From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #190

Recorded September 25, 2018 at G-Unit Studios in Rhode Island!

Episode Audio


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Annoucements:

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at:
    • DerbyCon is holding its first-ever Mental Health & Wellness Workshop - to help support their efforts, please go to
    • Join us for our Webcast with LogRhythm about "Tips & Tricks for Defending the Enterprise Using Open Source Tools". The webcast will be held September 27 @3:00PM EST!

    Security News

    1. Thousands of WordPress sites backdoored with malicious code - Guess how they are getting in? Thousands of WordPress sites have been hacked and compromised with malicious code this month, according to security researchers at Sucuri and Malwarebytes. All compromises seem to follow a similar pattern --to load malicious code from a known threat actor-- although the entry vector for all these incidents appears to be different. Researchers believe intruders are gaining access to these sites not by exploiting flaws in the WordPress CMS itself, but vulnerabilities in outdated themes and plugins.
    2. Google's Forced Sign-in to Chrome Raises Privacy Red Flags - The overlords are watching you: Matthew Green, a cryptographer and professor at Johns Hopkins University, noticed his Gmail profile pic strangely and suddenly appearing in his browser window—generally a sign that a user is logged in. However, he hadn’t actually affirmatively signed in, which threw up a red flag. This led him to parse through Google’s last Chrome update (Chrome 69), where he discovered a significant change: That going forward, “every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you.”
    3. Newegg Is Latest Retailer to Be a Victim of Magecart Malware - Online retailers have increasingly come under attack in 2018 from a hacking group known as Magecart. The latest victim is allegedly online computer parts retailer Newegg, which admitted on Sept. 19 that it was breached. Magecart has been implicated in multiple high-profile attacks in recent months, including ones on British Airways on Sept. 7 and Ticketmaster on June 27. Look, I am a long-time NewEgg customer. All I ask for when a breach occurs is a description of what happened, with enough detail that you are admitting to making a mistake (or multiple mistakes). Then, a corrective action plan and finally a list of things that you are changing as a result. Granted, giving out too much information could provide attackers with more intelligence to conduct further breaches. Not saying anything will not win back the trust of your customers. Somewhere in between is what I am after.
    4. Woman hijacked CCTV cameras days before Trump inauguration - Just a few days before the January 2017 inauguration of President Trump, the Metropolitan Police Department (MPD) in Washington, DC noticed that several surveillance cameras weren’t working...The trail led to Romania, and eventually to Eveline Cismaru: a 28-year-old woman who on Thursday pleaded guilty to federal charges stemming from the attack. We don't know if the attackers were targeting these cameras specifically. The ransom in this case was not paid, all systems were restored without needing a ransom, making it a pretty lame ransomware attack. Sounds like the attackers were just unlucky and their malware spread to systems that triggered a very intense investigation, which included extradition from the UK for one of the suspects.
    5. Bitcoin Core Software Patches a Critical DDoS Attack Vulnerability - There has been a "Chain" of cryptocurrency attacks, and not by mining, but flaws in the protocols and implementations, including Bitcoin recently: The Bitcoin Core development team has released an important update to patch a major DDoS vulnerability in its underlying software that could have been fatal to the Bitcoin Network, which is usually known as the most hack-proof and secure blockchain. The DDoS vulnerability, identified as CVE-2018-17144, has been found in the Bitcoin Core wallet software, which could potentially be exploited by anyone capable of mining BTC to crash Bitcoin Core nodes running software versions 0.14.0 to 0.16.2.
    6. Cybercriminals Target Kodi Media Player for Malware Distribution - This has been my fear for some time as so many people now have "hacked" or "unlocked" or "jailbroken" Fire Sticks. Many of those users do not understand that Kodi is just an Android app, and suffers from many security weaknesses as described in this article: Kodi is free and open-source, and can be used to play videos, music, podcasts and other digital media files from local and network storage media and the internet/streaming sources. Users also can extend the software’s functionality by installing add-ons, found both in the official Kodi repository and in various third-party repositories. By targeting the various add-ons and relying on Kodi’s auto-update feature, it’s possible to stealthily spread bad code throughout the ecosystem. Researchers from ESET said that malware can spread through Kodi in three different ways. They could add the URL of a malicious repository to their Kodi installation, which would download add-ons whenever they update their Kodi installations; or, they could install a ready-made Kodi build that includes the URL of a malicious repository. Thirdly, users could install a ready-made Kodi build that contains a malicious add-on but no link to a repository for updates.
    7. Security researcher fined for hacking hotel Wi-Fi and putting passwords on the internet - Permission is key, without it you are a criminal: Singapore authorities have fined a Chinese security researcher with SGD$5,000 (USD$3,600) for hacking into a local hotel's Wi-Fi system without authorization and then publishing a blog post about it, revealing passwords for the hotel's internal network. The incident took place at the end of August, this year, when Zheng Dutao, 23, of China, visited Singapore to attend the Hack In The Box conference that took place in the city. Zheng took it upon himself, without asking for permission first, to hack into the Wi-Fi network of a Fragrance Hotel branch, where he checked in for the conference's duration.
    8. Open-source software supply chain vulns have doubled in 12 months - Use of vulnerable open source components has doubled over the last year despite their role in the high profile Equifax mega-breach. Sonatype’s fourth annual Software Supply Chain Report, published on Tuesday (available here, registration required), revealed a 120 per cent rise in the use of vulnerable open source components over the last 12 months. Miscreants have even started to inject (or mainline) vulnerabilities directly into open source projects, according to Sonatype, which cited 11 recent examples of this type of malfeasance in its study. It's tough to say if this is just selection biase (as Sonatype monitors open-source software for vulnerabilities), or if we are using more open-source software, if there are in fact more vulnerabilities and attacks, or if more open-source projects allow for add-ons and don't check the sources, or if its all of the above. I do think we have a huge problem with this today...

    Expert Commentary

    Google Chrome has a “dark pattern” of poor privacy changes?

    Google has come under fire for a two recent changes to Chrome that impacts users’ control over their data when using the browser. A few days ago Matthew Green, an assistant professor at Johns Hopkins University, discovered a change in Chrome’s behavior that upset him. His issue is with the ability to control whether to sign into Chrome or not. In the past, Chrome has offered users the ability to sign into the browser itself and sync their web activity across devices. That way you can pick up on your mobile device where you left off on your desktop. However, now when you use current versions of Chrome and sign into any Google web service, Chrome automatically signs you in to the browser. So if I log into my Gmail account, I am now automatically logged into Chrome without notification.

    Green expressed his frustrations online and in a blog post where he stated he will no longer be using Chrome as a result. Adrienne Porter Felt, an engineering manager on Chrome, responded to his comments to give an explanation for the decision. The issue Google spotted was when Jane logs into Chrome, but then Mary uses it to log into Gmail or another Google service. This could lead to Mary’s data being synced to other instances of Jane’s devices. Obviously, this would have to be some kind of shared computer. I imagine only Google has any kind of guess as to how often this happens. Matthew Green was not impressed with this explanation and says in his blog post that their reasons “don’t make any sense.”

    Fortunately for privacy concerned desktop users, just signing into Chrome does not automatically invoke the sync functionality. Unfortunately for privacy concerned mobile users, signing into Chrome, DOES invoke the sync mechanism automatically and without notification. Google has updated the privacy policy for Chrome to reflect the new functionality and explain what they are doing. I took a glance at the privacy policy and searched through a roughly 40 page document to find the section on the changes to Chrome. In the middle of the policy is where the functionality is described. This is where the policy states, “On mobile versions of Chrome, you can sign into or sign out of Chrome from Chrome settings. Signing into Chrome will also turn on Sync.”

    The justification for the change appears to be rather edge case to me. The idea that putting the details into a lengthy policy document and having it buried in the middle of it seems ridiculous. Saying that everything is OK, because it was put into a document that few people read seems like reasoning that only makes sense to lawyers. I’ve always avoided signing into Chrome, but I just verified that I am now signed in, though sync has not been turned on. I’m not panicked about it, but I wasn’t happy either. So be aware that there have been changes made to Chrome that probably impact you.

    But wait, there’s more! In Chrome 69 changes will be made to the deletion of cookies. When you delete your browser history in Chrome, it will delete everything but Google’s cookies if you are signed into a Google service. The new feature here is to designed to keep you signed into Google services even when you clear your cookies. If you do so, the cookies get reset with a new date. To completely delete your cookies, you need to sign out of all Google services and then clear your cookies. Hurray for changes to Chrome!

    Matthew Green’s blog -

    Google Chrome Privacy Policy -

    Google cookies in Chrome 69 -

    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+