From Paul's Security Weekly
Recorded April 25, 2019 at G-Unit Studios in Rhode Island!
- Register for our upcoming webcast with ServiceNow by going to https://securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find them at https://securityweekly.com/ondemand.
- You can now submit your suggestions for guests in our recently released guest suggestion form! Go to https://securityweekly.com/guests and enter your suggestions!
- We've heard from our listeners that they love our content, but the amount of content we distribute can sometimes be overwhelming. We've recently released our customizable listener interest list. Visit https://securityweekly.com/subscribe and click the button to Join the Listener List and let us know your interests.
- The Layer 8 Conference has two tracks of talks on social engineering and Open Source Intelligence gathering. The conference is the only one of its kind and will be on Saturday, June 8th in Providence, Rhode Island. Check out the Mental Health Hackers village, the TOOOL lockpick village, the CTF with Trace Labs, all at layer8conference.com
Interview: Haroon Meer, Thinkst - 6:00-6:30PMThinkst Canary. Haroon has contributed to several books on information security and has published a number of papers on various topics related to the field. Over the past decade (and a half) he has delivered research, talks, and keynotes at conferences around the world.
Tech Segment: Gururaj Pandurangi, Cloudneeti- 6:30 - 7:30PM
Security News - 7:30PM-8:30PM
- Chrome 74 Patches 39 Vulnerabilities
- Serious Vulnerabilities Found in Fujifilm X-Ray Devices - I can't believe we are still talking about TELNET: a critical flaw related to the lack of authentication mechanisms for Telnet services (CVE-2019-10950). The second bug can be exploited to access the underlying operating system and possibly gain complete control of a vulnerable device. Not only that but lack of authentication!!!
- DNSpionage Hackers Use New Malware in Recent Attacks
- IoT Security- it's complicated
- Facebook Could Be Fined Up To $5 Billion Over Privacy Violations - To be clear the amount of fine is not what the FTC has announced or hinted yet; instead, it's an estimated due that Facebook disclosed on Wednesday in its first quarter 2019 financial earnings report.
- Hacker could locate thousands of cars and kill their engines... - Lorenzo Franceschi-Bicchierai, a hacker claims he managed to break into accounts belonging to users of GPS tracker apps, allowing him to monitor the locations of tens of thousands of vehicles, and even granting the ability to turn off the engine of some of them as they were moving.
- Ramblings of a Recovering Academic on the So-Called Lack of Security Talent - +1000 on this article, LOVE it: In reality, the false impression that available jobs are unattractive may be a symptom of miscommunication between candidates and employers, and misunderstandings about an academic researcher's skills and interests, which run deep in the industry. In turn, the inability to source candidates from academia may be leading to a perceived lack of senior technical talent in the field.
- 'Highly Critical' Unpatched Zero-Day Flaw Discovered In Oracle WebLogic - Oracle WebLogic application reportedly contains a critical deserialization remote code execution vulnerability that affects all versions of the software, which can be triggered if the "wls9_async_response.war" and "wls-wsat.war" components are enabled. The vulnerability, spotted by the researchers from KnownSec 404, allows attackers to remotely execute arbitrary commands on the affected servers just by sending a specially crafted HTTP request—without requiring any authorization.
- Those bootleg streaming devices have malware preinstalled - One app for pirated movies and live sports, called Mobdro, immediately forwarded his Wi-Fi network name and password to servers in Indonesia, he said. Other apps would collect data on the user, including photos and videos on the network, and upload them to the server. In one case, an app collected more than a terabyte of data after getting connected to Wolfe's network. These apps offered streams on movies that were still in theaters during the study time, like Aquaman and Green Book, as well as access to pay-per-views like UFC fights. One app, called "Free Netflix," used a network of stolen Netflix accounts that would constantly rotate so that hacked users would not become suspicious, Wolfe said.
- ISC Releases BIND Security Updates
- How a Nigerian ISP Accidentally Hijacked the Internet - BGP For The WI-er, Loss: China Telecom, one of MainOne's BGP peers, accepted the route advertisement and relayed it to its neighbors. Transtelecom, based in Russia, accepted this advertisement and relayed it to its peers. At this point, the advertisement had made it far enough into the Internet that many ASs began accepting it. For around 74 minutes, most traffic destined for Google and Cloudflare services from around the world was routed through Russia, into China, and on to MainOne in Nigeria.
- Password1, Password2, Password3 no more: Microsoft drops password expiration rec - FINALLY! the latest draft for the baseline configuration for Windows 10 version 1903 and Windows Server version 1903 drops this tedious requirement. The rationale for the previous policy is that it limits the impact a stolen password can have—a stolen password will automatically become invalid after, at most, 60 days. In reality, however, password expiration tends to make systems less safe, not more, because computer users don't like picking or remembering new passwords. Instead, they'll do something like pick a simple password and then increment a number on the end of the password, making it easy to "generate" a new password whenever they're forced to.
- Crooks abuse GitHub platform to host phishing kits - Since at least mid-2017, phishers have also been abusing free code repositories on the popular GitHub service to host phishing websites on the canonical $github_username.github.io domain.” reads the post published by Proofpoint. “threat actors establish a canonical code repository site within the github.io canonical domain that resembles the brand they are abusing.
- Supply Chain Hackers Snuck Malware Into Videogames
- Hackers are stealing millions in Bitcoin Thieves use SIM swapping to get access to email and other data that allows access to cryptocurrency wallets, laundering millions.
- LinkedIn Data Found in Unsecured Databases Researcher from GDI Foundation found about 60Million LinkedIn records in an unsecured Amazon database. What was interesting was that the database shifted IP addresses nightly, and that the information appeared to contain non-public data. LinkedIn claims the data was public aggregated with other data sources. Databases were secured after April 15, 2019.
- Tiwan Military holds 'Anti-Fake News' Exercises This week, April 22-26, Tiwaneese military began simulation of the 35th Han Kuang exercises that include exercises to combat disinformation and "fake news" online to thwart disinformation campaigns from the Communist Party of China (CCP.)
- WordPress Social Warfare Plugin Vunlerabilities WordPress Social Warfare plugin joins the list of plugins that permit RCE and XSS exploits, CVE-2019-9978 is being actively exploited in the wild, 42,000 sites purportedly haven't applied the fix from March 21, 2019.
- Fingerprint Errors on over 200,000 Danish Passports Danish authorities find errors in over 200,000 Danish Passports. Apparently right and left hand fingerprints were swapped. Authroities looking for a fix without making citizens pay for new passports. The Danish passport offers visa-free access to over 187 countries making it one of the most attractive in the world.
- Online thief cracks private keys to steal $54m in ETH Weak private keys used in the ETH blockchain allowed thieves to steal $54M, highlighting the need for tested, verified good key management practices versus rolling your own.
- Microsoft Considering dropping its Windows Password expiration policy THey are considering dropping this form their configuration baseline guidance. The realities of changing passwords too frequently, the ease of which users will give up passwords plus providing organizations flexibility on implementing a value to suit their risk profile were reasons stated.
- Nokia 9 bug allows unlock with - anything Android 9 Pie update 4.22 likely introduced bug that allows any fingerprint (or other ojbects) to unlock the device once one is configured.
- The Black Hole: It's time for Apple to ditch the MacOS trash can In my search to find an awesome story for the Security News, the one thing I was intrigued about over the past couple weeks was that Dr. Katie Bouman, a 29 year old Computer Scientist, created the algorithm that was able to snap the first picture of a black hole, which imaged over 5 petabytes of data. Amazing! The article dives into the NeXT computer that Steve Jobs founded, and how the operating system used a "black hole" as the trash can we find today in Windows and PC. How cool would it be to bring back the black hole to replace the trash bin?? Awesome!!! Here's a link to the article going more in depth of Dr. Katie's work - https://www.cbsnews.com/news/katie-bouman-black-hole-image-algorithm-mit/
- Virtual reality as a treatment for ADHD? I found this one very interesting, as the article states that it would be awesome if a parent could download an app for treatment, being readily accessible to anyone around the world. I also love that the UC Davis MIND Institute (team leading the study), is trying to figure out a way to solve the illness through non-pharmaceutical treatment. Technology FTW!
- How the Boeing 737 Max Disaster looks to a Software Developer An examination of the 737 Max problem, origin and hardware issues the MACS attempts to solve, and the deficiencies of that solution by a software designer and private pilot.
- Why “PWNED" is appearing on smart watches…
- Carpe Diem - Apache root
- Intelligence Agencies want fast threat dissemination. "When a cyberattack begins, Canada's intelligence establishment can get essential threat information to a critical infrastructure provider in just seven minutes. While that's an improvement on what previously might have been a seven-week delay, the goal is to get such threat-information sharing down to 7 milliseconds, says Scott Jones, who heads the Canadian Center for Cyber Security.”
- Forcing the finger…."A US judge gave the cops permission to force people's fingers onto seized iPhones to see who could unlock them, a newly unsealed search warrant has revealed.”
- Nest features for came to keep intruders out, actually lets them in to your network.
- How Microsoft discovered backdoors Huwawei drivers
- such fun doing Wireshark in curses