HNNEpisode189

From Paul's Security Weekly

Hack Naked News #189

Recorded September 18, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Join us for our Webcast with LogRhythm about "Tips & Tricks for Defending the Enterprise Using Open Source Tools". The webcast will be held September 27 @3:00PM EST!
    • DerbyCon is holding its first-ever Mental Health & Wellness Workshop - to help support their efforts, please go to https://www.derbycon.com/wellness

    Security News

    1. drone-assassins-are-cheap-deadly-and-available-your-local-store - This article tells the story of an assassination attempt via drone: In the heart of Venezuela's capital, Caracas, Nicolás Maduro was delivering a rousing speech. He stood high on a podium, speaking to a parade of military troops. The event was broadcast live on national TV. An hour in, the Venezuelan president flinched. His eyes widened. An unexpected object flew by...Two minutes later, an explosion thundered overhead. Reports put it at less than a football field away. Bodyguards rushed to surround the president. Fourteen seconds passed, and then a second explosion reverberated two blocks away. The attack injured seven soldiers. Defense is not easy: shooting them down, jamming, and nets are only so effective.
    2. Malware-less Email Attacks Increasingly Common, FireEye Finds - FireEye considers impersonation and BEC to be a class of attack it refers to as malware-less—that is, there is no executable virus or file that is directly associated with the attack. According to the report, 90 percent of all email attacks blocked by FireEye in the first half of 2018 were malware-less, with only 10 percent containing some form of malware, including ransomware, viruses or spyware. The article does not get into specifics, however I do see document-based attacks as popular, and of course emailing a link or social engineering someone to transfer funds by impersonating senior management are all likely attacks.
    3. Public Shaming of Companies for Bad Security - Schneier on Security - Shaming. Or chastising, putting them in their place or taking them down a peg or two. Whatever synonym you choose, the underlying criticism is that the outraged group is wrong for expressing their outrage towards the organisation involved, especially if it's ever construed as being targeted towards whichever individual happens to be the mouthpiece of the organisation at the time. Shame, those opposed to it will say, is not the way. I disagree and I want to explain - and demonstrate - precisely why
    4. State Department shamed for poor adoption of multi-factor authentication | ZDNet - Does public shaming work when the Government is the target of said shaming? Five US senators have sent a letter to Secretary of State Mike Pompeo requesting answers why the State Department has not widely deployed basic cyber-security protections, such as multi-factor authentication (MFA). The five senators cite two recent governmental reports in their letter, reports that pinpoint serious issues with the State Department implementing cyber-security best practices.
    5. MS-ISAC Releases Advisory on PHP Vulnerabilities | US-CERT - Announced on Sept 13, MS-ISAC advises that everyone upgrade to the latest versions of PHP to avoid being vulnerable: Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow an attacker to execute arbitrary code...Successfully exploiting the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.
    6. Apple Has Started Paying Hackers for iPhone Exploits - Question is, does this make good financial sense for Apple? At the beginning, Apple struggled to woo researchers and convince them to report high-value bugs. For the researchers, the main issue was that the bugs they discovered were too valuable to report to Apple, despite rewards as high as $200,000. Companies like GrayShift and Azimuth made an entire business out of exploiting vulnerabilities in Apple products, while other researchers didn't want to report bugs so they could keep doing research on iOS. But two years later, some researchers are finally reporting vulnerabilities to Apple, and the company has begun to award some researchers with bounties. I think it may, even if the bounties are a high payout.
    7. Nasty piece of CSS code crashes and restarts iPhones | ZDNet - Maybe Apple is worried because of things like this: A security researcher has discovered a vulnerability in the WebKit rendering engine used by Safari that crashes and restarts the iOS operating system used by iPhones and iPads. The vulnerability can be exploited by loading an HTML page that uses specially crafted CSS code. The CSS code isn't very complex and tries to apply a CSS effect known as backdrop-filter to a series of nested page segments (DIVs).
    8. Old WordPress Plugin Being Exploited in RCE Attacks - Researchers are warning that attackers are abusing a vulnerability in WordPress site admins’ outdated versions of a migration plugin called Duplicator – allowing them to execute remote code. Made by Snap Creek Software, all Duplicator plugins earlier than version 1.2.42 are vulnerable to the attack. As the name suggests, the plugin facilitates the migration of a site by allowing the website admin to duplicate the WordPress site.
    9. RDP Ports Prove Hot Commodities on the Dark Web - Economics as applied to evil hackers: Someone who finds 100 exposed RDP servers can, instead of selling access on a forum for $10 each, figure out who they belong to, says Wisniewski. Low-value credentials sell in bulk for cheap, but high-value targets can go for markedly higher prices – up to tens of thousands of dollars. The high dollar value is limited to adversaries who want that specific access.
    10. Zero-Day Bug Allows Hackers to Access CCTV Surveillance Cameras - When will we see a decline in IoT vulnerabilities? Between 180,000 and 800,000 IP-based closed-circuit television cameras are vulnerable to a zero-day vulnerability that allows hackers to access surveillance cameras, spy on and manipulate video feeds or plant malware. According to a Tenable Research Advisory issued Monday, the bugs are rated critical and tied to firmware possibly used in one of 100 different cameras that run the affected software. NUUO, the Taipei, Taiwan-based company that makes the firmware, is expected to issue a patch for the bug Tuesday. The company lists over 100 different partners including Sony, Cisco Systems, D-Link and Panasonic. It’s unclear how many OEM partners may use the vulnerable firmware.
    11. FreeBSD has its own TCP-queue-of-death bug, easier to hose than Linux's SegmentSmack - Holy crap, fragmentation reassembly attacks! Attributed to SegmentSmack discoverer Juha-Matti Tilli of Aalto University in Finland, the FreeBSD TCP issue is related to how the operating system's networking stack reassembles segmented packets. Much in the same way Linux kernel versions 4.9 and higher can be brought down by bad network traffic, a sequence of maliciously crafted packets can also crash FreeBSD machines. FreeBSD 10, 10.4, 11, 11.1, and 11.2 are affected, and the maintainers have released patches to mitigate the programming cockup. In the open-source operating system project's advisory for CVE-2018-6922 (Linux's SegmentSmack was assigned CVE-2018-5390), the problem was this week described as an “inefficient algorithm” involving a segment reassembly data structure.
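
    Item 2 above makes the point that a malware-less impersonation or BEC message gives a file scanner nothing to catch, so the signals have to come from the headers and the text. The script below is an added example, not code from Security Weekly, FireEye or the article; it scores a raw message on four such signals (an executive's display name on a foreign mailbox, a lookalike sender domain, a Reply-To that leaves the sender's domain, and payment or urgency lure phrases). The organisation domain, the executive roster and both sample messages are constructed for the demonstration.

```python
import email
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain and a roster of
# executives whose names get borrowed (display name -> their real mailbox).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Phrases that recur in payment-diversion lures; one point each, capped at two.
LURE_PHRASES = ("wire transfer", "urgent", "gift card", "invoice", "confidential")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def levenshtein(a, b):
    """Edit distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def confusable_domain(domain, legit=ORG_DOMAIN):
    """True if domain imitates the legit domain without being it or a subdomain of it."""
    domain = domain.lower()
    if domain == legit or domain.endswith("." + legit):
        return False
    return levenshtein(domain, legit) <= 1 or legit in domain


def screen_message(raw):
    """Score an RFC 5322 message for impersonation signals; higher is more suspicious."""
    msg = email.message_from_string(raw)
    v = Verdict()
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Display name borrowed from an executive, but the mailbox is not theirs.
    real = EXECUTIVES.get(" ".join(name.lower().split()))
    if real and addr.lower() != real:
        v.add(3, f"display name {name!r} matches an executive but sender is {addr}")

    # 2. Sender domain is a lookalike of our own.
    if confusable_domain(from_domain):
        v.add(3, f"sender domain {from_domain} imitates {ORG_DOMAIN}")

    # 3. Replies are steered to a mailbox outside the sender's domain.
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        v.add(2, f"Reply-To {reply} leaves the sender's domain")

    # 4. Payment or urgency lures in subject and body.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        v.add(min(len(hits), 2), "lure phrases: " + ", ".join(hits))
    return v


def is_suspicious(raw, threshold=3):
    return screen_message(raw).score >= threshold


# Constructed sample messages (not real traffic).
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.example.net
To: accounts@example.com
Subject: Urgent wire transfer before close of business

Please pay the attached invoice today. I am in meetings all day, reply here only.
"""

LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 board deck

Attached is the draft deck for Thursday's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        v = screen_message(sample)
        print(f"{label}: score={v.score} suspicious={is_suspicious(sample)}")
        for r in v.reasons:
            print("  -", r)
```

    The constructed BEC sample trips all four checks and scores 10; the legitimate note from the same executive scores 0. The threshold of 3 is chosen so that any single strong signal (name/mailbox mismatch or lookalike domain) is enough to hold the message for review, while lure phrases alone are not.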

    Expert Commentary: Jason Wood, Paladin Security

    The Effectiveness of Publicly Shaming Bad Security

    Troy Hunt published an interesting, and often entertaining, post on how effective shame is at getting companies to change bad security controls. I’ll be honest, my first thought was that Troy was going to talk about how people give a detailed analysis of incidents that they don’t have any involvement or real information on. Those always annoy me. But that’s not what he did at all. Instead, he is focusing on when you notice a company doing security badly, or not doing security at all, and you say something about it on social media. And he gives some interesting examples of what can happen.

    Here’s one that made me laugh and cry. Troy noticed a tweet by a UK company telling one of their customers that they should never use password managers and that they have taken steps to prevent their use “for security reasons.” Wait, what? Ok, MFA aside, a password manager is about the only way anyone can not re-use passwords, have reasonably strong passwords, and be able to get into all these sites. Troy calls them on it with a request for someone in the UK to go straighten them out. In this case, it doesn’t appear that they’ve fixed the issue. However, in other examples, the companies being criticized did change what they were doing.

    Sometimes other companies are seeing these public responses and use this as an example of what could happen to them. The information gets forwarded up the chain and suddenly something that would take months of development time and tons of money gets fixed in short order. He quoted one security professional at a bank who sent Troy for publishing something that allowed him to get something fixed that he had been fighting for 6 months to get done.

    Ok, so public shaming, even though I personally don’t prefer it, appears to work. How you go about calling out an issue can go a long way to helping things along. Troy gives some advice. First, don’t be rude and abusive. There’s plenty of that already going on out there. Read the comments on a news article and watch your faith in humanity die a bit. Don’t be one of those folks. Be polite, be firm, and don’t shy away when they tell you that you are wrong. You can probably even call in reinforcements with an @troyhunt or someone like that.

    Troy also has some advice if you are responsible for responding to such feedback for your employers on social media.

    • Never get drawn into technical debates
    • Never allow public debate to escalate
    • Always take potentially volatile discussions off the public timeline
    • Make technical people available (privately)
    • Never be dismissive

    If you are not responsible for responding on social media, you can always pass this list on to those who are. Our organizations should be prepared to respond to things like this and if we don't prepare those who are managing social media, they can inadvertently make a bad situation worse.

    You may or may not be comfortable with calling a company out for doing something dumb. You may find great joy in doing so. You, like me, may have some concerns as to how effective this is at making positive change and in general acting like a mob with torches and pitchforks. However, Troy does make some good points here. Polite public shaming can cause an organization to improve what they are doing. It may help people in the organization who are making those same points. But if there was a question about whether social shaming can make improvements, Troy makes a pretty good argument that it can.
