HNNEpisode191

From Paul's Security Weekly

Hack Naked News #191

Recorded October 2, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Announcements:

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • DerbyCon is holding its first-ever Mental Health & Wellness Workshop - to help support their efforts, please go to DerbyCon.com/wellness
    • Join us for our Webcast with DomainTools about How To Analyze And Investigate Malicious JavaScript Attacks on October 11 at 3-4pm EST. Go to securityweekly.com/domaintools to register now!

    Security News

    1. Robocallers slapped with huge fines for using spoofed phone numbers - We need more of this, er, cracking down on this: The calls also appeared to come from unassigned phone numbers and numbers assigned to pre-paid “burner” phones, the FCC said. The caller ID was spoofed in every one of the millions of calls, making it impossible to identify who was actually calling. The FCC pointed to one poor soul whose phone number was hijacked in order to make those calls. The Arizona woman said she received more than five calls a day on her cell phone, all coming from irate people complaining about the telemarketing calls they got from “her” phone number.
    2. 100,000 home routers recruited to spread Brazilian hacking scam - Don't be misled by the headline: this is not a scam, it's unauthorized access to your home router. This attack has been around for well over 10 years: The attackers were trying to get control of the target machines either by guessing the web admin password, or through a vulnerable DNS configuration CGI script (dnscfg.cgi). If they get control of a device, they change the router's default DNS server to their own “rogue” machine.
    3. Haven't updated your Adobe PDF software lately? Here's 85 new reasons to do it now - Because PDF readers have become such a popular target for email and web-based malware attacks, users and admins alike would do well to test and install the updates as soon as possible. Exploit-laden PDFs have for more than a decade proven to be one of the most reliable ways to put malware on someone's machine. Except malware being distributed by a PDF document is so 10 years ago, and most email protection solutions will spot a malicious PDF a mile away. Office documents are far more popular.
    4. Nine NAS Bugs Open LenovoEMC, Iomega Devices to Attack - Lots of steps here: "[1] A hypothetical attack would first include luring an authenticated NAS user of one of the devices to a specially crafted malicious website designed to steal the user’s access token and a session cookie-like identifier, called a “__c parameter”." Then "[2] The next step in the attack, after acquiring a target’s NAS access token and “_c parameter” is finding the static IP address the NAS is running on", which uses brute-force techniques. I don't think you need to sound the alarm on this one and drop everything and patch, as this is tricky to pull off.
    5. Google Announces 5 Major Security Updates for Chrome Extensions - Finally, some much-needed controls for Chrome extensions: users will be able to control when and how Chrome extensions can access site data, allowing them to restrict access for all sites and then grant temporary access to a specific website when required, or enable permissions for a specific set of websites or all sites. And with Chrome 70, Google will also start performing a more in-depth review of extensions that ask for "powerful permissions." There are 5 total, including more in-depth code reviews for extensions that require more "powerful" permissions.
    6. Twitter bans distribution of hacked materials ahead of US midterm elections | ZDNet - Twitter already had rules in place that prohibited the distribution of hacked materials that contain private information or trade secrets, but after Monday's update, the platform's review teams will also ban accounts that claim responsibility for a hack, make hacking threats, or issue incentives to hack specific people and accounts. Twitter has been so diligent about enforcing policies and ridding the social network of bad behavior that I am... oh, never mind!

    Expert Commentary: Sven Morgenroth, Netsparker

    Sven Morgenroth, Security Researcher at Netsparker
    Sven Morgenroth is a security researcher at Netsparker. He found filter bypasses for Chrome's XSS auditor and several web application firewalls. He likes to exploit vulnerabilities in creative ways and has hacked his smart TV without even leaving his bed. Sven writes about web application security and documents his research on the Netsparker blog.
    1. Facebook Hacked 10 Important Updates You Need To Know About - [Paul] - Not a bad list...

