This week, WordPress vulnerabilities, Apple updates, Gentoo, Kim Dotcom, discovering 0-day exploits, and bypassing Apple’s USB restricted mode! Jason Wood from Paladin Security joins us for expert commentary, and more on this episode of Hack Naked News!
- WordPress 4.9.7 Update Fixes Pair of Security Vulnerabilities – Two file deletion vulnerabilities were fixed, which sounds like not a big deal, but it is as: when an author deletes this attachment, the wp-config.php is deleted allowing the author to go through the initial WordPress installation process which allows them to fully compromise the site. eWeek reports that 75 million sites are using WordPress today.
- Apple Releases Multiple Security Updates – It appears that this update is significant: Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. iTunes 12.8 for Windows, iCloud for Windows 7.6, Safari 11.1.2, macOS High Sierra 10.13.6 and El Capitan, watchOS 4.3.2, tvOS 11.4.1, and iOS 11.4.1
- Gentoo GitHub repo hack made possible by these 3 rookie mistakes – Say what you will, I really like the remediation plan moving forward: Two-factor authentication is now on by default in the project’s GitHub Organization and will eventually come to all users the project’s repos. A password policy that mandates password managers is planned. Also on the agenda is a review of who needs access to repos and cleanout of those who don’t, proper backups and an incident plan so that the project won’t need to rely on its luck if it’s popped again.
- Kim Dotcom loses latest extradition appeal – New Zealand’s Court of Appeal upheld the decision that Mr. Dotcom and three others can be extradited to stand trial for copyright infringement and fraud. The charges are related to Mr. Dotcom’s now defunct file-sharing website Megaupload, which allowed millions of people to download digital content. The article goes on to clarify that the copyright infringement is not a crime in New Zealand, however, they may still face extradition on the fraud charges. They are appealing to the NZ Supreme Court.
- Two Zero-Day Exploits Found After Someone Uploaded ‘Unarmed’ PoC to VirusTotal – In late March, researchers at ESET found a malicious PDF file on VirusTotal, which they shared with the security team at Microsoft “as a potential exploit for an unknown Windows kernel vulnerability.” After analyzing the malicious PDF file, the Microsoft team found that the same file includes two different zero-day exploits—one for Adobe Acrobat and Reader, and the other targeting Microsoft Windows. Patches have since been released.
- Researchers Reveal Bypass for Apple’s USB Restricted Mode – USB Restricted Mode, released as part of iOS 11.4.1, had removed an iPhone USB access feature, so that an hour after the iPhone has been locked, the phone’s Lightning port (its charging and data port) will automatically lock. However, researchers at ElcomSoft said that connecting an iPhone to a Lightning accessory – or even an untrusted USB accessory – will reset the USB Restricted Mode countdown timer, as long as the iPhone has still not entered USB Restricted Mode.
- Stolen certificates from D-Link used to sign password-stealing malware – Somehow, members of an advanced persistent-threat hacking group known as BlackTech obtained the certificates belonging to D-Link and Changing Information Technology, the researcher with antivirus provider Eset said in a blog post. The attackers then used the certificates to sign two pieces of malware, one a remotely controlled backdoor and the other a related password stealer. Both pieces of malware are referred to as Plead and are used in espionage campaigns against targets located in East Asia.
I read a couple of interesting blog posts by some folks at Veracode recently about the tensions between developer and security teams. The posts offer some ideas on how to decrease that contention and I think they are worth checking out. If you’ve ever gone to a security conference, I’m sure you’ve heard talks which make fun of developers for having no idea about security. And I’ve heard developers make comments about how security just gets in the way of their deadlines and is generally a roadblock to anything getting done. So what are the suggestions from these articles?
The first was written by Chris Eng, VP of Research at CA Veracode. In it he proposes two steps to help bridge the divide between the development and security teams. First, he recommends that the organization recognize that the security of its code is a component of code quality. To help the developers write better quality and more secure code, the organization should offer training on how to write secure code. As the developers become more aware of the issues and how to address them, it is more likely that they will become more personally invested in writing secure code. This is something that I’ve noticed in some of the developers that I’ve worked with. They resisted at first, but as they understood an issue better, they became much more interested in tackling the issue.
The second recommendation that Chris had was to get the two teams working closer together. Get team members in contact with each other so that each can understand a bit more of what the other is dealing with. He also recommends having a designated “Security Champion” on the development team. This person is someone who understands app sec and helps their co-workers build better code. I really like this idea, as it mirrors something that I read a while back in a book titled Team of Teams by retired General Stanley McChrystal. McChrystal talks about how he embedded members of different military disciplines into other teams to provide information, help and collaborate with the team they were assigned to. This led to more trust and understanding of between the different teams with the embedded member returned to their original unit.
The other blog post was written by Milena Spencer at Veracode and she recaps some ideas from a talk given by Veracode CTO Chris Wysopal. Chris recommended that there needs to be more integration between development and security teams. The idea is that the teams should see themselves as part of a single larger team. In this integrated approach, the goal of security should be to get security built into the development process instead of tacked on as at the tail end. Security should become more focused on being builders rather than breakers. Building secure applications rather than breaking the applications. Of course, there will be testing still involved in the process. We still need to validate what’s being deployed. However, it so much cheaper to fix a problem early in the development process rather than later.
Both articles are a good read and will only take a few minutes of your time to check out. I have the links in the show notes. As someone who has worked a lot in web based companies and spent a lot of time with developers, I really like these posts. The ideas suggested here are not tactical in nature and will require support from senior management. A security person who is tasked with collaborating with development is not going to be as productive because they will be learning and refining new skills. The same goes for a developer embedded with the security team. Senior management should foster and create a culture where this is possible and becomes reality. Breaking down the walls between the teams and changing the mindsets will take time and effort. I believe it is one worth making and will pay off over time.