From Paul's Security Weekly
Recorded April 11, 2019 at G-Unit Studios in Rhode Island!
- Register for our upcoming webcast with ServiceNow by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand.
- If you have a suggestion for a guest on any of our shows, fill out the form at securityweekly.com/guests. We released our 2019 Security Weekly 25 Index Survey. Please go to securityweekly.com and click the Survey link to help us understand who’s evaluating, using, or formerly used any of the Security Weekly 25 companies. The results will be summarized and presented back to all responders in a private webcast.
- Some of you told us that you are overwhelmed by the amount of content we distribute! In an attempt to make it a little easier for you to find what you're interested in, we've created our new listener interest list! Sign up for the list and select your interests by visiting securityweekly.com/subscribe and clicking the button to join the list!
- The Layer 8 Conference has two tracks of talks on social engineering and Open Source Intelligence gathering. The conference is the only one of its kind and will be on Saturday, June 8th in Providence, Rhode Island. Check out the Mental Health Hackers village, the TOOOL lockpick village, the CTF with Trace Labs, all at layer8conference.com
- John Strand will be teaching Active Defense and Cyber Deception at Black Hat 2019. Please register here! https://www.blackhat.com/us-19/training/schedule/index.html#a-guide-to-active-defense-cyber-deception-and-hacking-back-14124
Interview: Gabriel Gumbs, Spirion - 6:00-6:30PM
- What is "sensitive" data?
- How can you start to develop classifications of data?
- Given large data stores and fast networks, how can you detect sensitive data?
- What if data is encrypted? How do you detect the sensitivity level at rest and in motion?
- Most organizations don't know what assets they have, how can we detect sensitive data on assets we don't know exist?
Interview: Merissa Villalobos & Jessica Gullick, Women's Society of Cyberjutsu - 6:30-7:30PM
Topic: What WSC is doing and how you can get involved.
- What is the Women's Society of Cyberjutsu?
- How do women get involved and how does it help them?
- Is it free to join?
- How do you help women find careers in tech?
- How can someone apply to be a mentor?
- There is a study that shows that at one time doctors were 85% men, and now it's a 50/50 split. How can we use this as a model (or can we?)? (Ref: https://www.athenahealth.com/insight/healthcare-future-female)
- What can we do to ensure there is equal pay, as this still appears to be a problem!?!?
- What can others do to support WSC?
Security News - 7:30PM-8:30PM
- Patch blues-day: Microsoft yanks code after some PCs are rendered super secure (and unbootable) following update - It's all a bit unfortunate, since the patches include security fixes that administrators should really install sooner rather than later. And yes, both the security-only updates and monthly roll-ups are affected. Ugh. Also, your system crashes if you have Sophos (and other) endpoint protection software installed. I am curious how the update broke these systems; could this be an exploit?
- Bitcoin mining ban considered by China's economic planner - A notice published online in Mandarin by the country's economic planning agency added "virtual currency mining activities [including] the production process of Bitcoin" to a list of industries that could be shut down. The suggestion is that the power consumed by the industry contributes to pollution and wastes resources. Pollution and waste resources, riiiight.
- Yahoo strikes $117.5 million data breach settlement after earlier... - Yahoo has struck a revised $117.5 million settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history. So, 3 billion accounts were affected in this breach, meaning $0.04 per user? Or do I suck at math? Or is that not how it works?
- Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords - These attacks will be around for a while: There are two ways to perform such a downgrade hack. The first is to perform a man-in-the-middle attack that modifies the wireless beacons in a way that makes a WPA3-enabled router represent itself as being able to only use WPA2. While a WPA3 client device will eventually detect the spoofed beacons and abort the handshake, this security mechanism isn’t tripped until after the attacker has captured the four-way handshake. A variation of this downgrade attack—usable if the SSID name of the targeted WPA3 network is known—is to forgo the man-in-the-middle tampering and instead create a WPA2-only network with the same name. As long as clients are in transitional mode, they will connect to the WPA2-only access point. As soon as that happens, attackers have the four-way handshake.
- Regulating the IoT: Impact and new considerations for cybersecurity and new government regulations - Help Net Security - Not too helpful: Last year, California became the first state in the U.S. to pass a cybersecurity law covering IoT devices: SB-327, set to be put into law in 2020. The law requires that manufacturers of a device that connects directly or indirectly to the internet must be equipped with “reasonable” security features that are designed to prevent unauthorized access, modification or information disclosure. The bill aims to protect consumers as a first step, but could also potentially be applied to larger, enterprise solutions with future revisions.
- Docker, Nginx & Letsencrypt: Easy & Secure Reverse Proxy - If you are looking for an easy project to learn Docker, this article is helpful.
- WikiLeaks Founder Julian Assange arrested and charged in US with computer hacking conspiracy - But why? According to a note released by London's Metropolitan Police Service, the arrest happened just after the Ecuadorian government withdrew his political asylum today.
- CIOs and CISOs hold off on crucial updates due to potential impact on business operations - Help Net Security - This is actually the most interesting stat in the article: the majority (80%) of CIOs and CISOs have found out that a critical update or patch they thought had been deployed had not actually updated all devices, leaving the business exposed as a result. And this problem is only going to get worse as it becomes easier and cheaper to deploy new technology and applications.
- DMSniff POS Malware uses DGA to stay active - DMSniff malware uses DGA techniques to avoid detection, searches memory directly for card numbers and sends them to the C2. It includes 11 variants of DGA.