From Paul's Security Weekly

Hack Naked News #170

Recorded April 24, 2018 at G-Unit Studios in Rhode Island!


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • Go to and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at:
    • Check out SOURCE Boston 2018 from May 9th - 10th! Go to and register using the code SW75WMKW to get a $75 discount!
    • Visit to register for our next webcast “Detecting Malicious Domains” hosted by Keith Hoodlet and me. Tim Helming of DomainTools joins us to show you how to interpret each of the many data points related to a domain. @Wednesday, April 4th 3:00-4:00pm ET

    Security News

    1. 'iTunes Wi-Fi Sync' Feature Could Let Attackers Hijack Your iPhone, iPad Remotely - Apple has a feature that allows you to sync your phone with your computer wirelessly, granting authentication only once while the phone is physically connected to a computer. So, if your phone is plugged into someone else's computer, or someone gains control of your computer, they can access your phone and do bad things. For the record, this is kind of lame. However, I do believe the trust aspect is scary, such that an attacker in this scenario who gains access to your computer also has access to your phone, because your phone explicitly trusts your computer forever. Apple has put safeguards in place that will ask the phone user to enter a passcode.
    2. Google Project Zero pulls the rug out from under Microsoft (again)
    3. LinkedIn bug allowed data to be stolen from user profiles - LinkedIn has a feature that allows your data to be auto-filled, and it turns out there is a problem with that: LinkedIn only allows whitelisted domains to have this functionality, and LinkedIn has to approve each new domain. Right now, there are dozens of sites in the top 10,000 websites ranked by Alexa that have been whitelisted by LinkedIn, including Twitter, Microsoft, LinkedIn, and more. An XSS was found in one of those sites, which in turn allows attackers to steal some data.
    4. When you go to a security conference, and its mobile app leaks your data - This is a lesson in 3rd party vendor risk: A mobile application built by a third party for the RSA security conference in San Francisco this week was found to have a few security issues of its own—including hard-coded security keys and passwords that allowed a researcher to extract the conference's attendee list. The conference organizers acknowledged the vulnerability on Twitter, but they say that only the first and last names of 114 attendees were exposed.
    5. After ransomware attack, Atlanta spent 50 times more than the ransom demand - Atlanta is setting aside more than $2.6 million on recovery efforts stemming from a ransomware attack, which crippled a sizable part of the city's online services. I know what you're thinking, that's a lot more than the ransom. However, you can't pay the ransom for a lot of reasons, including 1) paying the ransom may not decrypt your systems 2) you can pay the ransom once, but the attackers may come back and perform the attack all over again and demand more money, because, well, you paid once, maybe you will pay again.
    6. Police try to unlock phone at funeral home - Linus Phillip, 30, was killed while trying to escape from police at a petrol station in Largo on 23 March. After his body was released to the Sylvan Abbey Funeral Home, his family say, two police officers tried to use his finger to unlock his mobile phone. Question, did they have a warrant? Do they need a warrant? Do they need special permission to access a dead person's finger? All great questions for a lawyer...
    7. Windows-powered medical scanners are being hit by healthcare hackers - Symantec reports X-Ray and MRI machines are being hacked, but no one knows why. What’s confusing the security professionals, however, is that the attacks don’t appear to have a clear purpose. While they seem to use phishing emails as an attack vector — a common method for many malware types — they don’t seem to share many characteristics with more traditional digital assaults. No data appears to have been stolen, no ransoms are being demanded, and the systems aren’t left running cryptominers.
    8. Nintendo Switches Hacked to Run Linux; Unpatchable Exploit Released - Flaws in read-only memory are bad, because they can't be patched. The flaws are in the boot ROM of Nvidia's Tegra line of embedded processors, which ships in all currently available Nintendo Switch consoles. Dubbed Fusée Gelée and ShofEL2, the exploits lead to a coldboot execution hack that can be leveraged by device owners to install software of their choosing. Both exploits take advantage of a buffer overflow vulnerability in the USB software stack of the read-only boot instruction ROM (IROM/bootROM), allowing unauthenticated arbitrary code execution on the game console before any lock-out operations (that protect the chip's bootROM) take effect.
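    Item 4 above comes down to secrets (keys and passwords) compiled into a third-party mobile app. The usual first check during vendor review is to pull the printable strings out of the app package and scan them for credential-shaped values. The following scanner is an added example written for these notes; it is not the Security Weekly team's code, not the RSA app vendor's code, and the sample strings are constructed. It assumes the public formats of AWS access key IDs, Google API keys and PEM private-key headers, and combines those patterns with a Shannon-entropy check for generic `key = "value"` assignments so that short dictionary words are not flagged as high-entropy tokens.

```python
"""Scan strings extracted from a mobile app bundle for hard-coded secrets.

Added example in the style of git-secrets / truffleHog. Input is a list of
strings, e.g. `strings` output or decompiled resources; all samples below
are constructed.
"""
import math
import re
from collections import Counter

# Well-known credential formats (assumption: public format of each type).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Generic "credential assignment": a telling key name followed by a quoted value.
ASSIGNMENT = re.compile(
    r"""(?i)\b(api[_-]?key|secret|password|passwd|token)\b\s*[=:]\s*["']([^"']{6,})["']"""
)

ALWAYS_FLAG = {"password", "passwd"}  # a literal password is a finding regardless of entropy


def shannon_entropy(s: str) -> float:
    """Bits per character; ~2.75 for 'changeme', ~5 for a random base64 string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str, entropy_threshold: float = 3.5):
    """Return a list of (finding_type, matched_value) for one extracted string."""
    findings = []
    for name, pat in KNOWN_PATTERNS.items():
        for m in pat.finditer(line):
            findings.append((name, m.group(0)))
    for m in ASSIGNMENT.finditer(line):
        key, value = m.group(1).lower(), m.group(2)
        if key in ALWAYS_FLAG:
            findings.append(("hardcoded_password", value))
        elif shannon_entropy(value) >= entropy_threshold:
            # Entropy gate keeps placeholders like token = "example" out of the report
            findings.append((f"high_entropy_{key}", value))
    return findings


def scan(lines):
    """Scan every string; return a list of dicts with line number, type and value."""
    report = []
    for lineno, line in enumerate(lines, 1):
        for kind, value in scan_line(line):
            report.append({"line": lineno, "type": kind, "value": value})
    return report


# Constructed sample strings as they might come out of an app package.
SAMPLE_STRINGS = [
    "Lorem ipsum dolor sit amet",
    'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',            # AWS's documented example key ID
    'api_key: "AIzaSyAbCdEfGhIjKlMnOpQrStUvWxYz0123456"',  # constructed, Google-shaped
    'password = "changeme"',                         # low entropy, still a finding
    'token = "9f86d081884c7d659a2feaa0c55ad015"',   # constructed hex token
    "-----BEGIN RSA PRIVATE KEY-----",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_STRINGS):
        print(f"line {finding['line']}: {finding['type']} -> {finding['value']}")
```

The entropy gate is a heuristic, not a proof: a line such as `password = "hunter2"` is only caught because the key name is on the always-flag list, and a secret stored under an innocuous variable name with low entropy will be missed entirely, which is why this kind of scan complements, rather than replaces, a review of how the app authenticates to its backend.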

    Expert Commentary

    Now Amazon wants the keys to your car

    Graham Cluley released a blog post today about Amazon’s new delivery service. Prime users in select areas can now get their packages delivered to their car. Amazon is continuing to push the boundaries of delivery services to make things more convenient for customers to receive their packages. Delivery by drone? Check. Delivery into your locked house? Check. Now delivery into your locked car. Amazon’s goal is absolutely convenience and reducing the number of concerns people may have about receiving their packages.

    The announcement of this service leads to the obvious question of, “how does this work?” Obviously, my 24 year old truck is not a prime candidate for this service. Physical keys are not used for this service. To receive packages to your vehicle you must have a 2015 or newer General Motors or Volvo automobile. You also have to be a subscriber to GM’s OnStar or Volvo’s On Call services. You set up the Amazon Key app for your car by linking the OnStar/On Call account to your Amazon Prime account. The Amazon driver (not FedEx or UPS) uses an app on their side to say they are at the car, unlock it, and then re-lock it after delivery. You are then notified of arrival. You will need to plan ahead and make sure your car is in the agreed upon location at the time of delivery.

    To be honest, this service bugs me less than the delivery to your locked home. I don’t keep things of value in my car because cars aren’t that secure. Glass breaks pretty easily. The thing that caught my attention is the idea that a 3rd party is now being authorized to access my vehicle via an API. A quick search is done and I find myself looking at API information for OnStar at Lo and behold, you can become a developer of apps for GM cars. There’s some validation that GM requires, so getting access to the API is not as simple as creating an account. Interestingly, GM does have a bug bounty set up with HackerOne, but it appears to be a mechanism for reporting bugs with a reduced chance for prosecution. If you are using a newer GM or Volvo vehicle then there’s definitely an app for it.

    Overall, the announcement from Amazon is interesting as it highlights the fact that 3rd parties can have physical interaction with your vehicles via an API. I have no knowledge of what GM or Volvo are doing to design security into these APIs, how they monitor them, or test them. We live in a world where more and more the digital realm is gaining a presence in the physical one. I would find it amusing if services like Amazon’s car delivery caused services like OnStar to become more popular and purchased by car buyers. Convenience is a powerful market force.
