From Paul's Security Weekly
Hack Naked News #151
Recorded November 28, 2017 at G-Unit Studios in Rhode Island!
- Go to itpro.tv/hacknaked and use the code HN30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription. To learn more about ITProTV's team solution, sign up for a free demo of their supervisor portal.
- Hear from Larry Pesce and Paul Asadoorian, our resident wireless security enthusiasts, about the current attack landscape for wireless devices. Paul Paget joins us to show how Pwnie Express’ Pwn Pulse tool is helping organizations get a handle on the problem. This webcast is being held on Thursday, December 7, 2017 from 3-4pm EST. Register now at securityweekly.com/pwnie!
- Chris Martin steps into the hot seat on this webcast to talk about LogRhythm’s point-of-view on today’s threat landscape! This webcast is being held on Wednesday December 13, 2017 from 3-4pm EST. Register now at securityweekly.com/logrhythm.
- Exim-ergency! Unix mailer has RCE, DoS vulnerabilities - "According to a November 2017 study by E-Soft, Exim is by far the most popular MTA on the Internet, in use on nearly 57 per cent of MX servers it identified." which means, there are a lot of people who need to get patching as a remote code execution bug was discovered, and apparently publically disclosed. The good news is this line: chunking_advertise_hosts =" will protect you until an official patch is tested and released.
- Imgur Confirms 2014 Breach of 1.7 Million User Accounts - Data breaches are bad, but inevitable in today's world. Imur has 1.7 million records that, well, no longer only belong to Imgur. Troy Hunt said out that of the 1.7 million passwords and email address pairs he reported to Imgur last week, 60 percent of the passwords and email addresses were already in the HaveIBeenPwned repository and also stated Imgur did a great job with the response. Make sure you regularly check the haveibeenpwned.com website to see if any of your accounts have been leaked and change your passwords.
- Firefox To Warn Users When Visiting Pwned SItes - I mean, or you could just run an upcoming version of Firefox: Mozilla developers revealed the organisation's Firefox browser will soon warn users if they visit sites that have experienced data breaches that led to user credential leaks. in collboration with, you guessed it, haveibeenpwned.com.
- SAML Post-Intrusion Attack Mirrors Golden Ticket - CyberArk researchers summed up the issue nicely: “Golden SAML poses a serious risk because it allows attackers to fake an identity and forge authentication to any cloud app (Azure, AWS, vSphere, etc.) that supports SAML authentication. Using this post-exploit technique, attackers can become any user they want to be – with the highest level of privileges – and gain approved, federated access to a targeted app,”. This is similar to the Golden Ticket attacks against Kerberos as implemented in Active Directory. Not much in the way of defense, and no help from Microsoft: Microsoft doesn’t consider this a vulnerability because in order to carry out a Golden SAML attack an adversary must already have compromised a company’s network and have domain admin access Booo.
- Uber paid hackers $100,000 to keep data breach quiet - So, last week it was discovered that a 2016 Uber data breach resulted in the theft of 57 million records, including passengers and drivers names, email addresses, and phone numbers. According to reports, here's how it happened: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company. Further reports state: "[Uber] paid hackers $100,000 to delete the data and keep the breach quiet."
- Open source nameserver used by millions needs patching - El Reg reports: Open source DNS software vendor PowerDNS has advised users to patch its "Authoritative" and "Recursor" products, to squish five bugs disclosed today. None of the bugs pose a risk that PowerDNS might itself be compromised, but this is the DNS: what an attacker can do is fool around with DNS records in various ways.
- New Mirai Botnet Variant Found Targeting ZyXEL Devices In Argentina - No word on just how large this botnet has become, however: The targeted port scans on ports 2323 and 23 TCP are actively looking for vulnerable internet-connected devices manufactured by ZyXEL Communications using two default telnet credential combinations—admin/CentryL1nk and admin/QwestM0dem—to gain root privileges on the targeted devices.
- $10,000 Facebook Bug Deleted Photos And Rigged Polls - A security researcher discovered an interesting way to delete images from other people's Facebook accounts using a flaw that (quote): allowed him to preview pictures uploaded online by strangers, and add them to a poll, and when he deleted that poll, the attached images were permanently deleted from the social network as well. Facebook fixed this bug and rolled it out in the span of two days. Nice response.
Expert Commentary: Voting (In)Security
- $400 Million to secure future elections... interesting. Why that number? Because that's what is left over from the 2002 "Help America Vote Act"
- Proposed: replace machines
- Also included: blame Russia ... actually, stop (because there is no evidence)
- On the upside, a Cybersecurity Campaign Playbook has some good ideas (but easy to express isn't always easy to execute)
- Notable suggestions: use "proven" systems instead of homegrown, use MFA, etc.
- It points out that campaigns collect info, are quickly staffed, and scale rapidly – thus hot targets; this is important broader than campaigns, too
- Bottom line: don't waste money on technology we don't understand (or even need) for the sake of "doing something" - instead, let's focus on the real problems we need to solve and find a way to advance them together - across the industry and community