HNNEpisode199

From Paul's Security Weekly

Recorded December 4, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • If you are interested in quality over quantity and having meaningful conversations instead of just a badge scan, join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass.
    • Join us for our Webcast with Chronicle entitled "Intelligence Powered Malware Hunting". This webcast will be held December 5th @3-4pm EST. Go to securityweekly.com/chronicle to register now!
    • Go to https://go.stealthbits.com/2019trends to register for stealthBITS webcast "Emerging & Continuing Trends in 2019: Privacy Regulations, Active Directory Security & Machine Learning" for an in-depth discussion from Rod Simmons and Paul Asadoorian. You can also view their assessment at: https://www.stealthbits.com/assessment.

    Security News

    1. Hacker hijacks printers worldwide to promote popular YouTube channel - I'm not going to mention the YouTube channels involved because I believe this is an unethical way to garner attention and, ultimately, subscribers for your YouTube channel: The hacker scanned the Internet for printers with port 9100 open using Shodan and hacked them, publishing a message that invited the victims to unsubscribe from [a competing] channel and subscribe to [their own channel] instead. The attacker used the Printer Exploitation Toolkit (PRET) to compromise vulnerable printers. PRET is a legitimate tool developed by researchers from Ruhr-Universität Bochum in Germany for testing purposes. The case is very singular and raises the discussion about the importance of properly securing Internet-connected devices. Eh, it largely depends on the make, model and firmware revision to determine just what sort of attacks are possible. Sending rogue print jobs to the printer is pretty common across vulnerable printers on the Internet.
    2. Experts found data belonging to 82 Million US Users exposed on unprotected Elasticsearch Instances - More of this data exposure stuff going on: Experts from HackenProof discovered open Elasticsearch instances that expose over 82 million users in the United States. Elasticsearch is a Java-based search engine built on the free and open-source information retrieval software library Lucene. It is developed in Java and released as open source, and it is used by many organizations worldwide. Experts discovered 73 gigabytes of data during a regular security audit of publicly available servers. Using the Shodan search engine the experts discovered three IPs associated with misconfigured Elasticsearch clusters. But was the data intended to be public already?
    3. Fake iOS Fitness Apps Steal Money | SecurityWeek.Com - Tricky: The trick used by the fake fitness apps is fairly simple: they ask the user to scan their fingerprint, supposedly for fitness-tracking purposes, but instead use this to activate a dodgy payment mechanism. Once the user complies with the request and places their finger on the iOS device’s fingerprint scanner, a pop-up showing a payment amounting to $99.99, $119.99 or 139.99 EUR is briefly displayed. “This pop-up is only visible for about a second, however, if the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams,
    4. M2M Protocols Expose Industrial Systems to Attacks | SecurityWeek.Com - Some machine-to-machine (M2M) protocols can be abused by malicious actors in attacks aimed at Internet of Things (IoT) and industrial Internet of Things (IIoT) systems, according to research conducted by Trend Micro and the Polytechnic University of Milan. The security firm has analyzed two popular M2M protocols: Message Queuing Telemetry Transport (MQTT), which facilitates communications between a broker and multiple clients, and the Constrained Application Protocol (CoAP), a UDP-based server-client protocol that allows HTTP-like communications between nodes.
    5. Cisco Patches Critical Bug in License Management Tool - “The vulnerability is due to a lack of proper validation of user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application,” according to the Cisco Security Advisory. “A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres user.”
    6. It's nearly 2019, and your network can get pwned through an oscilloscope - Special-purpose devices such as this tend to have many security vulnerabilities: On Friday, SEC Consult said it had uncovered a set of high-impact vulnerabilities in electronic testing equipment made by Siglent Technologies. In particular, the bug-hunters examined the Siglent SDS 1202X-E Digital line of Ethernet-enabled oscilloscopes and found the boxes were lacking even basic security protections. Among the flaws found by researchers was the use of completely unauthenticated and unguarded TCP connections between the oscilloscopes and any device on the network, typically via the EasyScopeX software, and the use of unencrypted communications between the scope and other systems on the network.
    7. Dell Resets All Customers' Passwords After Potential Security Breach - On November 9, Dell detected and disrupted unauthorized activity on its network attempting to steal customer information, including their names, email addresses and hashed passwords. According to the company, the initial investigation found no conclusive evidence that the hackers succeeded in extracting any information, but as a countermeasure Dell has reset passwords for all accounts on the Dell.com website, whether the data had been stolen or not.
    8. Marriott hack hits 500 million Starwood guests - You might have heard: The records of 500 million customers of the hotel group Marriott International have been involved in a data breach. The hotel chain said the guest reservation database of its Starwood division had been compromised by an unauthorised party. It said an internal investigation found an attacker had been able to access the Starwood network since 2014. The company said it would notify customers whose records were in the database. Marriott International bought Starwood in 2016, creating the largest hotel chain in the world with more than 5,800 properties.
    9. Critical Privilege Escalation Flaw Patched in Kubernetes | SecurityWeek.Com - A critical privilege escalation vulnerability has been found in Kubernetes, the popular open-source container orchestration system that allows users to automate deployment, scaling and management of containerized applications. The vulnerability, discovered by Rancher Labs Co-founder and Chief Architect Darren Shepherd, is tracked as CVE-2018-1002105 and it has been assigned a CVSS score of 9.8. It can allow an attacker to escalate privileges by sending specially crafted requests to the targeted server.
    10. Google Patches 11 Critical RCE Android Vulnerabilities - Android update time! Remote code-execution (RCE) vulnerabilities dominated Google’s December Android Security Bulletin. The flaws are part of a total of 53 unique bugs patched by the Android security team, with a total number of 11 critical bugs – six of which are RCE flaws tied to the operating system’s Media Framework and System components. According to Google, there are no reports that any of the unique bugs have been exploited or abused in the wild. Patches apply to Google’s Pixel and Nexus devices along with flagship Android phones from Samsung, LG, HTC and others. Over-the-air updates will be sent to Google handsets, and update schedules for other device manufacturers and mobile carriers will vary, according to the bulletin.
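For item 2, the question worth asking of your own clusters is whether the REST API is bound beyond loopback with no authentication in front of it. The following is an added example, not code from the article or from HackenProof: a small check over the flat `key: value` lines of an `elasticsearch.yml`. The two config fragments are constructed samples, and the `xpack.security.enabled` check assumes a version and license where that security module is available.

```python
# Added example (not from the article): audit elasticsearch.yml settings to decide
# whether the HTTP API is reachable beyond the host without authentication.
# The two config fragments below are constructed samples, not real deployments.

EXPOSED_CONFIG = """
cluster.name: prod-search
network.host: 0.0.0.0        # listens on every interface
http.port: 9200
"""

HARDENED_CONFIG = """
cluster.name: prod-search
network.host: 127.0.0.1      # loopback only; put a reverse proxy or VPN in front
http.port: 9200
xpack.security.enabled: true # assumes a version/license where the security module exists
"""

# Values Elasticsearch treats as a loopback bind. When network.host is unset the
# default is _local_, which is why an out-of-the-box install is not exposed.
LOOPBACK_VALUES = {"_local_", "127.0.0.1", "::1", "localhost"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines used in elasticsearch.yml into a dict.

    Only the flat form is handled on purpose; nested YAML would need a real parser.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_exposure(config_text):
    """Summarise whether the REST API is bound beyond loopback without auth enabled."""
    s = parse_flat_yaml(config_text)
    # http.host overrides network.host for the REST listener when it is present.
    bind = s.get("http.host", s.get("network.host", "_local_"))
    # The setting may be a YAML list ("[a, b]"); check every value in it.
    bind_values = [v.strip() for v in bind.strip("[]").split(",") if v.strip()]
    beyond_loopback = any(v not in LOOPBACK_VALUES for v in bind_values)
    # Conservative assumption: an absent setting counts as no authentication.
    auth_enabled = s.get("xpack.security.enabled", "false").lower() == "true"
    return {
        "bind": bind_values,
        "beyond_loopback": beyond_loopback,
        "auth_enabled": auth_enabled,
        "exposed_without_auth": beyond_loopback and not auth_enabled,
    }


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_exposure(cfg))
```

The check answers the same question Shodan answered for the researchers, but from the inside: a non-loopback bind with nothing in front of the listener is what turns a search cluster into a public data set.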
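For item 5, the advisory's "lack of proper validation of user-supplied input in SQL queries" is the classic injection pattern, so here is an added example (not Cisco's code, and nothing to do with PLM's real schema) showing the unsafe query beside the parameterized one. The `licenses` table and its rows are a constructed stand-in; the point is that the same input leaks or modifies every row through the string-built query and is just a harmless value to the bound one.

```python
import sqlite3

# Added example (not Cisco's code): the unsafe way the advisory describes
# (user input pasted into SQL text) beside the parameterized way.
# The table and rows are a constructed stand-in for a license database.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE licenses (id INTEGER PRIMARY KEY, product TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO licenses (product, owner) VALUES (?, ?)",
        [("callmgr", "alice"), ("unity", "bob"), ("callmgr", "carol")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    # Unsafe: the caller's string becomes part of the SQL grammar, so a quote in
    # the input ends the literal early and whatever follows is parsed as SQL.
    sql = "SELECT product FROM licenses WHERE owner = '%s' ORDER BY id" % owner
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, owner):
    # Safe: the driver binds the value; it is never parsed as SQL, so quotes or
    # keywords inside it are only characters to compare against.
    rows = conn.execute("SELECT product FROM licenses WHERE owner = ? ORDER BY id", (owner,))
    return [row[0] for row in rows]


def rename_owner_vulnerable(conn, license_id, new_owner):
    # Unsafe: a WHERE clause built from input can be widened to every row,
    # which is the "modify arbitrary data" outcome the advisory warns about.
    sql = "UPDATE licenses SET owner = '%s' WHERE id = %s" % (new_owner, license_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows actually modified


def rename_owner_parameterized(conn, license_id, new_owner):
    # Safe: the id is compared as a single bound value; a string such as
    # "1 OR 1=1" matches nothing because no row has that id.
    cur = conn.execute("UPDATE licenses SET owner = ? WHERE id = ?", (new_owner, license_id))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input: closes the quoted literal, adds a tautology
    print("vulnerable lookup   :", lookup_vulnerable(db, probe))      # every product leaks
    print("parameterized lookup:", lookup_parameterized(db, probe))   # nothing matches
    print("rows changed, widened UPDATE:", rename_owner_vulnerable(db, "1 OR 1=1", "eve"))
    print("rows changed, bound id      :", rename_owner_parameterized(db, "1 OR 1=1", "eve"))
```

The fix is not input filtering but keeping data out of the query text entirely; the parameterized functions need no knowledge of what a "malicious" value looks like.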

    Expert Commentary: Jason Wood, Paladin Security

    ‘Iceman’ hacker charged with running drone-smuggling ring from jail

    I really enjoyed reading this article on the Naked Security blog about how Max Vision, formerly Max Butler of CardersMarket fame, ran a smuggling operation from inside prison! Vision is serving a 13-year sentence for wire fraud in 2010. In that operation, Vision sold stolen credit card numbers on CardersMarket that resulted in $86.4 million in fraud. Because he was arrested in 2007, Vision’s sentence for those crimes is just about up. He is currently scheduled for release in 2019. Except now he is facing additional charges for his smuggling operation in prison. Oops.

    According to the charges, Vision got hold of a cell phone that was smuggled into prison. He used this phone to go back to something he knew well: getting stolen debit card numbers. The stolen cards were used to purchase cash payments to other inmates at the prison via MoneyGram and Western Union. That is certainly one way to boost your popularity in prison. “Don’t mess with that guy. He got me $300 for the commissary.” This went on for about a year and involved 5 inmates.

    After a while, one of the involved inmates, Jason Tidwell, was released from prison. Vision and Tidwell kept in touch and came up with the idea of expanding their smuggling operation by using a drone to drop contraband off. Apparently Amazon isn’t the only one who thought drone delivery was a good plan. The first attempt at delivery failed, but they upgraded their pilot and successfully dropped off cell phones, tobacco, and drugs. Not too surprisingly, the secret started leaking out. Snitching in prison is part of prison life and this was no exception. The contraband was never found, but a prisoner confessed to picking it up. His confession pointed to Vision as the leader of the operation. If found guilty, Vision will have an extended stay in prison beyond his scheduled release for next year.

    Smuggling in prison has a long tradition, so this really just represents a new evolution in how banned items find their way behind bars. That no one noticed a drone flying over the fence kind of boggles my mind. They aren’t terribly quiet. The FAA established no-fly zones for drones around prisons in June 2018. This of course will not stop the idea of drone delivery to your prison yard. I live within 5 miles of an airport and it is a no-fly zone without approval from the tower. I can attest to the number of drones in the air, and from talking with the pilots, they had no idea they were supposed to get approval. And honestly, if you are breaking the law by smuggling into prison, do you care about a no-fly zone?

    Most of the public likely sees prison as a place where offenders are completely isolated from the world. This hasn’t actually been the case, but technology has increased the reach that inmates have to continue committing crime. The prisons are heavily focused on physical security, but don’t appear to be ready to handle technology crimes. This is an area where they will continue to struggle. The prisoners are innovative and willing to take risks to improve what they can of their life while incarcerated. Expect to see more stories like this, where inmates take advantage of technology to commit additional crimes. All they need is a hidden cell phone to make it happen.


