From Paul's Security Weekly
Recorded November 19, 2019 at G-Unit Studios in Rhode Island!
- Register for one of our upcoming webcasts with Bryce Shroeder and Barbara Kay of ServiceNow, Kevin O'Brien of GreatHorn, or Steve Laubenstein of Core Security (or all of them!) by going to securityweekly.com -> Click the webcast dropdown & Select Registration! If you have missed any of our previously recorded webcasts, you can find our on-demand library by selecting on-demand from the webcast drop down! If you attend any of our webcasts, you will receive 1 CPE credit per webcast!
- Vulnerabilities in Android Camera Apps Exposed Millions of Users to Spying - Checkmarx demonstrated the impact of the vulnerabilities by creating a fake weather application that only requires storage permissions. Exploitation of the camera app vulnerabilities and having storage permissions allowed the malicious application to take a photo using the victim’s camera, record a video, and record both sides of a voice call. The app could also upload the photos, videos and voice call recordings to the attacker’s server, extract location data from photos to track the victim, and mute the phone in an effort to operate in stealth mode. Normally, an application would have to request camera, microphone, location and storage permissions to be able to perform these activities, but CVE-2019-2234 made it possible to bypass permissions by abusing the default camera app.
- Undocumented Access Feature Exposes Siemens PLCs to Attacks | SecurityWeek.Com - This is not a remote exploit, but could lead to other vulnerabilities being discovered: The researchers analyzed the device’s firmware integrity verification mechanism, which is triggered on boot and uses bootloader code that is stored on separate SPI flash memory. An investigation of this bootloader, which the experts believe is present on S7-1200 PLCs made since 2013, revealed the existence of an undocumented access mode.Siemens S7-1200 PLC Described by the researchers as a hardware-based special access feature, it’s normally designed to provide additional diagnostic functionality during manufacturing. However, they discovered that an attacker who has physical access to a PLC could abuse it — through a cold boot attack — by sending a special command via the universal asynchronous receiver-transmitter (UART) interface during the first half second of the PLCs booting process, which allows them to dump the firmware from the memory.
- Ring doorbells and the police: What to do if surveillance has you worried - The Neighbors app connects local residents to help them find lost pets, view crime alerts in the area, share details of thefts or whatever people might deem "suspicious activity." Police departments sign up with Ring and can then look at posts on the Neighbors app. They can also ask Ring if any Neighbors users are willing to share video clips in a certain area for a specific time frame. But some are quick to point out the negavtives: "Amazon is building a privately run, for-profit surveillance state -- and they're getting local police to market it for them in exchange for VIP access to Amazon's on-demand surveillance system," FFTF wrote in a September petition, calling on mayors and other local elected officials to stop Ring's partnership with police.
- Design flaw leaves Bluetooth devices vulnerable | SC Media - The vulnerability centers on the universally unique identifier (UUID),which is often broadcast in the clear leaving the device open to a fingerprinting attack. At the very least this would allow an attacker to determine what type of Bluetooth devices are present by the UUID’s being broadcast.Lin (the researcher who discovered the vulnerability) and his team took a Bluetooth “sniffer” on a tour of the university’s 1.28 square-mile campus and found 5,800 Bluetooth devices operating, 94 percent of which they were able to fingerprint and 7.4 percent – were vulnerable to unauthorized access or eavesdropping attacks. Additionally, it was revealed that the Bluetooth signals emitted by these devices extended much farther than originally thought. “The typical understanding is that Bluetooth Low Energy devices have signals that can only travel up to 100 meters,” he said. “But we found that with a simple receiver adapter and amplifier, the signal can be ‘sniffed’ (or electronically found) much farther – up to 1,000 meters away.”
- GitHub launches Security Lab to boost open source security - This is a big task, but an important issue to address: Launched last week at its GitHub Universe developer conference, the idea sounds simple enough – create a global platform for reporting and fixing security vulnerabilities in open source projects before they do serious damage. It sounds so obvious, it’s surprising that nobody’s thought of it before. That might have something to do with the size of the job, admitted GitHub’s vice president of security product management in Security Lab’s launch blog: Securing the world’s open source software is a daunting task. “With Sophos we’ve had zero ransomware infections”Start an online demo of Sophos Intercept X in less than a minute. To boost credibility, GitHub has already signed up big companies – namely Google, Oracle, Mozilla, Intel, Uber, VMWare, J.P. Morgan, F5, NCC Group, IOActive, Trail of Bits, HackerOne, as well as Microsoft and LinkedIn. This has already borne fruit, with these companies collectively finding more than 100 CVE-level security vulnerabilities in open source code. Anyone who joins them will qualify for bug bounties of up to $3,000, GitHub said.
- WhatsApp Remote Code Execution Triggered by Videos - Attackers can exploit the flaw merely by sending a target user a video — specifically, a specially crafted MP4 file, Facebook has warned. MP4 is a digital multimedia container format usually used to store video and audio; further details around how the MP4 files would need to be crafted were not disclosed. “The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE,” according to an advisory issued last week. The WhatsApp flaw (CVE-2019-11931) is a buffer overflow,
- Disney+ Credentials Land in Dark Web Hours After Service Launch - Password re-use was the issue: ZDNet found some credentials for sale in the underground for $3 to $11 per account and others, for free, as attackers took advantage of users who share their accounts. Some victims were locked some out of their accounts entirely. While no single mechanism for the credential theft has been identified, it seems that some victims re-used credentials from other sites — credentials that had previously been breached and posted on the Dark Web. Disney+ did not offer strong authentication options for its streaming service accounts.
- 146 security flaws uncovered in pre-installed Android apps - Researchers at Kryptowire have uncovered 146 security vulnerabilities in pre-installed apps across 29 Android OEMs (aka original equipment manufacturers), underscoring the vast scope of the problem. The shortcomings discovered in the study — funded by the Department of Homeland Security — range from unauthorized app installs to the ability to modify system and wireless settings, and even record audio. More troubling, it includes apps from some well-known OEMs like Asus, Samsung, and Xiaomi Samsung disputed the findings in a statement to Wired, stating “we have promptly investigated the apps in question and have determined that appropriate protections are already in place.”
Expert Commentary: Bob Erdman, Core Security a HelpSystems Co.
Effective Phishing Campaigns
Phishing campaigns are designed to give an organization data on how vulnerable they are to attacks and serve as an educational opportunity to increase employee awareness. It’s important for pen testers to carefully craft their phish by designing effective and enticing phishing simulations for their organization. We would like the segment to discuss key strategies pen testers should keep in mind before deploying a social engineering campaign. We’re all constantly sent those pesky phishing emails and as a leading cause of today’s breaches, they continue to be a security challenge for organizations. Fortunately, there are ways to discover how vulnerable you are to attacks and educate your employees about how to recognize and avoid getting phished. Strategic and carefully crafted phish can provide you with important insight about your organization’s susceptibility to social engineering. During today’s interview, we’re going to talk with Bob Erdman, noted cybersecurity export and senior product manager at Core Security, about key strategies you should keep in mind when deploying a campaign to get the most out of your simulations.
We are in the process of finalizing a video-based "Best Practices for Effective Phishing Simulations eCourse" on our website. We can provide the link once finalized.
We also have a recent blog on the topic titled, How to Use Social Engineering Penetration Tests to Protect Against Phishing Attacks (https://www.coresecurity.com/blog/how-build-effective-phishes-social-engineering-penetration-tests)