HNNEpisode200

From Paul's Security Weekly
Revision as of 18:16, 11 December 2018 by Jason (talk | contribs) (Expert Commentary: Jason Wood, Paladin Security)
Jump to: navigation, search

Recorded December 11, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Annoucements:

    • If you are interested in quality over quantity and having meaningful conversations instead of just a badge scan, join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass.
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

    Security News

    1. Texas Instruments flicks Armis' Bluetooth chip vuln off its shoulder - At Black Hat London last week, Ben Seri and Dor Zusman from research house Armis went into full detail about their November discovery of how to pwn TI-made Bluetooth Low Energy (BLE) chips. The two affected chips – CC2640 and CC2650 – are used in several models of Cisco and Aruba wireless APs. What gave Armis a way in was the method of updating the chip's firmware, which consisted of uploading firmware over an unencrypted connection, though the upload was authenticated. They also triggered a memory corruption vulnerability to be able to load custom firmware. TI has issued firmware updates to address these issues.
    2. Latest Google+ Flaw Leads Chocolate Factory To Shut Down Site Early - The Chocolate Factory maintains that it has no evidence that the vulnerability, which was found in the API for Google+, was ever actively exploited. According to Google's G-Suite VP of product management David Thacker, over a six-day period in November developers would have been able to access profile information that users had not made public. Google said the vulnerability shows up when the user allows an app to connect with their Google+ profile. Rather than only see information the user had opted to share, the application would have been able to see all data about the user. In addition, we have also decided to accelerate the sunsetting of consumer Google+ from August 2019 to April 2019.
    3. Over 40,000 Credentials For Government Portals Found Online - A Russian cyber-security firm says it discovered login credentials for more than 40,000 accounts on government portals in more than 30 countries. The data includes usernames and cleartext passwords, and the company believes they might be up for sale on underground hacker forums. Lots of speculation here: the accounts could allow attackers access to both commercial or state secrets accessible through those accounts. Furthermore, the accounts could be used for other reconnaissance operations, or as an entry point inside a government agency's internal network from where hackers can execute other attacks, such as cross-site scripting or SQL injections.
    4. Secure Messaging Applications Prone to Session Hijacking - So here's the issue: The instant messaging apps also support the major mobile device platforms and a desktop version, and Talos discovered that an attacker could use malware to hijack a session from a desktop version and access the data without the user knowing or before they would realize a hijack has been performed. And here's the statement about the vulnerability from Cisco's research team: Secure instant messaging applications have a solid track record of protecting the information while in transit, even going as far as protecting the information from their own servers. However, they fall short when it comes to protecting application state and user information, delegating this protection to the operating system. I completely disagree, to expect that any application would go to great lengths to detect operating system or other attacks is insane. This means that apps are vulnerable because someone could install a keystroke logger and an attacker could steal your key. Okay, not the same thing as this attack, but pretty close. Just because you have a secure messaging app doesn't mean you can just forget about opsec completely.
    5. This One Windows Tweak Can Save You From NotPetya - Interesting observations: The unnamed NCC customer "had configured within Active Directory the 'Account is sensitive and cannot be delegated' flag prior to NotPetya for their domain administrator accounts. We found that this configuration would have hindered NotPetya propagation significantly using the token impersonation route for domain admin accounts," said the infosec firm. As a Microsoft Technet post stated, the "account is sensitive" flag means that "an account’s credentials cannot be forwarded to other computers or services on the network by a trusted application," something NCC summed up as "this is now your favourite setting".
    6. This Phishing Scam Group Built A List Of 50,000 Execs To Target - Some email targeting, and this should be expected: The security company said it came across the list of execs as part of its research. The scammers had generated the list in early 2018 to be used in future BEC phishing campaigns. Of the names on the list, 71 percent were CFOs, two percent were executive assistants, and the remainder were other finance leaders. Several of the world's biggest banks each had dozens of executives listed, the company said. The group also singled out mortgage companies for special attention, which would enable scams that steal real estate purchases or lease payments. Over half of the 50,000 potential victim profiles that London Blue compiled in their targeting database were located in the US; other countries commonly targeted included Spain, the United Kingdom, Finland, the Netherlands and Mexico.
    7. ESET Discovers 21 New Linux Malware Variants - Yea, this should be easy to spot: In a report published yesterday by cyber-security firm ESET, the company details 21 "new" Linux malware families. All operate in the same manner, as trojanized versions of the OpenSSH client. They are developed as second-stage tools to be deployed in more complex "botnet" schemes. Attackers would compromise a Linux system, usually a server, and then replace the legitimate OpenSSH installation with one of the trojanized versions. ESET said that "18 out of the 21 families featured a credential-stealing feature, making it possible to steal passwords and/or keys" and "17 out of the 21 families featured a backdoor mode, allowing the attacker a stealthy and persistent way to connect back to the compromised machine.
    8. Hackers defaced Linux.org with DNS hijack - Lame attack, but the funniest description of goatse ever: Attackers changed the defacement page a few times, they protested against the new Linux kernel developer code of conduct in a regrettable way with racial slurs and the image of an individual showing the anus. The defacement page also includes links and a Twitter account (@kitlol5) believed to be under the control of the attacker. The person who was operating the Twitter account posted a screenshot showing that they had access to the Network Solutions account of Michelle McLagan, who evidently owns linux.org, and modified the DNS settings.
    9. Expert devised a new WiFi hack that works on WPA/WPA2 - Unlike other WiFi hacking techniques, this attack doesn’t require the capture of a full 4-way authentication handshake of EAPOL. Instead, the new WiFi hack is performed on the RSN IE (Robust Security Network Information Element) using a single EAPOL (Extensible Authentication Protocol over LAN) frame after requesting it from the access point. “This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).”

    Expert Commentary: Jason Wood, Paladin Security

    Microsoft Calls For Facial Recognition Tech Regulation

    This article on ThreatPost lead to an interesting rabbit hole for me to climb into. Basically, the use of facial recognition software is extending. Particularly in areas around government and sensitive public areas. Government buildings, airports, and schools are common areas of focus. In fact, we’ve talked about the use of facial recognition software in schools in previous episodes of HNN. Last week the Department of Homeland Security announced a program to use facial recognition in its surveillance around the White House. On Thursday of last week, Brad Smith of Microsoft wrote a blog post that calls out the potential dangers of unregulated use of facial recognition and requests government regulation.

    In his post Smith writes, “We believe it’s important for governments in 2019 to start adopting laws to regulate this technology. The facial recognition genie, so to speak, is just emerging from the bottle. Unless we act, we risk waking up five years from now to find that facial recognition services have spread in ways that exacerbate societal issues. By that time, these challenges will be much more difficult to bottle back up.”

    In general I’m not a huge proponent of regulation, but his comments about things being out of control in five years did resonate with me. Technology has a way of being used in new and interesting ways that no one really expected when they started down the path. And facial recognition certainly has some ramifications around privacy and the ethics of how this data is used.

    The topic got more interesting to me when it mentioned Amazon’s Rekognition platform. I hadn’t heard of this before, so I checked it out. It turns out that you can indeed purchase facial recognition on demand and use it via APIs. Rekognition actually goes beyond facial recognition and can be used to recognize objects in images in videos. One of my professors explained this one of my classes. He said computers (at the time) weren’t good at recognizing objects, particularly as they changed orientation. For example, a stapler could be taught to a program in a certain orientation, but if it was moved then the program would fail to recognize it. Rekognition works to solve this problem.

    Of course some of the interesting features that Amazon focuses on do involve facial recognition. If you are building an app to recognize people in pictures, then you can do so as long as you are building up a library of images and metadata to examine as the source. It is interesting to note that it does not appear to search out online for similar issues or have its own repository of images to recognize people broadly. The exception to this is celebrities. So if you are famous, then you are hosed. Sorry Paul.

    The Rekognition platform also is able to recognize moods based on the expression on someone’s face. This type of analysis isn’t going to be limited to Rekognition of course. It does enable some interesting ideas though. In the case of the DHS surveillance program around the White House, the Secret Service could leverage this type of analysis to see if someone is showing signs of distressed or angry expressions. They could then monitor that person more closely and prepare to move in, even if they don’t know who the individual is yet. Just a note, there’s no indication that DHS’ program is using Amazon’s Rekognition.

    Anyhow, the point is that the use of facial recognition isn’t limited to governments or large organizations with deep pockets. Anyone with an AWS account and some cash can get started with it. You can build it into your mobile app or whatever else you feel like. I can see why Brad Smith is calling out the risks here. This is a lot of power to turn loose with no restrictions on how it is used. As people have access to things like Rekognition (and I doubt it will never have competitors), they can use it in new and unexpected ways. I’ve had several ideas on how it could be used in stores and even at homes while preparing this segment. We could indeed wake up and find that our shrinking privacy is completely compromised as we go out in public. It may indeed be time for some regulation here before things get out of hand. Take a look at the links in the show notes and see what you think.

    https://blogs.microsoft.com/on-the-issues/2018/12/06/facial-recognition-its-time-for-action/

    https://aws.amazon.com/rekognition/


    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+