HNNEpisode174

From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #174

Recorded May 22, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Annoucements:

    • Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Ticket Sales are open for Social Engineering RI Conference. Saturday, June 6th at Salve Regina University in Newport RI. Go to - http://se-ri.org/ to register! We are giving away 2 tickets to this conference. Please send your best meme of Paul and Larry to psw@securityweekly.com.

    Security News

    1. Oh, great, now there's a SECOND remote Rowhammer exploit - In separate research, Meltdown/Spectre veterans Daniel Gruss, Moritz Lipp and Michael Schwarz of Graz University of Technology and their team have published a paper describing Nethammer. Nethammer works, they said, without any attacker-controlled code on the target, attacking “systems that use uncached memory or flush instructions while handling network requests.Depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, ie, persistent denial of service”.
    2. As the Web moves toward HTTPS by default, Chrome will remove secure indicator - Back in February, Google announced its plans to label all sites accessed over regular unencrypted HTTP as "not secure," starting in July. Today, the company described the next change it will make to its browser: in September, Google will stop marking HTTPS sites as secure. This fits with Google's attitude towards SSL-enabled sites, which receive higher SEO rankings in Google.
    3. Red Hat Linux DHCP Client Found Vulnerable to Command Injection Attacks - A Google security researcher has discovered a critical remote command injection vulnerability in the DHCP client implementation of Red Hat Linux and its derivatives like Fedora operating system. The vulnerability, tracked as CVE-2018-1111, could allow attackers to execute arbitrary commands with root privileges on targeted systems. Red Hat has confirmed that the vulnerability impacts Red Hat Enterprise Linux 6 and 7, and that all of its customers running affection versions of the dhclient package should update their packages to the newer versions as soon as they are available.
    4. Google offers free DDoS protection services in the name of free democracy - Google has rolled out a free DDoS protection platform called Project Shield to protect news sites and free expression to defend the democratic process. The program is accepting applications from news organizations, election monitoring organizations, and individual journalists and some political organizations
    5. University fined 120,000 for data breach - The University of Greenwich has been fined £120,000 ($160,000) by the Information Commissioner. The fine was for a security breach in which the personal data of 19,500 students was placed online. The data included names, addresses, dates of birth, phone numbers, signatures and - in some cases - physical and mental health problems. It was uploaded onto a microsite for a training conference in 2004, which was then not secured or closed down.
    6. Intel Set to Patch Two New Meltdown,Spectre Vulnerabilities - and the hits just keep coming: Two new variants of the Spectre and Meltdown side-channel vulnerabilities were publicly disclosed on May 21, impacting CPUs from multiple vendors, including Intel and ARM. The two vulnerabilities—CVE-2018-3640, identified as Rogue System Register Read, and CVE-2018-3639, identified as Speculative Store Bypass—could potentially enable an attacker to read arbitrary system memory on a vulnerable system.
    7. High-end router flinger DrayTek admits to zero day in bunch of Vigor kit - According to Bleeping Computer DrayTek, a Taiwan-based manufacturer of broadband CPE (Customer Premises Equipment) such as routers, switches, firewalls, and VPN devices, announced today that hackers are exploiting a zero-day vulnerability to change DNS settings on some of its routers. The company admitted to the attacks after several users reported on Twitter about finding DrayTek routers with DNS settings changed and pointing to an unknown server located at 38.134.121.95. Attacks use an exploit, not a backdoor account or default password.
    8. This Day In Market History, May 22: iOmega's Incredible Run Comes To An End - On this day 22 years ago, iOmega Corp. hit $27 per share, a gain of 2,135 percent over a one-year stretch. Unfortunately, the iOmega bubble soon burst, and the stock had plummeted 68.1 percent by May 22, 1997.

    Expert Commentary

    Most Healthcare Workers Admit to Non-Secure Healthcare Data Sharing

    The title of this article tells a story that is probably completely unsurprising to the listeners of the show, but a survey sponsored by a secure file sharing service named Biscom has announced that people working in healthcare share information over insecure channels. Some of the numbers in it were a bit interesting to me. 87% of survey respondents said that they shared protected information via email. The article later states that most of this was internal, rather than sending to patients personal email address, but it’s still not a great thing. 1/3 of the respondents said they used services such as Google Drive, Dropbox, and Microsoft One Drive to share information. 88% said they understood how to use company provided tools and policies, but 10% said they didn’t bother to abide by them.

    Here’s the statement that stood out to me the most. “When asked why they did not use company tools or comply with company policies, respondents across industries agreed complexity was the biggest challenge. In fact, when deciding how to send sensitive documents, 60 percent said they simply do what is easiest.”

    A couple of thoughts occur to me out of all this. First, I’m not surprised at all and I suspect that surveys of other industries (such as legal and financial) that deal with confidential information would yield similar results. And this survey just deals with data leaving the medical provider. I can only imagine the information being passed into the providers by patients. “Protected” data is all over the place and actual protections are frequently avoided or worked around.

    Second, this is a pretty good indicator of how useful and easy to use secure data transfer tools are to use. Basically, they aren’t and their reach to the public is limited. There are legitimate needs to share information like health data. The doctor asks for something to be sent to the lab and the lab needs to send the results back. Are the tools for internal data sharing making it easy or hard to do so? Or is it easier to copy data out of the system and send it via email?

    I know we get frustrated by data being shared insecurely, particularly when we find evidence of it occurring in our own organizations. I made the mistake once at looking at a customer service ticketing system that was driven by emails coming in. It was filled with financial information from clients sending emails to our customer service reps. SSNs, names, account numbers, income, and more. I saw points where our employees were sending it out as well. As much as we want to get angry and insult the intelligence of our users, we also need to look at the tools we are providing to do the job. Things like this is a sign we need to do better.

    Here are some questions to ask as we evaluate this. Why are people doing sending information this way versus the way we want them too? Is there a way we can make our tools easier to use and still protect data? Are the current tools up to the task or do we need to look for replacements? Are there stories we can tell to our users that help them understand the impact of their decisions? Good examples would be things in the news.

    I don’t mean to say that this is all our fault for not providing better tools or even awareness training. We can provide the easiest mechanisms we know for transferring data securely, but someone will decide something is easier and go that route. Perhaps send a screenshot to patient via Snapchat for some reason. But we can do better at providing tools that are simpler to use and less frustrating to the users.


    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+