HNNEpisode215

From Paul's Security Weekly
Jump to: navigation, search

Recorded April 23, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Annoucements:

    • Register for our upcoming webcasts by going to securityweekly.com/webcasts . If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand. Also, you can now submit your suggestions for guests in our recently released guest suggestion form! Go to securityweekly.com/guests and enter your suggestions!
    • The Layer 8 Conference has two tracks of talks on social engineering and Open Source Intelligence gathering. The conference is the only one of its kind and will be on Saturday, June 8th in Providence, Rhode Island. Check out the Mental Health Hackers village, the TOOOL lockpick village, the CTF with Trace Labs, all at layer8conference.com

    Security News

    1. Weather Channel Knocked Off-Air in Dangerous Precedent - On Thursday, The Weather Channel – a trusted cable network source of meteorological data across the U.S. – was knocked off the air by what it said was a “malicious software attack” on its network. The Weather Channel hack – not to be confused with the Weather Channel’s own hacks – affected its live broadcast for about 90 minutes between 6 and 7:30 a.m., during which canned content was aired. The network resumed broadcasting from backup locations at that point. Joseph Carson, chief security scientist at Thycotic, via email. “It will be interesting to see if this attack is related to the most recent string of malicious malware impacting other global organizations such as the LockerGoga ransomware that impacted Norsk Hydro several weeks ago, causing more than over $40 million in damages so far. And still several systems are under manual control, a week following the incident.”
    2. Bad bots now make up 20 percent of web traffic - Bots, in general, are estimated to make up roughly 37.9 percent of all Internet traffic. In 2018, one in five website requests -- 20.4 percent -- of traffic was generated by bad bots alone. According to Distil Networks' latest bot report, "Bad Bot Report 2019: The Bot Arms Race Continues," the financial sector is the main target for such activity, followed by ticketing, the education sector, government websites, and gambling. The most interesting part is how the attacker are attempting to use, albeit lame, AI: A total of 73.6 percent of bad bots are classified as Advanced Persistent Bots (APBs), which are able to cycle through random IP addresses, switch their digital identities, and mimic human behavior. An example of this is mouse mimicry, in which the bot is able to simulate mouse events a genuine visitor may perform on a website domain. These tactics are used to try and appear as a legitimate user for the purposes of ad fraud, as well as brute-force attacks against online accounts, competitive data mining, transaction fraud, spam, and phishing campaigns.
    3. Internet Explorer zero-day lets hackers steal files from Windows PCs - Internet Explorer is dying, just like Flash: A security researcher has published today details and proof-of-concept code for an Internet Explorer zero-day that can allow hackers to steal files from Windows systems. The vulnerability resides in the way Internet Explorer processes MHT files. MHT stands for MHTML Web Archive and is the default standard in which all IE browsers save web pages when a user hits the CTRL+S (Save web page) command.
    4. Two-Year-Old DNS Hijacking Campaign Targeted 40 Firms Globally - Not Hijacked on the network, but using Phishing to gain access to your registrar: The phishing emails were aimed at registrants and used to gain their credentials. From there, the bad actors could access an organization’s DNS records with the registrant’s credentials or by exploiting known vulnerabilities – including a PHP code injection flaw in phpMyAdmin (CVE-2009-1151), a remote code exploit for Cisco integrated service router 2811 (CVE-2017-6736) and the infamous “Drupalgeddon” remote code execution Drupal glitch (CVE-2018-7600).
    5. Ransomware ravages municipalities nationwide this week - Augusta, Maine; Imperial County, Calif.; Stuart, Fla.; and Greenville, N.C. were all in different stages of recovering from ransomware attacks over the last seven days. Augusta City Center operations were shuttered after being hit with malware on April 18, according to the Sun-Journal. The city’s IT department did not say ransomware was to blame, but the description of what took place has all the hallmarks of a ransomware attack. The city said the malware gained entry into its network in an unknown fashion and then methodically locked up endpoints and servers. The attack has affected the police dispatch system, the municipal financial systems, billing, automobile excise tax records, assessor’s records and general assistance.
    6. A flaw in Shopify API flaw exposed revenue and traffic data of thousands of stores - API security is very poor in so many applications: The white hat hacker analyzed the APIs published over the past year by Shopify that allow users to fetch sales data for graph presentations. He noticed that the system was leaking the revenue data of two unnamed Shopify stores, one of which had been removed from the platform. The researcher carried out a mass check on all the existing stores to determine if the platform was affected by a Direct Object Reference (IDOR) issue iterating over $storeName.
    7. jQuery JavaScript library flaw opens the doors for attacks on hundreds of millions of websites - The vulnerability in the jQuery library (CVE-2019-11358) was discovered by researchers at Snyk that also published a proof of concept code for a prototype pollution attack. “This security vulnerability referred to and manifests as prototype pollution, enables attackers to overwrite a JavaScript application object prototype.” reads the analysis published by Snyk. “When that happens, properties that are controlled by the attacker can be injected into objects and then either lead to denial of service by triggering JavaScript exceptions, or tamper with the application source code to force the code path that the attacker injects.
    8. Attackers are weaponizing more vulnerabilities than ever before - Some actionable results to review: Over the research period, the Acrobat Reader family of products contained the most vulnerabilities (1,338). In 2015, the year the Acrobat DC product was introduced, 137 vulnerabilities were reported. I recommend removing this software from all of your systems, there are plenty of alternatives. Also: Despite a 31% decrease in vulnerabilities compared to the high reached in 2016, last year had the most weaponized vulnerabilities ever (177), which represents a 139% increase compared to 2017 (74). This means, get patching faster! Easier said than done as we know.

    Expert Commentary: Itai Tevet, Intezer

    Itai Tevet
    is the CEO of Intezer.
    Itai carries out Intezer’s vision of improving organizations’ security operations and accelerating their incident response. Tevet previously served as the Head of the Israeli Defense Force’s cyber incident response team (IDF CERT), combining technical expertise and leadership experience to mitigate state-sponsored cyber threats. During this time, Itai led an elite group of cybersecurity professionals in digital forensics, malware analysis, incident response, and reverse engineering.


    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+