From Security Weekly WikiJump to navigationJump to search
Recorded December 10, 2019 at G-Unit Studios in Rhode Island!
- Register for one of our upcoming webcasts with Bryce Shroeder and Barbara Kay of ServiceNow, Kevin O'Brien of GreatHorn, or Steve Laubenstein of Core Security (or all of them!) by going to securityweekly.com -> Click the webcast dropdown & Select Registration! If you have missed any of our previously recorded webcasts, you can find our on-demand library by selecting on-demand from the webcast drop down! If you attend any of our webcasts, you will receive 1 CPE credit per webcast!
- How Panasonic is using internet honeypots to improve IoT device security - This is really cool: in order to ensure development teams have as much information about potential security vulnerabilities in products as possible, both unreleased and on-the-market products are placed in the honeypots, which are monitored to gain insight into how devices are attacked by real-world hackers. "We deploy our real appliances as a honeypot and we collect attacks and malware targeting our devices. We can deploy products under development as well," Osawa explained. The Panasonic IoT threat-intelligence platform has been active for two years and in that time the company has collected information on about 30 million cyberattacks and 4,000 kinds of IoT malware – all attacks that are targeting real devices put through the security tests.
- A new Windows 10 ransomware threat? Examining claims of a potentially unstoppable vulnerability - Lets clear up the sensational headline, first this is a vulnerability in Microsoft's CFA (Controlled Folder Access): The idea behind CFA is simple: if you haven’t prevented malware from executing on the system...CFA can at least provide protection by thwarting the main thing that ransomware does: encrypt key files. and an example of one of the bypass techniques is as follows: in the “RIPlace” technique, malicious code replaces the file with its encrypted version rather than deleting the file first. Based on conversations with Nyotron, this situation occurs due to an error in the way that CFA is monitoring files to protect them. Also important to note, Microsoft is not motivated to fix this issue.
- Birth Certificate Data Laid Bare on the Web in Multiple States - Basically someone is operating with their pants down and has no clue: The bucket contained more than 752,000 applications, with names, addresses, email, phone numbers, family member info, dates of birth and the reason for making the application. According to TechCrunch, which verified the data, the bucket is still open – and updates daily. In one week, it added 9,000 applications to the database. The owner didn’t respond to multiple contact efforts; Amazon said that it would notify the owner, but no action has been taken, according to Fidus. For that reason, the company has not been named.
- 'Hackable' karaoke and walkie talkie toys found by Which? - Looks like basic Bluetooth pairing vulnerabilities: A stranger could, for example, use a Vtech's KidiGear walkie talkie to pair to another one of the devices being used by a child - from a distance of up to 200m (656ft). The Bluetooth pairing of devices, however, would have to take place within a 30-second window, once the child's device was activated. and Which? also found that the Singing Machine SMK250PP karaoke machine had been designed so that a stranger could stream audio to a child from a distance of up to 10 metres because the Bluetooth connection did not ask for authentication.
- Linux Bug Opens Most VPNs to Hijacking - According to researchers at University of New Mexico and Breakpointing Bad, the bug (CVE-2019-14899), “allows…an attacker to determine if…a user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.” In an advisory released this week, they noted that once a proof-of-concept exploit allowed them to determine a VPN client’s virtual IP address and make inferences about active connections, they were then able to use encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of connections. These allowed them to hijack TCP sessions and inject data into the TCP stream.
- Microsoft to end updates to Windows 7's free AV software, Security Essentials - Let's face it, if you're still on Windows 7 you need something better than the built-in A/V from Microsoft: "No, your Windows 7 computer is not protected by MSE ((Microsoft Security Essentials)) after January 14, 2020," the company said in a support document mainly concerned about the Extended Security Updates (ESU) being shilled to enterprises. "MSE is unique to Windows 7 and follows the same lifecycle dates for support." Security Essentials, a free antivirus (AV) program that launched in 2008, was originally limited to consumers. However, in 2010, Microsoft expanded the licensing to small businesses, defined as those with 10 or fewer PCs. Two years after that, MSE was replaced by Windows Defender with the launch of Windows 8. Since then, Defender has been baked into each follow-up version of the OS, including Windows 10. Windows 7, though, has been stuck with MSE.
- New Office 365 Feature Provides Detailed Information on Email Attack Campaigns - Cool stuff: The capabilities will provide security teams with summary details about the campaign, including point of origin, pattern and timeline, size, and the number of victims. Additionally, it shows a list of IP addresses and senders, and data on messages that were blocked, ZAPped, sent to junk or quarantine, or allowed into the inbox. Campaign views will also include data on the URLs used in the attack. This information, Microsoft says, should help organizations more easily secure affected or vulnerable users, improve their security posture by eliminating configuration flaws, investigate related campaigns, and hunt and track threats that use the same indicators of compromise (IOC).
- Snatch ransomware pwns security using sneaky safe mode reboot - We covered this technique on Paul's Security Weekly Episode 482 with researchers from Cyberark Labs in September 2016.
- Google Confirms Critical Android 8, 9 And 10 Permanent Denial Of Service Threat - CVE-2019-2232 has been rated as the most severe of three critical vulnerabilities addressed in the December Android Security Bulletin. The official NIST National Vulnerability Database description of the vulnerability says that improper input validation in the "handleRun of TextLine.java" could create a "possible application crash." In other words, a maliciously-crafted message could cause a denial of service to your Android device. A permanent denial of service attack that could effectively kibosh your smartphone. "User interaction is not needed for exploitation," the description continues, and the remote denial of service attack needs "no additional execution privileges," for good measure. The vulnerability applies to Android 8.0, Android 8.1, Android 9 and Android 10 versions.