From Paul's Security Weekly
Recorded September 17, 2019 at G-Unit Studios in Rhode Island!
- Register for our upcoming webcasts with ISC2 by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand. Also, you can now submit your suggestions for guests in our recently released guest suggestion form! Go to securityweekly.com/guests and enter your suggestions!
- Google Calendar Settings Gaffe Exposes Users' Meetings, Company Details - 'The Google Calendar setting in question is for users who want to organize meetings by sharing their calendar with specific users using a specific link. However, what the setting enables is for anyone with the shared link – not just the intended user – to see the shared calendar, according to Jain. What that notification means is that the URL becomes indexed by Google search, meaning that anyone can find the calendar without even knowing the link, he said.'
- Expert disclosed passcode bypass bug in iOS 13 a week before its release - Below is the step-by-step procedure to exploit the passcode bypass:
  - Reply to an incoming call with a custom message.
  - Enable the VoiceOver feature.
  - Disable the VoiceOver feature.
  - Add a new contact to the custom message.
  - Click on the contact's image to open the options menu and select “Add to existing contact”.
  - When the list of contacts appears, tap on the other contact to view its info.
- A bug in Instagram exposed user accounts and phone numbers - The expert explained that he discovered the flaw by using the platform’s contact importer in combination with a brute-force attack on its login form. The attack scenario is composed of two steps: The attacker carries out a brute-force attack on Instagram’s login form, checking one phone number at a time for those linked to a live Instagram account. The attacker then finds the account name and number linked to the phone number by exploiting Instagram’s Sync Contacts feature.
- Drone attacks hit two Saudi Arabia Aramco oil plants - SpotterRF was an interview we did a while back that could serve as an early warning system: Saudi Arabia’s oil production suffered severe damage following a swarm of explosive drones that hit two major oil facilities run by the state-owned company Aramco in Saudi Arabia. Images of a huge blaze at Abqaiq, the site of Aramco’s largest oil processing plant, are circulating online. A second drone attack hit the Khurais oilfield. Abqaiq is about 60km south-west of Dhahran, while Khurais, 200km further south-west, holds the second-largest oilfield in the country.
- Google fixes Chromebook 2FA flaw in built-in security key - Your Chromebook may have a security key, convenient, but vulnerable: Unfortunately, a vulnerability has been discovered in the system that makes this work, specifically the generation of an Elliptic Curve Digital Signature Algorithm (ECDSA) signature by H1 chips running v0.3.14 firmware and earlier. Google said: We confirmed that the incorrect generation of the secret value allows it to be recovered, which in turn allows the underlying ECC private key to be obtained. Which means that an attacker could work out the private key, completely undermining what is supposed to be a fundamental security feature.
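The Chromebook item above says only that a badly generated ECDSA nonce lets the private key be recovered. The following is an added illustration, not code from the page, from Google or from the H1 firmware: a minimal ECDSA over the public secp256k1 parameters with a constructed key and nonce, showing algebraically why a nonce an observer can learn hands over the signing key, and why deterministic nonces (RFC 6979) are the standard mitigation.

```python
# Added illustration (not from the page, Google or the H1 firmware): minimal ECDSA
# over secp256k1 showing why a recoverable nonce k hands over the private key d.
import hashlib
import secrets

P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    """Affine point addition on secp256k1 (None is the point at infinity)."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def sign(d, msg, k):
    """ECDSA: k must be secret, uniform and single-use (RFC 6979 derives it from d and msg)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (h + r * d) % N
    return r, s

def recover_private_key(msg, sig, k):
    """s = k^-1 (h + r d) mod N  =>  d = (s k - h) r^-1 mod N, so a leaked k yields d."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    r, s = sig
    return (s * k - h) * pow(r, -1, N) % N

def demo():
    d = secrets.randbelow(N - 1) + 1  # constructed private key
    k = secrets.randbelow(N - 1) + 1  # a nonce the flawed generator would let an observer learn
    sig = sign(d, b"register security key", k)
    return recover_private_key(b"register security key", sig, k) == d
```

The recovery needs one signature and the nonce alone, which is why a nonce-generation defect is treated as a full key compromise and why the fix is re-keying, not just a firmware update.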
- Uber Confirms Account Takeover Vulnerability - From Forbes: Anand Prakash, founder of AppSecure and a Forbes 30 Under 30 honoree, discovered that it was possible for an attacker to exploit the vulnerability via an application programming interface (API) request. This involved first acquiring the user universally unique identifier (UUID) of any user by sending an API request that included either their telephone number or email address. "Once you have the leaked Uber UUID from the API request," Prakash said, "you can replay the request using the victim’s Uber UUID and get access to private information like access token (mobile apps), location and address." Prakash says that with the mobile apps access token he was able to completely compromise a test account in this way, requesting rides, getting payment information and more.
- SOHOpelessly Broken 2.0: 125 Vulnerabilities Found in Routers, NAS Devices | SecurityWeek.Com - ISE last year decided to conduct another similar assessment to see if and how much IoT security has evolved since then. A total of 13 routers and NAS devices were analyzed as part of the SOHOpelessly Broken 2.0 project, which led to 125 CVEs being assigned to the new vulnerabilities. Results of the research were made public on Monday. SOHOpelessly Broken 2.0 targeted devices from Buffalo, Synology, TerraMaster, Zyxel, Drobo, ASUS and its subsidiary Asustor, Seagate, QNAP, Lenovo, Netgear, Xiaomi, and Zioncom (TOTOLINK). The researchers said they identified at least one vulnerability that allowed remote shell access or access to the admin interface in each of the tested products, including cross-site scripting (XSS), OS command injection and SQL injection bugs.
- LastPass Fixes Bug That Leaks Credentials - Tavis is a beast: Tavis Ormandy, a vulnerability researcher from Google Project Zero, discovered the flaw in the LastPass password manager and published it on the project’s website on Aug. 29, rating it as “high.” He followed that up with a Twitter post warning web users about the bug on Sunday...if a web user running LastPass entered credentials to one site and then surfed to another, the second site could have had unauthorized access to the username and password from the first site. If the second site is malicious, it could put the user at risk of cybercriminals.
- AMD Radeon Driver Flaw Leads to VM Escape | SecurityWeek.Com - 'The attacker could trigger the flaw from a VMware guest usermode to potentially execute code on the associated VMware host. An attacker could theoretically trigger the issue through WebGL (remote website) as well. “An attacker could exploit this vulnerability by supplying a malformed pixel shader inside the VMware guest operating system to the driver. This could corrupt memory in a way that would allow the attacker to gain the ability to remotely execute code on the victim machine,” Talos says. Tracked as CVE-2019-5049, the vulnerability has a CVSS score of 9.0. Talos says they reported the vulnerability to AMD in early May, but a patch was released only this week.'
- The Air Force Will Let Hackers Try to Hijack an Orbiting Satellite - When the Air Force showed up at Defcon...It brought along an F-15 fighter jet data system—one that security researchers thoroughly dismantled, finding serious vulnerabilities along the way. The USAF was so pleased with the result that...Next year, it’s bringing a satellite. That’s a promise from Will Roper, assistant secretary of the Air Force for acquisition, technology, and logistics...“We have to get over our fear of embracing external experts to help us be secure. We are still carrying cybersecurity procedures from the 1990s,” says Roper. “We have a very closed model. We presume that if we build things behind closed doors and no one touches them they’ll be secure. That might be true to some degree in an analog world. But in the increasingly digital world, everything has software in it.”
Expert Commentary: George Avetisov, HYPR Corp.
True Passwordless Security
We'll discuss the evolution of authentication from its beginning state to where it is heading. For 50 years passwords and other shared secrets have been the dominant means of authenticating users. What is the paradigm shift from shared secrets to PKC-based authentication, and how are enterprises benefiting from it?
- THE EVOLUTION OF AUTHENTICATION (WHITE PAPER)
- THE CISO’S GUIDE TO DEPLOYING TRUE PASSWORDLESS SECURITY (WHITE PAPER)
- JAVELIN IMPACT NOTE: DECENTRALIZED AUTHENTICATION (WHITE PAPER)