From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #161

Recorded February 14, 2018 at G-Unit Studios in Rhode Island!

Episode Audio


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Annoucements

    • Check out our friends at ItProTV for an awesome library of OnDemand training head on over to ITPro.TV/securityweekly!
    • InfoSec World is March 19-21st of 2018. It is at Lake Buena Vista, Florida. Security Weekly subscribers can save 15% off the InfoSec World 2018 Main Conference or World Pass with the code OS18-SW!
    • HackWest 1.0 “The Wild Bunch” will be held in Salt Lake City March 21st through 23rd. Go to to register, and get a 25% discount with the code, “SWHW2018”.
    • Check out ServiceNow's webcast on Symphonies & Robots! Register at
    • SOURCE Boston is coming up on May 9-10! Go to to use the $100 discount code - W89AEE2.


    1. Microsoft Won't Patch a Severe Skype Vulnerability Anytime Soon - A new vulnerability has been discovered in Skype, and we won't see a patch anytime soon. A DLL hijacking vulnerability was reported to Microsoft by security researcher Stefan Kanthak this week and will require Microsoft to re-write a significant portion of Skype's code, requiring a shiny new version to be distributed to all Skype users, presumably on all Windows platforms. No word on when this will happen, but stay tuned.
    2. Lenovo Warns Critical WiFi Vulnerability Impacts Dozens of ThinkPad Models - Lenovo warned customers on Friday that two critical Broadcom vulnerabilities impacts 25 models of its popular ThinkPad brand. The vulnerabilities were first revealed in September and originally they were only reported to impact specific Broadcom chipsets used in Apple iPhones, Apple TV and Android devices. This vulnerability follows a couple of recent vulnerability announcements on the Lenovo platform, making me a bit leery of using hardware from Lenovo, though they are patching, multiple issues such as these are not a good sign.
    3. Romance Scams Drive Necurs Botnet Activity in Run Up to Valentines Day - Attackers have always been opportunistic with phishing campaigns, exploiting current events and holidays to trick users into getting infected. This scam is really interesting as Victims are encouraged to share revealing photos of themselves, which scammers later use as leverage in extortion shakedowns. Seriously? Do people fall for this one? Damn.
    4. Zerodium Offers $45,000 For Linux Zero-Day Vulnerabilities - This seems a bit shady to me as Zerodium 'Customers may include government agencies that require exploits for purposes including breaking device encryption or conducting covert surveillance.'. I believe its unethical and really just a way to sell your exploits on the black market. The good angel on your shoulder should tell you to responsibly disclose the vulnerability to the Linux development teams, but I digress.
    5. Hackers Hijack Nintendo Switch, Show Linux Loaded On Console - Arstechnica reports that hackers have cracked the Nintendo Switch: This week, the hacking team fail0verflow claimed a major advance in that effort, tweeting a picture showing Linux booting up on the machine. While fail0verflow's photo wouldn't be that difficult to fake, the group has released several significant hacks for systems ranging from the Wii to the PS4 in the past, lending credence to their Switch hacking claims. I think this is really cool, nothing more...
    6. Uh-oh. How just inserting a USB drive can pwn a Linux box - If you are running KDE Plasma, you want to be aware of USB thumb drives as if a USB memory stick is plugged into a vulnerable computer has a volume label containing the characters `` or $(), the text contained within the characters will be executed as shell commands. KDE Plasma users are advised to update their systems as soon as possible to version 5.12.0 or later.
    7. Salon website gives you a choice: turn off your ad blocker or let us mine cryptocurrencies - This is not a good trade-off: Yup, Salon is giving you a choice. If you don't want to disable your ad blocker, maybe you'll feel comfortable letting it run code from Coinhive which will gobble up your computer's resources to mine some Monero cryptocurrency.
    8. 0-Day Flash Vulnerability Exploited In The Wild - In other news, that could come at no suprise: ..another 0-Day Flash Vulnerability is being exploited in the Wild, a previously unknown flaw which has been labelled CVE-2018-4878 and it affects and earlier versions for both Windows and Mac (the desktop runtime) and for basically everything in the Chrome Flash Player (Windows, Mac, Linux and Chrome OS).
    9. Google Chrome Marking ALL Non-HTTPS Sites Insecure July 2018 - Good news for companies selling SSL certificates: Google is ramping up its campaign against HTTP only sites and is going to mark ALL Non-HTTPS sites insecure in July 2018 with the release of Chrome 68. It’s a pretty strong move, but Google and the Internet, in general, has been moving in this direction for a while.

    Expert Commentary

    Tim comes on the show to talk about Crypto Mining. Tim has over 13 years of experience in cybersecurity, from network to cloud to application attacks and defenses. Prior to joining DomainTools, he helped define and launch some of the best-selling SMB security appliances in history during his tenure at WatchGuard. At Symform, he led definition and messaging efforts for the company's unique peer-to-peer cloud storage solution. Tim has spoken at security conferences, media events, and technology partner conferences worldwide.

    Radiflow reveals first documented cryptocurrency malware attack on SCADA network

    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+