From Paul's Security Weekly

Hack Naked News #183

Recorded July 31, 2018 at G-Unit Studios in Rhode Island!



  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Announcements:

    • Endgame Webcast is being held on August 16, 2018 @3-4pm on Phishing Prevention.
    • Come to our Pool Cabana @ Black Hat and Def Con to pick up a free copy of "Cyber Hero Adventures". Here you will be able to get the comic book signed by Gary Berman.

    Security News

    1. Chinese 'hackers' try to attack state governments by mailing CDs - The Multi-State Information Sharing and Analysis Center has warned officials of a China-based campaign that mails CDs loaded with malware. State institutions have received China-postmarked envelopes containing both discs with virus-laden Word documents as well as nonsensical letters. While it's not clear what the exact intent was, it looks as if the 'hackers' hoped to make their campaign seem more plausible by sending something physical.
    2. DHS Forms New Cyber Hub to Protect Critical U.S. Infrastructure - The Department of Homeland Security announced on Tuesday the creation of a new center aimed at guarding the nation’s banks, energy companies and other industries from major cyberattacks that could cripple critical infrastructure. Likely a response to recent reports that Russian hackers have infiltrated US critical infrastructure systems. Typically these knee-jerk reactions are ineffective, short-lived, and do not carry enough weight to make a difference.
    3. Swiss lab that analyzed Salisbury nerve agent says it was targeted by Russian hackers - The state-run Spiez laboratory near Bern was targeted by hackers believed to be linked to the Russian government ahead of a conference of chemical and biological warfare experts in September, the mass-market Swiss newspaper Blick reported. After Sergei Skripal and his daughter Yulia were poisoned in Salisbury in March, the Swiss laboratory confirmed the British finding that they had fallen victim to the Soviet-developed military-grade nerve agent Novichok. - Trying to get information or cover up the evidence? I suppose we may never know, but it's always fun to speculate!
    4. Malicious Cyber Activity Targeting ERP Applications | US-CERT - Digital Shadows Ltd. and Onapsis Inc. have released a report describing an increase in the exploitation of vulnerabilities in Enterprise Resource Planning (ERP) applications. ERP applications help organizations manage critical business processes—such as product lifecycle management, customer relationship management, and supply chain management. An attacker can exploit these vulnerabilities to obtain access to sensitive information.
    5. How hack on 10,000 WordPress sites was used to launch an epic malvertising campaign - Try to follow the trail: Check Point claimed that the brain behind the campaign – whom it dubbed Master134 – redirected stolen traffic from over 10,000 hacked WordPress sites and sold it to AdsTerra, a real-time bidding ad platform. They wrote that AdsTerra then sold it via white-label ad-serving tech from AdKernel and advert resellers (ExoClick, EvoLeads and AdventureFeeds), which then went on to sell it to the highest bidding "advertiser". Also, 10,000 is a small number of WordPress sites!
    6. Jailhouse Tablets Allow Inmates to Steal Thousands of Dollars in Credits - Officials at the Idaho Department of Correction say that inmates from five different facilities across the state collected nearly a quarter million dollars in credits after hacking their tablets. Up to 364 inmates exploited a vulnerability in JPay tablets – which were given to prisoners for email, music and games – to improperly increase their account balances, officials said. The total amount stolen by all the inmates totaled nearly $225,000. I mean who didn't consider that prisoners would try to hack the system?
    7. Connected Car Apps Open Privacy Hole For Used Car Owners - Matt Watts, data strategist and director of technology at NetApp, discovered after buying a used car that a previous owner could access a range of his personal information via the app that connects with the vehicle. “Many of the current generation of cars have a host of online ‘connected’ features, apps that allow you to interact with the vehicle even when you’re nowhere near it,” he explained in a personal blog post last week. “Mine has the ability for you to remotely control the climate systems, to call breakdown services, to upload GPS/destination details and much more, it also keeps a record of much of this information and stores it all against your online account.” Basically, getting rid of a car is now just like getting rid of an old phone or computer: it has to be wiped.
    8. HP Offers Up to $10,000 Rewards for Printer Bugs - “HP has offered a way for researchers to disclose bugs to our team for a long time now,” Shivaun Albright, HP’s chief technologist of print security said. “This is our first bug bounty program, and the world’s first Print specific bounty, to be managed by an external party.” The company told Threatpost it’s looking for obscure defects that could be used against its customers. HP said it will specifically focus on potential malicious actions at the firmware level, which includes CSRF, RCE, and XSS. I am wondering how this will work, as you have to have a physical printer to test it, perhaps, unless you are just analyzing firmware. I believe a public bounty is the wrong way to go; instead they'd be better off with a private program that gives researchers access to the hardware in a controlled environment.

    Expert Commentary: Ed Sattar, QuickStart

    Ed Sattar is the CEO of QuickStart and has more than two decades of experience in the e-learning industry. His experience includes extensive research and consulting on converting training into high-impact, personalized learning experiences for the modern learner.


    Key challenges: mitigating advanced threats, insufficient IAM/PIM management, insecure APIs, data loss, and lack of due diligence. What are the solutions? Three things to prevent and correct. Corrective action is costly: stock value goes down and fines follow from government regulation.


    1. Locking down policies, procedures/training, and tools
    • policies
    • procedures/training
    • tools
    • leverage training
