From Paul's Security Weekly
Recorded June 4, 2019 at G-Unit Studios in Rhode Island!
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
- SUPRA Smart TV Flaw Lets Attackers Hijack Screens With Any Video - he vulnerability could allow a local attacker to inject a remote file in the broadcast and display fake videos without any authentication. It should be noted that the attacker must be connected to the same Wifi network as the TV, as stated in the article. I would imagine this just means access to the same network, wired or wireless. However, given the number of vulnerabilities in IoT devices and smartphones, its not impossible to gain access to someone's TV. This reminds me of the movie Idiocracy, where the TVs were filled with ads. The SUPRA brand is explained as well: SUPRA is a lesser-known Russia electronics brand on the Internet that manufactures several affordable audio-video equipments, household appliances and car electronics, most of which are being distributed through Russian, Chinese, Russian and UAE-based e-commerce websites. The vulnerability is a remote file include due to lack of authentication and sessions handling, and according to the article, unlikely to be patched.
- Cisco Service Provider, WebEx Bugs Offer Up Remote Code Execution - Cisco also patched several other high-severity flaws, including a group (CVE-2019-1771, CVE-2019-1772 and CVE-2019-1773) in the Cisco Webex Network Recording Player and the Cisco Webex Player for Microsoft Windows, which could allow an attacker to remotely execute arbitrary code on an affected system. The bug is rated high-severity instead of critical because exploitation requires user interaction, but admins should update as soon as possible given how widely deployed the software is. “The vulnerabilities exist because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files,” Cisco said on Wednesday. “An attacker could exploit these vulnerabilities by sending a user a malicious ARF or WRF file via a link or email attachment and persuading the user to open the file with the affected software on the local system.”
- >20,000 Linksys routers leak historic record of every device ever connected - Independent researcher Troy Mursch said the leak is the result of a flaw in almost three dozen models of Linksys routers. It took about 25 minutes for the BinaryEdge search engine of Internet-connected devices to find 21,401 vulnerable devices on Friday. A scan earlier in the week found 25,617. They were leaking a total of 756,565 unique MAC addresses. Exploiting the flaw requires only a few lines of code that harvest every MAC address, device name, and operating system that has ever connected to each of them. The flaw allows snoops or hackers to assemble disparate pieces of information that most people assume aren’t public. By combining a historical record of devices that have connected to a public IP addresses, marketers, abusive spouses, and investigators can track the movements of people they want to track.
- New attack creates ghost taps on modern Android smartphones | ZDNet - The attack itself consists of two steps. Once a user has placed their smartphone near the attack rig to be in the smartphone's NFC range (of 4 to 10cm), the NFC readers/writers can get basic info about a device and trigger one of three actions. It can make the user's smartphone open and access a specific URL (doesn't require any interaction), it can ask the smartphone to pair a rogue Bluetooth device (requires interaction), or it can ask the user to connect to a malicious WiFi network (requires interaction). This works because, by default, Android devices always look for nearby NFC transmissions, at all times.
- Majority of C-Level Executives Expect a Cyber Breach - Nine out of ten business leaders in the US and UK say their organization lacks at least one critical resource necessary for defense against a cyberattack - and three-quarters of those leaders say believe a cybersecurity breach is inevitable. Uhm, what happened to assume breach?
- Australian teenager hacked into Apple twice for a job - This is not how you get a job at Apple: “The boy, who is now 17, faced the Adelaide Youth Court and pleaded guilty to multiple computer hacking charges.” reported the Australian ABC website. “The court heard he and another teenager from Melbourne hacked into the technology giant’s mainframe in December 2015 and then again in early 2017 and downloaded internal documents and data.” The teenager is from Adelaide, Australia, and violated an Apple mainframe by creating false credentials, he was helped by another young hacker. The lawyer of the teen, Mark Twiggs, explained to the court that his client had no bad intentions and due to his young age he was not aware of the severe consequences.
- macOS zero-day in Mojave could allow Synthetic Clicks attacks - Wardle explained that a “subtle code-signing issue” in macOS could allow the hack of any trusted application to generate synthetic clicks, bypassing the core security feature introduced in 2018. Malware developers and hackers might use synthetic mouse-click attacks to emulate human behavior in approving security warnings. The attack could be triggered by an attacker with local access to the device when the screen is dimmed, this means that it could be very difficult to spot.
Expert Commentary: Winn Schwartau, SAC
Topic: Ethical Bias in Artificial Intelligence-Based Security Systems. In Winn's words, a "trolley-ological conundra of ethical bias and the failure of AI in security."