HNNEpisode218

From Paul's Security Weekly

Recorded May 14, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Announcements:

    • Register for our upcoming webcasts with Kaseya, SaltStack, and DomainTools, by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand. Also, you can now submit your suggestions for guests in our recently released guest suggestion form! Go to securityweekly.com/guests and enter your suggestions!

    Security News

    1. Hacking the Unhackable eyeDisk USB stick - eyeDisk is a USB stick that uses iris recognition to unlock the drive. It is advertised as the “Unhackable USB Flash Drive,” but it could instead reveal the device’s password in plain text. Lodge used the Wireshark USBPcap function to sniff packets from the USB device in real time and discovered that the device used Command Descriptor Blocks (CDB) to send commands to and from the device. The traffic generated while he was unlocking the device included a string containing his password.
    2. Expert discovered how to brick all Samsung mobile phones - Basically the researcher creates a loop on the phone that continually locks containers, making the phone unusable: “In this Proof Of Concept (POC), I send these 2 intents every second. Moreover, after opening this app the 1st time, the app icon will disappear. As a consequence, the device will be inoperable due to this local DoS. Every time the victim will open the SecureFolder app, the container will be locked and every time he will try to use his phone, the phone will come back directly to the first page of the launcher.”
    3. Twitter accidentally shares user location data with advertising... - Twitter Inc said on Monday it may have accidentally collected and shared location data of some users accessing its app through Apple devices with an advertising partner. In a blog post, the social media platform said the information collected was not retained and only existed in its systems for a short time, and that it has informed the people whose accounts were impacted to let them know the bug has been fixed. The advertising partner did not receive data such as the user’s Twitter handle or other unique account IDs that could have compromised identity, the company said.
    4. Cybersecurity skills shortage still the root cause of rising security incidents - Help Net Security - I agree with these statements: “Organizations are looking at the cybersecurity skills crisis in the wrong way: it is a business, not a technical, issue. Business executives need to acknowledge that they have a key role to play in addressing this problem by investing in their people.” “In an environment of a ‘sellers market’ with 77 percent of cybersecurity professionals solicited at least once per month, the research shows in order to retain and grow cybersecurity professionals at all levels, business leaders need to get involved by building a culture of support for security and value the function,” said Candy Alexander, CISSP CISM, Executive Cybersecurity Consultant and ISSA International President. I do not believe the skills shortage causes security incidents; there is no evidence to suggest this in the study!
    5. Hackers Used WhatsApp 0-Day Flaw to Secretly Install Spyware On Phones - According to an advisory published by Facebook, a buffer overflow vulnerability in WhatsApp VOIP stack allows remote attackers to execute arbitrary code on target phones by sending a specially crafted series of SRTCP packets. Apparently, the vulnerability, identified as CVE-2019-3568, can successfully be exploited to install the spyware and steal data from a targeted Android phone or iPhone by merely placing a WhatsApp call, even when the call is not answered. Also, the victim would not be able to find out about the intrusion afterward as the spyware erases the incoming call information from the logs to operate stealthily.
    6. Flaw Affecting Millions of Cisco Devices Let Attackers Implant Persistent Backdoor - Dubbed Thrangrycat or 😾😾😾, the vulnerability, discovered by researchers from the security firm Red Balloon and identified as CVE-2019-1649, affects multiple Cisco products that support Trust Anchor module (TAm). Trust Anchor module (TAm) is a hardware-based Secure Boot functionality implemented in almost all of Cisco's enterprise devices since 2013 that ensures the firmware running on hardware platforms is authentic and unmodified. However, researchers found a series of hardware design flaws that could allow an authenticated attacker to make a persistent modification to the Trust Anchor module via FPGA bitstream modification and load a malicious bootloader.
    7. Remote Code Execution Vulnerability Impacts SQLite | SecurityWeek.Com - Tracked as CVE-2019-5018 and featuring a CVSS score of 8.1, the vulnerability resides in the window function functionality of Sqlite3 3.26.0 and 3.27.0. To trigger the flaw, an attacker would need to send a specially crafted SQL command to the victim, which could allow them to execute code remotely. The popular SQLite library, a client-side database management system, is widely used in mobile devices, browsers, hardware devices, and user applications, Cisco Talos notes.
    8. Linux Kernel Flaw Allows Remote Code-Execution - Kernel versions prior to 5.0.8 are affected by the vulnerability (CVE-2019-11815), which exists in the rds_tcp_kill_sock in net/rds/tcp.c. “There is a race condition leading to a use-after-free [UAF],” according to the CVE description. Linux issued a new kernel version on April 17, but the bug itself wasn’t widely reported; now, distributions like Debian, Red Hat, SUSE and Ubuntu have issued updates in the last week. Neat: attackers could exploit the bug by sending specially created TCP packets remotely, to trigger a UAF situation related to net namespace cleanup, the advisory details. UAF is a class of memory corruption flaw that can lead to system crashes and the ability for an attacker to execute arbitrary code.

    Expert Commentary: WebAuthn (Web Authentication API) - Marcin Szary, Secfense

    Marcin Szary is the CTO at Secfense.
    Experienced (16 years) tech professional with a focus on the security and identity management space. Previously a CTO of multiple startups in the mobile, telecom and security space. He was responsible for R&D operations in the areas of multi-factor authentication, mobile payments, notification services within GSM networks and more. As a contractor he conducted multiple projects on virtualization, storage architecture and data security for enterprise clients within the telecom, banking and public sectors. Currently the CTO of Secfense, the company that streamlines the adoption of two-factor authentication and other account-takeover prevention techniques into complex environments.



    Here's a little intro on the topic: https://webauthn.guide/#about-webauthn

    - A real promise to replace passwords in the near future
    - A bridging standard for Windows Hello
    - A bridging standard for U2F (Universal 2nd Factor) - the only 2FA that can actually STOP phishing-based account takeover attacks as they happen
    - Amazing user experience (finally :)
    - Privacy oriented - a single authenticator (key, fingerprint, etc.) used with many apps without a way to link the identities generated by it + no way for the apps to use the authenticator without the user's consent
    - It's already built into most modern browsers and OSes (https://caniuse.com/#search=webauthn)
    - Built on good ol' crypto primitives (PKI/ECC), but this time digestible by the mass consumer.
    - Non-proprietary open standard backed by the big guys (https://fidoalliance.org/members/)
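
    An added example (not from the episode notes or from Secfense) of why the anti-phishing point above holds: the browser writes the calling page's origin into clientDataJSON, which the authenticator's signature covers, so a relying party that checks it rejects an assertion collected on a look-alike site. The origins, challenge bytes and function names are assumptions made up for this example, and signature verification is not shown.

```javascript
// Relying-party checks on WebAuthn clientDataJSON (added example; signature check not shown).
// EXPECTED_ORIGIN and all sample values below are constructed for illustration.
const EXPECTED_ORIGIN = 'https://login.example.com';

// base64url without padding, the encoding WebAuthn uses for the challenge field.
function b64url(bytes) {
  return Buffer.from(bytes).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// raw: clientDataJSON bytes received from the browser.
// issuedChallenge: the random bytes the server stored for this login attempt.
// Returns { ok, reason } so the caller can log why an assertion was refused.
function verifyClientData(raw, issuedChallenge, expectedType = 'webauthn.get') {
  let data;
  try {
    data = JSON.parse(Buffer.from(raw).toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed clientDataJSON' };
  }
  if (data === null || typeof data !== 'object') {
    return { ok: false, reason: 'malformed clientDataJSON' };
  }
  if (data.type !== expectedType) return { ok: false, reason: 'wrong ceremony type' };
  // A fresh per-login challenge stops replay of a previously captured assertion.
  if (data.challenge !== b64url(issuedChallenge)) {
    return { ok: false, reason: 'challenge mismatch' };
  }
  // The browser, not the page script, fills in origin, so a phishing page
  // relaying the real challenge still reports its own origin here.
  if (data.origin !== EXPECTED_ORIGIN) return { ok: false, reason: 'origin mismatch' };
  return { ok: true, reason: 'client data accepted' };
}

// Constructed stand-in for what a browser emits when the ceremony runs on `origin`.
function sampleClientData(origin, challenge, type = 'webauthn.get') {
  return Buffer.from(JSON.stringify({ type, challenge: b64url(challenge), origin }));
}

const challenge = Uint8Array.from([0xfb, 0xff, 0x10, 0x20, 0x30, 0x40, 0x50, 0x60]);
const staleChallenge = Uint8Array.from([1, 2, 3, 4, 5, 6, 7, 8]);

for (const [label, raw] of [
  ['genuine site', sampleClientData(EXPECTED_ORIGIN, challenge)],
  ['look-alike site relaying the challenge', sampleClientData('https://login.example.net', challenge)],
  ['replayed old assertion', sampleClientData(EXPECTED_ORIGIN, staleChallenge)],
]) {
  console.log(label, '->', verifyClientData(raw, challenge).reason);
}
```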
