HNNEpisode172

From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #172

Recorded May 8, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Annoucements:

    • Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Check out SOURCE Boston 2018 from May 9th - 10th! Go to sourceconference.com and register using the code SW75WMKW to get a $75 discount!

    Security News

    1. How FREE VPNs Sell Your Data - Take this with a grain of salt as it comes from a VPN services provider. However, they looked at the privacy policies of some VPN services and found they the privacy statements could allow them to share or sell your data. They summed it up as follows: Many free VPN services are not transparent about how they make money from you using their services; in most cases, when you’re not being sold a product you are most likely the product.
    2. Report: Chinese government is behind a decade of hacks on software companies - Arstechnica reports: Researchers said Chinese intelligence officers are behind almost a decade's worth of network intrusions that use advanced malware to penetrate software and gaming companies in the US, Europe, Russia, and elsewhere. The hackers have struck as recently as March in a campaign that used phishing emails in an attempt to access corporate-sensitive Office 365 and Gmail accounts. In the process, they made serious operational security errors that revealed key information about their targets and possible location.
    3. Goodbye Cambridge Analytica, hello Emerdata? - Some are suggesting that just because Cambridge Analytica shut down that they should not be spared from an investigation. Either way, Graham Cluley reports: So, Cambridge Analytica is no more. People will have lost their jobs. But don’t be too quick to shed a tear. It turns out that the founders of Cambridge Analytica have registered a new data analytics company, that they have called Emerdata. Perhaps they will live to fight, and invade privacy, another day?
    4. Twitter is Testing End-to-End Encrypted Direct Messages - Dubbed "Secret Conversation," the feature has been spotted in the latest version of Android application package (APK) for Twitter by Jane Manchun Wong, a computer science student at the University of Massachusetts Dartmouth. Okay, so first people have too much time on their hands looking at Android apps and such. Also, I wonder if they will log all conversations in clear-text on their servers?
    5. 350,000 cardiac devices need a security patch - The US Food and Drug Administration (FDA) last month approved a firmware patch for devices made by Abbott’s (formerly St Jude Medical) that are vulnerable to cybersecurity attacks and which are at risk of sudden battery loss. Some 350,000 patients are affected. The FDA is recommending that all eligible patients get the firmware update “at their next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician.” Battery issues aside, the article goes on to cite researchers who uncovered flaws in teh firmware update process, as in, there was none.
    6. Equifax reveals full horror of that monstrous cyber-heist of its servers - And lets be clear, full horror means they've clarified with the SEC in a publicaly available letter (https://www.sec.gov/Archives/edgar/data/33185/000119312518154706/d583804dex991.htm read it here) all of the data that was accessed and what type of data. This was still one of the worst breaches in history, and is still being attributed to a vulnerable version of Apache Struts, which by the way A LOT of companies are still running today.
    7. Cryptojacking Campaign Exploits Drupal Bug, Over 400 Websites Attacked - The attacks, which have impacted over 400 government and university websites worldwide, leverage the critical remote-code execution vulnerability (CVE-2018-7600) dubbed Drupalgeddon 2.0, said Troy Mursch, a researcher with Bad Packets Report. The Drupal bug in questions has been patched for over a month now. So if you haven't patched by now, its likely you could be targeted and your systems are now crypto mining. Will people care? Thats the big question.
    8. Twitter Fixes Bug, Advises Users to Reset Passwords - Look folks, use two-factor authentication. I realize this is common sense, and that most people stuggle with a single factor, but for accounts you care about, two-factor authentication is a must.

    Expert Commentary

    Bruce Schneier Responds to Ray Ozzie’s Master Crypto Key A new flurry of activity has been occurring in the debate over how to allow governments to unlock encrypted mobile devices and whether it should be allowed at all. Yesterday Bruce Schneier responded to Ray Ozzie’s proposal how how allow governments to unlock encrypted mobile devices when presented with a valid warrant. Schneier didn’t mince words as he called Ozzie’s idea “barely a proposal, and essentially the same key escrow scheme we’ve been hearing about for decades.” First what is this proposal and how would this work?

    Ozzie’s idea calls for a processor dedicated to device encryption and key management to be added to each device. When the device is built by the vendor, a unique public key for each device from the vendor is placed on the processor. This key is used to encrypt data on the device. The corresponding private key is retained by the vendor (not the government) and placed on an HSM inside a highly secure vault, inside a highly secure building and access to both is protected by biometrics and smart cards. Only “highly trusted” employees of the vendor have access to this system.

    Law enforcement must have physical access to the device to get into a special unlock screen with a QR code that they send the vendor. They send this code to the vendor along with the search warrant. The vendor then validates this information, goes into the vault to retrieve the unlock PIN for this device and sends it back to law enforcement. Once this mechanism is used, the device is no longer useable. That’s the proposal.

    The major difference between this proposal and others is that the key escrow is done by the vendors instead of the government. Their protections would be the same “maniacal care” used to protect their keys to sign applications and operating systems.

    Schneier’s response is that vendors will not be able to adequately protect these databases of keys, that the processor outlined doesn’t exist and that none of the policy issues with key escrow at a large scale have been addressed. He goes on to cite other cryptographers and technologists who point out their opinions on the flaws of this proposal.

    I get the idea of why law enforcement wants the ability to decrypt phones. I’ve heard a forensic examiner for law enforcement state that pretty much every crime has a mobile forensic aspect due to the prevalence of mobile devices. At the same time, I’ve experienced what a pain in the neck key management is on a small scale, much less such a large scale. We’ve seen examples of “highly trusted” individuals suddenly acting in ways that are not trustworthy. We’ve seen the lengths that governments of all varieties will go to get access to sensitive data. And this is about as sensitive as it gets. What happens if the vendor is not a US or European based vendor who decides they want to obey the rules? What will US and European vendors do when oppressive governments come to them and demand access to decrypt an individuals phone? The questions go on and on.

    Keep your eyes on the news, be informed and keep in contact with your government representatives. This debate isn’t going away and it looks like Pandora’s box that will not play out as some officials in government seem to hope.



    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+