July 16, 2019 – Hack Naked News #227

July 16, 2019



Zoom RCE flaw affecting RingCentral and Zhumu, a researcher releases PoC code for critical Atlassian Crowd RCE flaw, thousands of legacy Lenovo storage devices exposed millions of files, unusual Linux ransomware targets NAS servers, and how hacked hair straighteners can threaten your home! In the expert commentary, we welcome our CEO Matt Alderman, to discuss Facebook's $5 Billion dollar FTC fine!

Security News

  1. Hacked Hair Straighteners Can Threaten Homes - Pen Test Partners decided to put the Glamoriser hair straightener through its security paces, given that it has Bluetooth Low Energy (BLE) embedded for connecting to a mobile app. The app allows a user to remotely change the temperature and set a time frame for automatic shut-off of the device.“For years we’ve been trying to set fire to ‘smart’ things by hacking them. We got some charring on the iKettle, but nothing more,” said Stuart Kennedy, in a Friday posting. “These [straighteners] seemed like a much better candidate for our pyromaniac intent.” I'm sorry, I just don't get a lot of things about this story. First, this device looks as though it must be plugged in. So, why not unplug it before you leave the house? Second, why do you need to set the tempurature and automatic shutoff timer from an app on your phone? Couldn't you have something on the device that easily lets you do this? Also, why are the researchers so interested in setting things on fire? Also, shouldn't it be a requirement there is some sort of hardware that prevents it from ever reaching an unsafe tempurature?
  2. Zoom RCE Flaw Also Affects Its Rebranded Versions RingCentral and Zhumu - The same security vulnerabilities that were recently reported in Zoom for macOS also affect two other popular video conferencing software that under the hood, are just a rebranded version of Zoom video conferencing software. Security researchers confirmed The Hacker News that RingCentral, used by over 350,000 businesses, and Zhumu, a Chinese version of Zoom, also runs a hidden local web server on users' computers, just like Zoom for macOS. The controversial local web server that has been designed to offer an automatic click-to-join feature was found vulnerable to remote command injection attacks through 3rd-party websites.
  3. Unusual Linux Ransomware Targets NAS Servers - The most interesting part of this article is how our friends at Intezer disrupted the campaign by using up all of the Bitcoin wallets, LOL: “This idea simply abuses the fact that no authentication is enforced to connect to the SOCKS5 proxy,” Sanmillan explained. “Since the authors behind this ransomware were delivering one Bitcoin wallet per victim from a static pool of already generated wallets, we could replicate the infection packets to retrieve all of the wallets until they had no further wallets under their control. Therefore, when a genuine infection would occur, the ransom client would not be able to retrieve configuration artifacts.” Love the folks at Intezer! Also, set an air-quotes "good" password as the initial infection came via an SSH brute-force attack.
  4. CVSS 3.1: Refined and updated for easier adoption by the security community - Help Net Security - Neat update to CVSS: The additional metrics allow industry sectors such as privacy, safety, automotive, healthcare, etc., to score factors that are outside the core CVSS standard. Finally, the CVSS Glossary of Terms is expanded and refined to cover all terms used throughout the CVSS version 3.1 documentation.
  5. Apple quietly removes Zooms hidden web server from Macs - Look at Apple caring about security on macOS! In an embarrassing twist to the week-long saga of Zoom’s vulnerable web-conferencing app, Apple has issued a ‘silent’ update that automatically removes the software’s hidden web server from Macs. Zoom released its own fix doing the same thing a day earlier, on 9 July 2019, but Apple remained unconvinced that this protected users who had either not updated their software or had deleted it before the company took this action.
  6. Facebooks FTC fine will be $5 billionor one months worth of revenue - Uhm: The Federal Trade Commission and Facebook have reportedly agreed on a $5 billion fine that would settle the FTC's privacy investigation into the social network. With Facebook having reported $15 billion in revenue last quarter, the $5 billion fine would amount to one month's worth of revenue. Yea, not so great at math, the real numbers: In the most recently reported year, the social network's revenue amounted to 55.8 billion US dollars, up from 40.6 billion U.S. dollars in 2017. (Source: https://www.statista.com/statistics/268604/annual-revenue-of-facebook/)
  7. The npm installer for PureScript package has been compromised - This stuff happens: Garrood explained that the PureScript installer has some dependencies that are also controlled by Watanabe, and malicious code was added to some dependencies of the npm installer at separate times. @shinnn claims that the packagers were compromised by an attacker who gained access to his npm account. The good news is that the malicious code that was added has the only purpose of sabotage, it crashes the Purescript npm installer.
  8. Researcher releases PoC code for critical Atlassian Crowd RCE flaw - Help Net Security - This type of thing happens too: The flaw arose due to a development plugin incorrectly getting enabled in release builds. “Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center,” the Australian enterprise software firm explained. Atlassian has a great reputation, and all software has bugs, features, and vulnerabilities. Upgrades are available to fix the issue.
  9. Thousands of Legacy Lenovo Storage Devices Exposed Millions of Files | SecurityWeek.Com - Authentication is important: “The API is completely unauthenticated and provided the ability to list, access and retrieve the files remotely in a trivial manner. It is similar to millions of open s3 buckets being discovered,” Whittaker told SecurityWeek. An attacker could have scanned the web for vulnerable devices and sent a malicious request to the targeted device’s IP address. However, Whittaker said an attacker could have also created a script that would automate the attack and retrieve data from all the vulnerable devices. Vertical Structure and WhiteHat reported their findings to Lenovo, which pulled three versions of the affected software out of retirement to address the vulnerability. Lenovo, which tracks the flaw as CVE-2019-6160, published an advisory on Tuesday.

Expert Commentary: Matt Alderman

After a $5B fine, will Facebook change its ways?

The battle lines are being drawn... On one side, privacy experts believe the FTC fine is unlikely to hurt Facebook, which logged a profit of $2.4 billion on revenue that climbed 26 percent to $15.1 billion in the first three months of this year. In addition, Facebook's stock value increased 1.8 percent after the fine was announced, closing at nearly $205, the highest it has been all year.

Others disagree, as they think it’s a pretty big chunk of change. $5 billion is about 9% of Facebook’s annual review, which recorded nearly $56 billion in revenue last year. That makes it more than double the maximum percentage – 4% – of annual revenue that can be imposed as a penalty under the EU’s General Data Protection Regulation (GDPR). The UK’s Information Commissioner’s Office (ICO) only fined Facebook £500K for the same incident. That's because GDPR was not law when this incident occurred. After the fines imposed last week for both British Airways and Marriott, it's highly possible a Facebook incident now could be very costly in the EU, but still less than the FTC fine.

It is, however, the biggest fine in FTC history, dwarfing the previous record holder, which was the $22 million fine levied against Google in 2012. Like Facebook now, that earlier fine against Google for misrepresenting to Safari users that it wouldn’t place tracking cookies or serve targeted ads to them was also for being in violation of an earlier privacy settlement with the FTC.

So this fine leaves facebook… pretty much in the same place, unless one of two things happens: 1) Congress passes a national privacy bill. Chances are low it gets done this year, if ever. or 2) Break-up Facebook, which is unlikely. Users beware. As long as Facebook can make money selling your data, and fine have little impact, there is very little incentive for them to change.

Full Show Notes

Visit http://hacknaked.tv to get all the latest episodes!


Matt Alderman

Matt Alderman - CEO, Security Weekly.

[caption id="attachment_210" align="alignleft" width="120"]Paul Asadorian Paul Asadorian - CTO, Security Weekly.[/caption]


[audio src="http://traffic.libsyn.com/sw-all/July_16_2019_-_Hack_Naked_News_227_converted.mp3" ]

prestitial ad