HNNEpisode184

From Paul's Security Weekly

Hack Naked News #184

Recorded August 14, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
Announcements

    • Endgame Webcast is being held on August 16, 2018 @3-4pm on Phishing Prevention. Go to securityweekly.com/endgame to register!

    Security News

    1. Security world to hit Las Vegas for a week of hacking, cracking, fun - Unless you are hiding under a rock somewhere, you probably noticed that the Hacker Summer Camp (AKA BlackHat, DEF CON, and BSides LV) just wrapped up this weekend. The Register reported on the background of BlackHat and DEF CON and reviewed some of the memorable talks that have been presented. No article on these conferences could be complete without mentioning the risk of getting hacked yourself while attending the conferences. No surprise there for attendees.
    2. Hackers Could Cause Havoc By Pwning Internet-Connected Irrigation Systems - IoT sprinkler controls could drain cities dry of water? Well, perhaps not. An academic study was released by Ben Nassi, a Ph.D. student at Ben Gurion University. He highlights the weak security in these IoT devices and how they could be attacked to turn on all the sprinklers in town. The weaknesses sound real, but the reality of draining a town of its water seems unlikely. If nothing else, I'd turn the stupid sprinklers off.
    3. Linux vulnerability could lead to DDoS attacks - A vulnerability in Linux kernel 4.9 and up could result in a denial of service on any Linux box with an available TCP port. “Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service,” the report states. “An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions.” Because the attack maintains a continuous TCP session, it is not possible to spoof the attacking IP addresses.
    4. Hack causes pacemakers to deliver life-threatening shocks - Billy Rios and Jonathan Butts released information about vulnerabilities in Medtronic pacemakers last week at BlackHat. The pacemakers do not use encryption in transit or code signing on firmware updates, which enabled the researchers to install their own firmware. Apparently, the vendor doesn't sound too worried about the attack due to "existing controls" which mitigate the issues. The researchers disagree with the effectiveness of these controls. At least one individual I know was not impressed with the vendor response since he has one of these devices implanted in his body.
    5. Malicious fax leaves firms open to attack - Researchers at DEF CON released information on the security (or complete lack of it) of fax machines. The issue is that the protocols for fax technology were created in the 1980s and haven't been updated since then. These devices are frequently connected to the internal network of organizations since they act as printers as well. An attacker could connect to fax systems to gain a foothold on the internal network. At this point, there is no indication this is being abused by attackers.
    6. Apple macOS vulnerability paves the way for system compromise with a single click | ZDNet - The march of vulnerabilities being released at DEF CON and BlackHat continues on. Patrick Wardle, Chief Research Officer of Digita Security, released his results of looking at "synthetic events" in macOS at DEF CON last week. We all are getting used to clicking a prompt from our OS to authorize some security action. A synthetic event is where software is able to perform that authorization without the user being involved. Some of these prompts could include accessing Keychain, running an untrusted app, or installing third-party kernel extensions. The CVE related to these issues is CVE-2017-7150.
    7. Police body cameras open to attack - It turns out that even police body cameras are vulnerable to attack. These cameras have both proved that police officers acted improperly and exonerated officers from accusations. They are admissible as evidence in court. But now Josh Mitchell, a consultant at security firm Nuix, has found that attackers can take control of these cameras and potentially tamper with evidence. A number of models of these devices are vulnerable to an attacker connecting remotely and downloading videos from the cameras. They could delete videos or upload a modified video back to the cameras. How does this happen? To an extent, the lack of encryption and default credentials are in play here. Go figure, our police officers are walking around wearing WiFi services and running servers.
    8. ThreatList: Almost All Security Pros Believe Election Systems Are at Risk - A poll taken by security vendor Venafi found that 93 percent of security professionals are concerned about cyber attacks against voting systems. The poll was not limited to the US and included the UK and Australia as well. No doubt that last week's Voting Village at DEF CON has not increased anyone's confidence in these systems.
    9. Adobe releases important security patches for its 4 popular software - Adobe has released August's round of patches for download and installation. The products affected in this round of patching are Adobe Flash Player, Creative Cloud Desktop Application, Adobe Experience Manager, Adobe Acrobat, and Reader. Some of the issues included arbitrary code execution in Adobe Acrobat and Reader. Time to get patching again.
    10. Researchers Break IPsec VPN Connections with 20-Year-Old Protocol Flaw - Threatpost is reporting that "A new Bleichenbacher oracle cryptographic attack has been set loose on the world, using a 20-year-old protocol flaw to compromise the Internet Key Exchange (IKE) protocol used to secure IP communications." The research comes from an academic paper released by researchers from Ruhr-University Bochum, Germany and the University of Opole, Poland. Their proof of concept attacks only Phase 1 of IKEv1 and IKEv2, where the attacker impersonates an IKE device. Cisco and Huawei released updates for these issues yesterday. Don't forget to patch your network gear too!

