HNNEpisode159

From Paul's Security Weekly

Hack Naked News #159

Recorded January 30, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
Announcements

  • Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
  • Also check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand. Currently On-Demand we have webcasts with: Cybereason, Onapsis, Signal Sciences, and Stealthbits!

News

  1. Vulnerable industrial controls directly connected to the Internet? Why not? - ICS-CERT recently updated a report on Siemens PLCs: Zhu WenZhe from Beijing Acorn Network Technology has identified password leak and denial-of-service (DoS) vulnerabilities in Siemens' S7-300 and S7-400 programmable logic controllers (PLCs). Siemens has released Security Advisory SSA-731239 with advice to mitigate these vulnerabilities. Ars Technica has reported that several hundred (or more) potentially vulnerable PLCs are directly connected to the Internet and accessible. Ruh-Roh!
  2. Crypto-jackers slip Coinhive mining code into YouTube site ads - The hijacking of CPU cycles through crypto-mining JavaScript has surged over the past few days, according to security firm Trend Micro. The reason appears to be a distribution campaign that piggybacks on Google's DoubleClick ads, which appear on YouTube among other sites. Google is working to play whack-a-mole, as it always has on multiple fronts with YouTube. This campaign is mining Monero, a cryptocurrency favored by online criminals and others because of its privacy features.
  3. Stop dilly-dallying. Block all ads on YouTube - Graham Cluley warns us of the dangers of not blocking ads: even Google, one of the world's largest advertising companies (with its own considerable security prowess), seems to be incapable of guaranteeing a stream of safe ads. What hope is there for the other advertising networks if Google can't get it right?
  4. Windows emergency patch: Microsoft's new update kills off Intel's Spectre fix - The Spectre and Meltdown saga continues: Microsoft has released an emergency Windows update to disable Intel's troublesome microcode fix for the Spectre Variant 2 attack. Not only was Intel's fix causing reboots and stability issues, but Microsoft also found that in some circumstances it resulted in the worse outcome of data loss or corruption.
  5. Hard-coded Password Lets Attackers Bypass Lenovo's Fingerprint Scanner - And it's even worse than I expected, as Lenovo states: A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed on. So, you will want to be rolling out updates if you are using this hardware.
  6. Heat Map Released by Fitness Tracker Reveals Location of Secret Military Bases - Over the weekend, the popular fitness tracking app Strava proudly published a "2017 heat map" showing activities from its users around the world, but unfortunately the map revealed what it shouldn't: locations of United States military bases worldwide. The article suggests that military bases should prohibit the use of smartphones and connected devices. This is, well, challenging at best.
  7. Linux Monitoring Tool Detects Meltdown Attacks - According to ITProToday, SentinelOne has released a free tool to detect Meltdown attacks. It works as follows: the Meltdown exploit generates patterns that can be monitored during an attack. The Blacksmith monitoring tool uses Linux's built-in perf events facility to leverage the performance counters on modern chipsets and monitor processes for malicious caching behavior. For older processors and virtual environments, Blacksmith identifies a specific type of page fault that indicates a Meltdown exploitation attempt. For Spectre, I got nothing, yet...
  8. Malwarebytes Delivers Buggy Patch That Spikes CPU and RAM Usage - I hate it when this happens: Malwarebytes apparently shipped a buggy update that may be affecting both Home and Enterprise systems. The issue comes from a protection update that was released over the weekend to Malwarebytes' Home and Enterprise users. The update caused several problems, including excessive memory usage, system crashes, and connectivity issues. The protection update was pulled back 16 minutes after the rollout had begun; by then, however, it had been installed on a large number of devices running Malwarebytes. Malwarebytes is touted as a "trusted" AV vendor. I mean, I guess there is an inherent level of trust associated with all software vendors, and in Malwarebytes' defense they did pull the update back rather quickly, but it begs the question: how are you testing the updates?

Expert Commentary

Fitness tracking potentially outing military users

I'm sure a number of listeners are familiar with the fitness devices and apps that are available out there. We've got Fitbits, Garmins, Apple Watches, RunKeeper, Strava and more. They make tracking our activity level so much easier. You turn it on, go for a run or ride, and get a wealth of information about where you went and how you performed. It's great! Except when the vendor makes a heat map of running activity that reveals military locations and patrols. Oops.

Strava operates one of these platforms and recently released a heat map that shows activity levels logged to its platform. The more people running a route, and the more frequently they run it, the more brilliantly it shines. It's cool and you may find it motivating. But if you are a soldier or marine who is trying to keep up your fitness while deployed, there could be some problems. You might be in a location that the military isn't known to be in. In fact, there are some tweets people have made which show activity that could be a base in Somalia or patrol activity in Turkey.

Apparently disabling the tracking features is not very intuitive, and they can still be partially enabled when you think you have them turned off. The data released by Strava is apparently old on a scale of months, but it apparently has had some issues with not being sufficiently anonymized. If you make a request for a specific geographic area, you can get the names and performance levels of individuals. If you are working in intelligence and get sucked into this, you could find it having an impact on your career. Being outed by name is not a good thing if you do covert-related work. Some of the hype around military bases being mapped with this information seems to be overblown. The maps are overlaid on satellite imagery that shows streets, paths, etc. The base was already mapped before Strava added its data. But still, you can see this making people in government squeamish as they contemplate the impact of this tracking.

The takeaways from this? Well, if you are concerned about your information being disclosed like this, then you should take a hard look at the privacy settings on the apps. If you are assigned to an area that requires long-term anonymity, then consider leaving your fitness tracker at home. People have run and biked successfully for years without these devices. Perhaps you can get by without using them for a few months. If you are a company that provides services relating to tracking the locations of your users, be very careful with the data you are collecting and how you release it publicly, and think about some of the more unusual impacts that could occur. I'm sure Strava was thinking about the benefits to its athletic user base, but it just didn't occur to them what could be figured out about their users with a more sensitive job.

https://labs.strava.com/heatmap/

https://www.welivesecurity.com/2018/01/30/privacy-fitness-tracking-apps-spotlight-soldiers-exercise-routes-shared-online/#new_tab

https://nakedsecurity.sophos.com/2018/01/30/secret-military-bases-revealed-by-fitness-app-strava/

https://twitter.com/jack_dot_bin/status/957415671666696192
