Hacker Public Radio

HPR3828: The Oh No! News.

Hosted by Some Guy On The Internet on 2023-04-05 00:00:00

The Oh No! news.

Oh No! News is Good News.

Threat analysis; your attack surface.

  • Article: CISA warns of actively exploited Plex bug after LastPass breach.
    • Author: Sergiu Gatlan. (2023, Mar 11).
    • Attackers with "admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code," according to an advisory published by the Plex Security Team in May 2020 when it patched the bug with the release of Plex Media Server 1.19.3.
    • "This could be done by setting the server data directory to overlap with the content location for a library on which Camera Upload was enabled. This issue could not be exploited without first gaining access to the server's Plex account."
    • Link to Cybersecurity & Infrastructure Security Agency (CISA).
  • Supporting Article: Plex Security, regarding security vulnerability CVE-2020-5741.
    • Author: PlexSecurity, Plex Employee. (2020, May).
    • We have recently been made aware of a security vulnerability related to Plex Media Server. This issue allowed an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it.
  • Supporting Article: Official statement from Plex, concerning vulnerabilities, on LastPass Data Breach.
    • Author: PlexInfo, Plex Employee. (2023, Feb 28).
    • "We have not been contacted by LastPass so we cannot speak to the specifics of their incident. We take security issues very seriously, and frequently work with external parties who report issues big or small using our guidelines and bug bounty program. When vulnerabilities are reported following responsible disclosure we address them swiftly and thoroughly, and we’ve never had a critical vulnerability published for which there wasn’t already a patched version released. And when we’ve had incidents of our own, we’ve always chosen to communicate them quickly. We are not aware of any unpatched vulnerabilities, and as always, we invite people to disclose issues to us following the guidelines linked above. Given recent articles about the LastPass incident, although we are not aware of any unpatched vulnerabilities, we have reached out to LastPass to be sure."
  • Supporting Article: LastPass says employee’s home computer was hacked and corporate vault taken.
    • Author: Dan Goodin. (2023, Feb 27).
    • According to a person briefed on a private report from LastPass who spoke on the condition of anonymity, the media software package that was exploited on the employee’s home computer was Plex. Interestingly, Plex reported its own network intrusion on August 24, just 12 days after the second incident commenced.
  • Supporting Article: Plex imposes password reset after attackers steal data from over 15 million users.
    • Author: Dan Goodin. (2022, Aug 24).
    • “Yesterday, we discovered suspicious activity on one of our databases,” company officials wrote in an email sent to customers. “We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords.”
    • The email said that the passwords were “hashed and secured in accordance with best practices,” meaning the passwords were cryptographically scrambled in a way that requires attackers to devote additional resources to crack the hashes and revert them back to their plaintext state. A Plex spokesperson said that the passwords were hashed using bcrypt, among the strongest algorithms for protecting passwords. bcrypt automatically applies what's known as cryptographic salting and peppering to make cracking harder.
  • Article: KeePass vulnerability allows attackers with write access to the XML config to export cleartext passwords.
    • Author: National Institute of Standards and Technology (NIST). (2023, Jan 21).
    • ** DISPUTED ** KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.
    • This vulnerability has been modified and is currently undergoing reanalysis. Please check back soon to view the updated vulnerability summary.
  • Supporting Article: CWE-312: Cleartext Storage of Sensitive Information.
    • Author: Common Weakness Enumeration. (N/A).
    • Because the information is stored in cleartext (i.e., unencrypted), attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
  • Supporting Article: KeePass Help Center, Security Issues.
    • Author: KeePass. (N/A).
    • This page lists various potential security issues that have been reported and their status/analysis (whether the claims are valid, whether an issue is fixed, etc.).
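A defender-side check for the KeePass configuration issue above, added here as an example that is not taken from any of the cited articles or from KeePass itself: it fingerprints the XML config so changes can be noticed, and lists every trigger, flagging any whose name is not in a known-good baseline. The element layout Configuration/Application/TriggerSystem/Triggers/Trigger is an assumption about the KeePass config format, and the sample file is constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample of a KeePass.config.xml (not a real file from any of the
# articles). The element layout Configuration/Application/TriggerSystem/
# Triggers/Trigger is an assumption about KeePass's trigger-system config.
SAMPLE_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>constructed-guid-0001</Guid>
          <Name>Sync on open</Name>
          <Events><Event><TypeGuid>constructed-event</TypeGuid></Event></Events>
          <Actions><Action><TypeGuid>constructed-action</TypeGuid></Action></Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""


def config_fingerprint(xml_text):
    """SHA-256 of the config text; store it and re-check it on a schedule."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def audit_triggers(xml_text, baseline_names):
    """Summarise every trigger and flag names absent from the known baseline."""
    root = ET.fromstring(xml_text)
    ts = root.find("./Application/TriggerSystem")
    if ts is None:  # no trigger system configured at all
        return {"enabled": False, "triggers": [], "unexpected": []}
    enabled = (ts.findtext("Enabled") or "").strip().lower() == "true"
    triggers = [
        {
            "name": (trig.findtext("Name") or "").strip(),
            "events": len(trig.findall("./Events/Event")),
            "actions": len(trig.findall("./Actions/Action")),
        }
        for trig in ts.findall("./Triggers/Trigger")
    ]
    unexpected = [t["name"] for t in triggers if t["name"] not in baseline_names]
    return {"enabled": enabled, "triggers": triggers, "unexpected": unexpected}


if __name__ == "__main__":
    report = audit_triggers(SAMPLE_CONFIG, baseline_names={"Sync on open"})
    print(config_fingerprint(SAMPLE_CONFIG), report)
```

Run it against the real config path on a workstation and alert when the fingerprint changes or `unexpected` is non-empty; the vendor's threat model (local write access is out of scope) is exactly why this monitoring has to live outside KeePass.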

User space.

  • Article: How to delete yourself from the internet.
    • Author: Martyn Casserly. (2023, Mar 9).
    • Whether you are privacy minded or not, it’s very difficult to be completely anonymous online. Over the years you might have posted on social media, downloaded apps, entered competitions or opened accounts which required details such as your email address, phone number, age, gender and more.
  • Article: Mark Zuckerberg’s Meta exploring plans to launch a Twitter rival.
    • Author: Reuters. (2023, Mar 10).
    • Mark Zuckerberg’s Meta Platforms is exploring plans to launch a new social media app in its bid to displace Twitter as the world’s “digital town square.”
    • Its video-sharing app, Instagram, is also facing stiff competition as content makers or hit influencers abandon the platform for TikTok.

Toys for techs.

  • Article: Inky Frame 4.0" (Pico W Aboard) review.
    • Author: Phil King. (2023, Mar 1).
    • "A classy colour e-ink display whose Wi-Fi connectivity greatly extends its possible uses, including as a digital photo/art frame, life organiser, or low-power smart home dashboard."
  • Supporting Article: Inky Frame 4.0" (Pico W Aboard).
    • Author: Pimoroni. (N/A).
    • Raspberry Pi Pico W Aboard.
    • 4.01" EPD display (640 x 400 pixels).
      • E Ink Gallery Palette™ 4000 ePaper
      • ACeP (Advanced Color ePaper) 7-color with black, white, red, green, blue, yellow, orange.
      • Ultra wide viewing angles
      • Ultra low power consumption
      • Dot pitch – 0.135 x 0.135mm
    • 5 x tactile buttons with LED indicators
    • Two Qw/ST connectors for attaching breakouts
    • microSD card slot
    • Dedicated RTC chip (PCF85063A) for deep sleep / wake
    • Fully assembled (no soldering required)
    • C/C++ and MicroPython libraries
    • Schematic
  • Article: YubiHSM 2, the world’s smallest hardware security module, enhanced with new features to support security for the Public Sector.
    • Author: Saqib Ahmad. (2023, Mar 9).
    • AES is one of the most widely used symmetric cryptography algorithms and can be used in several modes such as ECB, CBC, CCM and GCM. Out of these four modes, YubiHSM 2 now supports the three most commonly used modes of encryption.

Additional Information.

    • What is a Data Breach? A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, altered or used by an individual unauthorized to do so.
    • What is Malware? Malware (a portmanteau for malicious software) is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy.
    • What is a Payload? In the context of a computer virus or worm, the payload is the portion of the malware which performs the malicious action, such as deleting data, sending spam or encrypting data. In addition to the payload, such malware also typically has overhead code aimed at simply spreading itself or avoiding detection.
    • What is Phishing? Phishing is a form of social engineering where attackers deceive people into revealing sensitive information or installing malware such as ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site, and traverse any additional security boundaries with the victim.
    • What is Information Security (InfoSec)? Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management.
    • What is a Vulnerability (computing)? Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware.
    • What is an "Attack Surface"? The attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data into or extract data from an environment. Keeping the attack surface as small as possible is a basic security measure.
    • What is an "Attack Vector"? In computer security, an attack vector is a specific path, method, or scenario that can be exploited to break into an IT system, thus compromising its security. The term was derived from the corresponding notion of vector in biology. An attack vector may be exploited manually, automatically, or through a combination of manual and automatic activity.


Copyright Information

Unless otherwise stated, our shows are released under a Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license.

The HPR Website Design is released to the Public Domain.