HNNEpisode175

From Paul's Security Weekly

Hack Naked News #175

Recorded May 29, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Announcements:

    • Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Ticket sales are open for the Social Engineering RI Conference, Saturday, June 6th at Salve Regina University in Newport, RI. Go to http://se-ri.org/ to register! We are giving away 2 tickets to this conference. Please send your best meme of Paul and Larry to psw@securityweekly.com.
    • How do you feel about User and Entity Behavior Analytics? What about your SIEM? Check out LogRhythm's webcast on June 14th at 3:00pm-4:00pm.

    Security News

    1. Why Is Your Location Data No Longer Private? Krebs on Security - Great article from Brian, I like this part as it clarifies what is actually happening: When the FCC’s repeal of the net neutrality rules takes effect on June 11, 2018, broadband providers will once again be regulated by the Federal Trade Commission (FTC). That power was briefly shared with FCC when the agency under the Obama administration passed its net neutrality rules with the assumption that it could regulate broadband providers like telecommunications companies. It remains to be seen how, or if, the FTC will regulate ISPs.
    2. SSD Advisory QRadar Remote Command Execution SecuriTeam Blogs - Multiple vulnerabilities in QRadar allow a remote unauthenticated attacker to cause the product to execute arbitrary commands. Each vulnerability on its own is not as strong as their chaining – which allows a user to change from unauthenticated to authenticated access, to running commands, and finally running these commands with root privileges. A patch has been issued by IBM, the link is in the article.
    3. Securing Mobile Devices During Summer Travel | US-CERT - As summer begins, many people will travel with their mobile devices. Although these devices—such as smartphones, tablets, and laptops—offer a range of conveniences, users should be mindful of potential threats and vulnerabilities while traveling with them. The guidelines include some basic advice, although noticeably missing is keeping your device up-to-date, in addition to all of your apps, making sure your phone is encrypted, using a secure messaging app like Signal, and protecting your device with a passcode/fingerprint/facial recognition.
    4. Z-Wave Downgrade Attack Left Over 100 Million IoT Devices Open to Hackers - Even after Silicon Labs, the company that owns Z-Wave, made it mandatory for certified IoT devices to use the latest S2 security standard, millions of smart devices still support the older, insecure version of the pairing process, called the S0 framework, for compatibility. And a research company found it could trick devices into falling back on the older, and less secure, protocol.
    5. Singapore ISP Leaves 1,000 Routers Open to Attack - Southeast Asian telecom giant Singapore Telecommunications Limited left approximately 1,000 customer routers wide open to a potential attack via an unprotected port. The flub occurred after the region’s largest ISP conducted remote maintenance on affected routers and failed to secure equipment when the work was complete, according to NewSky Security. Just making sure that this practice is still in play, and a note to ISPs NOT to do this, ever.
    6. Starbucks site slurped, Z-Wave locks clocked, mad Mac Monero mining malware and much more - XSS is still floating around, despite so many methods and techniques for protecting against it: Researcher Martin Bajanik discovered a cross site scripting bug that was present on the Starbucks UK website. The now-patched bug would have allowed an attacker to inject malicious JavaScript into the browsers of people visiting the cafe chain's online store, though Bajanik says an actual exploit would have been hard to pull off.
    7. French teens charged over Despacito hack - Two 18-year-old French citizens have been charged in Paris following a hack of popular music videos on YouTube. The hackers targeted a string of videos last year, including the hit song Despacito - the most-watched YouTube music video of all time. They did this through Vevo, a music hosting service, and this is reportedly not the first time the company has been breached.
    8. FBI Recommends Router Reboots to Limit VPNFilter Malware Risk - In many cases, the reason why power-cycling or rebooting a system works is because it will remove non-stateful code that is running in a device's memory and return the device to a default status. When it comes to malware, there has been a growing trend in recent years for attacks to make use of what is known as "file-less malware"—malware that resides in memory and doesn't use a specific malware executable that is stored on disk in order to run. The vulnerabilities will, of course, still exist. And the VPNFilter malware exploits known vulnerabilities, so also make sure you patch your devices.

    Expert Commentary

    Guest: Daniel Lowrie, ITPro.TV

    Daniel Lowrie is a Show Host at ITPro.TV.
    Daniel was born with a motherboard in one hand and a network cable in the other. After being raised by Aborigine Sys-Admins in the Australian bush, Daniel found his way to the most technologically savvy city on the whole of the Earth...Gainesville, FL. He then went on to serve the IT community as a Systems and Network Admin for corporate America. He is now back to teach the masses the art of IT. Daniel enjoys working in IT because he is intrigued by new technology and how technology and IT are driving the world that we live in. What he appreciates about ITProTV is that the method of learning caters to visual learners, like himself.

