Hack Naked News 103 December 6 2016
Hack Naked News Announcements
Check out our Listener Feedback Survey at https://wwww.securityweekly.com/survey to tell us how we can make your podcasting experience with us more enjoyable!
ITPro.TV Announcement: "Upcoming courses include Cybersecurity Analyst+, CCNA Cyber Ops, ITIL Operational Support and Analysis, and Microsoft System Center. ITProTV is introducing a new membership level soon. All current Premium Members will be granted the highest membership level available, so sign up today! Visit itpro.tv/hacknaked and use code HN30."
Hack Naked News Stories
Hi everyone, this is Paul Asadoorian reporting live from G Unit studios in Rhode Island for December 6, 2016. In the news this week:
- USB Killer, yours for $50, lets you easily fry almost every device - The USB Killer is shockingly simple in its operation. As soon as you plug it in, a DC-to-DC converter starts drawing power from the host system and storing electricity in its bank of capacitors. It's known to fry just about every device you can stick it in: laptops (including an old ThinkPad and a brand new MacBook Pro), an Xbox One, the new Google Pixel phone, and some cars. There is no known fix for this, unless you want to fill your USB ports with glue or cement, which can be bought cheaply at most home improvement stores. Just don't leave one of these devices lying around the office with a label that reads "porn", because that would just be wrong, so very wrong...
- Thieves can guess your secret Visa card details in just seconds - Thieves can guess your secret Visa payment card data in as little as six seconds, according to researchers at Newcastle University in the UK. Once an attacker has a valid 16-digit number, four seconds is all they need to learn the expiration date and the three-digit card-verification value that most sites use to verify the validity of a credit card. Even when sites go a step further by adding the card holder's billing address to the process, the technique can correctly guess the information in about six seconds. The technique relies on Web bots that spread random guesses across almost 400 e-commerce sites that accept credit card payments. The fix? Don't use a Visa card for online purchases! You're welcome, Amex and Mastercard.
- DDoS, IoT Top Cybersecurity Priorities for 45th President - Brian Krebs reports: Addressing distributed denial-of-service (DDoS) attacks designed to knock Web services offline and security concerns introduced by the so-called "Internet of Things" (IoT) should be top cybersecurity priorities for the 45th President of the United States, according to a newly released blue-ribbon report commissioned by President Obama. The report recommends what we've been hearing so far: guidelines, suggestions and awareness are the answer to the "cyber" threats of today. Many are pushing for legislation and regulations to force security on ISPs and IoT manufacturers, but it's still unclear, and unlikely given the new administration, that we will see this anytime soon.
- New Large-Scale DDoS Attacks Follow Schedule - A powerful new botnet is being blamed for massive and sustained DDoS attacks that security researchers at CloudFlare compare to Mirai when it comes to intensity and scope. This is most likely due to the Mirai source code being released, as attackers are now continuing to rent space to conduct targeted attacks. Moral of the story? Don't piss off anyone on the Internet. Good luck with that!
- Google Fixes 12 High-Severity Flaws In Chrome Browser - Threatpost reports: Google is urging Windows, Mac and Linux users to update their Chrome browsers to fix multiple vulnerabilities that could allow malicious third parties to take control of targeted systems. Released Thursday, Chrome version 55.0.2883.75 for Windows, Mac, and Linux fixes those security issues. It also introduces a number of new features to the browser to enhance the way it handles panning gestures and to support CSS automatic hyphenation. Several researchers are credited in this latest round of vulnerabilities, and bug bounties have been paid out. Users are encouraged to apply the fixes, which still require that you restart your browser. Personally, I would love to see updates applied automatically and the user then prompted to restart the web browser, especially for critical vulnerabilities.
- Seattle Thief Caught By Remote Car Door Lock - In other news that is not really news, BMW remotely locked the doors on a stolen vehicle. So let's say you get married and let your friend borrow your BMW. Your friend, perhaps still hungover from the wedding the night before, leaves the key fob in the car. The thief, likely wasted as well (was he in the wedding party too? not sure), drives the car into an alley and falls asleep with the car running. Police quickly locate the vehicle and have BMW lock the doors remotely. Apparently the thief doesn't know this common fact: YOU CAN OPEN CAR DOORS FROM THE INSIDE! He tries to drive away, but doesn't get far before being arrested and likely sent to prison, where he will be made fun of for being one of the dumbest car thieves, this week anyhow.
- Sony Kills Off Secret Backdoor In 80 Internet Connected CCTV Models - Sony fixed the firmware backdoors in several models of CCTV cameras, fixes which people won't apply, so attackers will likely add the cameras to the Mirai botnet. The good news is that SEC Consult, the firm who discovered and disclosed the vulnerabilities in October of this year, recommends you not use these products until a thorough security review has been performed by security professionals. Right, because everyone is going to do just that...
- Botnet Known as 'Avalanche' Taken Down by Law Enforcement - Using the double fast flux technique, the Avalanche botnet managed to live on for over 6 years, that is until the FBI and other international agencies were finally able to take it down this week. It's estimated to have infected over 500,000 users per day and used 800,000 domain names in an attempt to mask its origin. Arrests have been made, and for now, the Internet could be a slightly safer place. However, infected users are, well, still infected, except their malware no longer has a place to phone home. On to the next botnet I suppose; however, if it takes 6 years to take down a botnet, we will never get caught up.
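The "double fast flux" that kept Avalanche alive rotates both the A records of a domain and the NS records that serve it, on short TTLs, so the rendezvous points move faster than a blocklist can follow. The heuristic below is an added example written for this episode, not code from the show or from any of the agencies involved: it parses a simplified passive-DNS record format (timestamp, name, record type, rdata, TTL; the sample lines and thresholds are constructed for illustration) and flags a domain as double fast flux only when both the A set and the NS set churn on short TTLs. A domain whose A records churn while its nameservers stay put gets a weaker "single" verdict, because that pattern is exactly what a CDN looks like and needs corroboration before anyone blocks it.

```python
"""Heuristic detector for (double) fast-flux domains over passive-DNS-style records.

Added example; record format, sample data and thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines (not real data), one record per line:
# <unix_ts> <qname> <rrtype> <rdata> <ttl>
SAMPLE_LOG = """\
1480982400 update-svc.example.net A 198.51.100.10 300
1480982460 update-svc.example.net A 203.0.113.7 300
1480982520 update-svc.example.net A 192.0.2.55 300
1480982580 update-svc.example.net A 198.51.100.99 300
1480982400 update-svc.example.net NS ns1.host-a.example.org 300
1480982460 update-svc.example.net NS ns7.host-b.example.org 300
1480982520 update-svc.example.net NS ns3.host-c.example.org 300
1480982400 static.example.com A 203.0.113.20 60
1480982460 static.example.com A 203.0.113.21 60
1480982520 static.example.com A 203.0.113.22 60
1480982580 static.example.com A 203.0.113.23 60
1480982400 static.example.com NS ns1.example.com 86400
1480982400 www.example.com A 192.0.2.1 3600
1480982460 www.example.com A 192.0.2.1 3600
1480982400 www.example.com NS ns1.example.com 86400
"""


@dataclass
class DomainStats:
    """Distinct answers and the lowest TTL seen, per record type, for one domain."""
    a_rdata: set = field(default_factory=set)
    ns_rdata: set = field(default_factory=set)
    min_a_ttl: int = 10**9
    min_ns_ttl: int = 10**9


def parse_records(text):
    """Parse lines into (ts, qname, rrtype, rdata, ttl); blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, qname, rrtype, rdata, ttl = parts
        try:
            records.append((int(ts), qname.lower(), rrtype.upper(), rdata.lower(), int(ttl)))
        except ValueError:
            continue  # non-numeric timestamp or TTL
    return records


def domain_stats(records):
    """Aggregate the distinct A and NS answers (and minimum TTLs) observed per domain."""
    stats = defaultdict(DomainStats)
    for _ts, qname, rrtype, rdata, ttl in records:
        s = stats[qname]
        if rrtype == "A":
            s.a_rdata.add(rdata)
            s.min_a_ttl = min(s.min_a_ttl, ttl)
        elif rrtype == "NS":
            s.ns_rdata.add(rdata)
            s.min_ns_ttl = min(s.min_ns_ttl, ttl)
    return stats


def classify(s, a_threshold=3, ns_threshold=2, ttl_max=600):
    """Verdict for one domain. Thresholds are illustrative, not tuned values."""
    a_flux = len(s.a_rdata) >= a_threshold and s.min_a_ttl <= ttl_max
    ns_flux = len(s.ns_rdata) >= ns_threshold and s.min_ns_ttl <= ttl_max
    if a_flux and ns_flux:
        return "double-fast-flux"
    if a_flux:
        return "single-fast-flux"  # CDNs look like this too; corroborate before blocking
    return "benign"


def flag_domains(text, **thresholds):
    """Map every domain in the log to its verdict."""
    return {d: classify(s, **thresholds) for d, s in domain_stats(parse_records(text)).items()}


if __name__ == "__main__":
    for domain, verdict in sorted(flag_domains(SAMPLE_LOG).items()):
        print(f"{domain:28} {verdict}")
```

Run against the constructed sample, update-svc.example.net comes back as double fast flux (four A answers and three NS answers, all on 300-second TTLs), static.example.com only as single flux (rotating A records on a 60-second TTL but one stable nameserver), and www.example.com as benign. In a real deployment the thresholds would be calibrated against your own resolver logs, and a single-flux hit would be checked against known CDN ranges before any blocking action.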