HNNEpisode178

From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #178

Recorded June 19, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Annoucements:

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

    Security News

    1. Lacework Study Finds 300 Unsecured Container Orchestration Dashboards - Lacework conducted an analysis of cloud-hosted container orchestration deployments and discovered 21,169 publicly facing container orchestration platforms. Of these, 300 deployments were found to have open administrative dashboards without any required access credentials. While this is not overwhelming evidence of insecure container orchestration platforms, it does speak to a problem that could be much worse as the adoption of these technologies grows.
    2. Hackers who sabotaged the Olympic games return for more mischief - The advanced hacking group that sabotaged the Pyeongchang Winter Olympics in February has struck again, this time in attacks that targeted financial institutions in Russia and chemical- and biological-threat prevention labs in France, Switzerland, the Netherlands, and Ukraine, researchers said. While this could very well be the same group, likely it doesn't matter, and the important part of this report is the notice to all those who are being targeted to be aware of the threat and attempt to fend off the attacks before they become a problem, which is easier said than done.
    3. Cortana Software Could Help Anyone Unlock Your Windows 10 Computer - "Cochin discovered that by simply typing while Cortana starts to listen to a request or question on a locked device, he could bring up a search menu. Cochin didn’t even have to say anything to Cortana, but simply clicked on the "tap and say" button and started typing in words," a blog post on McAfee explained.
    4. Ex-CIA employee charged with leaking 'Vault 7' hacking tools to Wikileaks - A 29-year-old former CIA computer programmer who was charged with possession of child pornography last year has now been charged with masterminding the largest leak of classified information in the agency's history. Joshua Adam Schulte, who once created malware for both the CIA and NSA to break into adversaries computers, was indicted Monday by the Department of Justice on 13 charges of allegedly stealing and transmitting thousands of classified CIA documents, software projects, and hacking utilities. Initially he was charged with possession of child pornography, however, the revised indictment includes 13 counts of charges related to the theft and disclosure of the classified information to WikiLeaks.
    5. Firefox fixes critical buffer overflow - Earlier this month Mozilla announced a security advisory (MFSA2018-14) for its Firefox browser, noting that version 60.0.2 of both Firefox and Firefox Extended Support Release (ESR) as well as the legacy ESR (ESR 52.8.1) now have a fix for a critical-level buffer overflow vulnerability. The buffer overflow bug, discovered by Ivan Fratric of Google Project Zero, occurs within Firefox’s implementation of the Skia library, an open-source graphics library that is used by almost all of the mainstream browsers.
    6. Unbreakable Smart Lock Tapplock Issues Critical Security Patch - There are now three vulnerabilities associated with this lock: 1) You can pop the back off with a screwdriver and unlock it 2) The Bluetooth LE MAC address is used as the key to unlock it via your smartphone 3) Poor session handling allows an attack to access anyone's account, which includes the location of where you last unlocked your lock. The companies response: “Tapplock is pushing out an important security patch,” the company said in a security notice. “This patch addresses several Bluetooth/communication vulnerabilities that may allow unauthorized users to illegal lygain access. Tapplock will continue to monitor the latest security trends and provide updates from time to time.” The from time to time language concerns me, and is an indication that Tapplock still does not understand security, as evidenced by the three recent vulnerabilities.
    7. Tesla saboteur caused extensive damage and leaked highly sensitive... - Insider threats are damaging: According to CNBC, the high profile executive sent an email to Tesla employees this weekend alleging that there was a saboteur in the company’s ranks who had changed code in an internal product, logged into systems without authorisation, and leaked “large amounts of highly sensitive Tesla data to unknown third parties.”
    8. 7 Time 'Jeopardy!' Winner Pleads Guilty to Hacking Into the Email of Students and Faculty - Just because you can, doesn't mean you won't get caught and go to jail, shame on you: A record-setting Jeopardy! contestant who teaches history at a college in Michigan plead guilty last week to accessing the email accounts of fellow professors, school administrators and students. Stephanie Jass took advantage of a campus-wide password reset to spy on emails sent by individuals including Adrian’s president and outgoing vice president. She has been charged with two felonies and terminated her employment this past January, and prosecutors dropped the second charge after she pleaded guilty last week to unauthorized access to a computer system.

    Expert Commentary

    Hey Alexa, have the front desk send up more towels!

    It appears that Amazon’s Echo may be coming to a hotel near you this summer. Marriott Hotels is planning on placing Echos in guest rooms in 10 of their hotels in the coming months. The idea is that hotel guests will have a convenient way to order room service, get recommendations for restaurants, and request hotel services without needing to call the front desk using a phone. Not only that, the devices will allow guests to check out of their rooms, get hotel information, turn off lights and even play soft music to fall asleep to. Later this year, Amazon plans to allow hotel guests to link their Amazon accounts to the Echo so that they can play their own music playlists or audio books.

    The Echos themselves will be customized version specific to hotel services. Amazon states that any data collected from hotel guests will be deleted daily. Marriott also said that customers can have the device removed from the rooms on request.

    So this is an interesting development in IoT’s reach into our lives. Depending on how this deployment goes (and I suspect it will go well enough), we can probably expect to see Marriott and other hotels deploy Echos to more of their properties. After all, having some of these services automated via an IoT device can make the workload easier for a busy front desk and customers may appreciate some of the convenience it provides. Amazon obviously wants Echos out in front of more people who may then decide that the device was so cool that they need one too.

    As interesting as this is, it brings up some questions and concerns to me. First, Amazon says that all data will be deleted daily from the devices. Does that include the guests’ linked Amazon accounts? Is data really being deleted? Could the hotel versions include monitoring for sounds of violence or destruction so that hotel security is notified? What about physical access to the devices? With it in the room available to any guests, someone could tamper with the device itself or plant a look a like device. If/when Echos get deployed widely enough, you could even see hotels start deploying cheaper and less secure alternatives to the Echo.

    The geeky part of me thinks this sounds kind of cool, but I’m not totally comfortable here. Perhaps I’m being a bit paranoid, but it feels like another inroad into allowing microphones into areas that have been mostly private. We don’t like the idea of government surveillance, but it’s ok if it is Amazon and Marriott. It will be interesting to see how this plays out and how fast we see IoT devices get deployed to places like hotels, rental cars, and other locations.



    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+