From Security Weekly Wiki
Jump to navigationJump to search
157 bytes removed ,  17:36, 10 December 2019
no edit summary
#[ 'Hackable' karaoke and walkie talkie toys found by Which?] - Looks like basic Bluetooth pairing vulnerabilities: ''A stranger could, for example, use a Vtech's KidiGear walkie talkie to pair to another one of the devices being used by a child - from a distance of up to 200m (656ft). The Bluetooth pairing of devices, however, would have to take place within a 30-second window, once the child's device was activated.'' and ''Which? also found that the Singing Machine SMK250PP karaoke machine had been designed so that a stranger could stream audio to a child from a distance of up to 10 metres because the Bluetooth connection did not ask for authentication.''
#[ Linux Bug Opens Most VPNs to Hijacking] - ''According to researchers at University of New Mexico and Breakpointing Bad, the bug (CVE-2019-14899), “allows…an attacker to determine if…a user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.” In an advisory released this week, they noted that once a proof-of-concept exploit allowed them to determine a VPN client’s virtual IP address and make inferences about active connections, they were then able to use encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of connections. These allowed them to hijack TCP sessions and inject data into the TCP stream.''
#[ Hardware-based Password Managers Store Credentials in Plaintext]
#[ Microsoft to end updates to Windows 7's free AV software, Security Essentials] - Let's face it, if you're still on Windows 7 you need something better than the built-in A/V from Microsoft: ''"No, your Windows 7 computer is not protected by MSE ((Microsoft Security Essentials)) after January 14, 2020," the company said in a support document mainly concerned about the Extended Security Updates (ESU) being shilled to enterprises. "MSE is unique to Windows 7 and follows the same lifecycle dates for support." Security Essentials, a free antivirus (AV) program that launched in 2008, was originally limited to consumers. However, in 2010, Microsoft expanded the licensing to small businesses, defined as those with 10 or fewer PCs. Two years after that, MSE was replaced by Windows Defender with the launch of Windows 8. Since then, Defender has been baked into each follow-up version of the OS, including Windows 10. Windows 7, though, has been stuck with MSE.''
#[ New Office 365 Feature Provides Detailed Information on Email Attack Campaigns] - Cool stuff: ''The capabilities will provide security teams with summary details about the campaign, including point of origin, pattern and timeline, size, and the number of victims. Additionally, it shows a list of IP addresses and senders, and data on messages that were blocked, ZAPped, sent to junk or quarantine, or allowed into the inbox. Campaign views will also include data on the URLs used in the attack. This information, Microsoft says, should help organizations more easily secure affected or vulnerable users, improve their security posture by eliminating configuration flaws, investigate related campaigns, and hunt and track threats that use the same indicators of compromise (IOC).''
#[ Snatch ransomware pwns security using sneaky safe mode reboot] - We covered this technique on [ Paul's Security Weekly Episode 482] with researchers from Cyberark Labs in September 2016.
#[ Google Confirms Critical Android 8, 9 And 10 Permanent Denial Of Service Threat] - ''CVE-2019-2232 has been rated as the most severe of three critical vulnerabilities addressed in the December Android Security Bulletin. The official NIST National Vulnerability Database description of the vulnerability says that improper input validation in the "handleRun of" could create a "possible application crash." In other words, a maliciously-crafted message could cause a denial of service to your Android device. A permanent denial of service attack that could effectively kibosh your smartphone. "User interaction is not needed for exploitation," the description continues, and the remote denial of service attack needs "no additional execution privileges," for good measure. The vulnerability applies to Android 8.0, Android 8.1, Android 9 and Android 10 versions.''


Navigation menu