HNNEpisode168

From Paul's Security Weekly

Hack Naked News #168

Recorded April 10, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Check out SOURCE Boston 2018 from May 9th - 10th! Go to sourceconference.com and register using the code SW75WMKW to get a $75 discount!
    • Visit securityweekly.com/domaintools to register for our next webcast “Detecting Malicious Domains” hosted by myself and Keith Hoodlet. Tim Helming of DomainTools joins us to show you how to interpret each of the many data points related to a domain. @Wednesday, April 4th 3:00-4:00pm ET

    Security News

    1. Google bans cryptomining Chrome extensions because they refuse to play by the rules - After a policy that previously permitted them, Google has decided to remove any and all Chrome extensions that mine for cryptocurrencies after finding that too many developers didn't play by the company's rules. We need to see more of this. Apple has set the standard for providing a secure app store. Sure, it's not 100% foolproof, nothing is, but it's so much better than the ecosystems created by Chrome, WordPress, Android and more...
    2. Delta, Sears Breaches Blamed on Malware Attack Against a Third-Party Chat Service - Security researchers are pinning a recent data breach – that potentially exposed the credit card information of hundreds of thousands of Delta Air Lines and Sears Holdings customers – on weak third-party security policies. Yea, but you can't just blame a 3rd party, there are well-defined processes, and companies, that will help assess 3rd party risk. You should use them...
    3. Intel Admits It Won't Be Possible to Fix Spectre (V2) Flaw in Some Processors - Time to buy a new computer! These vulnerable chip families, which are mostly old and went on sale between 2007 and 2011, will no longer receive microcode updates, leaving more than 230 Intel processor models that power millions of computers and mobile devices vulnerable to hackers.
    4. Authentication Bypass Vulnerability Found in Auth0 Identity Platform - This one is scary, I mean you're an authentication company and someone found an authentication bypass. Yikes, but the response was solid: The security firm reported the vulnerability to the Auth0 Security Team in October 2017. The company acted very fast and addressed the weakness in less than 4 hours.
    5. Critical Code Execution Flaw Found in CyberArk Enterprise Password Vault - Now, don't freak out, but here's the thing: security companies can have vulnerabilities too, and it's all about the way they handle the situation, and CyberArk has done a great job with the response: The technical details of the vulnerability and exploit code came only after RedTeam responsibly reported the vulnerability to CyberArk and the company rolled out patched versions of the CyberArk Password Vault Web Access. Enterprises using CyberArk Password Vault Web Access are highly recommended to upgrade their software to version 9.9.5, 9.10 or 10.2.
    6. Jail for white collar pirates who stole from Oracle - Bottom line, do not mess with Oracle, because, well, ninja lawyers: The struggle between software giant Oracle and services company Terix has finally concluded with the latter’s CEO and co-founder Bernd Appleby being handed two years in jail. A US tech exec being put behind bars is not an everyday occurrence but, then again, what Oracle accused Terix of doing was not a run-of-the-mill crime. According to Oracle’s 2013 accusation, along with a separate company Maintech, Terix had illegally obtained software patches and firmware from Oracle’s Solaris support site, secretly distributing them to their own customers on a commercial basis.
    7. Ransomware Named Most Prevalent Malware in Verizon's 2018 DBIR - Not only that, but US-CERT is up in arms about ransomware too: Ongoing Threat of Ransomware | US-CERT
    8. Facebook privacy: How to watch Mark Zuckerberg at congressional hearings - Well, it might be too late to watch live, but I am sure there will be a recording somewhere: Facebook CEO Mark Zuckerberg has arrived on Capitol Hill and is set to answer lawmakers' questions over the social network's handling of user data in the Cambridge Analytica scandal. Should be interesting to watch and listen...
    9. New Ransomware Locks Your Files Unless You Play 'PUBG' - Very creative ransomware: Everyone loves PlayerUnknown's Battlegrounds, and one piece of ransomware seems to love it so much it’s willing to lock down your computer’s files until you spend quality time with the game. First spotted by MalwareHunterTeam and first reported by BleepingComputer, PUBG Ransomware is a bizarre program that encrypts a user’s desktop files—including all subdirectories—with a .PUBG extension. “Your files is encrypted by PUBG Ransomware! but don’t worry! It is not hard to unlock it,” splash screen for the program says. “I don’t want money! Just play PUBG 1 hours!”
    10. The world's most popular YouTube video has been hacked - Graham Cluley points out my favorite article of the week: Hackers have managed to deface an array of popular YouTube music videos, changing titles and thumbnail images. Amongst the victims was the most-viewed YouTube video of all time, “Despacito” by Puerto Rican singer Luis Fonsi featuring rapper Daddy Yankee. The video, which has been watched an astonishing five billion times, had its thumbnail changed to an image of armed masked robbers from TV heist drama “La Casa de Papel” (also known as “Money Heist”) and a message added underneath saying “Free Palestine.” The videos affected are all part of the Vevo service, and the theory is there is an issue with Vevo, and not a widespread vulnerability and exploit for YouTube...

    Expert Commentary

    UPNP becomes Universal Plug and Proxy according to Akamai Whitepaper

    Today’s commentary is from something near and dear to Paul’s heart: pwning home routers via UPnP. For years people have been saying that UPnP is a terribly insecure protocol and is ripe for abuse. According to a white paper by Akamai, the days of abuse are now. Akamai states that this protocol is actively being used by attackers and, due to badly designed devices, is being compromised remotely.

    So what is UPnP, you ask? Basically, UPnP was built to make things easier for home users to get the functionality they want out of other devices. In particular, setting up port forwarding rules from the internet to internal devices. For example, you fire up your gaming console and want to play with your buddies. UPnP allows your gaming console to send a request to your router to open up a port forward to the console so that you can group up with everyone. No need to look up what port needs to be forwarded and then configure it on your router. Very convenient, but no authentication required either. The security posture of your device is changed on the fly. Now imagine this protocol being exposed to the internet. Yeah… problems.

    Akamai cites a number of instances where security researchers have commented on the issues of badly implemented UPnP. One of note was in 2013, when Rapid7 performed scans of the internet to identify devices that have UPnP available on the WAN interface of routers. They found about 80 million devices at the time. Akamai goes on to discuss how this can be abused to set up what they call UPnProxies on these devices.

    First, the attacker scans for devices that are running UDP/1900 on the internet. It’s a UDP port so scanning can be a bit hit and miss, but UDP is fairly well understood and it should be fairly easy to craft a valid request. If the device is making UPnP available to the internet, the attacker then starts making configuration changes to the router to set up port forward rules. Attackers are using this ability for bypassing censorship, spamming, click fraud, credit card fraud, DDoS, botnets and more. Some of these chains of UPnProxies are so convoluted that they are extremely difficult to unravel if you are investigating them. Not great for law enforcement, but useful for an attacker.

    The white paper includes some scripts you can use to check your router at home, plus a list of known vulnerable devices. If you attempt to use the scripts, be aware that copying and pasting them into a shell script will cause issues. The double and single quotes in the PDF will not translate well to your text editor and will make bash complain. Go take a look at the white paper and make sure that your home router isn’t getting caught up in this. The list of vendors that have messed this up is extensive. The link to the white paper is in the show notes.
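
As an added example for checking your own router (this is not one of the white paper's scripts and not code from the show), the Python below audits port-forward entries that have already been pulled from the router on the LAN side and flags any whose internal client is not a LAN host. The SOAP field names are the standard UPnP IGD WANIPConnection port-mapping arguments; the sample responses, the LAN range and the "off-LAN target needs review" heuristic are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample data: two SOAP bodies shaped like UPnP IGD
# GetGenericPortMappingEntry responses (addresses are made up).
SOAP = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{ext}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{int_port}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""

SAMPLES = [
    SOAP.format(ext=3074, proto="UDP", int_port=3074, client="192.168.1.50", desc="console"),
    SOAP.format(ext=40001, proto="TCP", int_port=80, client="203.0.113.10", desc="sync"),
]

def parse_mapping(soap_xml):
    """Return the New* arguments of one port-mapping response as a dict."""
    root = ET.fromstring(soap_xml)
    return {el.tag: (el.text or "").strip()
            for el in root.iter() if el.tag.startswith("New")}

def audit_port_mappings(responses, lan_cidr):
    """Return mappings whose internal client is not a host on the LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    suspicious = []
    for xml_text in responses:
        m = parse_mapping(xml_text)
        try:
            inside = ipaddress.ip_address(m["NewInternalClient"]) in lan
        except (KeyError, ValueError):
            inside = False  # missing or non-IP target: flag for review
        if not inside:
            suspicious.append(m)
    return suspicious

if __name__ == "__main__":
    for m in audit_port_mappings(SAMPLES, "192.168.1.0/24"):
        print("review:", m["NewProtocol"], m["NewExternalPort"], "->", m.get("NewInternalClient"))
```

A forward to a LAN host, like the game console entry, is what UPnP was designed for; an entry nobody on the network asked for, or one that targets an address outside the LAN, is the one to investigate and remove.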

