Hack Naked News 111 February 14, 2017

From Paul's Security Weekly

Hack Naked News #111

Recorded February 14, 2017 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
News

    This week: Microsoft delays Patch Tuesday, a very Samy-like vulnerability in Steam, BIG-IP encryption problems, crashing BIND, 13 flaws and 13 code executions in Flash, WordPress continues to fail at failing, a university catches some fishy attacks against IoT as attackers trout some serious DoS skills, and ransomware that makes you do horrible things. Jason Wood joins us for some expert commentary on this edition of Hack Naked News.

    ITPro.TV Announcement: "Upcoming courses include Cybersecurity Analyst+, CCNA Cyber Ops, ITIL Operational Support and Analysis, and Microsoft System Center. ITProTV is introducing a new membership level soon. All current Premium Members will be granted the highest membership level available, so sign up today! Visit itpro.tv/hacknaked and use code HN30."

    • InfoSec World - Use discount code OS17-SW for 10% off the main conference or the World Pass.
    • SOURCE Boston 2017 - Use code SECURITYWEEKLY for $100 off either a conference ticket or one of the trainings. Early bird pricing is currently in effect, and the code gives an additional discount on top of it.
    • Charity Event: Shaves that Save at the RSA Conference, 6:00 pm - 8:00 pm PT on Wednesday, Feb 15, 2017, at Moscone Center South, Gateway Ballroom / Viewing Room. To register or for more details: https://www.stbaldricks.org/events/infosecshaves2017

    Security News

    1. Microsoft Patch Tuesday Delayed, (Tue, Feb 14th) - This just in from Microsoft: "This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today. After considering all options, we made the decision to delay this month's updates. We apologize for any inconvenience caused by this change to the existing plan." No reason was given beyond that the patches will be delayed. Some speculate it could be due to the recent changes in the update process, as Microsoft was scheduled this month to move from individual patches to consolidated (monolithic) update packages. Until the updates land, the February fixes are simply not available, so keep your other mitigations (least privilege, application allow-listing, network filtering) in place.
    2. As Valve eradicates serious bug in Steam, here's what you need to know - This one brings back some memories. Valve had a pretty serious stored cross-site scripting bug in the Steam community site: attackers could plant script in their own profile pages, and when a logged-in user viewed such a profile the script ran in that user's session, where it could redirect them to attack sites, spend their market funds, or make malicious changes to their own profile. That is the same pattern as the Samy worm that spread across MySpace in 2005. Simple XSS bugs such as this one still plague the Internet, even though they are easier to spot and fix than ever: encode user-supplied data on output, and back that up with a Content Security Policy so an encoding slip does not become a worm.
    3. Newly discovered flaw undermines HTTPS connections for almost 1,000 sites - Going back in the Security Weekly time machine again, we see a new bug in the TLS implementation of several F5 BIG-IP load balancers and firewalls. An attacker who can complete TLS handshakes with the device can send malicious packets and force it to leak clear-text data from its memory, which could include crypto keys. Sites are patching as we speak; let's hope it's fast enough. If you run an affected device and cannot rule out that key material was exposed, rotate the private key and reissue the certificate after patching rather than just applying the fix.
    4. Former NSA Chief Wants the Cloud to Protect Small and Midsized Businesses - The cloud will save you! So says Gen. Keith Alexander, who headed the National Security Agency (NSA) until he retired from the post in 2014 and is now CEO of IronNet Cybersecurity. The cloud, he argues, can help enable a common defense, providing an opportunity to bring small and mid-sized organizations the security they need. "As we go forward, this cloud thing is going to keep moving," Alexander said. "It helps the small and mid-sized companies, that's the trend. It will be great for big companies, but it's a life-saver for small and mid-sized companies." A resounding endorsement for cloud. Let's also hope that at RSA they are talking about how to secure data, applications, identities and users in the cloud, because even with cloud we still have all of those things to secure.
    5. High Severity BIND Vulnerability Can Lead to A Crash - ISC BIND versions 9.8.8, 9.9.3 through 9.9.10b1 (including the 9.9.3-S1 subscription branch), 9.10.0 through 9.10.5b1, and 9.11.0 are vulnerable to a denial of service when two specific features, DNS64 and RPZ (response policy zones), are both in use. A crafted query can leave the server attempting to read through a null pointer, which crashes named with a segmentation fault. Disabling either DNS64 or RPZ avoids the crash until you can upgrade, but ISC BIND users are encouraged to patch, so get on that!
    6. Adobe Patches 13 Code Execution Vulnerabilities in Flash - To think we are still patching flaws in Adobe Flash, and at an even more alarming rate than ever. Adobe patched 13 code execution vulnerabilities in Flash Player today as part of its regular patch update cycle; I guess this is just the normal course of operations for Adobe when it comes to Flash. Adobe said that Flash version 24.0.0.194 and earlier are vulnerable and that users should update immediately to 24.0.0.221. All of the flaws were rated critical, the highest severity, for Windows, macOS and Chrome, so get updating, or even better remove Flash from your systems ASAP.
    7. More Than 1.5 Million WordPress Blogs Defaced - Even though WordPress shipped the fix (4.7.2) quietly and held back disclosure of the flaw for a week to give site owners time to update, the patch has been out for a couple of weeks and still 1.5 million pages have been defaced. Please WordPress, just switch everyone to auto-updates? Sure, some stuff would break, but it would make the Internet a safer place; not as fun for attackers, but safer. One caveat: WordPress has shipped background updates for minor releases on by default since 3.7, so if you run a site, check that they are actually enabled and succeeding rather than assuming they are.
    8. How IoT Hackers Turned A University's Network Against Itself - Roughly 5,000 IoT devices at an undisclosed university were hijacked and instructed to make tons of DNS requests, slowing the university's network to the point of being unusable. The DNS requests were all, get this, lookups for seafood-related domain names. While that may sound a bit fishy, it was reported in Verizon's 2017 Data Breach Digest. It may be the first publicized case of an organization's own devices being turned against it. The takeaway from this story is to be certain that IoT devices are locked down (change default credentials, segment them from the rest of the network, and watch per-device DNS query volume), because attackers will use them to scale attacks and cause disruptions on your network.
    9. New Annoying Ransomware Forces Victims to Take Online Surveys - Motherboard - It's bad when you get ransomware, but imagine if you were forced to fill out a survey? The horror! Recently discovered malware does just that; let's hope this one doesn't get out into the wild...
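The Steam item above is the classic stored-XSS shape: attacker-controlled profile data is written into HTML without encoding, so it executes in every visitor's session. The following is an added example (not code from the episode, from Valve, or from Steam) that renders a toy profile page two ways and runs a small HTML-parser check over the result. The profile fields, payload, element names and headers are all made up for illustration.

```python
"""Added example: a toy 'profile page' renderer showing why a stored XSS in a
user-controlled profile field works, and how output encoding plus a CSP stop it.
All names, the payload and the page layout are invented for this illustration."""
import html
from html.parser import HTMLParser

# Constructed attacker profile. The bio does what a Samy-style worm would: when
# rendered unescaped in a logged-in visitor's browser it runs with that visitor's
# session and can make authenticated requests on their behalf.
ATTACKER_PROFILE = {
    "name": "friendly_trader",
    "bio": '<img src=x onerror="fetch(\'/market/buy?item=1\',{credentials:\'include\'})">',
}


def render_profile_vulnerable(profile: dict) -> str:
    """Interpolates user data straight into markup: the bio is trusted as HTML."""
    return f"<h1>{profile['name']}</h1><div class=bio>{profile['bio']}</div>"


def render_profile_hardened(profile: dict) -> str:
    """Contextual output encoding: every user-controlled value is HTML-escaped
    before it lands in element content. quote=True also escapes quotes so the
    same helper would be safe inside a quoted attribute value."""
    name = html.escape(profile["name"], quote=True)
    bio = html.escape(profile["bio"], quote=True)
    return f"<h1>{name}</h1><div class=bio>{bio}</div>"


class ActiveMarkupFinder(HTMLParser):
    """Walks rendered HTML and records anything that could execute script:
    elements the template did not emit itself, inline on* handlers, and
    javascript: URLs. Escaped text never reaches handle_starttag, so a
    correctly encoded page produces no findings."""

    ALLOWED_TAGS = {"h1", "div"}  # the elements our template legitimately emits

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            self.findings.append(f"unexpected element <{tag}>")
        for attr_name, attr_value in attrs:
            if attr_name.startswith("on"):
                self.findings.append(f"inline handler {attr_name}= on <{tag}>")
            if attr_name in ("href", "src") and attr_value \
                    and attr_value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {attr_name} on <{tag}>")


def find_active_markup(page: str) -> list:
    """Returns a list of findings; an empty list means nothing executable survived."""
    finder = ActiveMarkupFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


def response_headers_hardened() -> dict:
    """Defence in depth: a CSP without 'unsafe-inline' blocks the onerror handler
    even if an encoding bug slips through somewhere in the template."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }


if __name__ == "__main__":
    for label, render in (("vulnerable", render_profile_vulnerable),
                          ("hardened", render_profile_hardened)):
        print(label, find_active_markup(render(ATTACKER_PROFILE)) or "clean")
```

The vulnerable renderer yields an `<img>` with a live `onerror` handler; the hardened one yields the same payload as inert text (the word `onerror` is still visible on the page, but it is character data, not an attribute). The parser-based check is the kind of assertion worth keeping in a template test suite, since it fails the moment someone marks a user field as "safe" HTML.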
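The university story is a detection problem as much as a hardening one: thousands of devices each making a modest number of themed DNS lookups adds up to a flood the resolver logs can show you. The following is an added example (not from the episode, the university, or the Verizon report) of a detector that reads BIND 9 style query-log lines, counts lookups per client per minute, and flags clients far above the fleet median. The log lines are constructed inside the block, and every IP address and domain name in them is made up.

```python
"""Added example: per-client DNS query-rate detection over BIND-style query logs.
The sample log is constructed here; the addresses, names and thresholds are
illustrative, not taken from the university incident."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# BIND 9 query-log line, e.g.
# 14-Feb-2017 10:00:01.123 client 10.1.5.11#49152 (www.example.edu): query: www.example.edu IN A + (10.1.0.53)
# The "(name)" group after the port is present in 9.11 and optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_line(line: str):
    """Returns (timestamp, client_ip, qname, qtype) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
    return ts, m["ip"], m["name"].lower().rstrip("."), m["qtype"]


def build_sample_log() -> list:
    """Constructed log: four ordinary clients doing a couple of lookups, plus two
    compromised devices each firing 120 themed lookups inside the same minute."""
    t0 = datetime(2017, 2, 14, 10, 0, 0)

    def entry(t, ip, name, qtype="A"):
        stamp = f"{t.strftime('%d-%b-%Y %H:%M:%S')}.{t.microsecond // 1000:03d}"
        return f"{stamp} client {ip}#{40000 + t.second} ({name}): query: {name} IN {qtype} + (10.1.0.53)"

    lines = []
    for i, ip in enumerate(["10.1.5.11", "10.1.5.12", "10.1.5.13", "10.1.5.14"]):
        for j, name in enumerate(["www.example.edu", "mail.example.edu"]):
            lines.append(entry(t0 + timedelta(seconds=5 * i + 20 * j), ip, name))
    themes = ["shrimp", "lobster", "oyster", "crab", "clam", "scallop"]
    for ip in ["10.1.200.31", "10.1.200.32"]:  # devices under attacker control
        for k in range(120):
            name = f"{themes[k % len(themes)]}{k}.seafood-example.net"
            lines.append(entry(t0 + timedelta(milliseconds=500 * k), ip, name))
    return lines


def detect_dns_floods(lines, rate_multiplier: int = 10, min_queries: int = 50) -> list:
    """Buckets queries per client per minute and flags clients whose count is both
    above an absolute floor and more than rate_multiplier times the fleet median
    for that minute. The floor keeps a quiet minute with two clients from alerting."""
    buckets = defaultdict(Counter)      # minute -> Counter(client_ip -> query count)
    names = defaultdict(set)            # (minute, client_ip) -> distinct query names
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, name, _ = parsed
        minute = ts.replace(second=0, microsecond=0)
        buckets[minute][ip] += 1
        names[(minute, ip)].add(name)

    findings = []
    for minute, counts in sorted(buckets.items()):
        median = statistics.median(counts.values())
        for ip, n in counts.most_common():
            if n >= min_queries and n > rate_multiplier * median:
                distinct = names[(minute, ip)]
                # The registrable-domain tail shows the "theme" (seafood, in the story).
                top_domain, _ = Counter(".".join(q.split(".")[-2:]) for q in distinct).most_common(1)[0]
                findings.append({
                    "window": minute.isoformat(),
                    "client": ip,
                    "queries": n,
                    "distinct_names": len(distinct),
                    "top_domain": top_domain,
                })
    return findings


if __name__ == "__main__":
    for f in detect_dns_floods(build_sample_log()):
        print(f)
```

Run against the constructed log, the two device addresses come out with 120 queries each against a fleet median of 2, all under one domain. On a real resolver the same logic belongs in a log pipeline keyed on the device VLAN, and the interesting follow-up is the one the university's responders eventually did: read the query names, spot the theme, and use it to find the botnet's command traffic.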