HNNEpisode188

From Paul's Security Weekly

Hack Naked News #188

Recorded September 11, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Join us for our Webcast with LogRhythm about "Tips & Tricks for Defending the Enterprise Using Open Source Tools". The webcast will be held September 27 @3:00PM EST!
    • DerbyCon is holding its first-ever Mental Health & Wellness Workshop - to help support their efforts, please go to https://www.derbycon.com/wellness

    Security News

    1. How to steal a Tesla Model S in seconds | ZDNet - Researchers at the KU Leuven University in Belgium discovered that the fobs, which can be used to unlock vehicles, came with poor cryptographic and encryption standards. As reported by Wired, by using roughly $600 in radio and PC equipment, the team were able to read the signals from a Tesla key fob, clone the key, open the car and drive away in no time at all. And if you own a Tesla, you will be able to get a new keyfob: Tesla has worked with their supplier to boost the cryptographic standards of key fobs from June, and a corresponding software update will allow owners of vehicles built prior to this month to switch to new key fobs if they so choose.
    2. That British Airways breach shows hackers finetuning e-commerce attacks - The baggage claim page contained a JavaScript library that sent all the data on the screen to the URL "baways.com." The hackers would obtain a copy of the data while the victim was sending that personal and financial information to the airline, without realizing that anything was wrong. Likely an XSS vulnerability, and this story got a ton of press, not sure why as it's not all that interesting!
    3. US government releases post-mortem report on Equifax hack | ZDNet - Equifax made a lot of mistakes, including this one: Equifax IT administrators circulate this advisory on an internal mailing list. Unbeknownst to its IT administrators, the mailing list was out-of-date and did not include all its systems administrators, indirectly leading to an incomplete patch of Equifax's servers. Underscoring the point that security is not all about products, but more about communication and process.
    4. Microsoft extends security patch support for some Windows 7 users - As the article states: Microsoft is offering an olive branch to companies taking too long to upgrade from Windows 7, the company revealed last week. It will provide security updates for another three years as it tries to help business customers migrate to Windows 10 – but they’ll have to pay for the privilege. Not sure if paying for something is an "olive branch". Also, does this encourage bad behavior? Will companies drag their feet updating because they can pay for a pass? The larger question is does this really matter to your security posture? All good questions, and topics to discuss within your respective organizations.
    5. Keybase browser extension weakness discovered - If you are using Keybase, be aware of the encryption limitations in the browser plugin: Behind the scenes, every message sent via browser chat is passed to the local desktop app, which is the bit that does the encryption. However, according to Palant, messages are unencrypted as they are sent to the app – hardly the “end-to-end encryption” promised on the Keybase website.
    6. Trend Micro apologises after Mac apps found scooping up users' browser history - Browser history is a big deal for privacy, but also could reveal internal servers and applications: Trend Micro has confirmed reports that some of its Mac consumer products were silently sending users’ browser history to its servers, and apologised to customers for any “concern they might have felt.” However, in an advisory on its blog, the well-known internet security firm maintained that all collected data was “safe and at no point was compromised.”
    7. Tor(ched): Zerodium drops exploit for version 7 of anonymous browser - I find Tor browsers to be riddled with bugs and vulnerabilities: Bug broker Zerodium has released word of a flaw in the Tor browser that would potentially allow an attack site to bypass security protections and execute malicious code in the supposedly secure internet system.
    8. ProtonVPN, NordVPN Flaws Open Door to Privilege Escalation - Trusting a VPN service is hard, especially given the latest round of vulnerabilities: The vulnerabilities disclosed this month are related to a critical bug previously discovered by VerSprite in April 2018: CVE-2018-10169, which affected both services. It allowed an attacker with access to the target PC to use a specially crafted malicious OpenVPN configuration file, which the service would use to execute a user’s VPN connection instead of a legitimate file. Thus, it offered an adversary escalated privileges.
    9. Adobe Patches Six Critical Flaws in ColdFusion - Are people still using ColdFusion? I believe there are better options, though I am curious what the use cases are for using it, especially given these vulnerabilities: Adobe has released patches fixing six critical vulnerabilities in its ColdFusion product that could lead to arbitrary code execution. The flaws impact Adobe’s ColdFusion product, the company’s commercial web application development platform. Impacted are the 2016 (Update 6 and earlier versions) and the July 12 (2018) release of ColdFusion, as well as ColdFusion 11 (Update 14 and earlier versions).

    Expert Commentary: Jason Wood, Paladin Security

    Governments commit to fighting encryption, and tech companies will have to cooperate

    We’ve covered the issue of governments calling for access to encrypted data several times already, but there have been some new developments that I want to discuss today. Because we are in the US we tend to be a bit more US-centric, but in this case we are going international. Two weeks ago, the “Five Eyes” governments, the United States, the United Kingdom, Canada, Australia, and New Zealand, met to discuss areas of cooperation and information sharing. One of the topics discussed was the widespread use of encryption and its impact on intelligence and law enforcement.

    Two documents were produced from these meetings that are of interest to governments’ efforts to weaken encryption. The first is titled “Five Country Ministerial 2018 Official Communiqué” and the second is “Statement of Principles on Access to Evidence and Encryption.” The Official Communiqué included a paragraph on encryption towards the end of the document that states that the governments have no interest in weakening encryption mechanisms, but then goes on to make the case that encryption must be reversible to governments. In spite of this intent, the act of making encryption reversible weakens it. It then links to the second document on evidence and encryption.

    The “Statement of Principles on Access to Evidence and Encryption” is where things get concerning to us in the latest round of the encryption war. It starts out detailing the challenges that encryption poses and details some of the crimes that criminals use encryption to hide. It links the need to access encrypted data to the established procedures of getting warrants and searching buildings and vehicles. It lays out several principles for access to encrypted data. The last one is where they lay down an ultimatum on technology companies. “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.” Cooperate or we will force you to give us what we want.

    There are several things which concern me here, but the one that seems most apparent is that the tech companies will face five different governments demanding access to this data. Once they are compelled to provide access to encrypted data or weaken algorithms in one country, then it becomes available to all nations. It becomes straightforward for the other four nations to say, “Well you did it for this country. Why can’t you give us the data we need?” Countries known for actively oppressing their people will demand the access as well. Once one country forces a tech company to their will, then that company falls to the other governments as well. Australia is making the first legislative attempt to require access to encryption. The law is currently being debated and has not yet been signed into law.

    The intent of these nations strikes me as a Pandora’s box that will turn into a mess. The Five Eyes don’t mind encryption as long as they can have access to the data. They will not like it when they realize the tech companies will be forced to provide this data to nations such as China, Russia, and more. Once it results in news headlines, there will be inquiries, congressional hearings, and outrage. The same politicians and officials will be outraged at tech companies for selling out activists, business secrets, and more.

    The only way that I can see to slow this down is for citizens in each of the countries to become informed and make their voices known on the issue in their country and to their fellow citizens. If this concerns you, then I recommend that you write to your representatives in Congress or Parliament. Let them know what your opinion is.

    Five Country Ministerial 2018 Official Communiqué

    Statement of Principles on Access to Evidence and Encryption
