Hack Naked News 99 November 3 2016

From Paul's Security Weekly
Jump to: navigation, search

Episode Audio

Hack Naked News Announcement

In this edition of hack naked news, a popular cloud-based web site hosting company could become the next myspace, more powerful IoT botnets, Browser vendors lack trust in two CAs, and some are very worried about an election day hack

ITPro.TV Annoucenment: "Quick announcement, ITProTV has updated their course library to include CompTIA Security+, CISSP, CEH v9, and Red Hat Linux."

Hack Naked News Stories

  • Unpatched Vulnerability on Wix.com Puts Millions of Sites at Risk - Update Cloud-based web host Wix.com is vulnerable to a DOM-based cross-site scripting vulnerability that can give attackers control over any of the millions of websites hosted on the platform. Yikes: Worse, Contrast Security said, using this flaw a cybercriminal could expand on the attack, turning it into a worm that spreads across all Wix sites, similar to the notorious 2005 Samy worm or MySpace worm – designed to propagate across the social-networking site.
  • New, more-powerful IoT botnet infects 3,500 devices in 5 days - Linux/IRCTelnet also borrows telnet-scanning logic from a newer IoT bot known as Bashlight. It further lifts a list of some 60 widely used username-password combinations built into Mirai, a different IoT bot app whose source code was recently published on the Internet. It goes on to add code for attacking sites that run the next-generation Internet protocol known as IPv6.

The best-of-breed approach "is driving a high infection speed of Linux/IRCTelnet (new Aidra) so it can [infect] almost 3,500 bot clients within only five days from the moment its loader was first detected," a researcher who goes by the handle Unixfreakjp wrote in a blog post reporting on the new malware. "To incarnate a legendary botnet code into a new version that can [target] the recent vulnerable threat landscape is really inviting more bad news."

  • Why Browser Vendors Chose to Distrust 2 Certificate Authorities - The revocation of trust in WoSign has been debated since at least August 2016, when it was revealed that WoSign issued an SSL/TLS certificate for GitHub without its authorization. Mozilla conducted an extensive investigation of WoSign documenting at least 14 different security issues.
  • Silicon Valley is seriously worried about a cyber attack on Election Day - Most agree attackers will not be able to impact the outcome of the election, as there are several checks and balances in place to prevent this. However, a massive attack on the Internet could impact those looking to find where to vote on election day and/or disrupt the flow of news by taking out some big sites such as Twitter and Facebook. The real impact could be voter confidence, the Internet being impacted on election day and false leaks about presidential canidates could impact voter confidence. So, in the end, to quote Flava Flav, don't believe the hype.