Difference between revisions of "Episode618"

From Paul's Security Weekly

Revision as of 20:15, 29 August 2019

Recorded August 29, 2019 at G-Unit Studios in Rhode Island!


Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Matt Alderman
    CEO at Security Weekly, Strategic Advisor, and Wizard of Entrepreneurship
  • Jeff Man
    Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist, Tribe of Hackers, & InfoSec Curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.


  • Announcements

    • Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
    • OSHEAN and the Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18th from 9am-3pm at Salve Regina University in the beautiful Newport, RI! Visit securityweekly.com/OSHEAN2020 to register for free and come join in the fun!
    • We have officially migrated our mailing list to a new platform! Sign up for the list to receive invites to our virtual trainings, webcasts, and other content relevant to your interests by visiting securityweekly.com/subscribe and clicking the button to join the list! You can also submit your suggestions for guests by going to securityweekly.com/guests and submitting the form! We'll review them monthly and reach out if they are a good fit!
    • Our first-ever virtual training is happening on March 19th @11:00am ET, with Adam Kehler & Rob Harvey from Online Business Systems Risk, Security & Privacy Team. In this training you will learn how to generate a complex SHA-256 hashed password and then use password cracking tools to break it. Register for our upcoming trainings by visiting securityweekly.com, selecting the webcast/training drop down from the top menu bar and clicking registration.

    Security News - 6:00-6:30PM

    Paul's Stories

    1. Bug Bounties Continue to Rise, but Market Has Its Own 1% Problem
    2. A total of six hackers have already become millionaires on HackerOne
    3. New Botnet Targets Android Set-Top Boxes
    4. Unsecured IoT: 8 Ways Hackers Exploit Firmware Vulnerabilities
    5. Hacker Jeopardy, Wrong Answers Only Edition
    6. Second Steam Client Zero-Day Disclosed in a Week
    7. Identifying vulnerable IoT devices by the companion app they use - Help Net Security
    8. How to avoid using RDP in Windows
    9. Asset Management Becomes the New Security Model - Dark Reading
    10. DLL Hijacking Flaw Found in Bitdefender Antivirus Free 2020 | SecurityWeek.Com
    11. LinkedIn Details Features of Fight Against Fakes
    12. Bypassing CSRF Protection
    13. Humans may have been listening to you via your Xbox
    14. Why Your Free Dark Web Scan Doesn't Matter
    15. Harnessing Stunt Hacking for Enterprise Defense | SecurityWeek.Com
    16. 5 Ways to Improve the Patching Process

    Larry's Stories

    1. Android ad clicking - A notepad app and a fitness app downloaded on more than a million devices have been secretly clicking on ads without people knowing for nearly a year, security researchers found.
    2. 2FA defeats 99.9% of all cyber attacks (https://healthitsecurity.com/news/multi-factor-authentication-blocks-99.9-of-automated-cyberattacks) - Microsoft says that systems that leverage multi-factor authentication block nearly all automated cyberattacks, not just on Microsoft platforms but on any online service or website. Unless you use SMS and SIM swapping happens…
    3. Android set-top boxes prime for malware (https://www.theregister.co.uk/2019/08/28/android_set_boxes_ares_malware/) - IoT botnets move into the home theater market in search of low-hanging fruit…
    4. CamScanner Android Malware (https://www.theregister.co.uk/2019/08/28/camscanner_android_malware/) - The Android CamScanner PDF creator app, with more than 100 million downloads from the official Play Store, has been caught silently installing malware on victims' phones.
    5. My password is Oyster… (https://www.theregister.co.uk/2019/08/27/tfl_oyster_cards_plain_text_password_form/) - London-dwelling Alfie Fresta wanted a National Rail travelcard discount added to his London Oyster card so the discount would work automatically with his pay-as-you-go smartcard. He was startled when London Overground staff at New Cross Gate station handed him a paper form with a box on it asking for his online Oyster account password.

    Jeff's Stories

    1. AT&T employees took bribes to plant malware on the company's network

    Lee's Stories

    1. KNOB Attack Lets Hackers Insert themselves into your Bluetooth Calls - The KNOB attack exploits CVE-2019-9506, forcing the negotiated encryption key down to one byte of entropy and allowing the key to be brute-forced. The Bluetooth Core specification has been updated to set a minimum encryption key size of 7 octets. No publicly available exploit code (yet).
    2. Hackers Could Decrypt your GSM Calls - The attack leverages weaknesses in the key exchange with the cell tower, although a Stingray attack is easier.
    3. Legit-Looking iPhone Lightning Cables will hack your Computer - The cable has hotspot and multi-payload capability and leverages USB device trust settings. The O.MG Cable will become available through Hak5; other cables are on the radar for a similar implementation. MG DEFCON Blog
    4. Adult Site Luscious Data Breach - PII of over 1 million users compromised, including .gov email addresses.
    5. Scammer tricks city of Saskatoon in BEC - The city was tricked into sending over $1 million. Target accounts in Canada frozen, retrieval underway.
    6. 80 Suspects Charged with massive BEC Scam - 14 arrests of Nigerian nationals made across the US. $6M taken, $40M more attempted via BEC, romance scams and other schemes that target the elderly.
    7. Apple releases updates to iOS, macOS and tvOS - CVE-2019-8605, a use-after-free code execution flaw discovered by Ned Williamson of Project Zero, fixed in iOS 12.4.1, the macOS 10.14.6 Supplemental Update and tvOS 12.4.1.
    8. Passports, Licenses of 300 leaked in New Zealand - The New Zealand Ministry for Culture and Heritage had 300 individuals' records exposed due to a coding error, detected only after attempted fraudulent use of the data.
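    The entropy downgrade behind the KNOB story above, as an added toy model (not code from the article, the Bluetooth SIG, or any of the hosts). It assumes the shape of the LMP key-size negotiation described for CVE-2019-9506 (each peer proposes a maximum, an in-path attacker can rewrite the proposal, and a patched peer refuses anything under the 7-octet floor); the real key-shrinking function and link cipher are replaced by SHA-256 stand-ins, and the link key and known plaintext are constructed locally, so only the guess count, not the cipher, is faithful to Bluetooth.

```python
"""KNOB-style entropy downgrade, modelled as a toy (added example).

Bluetooth BR/EDR peers negotiate the encryption key's entropy (1..16 octets)
over LMP before encryption starts, and that negotiation is neither
authenticated nor encrypted, so an in-path attacker can lower both proposals.
The real key-shrinking function and link cipher are NOT reproduced here;
SHA-256 stands in for both, which is enough to show why the attacker's work
is 2**(8*L) guesses for an L-octet key.
"""
import hashlib
import os
from typing import Optional, Tuple

MAX_KEY_SIZE = 16       # largest negotiable entropy, in octets
SIG_MIN_KEY_SIZE = 7    # floor the Bluetooth Core spec adopted after KNOB


def negotiate_key_size(initiator_max: int, responder_max: int,
                       attacker_override: Optional[int] = None,
                       min_accepted: int = 1) -> Optional[int]:
    """Agree on an entropy value in octets, or None if the peer rejects it.

    Without an attacker the peers settle on the smaller of their maxima.
    `attacker_override` models an in-path rewrite of the key-size proposal
    (assumed message shape); `min_accepted` models a patched peer that
    refuses anything below the floor.
    """
    proposal = min(initiator_max, responder_max)
    if attacker_override is not None:
        proposal = attacker_override
    if not 1 <= proposal <= MAX_KEY_SIZE:
        return None          # out-of-range values are protocol errors
    if proposal < min_accepted:
        return None          # patched peer aborts the downgrade
    return proposal


def shrink_key(link_key: bytes, entropy: int) -> bytes:
    """Stand-in for key shrinking: only `entropy` octets of the link key matter."""
    return hashlib.sha256(link_key[:entropy] + bytes([entropy])).digest()


def encrypt(effective_key: bytes, plaintext: bytes) -> bytes:
    """Stand-in stream cipher: a 32-byte keystream derived from the key, XORed in."""
    assert len(plaintext) <= 32, "toy keystream is one SHA-256 output"
    keystream = hashlib.sha256(effective_key + b"keystream").digest()
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def brute_force(entropy: int, ciphertext: bytes, known_plaintext: bytes,
                budget: int) -> Tuple[Optional[bytes], int]:
    """Try every `entropy`-octet key prefix against a known-plaintext check.

    Returns (effective_key or None, guesses made). The search space is
    2**(8*entropy): 256 for one octet, 2**56 for the 7-octet floor.
    """
    space = 1 << (8 * entropy)
    tries = min(space, budget)
    for guess in range(tries):
        candidate = guess.to_bytes(entropy, "big")
        effective = shrink_key(candidate, entropy)
        if encrypt(effective, known_plaintext) == ciphertext:
            return effective, guess + 1
    return None, tries


def knob_scenario(min_accepted: int, forced_size: int = 1,
                  budget: int = 1 << 16) -> dict:
    """Run one negotiation under attack and report what the attacker achieved."""
    link_key = os.urandom(16)           # constructed random link key
    known = b"LMP_accepted"             # constructed known plaintext
    size = negotiate_key_size(MAX_KEY_SIZE, MAX_KEY_SIZE,
                              attacker_override=forced_size,
                              min_accepted=min_accepted)
    if size is None:
        return {"negotiated": None, "recovered": False, "guesses": 0}
    ciphertext = encrypt(shrink_key(link_key, size), known)
    key, guesses = brute_force(size, ciphertext, known, budget)
    return {"negotiated": size, "recovered": key is not None, "guesses": guesses}


if __name__ == "__main__":
    print("unpatched peer:", knob_scenario(min_accepted=1))
    print("patched peer:  ", knob_scenario(min_accepted=SIG_MIN_KEY_SIZE))
    print("7-octet key:   ", knob_scenario(min_accepted=1, forced_size=7, budget=4096))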



    Tech Segment: Corey Thuen, Gravwell - 6:30 - 7:30PM

    Corey Thuen
    is the Co-Founder at Gravwell.
    Corey Thuen co-founded Gravwell to enable log management of every data type an organization might need for success -- analyzing binary packets alongside syslog with a dash of business KPIs enables analytics that improve the entire organization, not just reduce security risk. Prior to founding Gravwell, Corey conducted security assessments on anything from power equipment to vehicle computers to over-engineered juicers while working for companies such as IOActive, Digital Bond, and Southfork Security. Before that Corey did cybersecurity work for the US Department of Energy at Idaho National Laboratory and the FBI.

    Topic: Analyzing custom log sources


    Interview: Christopher Hadnagy, Social-Engineer, LLC.- 7:30PM-8:30PM

    Christopher Hadnagyis the Chief Human Hacker of Social-Engineer, LLC.
    Chris possesses more than 17 years of experience as a practitioner and researcher in the security field. The author of three (soon-to-be four) best-selling books, he also teaches three distinct international courses. Chris has trained various branches of the government, including the United States Special Operations Command and the Federal Bureau of Investigation. Additionally, Chris has debriefed dozens of general officers and government officials inside the Pentagon on social engineering and its effect on the United States.
    Through his educational not-for-profit www.social-engineer.org, Chris established the world’s first social engineering penetration testing framework, and created additional resources which have all become staples in the security industry and trusted references for global organizations. Chris is also the founder and CEO of www.social-engineer.com, where he helps strengthen organizations.
    Chris specializes in understanding how malicious attackers exploit human communication and trust to obtain access to information and resources through manipulation and deceit. Chris is also a certified Expert Level graduate of Dr. Paul Ekman’s Micro Expressions courses, having made the study of non-verbal behaviors one of his fortes. Chris’s goal is to better secure organizations by educating them on the methods used by attackers, identifying their unique vulnerabilities, and mitigating potential issues through appropriate levels of awareness and security.

    Segment Topic:
    SEVillage Orlando 2020, Innocent Lives Foundation

    Segment Description:
    Overview of inaugural SEVillage Orlando 2020. Brief description of the training workshops provided. Mission and information on non-profit Innocent Lives Foundation.

    Segment Resources: