Archive | October, 2015

Don’t Listen to the FBI – Daily Security Byte EP. 168

At a small security conference in Boston, an FBI agent said that they often recommend that victims just pay the ransom associated with ransomware like CryptoWall and CryptoLocker. Watch today’s video to see what I think of this, and to get a small Halloween-themed surprise.

(Episode Runtime: 3:59)

Direct YouTube Link: https://www.youtube.com/watch?v=25ncoN7CDfk

— Corey Nachreiner, CISSP (@SecAdept)

The Three “Ps” of Cyber Protection

As October ends, so does National Cyber Security Awareness Month, and I recently had the opportunity to go over to KOMO Radio and talk about what I call the three “Ps” of protecting yourself from cyber crime.

To listen in on our conversation, click play below (or download the file [MP3] directly):

(Runtime: 2:27)

Don’t have time right now to listen? Here’s a summary:

  • Patches – Though the numbers change from year to year, experts estimate that around 90% of the exploits bad guys use prey on vulnerabilities that software companies have already fixed. If you set yourself up for automatic updates, you eliminate those threats.
  • Passwords – It’s not enough to have one long, strong password. You need to use different passwords for different accounts. Try using a password management tool, passphrase, or best yet, multifactor authentication whenever possible.
  • Precaution – This is really about using common sense. How often are things free? Do I really have a long lost relative who is Nigerian royalty? If it doesn’t make sense, don’t click the link or launch the program.

— Corey Nachreiner, CISSP (@SecAdept)

Emergency Shockwave Update – Daily Security Byte EP. 167

If you use Adobe Shockwave, it’s time to patch. This week, Adobe released an out-of-cycle update fixing a critical flaw in the popular multimedia player. Watch the video to learn more, including why I recommend against Shockwave.

(Episode Runtime: 1:10)

Direct YouTube Link: https://www.youtube.com/watch?v=LFKIM8k8nf8

— Corey Nachreiner, CISSP (@SecAdept)

TalkTalk Hacked by Teenager? – Daily Security Byte EP. 166

Last week, TalkTalk suffered a data breach for the third time this year. It took a while for the details to surface, but it looks like the attackers exploited a SQL injection flaw in TalkTalk’s website to steal 4M customers’ personally identifying information. Watch today’s video to learn the latest news about this breach, and what you should do if you’re a victim.

(Episode Runtime: 3:32)

Direct YouTube Link: https://www.youtube.com/watch?v=IQhwPq24khk

— Corey Nachreiner, CISSP (@SecAdept)

PWNed CIA, hacked Fitbit, and Fake Chrome – WSWiR Episode 167

Are you feeling overwhelmed by your normal IT job, but wish you had time to keep up with information security (infosec)? No worries! Let our weekly security video fill you in. Every Monday, I quickly summarize the biggest network and information security stories from the previous week, so you can keep up with the latest threats.

Today’s episode includes a story about a teenager hacking the CIA Director’s email, a new Fitbit hack, a malicious Chrome lookalike, and lots of patches. Press play to learn more, and check the references for other stories.

(Episode Runtime: 13:27)

Direct YouTube Link: https://www.youtube.com/watch?v=aqb7WIjuv94

— Corey Nachreiner, CISSP (@SecAdept)

Overstated Fitbit Hack – Daily Security Byte EP. 165

This week, the media was all over a Fitbit hack that allegedly could transfer malware from an infected Fitbit to a victim computer. However, the research, though interesting, didn’t deliver on this nightmare scenario. Watch today’s video to learn what the discoverer really did, and what some news stories are overstating.

(Episode Runtime: 4:58)

Direct YouTube Link: https://www.youtube.com/watch?v=jHYbLgKxg6E

— Corey Nachreiner, CISSP (@SecAdept)

Apple’s October Updates – Daily Security Byte EP. 164

Are you an Apple fan, or do you at least use Safari or iTunes for Windows? If so, yesterday was Apple patch day. If you haven’t updated yet, watch today’s video to learn what you’re missing.

(Episode Runtime: 1:08)

Direct YouTube Link: https://www.youtube.com/watch?v=AMSg5eyRynI

— Corey Nachreiner, CISSP (@SecAdept)

Malicious Chrome Look-alike – Daily Security Byte EP. 163

Have you installed free software lately? If so, there’s a chance you might think you’re surfing with Chrome, but in reality a look-alike browser is snooping on your web connections and forcing ads on you. In today’s video, I discuss eFast browser, a potentially unwanted program (PUP) shipping with certain free software installers.

Show note: I’m traveling tomorrow, and may not be able to post a daily video. If not, I’ll return Friday.

(Episode Runtime: 3:00)

Direct YouTube Link: https://www.youtube.com/watch?v=Ez1CwTwQwzI

— Corey Nachreiner, CISSP (@SecAdept)

Oracle CPU for Oct. 2015 – Daily Security Byte EP. 162

Oracle follows a quarterly patch cycle, and today they released their big Critical Patch Update (CPU) for October 2015. Since they only update four times a year, they tend to release tons of patches at once. Today’s update fixes 154 vulnerabilities in a wide selection of their products, from MySQL to the Siebel CRM. Most importantly, they also released a Java update. If you use Oracle products, watch today’s video to learn more about the scope and impact of today’s CPU.

(Episode Runtime: 2:00)

Direct YouTube Link: https://www.youtube.com/watch?v=o4sfU3uS_mw

— Corey Nachreiner, CISSP (@SecAdept)

CIA Director’s Email Hacked – Daily Security Byte EP. 161

Lately, the nation has been criticizing Hillary Clinton for running an insecure personal email server. However, she’s apparently not the only government employee with insecure email practices. Today, a high school hacker claimed to have hijacked the personal email account of the Director of the CIA. Watch today’s episode to learn what sensitive documents the director shared with his personal email account, and how you might prevent this from happening at your organization.

(Episode Runtime: 2:54)

Direct YouTube Link: https://www.youtube.com/watch?v=34TbTEVkS5g

— Corey Nachreiner, CISSP (@SecAdept)