From Paul's Security Weekly
Recorded October 1, 2019 at G-Unit Studios in Rhode Island!
- Register for our upcoming webcasts with ISC2 by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand. Also, you can now submit your suggestions for guests in our recently released guest suggestion form! Go to securityweekly.com/guests and enter your suggestions!
- Google Play Malicious Apps Installed 335M+ Times in September - Most of it is "Adware": ESET researcher Lukas Stefanko said on Tuesday that the majority of those 172 malicious apps were harboring adware. He said 48 adware-laced apps represent up to 300 million installs on Google Play. “Unwanted ads or adware is a popular category because after install it doesn’t request any further inputs, like banking trojans, and can simply generate revenue for developers right from the beginning,” Stefanko told Threatpost. “Also, it isn’t as difficult to create adware as it is to create Android ransomware or banking Trojans.”
- Cloud Vulnerability Could Let One Server Compromise Thousands - This is just sloppy sysadmins: The researchers explored the control panel of the hosting company and saw there was an SSH connection between their server and the cloud provider. A public key had been pre-installed to access the server, prompting the team to wonder whether the management software was using the same key pair to manage every server. Researchers found this was the case, and they could launch an SSH connection to any server with the hosting company. They could do this even if they didn't have the private key, which granted the same level of root access the provider had.
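The provider-side check that would have surfaced this is simple: collect `authorized_keys` from every managed host and look for any single public key that grants access to more than one of them. The script below is an added example, not code from the article or the researchers; the host inventory is constructed inline and the key blobs are base64 of short placeholder strings standing in for real key material.

```python
"""Flag SSH public keys that appear in authorized_keys on more than one host.

Added example (not from the article). The inventory maps host name -> the text of
that host's authorized_keys file; in practice it would be gathered read-only by
configuration management or an asset-collection job.
"""
import base64
import hashlib
from collections import defaultdict

# Constructed sample key blobs: base64 of short ASCII strings, not real key material.
MGMT_KEY_BLOB = base64.b64encode(b"constructed-provider-management-key").decode()


def _blob(label):
    return base64.b64encode(f"constructed-{label}-key".encode()).decode()


# Constructed inventory: one provider management key reused on all three hosts,
# plus a per-host key on two of them.
SAMPLE_AUTHORIZED_KEYS = {
    "web-01": (
        f"ssh-ed25519 {MGMT_KEY_BLOB} mgmt@provider\n"
        f"ssh-ed25519 {_blob('web-01')} alice@web-01\n"
    ),
    "web-02": (
        "# provider management access\n"
        f'from="10.0.0.0/8" ssh-ed25519 {MGMT_KEY_BLOB} mgmt@provider\n'
        f"ssh-ed25519 {_blob('web-02')} bob@web-02\n"
    ),
    "db-01": f"ssh-ed25519 {MGMT_KEY_BLOB} mgmt@provider\n\n",
}

# Key-type prefixes recognised in an authorized_keys line.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint (unpadded base64 of the digest) of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (key_type, blob, comment) for each key line; blank and comment lines are skipped.

    A leading options field (from=..., no-pty, ...) is tolerated as long as it contains
    no whitespace; quoted options with spaces would need a real tokenizer.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field.startswith(KEY_TYPES) and i + 1 < len(fields):
                yield field, fields[i + 1], " ".join(fields[i + 2:])
                break


def shared_keys(inventory, min_hosts=2):
    """Map fingerprint -> sorted host list for every key present on min_hosts or more hosts."""
    hosts_by_fp = defaultdict(set)
    for host, text in inventory.items():
        for _key_type, blob, _comment in parse_authorized_keys(text):
            hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"{fp} grants access to {len(hosts)} hosts: {', '.join(hosts)}")
```

A key that legitimately belongs on many hosts (a break-glass key, for instance) can be allow-listed by fingerprint; anything else the report lists is a single private key whose compromise reaches every host in the list, which is the situation the researchers described.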
- Critical Remote Code Execution Vulnerability Patched in Exim Email Server | SecurityWeek.Com - At this point, just uninstall Exim and keep it off your systems. That is all for now, next story!
- New Bug Found in NSA's Ghidra Tool - The vulnerability allows a remote attacker to compromise exposed systems, according to a NIST National Vulnerability Database description. No fix is currently available. Despite the warning, researchers are downplaying the impact of the bug. They maintain the conditions needed to exploit the flaw, tracked as CVE-2019-16941, are rare. They also note that the NSA’s GitHub repository for Ghidra indicates a patch is currently in the works. Nevertheless, the flaw exists within NSA Ghidra versions through 9.0.4. According to the description of the bug, the flaw manifests itself “when [Ghidra] experimental mode is enabled.” This “allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document,” it reads.
- Ex-Yahoo engineer hacked accounts for pornography - Dude, like there's lots of porn on the Internet (so I am told), why do this? A former Yahoo software engineer has pleaded guilty to charges of illegally accessing user accounts. Reyes Daniel Ruiz admitted he had "hacked" about 6,000 accounts, seeking sexual images and videos. The US Department of Justice said Ruiz had "cracked" user passwords and accessed internal Yahoo systems while hunting for pornography.
- WebEx, Zoom Meetings Exposed to Snooping via Enumeration Attacks | SecurityWeek.Com - According to the company, WebEx and Zoom allow a bot to automatically cycle through all potentially valid meeting IDs via API calls. Once they obtain valid meeting IDs, attackers can try to access meetings in hopes that the user has not set a password, allowing them to spy on individuals and organizations. The vulnerability is even more worrying in cases where users sought to simplify meeting management by setting a personal ID. Once they obtain this meeting ID, attackers may be able to snoop over an extended period of time. The vendors do not identify this as a vulnerability. Of course, this just means more restrictions on APIs that will increase the time it takes to code against them.
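Whether or not the vendors call it a vulnerability, the behaviour described above has a recognisable shape in API access logs: one client requesting many distinct meeting IDs in a short window, most of them not found. The detector below is an added example, not code from the article or from either vendor; the log format and the sample lines are constructed for the example, and the thresholds are illustrative defaults.

```python
"""Detect meeting-ID enumeration from API access logs with a per-client sliding window.

Added example (not from the article or any vendor). The log format is constructed:
  <ISO-8601 UTC timestamp> client=<addr> GET /api/meetings/<id> status=<code>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log: 203.0.113.5 walks consecutive IDs (two happen to exist),
# 198.51.100.7 is an ordinary user re-joining one meeting. One malformed line is included.
SAMPLE_LOG = """\
2019-10-01T12:00:00Z client=203.0.113.5 GET /api/meetings/100000001 status=404
2019-10-01T12:00:01Z client=203.0.113.5 GET /api/meetings/100000002 status=404
2019-10-01T12:00:02Z client=203.0.113.5 GET /api/meetings/100000003 status=200
2019-10-01T12:00:03Z client=198.51.100.7 GET /api/meetings/555123456 status=200
2019-10-01T12:00:03Z client=203.0.113.5 GET /api/meetings/100000004 status=404
2019-10-01T12:00:04Z client=203.0.113.5 GET /api/meetings/100000005 status=404
this line is not an api request and must be ignored
2019-10-01T12:00:05Z client=203.0.113.5 GET /api/meetings/100000006 status=404
2019-10-01T12:00:06Z client=203.0.113.5 GET /api/meetings/100000007 status=200
2019-10-01T12:00:07Z client=203.0.113.5 GET /api/meetings/100000008 status=404
2019-10-01T12:00:09Z client=198.51.100.7 GET /api/meetings/555123456 status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) GET /api/meetings/(?P<meeting>\d+) status=(?P<status>\d{3})$"
)


def detect_enumeration(log_text, window_seconds=60, distinct_threshold=5):
    """Return {client: finding} for clients that request >= distinct_threshold distinct
    meeting IDs within any window_seconds span. Each finding records the distinct-ID
    count, request count and not-found ratio at the last moment the threshold held."""
    recent = defaultdict(deque)  # client -> deque of (timestamp, meeting_id, status)
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        window = recent[m["client"]]
        window.append((ts, m["meeting"], m["status"]))
        # Drop events older than the window relative to the current event.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct_ids = {meeting for _, meeting, _ in window}
        if len(distinct_ids) >= distinct_threshold:
            not_found = sum(1 for _, _, status in window if status == "404")
            findings[m["client"]] = {
                "distinct_ids": len(distinct_ids),
                "requests": len(window),
                "not_found_ratio": round(not_found / len(window), 2),
                "window_end": m["ts"],
            }
    return findings


if __name__ == "__main__":
    for client, finding in detect_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {finding}")
```

The distinct-ID count is what separates enumeration from a user who reconnects to the same meeting many times, and the not-found ratio is a useful secondary signal because a legitimate client rarely asks for IDs that do not exist. The same logic is the basis for a rate limit keyed on the client rather than on the meeting.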
- Medical Practice Closing Permanently After Ransomware Attack | SecurityWeek.Com - Yikes: Very little information about the attack is provided in the statement on the website. It says the firm "was the victim of a ransomware attack that resulted in its patients' personal healthcare information being encrypted." There is no indication of the ransomware type, nor the value of any ransom demanded. There is no indication that the incident was reported to the FBI, nor whether any third-party security experts were employed to investigate the incident. The attack occurred on August 10, 2019 while the notification statement is dated September 18, 2019. In the intervening weeks it can be assumed that the firm tried and failed to recover its patients' healthcare records. "The attack encrypted our servers, containing your electronic health records as well as our backup hard drives," says the firm.
- Researchers Find New Hack to Read Content Of Password Protected PDF Files - Dubbed PDFex, the new set of techniques includes two classes of attacks that take advantage of security weaknesses in the standard encryption protection built into the Portable Document Format, better known as PDF. To be noted, the PDFex attacks don't allow an attacker to know or remove the password for an encrypted PDF; instead, they enable attackers to remotely exfiltrate content once a legitimate user opens that document. In other words, PDFex allows attackers to modify a protected PDF document, without having the corresponding password, in a way that when opened by someone with the right password, the file will automatically send out a copy of the decrypted content to a remote attacker-controlled server on the Internet.
- Hackers Turn to OpenDocument Format to Avoid AV Detection - Most AV systems are able to detect malicious documents if they are common types, such as PDFs or MS Word documents. Many do not thoroughly check open standards such as ODT. From the article: In one example highlighted by Cisco Talos, attackers used a malicious ODT file with an embedded Object Linking and Embedding (OLE) file. OLE files are used to embed or link documents together for sharing data across applications. Next, the ODT used the embedded OLE to trigger the HTML Application script (HTA) into action. The HTA script downloaded the remote administration tool (RAT) called NJRAT. The attack scenario did require the recipient of the malicious email to double-click the attachment and grant the document permission to run, while alerting the user to a “file type that can be unsafe.”
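An ODT is a zip archive with a manifest, so the gap the article describes can be closed with a small pre-filter that looks inside the archive for embedded OLE objects before the document reaches a user. The scanner below is an added example, not code from Cisco Talos or the article; it recognises OLE objects by their compound-file magic bytes and by the manifest media type that LibreOffice-style suites use for them (assumed here to be `application/vnd.sun.star.oleobject`). The sample documents are constructed in memory and are not real office-suite output.

```python
"""Scan an OpenDocument (ODT) archive for embedded OLE objects.

Added example (not from the article). Two independent indicators are used:
  1. any zip member whose first 8 bytes are the OLE compound-file magic, and
  2. any META-INF/manifest.xml entry whose media type names an OLE object
     (assumed here to contain "oleobject", as LibreOffice writes it).
"""
import io
import zipfile
import xml.etree.ElementTree as ET

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file header, not format-specific
MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
TEXT_NS = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"


def scan_odt(data):
    """Return indicators found in an ODF zip and a verdict.

    Keys: ole_members (members with OLE magic), manifest_ole_entries (manifest
    full-paths declared as OLE objects), suspicious (True if either list is non-empty)."""
    findings = {"ole_members": [], "manifest_ole_entries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.endswith("/"):
                continue  # directory entry, nothing to read
            with zf.open(name) as fh:
                if fh.read(len(OLE_MAGIC)) == OLE_MAGIC:
                    findings["ole_members"].append(name)
        if "META-INF/manifest.xml" in names:
            root = ET.fromstring(zf.read("META-INF/manifest.xml"))
            for entry in root.iter(f"{{{MANIFEST_NS}}}file-entry"):
                media_type = entry.get(f"{{{MANIFEST_NS}}}media-type", "")
                if "oleobject" in media_type.lower():
                    findings["manifest_ole_entries"].append(entry.get(f"{{{MANIFEST_NS}}}full-path"))
    findings["suspicious"] = bool(findings["ole_members"] or findings["manifest_ole_entries"])
    return findings


def build_sample_odt(with_ole):
    """Construct a minimal ODT-like zip in memory for the demonstration.

    This is constructed test data, not a document produced by an office suite; the
    optional 'Object 1' member is just the OLE magic followed by zero padding."""
    entries = [
        '<manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.text"/>',
        '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>',
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # ODF requires 'mimetype' first and uncompressed.
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text", compress_type=zipfile.ZIP_STORED)
        if with_ole:
            entries.append('<manifest:file-entry manifest:full-path="Object 1" manifest:media-type="application/vnd.sun.star.oleobject"/>')
            zf.writestr("Object 1", OLE_MAGIC + b"\x00" * 504)
        manifest = (
            '<?xml version="1.0" encoding="UTF-8"?>'
            f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">{"".join(entries)}</manifest:manifest>'
        )
        zf.writestr("META-INF/manifest.xml", manifest)
        zf.writestr(
            "content.xml",
            f'<office:document-content xmlns:office="{OFFICE_NS}" xmlns:text="{TEXT_NS}">'
            "<office:body><office:text><text:p>Quarterly report</text:p></office:text></office:body>"
            "</office:document-content>",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("with embedded OLE", True)):
        print(label, scan_odt(build_sample_odt(flag)))
```

Checking the magic bytes catches an object the manifest fails to declare, and checking the manifest catches a declaration whose payload has been obfuscated; a document that trips either check is a candidate for quarantine or deeper analysis of the embedded object rather than delivery to the mailbox.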
- Billboard in Michigan Hacked to Play Porn For Drivers Along I-75 | iHeartRadio - This "prank", which is the wrong word, this CRIME is not worth it: "Promoting pornography and/or promoting pornography for minors by disseminating any pornographic material, images, videos, etc. is a violation of an Auburn Hills local ordinance with a possible penalty of 90 days in jail and/or a $500 fine. These suspects now face potential burglary charges for forcing entry into the building to gain access to the computer system, which is a felony offense," Auburn Hills police said in a statement about the incident. I do think one of the comments from a driver is funny: "It was very bizarre," Chuck McMahon told WDIV. "I thought maybe it was a billboard for a strip club or something. I was like, 'Huh, oh, wow — that's porn.'"
Expert Commentary: Sean O'Brien, PrivacySafe
PrivacySafe - The Anti-Cloud Appliance
PrivacySafe is an IoT backup appliance you can trust. It plugs in at your home or office, giving you the keys to your data. Malware protection, password vault, cryptocoin payment processing, and more. 100% Free and Open-Source Software and Open Hardware, so that it can be audited down to the circuitry.
Use Sean's Hacker Halted promo code HACKNAKED1 to get a 10% Discount on PrivacySafe's website!