Recorded July 9, 2019 at G-Unit Studios in Rhode Island!
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
- US Cyber Command warns of Iran-linked hackers exploiting Outlook - US Cyber Command posted on Twitter an alert about cyber attacks exploiting the CVE-2017-11774 vulnerability in Outlook. The timing of this alert raised eyebrows in the security community, as exploitation of CVE-2017-11774 is a favorite technique of APT-33, the Iranian-backed hacking group. The flaw is a sandbox escape bug in Outlook that allows an attacker who already possesses the victim's Outlook credentials to change the user's home page. That page, in turn, can have embedded code that downloads and executes malware when Outlook is opened. Fortunately, Microsoft patched the bug in October of 2017, so you are covered as long as you patch your systems...
- D-Link agrees to overhaul security in FTC Settlement - D-Link has agreed to implement a comprehensive security program to settle accusations by the U.S. Federal Trade Commission (FTC) claiming that the company failed to implement proper security mechanisms in its routers and IP cameras. The case stems from a 2017 complaint where the FTC stated the company failed to perform basic secure software development, including testing and remediation to address well-known and preventable security flaws, including the use of hard-coded login credentials and storing login credentials in clear, readable text on mobile devices. Additionally, D-Link will have to obtain independent assessments of its security program every two years over the next 10 years.
- New "WannaHydra" malware a triple threat to Android - The latest variant of WannaLocker is a banking Trojan, spyware tool, and ransomware. The three-pronged threat, which Avast calls WannaHydra, is currently targeting users of four major banks in Brazil. But if it takes off, the malware could prove to be a major issue for Android users everywhere. The latest version works by presenting users with a fake message urging them to sign into their accounts to address some account-related issue. Once installed, the malware collects device manufacturer, phone number, text messages, call log, photos, contact list, microphone audio data, and GPS location information. To avoid infection, Android users should only download apps from trusted developers on certified app stores, like Google Play, and verify the number of downloads and reviews.
- DDoS attacker who ruined gamers' Christmas gets 27 months in prison - Austin Thompson, the 23-year-old hacker from Utah who carried out massive DDoS attacks on Sony, EA, and Steam, gets a 27-month prison sentence. The hacker, a.k.a. "DerpTroll," pleaded guilty back in November 2018 after he admitted to being a part of DerpTrolling, a hacker group that was behind the DDoS attacks. In addition to the prison sentence, Thompson was also ordered to pay $95,000 in restitution to one of the victims – Daybreak Games, formerly Sony Online Entertainment. Thompson is currently free on bond and has been ordered to surrender to authorities on August 23, 2019 in order to begin his sentence.
- Canonical GitHub Account Hijacked - Canonical, the company behind the Ubuntu operating system, confirmed over the weekend that one of its GitHub accounts was hacked. According to Canonical, "there was a Canonical owned account on GitHub whose credentials were compromised and used to create repositories and issues among other activities" on July 6. "Canonical has removed the compromised account from the Canonical organization in GitHub and is still investigating the extent of the breach, but there is no indication at this point that any source code or PII was affected. Furthermore, the Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub."
- British Airways slapped with record $230M fine - A proposed $230 million fine on British Airways after a data breach would be the biggest GDPR penalty yet. On Monday, the Information Commissioner’s Office (ICO), a U.K. privacy watchdog organization, said it will fine British Airways $230.5 million for infringements of GDPR. In September 2018, British Airways experienced a data breach that impacted 500,000 customers. The fine would be the largest levied under GDPR, surpassing the fine against Google for $57M. Privacy experts say that the penalty represents a “wake-up” call for companies when it comes to ramifications for data privacy incidents.
- Apple Patches iMessage Bug That Bricks iPhones with Out-of-Date Software - Google Project Zero finds Apple iMessage bug that bricks iPhones running older versions of the company’s iOS software. Apple patched a high-severity iMessage bug in iOS 12.3 on May 13, 2019 that can be exploited by an attacker who sends a specially crafted message to a vulnerable iOS device. iOS devices receiving the malicious message are rendered inoperable, or bricked. The proof-of-concept attack method targets “A method in IMCore [that] can throw an NSException due to a malformed message containing a property with key IMExtensionPayloadLocalizedDescriptionTextKey with a value that is not a NSString.” As of last month, 47 percent of iOS devices worldwide are running a vulnerable version of iOS. It's time to update your iOS devices...