Hack Naked News #185
Recorded August 21, 2018 at G-Unit Studios in Rhode Island!
- Javelin Webcast is being held on August 30, 2018 @3-4pm on How to Get Attackers to Contain Themselves. Go to securityweekly.com/javelin to register!
- How I Hacked BlackHat 2018 Ninja.Style - Those who have attended BlackHat may have noticed that their badge contains an NFC tag. This NFC tag is scanned at booths in the Business Hall so vendors can collect their marketing data including name, address, company, job title, and phone number. Essentially, the researcher read the tag, analyzed the Android app, and realized that you need only send the badgeID and eventID values to the API. The API had no security, and a quick Burp brute force reveals all BH 2018 attendees. BlackHat has since disabled the API.
- USBHarpoon Is a BadUSB Attack with A Twist - Several security experts have built a malicious version of a USB charging cable, one that can compromise a computer in just a few seconds. Once plugged in, it turns into a peripheral device capable of typing and launching commands. Some tried, some failed, but a team succeeded and presented at summer camp this year. This means that command injection happens inside the cable, regardless of the device being plugged in. Very stealthy!
- ex-NSA Hacker Discloses macOS High Sierra Zero-Day Vulnerability - I think all bets are off when it comes to privilege escalation on macOS: Patrick Wardle, an ex-NSA hacker and now Chief Research Officer of Digita Security, uncovered a critical zero-day vulnerability in the macOS operating system that could allow a malicious application installed in the targeted system to virtually "click" objects without any user interaction or consent. To show how dangerous this can be, Wardle explains: "Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? Click...allowed. Authorize keychain access? Click...allowed. Load 3rd-party kernel extension? Click...allowed. Authorize outgoing network connection? click ...allowed."
- New PHP Code Execution Attack Puts WordPress Sites at Risk - Thomas found that an attacker can use low-risk functions against Phar archives to trigger a deserialization attack without requiring the use of the unserialize() function in a wide range of scenarios. What does this mean? An author-level user can take over your WordPress instance.
- Et tu, Brute? Then fail, Caesars: When it's hotel staff, not the hackers, invading folks' privacy - Lots of debate on this one: It appears DEF CON had run slap bang into a policy change by Caesars hotel properties. Worried about the prospect of someone stockpiling weapons in their suites just like the Mandalay Bay killer, and thus using their hotels for another bout of senseless slayings, the hotel giant decided that if someone has a do-not-disturb tag on their door for more than a couple of days, a search has to be made. In other words, if the maids can't be allowed in to clean up and clock any assault rifles and grenades, security guards will do the latter for them – whether guests are present or not.
- How's that encryption coming, buddy? DNS requests routinely spied on, boffins claim - WTH: The researchers looked for providers spoofing the IP addresses of users' specified DNS resolvers to intercept DNS traffic covertly. They designed their study to focus on registered domains and to omit sensitive keywords, to avoid the influence of content censorship mechanisms. They found DNS query interception in 259 of the 3,047 service provider AS collections tested, or 8.5 per cent. (The research paper uses the term "ASes," which stands for Autonomous Systems, networking terminology for a collection of IP address blocks assigned to ISPs and other organizations.)
- Hackers Leverage AWS to Breach, Persist in Corporate Networks - In simpler attacks, actors typically steal AWS keys and seek direct paths to resources stored in open S3 buckets, or they launch a new Amazon Elastic Compute Cloud (EC2) instance to mine cryptocurrency. Sometimes they don't have to look far: Misconfigured S3 buckets made a number of headlines in the past couple of years; Amazon, to its credit, launched Macie to protect AWS S3 data. But attackers are getting more sophisticated, embedding themselves deeply in AWS. The article covers some of the more advanced attack techniques, very interesting!
- InfoSec Handlers Diary Blog - OpenSSH user enumeration (CVE-2018-15473)
Expert Commentary: Jason Wood, Paladin Security
If proposed European Union legislation is passed, social networks may have one hour to remove content flagged as terrorism related or face stiff fines. It appears that the European Commission has decided that the social networks aren’t doing enough to prevent the hosting of extremist content. This article was released today on the Sophos Naked Security blog and covers the actions being proposed.
The details are still vague at this point, but there appears to be some consensus about what the legislation will look like. Law enforcement agencies will be able to mark content on social platforms illegal and the networks will have one hour to remove them from their sites. Content that is considered illegal includes terrorist related posts, "hate speech, material inciting violence, child sexual abuse material, counterfeit products and copyright infringement." Interestingly, the article quotes the EC as saying that, “voluntary industry measures to deal with terrorist content, hate speech and counterfeit goods have already achieved results.” However, the commission appears to feel that it still isn’t enough.
So what types of fines could the social networks be looking at? An existing German law requires that “obviously illegal” content be taken down within 24 hours or the platform faces a $50m fine. Targeted content includes hate speech, fake news, racist content and other subjects.
The social networks have already started pushing back on the proposed one hour requirement of the EC legislation, saying that it could cause more harm than good. They’ve published information to demonstrate their progress in removing this type of content. YouTube has started making this information public as part of a quarterly report. The numbers in this report are interesting to review, particularly with the results from automated monitoring and removal systems.
I have a couple of thoughts on this legislation. My primary interest is in the collision of laws in different regions and countries. The internet is by nature an entity that crosses borders and jurisdictions. You can’t be strictly a UK, German or US based company when your service is available to anyone around the world. The primary targets of this EU law are US based companies. What is “obviously illegal” in Germany isn’t necessarily obvious to someone sitting in the United States. Someone in the US may think a video is in bad taste or even ought to be illegal, without realizing that it is actually illegal in another country.
I always have a concern about scope creep with laws like this regardless of where they are passed. This law is targeted at terrorist content, but includes copyright related information. Since we are already banning information X, then why not expand it to information Y? Also, law enforcement is made up of normal people who want to see things get done. If they can brand something as terrorism to get action on it, then they will do so. There are lots of examples of this effect in actions taken by law enforcement.
If you have a service that hosts posts, videos, images or whatever from users around the world, this may be a law you need to prepare for. The law hasn’t been passed yet, but it sounds like it is going to come to pass with some fairly stringent requirements on response and impact with fines.