
PATREON SECURITY NEWSLETTER - Week of August 12, 2019

Support me on alternative platforms! https://snubsie.com/support

https://www.youtube.com/shannonmorse --  subscribe to my new channel!

ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire 

Props to Justin and Dan188 on Patreon for this story

Steam Privilege Escalation Vulnerability

If you run the Steam gaming client on a Windows computer, you may be vulnerable to a privilege escalation attack. The vulnerability is a zero day that allows an attacker who has limited permissions to run a program as an administrator. Steam could allow an attacker to use symbolic links to launch or execute services with full privileges. Valve fixed the problem, but according to the same researcher, the patch can be bypassed. Hopefully we’ll see more details about that bypass soon.

https://www.bleepingcomputer.com/news/security/steam-zero-day-vulnerability-affects-over-100-million-users/

https://threatpost.com/gamers-zero-day-steam-client-affects-windows/147225/

https://amonitoring.ru/article/steamclient-0day/

https://twitter.com/enigma0x3/status/1159103239729471488

DEF CON NEWS

Canon Firmware Flaw Allows for Camera Ransomware

Check Point researcher Eyal Itkin found a vulnerability in Canon camera firmware that would allow him to exploit the device over USB or WiFi, take over the camera, and even put ransomware on it. This means an attacker with the right tools could potentially hold private photos for ransom until you pay up. The problem lies in the Picture Transfer Protocol (PTP) firmware, which allows you to transfer photos via USB or WiFi. To take it a step further, they found the AES symmetric encryption keys for the firmware, and were able to create a fake update that was actually their own malicious firmware with ransomware included. Canon released a security bulletin showing that the attack works on multiple different models, including Canon EOS DSLRs and PowerShot point-and-shoots. Canon has not issued a fix yet except for the 80D, and states they will do so for a specific number of models. Canon recommended downloading firmware from their site, a trusted source; disabling network functionality; not connecting the camera to any device that has been exposed to viruses; and not using it on potentially hostile networks, like free WiFi environments.

https://thehackernews.com/2019/08/dslr-camera-hacking.html

https://asia.canon/en/support/security-advisory-ptp-communication-and-firmware-functions/notice

https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/

https://threatpost.com/hack-of-a-canon-eos-80d-dslr/147214/

Google Adding Fingerprint Verification

Google has rolled out some new security features for Chrome on Android. Now, if you use this browser on your phone, you can sign into your Google account with your fingerprint instead of a password, allowing for more security while also saving time. Local User Verification can allow you to log into native applications and web services via your fingerprint, but you can also use a PIN, pattern, or a separate password. Google is calling this new feature “Verify It’s You” and it uses FIDO2, which is built into Android devices. This security key on Android was made available on Android 7.0 Nougat or later. In order to try it, make sure your phone is running Nougat or higher, your Google account is activated, and a valid screen lock is turned on. Open Chrome on the phone, navigate to passwords.google.com, choose or manage passwords, and follow the instructions that pop up on your computer. You should continue to use 2FA if possible.

https://thehackernews.com/2019/08/android-local-user-verification.html

https://security.googleblog.com/2019/08/making-authentication-even-easier-with_12.html

https://arstechnica.com/information-technology/2019/08/google-lets-android-users-skip-the-password-when-logging-in/

https://www.cnet.com/news/google-now-offers-no-password-login-if-you-have-android-phone/

DEF CON NEWS

Researchers Hack Google Smart Speakers

Researchers found a way to hack and run code on Google Home smart speakers. They used what is called the Magellan vulnerability, which involves the SQLite database engine. To do so, they dumped the firmware from the speakers via the NAND flash. This vulnerability was fixed. The entire hack is pretty cool to read through, which you can check out at this link:

https://threatpost.com/def-con-2019-hacking-google-home/147170/

DEF CON NEWS

Hotel smart lock hack

Some high-end hotels in Europe use IoT smart locks instead of keys or cards to enter rooms. The hotel and exact smart lock weren’t specified, but the hack allowed the researchers to wirelessly sniff when someone entered the room, unlock the elevator to their floor, and open the room door with BTLE enabled on a PC or Raspberry Pi.

https://threatpost.com/hack-of-high-end-hotel-smart-locks-shows-iot-security-fail/147178/

Thank you to Matt on Patreon for this article!

Skype calls

Contractors for Microsoft listen to some personal conversations via Skype calls if a user takes advantage of the app’s translation service. Skype’s website does state that the company may analyze translation data, but doesn’t specify this’ll be done by humans.

https://www.vice.com/en_us/article/xweqbq/microsoft-contractors-listen-to-skype-calls

https://www.theverge.com/2019/8/7/20758491/microsoft-voice-recordings-data-human-review-disclosure-privacy-voice-assistant-machine-learning

Thank you to Justin on Patreon for this article!

CPU attack - Microsoft

64-bit Intel and AMD Windows machines are at risk of having an attacker steal passwords, private convos, and other info stored in kernel memory. This attack is called the CPU “SWAPGS attack”. Users are advised to update their operating systems to the July 9 Patch Tuesday Microsoft update.

https://www.forbes.com/sites/daveywinder/2019/08/06/microsoft-confirms-new-windows-cpu-attack-vulnerability--advises-all-users-to-update-now/amp/

40+ Drivers Allow for Persistent Backdoors

40+ drivers from 20+ vendors (so, uh, almost everyone lol) have high risk security vulnerabilities that can allow an attacker to gain enhanced privileges on a machine, hide malware, all with persistence. A persistent backdoor could stick around for years without being noticed. Affected vendors include Nvidia, Intel, EVGA, AsusTek, SuperMicro, Toshiba, and more. Some patches have already started releasing, with more info in the links below:

https://thehackernews.com/2019/08/windows-driver-vulnerability.html

https://www.zdnet.com/article/researchers-find-security-flaws-in-40-kernel-drivers-from-20-vendors/

DEF CON NEWS

GSM Phonecalls

GSM is used in the US for AT&T and T-Mobile carriers. During DEF CON, researchers showed that GSM calls can be intercepted and decrypted, so audio would be clearly heard. The GSM standard has had this vulnerability for decades. There is no truly good way to fix it without overhauling the entirety of GSM, which sounds unlikely.

https://www.wired.com/story/gsm-decrypt-calls/?verso=true

DEF CON NEWS

4G ZTE Hotspot Flaw

4G hotspots from ZTE have a vulnerability allowing for the redirection of traffic to a malicious website. A user would simply need to visit a malicious site while using the hotspot to be captured, at which point the attacker would be able to steal the password for the device. No fix has been issued.

https://www.cnet.com/news/that-4g-hotspot-could-be-a-hotbed-for-hackers/

DEF CON NEWS

5G Networks Flawed

Commercial 5G networks are rolling out and will be used for infrastructure like automated cars, smart sensors, traffic, etc. This new protocol has new security implementations, but some of those have been ported from 4G. These implementations have flaws that allow for device fingerprinting and man-in-the-middle attacks.

https://threatpost.com/5g-security-flaw-mitm-targeted-attacks/147073/

DEF CON NEWS

Election Systems Are Still Very Vulnerable, But DEF CON Hopes To Change That

DEF CON brought the voting machine hacking village back again with new machines, including an open source, $10 million funded DARPA machine that had bugs, making it unusable til the last day of the con. Several lawmakers were also at DEF CON in the village, learning alongside hackers about the current vulnerabilities and findings, in hopes of adding this data to proposed legislation to strengthen voter security.

Researchers found that multiple machines in multiple swing states were connected to the internet, even though they shouldn’t be. Many counties weren’t aware their devices were online til the researchers told them, and then swiftly took them offline.

https://www.wired.com/story/security-news-election-systems-more-vulnerable/?verso=true

https://www.cnet.com/news/darpas-10-million-voting-machine-couldnt-be-hacked-at-defcon-for-the-wrong-reasons/

https://www.cnet.com/news/lawmakers-turn-to-hackers-at-def-con-to-get-election-security/

https://threatpost.com/election-security-threats-from-misinformation-to-voting-machine-flaws/147164/

https://www.vice.com/en_us/article/3kxzk9/exclusive-critical-us-election-systems-have-been-left-exposed-online-despite-official-denials

https://www.cyberscoop.com/def-con-voting-village-2019/

https://www.wired.com/story/darpa-voting-machine-defcon-voting-village-hackers/

DEF CON NEWS

ATM Hack

A security researcher was able to hack into a family of electronic safe locks by Dormakaba that are usually used by ATM safes, pharmacy drug cabinets, and DOD facilities. He cracked them in under five minutes with an oscilloscope and a laptop. No trace of tampering is left, either. This is an incredibly cool hack and worth a read!

https://www.wired.com/story/atm-lock-hack-electric-leaks/?verso=true

DEF CON NEWS

Boeing code leak

A security researcher was able to find completely unprotected documents exposing Boeing’s code that runs on 737 and 787 jets. This data was on Boeing’s network but easily searchable. With these documents, he found security flaws in the 787 Dreamliner components, starting with the entertainment system all the way down to flight controls and sensors. Boeing doesn’t think the flaws actually pose any real risk of attack and the researcher doesn’t have access to a plane to test his theory on. Maybe Boeing should hire him.

https://arstechnica.com/information-technology/2019/08/a-boeing-code-leak-exposes-security-flaws-deep-in-a-787s-guts/

DEF CON NEWS

Monitoring Traffic at DEF CON

D4rkm4tt4r was running around DEF CON with his WiFi Cactus, but had a new more portable version called the WiFi Kraken. We interviewed Mike on Hak5 during the convention, and will have a technical, detailed episode to share with you later this week on youtube.com/hak5 

https://www.cnet.com/news/what-a-security-researcher-learned-from-monitoring-traffic-at-defcon/

More News You Should Know About

Lots of Apple iPhone news! Apple opened up an iPhone to researchers at Black Hat. Google found several ways to hack iPhones without physically touching them, and more.

https://www.cnet.com/news/apple-opens-hacker-friendly-iphone-up-to-researchers-at-black-hat/

https://www.vice.com/en_us/article/ywazj5/google-hackers-found-10-ways-to-hack-an-iphone-without-touching-it

https://www.zdnet.com/article/two-weird-ways-your-iphone-or-mac-can-be-hacked/

LeapFrog’s tablets could allow an attacker to send pre-written texts and find the location of the device. Newer devices have been updated to fix the flaw.

https://www.cnet.com/news/tablet-for-kids-had-flaws-that-exposed-info-location/

https://threatpost.com/black-hat-leapfrog-tablet-flaws-let-attackers-track-message-kids/146822/

At DEF CON, a security researcher showed how macOS malware should be taken seriously.

https://threatpost.com/macos-gets-a-malware-beatdown/147186/

83 million+ US households fell victim to a credential stuffing attack targeting State Farm insurance. The insurance company has started notifying customers.

https://threatpost.com/state-farm-credential-stuffing-attack/147139/

https://www.zdnet.com/article/state-farm-says-hackers-confirmed-valid-usernames-and-passwords-in-credentials-stuffing-attack/

Researchers found 35+ vulnerabilities in popular office printers from known brands like Lexmark, HP, and Brother. The vulnerabilities and any fixes are listed in the link. The researchers are pushing to make more people aware of the potential threats caused by insecure printers, which should be considered IoT devices.

https://threatpost.com/office-printers-hackers-open-door/147083/

WhatsApp is still open to message manipulation. 

https://threatpost.com/whatsapp-flaws-message-manipulation/147088/

Security researcher MG created the O.MG cable, which looks like an iPhone Lightning cable but can be used to hack a computer. The cable is likely going to come to Hak5’s online store in the future.

https://www.vice.com/en_us/article/evj4qw/these-iphone-lightning-cables-will-hack-your-computer

Google recently modified the Filesystem API so incognito mode wouldn’t be detected while in use, but researchers were already able to circumvent their patch.

https://www.zdnet.com/article/chromes-more-private-incognito-mode-websites-can-still-detect-youre-using-it/

The FBI has stated that they’ll start harvesting social media information from Twitter and Facebook to monitor for potential threats. 

https://www.zdnet.com/article/fbi-seeks-to-monitor-facebook-oversee-mass-social-media-data-collection/

WordPress CMS developers want to force-update older websites that haven’t updated to newer versions of the WordPress CMS platform.

https://www.zdnet.com/article/wordpress-team-working-on-daring-plan-to-forcibly-update-old-websites/

https://www.zdnet.com/article/new-windows-malware-can-also-brute-force-wordpress-websites/

The NSA’s open source tool called Ghidra will get some updates in the coming months, including support for Android binaries and new features that should save time and boost accuracy for reverse-engineering malware.

https://www.cyberscoop.com/ghidra-nsa-new-version-black-hat-2019/

Comments

Anonymous

glad to help out