HNNEpisode163

From Paul's Security Weekly

Hack Naked News #163

Recorded February 22, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
Announcements

    • Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
    • Check out SOURCE Boston 2018 from May 9th - 10th! Go to sourceconference.com and register using the code SW89AEE2 to get a $100 discount!
    • InfoSec World is March 19-21st of 2018. It is at Lake Buena Vista, Florida. Security Weekly subscribers can save 15% off the InfoSec World 2018 Main Conference or World Pass with the code OS18-SW!
    • Security Weekly listeners save $100 off their registration for a full Conference Pass. Go to www.secureworldexpo.com and use the discount code SecurityWeekly, and join us at SecureWorld Boston!

    News

    1. Intel ships (hopefully stable) microcode for Skylake, Kaby Lake, Coffee Lake - I really like this description from Peter at Ars Technica: The microcode updates help address Spectre variant 2 attacks. Spectre variant 2 attacks work by persuading a processor's branch predictor to make a specific bad prediction about which code will be executed. This bad prediction can then be used to infer the value of data stored in memory, which, in turn, gives an attacker information that they shouldn't otherwise have. The microcode update is designed to give operating systems greater control over the branch predictor, enabling them to prevent one process from influencing the predictions made in another process.
    2. How to protect your browser from Unicode domain phishing attacks - In short, there is a browser plugin that will detect this condition as described by Graham Cluley on his blog: There are countless ways in which bad guys can take advantage of the many Unicode characters that look remarkably similar to common ASCII characters. Which means that you and I are at risk of visiting a site believing it to be legitimate, when in fact it's designed to scam us in what is known as an IDN Homograph attack.
    3. Drupal Releases Security Updates - If you are running Drupal, God bless you first of all, there are a number of vulnerabilities fixed in recent versions. The most critical include an information leakage in the comments subsystem in addition to a cross-site scripting condition. Users are encouraged to upgrade to Drupal versions 7.57 or 8.4.5.
    4. Shopping for a VPN app? Read this. | Consumer Information - If you are evaluating VPN clients the FTC has published some guidelines. These are pretty basic suggestions, such as checking the app permissions, verifying whether or not the app actually encrypts your data, and understanding the privacy limitations.
    5. Hacker Who Never Hacked Anyone Gets 33-Month Prison Sentence - Turns out you don't have to actually hack anything to be sentenced for computer crimes as Taylor Huddleston, 26, of Hot Springs, Arkansas, discovered when he pleaded guilty in July 2017 to one charge of aiding and abetting computer intrusions by building and intentionally selling a remote access trojan (RAT), called NanoCore, to hackers for $25. Besides the 33-month prison sentence handed down by judges on Friday, Huddleston also gets two years of supervised release.
    6. Israeli Security Firm Says They Can Hack Any iPhone - The speculations are the most fun part of this article: What isn't clear is whether the company is using a vulnerability that they have kept to themselves and not reported, if they are using some sort of brute-force mechanism, or the hack requires hardware access. Either way, if you're an iPhone owner it's possible your device may not be as secure as you think.
    7. Tech Legend Steve Wozniak Scammed Out of $70K in Bitcoin - CoinDesk - Woz learned a valuable lesson about Bitcoin as he states: "Somebody bought them from me online through a credit card and they cancelled the credit card payment," he went on to say. "It was that easy. And it was from a stolen credit card number so you can never get it back."
    8. Man sues Microsoft for $600M after a forced Windows upgrade destroyed his PC - Somehow I think his chances of winning are pretty slim: “Frank K. Dickman Jr.” of Albuquerque, N.M., files a lawsuit seeking damages of $600 million from Microsoft and its CEO Satya Nadella. The plaintiff’s PC, an Asus laptop, came loaded with Windows 7, but then became “non-functional immediately” when the upgrade to Windows 10 failed, according to the complaint filed in the United States District Court for the District of Colorado earlier this month.


    Commentary

    LA Times Cryptojacking Attack Due to Insecure AWS Storage

    File this event as another example of why we need to treat our cloud configuration the same as any on-premises system. The LA Times was hit with a cryptojacking attack last week due to a world-writable S3 bucket. The researchers at Bad Packets Report actually found this one because they ran into the writable bucket. Then they discovered the malware. One thing that made me chuckle at this bit of malware is that it actively attempted to keep its activity below 30% CPU utilization to avoid detection. Apparently someone else left a note in the bucket to indicate the issue. The note read, “Hello, this is a friendly warning that your Amazon AWS S3 bucket settings are wrong. Anyone can write to this bucket. Please fix this before a bad guy finds it.” Nice try guys, but no one noticed.

    Anyhow the issue was finally resolved after Bad Packets Report notified the LA Times. Now, this is not the first time we’ve mentioned incidents due to bad S3 configurations. So I thought it might be useful to discuss a way to help us address this. And that is through scripting and automation.

    Amazon AWS is written with a target audience of developers. It has an extensive API that allows you to do pretty much anything that’s possible in AWS. So let’s make use of that. I’ve done a little scripting against AWS and so I did some quick digging to see what we can do. There is an important thing that we’ll need in preparation for this. You must have an API key issued to you. And you must resist the urge to request an API key with admin access. After all, we just want to pull data from AWS, not reconfigure it. This is not to say that a read-only API key is not sensitive and doesn’t need to be protected. It absolutely does, but at least if something were to get changed unexpectedly we can’t be blamed for it because of our scripts.

    We would want our script to be fairly resilient and able to handle changes in the environment. So what should our script do? Here are a few ideas.

    1. Query the S3 service for buckets in all regions. Just because we aren’t using an EU region today, it doesn’t mean that we won’t be later.
    2. For each bucket that we pull, grab its name and any reference data we need for the region.
    3. Pull the permissions for each bucket and save that off into a list.
    4. Read through the list and make note of any world-writable buckets. Don’t know what that would look like? Create one briefly, query it to get the resulting data and then delete the bucket.
    5. Finally, have your script sound a high-priority alert on it.

    That may or may not sound like a lot to do, but it isn’t really that complicated. Using a Python library like Boto 3, you can do this fairly easily. A simple request to get and print out the permissions on a bucket is just a few lines of Python. Obviously, what I just described above would take more code, but it would still be very simple to do. Take some time to brush up your scripting skills and give this a try. It might save you a headache later on.

    Simple example of using Boto 3 to pull S3 bucket permissions
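The five steps above, written out here as an added illustration with Boto 3 (this is not code from the show or its hosts): it assumes a boto3 S3 client built from read-only credentials, and the ACL it embeds is a constructed stand-in for what `get_bucket_acl` returns on a world-writable bucket.

```python
"""Audit every S3 bucket's ACL for world-writable grants (added example)."""
from typing import Dict, List

# Well-known S3 ACL group URI; AllUsers means anonymous, unauthenticated access.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
# Any of these lets the grantee put objects or rewrite the ACL itself.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed sample of what get_bucket_acl() returns for a world-writable
# bucket (step 4 suggests creating one briefly to see this shape yourself).
SAMPLE_WORLD_WRITABLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "0123abcd"},  # placeholder
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

def public_write_grants(acl: Dict) -> List[str]:
    """Return the write-class permissions granted to AllUsers in an ACL
    response; an empty list means the bucket is not world-writable."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS:
            if grant.get("Permission") in WRITE_PERMS:
                found.append(grant["Permission"])
    return found

def audit_buckets(s3) -> List[Dict]:
    """Steps 1-4: list every bucket (one call covers all regions, since the S3
    namespace is global), record its region, fetch its ACL, keep offenders."""
    findings = []
    for bucket in s3.list_buckets().get("Buckets", []):
        name = bucket["Name"]
        # S3 reports us-east-1 as LocationConstraint None.
        loc = s3.get_bucket_location(Bucket=name).get("LocationConstraint")
        perms = public_write_grants(s3.get_bucket_acl(Bucket=name))
        if perms:
            findings.append({"bucket": name, "region": loc or "us-east-1",
                             "permissions": perms})
    return findings

if __name__ == "__main__":
    import boto3  # read-only credentials (list/location/ACL) are sufficient
    for f in audit_buckets(boto3.client("s3")):  # step 5: raise the alarm
        print(f"HIGH: s3://{f['bucket']} ({f['region']}) grants {f['permissions']} to AllUsers")
```

Bucket policies can also grant anonymous s3:PutObject, so a complete audit would inspect `get_bucket_policy` as well as the ACL.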

