From Paul's Security Weekly
Hack Naked News #182
Recorded July 24, 2018 at G-Unit Studios in Rhode Island!
- We just released our 2018 Listener Survey; please go to securityweekly.com/survey to help us continue to provide you with quality content that doesn't break the build.
- Come to our Pool Cabana @ Black Hat and Def Con to pick up a free copy of "Cyber Hero Adventures". Here you will be able to get the comic book signed by Gary Berman.
- Microsoft Edge's XSS Filter Appears to Be Broken - A security feature that's included with the Microsoft Edge browser appears to have stopped working, according to Gareth Heyes, a security researcher with cyber-security firm PortSwigger. The security feature in question is named "XSS Filter" and is a Microsoft-developed security mechanism that can prevent basic cross-site scripting (XSS) attacks inside browsers. Microsoft developed and launched XSS Filter in 2008 when it was first included with Internet Explorer 8, but the feature has since expanded to Edge and was adopted by other browsers such as Google Chrome and Safari.
- Fitness tracker cheating is big business in China - At some Chinese universities, students have a fitness requirement, so that means fitness tracker cheating has become a lucrative business for a few enterprising entrepreneurs.
- Russian hackers are inside US utility networks - Russian hackers infiltrated the control rooms of US utility companies last year, reaching a point where they "could have thrown switches," The Wall Street Journal reports. The paper cites officials from the Department of Homeland Security (DHS) confirming that the hackers -- from a state-sponsored group previously known as Dragonfly or Energetic Bear -- gained access to allegedly secure networks, where they could have caused blackouts. According to the DHS, the long-running Russian campaign has affected "hundreds of victims," and some companies may not even know they've been compromised as the attacks relied on the credentials of actual employees, making intrusions harder to identify. The attack is believed to have surfaced in spring 2016 and could still be continuing.
- Leaky Backup Spills 157 GB of Automaker Secrets - An insecure backup protocol used by robotics firm Level One is to blame for leaking 157 gigabytes of sensitive data belonging to major automakers, including Ford, Tesla and Toyota. The data included 10 years of assembly-line schematics and control settings for robotics used to build the cars, along with internal ID and VPN-request forms. To blame was rsync, which stands for "remote sync," a common file transfer protocol used to mirror or back up large data sets, according to the UpGuard Cyber Risk team that first reported the problem on Friday.
- Insecure HTTP D-Day - Google Chrome users who visit unencrypted websites will be confronted with warnings from tomorrow. The changes will come for surfers using the latest version of Google Chrome, version 68. Any web page not running HTTPS with a valid TLS certificate will show a "Not secure" warning in the Chrome address bar from version 68 onwards. The warning will apply both to internet-facing websites and intranet sites accessed through Chrome, which has approximately 60 per cent market share.
- Google hasn't suffered an employee phishing compromise in over a year - Given that Google has 85,050 employees, all of whom would be prized targets for phishing attacks, this is a remarkable advert for tokens, which reports suggest are Yubico's Universal 2nd Factor (U2F) Yubikey. This doesn't rule out the possibility that phishing attackers have been able to steal employee credentials, simply that they haven't been able to overcome the extra layer provided by token security to take control of an account.
- Apache Tomcat Patches Important Security Vulnerabilities - The Apache Software Foundation (ASF) has released security updates to address several vulnerabilities in its Tomcat application server, one of which could allow a remote attacker to obtain sensitive information. Apache Tomcat is an open source web server and servlet system, which uses several Java EE specifications like Java Servlet, JavaServer Pages (JSP), Expression Language, and WebSocket, and provides a "pure Java" HTTP web server environment for Java code to run in.
- The Bluetooth device snooping bug: what you need to know - Most things have been patched or are not affected. Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange. Simply put, a crook who is in the right place at the right time might be able to figure out the encryption key that one of your Bluetooth devices is using to talk to your laptop, or your bicycle computer, or your phone, or whatever it's paired with.
- Dust yourself off and try again: Ancient Solaris patch missed the mark - The vulnerability is a memory corruption bug that would allow an attacker to write malicious code to memory and execute it with kernel-level (highest) privileges. The flaw was first discovered in 2007 and made public during CanSec West 2009...A fix was applied shortly after the event. Trustwave found that the original fix was insufficient. "Exploiting the vulnerability can only be done by a locally logged in user (no direct remote exploitation)," the researchers said. "The vulnerability lets you execute code in the root/kernel context. Typically, this would be a root shell."
- OpenWhisk at Risk: Critical Bug Leaves IBM Cloud Exposed - A vulnerability in Apache OpenWhisk exposed IBM customer data through IBM Cloud Functions, which is one of thousands of services relying on the open source serverless platform. Apache and IBM have each issued a patch for the critical vulnerabilities, tracked as CVE-2018-11756 and CVE-2018-11757, which attackers could exploit to replace a company's serverless code with their own malicious code. In doing so, they would be able to leak sensitive customer data, edit or delete files, mine cryptocurrency, or launch a DDoS attack.