From Paul's Security Weekly
Hack Naked News #161
Recorded February 14, 2018 at G-Unit Studios in Rhode Island!
- Check out our friends at ITProTV for an awesome library of on-demand training; head on over to ITPro.TV/securityweekly!
- InfoSec World is March 19-21, 2018, at Lake Buena Vista, Florida. Security Weekly subscribers can save 15% off the InfoSec World 2018 Main Conference or World Pass with the code OS18-SW!
- HackWest 1.0 "The Wild Bunch" will be held in Salt Lake City March 21st through 23rd. Go to hackwest.org to register, and get a 25% discount with the code "SWHW2018".
- Check out ServiceNow's webcast on Symphonies & Robots! Register at securityweekly.com/servicenow.
- SOURCE Boston is coming up on May 9-10! Go to sourceboston.com and use the $100 discount code W89AEE2.
- Microsoft Won't Patch a Severe Skype Vulnerability Anytime Soon - A new vulnerability has been discovered in Skype, and we won't see a patch anytime soon. A DLL hijacking vulnerability was reported to Microsoft by security researcher Stefan Kanthak this week; fixing it will require Microsoft to rewrite a significant portion of Skype's code and distribute a shiny new version to all Skype users, presumably on all Windows platforms. No word on when this will happen, but stay tuned.
- Lenovo Warns Critical WiFi Vulnerability Impacts Dozens of ThinkPad Models - Lenovo warned customers on Friday that two critical Broadcom vulnerabilities impact 25 models of its popular ThinkPad brand. The vulnerabilities were first revealed in September and were originally reported to impact only specific Broadcom chipsets used in Apple iPhones, Apple TV and Android devices. This follows a couple of recent vulnerability announcements on the Lenovo platform, making me a bit leery of using hardware from Lenovo; though they are patching, multiple issues such as these are not a good sign.
- Romance Scams Drive Necurs Botnet Activity in Run Up to Valentine's Day - Attackers have always been opportunistic with phishing campaigns, exploiting current events and holidays to trick users into getting infected. This scam is really interesting, as victims are encouraged to share revealing photos of themselves, which scammers later use as leverage in extortion shakedowns. Seriously? Do people fall for this one? Damn.
- Zerodium Offers $45,000 For Linux Zero-Day Vulnerabilities - This seems a bit shady to me, as Zerodium's "customers may include government agencies that require exploits for purposes including breaking device encryption or conducting covert surveillance." I believe it's unethical and really just a way to sell your exploits on the black market. The good angel on your shoulder should tell you to responsibly disclose the vulnerability to the Linux development teams, but I digress.
- Hackers Hijack Nintendo Switch, Show Linux Loaded On Console - Ars Technica reports that hackers have cracked the Nintendo Switch: this week, the hacking team fail0verflow claimed a major advance in that effort, tweeting a picture showing Linux booting up on the machine. While fail0verflow's photo wouldn't be that difficult to fake, the group has released several significant hacks for systems ranging from the Wii to the PS4 in the past, lending credence to their Switch hacking claims. I think this is really cool, nothing more...
- Uh-oh. How just inserting a USB drive can pwn a Linux box - If you are running KDE Plasma, you want to be wary of USB thumb drives: if a USB memory stick plugged into a vulnerable computer has a volume label containing the characters `` or $(), the text within those characters will be executed as shell commands, because the label is passed to a shell without being quoted. KDE Plasma users are advised to update their systems as soon as possible to version 5.12.0 or later.
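The KDE item above is a plain case of shell command substitution on untrusted input: a device label is data, but once it is spliced unquoted into a command line, `` `...` `` and `$(...)` inside it become code. The following Python is an added example written for these notes; it is not KDE's code and does not reproduce the real Plasma bug. It assumes a hypothetical mount-notification command (`notify-send`) and uses two constructed labels, one benign and one carrying a harmless `$(echo ...)` substitution, to show (a) a screening check for labels that contain substitution syntax, (b) the bug pattern next to the `shlex.quote` fix when a shell string is unavoidable, and (c) the preferred fix of passing the label as its own argv element so no shell ever parses it.

```python
import re
import shlex
import subprocess
import sys

# Shell command-substitution syntax: a backtick or "$(".  Assumption: this is
# the only class of label content screened for in this example.
COMMAND_SUBSTITUTION = re.compile(r"`|\$\(")

# Constructed sample labels for the demonstration; not taken from a real device.
BENIGN_LABEL = "VACATION_PHOTOS"
HOSTILE_LABEL = "$(echo injected)"


def label_is_suspicious(label: str) -> bool:
    """True when a volume label carries command-substitution syntax."""
    return COMMAND_SUBSTITUTION.search(label) is not None


def shell_line_unquoted(label: str) -> str:
    """The bug pattern: the label is spliced verbatim into a shell string.

    If this string were handed to `sh -c`, the shell would evaluate any
    backtick or $() substitution in the label before running the command.
    It is returned only for inspection and is never executed here.
    """
    return f"notify-send 'Device mounted' {label}"


def shell_line_quoted(label: str) -> str:
    """Fix when a shell string is unavoidable: quote the label as one word.

    shlex.quote wraps anything outside the shell-safe character set in single
    quotes, so substitution syntax inside the label is passed as literal text.
    """
    return f"notify-send 'Device mounted' {shlex.quote(label)}"


def echo_label_via_argv(label: str) -> str:
    """Preferred fix: hand the label to the child as a separate argv element.

    No shell is involved, so nothing interprets the label.  The Python
    interpreter stands in for notify-send so the example runs anywhere; the
    child simply prints argv[1], and the caller gets the label back unchanged.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", label],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    for label in (BENIGN_LABEL, HOSTILE_LABEL):
        print(f"{label!r}: suspicious={label_is_suspicious(label)}")
        print("  unquoted shell line:", shell_line_unquoted(label))
        print("  quoted shell line:  ", shell_line_quoted(label))
        print("  argv round-trip:    ", echo_label_via_argv(label))
```

The screening check is a detection aid for log review or a mount hook, not a substitute for the fix: the argv form is correct for every label, including ones the regex does not anticipate, which is why it is the one to prefer.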
- Salon website gives you a choice: turn off your ad blocker or let us mine cryptocurrencies - This is not a good trade-off. Yup, Salon is giving you a choice: if you don't want to disable your ad blocker, maybe you'll feel comfortable letting it run code from Coinhive, which will gobble up your computer's resources to mine some Monero cryptocurrency.
- 0-Day Flash Vulnerability Exploited In The Wild - In other news that should come as no surprise: another 0-day Flash vulnerability is being exploited in the wild. The previously unknown flaw has been labelled CVE-2018-4878 and affects 184.108.40.206 and earlier versions for both Windows and Mac (the desktop runtime) and for basically everything in the Chrome Flash Player (Windows, Mac, Linux and Chrome OS).
- Google Chrome Marking ALL Non-HTTPS Sites Insecure July 2018 - Good news for companies selling SSL certificates: Google is ramping up its campaign against HTTP-only sites and is going to mark ALL non-HTTPS sites insecure in July 2018 with the release of Chrome 68. It's a pretty strong move, but Google, and the Internet in general, have been moving in this direction for a while.