October 22, 2019 – HNN #238



Samsung Blames Galaxy S10, Note 10 Fingerprint Unlock Bug on Covers, Four-Year-Old Critical Linux Wi-Fi Bug Allows System Compromise, Popular VPN service NordVPN confirms data center breach, Researchers Turn Alexa and Google Home Into Credential Thieves, Microsoft Aims to Block Firmware Attacks with New Secured-Core PCs , US nuclear weapons command finally ditches 8-inch floppies, and much more! Jason Wood gives expert commentary on The Evolution False Flag Operations.

Visit https://www.securityweekly.com/hnn for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page

October 22, 2019

  1. Samsung Blames Galaxy S10, Note 10 Fingerprint Unlock Bug on Covers – According to Samsung’s statement, the source of the problem is an issue with Galaxy S10/Note 10’s ultrasonic fingerprint sensor that causes the phone to mistakenly recognize 3-dimensional patterns in certain silicone covers and screens protectors themselves as the user’s fingerprint. That means anyone who uses their phone without a case or uses a plastic or glass screen protector should be in the clear. That said, some users have posted videos like the one above showing that it’s possible to unlock an S10 by placing a specific kind of gel case on top of the sensor, even on a phone with freshly registered fingerprints, essentially allowing these gel cases to act as a sort of master key.
  2. Four-Year-Old Critical Linux Wi-Fi Bug Allows System Compromise – The flaw (CVE-2019-17666), which was classified as critical in severity, exists in the “rtlwifi” driver, which is a software component used to allow certain Realtek Wi-Fi modules, used in Linux devices, to communicate with the Linux operating system. Specifically, the driver is vulnerable to a buffer overflow attack, where a buffer is allocated in the heap portion of memory and in turn corrupts nearby memory space and could alter other data, opening the door for malicious attacks. The vulnerable piece of the rtlwifi driver is a feature called the Notice of Absence protocol. This protocol helps devices autonomously power down their radio to save energy. The flaw exists in how the driver handles Notice of Absence packets: It does not check certain packets for a compatible length, so an attacker could add specific information elements that would cause the system to crash. the Linux kernel team has developed a patch which is currently under revision but has not yet been incorporated into the Linux kernel.
  3. Popular VPN service NordVPN confirms data center breach – NordVPN, a popular virtual private network, said Monday it was the victim of a data breach in 2018. The company said that so far the impact from the hack was minor, but it plans on upping its security efforts. The VPN company released details on Monday of the March 2018 data breach, reported earlier by TechCrunch. An unauthorized user accessed a lone server in a Finland data center that NordVPN was renting from an unnamed provider, which apparently didn’t disclose the hack. NordVPN says no username or passwords were intercepted.
  4. Researchers Turn Alexa and Google Home Into Credential Thieves – Security Research Labs, a white-hat research organization, developed a total of eight apps, four each for Amazon Alexa and Google Home, that masqueraded as horoscope checkers or a random number generator. The apps triggered malicious actions based on action words like “stop,” while continuing to operate after users thought they had closed. According to the researchers, both Amazon and Google removed the malicious apps when presented with evidence of their capabilities. Each of the companies also said they have adjusted practices and policies to prevent similar apps from being added to their stores in the future.
  5. Microsoft Aims to Block Firmware Attacks with New Secured-Core PCs – Microsoft is teaming up with Windows device manufacturers to tighten firmware security in a new initiative called Secure-Core PCs, which are built to defend against firmware-level attacks. Its announcement arrives as attackers take greater aim at firmware, the level of software that is closest to the hardware and controls the functions of devices and systems. Firmware is an appealing target because it has a higher level of access and privilege than the operating system kernel and hypervisor. The National Vulnerabilities Database reports 414 firmware bugs have been reported in 2019, compared with 476 in 2018, 401 in 2017, and seven in 2016. New security requirements in Secured-Core PCs are intended to help users boot securely, protect devices from firmware flaws, and prevent unauthorized access to devices and data. Secured-Core PCs remove the need to trust firmware as part of the bootup process. Instead, they place the root of trust at the CPU level with new chipsets from AMD, Intel, and Qualcomm.
  6. New Azure AD Feature Detects Unauthorized Access Attempts | SecurityWeek.Com – Dubbed Azure AD My Sign-In, the new feature provides users with information on any attempts to guess a password, tells them whether the attacker managed to successfully sign in to the account, and what apps they attempted to access. The sign-in activity information users will receive includes data on location, browser, and operating system. Provided that a suspicious sign in appears there, users will know that an attacker may have gained access to the account.
  7. US nuclear weapons command finally ditches 8-inch floppies – In 2014, “60 Minutes” made famous the 8-inch floppy disks used by one antiquated Air Force computer system that, in a crisis, could receive an order from the president to launch nuclear missiles from silos across the United States. But no more. At long last, that system, the Strategic Automated Command and Control System or SACCS, has dumped the floppy disk, moving to a “highly secure solid state digital storage solution” this past June, said Lt. Col. Jason Rossi, commander of the Air Force’s 595th Strategic Communications Squadron.
  8. New Winnti Backdoor Targets Microsoft SQL | SecurityWeek.Com – With a “magic” password, hocus pocus perhaps? Designed to target MSSQL Server 11 and 12 — the most commonly used versions, despite being deployed over five years ago — the backdoor is called skip-2.0 by its authors and can maintain a stealthy connection to any MSSQL account by using a magic password, in addition to hiding the connection from logs.The skip-2.0 backdoor targets functions related to authentication and event logging, including CPwdPolicyManager::ValidatePwdForLogin, which is responsible for validating the password provided for a given user. Should the user password match what ESET describes as a “magic password,” the original function is not called and the hook returns 0, thus allowing the connection without the correct password.

Expert Commentary: Jason Wood, Paladin Security

The Evolution False Flag Operations

UK National Cyber Security Centre (NCSC) updates on the Turla Group

A Brief History of Russian Hackers’ Evolving False Flags

Russian hackers cloak attacks using Iranian group

Turla Compromises, Infiltrates Iranian APT Infrastructure

There has been a burst of news stories this week about false flag operations, the Russians hacking the Iranians, and other similar headlines. The catalyst for these articles is an announcement made yesterday by the National Cyber Security Centre (NCSC) that a Russian hacking group compromised an Iranian group so that they could use the Iranian infrastructure and code for their own attacks. For those that aren’t aware, the NCSC is the defensive side of the UK’s GCHQ. The announcement basically stated that the Turla Group (a Russian team) compromised an Iranian group and used their systems for attacks against “more than 35 countries” so that it appeared the Iranians were actually the attackers.

The initial release by NCSC isn’t really that exciting and is fairly brief. The news articles listed in the show notes add more information and speculation as to what is going on. All of this focuses on the topic of attribution. The idea behind the phrase “false flags” is to throw off an investigator as they try to figure out who did something. If John attacks Jeff but leaves evidence on the scene to implicate Mary, then an investigator may decide Mary is the attacker. John’s false evidence is what is the false flag.

Attribution is a contentious and hot topic. Figuring out who attacked us satisfies an urge to discover who is to the blame for an incident. Attribution doesn’t do much for us while we are in the middle of defending against an attack, except maybe to make a guess at what the attacker’s next move may be. As Jake Williams put it to me a couple of weeks ago, if Mike Tyson comes up and punches you in the mouth, your first course of action should not be to try and authenticate that it was really Mike Tyson. Getting away from the person who just broke your jaw should be your first response!

Regardless, for governments and law enforcement, attribution is a big deal. They have to decide how to respond to events. For governments, that response may be diplomatic, economic, or military actions. If you are deciding whether to impose economic sanctions against a country for cyberattacks, then you want to make sure you have the right country. Wired magazine has an interesting timeline of how the Russians, in particular, have worked to hide their activities. Andy Greenberg details how this has changed over time. Initially, they would set up a persona that would take credit for the activities and make everyone speculate who that was and what their motivations were. For example, the “Cyber Caliphate” was thought to be ISIS at first, but later was determined to be the GRU.

Later they started using hacktivist and criminal group fronts to obscure their actions. This period focused on the heavy use of ransomware attacks. After all, why would a government organization be interested in stealing money with ransomware? That sounds like criminal operations and not intelligence ops. These ransomware attacks included NotPetya and Bad Rabbit. How well did it work? Apparently, it took 8 months for western intelligence agencies to trace it back to Russia.

With the latest incarnation of false flags, it appears that the Russian penetration has stepped further into throwing the blame on someone else. By compromising and using the Iranian code and infrastructure for their own attacks, the code doesn’t look like the Russians and the infrastructure being used is not theirs as well. We don’t know much at all about how NCSC has determined that these activities were actually Russian in origin. But it makes it easy for Russia to point out the differences between the attacks being piped through Iran and those performed by known Russian groups. It makes it more difficult how to decide how to respond and who to respond to. It shapes world opinion because they can throw doubt on the analysis. In the US, the debate over where certain security incidents were performed by the Russians is raging. None of this hurts Russia’s place in the world, whether you believe they were behind the attacks or not.

Determining who is behind what is growing more difficult in the world. Today we are just talking about security incidents and who is behind them. But it doesn’t end with only exploiting servers and stealing or destroying data. There are propaganda campaigns being run by countries all over the world. Social media is used to influence opinion and divide countries further. Operations are being conducted to downplay world events or blame others for causing them. Being aware of how they are being used is critical for us to understand how others are framing things and trying to spot when we are being played. The topic is extremely interesting and I recommend reading through the articles listed in this week’s show notes.


Jason Wood
Jason Wood – Founder; Primary Consultant
Paul Asadoorian
Paul Asadoorian – Founder & CTO



  • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will be receiving 1 CPE credit per webcast! Register for one of our upcoming webcast with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand