Welcome to the Ironshare Cyber Round-up where we look back at the events of that last week and handpick some of the news, posts, views, and highlights from the world of Security.In this week’s round-up:
The Mercury News have reported how a family in the US were subjected to 5 minutes of terror after their NEST home surveillance camera was accessed by hackers and used to broadcast a North Korean Missile Strike warning via its built-in speakers.The detailed broadcast message warned that missiles were heading to Chicago, Ohio and Los Angeles, that people in these areas had 3 hours to evacuate, and that the United States had retaliated against North Korea. In an interview the family stated:
“It sounded completely legit, and it was loud and got our attention right off the bat. … It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on.”
Calls were made to the emergency services and to NEST, before the warning was finally deemed a hoax, and that the incident was probably the result of a hack. Surprisingly, prior to the incident the family were completely unaware that their NEST camera had speakers installed.This is not the first time NEST have been in the news for remote hacking of their cameras, only last month we were hearing about a polite security conscious hacker who instructed the owner via a compromised camera, how to improve his security.These incidents highlight the ever-growing risks associated with IOT Smart devices and connecting them directly to your home and business networks without thinking about security. These hacks are typically the result of poor password practice by the users.Reuse of passwords for multiple online services that then appear in data breaches, is a sure-fire method of hackers gaining access to your devices. In addition to this a simple compromise of an IOT device could lead to further or even complete compromise of all devices on your network.To help protect against these attacks, users should ensure that you never use the same password more than once; if available, enable two factor authentication (sometimes called two step verification); and if possible create a new sub-network in your home or office to separate these IOT devices from computers you deem more critical (PCs, laptops, servers etc.).
Phishing attacks have been around for quite some time and detecting them is not getting any easier. With the scammers trying new tricks and making the emails and websites more like the real thing, even hardened security professionals that deal with analysing phishing threats, can have a hard time detecting a real email from a scam. If this is hard for InfoSec professionals then just imagine how hard it is for the general public and business users.Education and awareness into what a phishing threat looks like, and the general steps you can take to identify them is a key step to protecting yourself or your business from attack.There are lots of options available that businesses can use to educate their users (such as PhishMe and KnowBe4) but now Google and their Jigsaw unit have developed a short quiz that is available to everyone, so you can see how good you are at spotting what’s real and what’s fake.
The quiz is available online at phishingquiz.withgoogle.com, why not have a go and test your phishing detection skills. It’s simple but clever interface gives classic examples and shows you the common things to check and look out for.It’s starts by asking for name and email address, but there is no need to enter any real information about yourself, entering fake details here is just fine. I have taken this myself and managed to get 6 out of 8 questions correct, and hopefully by giving this a try you will see that spotting a phish is hard.Generally phishing starts by trying to hook a potential victim into clicking on a malicious link or attachment contained in an email. Once the victim has taken the bait, phishing websites are used to capture their usernames, passwords and personal information, which can then be used by the malicious actors for identity theft, fraud and account compromise.As a final note, please remember that security education and awareness is a great tool, that’s a must when trying to combat the threat of phishing and other cyber attacks, but alone it will never be a complete solution or mythical silver bullet. Combining education with good practice, process and technology is what’s required to create a more robust security posture.
Tuesday saw the release of multiple security updates for vulnerabilities across Apples iPhone, iPad, Mac, TV and Watch products. The highlights in these updates, address critical vulnerabilities that exist in iOS and macOS operating systems.iOS 12.1.3 has been released to resolve a number of privilege escalation and remote code execution issues with iPhones and iPads. Buffer Overflow / memory bounds flaws in the devices Bluetooth implementation (CVE-2019-6200) and FaceTime app (CVE-2019-6230) can allow an attacker to execute remote code on the affected devices. While the update to CVE-2019-6206 covers a flaw in the password autofill feature that allows the password to still be filled after they have been manually cleared.On the macOS front, Mojave, Sierra and High Sierra updates are available to address several vulns. Flaws in the Intel graphics driver (CVE-2018-4452) have been addressed that would allow a malicious application with system privileges to execute code; while memory corruption issues in the sandbox process (CVE-2019-6235) and hypervisor (CVE-2018-4467) could result in the bypassing of sandbox restrictions and the elevation of privileges.Staying up to date with the latest security patches goes a long way when defending against online threats, so please update your devices as soon as you can.Notes for all January updates can be found here.
The APT package manager aka apt-get, a well-known software update and removal utility in Linux distributions (such as Ubuntu and Debian), has been in the news this week, due to a critical vuln, that could allow a malicious actor to launch a man-in-the-middle attack and execute remote code.In his post, researcher Max Justicz explains that due to the use of clear text HTTP in the update process, and inadequate checks of HTTP redirects, a hacker can manipulate the response to redirect to another mirror site and install malicious packages with root privileges.This is a technical post but explains in depth how he was able to exploit this vulnerability. Max, and many others believe that if apt used HTTPS communication by default for its update process, the man-in-the-middle attack would not have been possible.This topic has resulted in many debates, with a lot of people thinking HTTPS is pointless during the update process and that focus on signing the packages (with digital certificates) is more important. This was evident this week as those against HTTPS took to twitter to defend HTTP and its benefits when used for updates, stating that HTTPS added a level of complexity, hampers performance and makes it difficult to cache content using multiple mirrors (repositories).Ubuntu and Debian Linux have issued patches for this vuln and security notices can be found at the below links. It is recommended that you update your servers ASAP to prevent this threat. If you have concerns about performing the update, Max’s post above gives details on how you can disable redirects during the update process.Ubuntu Security Notice: https://usn.ubuntu.com/3863-2/Debian Security Notice: https://www.debian.org/security/2019/dsa-4371And that’s it for this week, please don’t forget to tune in for our next instalment.
To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailListYou can also follow us using the social media links provided.If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment: http://bit.ly/IronFreeCyberReviewIronshare – Security SimplifiedEdition #26 – 25th January 2019
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
