Hack Naked News 112 February 21, 2017

From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #112

Recorded February 21, 2017 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • News

    ITPro.TV Annoucenment: "Upcoming courses include Cybersecurity Analyst+, CCNA Cyber Ops, ITIL Operational Support and Analysis, and Microsoft System Center. ITProTV is introducing a new membership level soon. All current Premium Members will be granted the highest membership level available, so​ ​sign up today! Visit itpro.tv/hacknaked and use code ​ HN30."

    • InfoSecWorld - Your 10% off discount code to promote to your members is OS17-SW. This will give them 10% off the main conference or the World Pass.
    • 2017 SOURCE Boston Proposal - Code SECURITYWEEKLY for $100 off either a conference ticket or one of the trainings. The early bird prices are currently in effect, but they can get an additional discount by using your code.

    News

    1. SSD Advisory Oracle Java FTP Stream Injection - It has been discovered that the Java and Python runtimes fail to properly validate FTP URLs, potentially allowing attackers to open holes through firewalls to access local networks. On Saturday, security researcher Alexander Klink disclosed an interesting attack where exploiting an XXE (XML External Entity) vulnerability in a Java application can be used to send emails. Securiteam has released details on the attacks after the vulnerabilities were disclosed by another party. Securiteam had been working with Oracle several months ago in a coordinated disclosure effort, but that went out the window this week.
    2. Is your child a hacker? Liverpudlian parents get warning signs checklist - A program called Hackers to Heroes has released a list of of the top signs that your child may be a hacker, or even worse, a "cyber" criminal. I really hope my kids are hackers, it makes life more interesting and fun. Some of the signs to look for, according to Hackers to Heroes, are: They spend most of their free time alone with their computer, Teachers say the child has a keen interest in computers (okay, already summing up my childhood), they use the language of hacking, such as "DdoS" , Dossing, pwnd, Doxing, Bots, Botnets, Cracking, Hash (refers to a type of encryption rather than cannabis), Keylogger, and of course Lulz, and Your internet connection slows or goes off, as their hacker rivals try to take them down (or they are just normal kids downloading porn). So watch for these signs, and give us a call here at Security Weekly, as we may enroll them in our internship program.
    3. Lone Hacker Rasputin Breaches 60 Universities, Federal Agencies - A hacker has compromised at least 60 universities and US government organizations, utilzing SQL injections as his weapon of choice. Rasputin, believed to be a Russian hacker, is most well-known for the December 2016 attack against the US Electoral Assistance Commission through an unpatched SQL injection (SQLi) vulnerability. While this is nothing new, the information collected was being sold on the so-called dark web. Amazing that this particular vulnerability is still be exploited today for profit.
    4. German Parents Told To Destroy Cayla Dolls Over Hacking Fears - An official watchdog in Germany has told parents to destroy a talking doll called Cayla because its smart technology can reveal personal data. That's right Cayla can be hacked to say bad things to your children! The company claims vulnerabilities have been remediated, but security experts warn the dolls can still be hacked. While I don't recommend burning the dolls in a fire, removing the electronics and using it as, well, just a doll, may be advisable.
    5. Porn Sites Are Finally Getting the Right Idea on Bug Bounties - Amazing how a free porn site, in the case YouPorn (which I am sure none of you have ever heard of) is taking measures to prevent attackers from penetrating the site. They've released details on a Bug Bounty program, in collaboration with HackerOne. The bug bounty is very explicit in the types of vulnerabilities that researchers can discover to even have a shot at the money.
    6. Yahoo! Loses $350 Million In Verizon Buyout Deal Due To Breaches - Due to multiple major breaches, Yahoo! has lost at least $350 million in the Verizon deal. They better close this one out soon, before they get hacked again.
    7. Google (Again) Discloses Windows Bug After Microsoft Fails to Patch It - Google was forced to go public with the details of a vulnerability in Windows GDI (Graphics Device Interface), which is a library that enables applications to use graphics and formatted text on both the video display and a local printer. The bug enables hackers to steal information from memory and affects Windows versions from Windows Vista Service Pack 2 to the very latest Windows 10. Microsoft, of course, delayed patch Tuesday for February of this year, forcing Google's hand to release these details. Also, it has been reported that a -day exploit was released via Github, which very well could have been patched in the latest round of updated from Microsoft. Way to go Microsoft!
    8. Hackers Siphon Over 600 Gigs From PC Microphones - Researchers have uncovered an advanced malware-based operation that siphoned more than 600 gigabytes from about 70 targets in a broad range of industries, including critical infrastructure, news media, and scientific research. The operation uses malware to capture audio recordings of conversations, screen shots, documents, and passwords, according to a blog post published last week by security firm CyberX. The researchers have dubbed the campaign Operation BugDrop because of its use of PC microphones to bug targets and send the audio and other data to Dropbox, primarily targeting industrial control system environments.

    Expert Commentary: Jason Wood, Paladin Security

    Smart City Tech Would Make Military Bases Safer