From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #198

Recorded November 27, 2018 at G-Unit Studios in Rhode Island!

Episode Audio


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Annoucements:

    • If you are interested in quality over quantity and having meaningful conversations instead of just a badge scan, join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass.
    • Join us for our Webcast with Chronicle entitled "Intelligence Powered Malware Hunting". This webcast will be held December 5th @3-4pm EST. Go to to register now!
    • Go to to register for stealthBITS webcast "Emerging & Continuing Trends in 2019: Privacy Regulations, Active Directory Security & Machine Learning" for an in-depth discussion from Gabriel Gumbs and myself. You can also view their assessment at:

    Security News

    1. Potentially disastrous Rowhammer bitflips can bypass ECC protections - Dubbed ECCploit, the new Rowhammer attack bypasses ECC protections built into several widely used models of DDR3 chips. The exploit is the product of more than a year of painstaking research that used syringe needles to inject faults into chips and supercooled chips to observe how they responded when bits flipped. The resulting insights, along with some advanced math, allowed researchers in Vrije Universiteit Amsterdam's VUSec group to demonstrate that one of the key defenses against Rowhammer isn't sufficient. I like Kenn's analysis from the article: Kenn White, an independent researcher who specializes in cloud security, told Ars. "I don't want to come across as a grumpy guy in the balcony, because this is grueling work that took hundreds of hours to pull off. But unless you can demonstrate a real exploit, it remains in the confines of endpoints and on-premise hardware.
    2. Facebook to pay ethical hackers $40,000 for reporting a single account-takeover bug - Facebook is extending an olive branch to the ethical hacker community, increasing its bug bounty rewards while decreasing the technical overhead. White hats can earn as much as $40,000 for a single account-takeover bug. The announcement was made on the social network’s Bug Bounty page, where Facebook encourages white hat hackers to poke at the platform in every way imaginable to find any undiscovered flaws before bad actors do so. But despite boasting a bug bounty program for over 7 years now, Facebook has been plagued by leaks and attacks. In an effort to thwart these business-wrecking occurrences, the company is now planning to give ethical hackers more incentive to find holes in its platform.
    3. Worm Using Removable Drives to Distribute BLADABINDI Backdoor - Yep, attackers are still using this method: In mid-November, researchers at Trend Micro first observed the worm, which the security firm detects as “Worm.Win32.BLADABINDI.AA.” They’re still investigating the threat’s exact method for infecting a system. But after analyzing its propagation routine, the researchers determined that the worm likely propagates and enters a system through removable drives. Specifically, they spotted the worm installing a hidden copy of itself on any removable drive connected to the infected system.
    4. Malicious developer distributed tainted version of Event-Stream NodeJS Module to steal Bitcoins - This is an example of the dangers of open-source software: The Event-Stream library is a very popular NodeJS module used to allow developers the management of data streams, it has nearly 2 million downloads a week. It has been estimated that the tainted version of the library was downloaded by nearly 8 million developers. The library was created by Dominic Tarr, who maintained it for a long time, but when he left the project allowed an unknown programmer, called “right9ctrl” to continue its work.
    5. Germany proposes router security guidelines | ZDNet - I don't believe this will work, but noble effort: The German government published at the start of the month an initial draft for rules on securing Small Office and Home Office (SOHO) routers. Published by the German Federal Office for Information Security (BSI), the rules have been put together with input from router vendors, German telecoms, and the German hardware community. Once approved, router manufacturers don't have to abide by these requirements, but if they do, they can use a special sticker on their products showing their compliance.
    6. Uber fined $148m for data breach cover-up - Uber is to pay a fine of $148m and improve its data security as part of a legal settlement for attempting to cover up a data breach in 2016, which only came to light in 2017 when it emerged that 600,000 US drivers and 57 million user accounts had been affected, including an estimated 2.4 million in the UK. Covering up a breach does not pay, in fact, companies will be forced to pay!
    7. Microsoft yanks two buggy Office patches but keeps pushing one that crashes - Two related Office 2010 non-security patches issued on Nov. 6 were pulled on Nov. 17. KB 4461522 and KB 2863821 are both related to changes coming in the Japanese calendar next month attributed to the abdication of Emperor Akihito in favor of his son, Naruhito. The event has been compared to the Y2K problem in the west...Security patch KB 4461529 is still being distributed, in spite of acknowledged crashes — and the alternative may not work.
    8. Cisco Releases Second Patch for Webex Meetings Vulnerability | SecurityWeek.Com - Cisco has released a new round of patches for a potentially serious Webex vulnerability first addressed one month ago. The security hole, discovered by Ron Bowes and Jeff McJunkin of Counter Hack, is caused by insufficient validation of user-supplied parameters, allows a local and authenticated attacker to execute arbitrary commands with SYSTEM privileges. However, Cisco warned that remote exploitation may also be possible in Active Directory deployments.
    9. Malvertising Campaign Impacts Millions of iOS Users - According to researchers, those behind the malvertising campaigns typically inject malicious code into legitimate online ads and webpages, so when victims click those pages, they are forcefully redirected to a malicious page. In this case, the ad unit forcefully redirects mobile users to adult content and gift card scams. In this specific case, when users visited a web page, the malicious ad would execute embedded obfuscated JavaScript. Victims were then redirected to an array of malicious landing pages, including happy.hipstarclub[dot]com or happy.luckstarclub[dot]com. These landing pages typically impersonated Google Play apps, making them appear more legitimate

    Expert Commentary: Jason Wood, Paladin Security

    The FBI Created a Fake FedEx Website to Unmask a Cybercriminal

    Warrant obtained for the attempt

    This story reported by Motherboard had me laughing a bit due to the reversal of roles that occured. Normally, we read of spear phishing attempts being the domain of the bad guys, but in this case the FBI received a warrant authorizing them to use the same techniques against the crooks. It’s an interesting read to see the how the FBI went about this investigation.

    Things got started when a company received spear phishing attacks that impersonated their CEO. The accounts payable department received emails asking about what was supposed to be a new vendor. Tax forms and probably an invoice was sent to them and the company’s finance department sent out a $82,000 check. Apparently somebody realized this was dodgy because when the bad guys came back for more money using the same technique, the FBI was present.

    The FBI responded back to the request for more money with a request that they provide some information to a shipping website. In this case, it was a fake FedEx site that had been setup to try to capture the attacker’s source IP address. The site attempted to verify that the connection was not coming from proxy servers. Unfortunately, for the FBI the attempt did not work. The attacker did a number of checks from different IP addresses to see if the site was legit. They decided to pass and the FBI did not get the information it wanted.

    The FBI then moved on to more aggressive attempts to get the information they wanted. In this case, it was a Word document with a payload that contained an image hosted on an FBI controlled server. Hopefully the Word document would load the image and the FBI would capture the source IP. I wasn’t able to find information on whether this was successful or not.

    The Motherboard article goes on to cite another example of similar techniques being used by the FBI. One interesting note was that there was a rule change by the Justice Department around obtaining warrants. In the past, US judges could only sign warrants for computer systems inside their district. This has the obvious issue that in investigations like this, there’s no way to know where the computer system is located ahead of time. So the rule change now allows judges to sign warrants for computer systems that are outside of their district. To me this seems like an obviously necessary change to work with reality.

    There has long been discussion about hacking back for companies, but at this point this activity remains illegal. Law enforcement has greater authority in its activities and has the responsibility to find the criminals. In this case, their activity has some very narrow parameters and is limited to information gathering. It is possible that the owner of the site being emulated (in this case FedEx) could take issue with law enforcement using their brand. However, it is definitely stuff that penetration testers and red teamers use in their work. And I doubt that FedEx would fuss much in this case. Particularly since only the attacker was likely to run into the site. It is possible that someone could have stumbled into it, but mostly it would be bots and the attacker that would find it.

    Anyhow, if you are interested in reading some of the techniques that law enforcement is employing, then the article and supporting materials is worth a read. There is a link to the warrant obtained by the FBI as well. It’s a bit dry to read, but you can get the information directly from the source in that case.

    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+