From Paul's Security Weekly
Recorded January 8, 2019 at G-Unit Studios in Rhode Island!
- RSA Conference 2019 is the place to be for the latest in cybersecurity data, innovation and thought leadership. From March 4 – 8, San Francisco will come alive with cybersecurity’s brightest minds as they gather together to discuss the industry’s newest developments. Go to rsaconference.com/securityweekly-us19 to register now using the discount code 5U9SWFD to receive $100 off a full conference pass!
- If you are interested in quality over quantity and having meaningful conversations instead of just a badge scan, join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass.
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
- Ethereum Classic (ETC) Hit by Double-Spend Attack Worth $1.1 Million - We didn't have to wait long to see a 51% attack in 2019 against a cryptocurrency: Coinbase revealed Monday that it identified "a deep chain reorganization" of the Ethereum Classic blockchain (or a 51 percent attack on the network), which means that someone controlling the majority of miners on the network (over 50%) had modified the transaction history. After reorganizing the Ethereum Classic blockchain, the attackers were able to carry out what's called a "double spend" of about 219,500 ETC by recovering previously spent coins from the rightful recipients and transferring them to new entities chosen by the attackers (typically a wallet in their control).
- Linus Torvalds opts for the scream test: Linux kernel syscall tweaked to shut data-leak hole – anyone upset, yell now - I thought Linux was yelling, he still may: As we revealed first over the weekend, a group of experts – including some of the researchers who discovered the Spectre family of chip flaws – worked out how to get operating system page caches to leak information from one application to another. Among other things, a successful exploit would allow malware or rogue logged-in users to swipe sensitive data from application sandboxes that they should not otherwise be able to access. For Linux environments, the issue has been assigned CVE-2019-5489. That bug database entry notes that remote attacks are possible, for example, by exploiting latency in accessing files via an Apache web server to potentially sniff private data.
- InfoSec Handlers Diary Blog - A Malicious JPEG? Second Example - Good point from Didier Stevens: the malicious content of this JPEG image will not execute when the image is viewed with an image viewer or browser. For the script to execute, this JPEG file has to be opened as an HTML application (HTA). mshta.exe, the application that executes HTA files, ignores all the binary data of the JPEG image and parses and executes the script between the <SCRIPT> tags. This can be achieved by saving the JPEG image with an .hta extension and then launching it, or by running mshta.exe with a URL as argument that points to this JPEG image.
- NSA to Release Reverse Engineering Tool for Free Public Use - Dubbed GHIDRA, the tool will be demonstrated at RSA Conference 2019, which takes place in early March in San Francisco. The platform is said to include high-end capabilities and support for Windows, macOS, Linux, and other operating systems. GHIDRA provides users with the ability to disassemble executable files into code that they can then analyze. Such disassemblers are used, for example, in the analysis of malware and suspicious files. The platform was previously mentioned on WikiLeaks, as part of the “Vault 7” leak, which provided information on a broad range of hacking tools used by the U.S. Central Intelligence Agency (CIA). Containing files dated between 2013 and 2016, the leak was made public in March 2017.
- Skype Glitch Allowed Android Authentication Bypass - Not too alarming considering you must steal the phone: “A new vulnerability that I found on Skype has been fixed that affected millions of Android devices around the world that use Skype,” Kunushevci said in a LinkedIn post about the bug last week. “[The] new update you will find from 23 December 2018.” Kunushevci said a hacker would simply need to steal an Android device, place a Skype call to said device, and answer that call. After that, without unlocking the screen, the bad actor would be able to view an array of typically authenticated information through the Skype platform – including pictures and albums, contact details, browsers and apps.
- Threatlist: Container Security Lags Amidst DevOps Enthusiasm - I share these concerns: That’s according to Tripwire’s State of Container Security Report released Monday, which surveyed 311 IT security professionals at companies with over 100 employees. It also found that a full 94 percent of respondents said they have container security concerns, with 71 percent predicting that container security incidents would increase in the new year.
- Tens of thousands of hot tubs are exposed to hack - I was really hoping this attack would allow me to turn my hot tub into a time machine, but instead: “Like most internet of things devices, the Wi-Fi module acts initially in AP mode. The mobile app can connect as a client and control the tub locally. However, it can also configure the tub controller to be a client on your home network, so remote control from anywhere is possible through an API.” Experts reported that tens of thousands of hot tubs are currently vulnerable to cyber attacks. The researchers were able to search for vulnerable hot tubs using the wigle.net database; they located several devices that were in AP mode. The unprotected devices can be easily hacked because the AP is open and no PSK is used. An attacker could hack into the hot tubs from nearby or remotely.
- Zerodium offers $2 Million for remote iOS jailbreaks, and much more - That's a lot of dough: Zerodium announced it is going to pay up to $2 million for remote iOS jailbreaks that don’t need any user interaction. The company's previous offer for this kind of exploit was $1.5 million.
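For the malicious JPEG / HTA item above, here is an added example (not from the ISC diary or the show) of how a defender can flag such polyglots: a small Python scanner that walks the JPEG marker segments and reports any metadata segment, scan data, or trailing bytes that contain an HTML script tag, which a genuine image has no reason to carry. The sample file it builds is constructed with placeholder text and is not a real image or payload.

```python
import re
import struct

SCRIPT_RE = re.compile(rb"<\s*script\b", re.IGNORECASE)  # opening <script> tag

def jpeg_segments(data: bytes):
    """Yield (marker, payload) per JPEG segment. Metadata segments carry a
    2-byte length that includes itself; the scan data after SOS is yielded
    as one blob, and bytes after EOI are yielded with pseudo-marker 0x00."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                              # EOI: report trailing bytes
            yield 0x00, data[pos + 2:]
            return
        if marker == 0xDA:                              # SOS: scan data to end of file
            yield marker, data[pos + 2:]
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # standalone markers, no length
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_script_segments(data: bytes):
    """Return [(marker, offset)] for each segment containing a <script> tag."""
    hits = []
    for marker, payload in jpeg_segments(data):
        m = SCRIPT_RE.search(payload)
        if m:
            hits.append((marker, m.start()))
    return hits

def build_sample(with_script: bool) -> bytes:
    """Constructed sample: SOI, JFIF APP0, optional COM with placeholder script text, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    out = b"\xff\xd8\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    if with_script:
        com = b"<HTML><SCRIPT>/* placeholder */</SCRIPT></HTML>"
        out += b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com
    return out + b"\xff\xd9"
```

A hit in a COM or APPn segment (marker 0xFE or 0xE0-0xEF) or in the bytes after EOI is the pattern described in the diary; run the function over files arriving from mail gateways or download directories and alert on any non-empty result.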