Hack Naked News #186
Recorded August 28, 2018 at G-Unit Studios in Rhode Island!
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
- Make sure you register for our webcast with Javelin Networks entitled "How to Get Attackers to Contain Themselves", which will be airing on August 30th from 12 pm to 1pm EST. Go to securityweekly.com/javelin to sign up today!
- DerbyCon is holding its first-ever Mental Health & Wellness Workshop - to help support their efforts, please go to https://www.derbycon.com/wellness
- AT Command Hitch Leaves Android Phones Open to Attack - Attackers can use AT commands to launch several malicious functions on an array of Android devices, including extracting data, rewriting the smartphone firmware and bypassing Android security measures. All they need, according to researchers who developed a proof-of-concept (PoC) attack, is the device and a USB connection. It would be interesting to make a cable that could send AT commands to the phone...
- Adobe Pushes Out Unscheduled Creative Cloud Application Fix - Creative Cloud Desktop Application is a centralized place where users can locate and manage their Adobe apps. The vulnerability, an Improper Certificate Validation, means an attacker could exploit it to gain elevated access to resources normally protected within an application. Adobe said that a flaw categorized as “important” is one whose exploitation would compromise data security or potentially allow access to confidential data. This is also important: while the vulnerability (CVE-2018-12829) was rated “important,” Adobe acknowledged on Tuesday that it is aware of publicly available proof-of-concept code that leverages the flaw.
- Security Flaws Inadvertently Left T-Mobile And AT&T Customers' Account PINs Exposed - Apple’s online store contained the security flaw that inadvertently exposed over 72 million T-Mobile customers’ account PINs. The website for Asurion, a phone insurance company, had a separate vulnerability that exposed the passcodes of Asurion’s AT&T customers. Apple and Asurion fixed the vulnerabilities after BuzzFeed News shared the security researchers’ findings.
- Fortnite Installer Vulnerabilities Highlight Mobile App Store Risks - The discovery of a high-profile flaw in one of the world's most popular games highlights why you should stick to apps in Google Play. Epic Games' Fortnite is played by millions of players around the world on different platforms, including Android. Fortnite, however, isn't available on the Google Play store for Android; rather, Epic Games decided to bypass Google and use a third-party store to deliver its game. This is problematic for three reasons: 1) I have to enable the installation of third-party apps, 2) I have to either manually update or trust Epic Games' auto-update, and 3) the app will not be scanned by Google Play Store's integrity and security checks.
- Proof-of-Concept Released for Apache Struts Vulnerability - The link to the code is in the article, check it out. Also be certain to read the original write-up: https://semmle.com/news/apache-struts-CVE-2018-11776 which states: "the Apache Software Foundation announced a critical remote code execution vulnerability in Apache Struts, a popular open source framework for developing web applications in the Java programming language. Applications developed using Apache Struts are potentially vulnerable. The vulnerability (CVE-2018-11776) was identified and reported by Man Yue Mo from the Semmle Security Research Team, which works to find and report critical vulnerabilities in widely used open source software."
- Hacker Discloses Unpatched Windows Zero-Day Vulnerability (With PoC) - A security researcher has publicly disclosed the details of a previously unknown zero-day vulnerability in Microsoft's Windows operating system that could help a local user or malicious program obtain system privileges on the targeted machine. And guess what? The zero-day flaw has been confirmed working on a "fully-patched 64-bit Windows 10 system." I am really curious why it was disclosed this way. What prompted the researcher to do this rather than 1) responsibly disclose it to Microsoft, 2) sell it on the black market, 3) sell it to a company that is more legit, or 4) go through a bug bounty program?
- Side-Channel Attack Allows Remote Listener to 'Hear' On-Screen Images - According to a team of academic researchers from Columbia University, the University of Michigan, University of Pennsylvania and Tel Aviv University, inaudible acoustic noises emanating from within computer screens can be used to detect the content displayed on those screens. This includes the text on the screen of a computer, or website content that a user may have opened on their desktop. It can also be used to monitor users’ input into on-screen virtual keyboards. This can all be detected and recorded by the microphones built into laptops and webcams; the subtle acoustic signals also can be recorded by a smartphone or speaker placed on a desk next to the screen, or from as far as 10 meters away using a parabolic microphone. So we can just put tin foil over our screens and be safe?
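The Adobe item above names the flaw's class, Improper Certificate Validation (CWE-295), without showing what that looks like in practice. The following is an added example, not Adobe's code and not a description of how the Creative Cloud flaw itself was implemented; it uses Python's standard `ssl` module to show the generic defective pattern (a client that disables chain or hostname verification and will therefore accept any certificate an on-path party presents) beside the corrected configuration, plus a small audit function a release test can run over every context the application builds. The `cafile` parameter is a hypothetical path to a vendor-controlled CA bundle.

```python
"""Improper certificate validation (CWE-295), illustrated with Python's ssl module.

Added example for this page: generic pattern only, unrelated to Adobe's code.
"""
import ssl
from typing import List, Optional


def weak_client_context() -> ssl.SSLContext:
    """The defective pattern: verification switched off 'to make it work'.

    Order matters: check_hostname must be disabled before verify_mode is set to
    CERT_NONE, otherwise the ssl module raises ValueError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # hostname no longer compared to the cert
    ctx.verify_mode = ssl.CERT_NONE     # chain not checked against any CA
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Corrected pattern: full chain and hostname verification, TLS 1.2 or newer.

    `cafile` is a hypothetical path to the CA bundle the vendor controls; when
    None, the platform trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The defaults already give check_hostname=True and CERT_REQUIRED; restating
    # them here keeps a later edit from silently weakening the context.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the CWE-295-style weaknesses present in a client context.

    Intended for a unit test or pre-release review that asserts the list is
    empty for every context the application constructs.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate subject is not matched to the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum_version={ctx.minimum_version.name}: legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    for name, builder in (("weak", weak_client_context), ("hardened", hardened_client_context)):
        print(name, audit_context(builder()) or "no findings")
```

The audit deliberately inspects the context object rather than performing a network handshake, so it can run in CI without a server; the point is that the unsafe settings are visible on the object before any connection is made, and a failing assertion there is far cheaper than an emergency out-of-band fix.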
Expert Commentary: Jason Wood, Paladin Security
I don’t think I’ve ever done commentary on a product in Hack Naked News, but I wanted to cover a completely new version of Burp Suite, and I’m not referring to the 2.0 version of it. PortSwigger has announced that they are releasing an enterprise version in the near future. No dates have been published and the details on functionality are light. So what’s the difference between Burp Pro and Burp Enterprise? Let’s take a look at what we know.
First off, Burp Enterprise will be a server-based application. It will have a web interface and a REST API. It has the ability to do automated scanning and integrates with integration and development tools. All of that sounds cool, but what really surprised me is how they are addressing teams of testers using it to go through large numbers of sites. Burp Enterprise will be a multi-user application with different roles for accounts. No details on what those are. It will also have scanning agents that you can deploy to various areas of your network to perform scans through. All of the agents will point back to the enterprise server.
Depending on the information sharing between user accounts, this could be a really useful app for penetration testing teams. For example, distributed teams should be able to better see what team members are doing, their results, and ask questions. Organizations could use this to better cover the web apps in various locations of their environment. Building its use into the development process sounds interesting, though there's no information on that functionality at this point. This all sounds cool.
Now some warnings. First, I really like PortSwigger and Burp Suite. However, this is a totally new deployment model for them. Now we are looking at placing software throughout the network and adding to the network services we have available. I would strongly recommend reviewing the security of the application and doing some testing. Just because we trust the company to produce quality software, don’t assume their first release is going to be solid. So be prepared for that. How will you control access between the components? How do they authenticate to each other? How are things encrypted in transit? What privileges will it need to run? These are all questions to get answered.
I’m pretty excited about the idea, and congrats to PortSwigger for taking this step. At the same time, do your due diligence just like you would with any other software product. It will be storing data on how we hack web apps, so it’s definitely sensitive information.