Hack Naked News 110 February 7, 2017

From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #110

Recorded February 7, 2017 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • News

    This week, printers are exploited, Android vulnerabilities are patched, you TV is watching you, Wordpress updates quietly, iOS apps are vulnerable, the lamest crypto bug, and Metasploit hacks all the things. In our expert commentary section Jason Wood joins us to talk about a Former NSA contractor who may have stolen 75% of TAO’s elite hacking tools, all that and more on this edition of Hack Naked News.

    ITPro.TV Annoucenment: "Upcoming courses include Cybersecurity Analyst+, CCNA Cyber Ops, ITIL Operational Support and Analysis, and Microsoft System Center. ITProTV is introducing a new membership level soon. All current Premium Members will be granted the highest membership level available, so​ ​sign up today! Visit itpro.tv/hacknaked and use code ​ HN30."

    • InfoSecWorld - Your 10% off discount code to promote to your members is OS17-SW. This will give them 10% off the main conference or the World Pass.
    • 2017 SOURCE Boston Proposal - Code SECURITYWEEKLY for $100 off either a conference ticket or one of the trainings. The early bird prices are currently in effect, but they can get an additional discount by using your code.
    • Charity Event Shaves that Save at the RSA Conference 6:00 pm - 8:00pm PT on Wednesday, Feb 15, 2017 At the RSA Conference Moscone Center South, Gateway Ballroom / Viewing Room To register / more details: https://www.stbaldricks.org/events/infosecshaves2017

    Security News

    Paul Asadoorian:

    1. Cryptkeeper Bug - Perhaps the most facepalm security moment of the week comes from the Linux software Cryptokeeper who fixed a ridiculous security bug: the single-character decryption key "p" decrypts everything, you know, for convenience. Cryptkeeper's developer appears to have abandoned the project, so time to find a new solution.
    2. Critical WordPress update fixes zero-day flaw unnoticed - The vulnerability, which has been announced finally, affects the WordPress REST API added in the 4.7 release, allows attackers to modify the content on any affected website remotely. It was kept quiet to avoid a hacking rampage on the Internet that typically follows major Wordpress vulnerabilities. It goes without saying, keep your Wordpress up-to-date, its easier than ever but still requires human intervention. We long for the days when Wordpress can auto-update.
    3. Are you watching your TV or is your TV watching you? - American television manufacturer Vizio has had its knuckles rapped and been forced to pay $2.2m in an agreement with the Federal Trade Commission after collecting data including IP addresses and demographic information on 11m users. Two things on this story, one its scary to think that device manufacturers are collecting your information, especially without your consent. On the other hand, its nice to see the FTC taking notice and doing it job of regulating manfuactuers and handing out fines. I hope to see this trend continue to keep IoT device manufacturers in line from both a security and privacy standpoint.
    4. Hacker stackoverflowin pwning printers, forcing rogue botnet warning print jobs and Hacker Briefly Hijacks Insecure Printers - An attacker by the name of "stockoverflowin" created a script to remotely access printers via port 9100/tcp and print out messages. Messages contained ASCII art of robots and various messages informing the vulnerable printer owners to "For the love of God, please close this port, skid.". This comes off the heels of the release of German security researcher's disclosure of printer vulnerabilities documented on the web site hacking-printers.net that we reported on last week. It makes sense that attackers would resort to some sort of mass-scale attack to prove a point, in this case there is not "botnet" only a script running that prints robots. Many of the printers attacked were posted to Twitter, and several images depict point-of-sale devices. I don't believe this is the last we will hear about printer hacking and security of these devices. As for "stackoverflowin", regardless of intention, typically folks pointing out flaws by exploiting them over the Internet at scale are then under investigation. However the famed hacker Weev pulled off similar attacks last year, forcing printers to spew anti-semitic messages.
    5. Dozens of popular iOS apps vulnerable to intercept of TLS-protected data - Encryption, yep its still only as secure as the implementation. The Sudo Security Group found Seventy-six popular applications in Apple's iOS App Stor had implemented encrypted communications with their back-end services in such a way that user information could be intercepted by a man-in-the-middle attacks. Applications can be fooled by a forged certificate sent back by a proxy, allowing their Transport Layer Security to be unencrypted and examined as it is passed over the Internet. Sudo is still working with the app creators to get fixes in place and has not yet released a full list. Its important to make certain that all of you apps are always up-to-date on your smartphones and tablets.
    6. Rapid7 Adds IoT Hardware Support to Metasploit Security Testing - Recently announced the new Metasploit Hardware Bridge API will allow security researchers to connect Metasploit to your favorite hardware devices for security testing. Initial releases are supporting automotive testing, with support for CAN, but reports stated this will be extended for more devices in the near future. Metasploit has shaped much of the security testing, making it easier for researchers to develop proof-of-concept exploits to raise awareness around the security of software, and now hardware. Its important to note that Metasploit is not the only tool for this, but that integration with the framework will allow more people to get into both automotive and device hacking, which is hopefully a good thing.
    7. Google Patches Android for 58 Vulnerabilities in February Update - Google has released its second round of patches for Android this year on February 6, 2017. This round of patches fixed 58 vulnerabilities, including 8 that Google itself has marked as critical. Some highlights include CVE-2017-0405, a remote code execution vulnerability in the Android Surfaceflinger graphics library and CVE-2017-0427, a privilege escalation vulnerability in the kernel filesystem and four, count them four, vulnerabilities related to the "stagefright" series of vulnerabilities, initially released in 2015, that allow remote attackers to exploit the MMS messaging system and more specifically the handling of media files.
    8. https://arstechnica.com/tech-policy/2017/02/former-nsa-contractor-may-have-stolen-75-of-taos-elite-hacking-tools/