NodeJS, Rowhammer, & FBI FedEx – Hack Naked News #198

Disastrous Rowhammer bitflips, malicious developer steals Bitcoin with a NodeJS module, Germany proposes router security guidelines, Uber fined $148 million for a data breach cover-up, Microsoft yanks 2 buggy Office patches, and a malvertising campaign impacts millions of iOS users! Jason Wood from Paladin Security joins us for expert commentary to discuss how the FBI created a fake FedEx website to unmask a cybercriminal!

Security News

  1. Potentially disastrous Rowhammer bitflips can bypass ECC protections – Dubbed ECCploit, the new Rowhammer attack bypasses ECC protections built into several widely used models of DDR3 chips. The exploit is the product of more than a year of painstaking research that used syringe needles to inject faults into chips and supercooled chips to observe how they responded when bits flipped. The resulting insights, along with some advanced math, allowed researchers in Vrije Universiteit Amsterdam’s VUSec group to demonstrate that one of the key defenses against Rowhammer isn’t sufficient. I like Kenn’s analysis from the article; Kenn White, an independent researcher who specializes in cloud security, told Ars: “I don’t want to come across as a grumpy guy in the balcony, because this is grueling work that took hundreds of hours to pull off. But unless you can demonstrate a real exploit, it remains in the confines of endpoints and on-premise hardware.”
  2. Facebook to pay ethical hackers $40,000 for reporting a single account-takeover bug – Facebook is extending an olive branch to the ethical hacker community, increasing its bug bounty rewards while decreasing the technical overhead. White hats can earn as much as $40,000 for a single account-takeover bug. The announcement was made on the social network’s Bug Bounty page, where Facebook encourages white hat hackers to poke at the platform in every way imaginable to find any undiscovered flaws before bad actors do so. But despite boasting a bug bounty program for over 7 years now, Facebook has been plagued by leaks and attacks. In an effort to thwart these business-wrecking occurrences, the company is now planning to give ethical hackers more incentive to find holes in its platform.
  3. Worm Using Removable Drives to Distribute BLADABINDI Backdoor – Yep, attackers are still using this method: In mid-November, researchers at Trend Micro first observed the worm, which the security firm detects as “Worm.Win32.BLADABINDI.AA.” They’re still investigating the threat’s exact method for infecting a system. But after analyzing its propagation routine, the researchers determined that the worm likely propagates and enters a system through removable drives. Specifically, they spotted the worm installing a hidden copy of itself on any removable drive connected to the infected system.
  4. Malicious developer distributed tainted version of Event-Stream NodeJS Module to steal Bitcoins – This is an example of the dangers of the open-source dependency supply chain: the Event-Stream library is a very popular NodeJS module that lets developers manage data streams, with nearly 2 million downloads a week. It has been estimated that the tainted version of the library was downloaded nearly 8 million times. The library was created by Dominic Tarr, who maintained it for a long time; when he stepped away from the project he handed it to an unknown programmer, “right9ctrl”, who continued its work. The malicious code arrived as a new dependency added by the new maintainer and targeted the Copay Bitcoin wallet, so anyone who updated without reviewing the new dependency tree pulled it in.
  5. Germany proposes router security guidelines | ZDNet – I don’t believe this will work, but noble effort: The German government published at the start of the month an initial draft for rules on securing Small Office and Home Office (SOHO) routers. Published by the German Federal Office for Information Security (BSI), the rules have been put together with input from router vendors, German telecoms, and the German hardware community. Once approved, router manufacturers don’t have to abide by these requirements, but if they do, they can use a special sticker on their products showing their compliance.
  6. Uber fined $148m for data breach cover-up – Uber is to pay a fine of $148m and improve its data security as part of a legal settlement for attempting to cover up a data breach in 2016, which only came to light in 2017 when it emerged that 600,000 US drivers and 57 million user accounts had been affected, including an estimated 2.4 million in the UK. Covering up a breach does not pay; in fact, companies will be forced to pay!
  7. Microsoft yanks two buggy Office patches but keeps pushing one that crashes – Two related Office 2010 non-security patches issued on Nov. 6 were pulled on Nov. 17. KB 4461522 and KB 2863821 are both related to changes coming in the Japanese calendar next year, attributed to the abdication of Emperor Akihito in favor of his son, Naruhito. The event has been compared to the Y2K problem in the west… Security patch KB 4461529 is still being distributed, in spite of acknowledged crashes, and the alternative may not work.
  8. Cisco Releases Second Patch for Webex Meetings Vulnerability | SecurityWeek.Com – Cisco has released a new round of patches for a potentially serious Webex vulnerability first addressed one month ago. The security hole, discovered by Ron Bowes and Jeff McJunkin of Counter Hack, is caused by insufficient validation of user-supplied parameters and allows a local, authenticated attacker to execute arbitrary commands with SYSTEM privileges. However, Cisco warned that remote exploitation may also be possible in Active Directory deployments.
  9. Malvertising Campaign Impacts Millions of iOS Users – According to researchers, those behind malvertising campaigns typically inject malicious code into legitimate online ads and webpages, so that when victims visit those pages they are forcibly redirected to a malicious page; no click is required. In this campaign, the ad unit forcibly redirected mobile users to adult content and gift card scams. When users visited a web page carrying the ad, the malicious ad executed embedded obfuscated JavaScript. Victims were then redirected to an array of malicious landing pages, including happy.hipstarclub[dot]com or happy.luckstarclub[dot]com. These landing pages typically impersonated Google Play apps, making them appear more legitimate.
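
The Event-Stream item above (item 4) comes down to one change in a dependency tree: a new release pulled in a dependency nobody had reviewed. The following is an added example, not code from the show, from npm, or from the event-stream project, of the check a practitioner would want in CI: compare the previous and current package-lock.json and list every name@version that was not there before, together with the packages that require it. The lockfile layout assumed is npm's lockfileVersion 1 (a "dependencies" object keyed by package name, with "requires" and nested "dependencies"); the two sample lockfiles are constructed and heavily simplified, and the package names and versions in them are taken from the public disclosure of the incident rather than from this page.

```javascript
// Added example (not from the show, npm, or the event-stream project):
// flag transitive dependencies that appear in a new package-lock.json but
// were absent from the previous one.

// Flatten an npm lockfile (lockfileVersion 1 layout assumed: a "dependencies"
// object keyed by package name, with nested "dependencies" for non-hoisted
// versions) into a Map of "name@version" -> { requires }.
function flattenLock(lock) {
  const packages = new Map();
  (function walk(deps) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const key = `${name}@${meta.version}`;
      if (!packages.has(key)) packages.set(key, { requires: meta.requires || {} });
      walk(meta.dependencies);
    }
  })(lock.dependencies);
  return packages;
}

// Return entries present in `after` but not in `before`, each with the
// packages that declare a requirement on it. An empty requiredBy list means
// the project itself (package.json) pulls the package in directly.
function newDependencies(before, after) {
  const old = flattenLock(before);
  const now = flattenLock(after);
  const added = [];
  for (const [key, meta] of now) {
    if (old.has(key)) continue;
    // Version is appended last, so this also handles "@scope/name@1.2.3".
    const name = key.slice(0, key.lastIndexOf("@"));
    const requiredBy = [...now]
      .filter(([, m]) => Object.prototype.hasOwnProperty.call(m.requires, name))
      .map(([k]) => k)
      .sort();
    added.push({ pkg: key, requiredBy });
  }
  return added.sort((a, b) => a.pkg.localeCompare(b.pkg));
}

// Constructed, simplified lockfiles: the rest of the real dependency tree is
// omitted. Names and versions follow the public disclosure of the incident.
const lockBefore = {
  lockfileVersion: 1,
  dependencies: {
    "event-stream": { version: "3.3.4", requires: { through: "~2.3.1" } },
    through: { version: "2.3.8" },
  },
};
const lockAfter = {
  lockfileVersion: 1,
  dependencies: {
    "event-stream": {
      version: "3.3.6",
      requires: { "flatmap-stream": "0.1.1", through: "~2.3.1" },
    },
    "flatmap-stream": { version: "0.1.1" },
    through: { version: "2.3.8" },
  },
};

for (const { pkg, requiredBy } of newDependencies(lockBefore, lockAfter)) {
  console.log(`NEW ${pkg}  required by: ${requiredBy.join(", ") || "(project)"}`);
}
```

Run against the two constructed lockfiles this reports two new entries: the bumped event-stream@3.3.6 itself and flatmap-stream@0.1.1, required only by event-stream@3.3.6. A brand-new package required only by a freshly bumped dependency is exactly the shape a reviewer should stop on; in a pipeline, feed the output to whoever approves the lockfile change rather than merging on green tests alone.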

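The malvertising item (item 9) describes two traits of the ad creative: obfuscated JavaScript, and a forced redirect that fires without a click. The following is an added example, not code from the show or from the researchers who reported the campaign, of a static triage check an ad-ops or security team could run over creative source before it is served. It scores a creative for forced navigation, dynamic code execution, string decoding, long encoded literals and char-code arrays; it decodes String.fromCharCode(...) calls so that a landing domain hidden behind them is still found; and it checks for the two landing domains named in the report. The weights, thresholds and regular expressions are this example's own assumptions, and both sample creatives are constructed.

```javascript
// Added example (not from the show or the researchers' report): static triage
// of an ad creative's JavaScript for obfuscation and forced-redirect traits.

// Landing domains named in the report, with the "[dot]" defanging removed.
const KNOWN_LANDING_DOMAINS = ["hipstarclub.com", "luckstarclub.com"];

// Assumed indicators and weights (this example's own choices, not a published
// ruleset). Regexes carry no "g" flag so .test() is stateless.
const INDICATORS = [
  { label: "forced navigation", weight: 3,
    re: /\b(?:(?:top|parent|window|document)\.)?location(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(/ },
  { label: "dynamic code execution", weight: 2, re: /\b(?:eval|Function)\s*\(/ },
  { label: "string decoding", weight: 2, re: /\b(?:unescape|atob|String\.fromCharCode)\s*\(/ },
  { label: "long encoded literal", weight: 1, re: /["'][A-Za-z0-9+\/=%\\x]{80,}["']/ },
  { label: "char-code sequence", weight: 1, re: /(?:\d{2,3}\s*,\s*){15,}\d{2,3}/ },
];

// Decode every String.fromCharCode(n, n, ...) call with literal numeric
// arguments, so hidden strings can be inspected alongside the raw source.
function decodeCharCodeCalls(src) {
  const decoded = [];
  const re = /String\.fromCharCode\s*\(([\d\s,]+)\)/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const codes = m[1].split(",").map((n) => parseInt(n, 10)).filter(Number.isFinite);
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// Score a creative and return the findings behind the score.
// Thresholds (assumed): 5+ block, 3-4 human review, otherwise allow.
function analyzeCreative(src) {
  const findings = [];
  for (const { label, weight, re } of INDICATORS) {
    if (re.test(src)) findings.push({ label, weight });
  }
  const corpus = [src, ...decodeCharCodeCalls(src)];
  for (const domain of KNOWN_LANDING_DOMAINS) {
    if (corpus.some((s) => s.includes(domain))) {
      findings.push({ label: `known landing domain ${domain}`, weight: 4 });
    }
  }
  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  const verdict = score >= 5 ? "block" : score >= 3 ? "review" : "allow";
  return { score, verdict, findings };
}

// Constructed benign creative: renders an image and navigates only on click.
const benignCreative = [
  'var img = document.createElement("img");',
  'img.src = "https://cdn.example/creative.png";',
  'img.addEventListener("click", function () { window.open("https://advertiser.example/landing", "_blank"); });',
  'document.getElementById("ad").appendChild(img);',
].join("\n");

// Constructed malicious creative modelled on the behaviour described in the
// report: the landing URL is hidden as char codes and the redirect fires on a
// timer, with no user interaction.
const landing = "https://happy.hipstarclub.com/";
const charCodes = Array.from(landing, (c) => c.charCodeAt(0)).join(",");
const maliciousCreative =
  `var _0x4b2f = String.fromCharCode(${charCodes});\n` +
  `setTimeout(function () { top.location = _0x4b2f; }, 0);`;

for (const [name, src] of [["benign", benignCreative], ["malicious", maliciousCreative]]) {
  const { score, verdict, findings } = analyzeCreative(src);
  console.log(`${name}: score=${score} verdict=${verdict} ${findings.map((f) => f.label).join("; ")}`);
}
```

The benign creative scores 0 because a click handler calling window.open is not a forced redirect, while the malicious one is blocked on the strength of the timer-driven top.location assignment, the fromCharCode decoding, the char-code sequence and, once decoded, the known landing domain. The decoding step is the part worth keeping: without it the domain check never fires, which is precisely why the campaign obfuscated its payload. Treat the regexes as a first filter, not a complete detector; creatives that fetch their redirect logic from a remote script at runtime need dynamic analysis in an instrumented browser.
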
Full Show Notes

Visit http://hacknaked.tv to get all the latest episodes!

Hosts

Jason Wood – Founder; Primary Consultant, Paladin Security.
Paul Asadoorian – CEO, Security Weekly.