Hack Naked News #166
Recorded March 27, 2018 at G-Unit Studios in Rhode Island!
- Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
- Check out SOURCE Boston 2018 from May 9th - 10th! Go to sourceconference.com and register using the code SW75WMKW to get a $75 discount!
- Visit securityweekly.com/domaintools to register for our next webcast “Detecting Malicious Domains” hosted by myself and Keith Hoodlet. Tim Helming of DomainTools joins us to show you how to interpret each of the many data points related to a domain. @Wednesday, April 4th 3:00-4:00pm ET
- Speculative Execution Bounty Launch - Microsoft is taking speculative execution vulnerabilities seriously, with their announcement of a new set of bug bounties covered these types of flaws. The highest payout goes to whoever can discover a new class of speculative execution flaws, coming in at $250,000 all the way down to $25k for spotting existing speculative execution flaws in various versions of Windows.
- Facebook Woes Continue as FTC Opens Data Privacy Probe - Facebook is in hot water this week, on multiple fronts. Its so bad they took out ads in popular newspapers, such as the New York Times, and pledged to protect users data. Let's first start with the Cambride Analytica debocle: The investigation stems around Facebook’s acknowledgement earlier this month that since 2015 a third-party application had handed over the data of up to 50 million platform users to Cambridge Analytica – a consulting group that has worked on several high-profile political campaigns, including that of President Donald Trump’s. If that's not enough, it's been reported that Facebook is responsible for collecting your call history and SMS data via the Facebook Messenger Appp: the company had been logging Android users’ call and text history without their permission. Facebook responded to the reports on Sunday saying that some users’ information has been logged, but stressing that the function has “always been opt-in only,” that the information collected doesn’t include the contents of calls or texts, and that the data isn’t sold to third parties. And to top things off, it is still being reported that Alex Stamos, Facebooks former Chief Information Security Officer, will be leaving the company in August of this year. (More references: Facebook and Cambridge Analytica What's Happened So Far and Facebook Collected Your Android Call History and SMS Data For Years).
- Guccifer 2.0s schoolboy error reveals he's hacking from Moscow - Guccifer 2.0, the notorious hacker who is alleged to have compromised the computer systems of the Democratic National Committee (DNC) and stolen opposition research on Donald Trump, has accidentally tipped his hand that he was working for Russian intelligence. The "lone hacker" apparently forgot to enable his VPN, which in turn left some logs at a social media company revealing his real IP address, which was then traced back to Russia's GRU (Russia’s military intelligence division). Oops.
- YouTube isn't for kids - Graham Cluley reports Wired reports, YouTube continues to recommend young kids watch some deeply weird (and sometimes downright disturbing) videos. I have experienced this as well, and at a technical level, I struggle to understand how to classify videos on YouTube as safe for kids, or not. I did recently pick up a Circle by Disney device, which does contain the ability to restrict content on YouTube, so we'll see how that goes.
- iPhone manufacturer Foxconn acquires Belkin, Linksys, and Wemo - Taiwanese hardware manufacturer Foxconn, which is contracted by Apple to make its iPhones, has agreed to acquire accessory firm Belkin and its associated brands, Linksys, and Wemo for $866 million in cash, by way of a merger. They have some serious competition in the market, and it will be interesting to see how, or if, handling of security issues will be impacted. Linksys, in particular, seems to be thrown around like a hot potato in the market after being sold to Cisco, then to Belkin.
- GreyKey iPhone Unlocker - GreyKey has come to market with a device that can unlock iPhones, one is limited and must be Internet connected, the other: However, there is also a $30,000 option. At this price, the device requires no Internet connection whatsoever and has no limit to the number of unlocks. It will work for as long as it works; presumably, until Apple fixes whatever vulnerabilities the device relies on, at which time updated phones would no longer be unlockable.
- GitHub Vuln Scanner Turns Up 4 Million Flaws - Looks like people are actually fixing vulnerabilities discovered by Github's scanning tool: GitHub announced the first run of the security checker turned up “over four million vulnerabilities in over 500,000 repositories”. On that first pass, GitHub's post said, 450,000 of the vulns were resolved by December 1, 2017. In the months since then, “our rate of vulnerabilities resolved in the first seven days of detection has been about 30 per cent. Additionally, 15 per cent of alerts are dismissed within seven days”.
DNS over HTTPS? Could be coming to a browser near you - Mozilla and Cloudflare will begin testing a new method for resolving domain names in the development version of Firefox. The test is planned to begin in the next few weeks and will put DNS requests from the browser over HTTPS to Cloudflare’s systems. An RFC has been published in draft form with the Internet Engineering Taskforce and is titled DNS Queries over HTTPS. Another name for it is Trusted Recursive Resolver via DNS over HTTPS. Both have been shortened to DoH.
The idea behind the proposed standard and test is that DNS is a clear text protocol that is shared with multiple parties, is vulnerable to spoofing, and therefore has security issues that should be addressed. Instead of querying a DNS server directly, your browser would use a DNS api and request resolution for a domain to a service such as one hosted by Cloudflare. The resolution request would use HTTPS and prevent your ISP from seeing the DNS requests and collecting this information. Essentially, the DNS api provider would be performing the DNS request for you (if they didn’t have it cached already), so DNS isn’t going away with this proposal. Just being offloaded to someone else.
For those concerned about privacy, many of the same issues with the current implementation of DNS exists. It would still be possible to collect information about DNS requests that you make. It just wouldn’t be available to your ISP. Instead someone like Cloudflare would be in this position. Cloudflare has said that they will not keep any logs for more than 24 hours and will not store source IP addresses at all. They aren’t the only party involved in testing DNS over HTTPS, as Google has performed their own testing back in November of 2017. Those running the development version of Firefox will have to opt out to avoid being included. Google’s service requires users to opt-in.
There are a number of things that interest me in this proposal. First is the operational component of DoH. Enterprises will need to be ready to support their users if and when this rolls out on a large scale. Well understood behavior of browsers will change at a very fundamental level and that will require preparation to be ready for it. Then there are the privacy concerns that may exist for some individuals and organizations. Do they care that a DoH provider is now the main point for all their browser based name resolution requests? What are the ramifications to that? It is an interesting proposed standard and one that will need to be watched. If for no other reason than we will have to keep track of yet another path to resolve a name to an IP.