This is Hacker Public Radio Episode 3,828 for Wednesday, the 5th of April 2023. Today's show is entitled, The Oh No News. It is hosted by Some Guy on the Internet, and is about 18 minutes long. It carries a clean flag. The summary is: Oh No News is good news.

Hello and welcome to another episode of HPR. I'm your host, Some Guy on the Internet. Let's begin the Oh No News. We're going to start off with threat analysis, your attack surface. The first story we're going to cover under threat analysis is going to be the Plex and LastPass story. In the last episode of The Oh No News, I covered LastPass and their vulnerability history, or I should say their recent vulnerability history. I did not want to include the name Plex back then. I wanted to read some more on it, so that way when I reported using the name Plex, I would have a little bit more detail, and I felt like that was a more responsible approach. Now, I just want to be clear: currently, it is pure speculation that Plex Media Server was involved in the LastPass data breach. A Plex vulnerability dubbed CVE-2020-5741 was patched in May of 2020, but a BleepingComputer article states, quote, This is likely linked to LastPass, close quote. Later in that same BleepingComputer article, which you can find in the show notes (all articles mentioned here will be in the show notes, I just want to state that), BleepingComputer linked to an Ars Technica article. The Ars Technica article states, quote, A person briefed on a private report from LastPass who spoke on condition of anonymity said the media software package that was exploited on the employee's home computer was Plex. Close quote. Ars Technica also mentioned in this article, quote, Interestingly, Plex reported its own network intrusion on August 24th, just 12 days after the second incident commenced.
Close quote. The second incident being the second LastPass incident. Just keep in mind, we're not saying the two are linked, but it's very interesting that right after LastPass had their incident, suddenly Plex has a data breach of their own. We're going to move on over to Plex and the security announcement that they've made regarding CVE-2020-5741. Now let's go ahead and read a message from the Plex security team from May 2020. Quote, We have recently been made aware of a security vulnerability related to Plex Media Server. This issue allowed an attacker with access to the server administrator's Plex account to upload a malicious file via the camera upload feature and have the media server execute it. This could be done by setting the server data directory to overlap with the content location for a library on which camera upload was enabled. This issue could not be exploited without first gaining access to the server's Plex account. Close quote. Plex also mentioned that they're going to start mitigation in version 1.19.3 of the Plex Media Server.

So the one thing that I'm going to point out here: the attacker has to first have admin access on the system, to the Plex Media Server. Most people already, you know, we give a pass to anyone, or anyone's software, when an attacker has root access on a machine. Kinda hard to just only blame Plex there, you know what I mean? What makes this bug a little more dangerous is, like they mentioned earlier, once the attacker has root access, they exploit this vulnerability within Plex and use Plex to then execute code without the user knowing it. Plex is being used as a link in the attack chain. Then after the latest LastPass incident in August of 2022 (don't worry, I'm not going to cover all of the details that were mentioned in the last Oh No News), but shortly after LastPass's data breach in August of 2022, approximately 12 days later, Plex also had a data breach.
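The precondition the May 2020 Plex advisory quoted above describes, a camera-upload library whose content location overlaps the server data directory, is a configuration that can be checked for before it is abused. The script below is an added example for this episode's notes, not Plex's own code: the data directory and library list are constructed sample values, and `overlapping_upload_libraries` is a name chosen here.

```python
import posixpath

# Constructed sample configuration: the server data directory and the
# libraries it serves, with the camera-upload flag recorded per library.
PLEX_DATA_DIR = "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server"
LIBRARIES = [
    {"name": "Movies", "path": "/srv/media/movies", "camera_upload": False},
    {"name": "Photos", "path": "/srv/media/photos", "camera_upload": True},
    # Content location inside the data directory: uploads land in server-managed space.
    {"name": "Phone",
     "path": "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Uploads/",
     "camera_upload": True},
    # Content location that contains the data directory: same problem, other direction.
    {"name": "Everything", "path": "/var/lib/", "camera_upload": True},
    # Overlaps too, but camera upload is off, so the advisory's condition is not met.
    {"name": "Archive", "path": "/var/lib/", "camera_upload": False},
]


def _normalize(path):
    # Collapse "..", duplicate separators and trailing slashes so comparisons
    # reflect the directory tree rather than the raw string. Symlinks are not
    # resolved here; on a live host also apply os.path.realpath to both sides.
    return posixpath.normpath(path)


def paths_overlap(a, b):
    """True if the two directories are the same or one lies inside the other.

    commonpath is used instead of a string-prefix test so that /a/bc is not
    mistaken for a subdirectory of /a/b.
    """
    a, b = _normalize(a), _normalize(b)
    return posixpath.commonpath([a, b]) in (a, b)


def overlapping_upload_libraries(data_dir, libraries):
    """Names of libraries with camera upload enabled whose content location
    overlaps the server data directory, the condition the advisory describes."""
    return [lib["name"] for lib in libraries
            if lib["camera_upload"] and paths_overlap(data_dir, lib["path"])]


if __name__ == "__main__":
    for name in overlapping_upload_libraries(PLEX_DATA_DIR, LIBRARIES):
        print(f"WARNING: camera-upload library '{name}' overlaps the server data directory")
```

Run against the sample data it flags Phone and Everything and leaves Archive alone, since the advisory's condition needs both the overlap and camera upload enabled.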
In August of 2022, the Plex data breach was just as bad. I mean, LastPass is worse because, again, it's the keys to everyone's kingdom. However, in the Plex data breach, the attacker had access to passwords, usernames and emails of over 30 million customers. Plex of course went through the usual methods of requiring all of its customers to reset their passwords, and other security measures. They also snuck in a little message at the bottom saying no payment data was leaked. Like that's going to do anybody any good, especially when it's tied to LastPass, right? I don't mean to laugh, because this is a terrible thing that has happened, but I can just imagine trying to recover your reputation when something like this gets out, after having Ars Technica mention that a confidential informant from LastPass stated that it was Plex's fault this whole thing happened. Which is kind of funny, right? It does feel like pointing the finger here. You know, LastPass, with all their terrible policies, now trying to go, no, no, it wasn't us, you know, Plex and their software is why this whole thing occurred. Plex did not respond in the way that we're used to within the online slash Linux community: Thank you for calling LastPass, how may I help you? How dare you try to drag Plex into your nonsense? You and your buggy big data software, we didn't... No, we didn't get that. Instead, Plex gave us something a little bit more classy and professional. Quote, We have not been contacted by LastPass, so we cannot speak to the specifics of their incident. We take security issues very seriously and frequently work with external parties who report issues big or small using our guidelines and bug bounty program. When vulnerabilities are reported following responsible disclosure, we address them swiftly and thoroughly, and we've never had a critical vulnerability published for which there wasn't already a patched version released. Close quote.
So there you have it, folks, that's what I have so far on this whole Plex and LastPass debacle. LastPass is attempting a graceful landing. Only problem is, they're moving at about 400 kilometers per hour, so I don't know how graceful it's going to be. They attempted to pull the Plex parachute at the last second, and the evidence that came from it all does kind of suggest Plex may have had a part in it. However, I cannot state this enough: this is like circumstantial evidence, right? These are things that are just happening around the same time period, and currently LastPass has not released any sort of actual data that they've gathered from the employee's home computer that suggests, yes indeed, Plex did play a part in this. So this is all just speculation. So let's move on from here. If there are more details in the future, I'll bring you back in on it.

On to the next story. KeePass. Not to be confused with KeePassXC. Vulnerability allows attackers with write access to the XML config to export cleartext passwords. This story was brought to us by NIST, the National Institute of Standards and Technology. Alright, I'm going to boil this one down. This is a vulnerability with the KeePass database file, but in order for it to be exploited, the attacker would need to have physical access to the machine with the user that controls the password database file already logged in. So if you were to walk away from your PC and just left it logged in, and someone walked up to that PC and found your KeePass database, they can then exploit this vulnerability. So either that, or an attacker with root access to your machine. In other words, your PC was already owned, so this vulnerability is just sort of a side effect of your PC being owned. Now with that said, it's still pretty rough, because you expect your password vault to keep your passwords secure.
KeePass has patched this, by the way, and I have some supporting articles down in the show notes that will take you to the different articles showing the patched versions, which I believe is 2.53, is the version that is patched, or 2.53.3, something like that. I just wanted to report this in what I feel to be a more responsible manner before it gets out there: Oh no! KeePassXC is super vulnerable, and you're going to lose all your passwords, because of the other stories with LastPass and everything else that's happening out there. So, you know, now, if you're using KeePass, just make sure you keep it up to date, don't let anybody you don't know access your computer, and you'll be just fine.

All right, let's go ahead and pivot on over to the user space portion of the show. First article: How to delete yourself from the internet. Bye! I'm going to go ahead and spoil it for you here, folks. You cannot actually delete yourself from the internet. Yeah, once you've uploaded something to someone else's computer, just because you made a request for them not to display it to you anymore doesn't mean it's not there anymore. But the article goes on telling you different methods about sending requests over to Google to remove information because it reveals very private information like your phone number, your home address, or things like that, and Google will remove it from the search results. They also go on to show you how to delete social media accounts and other chat service accounts. One of the good things about the article: they talked about Firefox Relay a little bit, just for a teeny bit, which, yay, Firefox, right? Mentioned some information about using VPNs, which is good information, but it keeps you private on the internet. It won't actually delete you. These are just pre-emptive measures and remaining anonymous on the internet.
And understand that's still very limited, depending on who's coming after you or who's looking for you. If they have enough time and resources, they'll find you. But I thought it was still a nice little article to mention for user space. If you were looking to clean up your trail just a little bit and you want a nice method to go about that, I thought this article was decent, especially if you can find your personal information in a Google search, like right on the search page, or your phone number, something just pops up and you don't know why. Yeah, you might want to take care of that.

And now, next article. Mark Zuckerberg's Meta exploring plans to launch Twitter rival. Yeah, I included this one in user space because I thought it was funny. Facebook's basically, from what it sounds like, Facebook's basically playing around with a Mastodon-like instance. So there's the idea written in the story that Meta, aka Facebook, is going to be launching a Twitter alternative, something like Mastodon. But of course, it's going to be centralized instead of decentralized, and it's just plans for now. There's no real evidence of it. Apparently, he's nervous about how TikTok's taking over, drawing a bunch of his Instagram models and things away from the platform. So, I got to come up with something fresh and hip, and all the other cliché nonsense. My throat's starting to give out here. I'm drinking a ton of water, but I'm going to, we're going to push on, folks, we're going to keep going.

Let's go ahead and change over to the next segment, which is Toys for Techs. Alright, like last time we did this, it's kind of hard to find cool toys for techs, but the first one I found was a nice little e-ink display, which is mounted to a Raspberry Pi Pico wireless board. And it's called the Inky Frame 4. It has Wi-Fi connectivity, you can mount extra storage using an SD card, very low power usage.
Now for some details on that e-ink display: it's the E Ink Gallery Palette 4000 ePaper. I don't know if that makes sense to you or not, but I got some links in the description if it doesn't. It's an ACeP, which stands for Advanced Color ePaper, 7 color, with black, white, red, green, blue, yellow and orange. And it looks pretty cool. It looks like a nice little wall mount system or whatever, if you want it like just a little e-display somewhere, so you can imagine this thing is going to be super low power because of that e-ink technology, and it's colored. They have some little images displaying the color palette, and they show things like the Pillars of Creation and a few other really cool images that look fairly nice. But just take a look at it. I didn't see any availability on it, like they're out of stock at the moment, so yes, it might be a supply chain issue or who knows, but it looks really cool and I thought I'd show it off here. And I almost forgot, Phil King, the author of the article, he gave it a wonderful review, quote, A classy color e-ink display whose Wi-Fi connectivity greatly extends the possible uses, including as a digital photo art frame, life organizer, or low-powered smart home dashboard. Close quote. Now, because I don't know anything about C or C++ or MicroPython, I can't give you a ton of detail on that, but I have included links in the description for the libraries. I think it links to GitHub and shows you some code examples and stuff like that. I was just poking around, and obviously I can't really make sense of what I'm looking at, but it's there if you can. You can look at it, and you have the schematic, so it's pretty nice. I think that's a nice little Toys for Techs. I think it comes, the whole device with the Pico and everything, comes in at about 70 US dollars, I think it was. So if that's something you're interested in, that whole e-ink thing, I remember that was big a little while ago, yeah, take a look at that.
All right, last but not least, our last toy and story for today, we're looking at the Yubico YubiHSM 2, which is like one of their really, really small form factor YubiKeys. This one was created specifically for the public sector, and they go into detail about all the different changes that they're making for this device. It's not a very podcast-friendly story, and I'll just give you an example of why: it's got a lot of alphabet soup and so on. There's a quick little line from the story here: Support for Advanced Encryption Standard, A-E-S, in Electronic Codebook, E-C-B, and Cipher Block Chaining, C-B-C, modes. All right, so then when you want to read further into it, you get: AES is one of the most widely used symmetric cryptographic algorithms and can be used in several modes such as E-C-B, C-B-C, C-C-M, and G-C-M. I want to stop there because, you know, like I mentioned, this isn't a very podcast-friendly thing to read, but it's Yubico, it's more security, and they talk some about the different threats out there. It's all the usual: zero-day exploits, other types of malware that's out there. It's not going to help you against something like ransomware, but still, you know, it's there to protect your digital credentials. Yeah, this little device, super low profile. For me personally, I'd have to keep it on the lanyard, because I got, you know, fat fingers, I can't really pinch down to pull such a small device out of the USB slot once it's inserted. So, like, if you take a look at it in the show notes, it's quite the form factor.

Alright, ladies and gentlemen, now my closing thoughts here before we end the show. I just wanted to mention that I reconfigured the way the show notes are so that it is more accessible to listeners who want to go through the show notes. I had some help from HPR members. Want to give a shout out to Mike Ray for assisting me via email. Oh, I must have been annoying the crap out of him, just blasting him with email.
You know, hey Mike, hey Mike, would you take a look at this one? You know, just constantly sending emails back and forth, trying to get him to look at stuff as I'm, as I'm making changes. So, I thank him for, for assisting me with that. And Dave as well, Dave gave me some help. He pointed me in a direction that would allow me to, you know, learn other features using Pandoc. And yeah, I mean, I believe we got the show notes looking pretty good. And I included an additional information section at the bottom of the notes. You can go through that to learn more if you're new to HPR and all of the security and technology. I've got some standardized notes I'd like to continue including with future shows, future Oh No News shows. So, that's about it. Thank you guys for listening. I'll see you guys in the next episode. Goodbye.

You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.