HNNEpisode149

From Paul's Security Weekly

Hack Naked News #149

Recorded November 15, 2017 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Michael Santarcangelo
    Founder of Security Catalyst, author of Into the Breach, and creator of the Straight Talk Framework.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.

    Announcements

    • Onapsis has a webcast on November 16 from 3-4pm. The Onapsis research team uncovered four vulnerabilities in SAP and fifteen in Oracle business applications. Sebastian Bortnik, Head of Onapsis Research Labs, will join Paul for this webcast to talk about the technical details and the risk to your organization! Visit securityweekly.com/onapsis to register today.
    • Go to itpro.tv/hacknaked and use the code HN30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription. To learn more about ITProTV's team solution, sign up for a free demo of their supervisor portal.

    News

    OnePlus inadvertently left a backdoor on its phones

    https://www.engadget.com/2017/11/14/oneplus-leaves-backdoor-on-phones/

    • Phones from the last few years (including the OnePlus 5) include EngineerMode — a root-level testing app
    • If an attacker has physical access, they can use this to access your phone without having to unlock the bootloader
    • OnePlus issued a statement saying it will release an update to remove it

    Retail Chain Forever 21 Warns of Data Breach

    https://www.wsj.com/articles/retail-chain-forever-21-warns-of-data-breach-1510700746

    • Investigation focused on card transactions in stores from March until last month
    • Received the report from third-party that payment-card systems in some stores may have been breached
    • Of interest: “The company said it appears that some registers in some Forever 21 stores were affected when the encryption wasn’t operating.”

    Consumers Don't Trust Businesses Can Protect Their Data

    https://www.darkreading.com/mobile/consumers-dont-trust-businesses-can-protect-their-data/d/d-id/1330321

    • “Companies failing to handle their customers' data responsibly may find 87% of their customers will take their business elsewhere, according to the PwC survey.” — total crap
    • “Financial firms face a 3%-point increase in customer churn if they fail to explain to customers why the incident or breach happened in the first place, the Carnegie Mellon report states.”
    • These stories keep popping up, but they are perception and opinion based and don’t yet match actual actions. Keep that in mind before using these as leverage or “proof” in your efforts.

    Most People Aren't Using This Critical Web Security Feature

    http://fortune.com/2017/11/07/cybersecurity-2fa-two-factor-authentication/

    • Turns out it’s 2FA or MFA
    • According to a survey by Duo Security, only 28% are using 2FA and 56% hadn’t even heard of it
    • “One source of the problem may be the jargon—‘2FA’ or ‘two-factor authentication’—used to describe a simple security concept: the requirement for an extra step, such as a text message code, when someone tries to login from an unfamiliar device.”
    • Are companies doing enough? Are you?

    With Amazon Key’s launch, customers and lawyers have lots of questions

    https://arstechnica.com/tech-policy/2017/11/whose-fault-is-it-if-something-goes-wrong-after-you-install-amazon-key/

    • Would you give Amazon access to unlock your door? What if there was a camera?
    • Wait, what does Amazon see?
    • Interesting concept with lots of issues we’ll wade through

    ADT Expands Cybersecurity Business with Purchase of Datashield

    https://www.darkreading.com/threat-intelligence/adt-expands-cybersecurity-business-with-purchase-of-datashield/d/d-id/1330417
    http://www.zdnet.com/article/adt-acquires-datashield-aims-to-blend-physical-and-cyber-security/

    • Going after large enterprises and mid-sized companies
    • Interesting merger of physical and cyber capabilities (managed detection and response)
    • This is just the beginning; this might drive some exciting changes, too.

    SEC Says Companies Can Expect New Guidelines on Reporting Cybersecurity Breaches

    https://www.wsj.com/articles/sec-says-companies-can-expect-new-guidelines-on-reporting-cybersecurity-breaches-1510267201
    http://www.thinkadvisor.com/2017/11/13/secs-top-3-enforcement-priorities

    • Cybersecurity is a top three priority; not just for individual accounts, but for broader market manipulation
    • Announced last week that public companies will “soon face new guidelines for how they report cybersecurity breaches to investors.”
    • Keep in mind that breaches are only symptoms; are we focusing on the wrong things?
    • Maybe they’ll look into when a company needs to actually disclose. Or insider trading?
    • Guidelines aren’t regulation, but they can’t easily be ignored, either. We’ll keep watching.

    More IT Professionals Turn to Cybersecurity Roles

    https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/more-it-professionals-turn-to-cybersecurity-roles.aspx

    • 6 million tech jobs in the US; 2 million are cybersecurity!
    • 8 out of 10 tech professionals are “mostly satisfied,” but 51% are interested in working on/in cybersecurity issues
    • Aside: 30% interested in IoT and 20% interested in AI — both big players in the security space

    Expert Commentary: Boeing 757 Testing Shows Airplanes Vulnerable to Hacking

    Here’s an interesting bit of news in the “wow, they did that!” category. According to a November 8, 2017 article by Avionics Today, the US Department of Homeland Security was able to compromise a Boeing 757 remotely using RF communication on September 21, 2016. The DHS team was made up of “government, industry and academic” individuals who were able to remotely compromise an airplane sitting on the tarmac. I’ll let that settle in for a second before we continue…

    So what is the story here? Well, for some reason the DHS decided to take one of the airplanes that it owned and dedicate it to some security testing for a little while. Perhaps Chris Roberts’ posts about using wireless networks for passengers to attack the flight controls caught someone’s attention. Either way, the DHS decided to see what they could do. According to Dr. Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate, they received the aircraft on September 19, 2016 and within two days had compromised the plane via a previously known RF weakness. This wasn’t done in a lab environment, nor did they have an initial foothold somewhere. Dr. Hickey went on to say, “[Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.”

    This event apparently shocked the heck out of commercial pilots when they were told of the issue during a technical briefing. So while the weakness was known to some segment of the aviation world, the pilots themselves had no idea that the issue existed. Unfortunately (or fortunately) for us, the actual details of the test are classified, so this is about all the information that is known.

    Now before anyone starts to panic, keep in mind that this was an older Boeing 757. Systems in planes change over the years as new models are released. Systems that are in a Boeing plane from the 80s probably aren’t in an Airbus built in the 90s or even a Boeing built in the 90s. What’s probably not news to anyone listening to this podcast is that complicated systems that make extensive use of software and communications with external systems end up having security flaws. The plane that was tested was built in a time when no one thought about protecting from someone hacking an airplane. Reportedly that has changed, with newer models of airplanes such as the 787 being designed with security defenses in mind. Hopefully that’s a rigorous design process with lots of testing to try to make it fail.

    Very, very few of us have an influence in this situation; however, here’s the thing that we can take away from it. There are more and more products being implemented that have lots of interaction with people. Automobiles are a prime example. We’ve got IoT gear that is controlling access to our homes, deploying microphones throughout them, and watching us via cameras. People and companies are coming up with all kinds of wild stuff. These are all being built with limited focus on security and primary focus on getting to market. They can be very complicated systems and will have security flaws in them. These flaws will lead to impacts that no one expects. We have to all be evangelists for security in our organizations, even if security isn’t in our job title. There are lots of news articles available to demonstrate what happens when security is not taken into design. Use relevant articles to show what could apply to your organization. It may be understandable why a plane built in 1983 didn’t have security designed into it, but it’s 2017 and there’s lots of evidence why security needs to be a component of design now.
