HNNEpisode142

From Paul's Security Weekly

Hack Naked News #142

Recorded September 26, 2017 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
News

    1. Passwords For 540,000 Car Tracking Devices Leaked Online - In the leaked S3 buckets department: The Kromtech Security Center was first to discover a wide-open, public-facing misconfigured Amazon Web Services (AWS) S3 cloud storage bucket containing a cache belonging to SVR that was left publicly accessible for an unknown period. No one is certain whether this information was accessed by attackers, according to the article, which is really concerning. So, you had a bunch of PII and you did nothing to monitor, control or limit access? Unreal...
    2. First Android Malware Found Exploiting Dirty COW Linux Flaw to Gain Root Privileges - While this vulnerability, dubbed Dirty COW, has been patched by Google, malware has caught on and is using it to escalate privileges on Android devices to install malware. More reasons why you should never own an Android phone that does not get the latest Android updates.
    3. iOS 11 Update Includes Patches for Eight Vulnerabilities - A slew of new vulnerabilities have been patched with the introduction of iOS 11. Address bar spoofing is one, and you should be updating your Apple devices as we speak.
    4. Samba Update Patches Two SMB-Related MitM Bugs - More updates for Samba: Samba this week released three security updates, including two related to SMB connections that could be abused by an attacker already on the network to hijack connections and manipulate traffic or data sent from a client. The most serious of the bugs is CVE-2017-12150, where with certain configurations Samba fails to enforce SMB signing in versions 1, 2 and 3. While this may sound like something you can wait to patch, it really isn't, as it allows for easier credential theft.
    5. 2016 SEC Hack May Have Benefited Insider Trading - In the delaying breach disclosure department the SEC reports: “In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.”
    6. Android Lockscreen Patterns Less Secure Than PINs - This is really funny, as the attacker has to be shoulder surfing: An academic study set out to prove whether it’s better to protect your Android phone with a PIN or a swipe pattern. The answer is PIN. At least when it comes to proximity attacks, namely someone lurking about trying to guess your PIN or unlock pattern.
    7. High Sierra Gets Hit By Password Theft 0-Day - There's a vulnerability in High Sierra and earlier versions of macOS that allows rogue applications to steal plaintext passwords stored in the Mac keychain, a security researcher said Monday. That's the same day the widely anticipated update was released. Apple, of course, puts it on the user not to allow malicious apps, and does not have a bug bounty program for macOS. The researcher quoted above is Patrick Wardle.
    8. Adobe's Security Team Reveals Its Private PGP Key - The security blunder of the week goes to Adobe, who leaked their private PGP key. Adobe says: Adobe is aware of the issue and has revoked the PGP key in question and published a new public and private key. The PGP key in question was used exclusively for email correspondence between external security researchers and the Adobe security team, and there is no impact to Adobe customers.
    9. Equifax CEO Richard Smith Retires as Breach Fallout Continues - This continues to be a "feel good" measure by Equifax, replacing senior management in an attempt to improve the company's reputation. Last week we reported other senior managers had either retired or left; now it's the CEO. Let's hope the new management is able to build a security culture.


Expert Commentary

    Phantom Squad Threatens DDoS Unless Protection Fee is Paid

    https://www.welivesecurity.com/2017/09/25/email-ddos-threat/

    The protection racket continues to thrive online! Yesterday a colleague I know announced in Slack that they had received an email from the Phantom Squad threatening to take down their website unless 0.2 bitcoin was paid to them. Then I saw this blog post by Graham Cluley that gave more information. Emails supposedly sent by the Phantom Squad have been arriving in business inboxes demanding that a protection fee be paid to keep your network online.

    Phantom Squad may be a familiar name to you already. After all, they were the group who targeted Xbox Live, Sony Playstation Network, and other video game services with DDoS attacks in December 2015. At this point it is not known whether this threat is from the original Phantom Squad or someone trading on their name. Regardless, these emails are being spammed out without any apparent pattern. It could be a real threat or it could be a complete fake in the attempt to scare money out of victims. Their email adds urgency to the threat by stating:

    “If you don’t pay by Sept 30st 2017, attack will start, yours service going down permanently price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.”

    Right now, 0.2 bitcoin is about $785. 20 bitcoin is about $78,500. The daily 10 BTC increase represents about $39,000. Pretty freaky sounding if you aren’t prepared for it. Suddenly paying $785 doesn’t sound quite as bad.

    So what can you do about it? You can ignore it entirely, with the expectation that this is just a random attempt to defraud you. There’s a good chance that this is all that’s occurring. I might suggest taking the additional step of adding some protection against DDoS. If you are a small business without a lot of money to spend, I’d recommend taking a look at Cloudflare or someone similar to them. These organizations offer DDoS protection at a fairly low price. Using a DDoS protection service raises the bar a bit for the attacker, makes your site more resilient and could make the attacker spend more of their resources in the attempt to take you down.