HNNEpisode177

From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #177

Recorded June 12, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Annoucements:

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Ticket Sales are open for Social Engineering RI Conference. Saturday, June 6th at Salve Regina University in Newport RI. Go to - http://se-ri.org/ to register!

    Security News

    1. Make sure Windows auto update is temporarily turned off, and watch out for SMBv1 fixes - Word is the update is releasing today, and will disable SMBv1: Microsoft had already announced since summer 2017 that support for the SMBv1 protocol in Windows 10 will expire. The abbreviation SMB stands for Server Message Block (former names are LAN Manager or NetBIOS protocol), a network protocol for file, print and other server services in computer networks. Version 1 (SMBv1) of the network protocol designed over 30 years ago, and especially the Microsoft implementation, is considered very error-prone and security-critical Source: https://borncity.com/win/2018/06/10/microsoft-plans-a-windows-10-v1803-smbv1-fix-on-june-2018/
    2. GnuPG patched to thwart 'fake filename' - The short version, given in CVE-2018-12020, is that mainproc.c mishandles the filename, and as a result, an attacker can spoof the output it sends to other programs. So, according to El Reg: If you're a developer relying on GnuPG, check upstream for an update that plugs an input sanitisation bug.
    3. Trump and Kim USB fan raises eyebrows - Some warned reporters not to plug them in to their laptops, as USB devices can carry malware. The fans were part of a gift bag including a branded water bottle and a local guidebook. Temperatures reached 33C [91.4F] in Singapore during the meeting.
    4. Hackers Stole Over $20 Million in Ethereum from Insecurely Configured Clients - Security researchers have been warning about cybercriminals who have made over 20 million dollars in just past few months by hijacking insecurely configured Ethereum nodes exposed on the Internet. Users who have implemented Ethereum nodes are advised only to allow connections to the geth client originating from the local computer, or to implement user-authorization if remote RPC connections need to be enabled. This is a trend with newer technology, folks rush to implementation, and forget to restrict access (ala S3, Docker, Git, etc...)
    5. Supermicro is the latest hardware vendor with a security issue
    6. OnePlus 6 smartphone flash override demoed - The recently released ‪OnePlus 6‬ smartphone allows the booting of arbitrary images, security researchers at Edge Security have discovered. According to the researchers, the trick is possible using the fastboot boot image.img feature on the BBK Electronics phone – even when the bootloader is completely locked and in secure mode An update is being released soon. I really like the OnePlus 6 on the surface, but the spotty carrier support in the US makes me leary. So, are you holding out for the Pixel 3 or jumping on the OnePlus 6?
    7. Thousands of Android Devices Running Insecure Remote ADB Service - Despite warnings about the threat of leaving insecure remote services enabled on Android devices, manufacturers continue to ship devices with open ADB debug port setups that leave Android-based devices exposed to hackers and Usually, developers connect to ADB service installed on Android devices using a USB cable, but it is also possible to use ADB wirelessly by enabling a daemon server at TCP port 5555 on the device.
    8. The Google Pixelbook power button is now a 2FA token - If you own a Google Pixelbook, intriguing news – it appears the power button can now double as an alternative to using U2F (Universal 2nd Factor) tokens for two-factor authentication (2FA). As the name implies, U2F tokens such as the YubiKey are hardware tokens that plug into a USB port to authenticate users who enter a username and password on supported websites.
    9. Signature Validation Bug Let Malware Bypass Several Mac Security Products - A years-old vulnerability has been discovered in the way several security products for Mac implement Apple's code-signing API that could make it easier for malicious programs to bypass the security check, potentially leaving millions of Apple users vulnerable to hackers. and Apple says this: "Apple stated that documentation could be updated and new features could be pushed out, but 'third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result'," Pitts said. Which means, look for updates from many of your Apple Anti-malware products.

    Expert Commentary

    Meet the Microsoft Red Team That Researches 0-days

    We talk a lot about red teaming in security and the shapes and forms that it takes. It’s one of those terms that means something very specific to some people, but that others to use as a blanket to cover anyone paid to attack systems. So I was interested when I saw a Wired article that was posted on June 10th that described one of Microsoft’s red team. What does this team do and how does their work contribute to Microsoft’s security?

    This particular team does work a bit differently than you normally hear ascribed to red teams. Some are more like penetration testers and others can spend months attempting to simulate the bad guys and evade the defenders. This red team simulates the bad guys in finding exploits in the Windows operating systems. Instead of being active on the network looking for misconfigured systems, they spend their time looking at Windows itself and trying to find zero days rather than waiting for them.

    The team is actually a fairly new addition to Microsoft. David Weston is the current leader of the team and he started advocating for the team about 4 years ago. Quoting from the Wired article,

    “Most of our hardening of the Windows operating system in previous generations was: Wait for a big attack to happen, or wait for someone to tell us about a new technique, and then spend some time trying to fix that,” Weston says. “Obviously that’s not ideal when the stakes are very high.”

    Honestly, that sounds fairly similar to how a lot of the security world functions. Wait for something bad to happen and then respond. Anyhow, the team spends its time digging through Windows looking for unknown weaknesses that bad guys can use to ultimately break into systems, steal data and do all the crazy things that they do. As I read about this, my first thought was that this sounded like a security research team and not really a red team. However, here are the things that they do that separate them from security research.

    One, they keep an eye on how attackers are attempting to exploit systems. For example, the web browser is a prime target since this is software that reaches out to systems outside of organizations. They then start working from that point and examining what it takes to pull off a successful browser exploit. What components in the browser and operating system will need to be broken to be successful? They emulate the path that attackers must take and move forward from there. This has resulted in vulnerabilities in the browser sandbox being patched before anyone outside of Microsoft (as far as we know) knew about them. They are under no illusions that their work will stamp out all bugs. Team member Adam Zabrocki was quoted as saying, “Bugs will always be there. We can’t fix all the bugs in the world.”

    Second, they measure the time it takes to find a flaw and put together an exploit for it. The name of the game here is the economics of time. The attackers need to prioritize their time and efforts as well. As a result, if a component of Windows takes too much time to attack, they may just move on. Weston’s team starts a timer whenever they begin working on an area for attack. How long does it take to start to see some success? How long will it take to turn it into a functional exploit? If it starts taking too long, then that component could indeed have issues with it, but the time required makes it less appealing for an attacker.

    I’ll be honest, my first reaction was, “wow, it would be cool to be on this team.” But it isn’t always sunshine and shells for the team. Microsoft is a huge company and moves slowly like any large organization. One team member apparently “laments that Microsoft can sometimes take months to fix what both internal and external security researchers see as serious issues.” No surprise there if you’ve worked in a large company. Or any company that may get frustrated with security pointing out problems.

    The article is an interesting read and doesn’t take too long to get through. I recommend you check it out. The link is in the show notes. Kudos to David Weston for putting this team together and selling the idea at Microsoft. I’m sure it was an extremely difficult process. It’s good to see a software company with the reach that Microsoft has attempting to get ahead of what the attackers are doing, rather than waiting to see what happens next.


    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+