HNNEpisode162

From Paul's Security Weekly
Jump to: navigation, search

Hack Naked News #162

Recorded February 20, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Annoucements

    • Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
    • Also check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • InfoSec World is March 19-21st of 2018. It is at Lake Buena Vista, Florida. Security Weekly subscribers can save 15% off the InfoSec World 2018 Main Conference or World Pass with the code OS18-SW!
    • HackWest 1.0 “The Wild Bunch” will be held in Salt Lake City March 21st through 23rd. Go to hackwest.org to register, and get a 25% discount with the code, “SWHW2018”.

    News

    Google drops new Edge zero-day as Microsoft misses 90-day deadline Turns out Google isn’t joking around when they say they will disclose vulnerabilities that are not patched by the 90 day disclosure deadline. On Feb 15 Google made public a vulnerability with Microsoft’s Edge browser. The flaw was originally discovered last November and is with Edge’s secondary layer of defense called Arbitrary Code Guard. Once an attacker has compromised a browser via an initial vulnerability, this flaw allows the bypass of ACG. Google’s decision to drop this flaw even as Microsoft explained the difficulties with fixing it and gave a current release date of March 13th, has ignited some debate over Google’s iron clad deadline. Moral of the story is if Google contacts you about a vulnerability, you better get working. The 90 day clock is ticking.


    Hackers sentenced for SQL injections that cost $300 million The wheels of justice turn slowly, but they keep going. Listeners may remember the Heartland data breach that occurred back in 2009. The breach was huge news as the payment card brands shut down Heartland’s ability to process payments and the size of the breach was the largest breach of credit card information at that time. Approximately 160 million cards were compromised and prosecutors pegged damages three corporate victims was $300 million in losses. Wednesday the US Attorney’s office of New Jersey stated that two more perpetrators had finally been sent to federal prison after pleading guilty in 2013. At this point prosecutors have three of the attackers in prison and are still hunting the remaining three. It may be an old breach now, but law enforcement is still actively working this case.


    32 lawsuits filed against Intel over Spectre and Meltdown flaws The fallout from the Spectre and Meltdown attacks continues to happen. According to Ars Technica, Intel’s latest SEC filing stated that is facing 32 lawsuits over the vulnerabilities in their processors. 30 of these cases are class action lawsuits for consumers. The remaining two are securities lawsuits related to alleged false statements by the company in six month period after Intel was notified of the flaws. And finally there are three more claiming that Intel’s board and corporate officers committed a breach of duty in pursuing the alleged insider trading by Intel CEO Brian Krzanich. Which actually adds up to 35 lawsuits. Weird. Anyhow, now the lawyers have gotten involved in the impact of these attacks.


    Apple rushes fix for latest 'text bomb' bug as abuse spreads So perhaps you’ve been having fun texting your Apple product owning friends characters in the Telugu language. These characters cause applications on iOS and MacOS to crash when attempting process the characters. I can personally attest that this works when sending the characters via the Messages app on your Mac. Apple has responded with a patch that is available for install now. It will require a restart of your device and/or computer, but at least you won’t have to worry about killer Telugus now. Happy patching.

    https://www.grahamcluley.com/apple-fixes-killer-text-bomb-vulnerability-new-update-ios-macos-watchos-tvos/


    Why Chrome’s ad filter isn’t an adblocker Google has released a new ad filter in Chrome to address some of the really annoying ads that we get pummeled with. The filter is designed to address some of the most annoying and disruptive type of ads that get in our faces. These include flashing animated ads, ads that cover the entire screen, ads that auto play sound (I HATE THESE!!) and others. The update has caused much rejoicing by some folks who see this as Google supporting ad blocking in Chrome natively. The only problem is that it doesn’t intend to be an ad blocker. Google still wants us to see those links to pages that promise that one crazy trick will pay off our mortgage and cure any disease. Google just wants to prevent them from displaying them in ways that they have deemed to be egregiously annoying. After all, Google is an advertising company and cutting off their major revenue stream seems like a bad idea. Bottom line, the update should help prevent some of the things that really drive folks crazy, but isn’t going to block all ads.


    NIST Floats Internet of Things Cybersecurity Standards NIST has publicly unveiled their new security standards publication 8200 on Wednesday of last week. This publication contains their recommendations to address security in IoT devices. The draft document is 187 pages long and I’m sure is a real page turner. NIST has stated that they found that adoption of security standards has been slow in adoption by vendors. In all honesty, I don’t see the new standard changing that adoption rate. However, when attacks start causing noise in the news and doing damage to company brands, at least the standards have been published for vendors to reference in addressing things. And I apologize for my low level of optimism to how IoT will discover the need for securing their devices and applications.


    Larry's Proposed News

    1. Stealing passwords for DRM
    2. Scanning S3 buckets


    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+