HNNEpisode230

From Paul's Security Weekly

Recorded August 20, 2019 at G-Unit Studios in Rhode Island!

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will be receiving 1 CPE credit per webcast! Register for one of our upcoming webcasts with Zane Lackey of Signal Sciences or Ian McShane from Endgame (or both!) by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand

    Security News

    1. 61 impacted versions of Apache Struts left off security advisories - Security researchers have reviewed security advisories for Apache Struts and found that two dozen of them inaccurately listed affected versions for the open-source development framework. The advisories have since been updated to reflect vulnerabilities in an additional 61 unique versions of Struts that were affected by at least one previously disclosed vulnerability but left off the security advisories for those vulnerabilities. The extensive analysis was done by the Black Duck Security Research (BDSR) team of Synopsys’ Cybersecurity Research Center (CyRC), which investigated 115 distinct releases for Apache Struts and correlated those releases against 57 existing Apache Struts Security Advisories covering 64 vulnerabilities. Also, some versions were originally identified as vulnerable but were not. What a mess.
    2. VxWorks TCP/IP Stack Vulnerability Poses Major Manufacturing Risk - The report points out that VxWorks is embedded in more than 2 billion devices. Shalom Bublil, co-founder and chief risk officer at Kovrr, says the pervasiveness of VxWorks was eye-opening...According to the report, Kovrr took into account the specifics of company attributes and multiplied that score by the number of VxWorks instances on the ground at the company’s facilities. In the example of a theoretical automobile manufacturer, the result is a financial risk of $7,295,000,000. Using the same formula applied to a larger set of industrial companies, Kovrr calculates a total financial risk of nearly $19 billion. Interesting math and speculation, however, it doesn't appear to take into account any compensating controls or what data an attacker might gain access to if compromised, which is unique to each company and each device.
    3. Hacker publicly releases Jailbreak for iOS version 12.4 - During the weekend, experts discovered that the latest iOS version (12.4) released in June has reintroduced a security flaw found by a Google Project Zero white hat hacker that was previously fixed in iOS 12.3. The flaw potentially exposes iPhone devices running current and older iOS versions (any 11.x and 12.x below 12.3) to the risk of a hack until 12.4.1 is released. The popular researcher Pwn20wnd, who already developed iPhone jailbreaks in the past, today has published a jailbreak for iOS 12.4. Some users claim the jailbreak works on their iPhones.
    4. Hackers Planted Backdoor in Webmin, Popular Utility for Linux/Unix Servers - Following the public disclosure of a critical zero-day vulnerability in Webmin last week, the project's maintainers today revealed that the flaw was not actually the result of a coding mistake made by the programmers. Instead, it was secretly planted by an unknown hacker who successfully managed to inject a backdoor at some point in its build infrastructure—that surprisingly persisted into various releases of Webmin (1.882 through 1.921) and eventually remained hidden for over a year. The research was presented at Defcon on August 10, and the project maintainers did not know about it until it was public. I believe there are some ethical considerations here, including those by the researcher and perhaps the Defcon conference itself. While difficult to control, perhaps there should be some due diligence surrounding disclosure, and asking whether or not you've even attempted to work with the software maintainers or company to get vulnerabilities fixed before presenting on stage.
    5. The Pwn Star State: Nearly two dozen Texas towns targeted by tiresome ransomware - I just thought the title was really funny, more on this in the expert commentary. And the article image is really funny too.
    6. GitHub Now Scans Commits for Atlassian, Dropbox, Discord Tokens | SecurityWeek.Com - This is great, as I am currently looking into Amazon AWS Secrets Manager: GitHub initially scanned commits for token formats associated with Alibaba Cloud, AWS, Azure, Google, Mailgun, npm, Slack, Stripe and Twilio. The company said on Monday that it has also added Atlassian, Dropbox, Discord, Proctorio and Pulumi to the list of partners. “Now if you accidentally check in a token for products like JIRA or Discord, the provider gets notified about a potential match within seconds of check-in, allowing them to revoke the token before it’s used maliciously,” explained Justin Hutchings, senior product manager at GitHub.
    7. VideoLAN Patches Dozen Vulnerabilities in VLC | SecurityWeek.Com - This makes me not want to use VLC any longer, but what are the alternatives and are they any better than VLC security-wise? Asking for a friend.
    8. Chrome users ignoring warnings to change breached passwords - ... according to Google, only one in four users of its Password Checkup Chrome extension decided to do just that when told the same bad news...[i.e. actually change your password] In month one alone, Google says it scanned 21 million usernames and passwords, flagging 316,000 or 1.5% as having been part of a breach (a stat that excludes trivial passwords such as ‘12345’, which the tool doesn’t warn against to avoid overstating the obvious). There is some good news – 60% of those who changed their potentially compromised passwords chose ones that would be hard to guess.
    9. Announcing the Microsoft Edge Insider Bounty | Microsoft Security Response Center - We welcome researchers to seek out and disclose any high impact vulnerabilities they may find in the next version of Microsoft Edge, based on Chromium, and offer rewards up to US$30,000 for eligible vulnerabilities in Dev and Beta channels. We aim to complement the Chrome Vulnerability Reward Program, so any report that reproduces on the latest version of Microsoft Edge but not Chrome will be reviewed for bounty eligibility based on severity, impact, and report quality. Great, but can someone please work on the performance of Chrome, perhaps flaws in the Chromium framework are what lead to it eating up all of our CPU and Memory! Oh, and fix the security holes too.
    10. Unpatchable security flaw found in popular SoC boards | ZDNet - Unpatchable flaws are bad..."Attackers able to tamper with the boot header in the early stages of the boot procedure can modify its contents to execute arbitrary code, thereby bypassing the security measures offered by the 'encrypt only' mode," said F-Secure's Adam Pilkey. Researchers also found a second bug. While the first was in the boot header parsing performed by the boot ROM, the second bug was in the parsing of partition header tables. This second bug also allowed attackers to run arbitrary code, but unlike the first, this was patchable. However, Xilinx did not release a software fix for this second bug, as attackers could always bypass any patch the company would have released by exploiting the first bug.
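    The token-format scanning described in item 6, approximated as a local check you can run from a pre-commit hook so a credential never reaches the remote at all. This is an added example written for these show notes, not GitHub's implementation or any partner's code. GitHub matches partner-specific formats server-side and notifies the issuing provider; here the same idea runs client-side over a unified diff. The AWS access key ID format (AKIA plus 16 characters) is documented by AWS; the Slack and Stripe patterns and the entropy threshold are assumptions and should be tuned per provider. The sample diff is constructed, and the AWS key in it is the example key from AWS's own documentation, not a live credential.

```python
"""Scan the added lines of a unified diff for provider token formats.

Added example, not GitHub's code. Runs offline over a constructed diff.
"""
import math
import re
from collections import Counter

# Token formats. The AWS access key ID shape is documented by AWS; the Slack
# and Stripe patterns are assumptions based on commonly observed shapes.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s):
    """Bits per character; low values indicate placeholders like AKIAAAAA..."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text, min_entropy=3.0):
    """Return findings for '+' lines only (removed lines are not a new leak).

    Each finding records the new-file path, the line number in the new file,
    the matched pattern name and the matched token. Matches whose entropy is
    below min_entropy are dropped to suppress obvious dummy values.
    """
    findings = []
    current_file = None
    new_lineno = 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].strip()
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        hunk = HUNK_HEADER.match(line)
        if hunk:
            new_lineno = int(hunk.group(1))
            continue
        if line.startswith("-"):
            continue  # covers '--- a/file' headers and removed lines
        if line.startswith("+"):
            content = line[1:]
            for name, pattern in TOKEN_PATTERNS.items():
                for token in pattern.findall(content):
                    if shannon_entropy(token) >= min_entropy:
                        findings.append({"file": current_file, "line": new_lineno,
                                         "type": name, "token": token})
            new_lineno += 1
        elif line.startswith(" "):
            new_lineno += 1  # unchanged context line advances the new-file counter
    return findings


# Constructed sample diff. AKIAIOSFODNN7EXAMPLE is the AWS documentation
# example key; the Slack token is made up; sk_test_... is Stripe's public
# documentation test key and must NOT match the sk_live_ pattern.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
index 1111111..2222222 100644
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,6 @@ DEBUG = False
 REGION = "us-east-1"
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_KEY_PLACEHOLDER = "AKIAAAAAAAAAAAAAAAAA"
+SLACK_BOT_TOKEN = "xoxb-123456789012-ABCdefGHIjklMNOpqrSTUv"
+STRIPE_KEY = "sk_test_4eC39HqLyjWDarjtT1zdp7dc"
 TIMEOUT = 30
"""


def report(diff_text):
    """Return exit status and human-readable lines, as a pre-commit hook would."""
    findings = scan_diff(diff_text)
    lines = [f"{f['file']}:{f['line']}: possible {f['type']} ({f['token'][:8]}...)"
             for f in findings]
    return (1 if findings else 0), lines


if __name__ == "__main__":
    # In a real hook: diff_text = subprocess.run(["git", "diff", "--cached"], ...).stdout
    status, lines = report(SAMPLE_DIFF)
    print("\n".join(lines) or "no tokens found")
    raise SystemExit(status)
```

    The placeholder on line 12 of the sample matches the AWS regex but is dropped by the entropy filter, and the Stripe test key is ignored because only live keys are patterned; only the two real-looking tokens are reported. Wire the script into .git/hooks/pre-commit with `git diff --cached` as input and a non-zero exit blocks the commit.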

    Expert Commentary: Jason Wood, Paladin Security

    Ransomware and City Governments

    https://www.bbc.com/news/technology-49393479

    https://www.theregister.co.uk/2019/08/20/texas_towns_ransomware/

    https://dir.texas.gov/View-About-DIR/Article-Detail.aspx?id=210

    In the latest wave of city governments being hit by ransomware, at least 23 cities in the state of Texas have been hit in what is being reported as a coordinated attack. The cities reported the issues to the Texas Department of Information Resources (DIR) on the morning of August 16 and this initiated a consolidated response that is being run by the department. The department lists 9 named state and federal agencies/organizations that are participating in the response, with other unnamed “Federal cybersecurity partners.” Texas is hardly the first state to experience cities being crippled with ransomware. Previous well-known attacks have occurred against the cities of Baltimore, Atlanta, and San Francisco. The bad guys have discovered that right now, this crime does pay.

    One question that may cross someone’s mind is why there is an increase in these attacks on city governments. The answer most likely lies in the economics of the situation. City governments do not have a lot of budget for IT security, or even IT operations, when compared to other organizations. Their money is focused on things like roads, emergency services, and other city services. The cities have not allocated much money to IT because as long as things have worked ok, why spend the money? They may not even have the funds to beef up these areas, as this would involve increasing city revenue somehow, which means fees and taxes. That is always unpopular with local residents. Historically, cities have not been targets for this type of attack, so they are not prepared for it.

    On the other side of the economic coin, we have the attackers. They likely see the cities as easy targets with high visibility to citizens when services are taken down. While the cities do not have much money budgeted for IT, they usually have some money set aside for emergencies. And even with tight budgets, the payoff for the attackers can be large. Recently, the city of Riviera Beach, FL paid a $600,000 ransom to recover their data. That’s a significant payday for a group of attackers! So for the attackers, they have a higher likelihood of success in their attack and a good chance of getting paid by the victims.

    When someone is victimized by ransomware, they have a choice: pay the ransom and hope to get their data back, or try to recover on their own. In the case of smaller cities, they probably don’t have enough staff to handle such an effort on their own. And the staff they do have may not be prepared for this type of attack. The city of Baltimore, which is a large city, decided to recover on their own. This had a reported price tag of $18m versus the ransom, which was $100,000. If you are a small to medium-sized city, which sounds more appealing to you?

    One thing that I find interesting about the attacks in Texas is the array of state and federal assistance that has been gathered up to help in the response. This will be hugely expensive, but at least provides the cities with experience that they wouldn’t have had access to on their own. The idea of states setting up their own incident response teams to respond to issues like this may be something to seriously consider. Some states have already done this, but others have likely not gotten to that point yet. As these attacks on cities appear to be a trend, states and cities should start preparing now for when it occurs in municipalities that do not have the resources to combat these attacks.

