Difference between revisions of "HNNEpisode225"

From Security Weekly Wiki
Line 19: Line 19:
 ==Security News==
−#[https://www.schneier.com/blog/archives/2019/07/yubico_security.html Yubico Security Keys with a Crypto Flaw] -
+#[https://www.schneier.com/blog/archives/2019/07/yubico_security.html Yubico Security Keys with a Crypto Flaw] - Yubico is recalling a line of security keys used by the U.S. government due to a firmware flaw. The YubiKey FIPS Series devices with firmware versions 4.4.2 and 4.4.4 have a reduced randomness of the cryptographic keys it generates. Security keys with ECDSA signatures are in particular danger since 80 bits of the 256 bits that generate the key remain static. The security keys in question are used by thousands of federal employees on a daily basis, letting them securely log-on to their devices by issuing one-time passwords.
−#[https://securityaffairs.co/wordpress/87756/hacking/medtronic-insulin-pumps.html Vulnerability in Medtronic insulin pumps allow hacking devices] -
+#[https://securityaffairs.co/wordpress/87756/hacking/medtronic-insulin-pumps.html Vulnerability in Medtronic insulin pumps allow hacking devices] - Medtronic and the US government have warned that some Medtronic MiniMed insulin pumps are vulnerable to cyber attacks. The flaw, known as CVE-2019-10964, is an improper access control issue that could be exploited by an attacker to inject, replay, modify, and/or intercept data by having adjacent access to one of the vulnerable insulin pumps to interfere with the wireless RF (radio frequency) communications to or from the product. According to FDA, Medtronic has identified 4,000 patients who are potentially using insulin pumps affected by the flaw. The fix is providing an alternate insulin pump, which is more secure, to patients.
−#[https://medium.com/swlh/you-have-no-right-to-privacy-b90e9c5b310 You Have No Right to Privacy] -
+#[https://www.darkreading.com/attacks-breaches/new-exploit-for-microsoft-excel-power-query-/d/d-id/1335083 New Exploit for Microsoft Excel Power Query] - Proof-of-concept, which allows remote code execution, is latest to exploit Dynamic Data Exchange (DDE) and is another reminder why organizations must ensure Office settings are secure. Researchers at Mimecast have developed a working proof of concept that shows how attackers can use a legitimate function in Microsoft Excel called Power Query, a feature that lets users connect their spreadsheets with other structured and unstructured data sources, to remotely drop and run malware on a user's system to escalate privileges and other malicious activity. For an attack to work, a threat actor would need to send a crafted Excel file to the victim via a phishing email or use some other social engineering tactic to get that person to open the document. At that point, the document would make a query or request for the malicious payload hosted on the web page.
−#[https://www.securityweek.com/italy-fines-facebook-over-cambridge-analytica-case Italy Fines Facebook Over Cambridge Analytica Case] -
+#[https://medium.com/swlh/you-have-no-right-to-privacy-b90e9c5b310 You Have No Right to Privacy] - Mark Zuckerberg declares that privacy is a core and fundamental part of Facebook’s vision, but we are now discovering that its lawyers state that Facebook users have no right to privacy. Representing Facebook before U.S. District Judge Vince Chhabria was Orin Snyder of Gibson Dunn & Crutcher, who claimed that the plaintiffs’ charges of privacy invasion were invalid because Facebook users have no expectation of privacy on Facebook. The simple act of using Facebook, Snyder claimed, negated any user’s expectation of privacy. This is why I do not use Facebook. In a related story, [https://www.securityweek.com/italy-fines-facebook-over-cambridge-analytica-case Italy Fines Facebook Over Cambridge Analytica Case]. Italy's data protection watchdog slammed Facebook with a fine of one million euros ($1.1 million) for violating privacy laws over the Cambridge Analytica scandal. Facebook's controversy will continue...
−#[https://www.securityweek.com/senate-report-shows-decade-long-failure-gov-agencies-protect-personal-data Senate Report Shows Decade-Long Failure of Gov Agencies to Protect Personal Data] -
+#[https://www.securityweek.com/senate-report-shows-decade-long-failure-gov-agencies-protect-personal-data Senate Report Shows Decade-Long Failure of Gov Agencies to Protect Personal Data] - And it looks like Facebook is not alone. A new report from the U.S. Senate’s Committee on Homeland Security and Governmental Affairs has revealed the decade-long failure of several important federal agencies to secure their systems and protect sensitive and personal information. According to the report, the Department of State, the Department of Transportation, the Department of Housing and Urban Development, the Department of Agriculture, the Department of Health and Human Services, the Department of Education, and the Social Security Administration all failed to ensure adequate protection for personal information. According to Rob Portman, chairman of the Permanent Subcommittee on Investigations, “After a decade of negligence, our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft. The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats.”
−#[https://nakedsecurity.sophos.com/2019/07/01/cloud-computing-giant-pcm-hacked/ Cloud computing giant PCM hacked] -
+#[https://nakedsecurity.sophos.com/2019/07/01/cloud-computing-giant-pcm-hacked/ Cloud computing giant PCM hacked] - A hacking group has gained access to the internal infrastructure of large cloud services provider PCM. Discovered in mid-May, the attackers stole administrative credentials for Office 365 accounts. After compromising a system, the group would use a custom version of Mimikatz to collect usernames and passwords from memory for organizations dealing in gift cards. That information would be used for money transfer services, payment processing services, and clearing houses to conduct gift card fraud. According to PCM, "no consumers’ personal information was accessed or acquired by an unauthorized party" and "[the] impact to its systems was limited, and the matter has been remediated."
−#[https://securityaffairs.co/wordpress/87734/data-breach/attunity-data-leak.html Attunity data leak: Netflix, Ford, TD Bank data exposed by Open AWS Buckets] -
+#[https://securityaffairs.co/wordpress/87734/data-breach/attunity-data-leak.html Attunity data leak: Netflix, Ford, TD Bank data exposed by Open AWS Buckets] - Attunity data integration and big data management firm , now owned by Qlik, exposed a significant amount of sensitive data through unprotected Amazon S3 buckets. The data leak was discovered on May 13 by UpGuard. According to UpGuard, "The total size is uncertain, but the researcher downloaded a sample of about a terabyte in size, including 750 gigabytes of compressed email backups.” The cause, a misconfiguration in Amazon S3, not a new problem, but one that AWS has added more visibility into. Yet another reason to manage your configurations, especially in the cloud.
−#[https://www.tripwire.com/state-of-security/featured/florida-pay-out-ransomware-gangs/ $1.1 million in two weeks – Florida cities pay out big to ransomware gangs] -
+#[https://www.tripwire.com/state-of-security/featured/florida-pay-out-ransomware-gangs/ $1.1 million in two weeks – Florida cities pay out big to ransomware gangs] - Less than a week after the city of Riviera Beach, 80 miles from Miami, unanimously voted to pay US $600,000 worth of Bitcoins to an extortionist who had locked their IT systems with ransomware, Lake City has come to the same decision. The small Northern Florida city will pay US $460,000 worth of Bitcoin to hackers in order to regain control of its email systems and servers. Fortunately, insurance is expected to pay all but US $10,000. With recent ransomware payouts, all cities and municipalities need to be prepared to defend against these attacks, including secure offsite backups of their systems and data.
−#[https://www.darkreading.com/attacks-breaches/new-exploit-for-microsoft-excel-power-query-/d/d-id/1335083 New Exploit for Microsoft Excel Power Query] -
 <!--<center>{{#ev:youtube|kcgvsi0Iqpk}}</center> -->

Revision as of 14:04, 2 July 2019

Recorded July 2, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Matt Alderman
    CEO at Security Weekly, Strategic Advisor, and Wizard of Entrepreneurship
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

    Security News

    1. Yubico Security Keys with a Crypto Flaw - Yubico is recalling a line of security keys used by the U.S. government due to a firmware flaw. YubiKey FIPS Series devices with firmware versions 4.4.2 and 4.4.4 generate cryptographic keys with reduced randomness. Security keys producing ECDSA signatures are in particular danger, since 80 of the 256 bits that generate the key remain static. The security keys in question are used by thousands of federal employees on a daily basis, letting them securely log on to their devices by issuing one-time passwords.
    2. Vulnerability in Medtronic insulin pumps allow hacking devices - Medtronic and the US government have warned that some Medtronic MiniMed insulin pumps are vulnerable to cyber attacks. The flaw, tracked as CVE-2019-10964, is an improper access control issue: an attacker with adjacent access to a vulnerable pump could interfere with the wireless RF (radio frequency) communications to or from the product in order to inject, replay, modify, and/or intercept data. According to the FDA, Medtronic has identified 4,000 patients who are potentially using insulin pumps affected by the flaw. The fix is to provide affected patients with an alternate, more secure insulin pump.
    3. New Exploit for Microsoft Excel Power Query - The proof of concept, which allows remote code execution, is the latest to exploit Dynamic Data Exchange (DDE) and is another reminder of why organizations must ensure their Office settings are secure. Researchers at Mimecast have developed a working proof of concept showing how attackers can use a legitimate Microsoft Excel function called Power Query, a feature that lets users connect their spreadsheets to other structured and unstructured data sources, to remotely drop and run malware on a user's system, escalate privileges, and carry out other malicious activity. For the attack to work, a threat actor would need to send a crafted Excel file to the victim via a phishing email or use some other social engineering tactic to get that person to open the document. At that point, the document would make a query or request for the malicious payload hosted on a web page.
    4. You Have No Right to Privacy - Mark Zuckerberg declares that privacy is a core and fundamental part of Facebook’s vision, but we are now discovering that its lawyers state that Facebook users have no right to privacy. Representing Facebook before U.S. District Judge Vince Chhabria was Orin Snyder of Gibson Dunn & Crutcher, who claimed that the plaintiffs’ charges of privacy invasion were invalid because Facebook users have no expectation of privacy on Facebook. The simple act of using Facebook, Snyder claimed, negated any user’s expectation of privacy. This is why I do not use Facebook. In a related story, Italy Fines Facebook Over Cambridge Analytica Case. Italy's data protection watchdog slammed Facebook with a fine of one million euros ($1.1 million) for violating privacy laws over the Cambridge Analytica scandal. Facebook's controversy will continue...
    5. Senate Report Shows Decade-Long Failure of Gov Agencies to Protect Personal Data - And it looks like Facebook is not alone. A new report from the U.S. Senate’s Committee on Homeland Security and Governmental Affairs has revealed the decade-long failure of several important federal agencies to secure their systems and protect sensitive and personal information. According to the report, the Department of State, the Department of Transportation, the Department of Housing and Urban Development, the Department of Agriculture, the Department of Health and Human Services, the Department of Education, and the Social Security Administration all failed to ensure adequate protection for personal information. According to Rob Portman, chairman of the Permanent Subcommittee on Investigations, “After a decade of negligence, our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft. The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats.”
    6. Cloud computing giant PCM hacked - A hacking group has gained access to the internal infrastructure of large cloud services provider PCM. Discovered in mid-May, the attackers stole administrative credentials for Office 365 accounts. After compromising a system, the group would use a custom version of Mimikatz to collect usernames and passwords from memory at organizations dealing in gift cards. That information would then be used with money transfer services, payment processing services, and clearing houses to conduct gift card fraud. According to PCM, "no consumers’ personal information was accessed or acquired by an unauthorized party" and "[the] impact to its systems was limited, and the matter has been remediated."
    7. Attunity data leak: Netflix, Ford, TD Bank data exposed by Open AWS Buckets - Attunity, a data integration and big data management firm now owned by Qlik, exposed a significant amount of sensitive data through unprotected Amazon S3 buckets. The data leak was discovered on May 13 by UpGuard. According to UpGuard, "The total size is uncertain, but the researcher downloaded a sample of about a terabyte in size, including 750 gigabytes of compressed email backups." The cause was a misconfiguration in Amazon S3: not a new problem, but one that AWS has since given more visibility into. Yet another reason to manage your configurations, especially in the cloud.
    8. $1.1 million in two weeks – Florida cities pay out big to ransomware gangs - Less than a week after the city of Riviera Beach, 80 miles from Miami, unanimously voted to pay US $600,000 worth of Bitcoin to an extortionist who had locked its IT systems with ransomware, Lake City has come to the same decision. The small northern Florida city will pay US $460,000 worth of Bitcoin to hackers in order to regain control of its email systems and servers. Fortunately, insurance is expected to cover all but US $10,000. With these recent ransomware payouts, all cities and municipalities need to be prepared to defend against such attacks, including by keeping secure offsite backups of their systems and data.
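The Attunity item above comes down to an S3 bucket that anyone on the internet could read, which is a configuration problem that can be audited rather than guessed at. The Python below is an added example, not code from this page, from UpGuard, or from AWS: it checks the three places an S3 bucket can become public (the bucket ACL, the bucket policy, and the account/bucket Public Access Block settings) against constructed sample responses in the shape that boto3's get_bucket_acl, get_bucket_policy and get_public_access_block return. The bucket name example-backups and every sample value are invented for the example.

```python
"""Audit an S3 bucket's ACL, bucket policy and Public Access Block settings for public exposure.

Added example for the Attunity S3 data leak item; not from the page, UpGuard or AWS.
The sample responses at the bottom are constructed, in the shape boto3 returns them.
"""
import json

# Canned ACL grantee URIs meaning "everyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four Public Access Block settings; all four should be True on a bucket that is not meant to be public.
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Return (grantee URI, permission) for every ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_everyone(principal):
    # A bucket policy can spell the wildcard principal as "*", {"AWS": "*"} or {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return the Sid (or index) of each Allow statement granted to everyone with no Condition."""
    policy = json.loads(policy_json) if policy_json else {}
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements  # single statement may be a dict
    findings = []
    for i, stmt in enumerate(statements):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_everyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def disabled_public_access_blocks(pab):
    """Return the Public Access Block settings that are off; a missing configuration counts as all off."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [name for name in PAB_SETTINGS if not cfg.get(name, False)]


def audit_bucket(name, acl, pab, policy_json):
    """Combine the three checks into one list of readable findings for the bucket."""
    findings = []
    for uri, perm in public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    for sid in public_policy_statements(policy_json):
        findings.append(f"{name}: bucket policy {sid} allows Principal * without a Condition")
    for setting in disabled_public_access_blocks(pab):
        findings.append(f"{name}: Public Access Block setting {setting} is disabled")
    return findings


# Constructed sample responses for a hypothetical exposed bucket (not real data).
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
]})

if __name__ == "__main__":
    for line in audit_bucket("example-backups", SAMPLE_ACL, SAMPLE_PAB, SAMPLE_POLICY):
        print(line)
```

To run this against real buckets, replace the constructed samples with the results of the three boto3 calls named in the lead-in; a bucket with no policy or no Public Access Block configuration makes those calls raise a ClientError, and the right handling is to pass an empty policy and no configuration, so the missing block shows up as all four settings disabled rather than as a clean result.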


    Expert Commentary - Jason Wood, Paladin Security
