HNNEpisode203

From Paul's Security Weekly
Jump to: navigation, search

Recorded January 15, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Annoucements:

    • RSA Conference 2019 is the place to be for the latest in cybersecurity data, innovation and thought leadership. From March 4 – 8, San Francisco will come alive with cybersecurity’s brightest minds as they gather together to discuss the industry’s newest developments. Go to rsaconference.com/securityweekly-us19 to register now using the discount code 5U9SWFD to receive $100 off a full conference pass!
    • If you are interested in quality over quantity and having meaningful conversations instead of just a badge scan, join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass.
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

    Security News

    1. Critical Flaw in Cisco's Email Security Appliance Enables 'Permanent DoS' - Infinant loop for the win, or loss, depending on your perspective: Once these S/MIME features receive this unintended input, it causes the system to crash: “If decryption and verification or public-key harvesting is configured, the filtering process could crash due to memory corruption and restart, resulting in a DoS condition,” said Cisco. Making matters worse, the software would then attempt to resume processing the same S/MIME-signed email, causing the filtering process to crash and restart again. “A successful exploit could allow the attacker to cause a permanent DoS condition,” said Cisco. This vulnerability may require manual intervention to recover the email security appliance.
    2. U.S. Government Shutdown Leaves Dozens of .Gov Websites Vulnerable - As the U.S. federal shutdown continues, dozens of U.S. government websites have been rendered either insecure or inaccessible due to expired transport layer security (TLS) certificates that have not been renewed. In fact, .gov websites are using more than 80 TLS certificates that have expired, according to a new Thursday report by Netcraft. That’s because funding for renewals has been paused. That opens the impacted sites to an array of cyber-attacks; most notably, man-in the-middle attacks
    3. The FCC and Call Authentication - This is interesting: Specifically, the FCC is pushing telecommunication companies to adopt call authentication to verify the caller ID reading. Ajit Pai, the FCC Chairman, is determined to have telecommunication companies adopt “robust call authentication” to combat illegitimate caller ID spoofing. The FCC hopes to have the call authentication framework in production in 2019. What is the Authentication Method? “Robust call authentication” uses two frameworks to verify the caller ID. The two frameworks are Secure Handling of asserted information using toKENs (SHAKEN) and Secure Telephony Identity Revisited (STIR). The process to verify a caller ID uses certificates to verify that the caller ID wasn’t manipulated to look like an authorized number.
    4. Firefox 69 to Disable Adobe Flash by Default - “We are now scheduled to completely disable Flash in Firefox 69 which moves to the Stable release on August 3rd,” Mozilla notes on the browser’s roadmap page. In July 2017, Adobe announced plans to completely kill Flash and stop providing security updates for it by the end of 2020...“When Adobe stops shipping security updates for Flash at the end of 2020, Firefox will refuse to load the plugin,” Mozilla notes on the Firefox plugins roadmap. If you use Google Chrome, this is the official statement from Google: Important note: Adobe has announced the deprecation of Flash Player for December, 2020 and will be turned off by default in Chrome in July, 2019. We strongly encourage customers to migrate to alternative solutions. Reference
    5. Unpatched vCard Flaw Could Let Attackers Hack Your Windows PCs - According to the researcher, a remote attacker can maliciously craft a VCard file in a way that the contact's website URL stored within the file points to a local executable file, which can be sent within a zipped file via an email or delivered separately via drive-by-download techniques. As shown in the video demonstration, if a victim clicks that website URL, the Windows operating system would run the malicious executable without displaying any warning, instead of opening the web address on the browser...the vulnerability was reported to the Microsoft security team through Trend Micro's Zero Day Initiative (ZDI) Program over 6 months ago, which the tech giant has refused to patch, at least for now.
    6. 36-Year-Old SCP Clients' Implementation Flaws Discovered - In other terms, SCP, which dates back to 1983, is a secure version of RCP that uses authentication and encryption of SSH protocol to transfer files between a server and a client. Discovered by Harry Sintonen, one of F-Secure's Senior Security Consultants, the vulnerabilities exist due to poor validations performed by the SCP clients, which can be abused by malicious servers or man-in-the-middle (MiTM) attackers to drop or overwrite arbitrary files on the client's system...CVE-2018-20685 was patched in OpenSSH's implementation of the SCP protocol in November, though the fix has not been formally released by the vendor yet. The rest three vulnerabilities remain unpatched in version 7.9, the latest version released in October.
    7. Tesla's software bug bounty is going to the big leagues with Pwn2Own - Most car manufacturers would dread the idea of someone hacking one of their vehicles, but Tesla has decided to go the other way and open up its software to a hacking contest called Pwn2Own in Vancouver. The winner will take home a Model 3...Tesla's involvement in Pwn2Own is just the latest escalation of its bug-seeking behavior. In 2018 the company altered its warranty policy to state that as long as security exploits are found and reported within the limits outlined by the bug bounty program, the user's warranty will remain intact.
    8. Yes, you can remotely hack ... building site cranes. Wait, what? - The sensationalism surrounding IoT security, or lack thereof, is unprecedented: Available attack vectors for mischief-makers include the ability to inject commands, malicious re-pairing and even the ability to create one's own custom havoc-wreaking commands to remotely controlled equipment."Our findings show that current industrial remote controllers are less secure than garage door openers," said Trend Micro in its report - "A security analysis of radio remote controllers" - published today. We get it, IoT systems that control a wide variety of things, from hot tubs to cranes, are lacking security. Can we fix this already so we don't have to keep talking about it? Because, well, I'm tired of covering, k, thx, bye.

    Expert Commentary:

    10 years for Boston Children’s Hospital attacker

    This article describes a very risky decision on someone’s part that could have harmed the health of a lot of patients at Boston Children’s Hospital. First, let’s start with some background on what happened. Back in February 2013, a 15-year-old girl named Justina was taken away from her parents because BCH decided her parents were abusing her. She was a ward of the state for over a year when hacktivists decided to protester her situation in April 2014. Their activity primarily involved DDOS attacks. One individual, Martin Gottesfeld, deployed malware to 40,000(!) routers which then connected back to his house. His actions resulted in BCH not having access to the internet and impacted other hospitals in the area. Gottesfeld was just sentenced to 10 years in prison and plans to appeal.

    I’m not going to get into whether Justina being removed from her parents’ custody was appropriate or not, nor do I want to dig into Gottesfeld’s motivations for his activity. If you want to read up on it, you can check out the link in the show notes. What I do want to comment on is that in several ways Gottesfeld is lucky that prosecutors didn’t (or weren’t) able to prove harm to other patients. His could have been much worse had they done so. Particularly since he represented himself and made comments such as, "My only regret is that I didn’t get to Justina sooner. I wish I had done more."

    As we’ve discussed in many different episodes of HNN and Security Weekly, hospitals have become highly involved in using technology for patient care. Some of this is for effectiveness, some for cost control, and some because of regulations. A number of medical facilities use cloud-based services as well. They need internet access to function. When medical record systems go offline or become unavailable, doctors are unable to get the status and history of patients. They can’t see what was prescribed or allergies to medications. The doctors may even be unfamiliar with paper records and reading them, if they exist. The pharmacies in hospitals frequently can’t fill prescriptions without these systems. Pain medications and other highly regulated meds are usually controlled by computerized dispensers. Even if the pharmacist is staring at the valid, written prescription, they can’t fill it if the computer isn’t working. The bottom line is that without these systems working, things can get serious very fast for patients.

    Leaving out whether or not we feel that Gottesfeld’s actions were justified due to his view of Justina’s custody, his actions could have and likely did impact patient care. Is protesting the legal situation of an individual worth jeopardizing the health of uninvolved patients? In my view, the answer is an emphatic no. There are other ways to protest situations like this without taking a hospital offline. Activists and hacktivists don’t have to pose a threat to others health to raise awareness about a potential abuse. If you or anyone you know is contemplating attacking a medical facility in response to a situation like this, be aware what the impact of these actions are. It goes far beyond someone not being able to have an elective procedure done and can hurt sick or injured people.



    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+