HNNEpisode156

From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #156

Recorded January 9, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
  • Annoucements

    • Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
    • Also check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand. Currently On-Demand we have webcasts with: Cybereason, Onapsis, Signal Sciences, and Stealthbits!

    News

    1. With WPA3, Wi-Fi will be secure this time, really, wireless bods promise - the Wi-Fi Alliance on Monday announced the arrival of WPA3 as the successor to WPA2, the flawed but widely used network security protocol for Wi-Fi communication today. WPA2 has some security issues as it allows anyone within range to boot people off a Wi-Fi network with a DEAUTH attack, and then, of course, there is Kraken. WPA3-certified devices should start appearing later this year. They will include features like improved protection when users choose weak passwords and improved security setup on devices with limited or no interface screens. WPA3 will introduce some new encryption techniques, including Opportunistic Wireless Encryption (OWE).
    2. Critical Unpatched Flaws Disclosed In Western Digital 'My Cloud' Storage Devices - Security researchers have discovered several severe vulnerabilities and a secret hard-coded backdoor in Western Digital's My Cloud NAS devices that could allow remote attackers to gain unrestricted root access to the device. My Cloud devices create a "Private cloud" which means, remote access to your files that live in your home network. In addition to a remote file upload vulnerability in a PHP script, yup, I just said that Researchers also found the existence of a "classic backdoor"—with admin username "mydlinkBRionyg" and password "abc12345cba," which is hardcoded into the binary and cannot be changed. Other vulnerabilities included CSRF and command injection. Upgrading firmware to version 2.30.174 may fix some of the issues, however, they researchers have not tested these resolutions, and some users are reporting some of the vulnerabilities remain.
    3. Bad docs and blue screens make Microsoft suspend Spectre patch for AMD machines - Microsoft has suspended delivering the latest Windows update to certain systems with AMD processors after reports that the update was causing the machines to crash with a blue screen of death when booting. The update contains countermeasures against both the Meltdown and Spectre attacks; although AMD systems are not affected by Meltdown, they're vulnerable to Spectre. Apparently, some issues were found in the documentation for AMD chips, according to Microsoft, which led to the issues. Pass the buck anyone?
    4. Until your anti-virus adds this Registry key, you aren't getting any more Windows security updates - Microsoft has said that customers who are running certain anti-virus products will not receive its bundle of January 2018 security patches (including mitigations against the Spectre and Meltdown CPU flaws) unless their products certify that they don't make unsupported calls into Windows kernel memory. For an updated list, see here: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true
    5. Apple Releases Multiple Security Updates - If you own any Apple devices, you will likely be applying updates: NCCIC/US-CERT encourages users and administrators to review Apple security pages for the following products and apply the necessary updates to macOS High Sierra 10.13.2 , OS X El Capitan 10.11.6 and macOS Sierra 10.12.6 , iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

    Expert Commentary: Doug White, The Flaw in our CPU Stars

    AMD Security Flaw

    Google Cloud Security Team found a vulnerability in TPM (trusted platform module) of AMD Secure Processing


    Part of the Coprocessor Component (PSP/Platform Security CoProcesser)

    How this all works:

    • So the normal CPU manages all these things like the OS functions (kernel) and basic apps that are running on the system.
    • Protecting certain transactions means that embedded apps may be used to "trust" certain components or "secure" certain operations.
    • FED -- When we process coins, who cares. When they process hundreds, several embedded actions take place. Cameras, guards, etc. to watch the stacks offload.
    • So this ARM module is embedded in the CPU back in 2012 as a place to conduct trusted operations like passwords and certificates processing. In theory, this area is "safe" and separate from the rest of the applications and processes.

    What happened, with AMD:

    • A function called EkCheckCurrentCert can be buffer overflowed as a means to execute code on the trusted side by using an EK Certificate designed to exceed the bounds (there is no bounds checking on this function).
    • So, this is the equivalent of a root shell inside the TPM if the CPU CP!
    • //USE the example of the old password stored on the hard drive in plain text.
    • ASLR -- randomize address space. This is a function that basically ensures that the memory stack is not static. NOT FOUND.
    • NX BIT -- This is like and ID for each memory page which says, go/no go on execution. NOT FOUND.
    • Canary -- The Stack Canary is a method of protecting against stack overflow where the return address is protected and thus stack overflows can't easily happen. NOT FOUND.

    - So, basically, what you think is safe is not.

    • //Security through obscurity again...Just because stack analysis is hard, who would ever look there.


    References:


    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+