This week: hacking Blackhat badges, USB Harpoons (not the ale), PHP attacks, privacy in Las Vegas hotels (or not), who is looking at your DNS requests, and AWS breaches. Jason Wood from Paladin Security joins us for expert commentary on social networks getting fined for hosting terrorist content, so stay tuned to this episode of Hack Naked News!
- How I Hacked BlackHat 2018 Ninja.Style – Those who have attended BlackHat may have noticed that their badge contains an NFC tag. This NFC tag is scanned at booths in the Business Hall so vendors can collect their marketing data, including name, address, company, job title, and phone number. Essentially, the researcher read the tag, analyzed the Android app, and realized that you need only send badgeID and eventID values to the API. The API had no security, and a quick Burp brute force reveals all BH 2018 attendees. Blackhat has since disabled the API.
- USBHarpoon Is a BadUSB Attack with A Twist – Several security experts have built a malicious version of a USB charging cable, one that can compromise a computer in just a few seconds. Once plugged in, it turns into a peripheral device capable of typing and launching commands. Some tried, some failed, but a team succeeded and presented at summer camp this year. This means that command injection happens inside the cable, regardless of the device being plugged in. Very stealthy!
- ex-NSA Hacker Discloses macOS High Sierra Zero-Day Vulnerability – I think all bets are off when it comes to privilege escalation on macOS: Patrick Wardle, an ex-NSA hacker and now Chief Research Officer of Digita Security, uncovered a critical zero-day vulnerability in the macOS operating system that could allow a malicious application installed in the targeted system to virtually “click” objects without any user interaction or consent. To show how dangerous this can be, Wardle explains: “Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? Click…allowed. Authorize keychain access? Click…allowed. Load 3rd-party kernel extension? Click…allowed. Authorize outgoing network connection? click …allowed.”
- New PHP Code Execution Attack Puts WordPress Sites at Risk – Thomas found that an attacker can use low-risk functions against Phar archives to trigger a deserialization attack without requiring the use of the unserialize() function in a wide range of scenarios. What does this mean? An author-level user can take over your WordPress instance.
- Et tu, Brute? Then fail, Caesars: When it’s hotel staff, not the hackers, invading folks’ privacy – Lots of debate on this one: It appears DEF CON had run slap bang into a policy change by Caesars hotel properties. Worried about the prospect of someone stockpiling weapons in their suites just like the Mandalay Bay killer, and thus using their hotels for another bout of senseless slayings, the hotel giant decided that if someone has a do-not-disturb tag on their door for more than a couple of days, a search has to be made. In other words, if the maids can’t be allowed in to clean up and clock any assault rifles and grenades, security guards will do the latter for them – whether guests are present or not.
- How’s that encryption coming, buddy? DNS requests routinely spied on, boffins claim – WTH: The researchers looked for providers spoofing the IP addresses of users’ specified DNS resolvers to intercept DNS traffic covertly. They designed their study to focus on registered domains and to omit sensitive keywords, to avoid the influence of content censorship mechanisms. They found DNS query interception in 259 of the 3,047 service provider AS collections tested, or 8.5 per cent. (The research paper uses the term “ASes,” which stands for Autonomous Systems, networking terminology for a collection of IP address blocks assigned to ISPs and other organizations.)
- Hackers Leverage AWS to Breach, Persist in Corporate Networks – In simpler attacks, actors typically steal AWS keys and seek direct paths to resources stored in open S3 buckets, or they launch a new Amazon Elastic Compute Cloud (EC2) instance to mine cryptocurrency. Sometimes they don’t have to look far: Misconfigured S3 buckets made a number of headlines in the past couple of years; Amazon, to its credit, launched Macie to protect AWS S3 data. But attackers are getting more sophisticated, embedding themselves deeply in AWS. The article covers some of the more advanced attack techniques, very interesting!
- InfoSec Handlers Diary Blog – OpenSSH user enumeration (CVE-2018-15473)