HNNEpisode150

From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #150

Recorded November 21, 2017 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Don Pezet
    CTO and Co-Founder of ITProTV, EdutainmentLIVE host, industry veteran, Weird Al aficionado.
  • Annoucements

    • Go to itpro.tv/hacknaked and use the code HN30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription. To learn more about ITProTV's team solution, sign up for a free demo of their supervisor portal.

    News

    1. Google Collects Android Location Data Even When Location Service Is Disabled - Did you know Each time your Android device comes within the range of a new cell tower, it gathers the cell tower address and sends this data back to Google when the device is connected to a WiFi network or has a cellular data enabled.. This is according to an independent study that also states this feature cannot be disabled. Although the company said that it never used or stored this location data it collected on its users and that it is now taking steps to end this practice, this data could be used to target location-based advertisement when the user enters any store or restaurant. According to Google, Android phones will no longer gather and send cell-tower location data back to Google by the end of this month.
    2. Microsoft abandons typical Patch Tuesday playbook to fix Equation Editor flaw - This is one of the more interesting fixes from Microsoft this year. After some careful analysis, it appears that Microsoft fixed this buffer overflow by directly modifying the binary, not re-compiling from source. Further evidence suggests that Microsoft may not have the source code, or permission to modify the source code, as the Equation editor was developed by a third-party. While interesting, this is still an out-of-band patch, which Microsoft typically only release if it's important, so get patchin'!
    3. Github To Devs: Now You'll Get Security Alerts On Flaws In Popular Software Libraries - If you are including vulnerable libraries in your code, Github will point them out to you. Nice feature, The alerts are based on public vulnerabilities in Ruby gems and NPM, the package manager for Node.js, on MITRE's Common Vulnerabilities and Exposures (CVE) List. GitHub will add Python to its vulnerability alert service in 2018. Now if only we could get a similar program for Wordpress...
    4. Amazon to fix Key home security vulnerability - Don't get me wrong, I hate it when I miss a package delivery, in fact, I missed one this morning. While annoying, I'm not certain it's a good idea to give delivery people access to your home or business, as is the case with Amazon's Key technology. Amazon Key allows the delivery person to unlock your door, then under careful surveillance of a webcam, leave your package(s) and exit. However, researchers discovered that they could jam the Wifi on the camera, freezing it in a known good state, then steal all of your belongings. Amazon claims it will fix the vulnerability.
    5. Germany slaps ban on kids' smartwatches for being 'secret spyware' - Germany takes privacy seriously The German telecoms regulator has banned the sale of children's smartwatches that allow users to secretly listen in on nearby conversations. They are recommending that the devices be destroyed! Yikes, explaining that one to your kids is going to be interesting.
    6. US-CERT Warns of ASLR Implementation Flaw In Windows - Will Dormann, a senior vulnerability analyst at CERT discovered that “Windows 8 and later fail to properly randomize every application if system-wide mandatory ASLR is enabled via EMET or Windows Defender Exploit Guard,” Dormann wrote. Under those specific conditions a flawed implementation could create an opportunity for an attacker to pull off a memory-based attack. No patch exists yet for this vulnerability, the US-CERT bulleting said. However, a workaround is offered starting with enabling system-wide bottom-up ASLR on systems that have system-wide mandatory ASLR.
    7. Patch on way 'this week' for HP printer vulns - Sysadmins have been advised to watch for a coming HP printer firmware update that will plug a remote code execution vulnerability (among others) in its MFP-586 and the M553 printers. News of the threat emerged from a Foxglove Security deep-dive into printer security that saw the researchers warn HP of problems in August. The post, by Foxglove's Steeve Breen, said “HP notified us that a fix has been developed and is being released this week.”
    8. Intel Patches Management Engine for Critical Vulnerabilities - Intel has released patches for the firmware representing Intel Management Engine (ME), Intel Server Platform Services (SPS), and Intel Trusted Execution Engine (TXE). Researchers will be presenting the findings at the upcoming Blackhat Europe conference on December 6th. Pretty scary: "The main system can remain functional, so the user may not even suspect that his or her computer now has malware resistant to reinstalling of the OS and updating BIOS." There is a detection tool, however, with the holiday break coming up this represents some bad timing.

    Amazon S3 Buckets with Don Pezet, ITProTV

    Don Pezet has been working in the IT industry for over 18 years. In addition to working with the technologies, he has also been training others for over 12 years. He is a certified trainer with many vendors including Microsoft and Cisco. His combination of real-world experience, textbook knowledge, and a questionable sense of humor have helped him to entertain and educate thousands of people.


    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+