HNNEpisode201

From Paul's Security Weekly

Recorded December 18, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Announcements:

    • RSA Conference 2019 is the place to be for the latest in cybersecurity data, innovation and thought leadership. From March 4 – 8, San Francisco will come alive with cybersecurity’s brightest minds as they gather together to discuss the industry’s newest developments. Go to rsaconference.com/securityweekly-us19 to register now using the discount code 5U9SWFD to receive $100 off a full conference pass!
    • If you are interested in quality over quantity and having meaningful conversations instead of just a badge scan, join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass.
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

    Security News

    1. Google Outlines Steps It Is Taking to Secure Kubernetes - Among those questions that customers ask Google about its managed Kubernetes service, Google Kubernetes Engine, are ones about infrastructure security, with organizations curious about how Kubernetes security features can be used to protect user identities, Kaczorowski said. Organizations are also curious about the software supply chain and whether or not a given container application image is safe to deploy. Google, and others in this space, are going to get more questions like this. Security teams are getting up to speed on DevOps technology and will drive security, as a collaborative effort, within the DevOps process. There are too many areas of potential security weaknesses in today's modern software development and delivery processes; we must work together.
    2. Twitter Fixes Bugs That Expose Data - On Monday, the social-media giant revealed a hole that accidentally enabled bad actors to pull the country codes of accounts’ phone numbers – and revealed that several IP addresses located in China and Saudi Arabia may have been trying to access the exposed data. This comes on the heels of a tricky glitch, disclosed over the weekend, that had allowed several apps to read users’ direct messages – even when they told users that they wouldn’t. While there is no evidence of a data breach per se, opsec is important. I suggest using separate phone numbers for social media accounts, I mean get as fancy as you like even with multiple SIM cards. Also, realize that Direct Messages are not called "Secure Direct Messages", and private communications should not be had on social media networks, but rather through Signal or other secure messaging platforms (though I like Signal best).
    3. U.S. Ballistic Missile Defense System Rife with Security Holes - Ah, the devil is always in the details, usually at the end of the article, which states: Lamar Bailey, director of security research and development at Tripwire, added that while the findings are alarming, it’s not quite as bad as it seems initially, given that the security problems were not found in a blanket fashion across the five facilities that were audited. “While I agree at first glance this sounds horrible, the key word in the findings is ‘consistently,’” he said via email. “Only one audit hit all five [networks audited] and this dealt with justification for access. [Not only were they] not consistently used, but this can apply to ‘administrative, facility, a lab or both,’ so they may not apply to the networks with the defense/offense controls.”
    4. Critical SQLite Flaw Leaves Millions of Apps Vulnerable to Hackers - We will be patching this one for a long time: SQLite is the most widely deployed database engine in the world today, which is being used by millions of applications with literally billions of deployments, including IoT devices, macOS and Windows apps, including major web browsers, such as Adobe software, Skype and more. Since Chromium-based web browsers—including Google Chrome, Opera, Vivaldi, and Brave—also support SQLite through the deprecated Web SQL database API, a remote attacker can easily target users of affected browsers just by convincing them into visiting a specially crafted web-page.
    5. Suggestions for Last-Minute Holiday IT Gifts - If you are shopping for the security nerd on your list, check out this handy, encrypted, USB drive: The Datalocker Sentry K300 256-bit USB stick is a handy instrument for storing and securing important files. It can hold a lot (from 8GB up to 256GB) and is easy to use. The Sentry K300 is the only platform independent, keypad, micro SSD to incorporate an OLED display to enable advanced security features. The display supports true alpha-numeric password based authentication and a full featured on-board menu system. I also recommend a two-factor authentication token, such as those from Feitian, Yubico or Google.
    6. Malware controlled through commands hidden in memes posted on Twitter - When Memes attack! Okay, not the Meme itself, but rather receiving commands from the images. I am assuming the commands are embedded in the metadata, but have not researched it. The article states: The BERBOMTHUM malware checks the Twitter account used by the attackers, downloads and scans meme files, and extracts the command they include. The Twitter account used by miscreants was created in 2017 and contained only two memes posted on October 25 and 26. The images were used to deliver the “/print” commands to the malware.
    7. WordPress Targeted with Clever SEO Injection Malware - Nasty little malware using WordPress sites: Upon analysis, the researchers discovered that the malware has two functions. First, it can add hidden links for indexing by search engines (a process that usually violates search engine terms of service and could result in blacklisting of the site); and secondly, it can redirect site visitors to spam content. The latter function is more advanced than usual, because it only redirects unregistered site users (presumably one-time visitors who wouldn’t flag the issue to the webmaster). And, it redirects visitors to certain pages based on their profile.

    Expert Commentary: Ed Sattar, QuickStart: How To Optimize Your Cyber Security Investment To Maximize ROI

    Ed Sattar is the CEO of QuickStart and has more than two decades of experience in the e-learning industry. His experiences include extensive research and consulting to convert training into high-impact, personalized learning experience for a modern learner.


    • How to decide what to spend on
    • Balance in investments in technology as well as quality training
    • Workforce readiness

