HNNEpisode176

From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #176

Recorded June 5, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Annoucements:

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Ticket Sales are open for Social Engineering RI Conference. Saturday, June 6th at Salve Regina University in Newport RI. Go to - http://se-ri.org/ to register! We are giving away 2 tickets to this conference. Please send your best meme of Paul and Larry to psw@securityweekly.com.
    • How do you feel about User and Entity Behavior Analytics? What about your SEIM? Check out Logrhythm's webcast on June 14th at 3:00pm-4:00pm.

    Security News

    1. A host of new security enhancements is coming to iOS and macOS - Apple on Monday previewed a variety of security and privacy features it plans to add to macOS and iOS operating systems, including encrypted Facetime group calls, password-management tools, and camera and microphone protections. The company also released a beta version of the upcoming iOS 12 that, according to Motherboard, all but kills off two iPhone unlocking tools used by police forces around the world. This includes encrypting your passwords, storing them in iCloud, and auto-filling them in Safari.
    2. Hacker charged with murder after a worker dies building his underground tunnel system - In September, 21-year-old Askia Khafra was found dead after a house fire in a suburban Bethesda home belonging to security researcher Daniel Beckwitt. Now, Beckwitt has been charged with murder in connection with Khafra’s death. Prosecutors say Khafra had been hired to construct an intricate network of tunnels below Beckwitt’s home And the story gets even more bizarre: the fire was the result of an unconventional construction setup, which included a so-called “daisy chain” of extension cords to provide power for the equipment. Significant amounts of trash had also accumulated in the home, making escape more difficult.
    3. Decade-old remote code execution vulnerability patched in Valve Steam client | ZDNet - The security flaw is a heap corruption issue within one of the Steam client's libraries. An aspect of the code which dealt with fragmented datagram reassembly from received UDP packets could be triggered remotely and be utilized to remotely execute malicious code. Steam is a gamin platform that allows users to download, purchase and play a variety of games and has millions of users worldwide.
    4. One third of business decision makers would pay hackers ransom demands rather than invest in more security, NTT Security Risk:Value report reveals - Noooooo: One third of global business decision makers report that their organisation would try to cut costs by considering paying a ransom demand from a hacker rather than invest in information security. Invest in a good backup product instead.
    5. Facebook Accused of Giving Over 60 Device-Makers Deep Access to User Data - Facebook is in hot water again: After being embroiled into controversies over its data sharing practices, it turns out that Facebook had granted inappropriate access to its users' data to more than 60 device makers, including Amazon, Apple, Microsoft, Blackberry, and Samsung. According to a lengthy report published by The New York Times, the social network giant struck data-sharing partnerships with at least 60 device manufacture companies so that they could offer Facebook messaging functions, "Like" buttons, address books, and other features without requiring their users to install a separate app.
    6. everyone-complaining-about-microsoft-buying-github-needs-offer-better-solution - The fear is that Microsoft is hostile to open source and will do something to GitHub (though exactly what isn't clear) to undermine the open-source projects that depend on it. Comments here at Ars, as well as on Slashdot, Reddit and Hacker News, suggest not any specific concerns but a widespread lack of trust, at least among certain developers, of Microsoft's behavior, motives, and future plans for the service.
    7. Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit - Hundreds of thousands of websites running on the Drupal CMS—including those of major educational institutions and government organizations around the world—have been found vulnerable to a highly critical flaw for which security patches were released almost two months ago. Security researcher Troy Mursch scanned the whole Internet and found over 115,000 Drupal websites are still vulnerable to the Drupalgeddon2 flaw despite repetitive warnings. If you can't easily auto-update your platform and add-ons, consider a different platform.
    8. Today In Hip Hop History - Or pretty close, June 3, 1997 Wu-Tang Clan released their second studio album Wu-Tang Forever, and was certified 4× platinum by the Recording Industry Association of America (RIAA) on October 15, 1997 (each disc in the double album counted as separate unit for certification purpose),[1] and has sold over 2 million copies in the United States.[2] It is the group's highest selling album to date. Upon its release, Wu-Tang Forever received favorable reviews from most music critics, while it also earned the group a Grammy Award nomination for Best Rap Album at the 40th Grammy Awards in 1998.

    Expert Commentary

    Federal Agencies Face an Uphill Battle in Cyber-Prepardness

    The title of this article on Threatpost shouldn’t shock anyone who has worked in IT security, cybersecurity or whatever you call it. The Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) have released a report that says the various agencies of the US federal government are not ready to protect themselves from attackers. As a general statement, this shouldn’t generate any surprise. Some of the information and issues they cite are interesting though.

    The report makes its case early on by stating that 71 out of 96 agencies have programs that are at risk or high risk. That the “agencies are not equipped to determine how threat actors seek to gain access to their information.” Because they do not understand it, the agencies are making mistakes in how they allocate their security related resources.

    The report proposes four things to address these issues. First, increase “cybersecurity threat awareness” among agencies. Second, standardize IT and security capabilities to control costs and improve asset management. Third to consolidate agency SOCs. Fourth, to drive accountability by improving processes and doing more risk assessments.

    Personally, I’ve done some testing of federal systems and have experienced some of the issues described. To be fair, the experiences were ones that I’ve had in plenty of non-government organizations as well, but it still doesn’t provide much in the way of inspiration at times. The agencies suffer from many of the same issues that other organizations do. They’ve got a job to do and protecting the agency is only part of it and people only complain about security when it gets in their way or something has gone wrong. There is much more complaining about systems being down, access being needed, etc, etc.

    Back to the recommendations. I do think that driving awareness throughout the agencies can and should help. If you don’t know you should be looking for something, then you don’t notice it unless you trip over it. I agree that there is lots of fragmentation of IT between agencies. They are doing things differently all over the place. Consolidating SOCs seems like a good idea, but the politics of having some other group come in and tell you that you have a problem can cause things to be delayed or buried. I don’t know that I agree with how the report decides to drive accountability. If there is no teeth to the assessment results. As it is, it calls out that CIOs and CISOs for agencies don’t have the authority in many cases to make organization wide decisions regarding their area of responsibility!

    The report is informative and tosses out some interesting ideas. The problem is that this will likely be another report that correctly cites issues that it found and then is ignored. The Threatpost article has some discussion about the Trump administration eliminating the cybersecurity coordinator position in the National Security Council as a serious issue. But did that coordinator ever have any authority to make decisions, or were they like the CIOs and CISOs of individual agencies that had a position, but no ability to do anything. As far as federal cybersecurity issues go, the limits placed on these individuals to make changes in response to issues is a major issue that also needs to be addressed.


    https://www.whitehouse.gov/wp-content/uploads/2018/05/Cybersecurity-Risk-Determination-Report-FINAL_May-2018-Release.pdf



    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+