Difference between revisions of "HNNEpisode226"

From Security Weekly Wiki
Line 19: Line 19:

==Security News==
<!-- #[https://www.schneier.com/blog/archives/2019/07/yubico_security.html Yubico Security Keys with a Crypto Flaw] - Yubico is recalling a line of security keys used by the U.S. government due to a firmware flaw. The YubiKey FIPS Series devices with firmware versions 4.4.2 and 4.4.4 have a reduced randomness of the cryptographic keys it generates. Security keys with ECDSA signatures are in particular danger since 80 bits of the 256 bits that generate the key remain static. The security keys in question are used by thousands of federal employees on a daily basis, letting them securely log-on to their devices by issuing one-time passwords.
+
# [https://securityaffairs.co/wordpress/87895/breaking-news/cve-2017-11774-apt33-attacks.html US Cyber Command warns of Iran-linked hackers exploiting Outlook] - US Cyber Command posted on Twitter an alert about cyber attacks exploiting the CVE-2017-11774 vulnerability in Outlook. The timing of this alert raised eyebrows in the security community, as exploitation of CVE-2017-11774 is a favorite technique of APT-33, the Iranian backed hacking group. The flaw is a sandbox escape bug in Outlook that allows an attacker who already possesses the victim's Outlook credentials to change the user's home page. That page, in turn, can have embedded code that downloads and executes malware when Outlook is opened. Fortunately, the bug was patched by Microsoft in October of 2017, as long as you patch your systems...
#[https://securityaffairs.co/wordpress/87756/hacking/medtronic-insulin-pumps.html Vulnerability in Medtronic insulin pumps allow hacking devices] - Medtronic and the US government have warned that some Medtronic MiniMed insulin pumps are vulnerable to cyber attacks. The flaw, known as CVE-2019-10964, is an improper access control issue that could be exploited by an attacker to inject, replay, modify, and/or intercept data by having adjacent access to one of the vulnerable insulin pumps to interfere with the wireless RF (radio frequency) communications to or from the product. According to FDA, Medtronic has identified 4,000 patients who are potentially using insulin pumps affected by the flaw. The fix is providing an alternate insulin pump, which is more secure, to patients.
+
# [https://www.scmagazine.com/home/security-news/iot/d-link-agrees-to-overhaul-security-in-ftc-settlement/ D-Link agrees to overhaul security in FTC Settlement] - D-Link has agreed to implement a comprehensive security program to settle accusations by the U.S. Federal Trade Commission (FTC) claiming that the company failed to implement proper security mechanisms in its routers and IP cameras.  The case stems from a 2017 complaint where the FTC stated the company failed to perform basic secure software development, including testing and remediation to address well-known and preventable security flaws, including the use of hard-coded login credentials and storing login credentials in clear, readable text on mobile devices. Additionally, D-Link will have to obtain independent assessments of its security program every two years over the next 10 years.
#[https://www.darkreading.com/attacks-breaches/new-exploit-for-microsoft-excel-power-query-/d/d-id/1335083 New Exploit for Microsoft Excel Power Query] - Proof-of-concept, which allows remote code execution, is latest to exploit Dynamic Data Exchange (DDE) and is another reminder why organizations must ensure Office settings are secure. Researchers at Mimecast have developed a working proof of concept that shows how attackers can use a legitimate function in Microsoft Excel called Power Query, a feature that lets users connect their spreadsheets with other structured and unstructured data sources, to remotely drop and run malware on a user's system to escalate privileges and other malicious activity. For an attack to work, a threat actor would need to send a crafted Excel file to the victim via a phishing email or use some other social engineering tactic to get that person to open the document. At that point, the document would make a query or request for the malicious payload hosted on the web page.
+
# [https://www.darkreading.com/attacks-breaches/new-wannahydra-malware-a-triple-threat-to-android/d/d-id/1335148 New "WannaHydra" malware a triple threat to Android] - The latest variant of WannaLocker is a banking Trojan, spyware tool, and ransomware. The three-pronged threat, which Avast calls WannaHydra, is currently targeting users of four major banks in Brazil. But if it takes off, the malware could prove to be a major issue for Android users everywhere. The latest version works by presenting users with a fake message urging them to sign into their accounts to address some account-related issue. Once installed, the malware collects device manufacturer, phone number, text messages, call log, photos, contact list, microphone audio data, and GPS location information. To avoid infection, Android users should only download apps from trusted developers on certified app stores, like Google Play, and verify number of downloads and reviews.
#[https://medium.com/swlh/you-have-no-right-to-privacy-b90e9c5b310 You Have No Right to Privacy] - Mark Zuckerberg declares that privacy is a core and fundamental part of Facebook’s vision, but we are now discovering that its lawyers state that Facebook users have no right to privacy. Representing Facebook before U.S. District Judge Vince Chhabria was Orin Snyder of Gibson Dunn & Crutcher, who claimed that the plaintiffs’ charges of privacy invasion were invalid because Facebook users have no expectation of privacy on Facebook. The simple act of using Facebook, Snyder claimed, negated any user’s expectation of privacy. This is why I do not use Facebook. In a related story, [https://www.securityweek.com/italy-fines-facebook-over-cambridge-analytica-case Italy Fines Facebook Over Cambridge Analytica Case]. Italy's data protection watchdog slammed Facebook with a fine of one million euros ($1.1 million) for violating privacy laws over the Cambridge Analytica scandal. Facebook's controversy will continue...
+
# [https://thehackernews.com/2019/07/christmas-ddos-attacks.html DDoS attacker who ruined gamers' Christmas gets 27 months in prison] - Austin Thompson, the 23 year old hacker from Utah, who carried out massive DDoS attacks on Sony, EA, and Steam, gets a 27-month prison sentence. The hacker, a.k.a. "DerpTroll," pledged guilty back in November 2018 after he admitted to being a part of DerpTrolling, a hacker group that was behind the DDoS attacks. In addition to the prison sentence, Thompson was also ordered to pay $95,000 in restitution to one of the victims –  Daybreak Games, formerly Sony Online Entertainment.  Thompson is currently free on bond and has been ordered to surrender to authorities on August 23, 2019 in order to begin his sentence.
#[https://www.securityweek.com/senate-report-shows-decade-long-failure-gov-agencies-protect-personal-data Senate Report Shows Decade-Long Failure of Gov Agencies to Protect Personal Data] - And it looks like Facebook is not alone. A new report from the U.S. Senate’s Committee on Homeland Security and Governmental Affairs has revealed the decade-long failure of several important federal agencies to secure their systems and protect sensitive and personal information. According to the report, the Department of State, the Department of Transportation, the Department of Housing and Urban Development, the Department of Agriculture, the Department of Health and Human Services, the Department of Education, and the Social Security Administration all failed to ensure adequate protection for personal information.  According to Rob Portman, chairman of the Permanent Subcommittee on Investigations, “After a decade of negligence, our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft. The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats.”
+
# [https://www.securityweek.com/canonical-github-account-hijacked Canonical GitHub Account Hijacked] - Canonical, the company behind the Ubuntu operating system, confirmed over the weekend that one of its GitHub accounts was hacked. According to Canonical, "there was a Canonical owned account on GitHub whose credentials were compromised and used to create repositories and issues among other activities" on July 6. "Canonical has removed the compromised account from the Canonical organization in GitHub and is still investigating the extent of the breach, but there is no indication at this point that any source code or PII was affected. Furthermore, the Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub."
#[https://nakedsecurity.sophos.com/2019/07/01/cloud-computing-giant-pcm-hacked/ Cloud computing giant PCM hacked] - A hacking group has gained access to the internal infrastructure of large cloud services provider PCM.  Discovered in mid-May, the attackers stole administrative credentials for Office 365 accounts. After compromising a system, the group would use a custom version of Mimikatz to collect usernames and passwords from memory for organizations dealing in gift cards. That information would be used for money transfer services, payment processing services, and clearing houses to conduct gift card fraud. According to PCM, "no consumers’ personal information was accessed or acquired by an unauthorized party" and "[the] impact to its systems was limited, and the matter has been remediated."
+
# [https://threatpost.com/post-data-breach-british-airways-slapped-with-record-230m-fine/146272/ British Airways slapped with record $230M fine] - A proposed $230 million fine on British Airways after a data breach would be the biggest GDPR penalty yet. On Monday, the Information Commissioner’s Office (ICO), a U.K. privacy watchdog organization, said it will fine British Airways $230.5 million for infringements of GDPR. In September 2018, British Airways experienced a data breach that impacted 500,000 customers. The fine would be the largest levied by GDPR, surpassing the fine against Google for $57M. Privacy experts say that the penalty represents a “wake-up” call for companies when it comes to ramifications for data privacy incidents.
#[https://securityaffairs.co/wordpress/87734/data-breach/attunity-data-leak.html Attunity data leak: Netflix, Ford, TD Bank data exposed by Open AWS Buckets] - Attunity data integration and big data management firm , now owned by Qlik, exposed a significant amount of sensitive data through unprotected Amazon S3 buckets. The data leak was discovered on May 13 by UpGuard. According to UpGuard, "The total size is uncertain, but the researcher downloaded a sample of about a terabyte in size, including 750 gigabytes of compressed email backups.The cause, a misconfiguration in Amazon S3, not a new problem, but one that AWS has added more visibility into.  Yet another reason to manage your configurations, especially in the cloud.
+
# [https://threatpost.com/apple-patches-imessage-bug/146277/ Apple Patches iMessage Bug That Bricks iPhones with Out-of-Date Software] - Google Project Zero finds Apple iMessage bug that bricks iPhones running older versions of the company’s iOS software. Apple patched a high-severity iMessage bug in iOS 12.3 on May 13, 2019 that can be exploited by an attacker who sends a specially-crafted message to a vulnerable iOS device. iOS devices receiving the malicious message are rendered inoperable, or bricked. The proof-of-concept attack method targets “A method in IMCore [that] can throw an NSException due to a malformed message containing a property with key IMExtensionPayloadLocalizedDescriptionTextKey with a value that is not a NSString. As of last month, 47 percent of iOS devices worldwide are running a vulnerable version of iOS. It's time to update your iOS devices...
#[https://www.tripwire.com/state-of-security/featured/florida-pay-out-ransomware-gangs/ $1.1 million in two weeks – Florida cities pay out big to ransomware gangs] - Less than a week after the city of Riviera Beach, 80 miles from Miami, unanimously voted to pay US $600,000 worth of Bitcoins to an extortionist who had locked their IT systems with ransomware, Lake City has come to the same decision. The small Northern Florida city will pay US $460,000 worth of Bitcoin to hackers in order to regain control of its email systems and servers. Fortunately, insurance is expected to pay all but US $10,000. With recent ransomware payouts, all cities and municipalities need to be prepared to defend against these attacks, including secure offsite backups of their systems and data. -->
 
  
 
  <!--<center>{{#ev:youtube|kcgvsi0Iqpk}}</center> -->
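Review bot: the added blank lines sit between consecutive `#` list items, and MediaWiki ends an ordered list at a blank line, so once this block is uncommented each item after a blank line would render as a new list restarting at 1 rather than as items 1 through 15; keep the items on consecutive lines (or separate them with a comment line instead of a blank one) if the numbering matters. Two entries also carry unclosed quotations: the UpGuard quote in the Attunity entry ("The total size is uncertain ... email backups.") runs into the next sentence without a closing quote, and the Project Zero quote in the Apple entry ends after "NSString" without one.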
 

Revision as of 21:18, 8 July 2019

Recorded July 9, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Matt Alderman
    CEO at Security Weekly, Strategic Advisor, and Wizard of Entrepreneurship
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

    Security News

    1. US Cyber Command warns of Iran-linked hackers exploiting Outlook - US Cyber Command posted on Twitter an alert about cyber attacks exploiting the CVE-2017-11774 vulnerability in Outlook. The timing of this alert raised eyebrows in the security community, as exploitation of CVE-2017-11774 is a favorite technique of APT-33, the Iranian-backed hacking group. The flaw is a sandbox escape bug in Outlook that allows an attacker who already possesses the victim's Outlook credentials to change the user's home page. That page, in turn, can have embedded code that downloads and executes malware when Outlook is opened. Fortunately, the bug was patched by Microsoft in October of 2017, as long as you patch your systems...
    2. D-Link agrees to overhaul security in FTC Settlement - D-Link has agreed to implement a comprehensive security program to settle accusations by the U.S. Federal Trade Commission (FTC) claiming that the company failed to implement proper security mechanisms in its routers and IP cameras. The case stems from a 2017 complaint where the FTC stated the company failed to perform basic secure software development, including testing and remediation to address well-known and preventable security flaws, including the use of hard-coded login credentials and storing login credentials in clear, readable text on mobile devices. Additionally, D-Link will have to obtain independent assessments of its security program every two years over the next 10 years.
    3. New "WannaHydra" malware a triple threat to Android - The latest variant of WannaLocker is a banking Trojan, spyware tool, and ransomware. The three-pronged threat, which Avast calls WannaHydra, is currently targeting users of four major banks in Brazil. But if it takes off, the malware could prove to be a major issue for Android users everywhere. The latest version works by presenting users with a fake message urging them to sign into their accounts to address some account-related issue. Once installed, the malware collects device manufacturer, phone number, text messages, call log, photos, contact list, microphone audio data, and GPS location information. To avoid infection, Android users should only download apps from trusted developers on certified app stores, like Google Play, and verify the number of downloads and reviews.
    4. DDoS attacker who ruined gamers' Christmas gets 27 months in prison - Austin Thompson, the 23-year-old hacker from Utah, who carried out massive DDoS attacks on Sony, EA, and Steam, gets a 27-month prison sentence. The hacker, a.k.a. "DerpTroll," pleaded guilty back in November 2018 after he admitted to being a part of DerpTrolling, a hacker group that was behind the DDoS attacks. In addition to the prison sentence, Thompson was also ordered to pay $95,000 in restitution to one of the victims – Daybreak Games, formerly Sony Online Entertainment. Thompson is currently free on bond and has been ordered to surrender to authorities on August 23, 2019 in order to begin his sentence.
    5. Canonical GitHub Account Hijacked - Canonical, the company behind the Ubuntu operating system, confirmed over the weekend that one of its GitHub accounts was hacked. According to Canonical, "there was a Canonical owned account on GitHub whose credentials were compromised and used to create repositories and issues among other activities" on July 6. "Canonical has removed the compromised account from the Canonical organization in GitHub and is still investigating the extent of the breach, but there is no indication at this point that any source code or PII was affected. Furthermore, the Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub."
    6. British Airways slapped with record $230M fine - A proposed $230 million fine on British Airways after a data breach would be the biggest GDPR penalty yet. On Monday, the Information Commissioner’s Office (ICO), a U.K. privacy watchdog organization, said it will fine British Airways $230.5 million for infringements of GDPR. In September 2018, British Airways experienced a data breach that impacted 500,000 customers. The fine would be the largest levied by GDPR, surpassing the fine against Google for $57M. Privacy experts say that the penalty represents a “wake-up” call for companies when it comes to ramifications for data privacy incidents.
    7. Apple Patches iMessage Bug That Bricks iPhones with Out-of-Date Software - Google Project Zero finds Apple iMessage bug that bricks iPhones running older versions of the company’s iOS software. Apple patched a high-severity iMessage bug in iOS 12.3 on May 13, 2019 that can be exploited by an attacker who sends a specially crafted message to a vulnerable iOS device. iOS devices receiving the malicious message are rendered inoperable, or bricked. The proof-of-concept attack method targets “A method in IMCore [that] can throw an NSException due to a malformed message containing a property with key IMExtensionPayloadLocalizedDescriptionTextKey with a value that is not a NSString.” As of last month, 47 percent of iOS devices worldwide are running a vulnerable version of iOS. It's time to update your iOS devices...
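The Apple item above describes a crash caused by a message property whose value had the wrong type. The Python snippet below is an added illustration of that failure class next to its fail-closed counterpart; it is not Apple's code and not part of the show notes. The property key is the one quoted in the report; the schema, the two handlers, and the sample messages are constructed for the example, and Python stands in for the Objective-C handler the report describes.

```python
# Added illustration (not Apple's code): the failure class behind the iMessage
# bricking bug is a message property whose value has an unexpected type.
# The key name is the one quoted in the report; the schema, handlers and
# sample messages below are assumptions made for this example.
from typing import Any, Dict, List

LOCALIZED_KEY = "IMExtensionPayloadLocalizedDescriptionTextKey"

# Expected types for the properties this toy handler understands (assumed schema).
SCHEMA: Dict[str, type] = {
    "sender": str,
    "body": str,
    LOCALIZED_KEY: str,
}


def handle_naive(message: Dict[str, Any]) -> str:
    """'Before' form: trusts the property's type and crashes on a malformed value.

    A crash in a process that re-parses the same stored message on every
    restart is how one bad message turns into an unusable device.
    """
    description = message[LOCALIZED_KEY]
    # Calling a str method on a non-str raises AttributeError here,
    # the analogue of the NSException named in the report.
    return "Extension: " + description.strip()


def validate(message: Dict[str, Any]) -> List[str]:
    """Return the list of schema violations; an empty list means the message is well formed."""
    problems: List[str] = []
    for key, expected in SCHEMA.items():
        if key not in message:
            problems.append(f"missing property {key}")
        elif not isinstance(message[key], expected):
            problems.append(
                f"property {key} has type {type(message[key]).__name__}, "
                f"expected {expected.__name__}"
            )
    return problems


def handle_hardened(message: Dict[str, Any]) -> Dict[str, Any]:
    """'After' form: validate first, then fail closed on a malformed message.

    Rejected messages are reported as a result, not re-raised, so a single
    bad message cannot take the whole handler down.
    """
    problems = validate(message)
    if problems:
        return {"ok": False, "errors": problems}
    return {"ok": True, "text": "Extension: " + message[LOCALIZED_KEY].strip()}


def naive_crashes(message: Dict[str, Any]) -> bool:
    """Report whether the naive handler raises on this message (demo helper)."""
    try:
        handle_naive(message)
    except (AttributeError, KeyError, TypeError):
        return True
    return False


# Constructed sample inputs for the example.
GOOD_MESSAGE = {"sender": "alice", "body": "hi", LOCALIZED_KEY: " Shared a photo "}
# Malformed: the localized description is a list, not a string.
BAD_MESSAGE = {"sender": "bob", "body": "hi", LOCALIZED_KEY: ["not", "a", "string"]}

if __name__ == "__main__":
    print(handle_hardened(GOOD_MESSAGE))
    print(handle_hardened(BAD_MESSAGE))
    print("naive handler crashes on the malformed message:", naive_crashes(BAD_MESSAGE))
```

Running the block shows the hardened handler accepting the well-formed message and returning a structured rejection for the malformed one, while the naive handler raises on it. The design point is that untrusted message properties are checked against an expected type before any method is called on them, and a violation becomes a result the caller can log and drop rather than an exception that recurs each time the message is reparsed.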


    Expert Commentary: Jason Wood, Paladin Security
