From hacking to hacked, hacking team gets owned & what gets leaked is the best part, we’ll share the details.

Plus, a new OpenSSL vulnerability revealed, Apple tweaks their two factor authentication.. Your questions, our answers & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Italian intrusion software vendor Hacking Team Breached, Data Released

• Hacking Team, a vendor known for selling spyware to governments, suffered a serious data breach
• The incident came to light Sunday evening when unnamed attackers released a torrent with roughly 400 GB of data purported to be taken from Hacking Team’s network.
• Among the more potentially damaging documents made public are invoices showing that Hacking Team has sold its intrusion software to government agencies in countries known to have oppressive regimes, including Sudan, Ethiopia, and Egypt.
• Researchers at Trend Micro have analyzed the leaked data and uncovered several exploits, including a zero-day for Adobe Flash Player.
• A readme document found alongside proof-of-concept (PoC) code for the Flash Player zero-day describes the vulnerability as “the most beautiful Flash bug for the last four years since CVE-2010-2161.”
• Adobe released a patch on July 7th 2015
• Researches also have found that the Adobe Flash zero-day has already been used in the wild.
• “In late June, we learned that a user in Korea was the attempted target of various exploits, including CVE-2014-0497, a Flash vulnerability discovered last year,” threat analyst Weimin Wu explains.
• The exploit was used to download a Trojan on the target’s computer, which then proceeds to download several other malicious payloads and create malicious processes.
• In addition to the Flash Player exploit, Trend Micro said it also spotted an exploit for a Windows kernel zero-day vulnerability in the Hacking Team leak.
• Did the “Hacking Team” find these zero days themselves? With the intent to sell them? Or did they discover them being used by others, and then added them to their own arsenal? Why were they not reported to the vendors?
• Additional Coverage: Hacking Team’s Flash 0-day exploit used against Korean targets before it was leaked
• Additional Coverage: Security Week
• Additional Coverage: CSO Online
• Additional Coverage: Net Security
• Additional Coverage: Daily Dot
• Additional Coverage: Threat Post — Update: Hacking Team to continue operations
• Hacking Team bought Flash 0-days from Russian hacker

iOS 9 will drop the recovery key from two-factor authentication

• After a hacker used social engineering against Apple Support to take over the Apple ID of Mat Honan, a Wired.com reporter, in order to take over his coveted 3 letter twitter handle, everyone raced to setup Two Factor Authentication for their Apple ID
• The hacker was able to remotely erase Honan’s iPhone and iPad, destroying personal data, family photos, and all other content.
• The hacker was able to reset the password for the Apple ID account by socially engineering the operation at Apple by using stolen information from public data, and from a hacked Amazon account
• In the aftermath, Apple promised to increase training of its support operators and improve security
• As part of this, when you enable two factor authentication, Apple issues you a recovery key. A short text string that you should print and store in a safe place
• Without it, you cannot recover your account if you lose the password
• This system is far more secure, but it has its drawbacks
• Journalist loses recovery key, and Apple ID
• If you, like Owen from the link above, lose your recovery ID, and your account is compromised or you lose your password, you have no way to get it back
• Apple has drawn a hard line in the sand, for the sake of security, they can’t recovery an account without that recovery key. You specifically asked to be protected from impersonation etc.
• In the wake of scandals such as “the fappening”, this strong stance on security makes sense
• However, Apple has decided to abandon it, because, as always, they are more focused on customer satisfaction than security.
• But, can you blame them?
• “Apple said at WWDC it would build a more integrated and comprehensive two-factor security system into its next OS releases”
• “Among other changes, the Recovery Key option that has tripped up users in the past, and led in some cases to users having to abandon an Apple ID as permanently unavailable, has been removed, an Apple spokesperson confirmed. With the new system, Apple customer support will work through a detailed recovery process with users who lose access to all their trusted devices and phone numbers.”
• Apple has posted more details about the new system on their Developer site

OpenSSL vuln revealed, while critical, not wide spread. All that hype for nothing

• “During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate. This issue was reported to OpenSSL by Adam Langley/David Benjamin (Google/BoringSSL).”
• Impact: “An attacker could cause certain checks on untrusted certificates, such as the
  CA (certificate authority) flag, to be bypassed, which would enable them to
  use a valid leaf certificate to act as a CA and issue an invalid certificate.”
• If you installed the OpenSSL update from June 11th, which blocks DH parameters shorter than 768 bits, your system is affected
• This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
  • OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
  • OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
• Older versions of OpenSSL (1.0.0 and 0.9.8) are not affected, but reminder: support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015
• This suggests further than OpenSSL needs to separate new features from bug and security fix releases
• Why are any new features being added to OpenSSL 1.0.1?
• Shouldn’t all new development happen only in the bleeding edge version?
• Why has a sane release model not been adopted yet?

Feedback:

• SSDs and ZFS

• storing your salty password hashes

• hp-ux, owncloud investigation?

Round Up:

• FBI’s James Comey: I Know All The Experts Insist Backdooring Encryption Is A Bad Idea, But Maybe It’s Because They Haven’t Really Tried
• 14 world renowned security experts including: Whitfield Diffie, Ronald L. Rivest, and Bruce Schneier have write a paper to the US and UK governments informing them that their ask for crypto backdoors are impossible and unsafe. Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications
• The FBI Spent $775K on Hacking Team’s Spy Tools Since 2011
• Click-Fraud trojan helpfully updates your flash player so you don’t get exploited by ads
• All US United Airlines Flights Are Grounded Due to “Automation Issues”
• The story of a company changing their proprietary code to an open source license
• NPR and Panoply on the economics of podcasting
• Bitcoin miners running outdated software are generating invalid blocks. However the hashing power of the invalid miners is high enough that the block chain is building on those blocks
• Windows Server 2003 end of support
• Data centers dropped into war zones