HNNEpisode228

From Paul's Security Weekly

Recorded July 23, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
    Announcements:

    • Register for our upcoming webcasts with ISC2 by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand. Also, you can now submit your suggestions for guests in our recently released guest suggestion form! Go to securityweekly.com/guests and enter your suggestions!

    Security News

    1. Bug in NVIDIA's Tegra Chipset Opens Door to Malicious Code Execution - 'The warning comes from researcher Triszka Balázs, who discovered the flaw and asserts that the bug “affects every single Tegra device released so far.” He also created a proof-of-concept (PoC), called Selfblow, to exploit the vulnerability. On Thursday, NVIDIA released a patch for the bug (CVE‑2019‑5680) via a security bulletin. The vulnerability is more specifically found in the Tegra system-on-a-chip (SoC) framework called Jetson TX1 L4T, used in devices that require low power consumption such as drones and IoT gear. It’s unclear how many chips utilize the vulnerable framework. However, the researcher said his PoC can flash (or reprogram) Tegra chips to run Jetson TX1, significantly enlarging the range of vulnerable devices.
    2. Experts found critical RCE in Palo Alto Networks GlobalProtect - According to experts at Tenable that analyzed the CVE-2019-1579 flaw, the issue exists because the gateway doesn’t sanitize the value of a particular parameter passed to snprintf. “More specifically, the vulnerability exists because the gateway passes the value of a particular parameter to snprintf in an unsanitized, and exploitable, fashion. An unauthenticated attacker could exploit the vulnerability by sending a specially crafted request to a vulnerable SSL VPN target in order to remotely execute code on the system,” reads the analysis published by Tenable. Orange Tsai and Meh Chang reported the flaw to Palo Alto Networks; the company acknowledged the flaw but informed them that its experts had already discovered the vulnerability and released a patch. Patches are available!
    3. Hackers Publish List of Phished Discord Credentials - Change your password if you think you've been phished. Earlier this week a group of hackers published a list of email addresses and passwords they say they phished from users of gaming chat platform Discord. The list is small, totalling in at only around 2,500 logins, but the news still acts as a reminder that Discord users need to remain vigilant for phishing. "This was no virus, worm or malware of any sort—it was simple old phishing site that utilized Discord's own moronic API to hijack these accounts," the hackers wrote in a message on their website.
    4. Cyberthreats targeting municipalities are on the rise - Help Net Security - The report, based on global data compiled by AppRiver’s cybersecurity analyst team, delves into what is being considered a record year for disruptive attacks that appear to be affecting municipalities at an alarming rate. In 2018, AppRiver analysts stated that they “expect to see more disruptive cyberattack events committed by nation states that masquerade as financially motivated attacks.” According to the report, it is still up for debate as to who or why these attacks are being launched against local governments, but they could have widespread effects beyond financial damage. For example, malware has the potential to disrupt infrastructure, spread fear and doubt, or otherwise cause discomfort for citizens dependent on city services.
    5. Several Vulnerabilities Found in Comodo Antivirus - David Wells, a researcher at Tenable, uncovered five types of flaws in Comodo Antivirus and Comodo Antivirus Advanced. Four of the issues were identified in version 12.0.0.6810 and one denial-of-service (DoS) bug only impacts version 11.0.0.6582. The most serious of the vulnerabilities, with a CVSS score of 6.8, is CVE-2019-3969, which allows an attacker with access to the targeted system to escape the Comodo Antivirus sandbox and escalate privileges to SYSTEM.
    6. Equifax to Pay up to $700 Million in 2017 Data Breach Settlement - Equifax, one of the three largest credit-reporting firms in the United States, has to pay up to $700 million in fines to settle a series of state and federal investigations into the massive 2017 data breach that exposed the personal and financial data of nearly 150 million Americans—that's almost half the country. According to an official announcement by the U.S. Federal Trade Commission (FTC) today, Equifax has agreed to pay at least $575 million in fines, but this penalty could rise to up to $700 million depending on the amount of compensation people claim.
    7. Mozilla to add password manager, hack alert to Firefox 70 - According to Firefox bug reports and project documentation, Lockwise will automatically record username-and-password pairs, generate complex passwords on demand, identify victimized accounts and instruct users to change any passwords that have leaked. While the Lockwise-Monitor combination in Firefox Nightly was free for the using, users shouldn't be surprised if Mozilla puts the pairing - or an even more feature-filled version - behind a paywall. Mozilla has made no secret of its desire to boost revenue by selling subscriptions of some sort, probably to individual or a suite of services, that amplify the browser. Security cannot be the only thing that gets people to switch to Firefox; why not just pay for LastPass then?
    8. ProFTPD Vulnerability Can Expose Servers to Attacks | SecurityWeek.Com - At first glance I thought this was a throwback to the old school days of RCEs in FTP servers, but this description made me think differently: “Attacks could be made (for example) on Open Source mirror servers,” the researcher explained. “These have anonymous access enabled, often use ProFTPd and host a lot of binary files. A malicious actor would need to get his malicious file to this machine somehow (for example by distributing it at some unrelated project which is also mirrored on this server) and can then override any file on the mirror server with this (infected) version. This could be used to swap out .iso files or .exe installers where no strict validations (like GPG signatures on apt repositories) are in place.”
    9. VLC Player Has Critical RCE Flaw With No Patch Available - “A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files,” according to a release by German security agency CERT-Bund posted over the weekend. CERT-Bund discovered the vulnerability. According to NIST, the bug ranks 9.8 out of 10 on the CVSS 3.0 scale, making it critical severity. Despite the level of severity, no patch is currently available for the vulnerability. VideoLAN did not respond to a request for comment from Threatpost. According to VideoLAN, current work is being done to create a patch, which is about 60 percent complete. That said, no exploitation of the vulnerability has been observed yet, according to CERT-Bund.
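    As an added illustration of the bug class Tenable describes in item 2 (this is not GlobalProtect's code or Tenable's analysis code): a hypothetical C request handler that hands an untrusted parameter to snprintf as the format string, beside the fixed form that passes it as data, plus a small check a reviewer or log scanner can use to flag format directives in input. The names log_param_unsafe, log_param_safe, has_format_directive and LOG_MAX, and the sample input, are assumptions made for the example.

    ```c
    /* Added example; hypothetical handler, not GlobalProtect or Tenable code. */
    #include <stdio.h>
    #include <string.h>

    #define LOG_MAX 128

    /* VULNERABLE (hypothetical): the untrusted value is used as the format
     * string itself, so any '%' directives it contains are interpreted and
     * snprintf reads, or with %n writes, memory the handler never intended
     * to touch. Kept here only for contrast; never call it on real input. */
    int log_param_unsafe(char *out, const char *param)
    {
        return snprintf(out, LOG_MAX, param); /* -Wformat-security flags this */
    }

    /* FIXED: a constant format string; the untrusted value is only data.
     * snprintf returns the length the full output would have had, so the
     * caller can detect truncation by comparing against LOG_MAX. */
    int log_param_safe(char *out, const char *param)
    {
        return snprintf(out, LOG_MAX, "param=%s", param);
    }

    /* Review/detection aid: does a value carry format directives at all?
     * Benign parameter values rarely do, so this is a cheap input check and
     * log-scanning heuristic. A literal "%%" is just a percent sign. */
    int has_format_directive(const char *s)
    {
        for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p, '%')) {
            if (p[1] == '%') { p += 2; continue; }
            return 1;
        }
        return 0;
    }

    int main(void)
    {
        char line[LOG_MAX];
        const char *sample = "id=%s%n";   /* constructed sample input */
        log_param_safe(line, sample);
        printf("%s (directive present: %d)\n", line, has_format_directive(sample));
        return 0;
    }
    ```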


    Expert Commentary:

    Corporate Mobile Security Isn’t Cutting It

    I found this article on the RSA Conference web site today and I thought it brought up some interesting points to discuss. It was written by Robert Ackerman and he takes the position that mobile security is being neglected by companies. One of the sources of information he cites is the Mobile Security Index Report for 2019. This seemed relevant to me because I’ve worked on assessments where the companies are either neglecting mobile security completely or are trying to do quite a bit to protect themselves. Let’s take a look at Mr. Ackerman’s article.

    First off, he cites the Verizon report’s finding that one in three organizations in a sample 617 companies reported suffering a “breach” due to a mobile device. What the impact of these breaches were is not defined, so this could be a simple security incident that was cleared up somewhat quickly or something far more damaging. Verizon also noted that these breaches tended to occur in companies that “failed to meet a basic level of preparedness.” That is probably no shock at all to any of our listeners.

    Mr. Ackerman goes on to say that when computer security is brought up in organizations, mobile security is one of the last things on peoples’ minds. Instead, they focus on traditional computing systems and perimeter controls, rather than thinking about the devices that leave their perimeter on a regular basis. He also, correctly, brings up the work that is done remotely via these devices. It happens all the time, as employees expect to have work email on their phones. It’s encouraged in most cases, as companies go out of their way to make sure email is available via the web and mobile device makers are quick to integrate with things like Exchange or Gmail.

    Here are some observations that I have about mobile security and attempts to implement controls on these devices. First, no one likes carrying two phones and would rather use their own mobile device. This gets into a grey area of what a company can control on a device and what it cannot. If a security admin is notified that a device with work data on it was lost, they can’t wipe the phone if it’s not the company’s phone, or without some kind of explicit permission. At best, they can wipe the company data on it, and only if they have taken steps to have even that level of control. BYOD rules the roost in the mobile device world.

    Second, there are a number of software solutions out there that offer mobile device management. They help isolate company data from the rest of the device and can make some security controls required on the devices. Additionally, you can wipe the company data off the device and leave the rest of the phone intact. This helps dodge the issue of wiping an entire phone that your company doesn’t actually own. There are some caveats on these software solutions though, and most of them go back to the manufacturers of the devices. These manufacturers, Apple especially, put some serious effort into isolating apps from each other and limiting what an app has access to. MDM solutions will not be like traditional AV or newer endpoint solutions that can hook into the kernel of the OS. Their access is very limited and they may not even be actively running all the time. Be prepared for this.

    MDM systems do a fairly good job at isolating company data from being improperly copied out of the container set up on the devices if configured properly. The vendors do make some impressive claims about what they can do. I've found through testing that some of these claims don't exactly mean what you think they mean. So do testing and ask pointed questions about what they mean on specific features. Don't let the vendor give a non-answer to you. Still, the ones I've tested do a pretty good job providing a good foundation to build upon.

    I agree with Mr. Ackerman that far too many companies aren’t doing enough to protect their data on these devices. Organizations need to be prepared to respond to things like lost or stolen phones. They need to be able to remove their data from them if necessary. It’s not enough to simply enable mobile device sync to your productivity software and decide to figure out what to do later if something goes wrong. A little preparation can go a long way. Just be prepared to spend some significant time in implementing things like Mobile Device Management and be ready to answer some tough questions from employees about what you will be able to do to their mobile device.


    One in three organizations suffered data breaches due to mobile devices

    Verizon Mobile Security Index Report 2019

