ rights to privacy, security, and freedom”. Purism said last month that it would be adding a smartphone (pictured) to its product range, the Librem 5, which it says will “empower users to protect their digital identity in an increasingly unsafe mobile world”. No doubt this will increase your privacy, however, many of your apps will rely on HTML5 in your browser and there are some plans to support Android in emulation mode. This may not see widespread adoption as customers choose the apps, not the platform, but may find a home for the more security nerds, like many of you listening.
    3. Oops! WikiLeaks Website Defaced By OurMine - The notorious hacking group, OurMine, is known for breaching into high-profile figures and companies' social media accounts, including Facebook CEO Mark Zuckerberg, Twitter CEO Jack Dorsey, Google CEO Sundar Pichai, HBO, Game of Thrones and Sony's PlayStation Network (PSN). According to screenshots circulating on Twitter, the official website of WikiLeaks has reportedly been defaced by the OurMine hacking group, who left a message on the site The motive? Your guess is as good as mine, my guess is street cred.
    4. Catching the hackers in the act - Cyber-criminals start attacking servers newly set up online about an hour after they are switched on, suggests research. The servers were part of an experiment the BBC asked a security company to carry out to judge the scale and calibre of cyber-attacks that firms face every day. About 71 minutes after the servers were set up online they were visited by automated attack tools that scanned them for weaknesses they could exploit, found security firm Cybereason.
    5. Leak of >1,700 valid passwords could make the IoT mess much worse - Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 "Internet of things" devices and make them part of a destructive botnet. The list of telnet-accessible devices, currently posted at this Pastebin address, was first posted in June, but it has been updated several times since then. It contains user names and passwords for 8,233 unique IP addresses, 2,174 of which were still running open telnet servers as of Friday morning
    6. Multiple Android Chipset Bootloader Bugs Discovered - Smartphone bootloader firmware should be secure even if the operating system is compromised. But researchers have found five flaws in major chipset vendors' code that leave the process vulnerable. The vulnerabilities have been found by a group of researchers from the University of California, Santa Barbara, who've built a tool called BootStomp to automatically detect security flaws in bootloaders, which load the OS kernel when devices are turned on. The tool identified six zero-day flaws in two bootloaders after analyzing code from four large chipset makers, including Qualcomm, MediaTek, Nvidia, and Huawei. They also rediscovered a known flaw in a Qualcomm bootloader using the tool. Five of the six new-found flaws have been confirmed by the vendors. It is important to note this breaks the entire chain of trust associated with the OS and all apps, and make take a long time to implement the fixes, if ever for some devices.
    7. Chinese Man Jailed Over Using VPNs To Evade State Blocks - In the "opposite of freedom" news: Deng Jiewei, from Guangdong, was charged with illegally selling programs known as virtual private networks (VPNs), according to court papers. VPNs are illegal in China because they let people avoid government monitoring of what they are doing. The sentence is part of a larger crackdown on the use of VPNs in China.

    Expert Commentary: Jason Wood, Paladin Security

    (The Lack of) Honor Among Thieves

    This is shocking! Can you imagine the nerve of malware authors selling you malware that gives the author a backdoor into YOUR botnet?? And yet this is what happens from time to time. The Naked Security blog had a write up today on a RAT named Cobain. The tool has all kinds of neat features such as a key logger, webcam control, remote code execution and screen capture capabilities. However, it has another unadvertised feature as well. An encrypted library that gives the Cobain developer access to everything you infect with your purchased malware!

    Cobain appears to be a Microsoft Excel file for initial infection. It has a secondary payload to see if the operator who purchased the malware is online or not. If they are, then Cobain works to evade detection and plays "nice". If the purchasing operator is offline, then Cobain downloads the IP addresses of the malware author's command and control and comes under the author's control. Thanks for paying for the privilege of spreading someone else's malware!

    So yes, it's easier to purchase malware than write it, but you may just find yourself out of money and out of a bonnet. There's no honor among thieves.

    https://nakedsecurity.sophos.com/2017/09/05/would-be-cyberattackers-caught-by-malware-with-a-sting-in-the-tail/