This week, Jason reports on attackers exploiting unpatched flaw in Flash, new Western Digital My Cloud bugs give local attacker root on NAS devices, sensitive Super Bowl security documents found on plane, and more on this episode of Hack Naked News!
1. Grammarly user? Patch now to stop crooks stealing all your data… If you’ve been on YouTube at all, you’ve almost certainly seen ads for Grammarly. The software provider suffered vulnerability with how it enforces Same Origin Policy. According to Tavis Ormandy, “The Grammarly chrome extension […] exposes it’s auth tokens to all websites, therefore any website can login to grammarly.com as you and access all your documents, history, logs, and all other data.” The flaw has been fixed by Grammarly and released in new versions of the Firefox and Chrome extensions. If you use Grammarly, take a moment to update your plugins.
2. Attackers Exploiting Unpatched Flaw in Flash Speaking of patching software, Adobe Flash is back in the news with a critical security flaw. Adobe announced Thursday last week that CVE-2018-4878 affects Flash 220.127.116.11 and earlier. According to Brian Krebs, this issue is currently being exploited by attackers. An updated release is available now. If you have Flash on your systems, it’s time to get to patching again.
3. California says no, you can’t cover your license plate California state senators killed SB-712 which would allow automobile owners to cover their license plates while parked. Under current laws, vehicle owners are allowed to cover their entire vehicle, including the license plate, while parked as long as the license plate is accessible. SB-712 would have allowed owners to cover their plates in response to automated license plate readers being deployed by companies to collect and sell this information to law enforcement. This data can then be used to track the movement of vehicles and where they are frequently parked. The EFF’s response was that the state senators should spend their time creating a new bill to address this issue.
4. New Western Digital My Cloud bugs give local attacker root on NAS devices Researchers from Trustwave disclosed two new vulnerabilities in the devices last week. One flaw is a command execution flaw with root privileges and the other is a file deletion flaw. Both flaws are related to the CGI script “nas_sharing.cgi” on the devices. Western Digital has released new device firmware to address the issues and. Looks like we are back to patching…. again.
5. Alleged hacker Lauri Love avoids US extradition: “Try him in England” Lauri Love was arrested in England back in 2013 for attacking the US Army, NASA and other US federal agencies. Love is accused of “hidden “shells” or “back doors” within the networks, which allowed them to return to the compromised computer systems at a later date and steal confidential data. The stolen data included the personally identifying information (PII) of thousands of individuals, some of whom were military servicemen and servicewomen, as well as other nonpublic material.” The legal battle quickly moved to whether Love should be extradited to the United States for trial or have his day in court in England. Yesterday the extradition question appears to have been answered and Love will stand trial in England. The ruling has no bearing on innocence or guilt in Love’s case and only ensures that his trial and any potential punishment will be completed in his home country.
6. Sensitive Super Bowl security documents found on plane In the “doh!” section of security news, sensitive Homeland Security documents about drills for responding to biological attacks on the Super Bowl were found in an airliner’s seat back pocket. Along with these documents were the travel ternary and boarding pass of the DHS employee who left them. The documents were supposed to be locked up after working hours. It does make you wonder why they were on a plane and being read while flying in public.
7. Covert data channel in TLS dodges network perimeter protection Researchers from Fidelis Cybersecurity have released a new proof of concept attack for using TLS certificate negotiations as place to covertly transfer data. If you’ve ever examined the contents of a TLS certificate you probably have noticed that there is a lot if information contained in it. According to the researchers, “[The] TLS X.509 certificates have many fields where strings can be stored… The fields include version, serial number, issuer name, validity period and so on. The certificate abuse described in our research takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established, there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself.” Fidelis was able to store 60 KB in each TLS exchange. Obviously transferring a large amount of data would require a large number of certificate negotiations at a rapid rate. The number of negotiations and the rate of them being performed is a potential indicator that this attack is being exploited.