From Paul's Security Weekly
Hack Naked News #187
Recorded September 4, 2018 at G-Unit Studios in Rhode Island!
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
- DerbyCon is holding its first-ever Mental Health & Wellness Workshop - to help support their efforts, please go to https://www.derbycon.com/wellness
- Android OS API-Breaking Flaw Offers Useful WiFi Data to Bad Actors - Researchers at Nightwatch Cybersecurity said that certain system broadcasts (intents) sent out by the Android OS expose sensitive information about the user's device to any app installed on the phone, regardless of whether the app needs the data to function or holds any WiFi or location permission. The information can be used for any number of nefarious purposes, including physically locating the user: a BSSID is the MAC address of the access point, and public WiFi geolocation databases map BSSIDs to physical locations. Any app can register a broadcast receiver for the WifiManager and WifiP2pManager system broadcasts and read data such as the device's WiFi MAC address, the network name (SSID) and the BSSID straight from the intent extras. After being informed of the problem in March, Google fixed the issue in August with the release of Android 9 (Pie). However, it said that it does not plan to fix older versions of the OS, so users should upgrade as soon as possible.
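The receiver below is an added illustration of the mechanism described above; it is not code from the show, from Nightwatch, or from Google. It is a hypothetical Android activity (class and tag names are invented) whose manifest declares no permissions at all. On Android versions before 9 it receives the device's SSID and BSSID from the WifiManager broadcast and the device's own WiFi MAC from the WifiP2pManager broadcast; all of the action and extra constants used are the public Android SDK ones. It runs only on a device or emulator, not stand-alone.

```java
import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.wifi.WifiInfo;
import android.net.wifi.WifiManager;
import android.net.wifi.p2p.WifiP2pDevice;
import android.net.wifi.p2p.WifiP2pManager;
import android.os.Bundle;
import android.util.Log;

// Hypothetical demo activity (added example, not Nightwatch's code).
// The manifest for this app declares NO permissions: no ACCESS_WIFI_STATE,
// no location permission. That is the point of the finding: the data arrives
// in system broadcasts that the OS delivers to every registered receiver.
public class WifiBroadcastLeakActivity extends Activity {
    private static final String TAG = "WifiBroadcastLeak"; // assumed name

    private final BroadcastReceiver receiver = new BroadcastReceiver() {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            String action = intent.getAction();
            if (WifiManager.NETWORK_STATE_CHANGED_ACTION.equals(action)) {
                // Before Android 9 the WifiInfo extra carried the real SSID/BSSID.
                WifiInfo info = intent.getParcelableExtra(WifiManager.EXTRA_WIFI_INFO);
                if (info != null) {
                    // getMacAddress() has returned the constant 02:00:00:00:00:00
                    // to apps since Android 6.0; the real MAC leaked via the
                    // P2P broadcast handled below, not via this getter.
                    Log.i(TAG, "SSID=" + info.getSSID()
                            + " BSSID=" + info.getBSSID()
                            + " MAC(masked)=" + info.getMacAddress());
                }
            } else if (WifiP2pManager.WIFI_P2P_THIS_DEVICE_CHANGED_ACTION.equals(action)) {
                // Before Android 9 this extra exposed the phone's own WiFi MAC.
                WifiP2pDevice dev =
                        intent.getParcelableExtra(WifiP2pManager.EXTRA_WIFI_P2P_DEVICE);
                if (dev != null) {
                    Log.i(TAG, "P2P deviceAddress=" + dev.deviceAddress);
                }
            }
        }
    };

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        IntentFilter filter = new IntentFilter();
        filter.addAction(WifiManager.NETWORK_STATE_CHANGED_ACTION);
        filter.addAction(WifiP2pManager.WIFI_P2P_THIS_DEVICE_CHANGED_ACTION);
        // Dynamic registration: no permission is required to listen for these
        // system broadcasts, and no permission check guards their payload.
        registerReceiver(receiver, filter);
    }

    @Override
    protected void onDestroy() {
        unregisterReceiver(receiver);
        super.onDestroy();
    }
}
```

On Android 9 the same receiver still fires, but per Google's fix the sensitive fields are no longer populated in the broadcast extras; on older releases the only remedy is a newer OS. For app triage, a cheap static check is to grep a third-party APK's classes for these two action strings in an app that declares no WiFi or location permission and has no obvious reason to care about network state.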
- The Linux Foundation Set to Improve Open-Source Code Security - The Linux Foundation is set to expand its Core Infrastructure Initiative (CII) for improving open-source code security, which was initially set up in the aftermath of the OpenSSL Heartbleed vulnerability in 2014. In a video interview at the Open Source Summit, Jim Zemlin, Executive Director of the Linux Foundation, explains why the CII remains a critical effort for his organization and what is coming next to help improve open source security. "Most security vulnerabilities are just bugs," Zemlin said.
- Google 'Titan Security Key' Is Now On Sale For $50 - Google's Titan Security Key is a tiny USB device, similar to Yubico's YubiKey, that offers hardware-based two-factor authentication (2FA) for online accounts using the FIDO U2F standard. Because the key signs a challenge bound to the site's origin, a phishing page cannot replay the login to the real site, which is what makes this class of 2FA far stronger against phishing than SMS or TOTP codes. Google's Titan Security Key is now widely available in the United States, with a full kit available for $50, which includes: USB security key, Bluetooth security key, USB-C to USB-A adapter, USB-C to USB-A connecting cable.
- Thousands of MikroTik Routers Hacked to Eavesdrop On Network Traffic - Chinese security researchers at Qihoo 360 Netlab found that, of roughly 370,000 potentially vulnerable MikroTik routers, more than 7,500 have been compromised and configured to forward their owners' traffic to attacker-controlled hosts, allowing the attackers to eavesdrop on the targeted network traffic, with activity dating back to mid-July. A far larger number of devices had the RouterOS Socks4 proxy maliciously enabled, turning them into relays for the attackers. If you run RouterOS, update it, confirm the Socks4 proxy (/ip socks) is disabled unless you deliberately use it, and check that the packet sniffer (/tool sniffer) is not streaming to an address you do not recognise.
- Researchers show Alexa skill squatting could hijack voice commands - Thanks to the way Alexa handles requests for new "skills" (the cloud applications that register with Amazon), it's possible to create malicious skills whose names are homophones of existing legitimate applications, so a spoken request for the real skill can be routed to the impostor. Amazon made all skills in its library available by voice command by default in 2017, and skills can be "installed" into a customer's library by voice. This is interesting and difficult to target, but it is a concern for Amazon users.
- John McAfee's 'unhackable' Bitcoin wallet is hackable, company admits - Two weeks ago, it seemed safe to say that John McAfee's supposedly "unhackable" cryptocurrency wallet had been hacked. (It's been nearly four weeks since the first security researchers reached that conclusion.) But it's only today, in the wake of yet another hack (more details at the link), that wallet-maker Bitfi has decided to admit defeat. If you say "unhackable", someone will hack it.
- Thousands of misconfigured 3D printers on interwebz run risk of sabotage - Xavier Mertens, a senior handler for the SANS Internet Storm Center (ISC) and freelance cybersecurity consultant, found more than 3,700 3D printers directly connected to the internet. "These printers are controlled using the open source software package 'OctoPrint' but it's likely there are other tools that are similarly affected. OctoPrint is not meant to be exposed in this way, and it explains in its documentation how to deploy the software in a safe way," Mertens explained. In practice that means enabling OctoPrint's built-in access control and reaching it over a VPN or an authenticating reverse proxy rather than port-forwarding it to the internet; an unauthenticated instance lets anyone download print jobs, upload modified G-code, or change heater settings.
- Researchers Used Sonar Signal From a Smartphone Speaker to Steal Unlock Passwords - SonarSnoop, a side-channel attack demonstrated by researchers at Lancaster University and Linköping University, turns the phone into a sonar: a malicious app plays inaudible sound through the speaker and records the reflections with the microphone (needing only the app's microphone permission), tracking the finger as it draws the unlock pattern. Instead of brute forcing the pattern by trying all the possible combinations or looking over the person's shoulder, SonarSnoop exploits secondary information that also reveals it, in this case the acoustic signature of entering the pattern on the device.
Expert Commentary: Ron Gula, Gula Tech Adventures, Political Campaign Security
Ron started his cybersecurity career as a network penetration tester for the NSA. At BBN, he developed network honeypots to lure hackers and he ran US Internetworking's team of penetration testers and incident responders. As CTO of Network Security Wizards, Ron pioneered the art of network security monitoring and produced the Dragon Intrusion Detection System which was recognized as a market leader by Gartner in 2001. As CEO and co-founder of Tenable Network Security, Ron led the company's rapid growth and product vision from 2002 through 2016. He helped them scale to more than 20,000 customers worldwide, raise $300m in venture capital and achieve revenues in excess of $100m annually.