
July 30, 2019 – Hack Naked News #229


This week, a rare steganography hack can compromise fully patched websites, the Louisiana governor declares a state of emergency after a local ransomware outbreak, Apple's shock Siri surveillance demands a swift response, Google found a way to remotely attack Apple iOS devices by sending a booby-trapped iMessage, and 100 million users' data stolen in the Capital One breach! In the expert commentary, we welcome Jason Wood to discuss how the US issues a hacking security alert for small planes!

Security News

  1. Rare Steganography Hack Can Compromise Fully Patched Websites - According to research from Trustwave shared exclusively with Threatpost, a forensic investigation showed that an adversary is implanting PHP code into JPEG files’ EXIF headers in order to upload malware onto targeted websites. “PHP provides a nice function that allows you to read out and parse EXIF data, so if you target a website that allows you to upload images and also uses PHP scripts, you can essentially upload any malware you want,” explained Karl Sigler, a security research manager at Trustwave SpiderLabs.
  2. Louisiana governor declares state of emergency after local ransomware outbreak - Louisiana Governor John Bel Edwards has activated a state-wide state of emergency in response to a wave of ransomware infections that have hit multiple school districts. The ransomware infections took place this week and have impacted the school districts of three North Louisiana parishes -- Sabine, Morehouse, and Ouachita. IT networks are down at all three school districts, and files have been encrypted and are inaccessible, local media outlets are reporting. This is the second time that a state governor has activated a state of emergency due to ransomware or any form of cyber-attack. The first time was in Colorado in February 2018, when the Colorado Department of Transportation was forced to shut down operations because of an infection with the SamSam ransomware.
  3. Marcus 'MalwareTech' Hutchins gets no prison time, one year supervised release | ZDNet - Marcus 'MalwareTech' Hutchins, the security researcher who helped stop the WannaCry ransomware outbreak, was sentenced today in the US to time served and one year of supervised release. The UK-born malware analyst avoids prison time in a case that the judge described as having "too many positives on other side of ledger" -- referring to Hutchins' role in the WannaCry ransomware outbreak and his work as a malware analyst. Judge J. P. Stadtmueller had a difficult decision on his hands, and would have considered a pardon. However, courts have no such power, and deferred to the executive branch. After the sentencing hearing, Hutchins' lawyers said they would explore it. In court, Hutchins apologized, again, to victims, family, and friends. The judge waived any fines. Hutchins will be allowed to return to the UK. US authorities will now decide if he's barred from returning to the US due to his criminal record.
  4. Apple's shock Siri surveillance demands a swift response - Apple stated: “A small portion of Siri requests are analysed to improve Siri and dictation.” It also promises that “User requests are not associated with the user's Apple ID. Siri responses are analysed in secure facilities and all reviewers are under the obligation to adhere to Apple's strict confidentiality requirements.” That’s reassuring to some extent, but given that in some instances, Apple’s reviewers are reported to have heard people sharing personal information, including their address, the move to divorce recorded sound from the relevant Apple ID may not be enough.
  5. Critical zero-days discovered in VxWorks RTOS, billions of devices at risk - The collection of vulnerabilities was dubbed URGENT/11; it includes 11 flaws, 6 of which are rated as critical in severity. The report states: “URGENT/11 poses a significant risk to all of the impacted VxWorks connected devices currently in use. There are three attack scenarios, depending on the location of the device on the network and the attacker’s position. URGENT/11 can be used by an attacker to take control over a device situated either on the perimeter of the network or within it. Even a device that is reaching outbound to the internet could be attacked and taken over. Alternately, an attacker who has already managed to infiltrate a network can use URGENT/11 to target specific devices within it, or even broadcast an attack capable of taking over all impacted VxWorks devices in the network simultaneously,” reads the report published by Armis Labs. “It is important to note that in all scenarios, an attacker can gain complete control over the targeted device remotely with no user interaction required, and the difference is only in how the attacker reaches it.”
  6. Google found a way to remotely attack Apple iOS devices by sending a booby-trapped iMessage - Details weren’t shared at the time, but we now know that the iOS security update addressed critical vulnerabilities discovered by Google security researchers that could allow a remote attacker to attack an iPhone just by sending a maliciously crafted iMessage. Thankfully the vulnerabilities, which could most likely have been sold to an intelligence agency for millions of dollars, were responsibly disclosed to Apple in May so that they could be addressed and fixed within the 90-day disclosure deadline imposed by Google.
  7. Capital One breach: 100 million users' data stolen - What's in your wallet? Hackers. Capital One's statement: "Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate." So far, there are no details to suggest what sort of vulnerability was exploited, and therefore no indication of what has now been changed and how permanent or effective the fixes might be. We don’t know whether it was an unpatched security flaw, an incorrectly configured access control setting, or some other cybersecurity issue.
  8. DHS Warns About Security Flaws in Small Airplanes - The US Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on newly found vulnerabilities in the controller area network (CAN) bus networks used on small aircraft that could be abused by an attacker with physical access to a plane. "An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment. The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot," the alert said.
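Item 1 describes PHP code being hidden in the EXIF header of a JPEG so that a site which uploads images and later parses their EXIF data with PHP ends up executing it. The following is an added example, not code from Trustwave or from the original show notes: a small JPEG segment walker that an upload filter can run before an image is stored, flagging any APPn/EXIF or COM segment that contains a PHP open tag. The JPEG container format and the segment markers are real; the sample files, the key names and the `is_safe_upload` helper are constructed for this illustration.

```python
import struct

# Substrings that indicate embedded PHP source. A production filter would
# also canonicalise encodings; this is enough to demonstrate the check.
PHP_MARKERS = (b"<?php", b"<?=")

SOI = b"\xff\xd8"


def iter_jpeg_segments(data):
    """Walk a JPEG's marker segments and yield (marker, payload) pairs.

    Stops at SOS (0xFFDA), after which entropy-coded image data follows,
    or at EOI (0xFFD9). Raises ValueError on malformed input so a caller
    can reject the upload instead of passing it downstream.
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                      # EOI
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 2                            # standalone markers carry no length field
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes its own 2 bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        payload = data[pos + 4:pos + 2 + length]
        yield marker, payload
        if marker == 0xDA:                      # SOS: scan data follows, stop walking
            return
        pos += 2 + length


def find_php_in_metadata(data):
    """Return [(segment_name, marker_string, offset_in_payload), ...] for every
    PHP open tag found in an APPn (including EXIF) or COM segment."""
    findings = []
    for marker, payload in iter_jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            name = "APP1/EXIF"
        elif 0xE0 <= marker <= 0xEF:
            name = f"APP{marker - 0xE0}"
        elif marker == 0xFE:
            name = "COM"
        else:
            continue
        for tag in PHP_MARKERS:
            idx = payload.find(tag)
            while idx != -1:
                findings.append((name, tag.decode(), idx))
                idx = payload.find(tag, idx + 1)
    return findings


def is_safe_upload(data):
    """Upload-filter decision: reject malformed files and anything whose
    metadata carries a PHP tag."""
    try:
        return not find_php_in_metadata(data)
    except ValueError:
        return False


def build_jpeg(exif_payload=None, comment=None):
    """Assemble a minimal JPEG container (constructed test data, no real image)."""
    parts = [SOI]
    if exif_payload is not None:
        seg = b"Exif\x00\x00" + exif_payload
        parts.append(b"\xff\xe1" + struct.pack(">H", len(seg) + 2) + seg)
    if comment is not None:
        parts.append(b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment)
    parts.append(b"\xff\xda" + struct.pack(">H", 2))      # empty SOS ends the walk
    parts.append(b"\xff\xd9")
    return b"".join(parts)


# Constructed samples. A real EXIF block begins with a TIFF header like this one.
TIFF_HEADER = b"II*\x00\x08\x00\x00\x00"
CLEAN_JPEG = build_jpeg(exif_payload=TIFF_HEADER, comment=b"holiday photo")
TAINTED_JPEG = build_jpeg(exif_payload=TIFF_HEADER + b"<?php /* constructed marker */ ?>")

if __name__ == "__main__":
    print("clean:", find_php_in_metadata(CLEAN_JPEG), is_safe_upload(CLEAN_JPEG))
    print("tainted:", find_php_in_metadata(TAINTED_JPEG), is_safe_upload(TAINTED_JPEG))
```

Scanning for tags is a detection aid, not the fix: the durable mitigations are to re-encode uploaded images (which discards EXIF and COM segments entirely), to store uploads outside any path the PHP interpreter will execute, and never to pass strings read back with `exif_read_data()` into `eval`, `include` or `preg_replace` with the `e` modifier.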

Expert Commentary:

US issues hacking security alert for small planes

We’ve heard about hacking cars for a few years and the issues that have been discovered with CANBus. It turns out, somewhat unsurprisingly, that CANBus is not limited to automobiles and extends to modern flight systems for small aircraft. These are not the type of aircraft that we fly in with major airlines, but instead smaller aircraft used by individuals and small charter businesses. The Department of Homeland Security released a safety alert today based on research performed by Rapid7 into this technology. I was not able to find the DHS alert online, but I do have a link to the Rapid7 report in the show notes.

So this is really interesting to me because I have a personal interest in general aviation. For those not familiar with modern small aircraft, here’s a quick primer. In the past, aircraft were made with a variety of mechanical sensors that fed into dial gauges in the cockpit. Flying in these aircraft is a lot of fun when you are staying in a limited area and are just maneuvering around for the experience of flying. It’s an old system and is very reliable. However, they don’t support the pilot very much, especially in cross country flight, and the pilot has to do quite a bit of work for navigation.

It’s no surprise that the general aviation industry has followed the trend to more digital-based equipment and sensors. It’s made things much easier on the pilot and presumably safer. The systems provide significant support in cross country navigation with GPS and waypoints to follow. Weather information can be retrieved and shown on the displays to guide the pilot's decisions about their course. The pilot can also file flight plans digitally with the FAA from the cockpit and retrieve their approvals. All this is great, but the problem then lies in the interface between this system and the airplane itself.

Flight system manufacturers used the already established CANBus protocol to provide communication between the engine and flight sensors and the flight system. According to the research, the information is passed between the sensors and the system without authentication or encryption. This makes it very easy for an attacker with physical access to the plane to modify the signals sent to the flight system. The impact of this could get pretty wild if, for example, the altitude readings were modified while on autopilot or while flying in poor visibility. Pilots depend on accurate data when flying under instrument-only conditions.

The key here is that the attacker had to have physical access to the plane at some point to plant something in the system to modify these readings. The articles I read online make a point of commenting on airport security limiting the risk of this attack. They aren’t wrong, but they also don’t point out that there are a large number of small airports with limited security where vulnerable aircraft may be located. I’ve gone flying at an airport where driving up to the hangar is normal. A lot of the planes at these locations are older and do not have digital cockpits. But there are almost certainly some of these newer aircraft there.

Rapid7 originally reported the results of their research to two OEMs two years ago and have kept this information private to give the manufacturers time to start addressing the issue. They also had to coordinate with a number of government agencies. Due to the seriousness of safety in aviation, this all led to a longer than normal time for disclosure.

Obviously, airplanes have a very long lifetime and replacing parts is not inexpensive. One of the planes I’ve flown in was built sometime in the 1950s. With good maintenance, the newer aircraft with vulnerable sensors and flight systems will be with us for quite some time. It will be a while before this issue is fully addressed, if ever. I imagine (and hope) that new aircraft being built will have the fixes implemented into the flight system going forward.

If you want more information on the research into the issue, check out the show notes at
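The commentary above turns on one property: the sensor data crossing the bus carries no authentication, so a receiver cannot tell a genuine altitude frame from one written by a device attached to the bus. The following is an added example, not code from Rapid7, the DHS alert or the show, that makes the difference concrete: the same 8-byte CAN payload is decoded once the way an unauthenticated bus does and once with a truncated message authentication code plus a freshness counter, the general shape automotive SecOC-style schemes use. The key, the CAN identifier, the field layout and the altitude values are all constructed for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real deployment provisions a per-link key into each unit.
DEMO_KEY = b"constructed-demo-key-not-for-use"
MAC_LEN = 4            # 4 data bytes + 4 tag bytes fill a classic 8-byte CAN payload
ALTITUDE_ID = 0x1A0    # constructed CAN identifier for the altitude message


def _tag(can_id, body):
    """Truncated HMAC over the identifier and the data field."""
    return hmac.new(DEMO_KEY, struct.pack(">H", can_id) + body, hashlib.sha256).digest()[:MAC_LEN]


def encode_altitude(altitude_ft, counter):
    """Payload layout (constructed): int16 altitude, uint16 freshness counter, 32-bit tag."""
    body = struct.pack(">hH", altitude_ft, counter)
    return body + _tag(ALTITUDE_ID, body)


def decode_legacy(payload):
    """What an unauthenticated bus does: trust whatever the frame says."""
    return struct.unpack(">h", payload[:2])[0]


def decode_authenticated(payload, last_counter):
    """Accept the altitude only if the tag verifies and the counter advanced.
    Returns (altitude_ft, counter) or raises ValueError."""
    if len(payload) != 8:
        raise ValueError("wrong length")
    body, tag = payload[:4], payload[4:]
    if not hmac.compare_digest(tag, _tag(ALTITUDE_ID, body)):
        raise ValueError("MAC mismatch: frame was not produced with the sensor key")
    altitude, counter = struct.unpack(">hH", body)
    if counter <= last_counter:
        raise ValueError("stale counter: replayed frame")
    return altitude, counter


def run_scenarios():
    """Feed a genuine, a tampered and a replayed frame through both decoders
    and return the outcomes so they can be checked programmatically."""
    genuine = encode_altitude(4500, counter=7)
    # Tampered: the altitude field is overwritten with 9500 ft, old tag kept.
    tampered = struct.pack(">h", 9500) + genuine[2:]
    results = {
        "legacy_genuine": decode_legacy(genuine),
        "legacy_tampered": decode_legacy(tampered),      # accepted: nothing to check
        "auth_genuine": decode_authenticated(genuine, last_counter=6),
    }
    for name, frame, last in (("auth_tampered", tampered, 6), ("auth_replay", genuine, 7)):
        try:
            decode_authenticated(frame, last)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16s} {outcome}")
```

The legacy decoder reports 9500 ft for the forged frame with no way to know it was altered; the authenticated decoder rejects it and also rejects a captured genuine frame that is played back. The caveat the commentary hints at still applies: a check like this protects the link, not the sensor, so an attacker who can reach the sensor hardware itself is outside its scope, and retrofitting keys into fielded avionics is exactly the slow, expensive path the commentary expects.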



Jason Wood - Founder; Primary Consultant, Paladin Security.
Paul Asadorian - CTO, Security Weekly.


  • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will be receiving 1 CPE credit per webcast! Register for our upcoming webcasts with (ISC)2 by going to If you have missed any of our previously recorded webcasts, you can find our on-demand library at
