HNNEpisode153

Hack Naked News #153

Recorded December 12, 2017 at G-Unit Studios in Rhode Island!

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.

    Announcements

    • Go to itpro.tv/hacknaked and use the code HN30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription. To learn more about ITProTV's team solution, sign up for a free demo of their supervisor portal.
    • Chris Martin steps into the hot seat on this webcast to talk about LogRhythm’s point-of-view on today’s threat landscape! This webcast is being held on Wednesday December 13, 2017 from 3-4pm EST. Register now at securityweekly.com/logrhythm.
    • Check out our On-Demand Webcasts at securityweekly.com/ondemand. Here you will find previously recorded webcasts that you can register for and watch on demand. We currently have 3 webcasts available: "Defending Modern Web Applications" with Zane Lackey from Signal Sciences, "File System Analysis" with Jonathan Sander from STEALTHbits, and "Securing Business Critical Applications" with Sebastian Bortnik from Onapsis.

    News

    1. Google Patches Critical Encryption Bug Impacting Pixel, Nexus Phones - Threatpost reports: Google patched a critical encryption bug found on its Pixel, Pixel 2 and Nexus phones this week along with delivering 49 other fixes, part of its December Pixel / Nexus Security Bulletin. Five of the patches relate to vulnerabilities rated high. One of the patches (CVE-2017-13167) is for an elevation of privilege vulnerability and four others could open the door for a denial of service attack, according to Google. The only critical patch (CVE-2017-14907) is tied to a bug in “Qualcomm closed-source components” that weakens the cryptographic strength of handsets while it derives a disk encryption key, Google stated.
    2. Vulnerability Found in Two Keyless Entry Locks - Threatpost also reporting: Researchers at Dell Secureworks are warning a vulnerability in two keyless entry products could allow local attackers to lock and unlock doors and create illegitimate RFID badges by sending unauthenticated requests to affected devices. Impacted are two AMAG Technology Symmetry IP-based access door controllers used in keyless door models EN-1DBC and EN-2DBC. Researchers say if the devices are deployed with default configurations, attackers could abuse the systems by sending unauthenticated requests to door controllers via serial communication over TCP/IP.
    3. Android Flaw Poisons Signed Apps with Malicious Code - Among the four dozen vulnerabilities Google patched this week was a fix for a bug that allowed attackers to inject malicious code into Android apps without affecting an app’s signature verification certificate. The technique allows an attacker to circumvent device anti-malware protection and escalate privileges on a targeted device with a signed app that appears to be from a trusted publisher, according to researchers.
    4. Chrome 63 offers even more protection from malicious sites, using even more memory - This update adds features for enterprise Google Chrome users. The first is the ability to truly block all communications between tabs, including those initiated by JavaScript. However, this comes at the cost of 10-20% more memory usage, and therefore is disabled by default. The other feature allows administrators to block extensions based on behavior; for example, you can block all extensions that request access to the clipboard.
    5. Apple HomeKit Flaw Left Smart Gadgets Vulnerable - Not much in the way of details here, well, it is Apple and it is a security issue, so what more could you expect? Yep, that was a dig. In any case there is a vulnerability (though referenced as a "flaw" or a "bug", but it's a vulnerability, folks) in Apple HomeKit. Apple states: "The fix temporarily disables remote access to shared users, which will be restored in a software update early next week." This fix occurred on Apple servers, so no need to patch. However, Apple claims this vulnerability is difficult to exploit, whatever that means in this context, wait, we don't really have much context, so, thanks Apple (I think).
    6. Researcher Discovers Hidden Keylogger in HP Keyboard Driver - Users of a number of different HP laptops are being urged to update drivers after security researcher Michael Myng revealed a potential keylogger risk with the integrated Synaptics Touchpad driver. I mean, cool that there is a built-in keystroke logger, which I am sure HP is saying was there for "debugging" purposes. Why you would leave that in is interesting, however attackers can always just install their own keystroke loggers, so this is nothing to really write home about.
    7. Google Researcher Releases iOS Exploit, Could Enable iOS 11 Jailbreak - As promised last week, Google's Project Zero researcher Ian Beer now publicly disclosed an exploit that works on almost all 64-bit Apple devices running iOS 11.1.2 or earlier, which can be used to build an iOS jailbreak, allowing users to run apps from non-Apple sources. On Monday morning, Beer shared the details on the exploit, dubbed "tfp0," which leveraged double-free memory corruption vulnerabilities in the kernel, the core of the operating system. Here, "tfp0" stands for "task for pid 0" or the kernel task port—which gives users full control over the core of the operating system. - And here I thought Jailbreaking was so 5 years ago. I suppose this is interesting, jailbreaking iOS really just means get an Android phone or tablet if you want that level of control.
    8. Collection of 1.4 Billion Plain-Text Leaked Passwords Found Circulating Online - That's a whole ton, 41GB to be exact, of passwords: The collective database contains plain text credentials leaked from Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public, Exploit.in. Time to change your passwords, again, and maybe throw in some 2fa.

    Expert Commentary:

    Putting Off Plans to Strengthen Data Security? It Could Cost You Your Job

    In an Infosec Island post, Tim Critchley, CEO of Semafone, made the argument that not acting on the need to improve our company’s data security could cost us our jobs. Part of me responds back to this with, “Uh yes, of course.” But in reality it’s not a simple task to balance the urgent needs of the day against longer term issues that need to be tackled. Tim makes several points on why we might find ourselves in this situation. We don’t have the people or the headcount to get the people. We are facing pressure to cut costs. The fire of the day keeps us from working on important issues that must be addressed, but aren’t in crisis… yet. He also makes the point that some folks feel the chance of a breach against them is low. Also known as depending on luck.

    Tim then gets into how to start addressing the problem of improving our security practices. This is where I wanted to focus. Let’s face it, getting support and resources in organizations can be hard. Sometimes very hard. I’ve been extremely unpopular with influential coworkers who were not happy with me asking for resources they didn’t want to give. I’d like to share a few of his points here.

    1. “Share your vision” - If you have been in your company for a while, you probably already have an idea of what the weaknesses are. You also likely have a rough idea of what it would take to work on them. Take some time to document what needs to be done and create a picture of what the benefits are. For example, an organization I worked at faced a lot of difficulty onboarding clients due to due diligence efforts of our clients. I framed improvements to our security based on those assessments and the benefit of bringing on new clients.
    2. “Talk costs to the C-suite” - I want to double underscore and bold this point. Executives don’t care about technology or its details. They do care about profitability, costs and making sure the company remains healthy. Focus on this. One “benefit” of the number of breaches being public is that we have a better idea of what damages a firm will incur due to a breach. One main point is that a breach is expensive and while the company’s brand may ultimately survive, it’s a risky proposition and very expensive. Focus on the costs and tell an effective story.

    Tim makes a couple of other points that you can read via the link in the show notes. I’d like to add one more of my own. In spite of your best efforts to make your case for improving your security posture, you may get shot down. The best advice I have is to create a realistic plan to start tackling things, including cost and time estimates. Be specific that it is an ongoing effort and not a one-time push. Then let people know about it and continue to tactfully make your case. The day may very well come that your organization is hit with a data breach, but instead of being the person who procrastinated working on issues, you are the one who has created and been advocating a plan. Going through the process of creating the plan will be a great learning experience and could save your job if things go bad.

    http://www.infosecisland.com/blogview/25010-Putting-Off-Plans-to-Strengthen-Data-Security-It-Could-Cost-You-Your-Job.html


