HNNEpisode140

From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #140

Recorded September 12, 2017 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • News

    1. Bashware: Malware Can Abuse Windows 10's Linux Shell to Bypass Security Software - Building on CrowdStrike's Alex Ionescu talk he gave at the Black Hat Europe 2016 security conference, Checkpoint researcher's have futher proven the ability of malicious code to execute via the LInux subsytem on Windows 10 computers. Microsoft is making this feature, Dubbed WSL (Windows Subsystem For Linux), stable in the October 2017 release of Windows 10. This means most anti-malware solutions won't pick up on commands run via the Linux subsystem, which turns them into Windows commands and processes, then sends them back to WSL. No word on if Microsoft will change the architecture or if security vendors will just have one more attack vector to protect against, most likely the latter.
    2. Android Users Vulnerable to High-Severity Overlay Attacks - Threatpost has reported the following vulnerabilty exists in all Android phones not running the latest Oreo release stating : Security researchers warned of a high-severity Android flaw on Thursday that stems from what they call a “toast attack” overlay vulnerability. Researchers say criminals could use the Android’s toast notification, a feature that provides simple feedback about an operation in a small pop up, in an attack scenario to obtain admin rights on targeted phones and take complete control of them. So, if you have a Pixel, you can be, and should be running Oreo. If your phone does not support Oreo, or you have no idea when your carrier will release an update, you may want to either 1) Get a pixel or 2) switch to an iPhone.
    3. Wireless BlueBorne Attacks Target Billions of Bluetooth Devices - according to researchers at IoT security firm Armis that found the attack vector, the so-called “BlueBorne” attacks can jump from one nearby Bluetooth device to another wirelessly. It estimates that there are 5.3 billion devices at risk. - So, it appears that this is a real threat. Several vulnerabilities have been discovered in the core Bluetooth stacks for all major platforms, including Android, Windows, iOS and Linux. For more detailed information please visit https://www.armis.com/blueborne/ to see which devices are affected and if there are patches available.
    4. Hackers Can Remotely Access Syringe Infusion Pumps to Deliver Fatal Overdoses - US CERT has issued a warning because Independent researcher Scott Gayou has identified eight vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump. New models are being planned for 2018, however in the mean time there are a handful of vulnerabilities, some of which could allow an attacker to manipulate the device remotely and affect patient care. Healthcare organizations have it rough when it comes to security as some recommendations for remediation include monitoring network activity for malicious servers, installing the pump on isolated networks, setting strong passwords, and regularly creating backups until patches are released. None of which actually fix the problem...
    5. Researcher Discloses 10 Zero-Day Flaws in D-Link 850L Wireless Routers - In the more IoT news is not good news department: These zero-day vulnerabilities were discovered by Pierre Kim—the same security researcher who last year discovered and reported multiple severe flaws in D-Link DWR-932B LTE router, but the company ignored the issues. According to Kim, "the Dlink 850L is a router overall badly designed with a lot of vulnerabilities. Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused."
    6. Samsung Launches Bug Bounty Program Offering up to $200,000 in Rewards - Dubbed Mobile Security Rewards Program, the newly-launched bug bounty program will cover 38 Samsung mobile devices released from 2016 onwards which currently receive monthly or quarterly security updates from the company. The bounty will include a number of phones and even services such as Samsung Pay.
    7. Apache Struts 2 Flaws Affect Multiple Cisco Products - As this is typically the case when popular open-source software has some haneous vulnerabilities, major vendors are rushing to patch, including Cisco: Some of Cisco products including its Digital Media Manager, MXE 3500 Series Media Experience Engines, Network Performance Analysis, Hosted Collaboration Solution for Contact Center, and Unified Contact Center Enterprise have been found vulnerable to multiple Apache Struts flaws.


    Expert Commentary with Jason Wood

    Apple’s IOS 11 will make it even harder for cops to extract your data

    https://www.wired.com/story/apples-ios-11-will-make-it-even-harder-for-cops-to-extract-your-data


    Largely unheralded features of the upcoming IOS 11 steps Apple’s efforts to protect mobile devices up even further. Apple already has built the devices to where even they don’t have a way to bypass data security controls on the devices. This can lead to some tense situations with law enforcement when they determine they need access to forensic data on a device. An example of this is when the FBI and Apple went toe to toe over the iPhone of one of the San Bernardino shooters. That one needed an exploit by a third party security company to get around.


    Here are the new features included in IOS 11:

    - Trusting a new computer when connecting your iPhone to it requires the 6 digit PIN
    
    - IOS 11 includes an “SOS” feature that when you push the home button 5 times, it disables TouchID
    


    • This means that some cannot simply plug an unlocked phone into a computer, take a backup and then examine the data on their own. They still need the PIN to make the connection. I’m not sure how much this would really hamper law enforcement other than Customs and Border Protection. They have made use of the this process to make a copy of a phone and then examine the contents of phones without a warrant.
    • The interesting one to me is the SOS feature. Courts have ruled that defendants cannot invoke 5th amendment rights to prevent the use of their fingerprint to unlock a device. Where the defendant can refuse to divulge a PIN. They may still get slapped with contempt of court, but perhaps that’s preferable to what they were accused of. Now they have the chance to push the home button 5 times and boom, the phone no longer unlocks using TouchID. Even the act of forcing a prisoner to touch the home button becomes a riskier.
    • I’m a bit mixed on some of these defenses. Mobile devices are easy to walk off with and Apple’s made it pretty hard to compromise a device even with physical access. Government agencies appear to be getting pretty free with how they interpret searching through your data. At the same time, law enforcement has a legitimate need to access mobile devices to prosecute accused criminals. And at this point, just about any phone has valuable data on it even with crimes that don’t appear computer related. Mark this up as an security improvement that will increase tensions with law enforcement.