Paul reports on a flaw found in Dirty COW patch, Apache Software security updates, more hacks in 2018, and a MailSploit e-mail spoofing flaw! Jason Wood joins us to give expert commentary on a Federal Data Breach Legislation, and more on this episode of Hack Naked News!
- Flaw Found In Dirty COW Patch – A flaw in the original patch for the notorious Dirty COW vulnerability could allow an adversary to run local code on affected systems and exploit a race condition to perform a privilege escalation attack. A little refresher, the Dirty COW vulnerability allows an attacker to elevate privileges by taking advantage of a race condition and gain write-access to read-only memory. The flawed patch is not required for Android, but most other Linux distributions.
- Apache Software Foundation Releases Security Updates – US CERT is reporting that The Apache Software Foundation has released security updates to address vulnerabilities in Apache Struts versions 2.5 to 2.5.14. They claim a remote attacker could exploit one of these vulnerabilities to take control of an affected system. CVE-2017-7525 has been assigned and states: A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
- Get Ready For More Hacks In 2018 – CNET reports that we should get ready for more hacks in 2018, with experts stating “Patch your phone, patch your Mac, patch your Windows machine.” Wow, and I thought we would be 100% safe in 2018 and not have to worry about patching. Dammit! Looks like we will still be reporting all the “hackery” in 2018, and beyond. Thanks CNET for those wonderful insights!
- Apple Mac Security Issue May Reoccur – Wired magazine has found that the bug returns if Mac owners upgrade to the latest version of High Sierra after applying the patch. If you read the article, it basically states that if you install the patch, upgrade to HIgh Sierra, and don’t perform an additional reboot, you are still vulnerable. Not a huge deal and this may have been one of the most over-hyped bugs of the year.
- Hacker Flooded Tourism Agency’s Facebook Page with Bizarre Posts – I think this is more appropriately termed a prank: Early in the morning on 4 December, the Facebook page for Explore Minnesota Tourism began publishing some unusual content. The stories consisted of fake news items with headlines such as “Detroit woman gives birth to her 14th child from 14 different fathers” and “Woman arrested for training squirrels to attack her ex-boyfriend.” While funny, the attacker could still face charges.
- How a hack almost sprung a prisoner out of jail – After a targeted phishing attack, Konrad Voits from Ann Arbor, Michigan, attempted the following With the login credentials to the prison management system in his hands, Voits attempted to change the records of one prisoner to arrange their early release. Voits is still awaiting sentencing and faces up to 10-years in prison, where he may be joining his friend.
- MailSploit Email Spoofing Flaw Affects Over 30 Popular Email Clients – A security researcher has discovered a collection of vulnerabilities in more than 30 popular email client applications that could allow anyone to send spoofed emails bypassing anti-spoofing mechanisms. Discovered by security researcher Sabri Haddouche, the set of vulnerabilities, dubbed MailSploit, affects Apple Mail (macOS, iOS, and watchOS), Mozilla Thunderbird, several Microsoft email clients, Yahoo Mail, ProtonMail, and others. Check out the link in the article for a complete list of vulnerable, and not vulnerable, email clients.
- 100,000 Strong Botnet Built On Router 0-Day Could Strike At Any Time – Attackers have used an advanced new strain of the Mirai Internet-of-things malware to quietly amass an army of 100,000 home routers that could be used at any moment to wage Internet-paralyzing attacks, a researcher warned Monday. Look, this is always a threat, and while the new botnet does pick on a vulnerability in Huawei routers, this is always going to be a threat, well, at least until we fix it, and it doesn’t look like that will happen anytime soon.
Expert Commentary: Federal Data Breach Legislation. Good, bad, or meh?
Thursday was apparently a busy day in Capitol building in Washington D.C. for information security. To start off, the Energy and Communications Committee held hearings titled “Identity Verification in a Post-Breach World”. The witnesses at this hearing were Troy Hunt (author and instructor), Jeremy Grant (managing director of Venable), and Ed Mierzwinski (consumer program director of US PIRG). Basically it was stated that authentication based on what we can remember (passwords, answers to “secret” questions, etc) are no longer enough to adequately identify individuals when accessing applications and systems. This is based on the idea that the combination of passwords and data that have been compromised in breaches have made it too easy for attackers to gain access to our accounts. Something else needs to be invented to address to identify individuals.
Troy Hunt called this situation the “perfect storm” for data exposure. The information that individuals would normally think of as private is becoming public knowledge. Jeremy Grant called for legislation to restrict how information such as SSNs can be used in transactions. (My first impression is that this seems like closing the corral gate after the horses have left.) Ed Mierzwinski called for legislation to make it easier to for consumers to protect themselves using credit freezes and monitoring credit bureau activities. He also warned against federal laws pre-empt state laws and water down their restrictions at the same time. He mentioned a push by business create laws which would prohibit consumers who were impacted by a breach from suing and would require the consumer prove real harm by a breach.
Outside of these hearings, Senator Bill Nelson (D-FL) reintroduced legislation that would (among other things) make it a criminal offense punishable by jail for executives to knowingly conceal data breaches. This bill, titled the “Data Security and Breach Notification Act”, would make doing so a crime that is punishable up to 5 years in prison. There are some problems with the bill though, in that it will also 38 states would see the requirements for notification actually diminished by the bill.
Perhaps I’m a bit cynical, but my main reaction is not positive. Sure it sounds nice to have criminal penalties when executives actively cover up a data breach, but I’m not sure it’s worth reducing the requirements of existing state laws to notify. The idea of more consistency is appealing, since just about every state has a different law with different requirements and triggers. I’m also wary of saying statements that something needs to be invented without some suggestions of what that something is. Multi-factor auth is getting pretty inexpensive compared to what it used to be, so that is definitely a potential solution. And how do you enforce it across the spread of applications, devices and systems that already exist?
Perhaps it is time (or even past time) for federal legislation to force changes to be made. As much as I’m hesitant to look to Congress for a solution to anything, business seems to be taking the stance that it’s better to take the hit and maintain the status quo. The consumer takes the hit. Particularly when the business lobby pushes for requirements to make things more difficult for the consumer to seek reparations from businesses. They say that necessity is the mother of invention. Perhaps someone will come up with a new way of performing authentication that is more secure that usernames and passwords. It’d be great. But I wouldn’t look for the solution to appear in a law.