Heather Monk Blog: July 2017

Monday, July 31, 2017

Game of Thrones Leak Puts Unreleased Script and Other HBO Shows Online

This hack could go way deeper than Game of Thrones

from
https://www.wired.com/story/game-of-thrones-leak-hbo-hack

Sunday, July 30, 2017

The Very Best Black Hat Hacks

All the best hacks from the year's biggest security conferences.

from
https://www.wired.com/story/best-black-hat-defcon-talks

Saturday, July 29, 2017

A $10 Hardware Hack Turns Up Zero Day Vulnerabilities in IoT Devices

Using an SD card reader and some soldering savvy, these hackers rooted out a ton of IoT zero days.

from
https://www.wired.com/story/sd-card-hack-iot-zero-days

How Hackers Can Use 'Evil Bubbles' to Destroy an Industrial Pump

One demonstration at the Black Hat conference shows how insidious physical infrastructure hacking could be.

from
https://www.wired.com/story/evil-bubbles-industrial-pump-hack

Your Own Pacemaker Can Now Testify Against You In Court

Opinion: What happens to privacy when data from our medical devices can lead to criminal charges?

from
https://www.wired.com/story/your-own-pacemaker-can-now-testify-against-you-in-court

Friday, July 28, 2017

A GOP Staffer Crowdsourced a Resolution From a Conspiracy Subreddit

An amendment that targets Hillary Clinton and James Comey has its roots in r/The_Donald, a notoriously conspiracy-minded subreddit.

from
https://www.wired.com/story/republican-staffer-the-donald-resolution

How Netflix DDoS’d Itself To Help Protect the Entire Internet

Taking one for the stream.

from
https://www.wired.com/story/netflix-ddos-attack

Thursday, July 27, 2017

The 'Cloak & Dagger' Attack That Bedeviled Android For Months

Not all Android attacks come from firmware mistakes.

from
https://www.wired.com/story/cloak-and-dagger-android-malware

How the Broadpwn Wi-Fi Vulnerability Impacted a Billion iPhones and Android Phones

A Broadcom flaw that undermined scores of Android and iOS devices hints the future of smartphone hacking lies in third-party components.

from
https://www.wired.com/story/broadpwn-wi-fi-vulnerability-ios-android

One Billion Daily WhatsApp Users Prove Privacy Isn't Dead

WhatsApp's rise and Twitter's decline converge to send a message about the way we communicate now.

from
https://www.wired.com/story/whatsapp-billion-daily-users-privacy-twitter

The _Reply All_ Podcast Tackles Phone Scammers–By Meeting Them in Person

Reply All trades memes for scams in its latest endeavor.

from
https://www.wired.com/story/reply-all-phone-scammers

The Trump-Russia Scandal's Many Swirling Unknowns

What we know so far about the Trump-Russia scandal only suggests more questions—questions Special Counsel Robert Mueller is digging into.

from
https://www.wired.com/story/the-known-unknowns-swirling-around-the-trump-russia-scandal

Wednesday, July 26, 2017

Hacker Warns Radioactivity Sensors Can Be Spoofed Or Disabled

A security researcher exposes software flaws that could prevent detection of radioactive leaks or aid in smuggling radioactive material.

from
https://www.wired.com/story/radioactivity-sensor-hacks

Lipizzan Malware Could Take Over Android Devices Until Google Shut It Down

A new, targeted malware called Lipizzan could completely take over an Android device until Android Security shut it down

from
https://www.wired.com/story/lipizzan-android-malware-nation-state

A New Toolkit Hopes to Fix the SS7 Flaws That Plague Cell networks

Carriers have ignored flaws in SS7 that allow hackers easy access to telecoms. A new set of open-source tools hopes to jumpstart a fix.

from
https://www.wired.com/story/ss7-flaw-open-source-toolkit

Rep. Blake Farenthold's Early '90s Internet Message Board Posts Show a Whole New Side

The dueling Congressman had some strong opinions about telecom and nudity.

from
https://www.wired.com/story/blake-farenthold-message-board-posts

Anti-Drone Tools Tested: From Shotguns To Superdrones

From anti-drone shotgun shells to a drone-snagging megadrone, security researchers put the drone defense arsenal to the test.

from
https://www.wired.com/story/watch-anti-drone-weapons-test

Asomándonos a la Revolución Cubana de Internet Hecha por los Propios C

En Cuba, donde los datos gotean vía una red sobrecargada controlada por el gobierno—en su caso—la gente ha puesto en escena la revolución del auto autor.

from
https://www.wired.com/2017/07/internet-revolucion-cuba

Inside Cuba's D.I.Y. Internet Revolution

In Havana, where data trickles in via overloaded, government-controlled networks—if at all—the people have taken matters into their own hands.

from
https://www.wired.com/2017/07/inside-cubas-diy-internet-revolution

Tuesday, July 25, 2017

Popular Remote Administrative Tools Turn Out to Be Easily Hacked

As the debate over "hacking back" heats up, it turns out that a lot of the time actually doing so wouldn't be all that hard.

from
https://www.wired.com/story/bugs-in-popular-hacker-tools-open-the-door-to-striking-back

Monday, July 24, 2017

Jared Kushner's Senate Testimony May Forget Russia Meetings, But the FBI Would Remember

Anything the Russian ambassador says on the phone almost certainly gets caught on a FISA wiretap.

from
https://www.wired.com/story/jared-kushner-senate-testimony-russia-fisa

A 'Locked' Smart Gun Can Be Fired By Anyone With $15 Wort of Magnets

One smart gun model's protections turn out to be easily overcome–by cheap magnets.

from
https://www.wired.com/story/smart-gun-fire-magnets

ShieldFS Is a Clever New Tool That Shuts Down Ransomware Before It's Too Late

By sniffing out ransomware in real-time, ShieldFS might be the cure to the internet's latest security scourge.

from
https://www.wired.com/story/shieldfs-ransomware-protection-tool

Saturday, July 22, 2017

Ethereum Thefts Cost Investors Millions

Ethereum thefts, an Ashley Madison settlement, another leaky Amazon S3 bucket, and more of this week's top security news.

from
https://www.wired.com/story/ether-cryptocurrency-theft

Antivirus for Android Has Terrible Track Record

A new study shows that 94 percent of Android antivirus failed to stop a comprehensive set of malware attacks.

from
https://www.wired.com/story/android-antivirus-malware

Letting Cyberattack Victims Hack Back Is a Very Unwise Idea

Opinion: Retaliating against hacks is the wrong way to prevent them.

from
https://www.wired.com/story/letting-cyberattack-victims-hack-back-is-a-very-unwise-idea

Friday, July 21, 2017

A GAO Sting Scored $1.2 Million in Weapons From an Unsuspecting Department of Defense

A federal sting reveals lax oversight in the Defense Department’s gear giveaway program.

from
https://www.wired.com/story/gao-sting-defense-department-weapons

Watch a Homemade Robot Crack a SentrySafe Combination Safe in 15 Minutes

Not so safe after all.

from
https://www.wired.com/story/watch-robot-crack-safe

As Cyberattacks Destabilize the World, the State Department Turns a Blind Eye

"It's manifestly ridiculous."

from
https://www.wired.com/story/state-department-cybersecurity

Thursday, July 20, 2017

Portable power for APoS

Newer APs often come with some pretty hefty power requirements. Standards such as the 15.4W 802.3af specification are increasingly insufficient on APs that are more power hungry. Enter the 802.3at standard that can support all the way up to 30.0W! While runtime operation of these (over PoE switches) is a topic all of itself, the Wi-Fi professional has always had issues with doing AP on a Stick designs (site surveys, empirical measurements) – especially when your AP power requirements exceed some of the more tried and true solutions. I’ve hashed out several different solutions over the past year, and thought it was time to write them all down.

The staple of AP powering has been for a very long time the Ventev / TerraWave – MIMO Site Survey Battery Pack. On its own, it only supports the older 802.3af specification. This all in one solution is portable, but since it’s based on old lead-acid technologies, it tends to fall on the heavier side of the solutions. Venerable, heavy, doesn’t support newer APs, but everyone has them.

The Terrawave Site Survey Battery Pack!

Enter the Tycon Systems DC To DC Converter And POE Inserter. This bad boy becomes an integral part of most of the rest of our solutions – and it’s very important to understand that it comes in a variety of input voltages. You must mate it to the power solution you’re using.

The Tycon POE injector.

Using the Ventev MIMO Site Survey Battery pack, you can see from it’s data sheet that it supports an external 56V output. If you use the included 56V cable, cut the ends off and mate that with the Tycon that has 802.3at power output, you can retrofit existing site survey battery packs to support newer high power APs! Sadly, physics wins out at some point. Since you’re drawing more power, invariably your battery will not last as long. If you have an older unit, you may be having problems holding a charge or any other number of other issues, but if you’re in a bind, it’s a potential solution.

If you think this Tycon solution looks familiar, Scott Stapleton wrote about a similar solution in his blog. Using the injector that he stated (TP-DCDC-1248GD-HP, note the 10 to 15VDC input change), along with commonly available batteries such as the RAV power units, you can extend the run time of your APoS efforts by interchanging either larger capacity batteries or additional units. In my tests, I used two of the RAVPower 2300mAh batteries along with the Jacobs interconnect to complete the solution.

Image shamelessly stolen from Scott Stapleton.

Thanks to Keith Parsons for this next solution, which is a variation on Scott’s using a battery from Hardened Power Systems. The ReVolt G2 is a large capacity battery that uses 12V powerpole connectors that is *very* light (27 ounces) due to the LiFePO4 battery technology. This, mated with correct Tycon solution using the 12V powerpole connectors gives you a far more portable solution (one high capacity battery, one injector) that can last all day long!

High Capacity Battery, lightweight.

While these all address in varying ways different requirements, they’re all considered a touch on the bulky side and carrying around multiple pieces has always been a challenge for a road warrior that doesn’t want to lose or break bits and pieces. Enter the Ventev VenVolt solution that they were showing off at Cisco Live US 2017. While this isn’t shipping yet, they had a prototype to show off that looked awesome! Lightweight, all in one solution, all day battery on modern technology. Stated dimensions for the unit are 9 3/8″ x 4 3/4″ x 3″ according to Mike Parry. I for one can’t wait for a fully integrated solution to finish baking and come to market!

from
https://sc-wifi.com/2017/07/20/portable-power-for-apos/

Alphabay and Hansa Takedowns Ensnare Thousands of Dark Web Users

Cops sent unsuspecting users scrambling from one dark web site's takedown to another site---that they controlled.

from
https://www.wired.com/story/alphabay-hansa-takedown-dark-web-trap

Musings on Multigigabit and APeX

Cisco Live is always a whirlwind of information and the 2017 US event was no exception! Between the Catalyst 9k launch, the focus on Software Defined Access, and Intuitive Networking, it’s easy to miss some of the nuance that was to be uncovered on the show floor. In the Enterprise Networking booth there was a hidden nugget that was focused on developers called APeX (short for Access Point Extensions). One part of this APeX program is the Extender Module Hardware Development Kit – EM-HDK for short (or just HDK for even shorter!) that plugs directly into the often-overlooked module port on the AP3800. The board itself is a neat springboard for developing on – it allows you to attach a Raspberry Pi, Arduino, XBee or other Small Board Computer directly to the AP. Of course, you wouldn’t deploy a production solution like this, but you would take the solution you’re working on, and compress it to a design that’s purpose built for the modular slot that’s part of the AP3800.

The APeX EM-HDK

The thing that struck me though is that while the HDK is neat – and if you have any SBC experience at all, a very interesting platform, the hidden secret of the HDK is that it also sports two Gigabit Ethernet connections supporting PoE out. It is worth noting that if your host AP had a single 1 Gigabit link, and you put two additional 1 Gigabit links on the back side of it, you can safely assume you have an automatic bottleneck. This is the genesis of my epiphany – those that were shortsighted enough to make claims that 802.11ac wave 2 doesn’t justify uplink speeds beyond 1 Gigabit, clearly did not take into account that 2x 802.11ac wave 2 radios moves you a lot closer to that 1 Gigabit bottleneck, and when you want to pass an additional 2x 1 Gigabit Ethernet interfaces on the same link as your 2x 802.11ac wave 2 radios, your use case for Multigigabit becomes pretty clear.

HDK with Raspberry Pi attached to an AP3802i.

Remember folks, your wired infrastructure is expected to last much longer than your typical switches will. As you start seeing very obvious use cases for breaking the 1 Gigabit uplink requirement, make sure you’re considering the cost savings of investing in multi gig technology today – especially if you can get it for a nominal uptick in price.

Multigigabit interfaces, left. 10G, right.

Go here for more information on Cisco’s mgig (or NBASE-T) and here for information on the APeX program over at Devnet.

from
https://sc-wifi.com/2017/07/20/musings-on-multigigabit-and-apex/

Wednesday, July 19, 2017

Trump's Election Integrity Committee Made All the Wrong Points

If you want to fix voting, don't investigate fraud. Improve the outdated, insecure tech.

from
https://www.wired.com/story/trump-voter-fraud-committee

Segway MiniPro Vulnerabilities Would Have Let Hackers Take Over the Hoverboard

The self-balancing scooter isn't quite so steady when hackers take charge.

from
https://www.wired.com/story/segway-minipro-hack

Tuesday, July 18, 2017

'Devil's Ivy' Vulnerability Could Afflict Millions of Internet-Connected Cameras and Card Readers

An obscure bug in 34 companies' physical secure gadgets could leave them open to hackers.

from
https://www.wired.com/story/devils-ivy-iot-vulnerability

Monday, July 17, 2017

Myspace Security Flaw Let Anyone Take Over Any Account Just By Knowing Their Birthday

If you know someone's birthday, you can crack their Myspace account.

from
https://www.wired.com/story/myspace-security-account-takeover

Twitter Will Never Ban Donald Trump

If Twitter were going to ban Trump, they would have done it by now.

from
https://www.wired.com/story/twitter-ban-donald-trump

Sunday, July 16, 2017

IBM Z's 'Pervasive Encryption' Wants to Stop Data Breaches in Their Tracks

The new IBM Z mainframe uses "pervasive encryption" to stop data breaches in their tracks.

from
https://www.wired.com/story/ibm-z-mainframe-encryption

An Amazon Echo Can't Call the Police—But Maybe It Should

Though coming from a connected home assistant, there may be such a thing as too much help.

from
https://www.wired.com/story/alexa-call-police-privacy

Saturday, July 15, 2017

Verizon and WWE Data Exposures Come Down to Human Error

What's behind the recent spat of database vulnerabilities? Good ol' fashioned human error.

from
https://www.wired.com/story/amazon-s3-data-exposure

Security News This Week: White House Exposes the Info of Privacy-Concerned Voters

The White House exposes voter info, Trump Jr. met with an alleged Russian hacker, and more security news this week.

from
https://www.wired.com/story/white-house-exposes-private-voter-info

Friday, July 14, 2017

Did Trump's Data Team Help Russian Hackers? Facebook Might Have the Answer

The congressional investigation turns its attention to the digital team that helped Trump win.

from
https://www.wired.com/story/trump-russia-data-parscale-facebook

The AlphaBay Takedown Sends Dark Web Markets Reeling

But law enforcement's raid on AlphaBay won't end the darknet's vibrant drug trade.

from
https://www.wired.com/story/alphabay-takedown-dark-web-chaos

Wednesday, July 12, 2017

Your Guide to Russia’s Infrastructure Hacking Teams

Which of Russia's hacking groups is targeting American energy utilities?

from
https://www.wired.com/story/russian-hacking-teams-infrastructure

Tuesday, July 11, 2017

In Donald Trump Jr.'s Emails, Intent Matters More than Intel

The conservative defense of Donald Trump Jr. misses the point.

from
https://www.wired.com/story/donald-trump-jr-email-intent

Rob Goldstone, the Trump Family, and Russia: A Timeline

As details around Donald Trump Jr.'s meeting with Russian lawyer Natalia Veselnitskaya become clearer, a look at the man who brokered it, and his ties to the Trumps.

from
https://www.wired.com/story/rob-goldstone-trump-family-timeline

Saturday, July 8, 2017

Kaspersky Gives the Government Its Code

Each Saturday we round up the news stories that we didn’t break or cover in depth but that still deserve your attention.

from
https://www.wired.com/story/security-news-kaspersky

Friday, July 7, 2017

The Petya Plague Exposes the Threat of Evil Software Updates

Security firm Kaspersky says the ransomware was the third attack in the last year that hijacked innocent updates to spread malware.

from
https://www.wired.com/story/petya-plague-automatic-software-updates

Hackers Targeted a US Nuclear Plant (But Don't Panic Yet)

Hackers have reportedly targeted US energy utilities, and may be laying the groundwork for blackouts. But they may yet be a long way from that goal.

from
https://www.wired.com/story/hack-brief-us-nuclear-power-breach

Wednesday, July 5, 2017

North Korea's Latest Missile Launch Hastens the Day It Can Launch Nuclear Weapons

Despite its frequent missteps, experts agree that North Korea will achieve the ability to launch a nuclear missile.

from
https://www.wired.com/story/north-korea-icbm-missile-test

Sunday, July 2, 2017

Professional Phishers Assailed to My Inbox

Phishing attacks have gotten crazy smart. I know that now firsthand.

from
https://www.wired.com/story/phishing-attempts-email-inbox