Hack Naked News 113 February 28, 2017
From Paul's Security Weekly
Hack Naked News #113
Recorded February 28, 2017 at G-Unit Studios in Rhode Island!
- Torvalds Downplays SHA-1 Threat to Git - Recent research dubbed SHAttered, co-authored by Google, describes a collision attack in the SHA-1 hashing algorithm. Researchers successfully created a has collision, that is two different sets of data that share the same hashed value. Both git and subversion use SHA-1 to create hashed values for source code, which means it is possible to upload malicious or backdoored source code that has the same cryptographic hash as the production, and clean, source code. However, other security researchers are quick to point out that files with the same hashed values are flagged by the rep-sharing feature, at best an attacker can cause issues with rep-sharing. Of course, Linux Torvalds chimes in with his typical messaging on security by stating "The sky isn't falling". In reviewing all of the arguments for the severity of this attack, its clear we must migrate away from SHA-1 and be certain we are aware of this attack and take further steps to detect code that is being backdoored.
- Germany, France Lobby Hard For Encryption Backdoors - France and Germany, in the name of fighting terror, have suggested that, and I quote, technology companies to come up with impossible encryption systems that are secure, strong, and yet easily crackable by law enforcement on demand. . Not much more to this story other than this is a really bad idea as, well, privacy, which is interesting ad the EU has some of the strictest privacy laws, certainly ahead of the US in this department.
- Bad Bug Found In Microsoft Browsing Code - Google has released details of a 0day vulnerability in IE 11 and the Edge browser,, BBC states this bug arises because of the way both programs handle instructions to format some parts of web pages. Fortunately Google has released a proof-of-concept, if you're into that sorta thing (I know I am!). Google went public because Microsoft went past the 90 day disclosure, or non-disclosure Window. The saga continues as we previously reported that Microsoft skipped patch Tuesday this month. My advice? Use Chrome perhaps?
- Apple deleted server supplier after finding infected firmware in servers [Updated] - Apple returned some servers found to have infected firmware operating in the Apple Design Lab. Supermicro reports that Apple has severed its relationship with the hardware provider, and Apple states that no customer data was lost. While Apple always has a weird way of dealing with security incidents, essentially providing little to no information to the public, props to them for discovering it. however, it would be nice to share what you found so that others can perform similar investigations.
- Creepy IoT teddy bear leaks >2 million parents and kids voice messages - Troy hunt reported this week that a children's IoT toy device was storing the customer databases in a publicly accessible location. Troy reports that Spiral Toys also used an Amazon-hosted service with no authorization required to store the recordings, customer profile pictures, children's names, and their relationships to parents, relatives, and friends. This is just one of several flaws in kids toys, which is really creepy. Before you jump on the IoT kids toy bandwagon, okay, well, you know what, just don't get on that bandwagon for a while.
- Cloudflare Moves Quickly to Patch Data Leakage Flaw - Now would be a good time to change your passwords: as Cloudflare-protected websites and services—including Uber, dating site OkCupid, and Fitbit—have inadvertently been leaking sensitive user data, potentially including passwords and private messages. Some of this data is still floating around, cached in search engines. While unlikely that your credentials have been leaked, its a good time to change them, use a password manager which will help you keep track of them and reduce password re-usage, and enable two-factor authenication where available. Personally, I've been on a mission to enable two-factor auth on all the services that I use, and the milage varies. Some sites allow me to use a token, and others will only do an SMS two-factor auth. With all of the threats against your credentials, you improve the security of your account with two-factor auth and I believe its worth the minor inconvenience. And I know, blah blah blah from all the folks who poo-poo two-factor. Whatever....
Expert Commentary: Jason Wood, Paladin Security
NSA Using Cyberattack for Defense: