Hack Naked News #196
Recorded November 13, 2018 at G-Unit Studios in Rhode Island!
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
- If you are interested in quality over quantity and having meaningful conversations instead of just a badge scan, join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass.
- Introducing the Android Ecosystem Security Transparency Report - Google Play Protect is built-in protection on Android devices that scans over 50 billion apps daily from inside and outside of Google Play. These scans look for evidence of Potentially Harmful Applications (PHAs). If the scans find a PHA, Google Play Protect warns the user and can disable or remove PHAs. In Android's first annual Android Security Year in Review from 2014, fewer than 1% of devices had PHAs installed. The percentage has declined steadily over time and this downward trend continues through 2018. The transparency report covers PHA rates in three areas: market segment (whether a PHA came from Google Play or outside of Google Play), Android version, and country. The most obvious takeaway is that the more recent versions of Android have less Potentially Harmful Apps.
- 1 Thing You Can Do To Make Your Internet Safer And Faster - A nice way to secure your DNS traffic: Any time you are on a public internet connection people can see what sites you visit. Even worse, your Internet Service Provider is very possibly selling all of your browsing history to the highest bidder. We have a tool called 18.104.22.168 which makes it easy to get a faster, more private, Internet experience, but it’s historically been too complex for many people to use, particularly on mobile devices. Today, we’re launching an app you (and everyone you know) can use to use 22.214.171.124 every time your mobile phone connects to the Internet. It’s a free, it’s easy, download it now.
- Vulnerabilities in SSD Encryption: Using osquery to Identify Vulnerable Windows Machines - Some really good practical advice to deal with the latest flaws in SSD encryption that we covered on Paul's Security Weekly last week: we’ll look at how you can identify which systems are running Bitlocker, and if they’ve been configured to default to the SSD’s hardware encryption. We’ll then review some possible steps to fix configurations to remove the vulnerability for good.
- Researcher Bypasses Windows UAC by Spoofing Trusted Directory - A security researcher from Tenable, Inc. recently discovered that it is possible to bypass Windows’ User Account Control (UAC) by spoofing the execution path of a file in a trusted directory...The researcher also published proof-of-concept code for this UAC bypass technique. All resources are available in the show notes.
- Hacking the hackers IOT botnet author adds his own backdoor on top of a ZTE router backdoor - A backdoor for the backdoor! A weaponized IoT exploit script is being used by script kiddies, making use of a vendor backdoor account to hack the ZTE routers. Ironically, this is not the only backdoor in the script. Scarface, the propagator of this code has also deployed his custom backdoor to hack any script kiddie who will be using the script.
- Between you, me and that dodgy-looking USB: A little bit of paranoia never hurt anyone - What would you do in this situation: Arriving at a recent conference organised by one of the government's many regulatory bodies, I received my obligatory lanyard – and something else, credit-card-shaped, emblazoned with the branding for event. "What's this?" I asked. "Oh, that's a USB key." I presume the conference organisers mistook my wild-eyed stare of disbelief as one of benevolent gratitude and admiration for their consideration of my storage needs. Who could have thought this gift a good idea? This is a really good reason not to distribute USB keys, very few will trust them.
- Botnet pwns 100,000 routers using ancient security flaw - This is just becoming common: No one patches flaws on routers, they are vulnerable to things such as UPnP vulnerabilities, then someone creates a botnet. The botnet covers 116 devices, including models from Billion, D-Link, Cisco Linksys (now Belkin), TP-Link, Zyxel, Broadcom itself, and several others.. Obligatory "turn off UPnP and update your router firmware" advice.
- That Domain You Forgot to Renew? Yeah, its Now Stealing Credit Cards - Brian Krebs reports: If you own a domain name that gets decent traffic and you fail to pay its annual renewal fee, chances are this mistake will be costly for you and for others. Lately, neglected domains have been getting scooped up by crooks who use them to set up fake e-commerce sites that steal credit card details from unwary shoppers. Makes sense that attackers would exploit this situation, full details from the Krebs blog.
- Google Hit With IP Hijack Taking Down Several Services - In the "Oops" category: Google G Suite yesterday had much of its traffic re-routed through Russia and dropped at China Telecom, according to the network intelligence company Thousand Eyes. Thousand Eyes at this time reported Google was victimized by a Border Gateway Protocol (BGP) hijacking attack. Google confirmed there was an issue, but does not believe it was done intentionally.
- Hackers Change WordPress Siteurl to Pastebin - From the original research that pointed out the attack patterns, Sucuri reports: We have noticed a growing number of WordPress-based sites that have had their URL settings changed to hxxp://erealitatea[.]net. Further investigations show that the issue is related to a security vulnerability in the WP GDPR Compliance plugin for WordPress (with 100,000+ active installations). (https://blog.sucuri.net/2018/11/erealitatea-net-hack-corrupts-websites-with-wp-gdpr-compliance-plugin-vulnerability.html) Recently it was reported that sites are now being redirected to a Pastebin site. Again, insert standard Wordpress advice on updating Wordpress, PHP and all of you plugins, etc...
This is a wild read that was published by Motherboard yesterday. Three years ago a company named Hacking Team was broken into by an attacker who goes by the moniker of Phineas Fisher. The attacker pillaged Hacking Team and published sensitive emails, files, and their source code into a 400 GB torrent file. It was a crushing breach for Hacking Team, though they have apparently survived the debacle. What is interesting is that Italian prosecutors requested to close the investigation and a judge has agreed because there are no more leads to follow. The attacker, Phineas Fisher, has gotten away with the breach!
You might not think this is too surprising, since attackers are frequently not caught. However, in this case Fisher has been making comments online and even did an off the wall interview via a puppet. Typically, you would expect the attacker to get away with it if they practiced good opsec and kept their mouth shut. In this case, Fisher was able to practice good opsec, even while maintaining a level of public profile to discuss the attack.
If you missed the news on the breach when it happened in 2015, here is a quick summary. The Hacking Team sells software to governments to conduct surveillance and offensive security operations. Apparently, Phineas Fisher broke into the Hacking Team via an unpatched firewall and VPN implementation. To add insult to injury, the firewall already had an updated system in place and was waiting to be decommissioned. This decommissioning was held up because one person was using the firewall. The organization was pillaged for data and once it was all gathered up, it was published online.
Hacking Team CEO, David Vincenzetti, blamed five former employees and pressed charges. Three years later, the judge wrote that “it’s clear that such a theory is completely groundless … and has not found any confirmation in any of the evidence acquired during the investigation.” At the end of the saga, no one knows who Phineas Fisher is and how many people may make up the identity.
The interesting thing to me in regards to this attacker is that Phineas Fisher has two very public breaches against companies that write surveillance and offensive tools to governments. They have a political bent and are skilled enough to be highly successful while staying anonymous. They didn’t make any mistakes that investigators were able to find that could pierce their operational security. Even with doing puppet voiced interviews via chat messages, Twitter posts, and writing their own narrative of what happened, they remained successfully anonymous.
So can attackers remain unknown online? At this point, yes they can. They have to work at it. They have to plan ahead and they are probably going to use stolen funds (bitcoin in this case) to avoid leaving a financial trail back to themselves. But it can be done. Check out the Motherboard articles in the show notes to see what one of these attackers did.