Robocallers, Netsparker, and LenovoEMC – Hack Naked News #191
October 3, 2018
This week, Robocallers get huge fines for spoofing phone numbers, 100,000 home routers used for a Brazilian hacking scam, 85 reasons to update your Adobe PDF software, 9 NAS bugs open LenovoEMC, 5 major security updates for Chrome extensions, and Twitter bans distribution of hacked materials ahead of the US midterm elections! Sven Morgenroth of Netsparker joins us for expert commentary this week on the most recent Facebook hack!
Robocallers slapped with huge fines for using spoofed phone numbers - We need more of this, er, cracking down on this: The calls also appeared to come from unassigned phone numbers and numbers assigned to pre-paid “burner” phones, the FCC said. The caller ID was spoofed in every one of the millions of calls, making it impossible to identify who was actually calling. The FCC pointed to one poor soul whose phone number was hijacked in order to make those calls. The Arizona woman said she received more than five calls a day on her cell phone, all coming from irate people complaining about the telemarketing calls they got from “her” phone number.
100,000 home routers recruited to spread Brazilian hacking scam - Don't be misled by the headline: this is not a scam, it's unauthorized access to your home router. This attack has been around for well over 10 years: The attackers were trying to get control of the target machines either by guessing the web admin password, or through a vulnerable DNS configuration CGI script (dnscfg.cgi). If they get control of a device, they change the router's default DNS server to their own “rogue” machine.
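The reason a rogue DNS server matters is that every name the household looks up is then answered by the attacker. The check below is an added example (not from the show or from the researchers who reported the campaign): it takes the resolvers a router is currently configured with, an allow-list of the resolvers the owner actually chose, and a `resolve` callable, and flags both an unexpected resolver address and any canary name whose answer differs from a trusted resolver's. The `resolve` callable is injected so the logic runs offline against the constructed lookup table embedded here; the names and addresses are all made-up documentation values.

```python
"""Detect a home router whose DNS setting points at a rogue resolver.

Hypothetical helper, not vendor or podcast code. All addresses below are
constructed (RFC 5737 documentation ranges), not real resolvers.
"""
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Set

# Names an attacker would most want to redirect. Comparing their answers
# against a trusted resolver catches a rogue server even if its IP address
# is not on any blocklist yet.
CANARY_NAMES = ["bank.example", "mail.example", "login.example"]


def resolver_allowed(server: str, allowlist: Set[str]) -> bool:
    """True if `server` is on the allow-list, as an address or inside a CIDR."""
    addr = ip_address(server)
    for entry in allowlist:
        if "/" in entry:
            if addr in ip_network(entry, strict=False):
                return True
        elif addr == ip_address(entry):
            return True
    return False


def detect_dns_hijack(configured: List[str], allowlist: Set[str], trusted: str,
                      resolve: Callable[[str, str], List[str]]) -> List[str]:
    """Return human-readable findings; an empty list means no sign of tampering."""
    findings: List[str] = []
    for server in configured:
        if not resolver_allowed(server, allowlist):
            findings.append(f"unexpected resolver {server}")
        for name in CANARY_NAMES:
            expected = sorted(resolve(trusted, name))
            actual = sorted(resolve(server, name))
            if expected != actual:
                findings.append(
                    f"{server} answers {name} -> {actual}, "
                    f"trusted {trusted} -> {expected}")
    return findings


# Constructed sample data standing in for real DNS lookups.
TRUSTED = "203.0.113.1"          # resolver the household trusts (constructed)
ISP_RESOLVER = "192.0.2.53"      # honest ISP resolver (constructed)
ROGUE_RESOLVER = "198.51.100.7"  # attacker-controlled resolver (constructed)

FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    TRUSTED: {"bank.example": ["203.0.113.10"], "mail.example": ["203.0.113.20"],
              "login.example": ["203.0.113.30"]},
    ISP_RESOLVER: {"bank.example": ["203.0.113.10"], "mail.example": ["203.0.113.20"],
                   "login.example": ["203.0.113.30"]},
    # The rogue server redirects the two login-related names to an attacker host
    # and leaves mail alone so the change is less noticeable.
    ROGUE_RESOLVER: {"bank.example": ["198.51.100.99"], "mail.example": ["203.0.113.20"],
                     "login.example": ["198.51.100.99"]},
}


def fake_resolve(server: str, name: str) -> List[str]:
    """Offline stand-in for a DNS query to `server` for `name`."""
    return FAKE_DNS[server][name]


if __name__ == "__main__":
    allow = {"192.0.2.0/24", TRUSTED}
    for router_dns in ([ISP_RESOLVER], [ROGUE_RESOLVER]):
        result = detect_dns_hijack(router_dns, allow, TRUSTED, fake_resolve)
        print(router_dns, "->", result or "clean")
```

To use it against a real router, replace `fake_resolve` with a function that sends a query to the given server (for example via a DNS library) and return the A records; the decision logic stays the same.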
Haven't updated your Adobe PDF software lately? Here's 85 new reasons to do it now - Because PDF readers have become such a popular target for email and web-based malware attacks, users and admins alike would do well to test and install the updates as soon as possible. Exploit-laden PDFs have for more than a decade proven to be one of the most reliable ways to put malware on someone's machine. Except malware being distributed by a PDF document is so 10 years ago, and most email protection solutions will spot a malicious PDF a mile away. Office documents are far more popular.
Nine NAS Bugs Open LenovoEMC, Iomega Devices to Attack - Lots of steps here: “A hypothetical attack would first include luring an authenticated NAS user of one of the devices to a specially crafted malicious website designed to steal the user’s access token and a session cookie-like identifier, called a ‘__c parameter’.” Then: “The next step in the attack, after acquiring a target’s NAS access token and ‘_c parameter’ is finding the static IP address the NAS is running on,” which is done using brute-force techniques. I don't think you need to sound the alarm on this one and drop everything and patch, as this is tricky to pull off.
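The first step of that chain depends on a page on another site being able to ride on the victim's NAS session. The snippet below is an added example (hypothetical code, not LenovoEMC firmware or anything from the researchers) of the two server-side controls that break that step: issuing the session cookie with `SameSite=Strict`, `Secure` and `HttpOnly`, and refusing state-changing requests whose `Origin`/`Referer` or `Sec-Fetch-Site` headers show they came from a different site. The host names are constructed placeholders.

```python
"""Reject cross-site requests against a device web UI.

Hypothetical example; header names are the standard HTTP ones.
"""
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Methods that must never change state, so they need no origin check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def build_session_cookie(name: str, value: str) -> str:
    """Set-Cookie value for a session identifier that browsers will not attach
    to requests initiated from another site (SameSite=Strict), will only send
    over TLS (Secure), and will not expose to page scripts (HttpOnly)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


def origin_of(url_or_origin: str) -> str:
    """Normalise a URL or Origin header to 'scheme://host[:port]' in lowercase."""
    parts = urlsplit(url_or_origin)
    return f"{parts.scheme}://{parts.netloc}".lower()


def allow_request(method: str, headers: Dict[str, str], own_origin: str) -> Tuple[bool, str]:
    """Decide whether a request may proceed; returns (allowed, reason).

    Safe methods pass. State-changing requests must carry an Origin (or, as a
    fallback, Referer) matching the device's own origin, and, when the browser
    sends Sec-Fetch-Site, it must not claim a cross-site initiator.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    source = h.get("origin") or h.get("referer")
    if not source:
        return False, "state-changing request without Origin or Referer"
    if origin_of(source) != origin_of(own_origin):
        return False, f"cross-site request from {origin_of(source)}"
    fetch_site = h.get("sec-fetch-site")
    if fetch_site and fetch_site not in ("same-origin", "none"):
        return False, f"Sec-Fetch-Site={fetch_site}"
    return True, "same-origin request"


if __name__ == "__main__":
    NAS = "https://nas.example"  # constructed device origin
    print(build_session_cookie("session", "opaque-random-id"))
    # Request forged by a page the user was lured to (constructed).
    print(allow_request("POST", {"Origin": "https://lure.example"}, NAS))
    # Legitimate request from the device's own UI.
    print(allow_request("POST", {"Origin": NAS, "Sec-Fetch-Site": "same-origin"}, NAS))
```

With `SameSite=Strict` the forged request in the first case would normally arrive without the cookie at all; the origin check is the second layer for older browsers and for identifiers the device passes in request parameters rather than cookies.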
Google Announces 5 Major Security Updates for Chrome Extensions - Finally, some much-needed controls for Chrome extensions: users will be able to control when and how Chrome extensions can access site data, allowing them to restrict access for all sites and then grant temporary access to a specific website when required, or enable permissions for a specific set of websites or all sites. Also, with Chrome 70, Google will start performing a more in-depth review of extensions that ask for "powerful permissions." There are 5 updates in total, including more in-depth code reviews for extensions that require more "powerful" permissions.
Twitter bans distribution of hacked materials ahead of US midterm elections | ZDNet - Twitter already had rules in place that prohibited the distribution of hacked materials that contain private information or trade secrets, but after Monday's update, the platform's review teams will also ban accounts that claim responsibility for a hack, make hacking threats, or issue incentives to hack specific people and accounts. Twitter has been so diligent about enforcing policies and ridding the social network of bad behavior that I am... oh, never mind!
Sven Morgenroth is a security researcher at Netsparker. He found filter bypasses for Chrome's XSS auditor and several web application firewalls. He likes to exploit vulnerabilities in creative ways and has hacked his smart TV without even leaving his bed. Sven writes about web application security and documents his research on the Netsparker blog.