HNNEpisode153

From Paul's Security Weekly
Revision as of 15:48, 12 December 2017 by Wheat Loaf

Hack Naked News #153

Recorded December 12, 2017 at G-Unit Studios in Rhode Island!

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
Announcements

    • Go to itpro.tv/hacknaked and use the code HN30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription. To learn more about ITProTV's team solution, sign up for a free demo of their supervisor portal.
    • Chris Martin steps into the hot seat on this webcast to talk about LogRhythm’s point-of-view on today’s threat landscape! This webcast is being held on Wednesday December 13, 2017 from 3-4pm EST. Register now at securityweekly.com/logrhythm.
    • Check out our On-Demand Webcasts at securityweekly.com/ondemand. Here you will find previously recorded webcasts that you can register for and watch on demand. Currently, we have 3 webcasts on demand: "Defending Modern Web Applications" with Zane Lackey from Signal Sciences, "File System Analysis" with Jonathan Sander from STEALTHbits, and "Securing Business Critical Applications" with Sebastian Bortnik from Onapsis.

    News

    1. Google Patches Critical Encryption Bug Impacting Pixel, Nexus Phones - Threatpost reports: Google patched a critical encryption bug found on its Pixel, Pixel 2 and Nexus phones this week along with delivering 49 other fixes, part of its December Pixel / Nexus Security Bulletin. Five of the patches relate to vulnerabilities rated high. One of the patches (CVE-2017-13167) is for an elevation of privilege vulnerability and four others could open the door for a denial of service attack, according to Google. The only critical patch (CVE-2017-14907) is tied to a bug in “Qualcomm closed-source components” that weakens the cryptographic strength of handsets while it derives a disk encryption key, Google stated.
    2. Vulnerability Found in Two Keyless Entry Locks - Threatpost also reporting: Researchers at Dell Secureworks are warning a vulnerability in two keyless entry products could allow local attackers to lock and unlock doors and create illegitimate RFID badges by sending unauthenticated requests to affected devices. Impacted are two AMAG Technology Symmetry IP-based access door controllers used in keyless door models EN-1DBC and EN-2DBC. Researchers say if the devices are deployed with default configurations, attackers could abuse the systems by sending unauthenticated requests to door controllers via serial communication over TCP/IP.
    3. Android Flaw Poisons Signed Apps with Malicious Code - Among the four dozen vulnerabilities Google patched this week was a fix for a bug that allowed attackers to inject malicious code into Android apps without affecting an app’s signature verification certificate. The technique allows an attacker to circumvent device anti-malware protection and escalate privileges on a targeted device with a signed app that appears to be from a trusted publisher, according to researchers.
    4. Chrome 63 offers even more protection from malicious sites, using even more memory - This update adds features for enterprise Google Chrome users. The first is the ability to truly block all communications between tabs, including those initiated by JavaScript. However, this comes at the cost of 10-20% more memory usage, and is therefore disabled by default. The other feature allows administrators to block extensions based on behavior; for example, you can block all extensions that request access to the clipboard.
    5. Apple HomeKit Flaw Left Smart Gadgets Vulnerable - Not much in the way of details here, well, it is Apple and it is a security issue, so what more could you expect? Yep, that was a dig. In any case there is a vulnerability (though referenced as a "flaw" or a "bug", but it's a vulnerability folks) in Apple HomeKit. Apple states: "The fix temporarily disables remote access to shared users, which will be restored in a software update early next week." This fix occurred on Apple servers, so no need to patch. However, Apple claims this vulnerability is difficult to exploit, whatever that means in this context, wait, we don't really have much context, so, thanks Apple (I think).
    6. Researcher Discovers Hidden Keylogger in HP Keyboard Driver - Users of a number of different HP laptops are being urged to update drivers after security researcher Michael Myng revealed a potential keylogger risk with the integrated Synaptics Touchpad driver. I mean, cool that there is a built-in keystroke logger, which I am sure HP is saying was there for "debugging" purposes. Why you would leave that in is interesting, however attackers can always just install their own keystroke loggers, so this is nothing to really write home about.
    7. Google Researcher Releases iOS Exploit Could Enable iOS 11 Jailbreak - As promised last week, Google's Project Zero researcher Ian Beer now publicly disclosed an exploit that works on almost all 64-bit Apple devices running iOS 11.1.2 or earlier, which can be used to build an iOS jailbreak, allowing users to run apps from non-Apple sources. On Monday morning, Beer shared the details on the exploit, dubbed "tfp0," which leveraged double-free memory corruption vulnerabilities in the kernel, the core of the operating system. Here, "tfp0" stands for "task for pid 0" or the kernel task port—which gives users full control over the core of the operating system. - And here I thought Jailbreaking was so 5 years ago. I suppose this is interesting, jailbreaking iOS really just means get an Android phone or tablet if you want that level of control.
    8. Collection of 1.4 Billion Plain-Text Leaked Passwords Found Circulating Online - That's a whole ton, 41GB to be exact, of passwords: The collective database contains plain text credentials leaked from Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public, Exploit.in. Time to change your passwords, again, and maybe throw in some 2FA.

    Expert Commentary:
