Black Hat & DEF CON Aftermath – WSWiR Episode 160

Two weeks ago, the Black Hat and DEF CON conferences unveiled tons of new security research, which means last week was packed with interesting security stories. If you find yourself falling behind on security news, and need a “one stop shop” to keep you up to date, this weekly video does just that.

Last week’s stories included many car hacks, a OS X firmware worm, a big UK breach, tons of patches, and more. If you don’t watch my Daily Bytes, you can catch up all at once with the weekly video below. More importantly, I couldn’t cover many other interesting stories from last week, so if you are interested in those, check out the Reference section below.

(Episode Runtime: 15:10)

Direct YouTube Link: https://www.youtube.com/watch?v=AAIiPp3os1k

EPISODE REFERENCES:

• Monday: Carphone Warehouse Gets Robbed – Daily Security Byte EP.122
  • Attackers steal 2.4M records from Carphone Warehouse – BBC
  • Carphone Warehouse releases breach FAQ for customers – CarPhone Warehouse
  • Talk Talk stored unprotected passwords – Computing
• Tuesday: Thunder Strikes Mac Firmware Again – Daily Security Byte EP.123
  • A new Black Hat 0day can brick your Mac – TechCrunch
  • Thunderstrike 2 infects Mac firmware – Ars Technica
  • Researcher’s post on Thunderstrike 2 – TRMM.net
  • ThunderStrike 2 detailed presentation – TRMM.net
• Wednesday: Piles of August Patches – Daily Security Byte EP.124
  • Microsoft Patch Day Summary for August 2015 – Microsoft
  • Adobe Flash security bulletin for August 2015 – Adobe
  • Get the latest Firefox security update, it’s big  – US-CERT
  • Apple’s security page, including August patches – Apple
• Thursday: Car Hacking Revolution – Daily Security Byte EP.125
  • The full detailed white paper on the Uconnect hack – Illmatics
  • After 2yrs, researchers can finally release a vulnerability Volkswagen sued to suppress – Ars Technica
  • Text message hacks a Corvette via an “insurance dongle”  – Wired
  • Tesla Model S hackable [Link removed due to reports of malicious ads] – Mashable 
  • Tesla already fixed this – Bloomberg
  • The OwnStar attack allows hackers to unlock many cars – Engadget
• Friday: Cisco iOS ROMMON hacks – Daily Security Byte EP.126
  • Cisco’s advisory on the mysterious iOS ROMMON attack – Cisco
  • Article covering this Cisco router attack – Ars Technica

EXTRAS:

• My episode 8 analysis of Mr. Robot’s Hacking accuracy – GeekWire
• Hacktivists deface Trump site to say Goodbye to Jon Stewart
  • Hacktivists hijack a Trump site to say goodbye to Jon Stewart – Motherboard
  • Archive post of Telecomix’s Stewart post at Trump – Archive.is
  • Interview with the Trump site defacers – Vice
  • Telecomix’s Pastebin post on the “operation” – Pastebin
• Watch out for Windows 10 related social engineering scams – Tech Radar
• Windows 10 spies on you unless you Opt-Out
  • How Win10 monitors you – BGR
  • Wired details Win10 security privacy settings – Wired
  • Win10 privacy tips – BGR
• Attackers exploiting the Mac DYLD vulnerability in the wild – Fox News
• Def Con is cancelled again(regular joke) – Motherboard
• ICANN was breached again – Motherboard
• A “Fed” does a Def Con talk right – Motherboard
• Rolljam plays back codes to hack keyless entry systems – BGR
• ApplePay is more security than US Chip & Pin? – PCMag
• WiFi Sense makes no sense! – CNet
• Hackers pull of real Oceans 11 heist at Def Con – Gizmodo
• The gas pump honeypots – Motherboard
• Pentagon email hacked (again) allegedly by Russia – The Register
• Zeus author associated with Russian nation state actors – Forbes
• Faceplant: An Electronic skateboard hack – Time
• How a popular author dealt with his hijacked account – Ars Technica
• Quick news video on DEF CON – NBC News
• Patch for serious Android flaw now sufficient – Ars Technica
• More news of foreign nation-states hacking UK gov email – The Guardian
• The Hacking Team was using the old iOS Masque attack – Silicon Republic
• Attacker’s hacked early press releases to get a leg up on trades – BGR
• ATM skimmers get smaller and stealthier – Tech Crunch
• Black Hat founder thinks vendor liability for flaws is inevitable – Threat Post
• Oracle’s CSO tell white hat’s that vulnerability research breaks EULA – Mashable
  • Archived copy of the offending post – Archive.org
• Researchers turn Square into CC skimmer – Mashable
• Blackhat researcher pokes at GPS satellites – Time
• CISA/CISPA keeps coming back, and getting tweaked – The Guardian
• Researchers awarded for finding a new class of vulnerability in browsers – Phys.org
• A pen-testing drone previewed at DEF CON – PDDNet
• Using sound for two-factor auth – Wired
• Hacker steals $46M from Ubiquiti – Krebs on Security
• ProxyHAM: DEF CON hackers extend WiFi via radio proxies – TechHive
• Researchers turn a computer into a cellular antenna to leak info – Computer World
• Kaspersky accused of faking malware to weaken competitors – Reuters
• Lenovo is still using tricks to install bloatware – Ars Technica
• Stock hacker ring busted for insider trading – Reuters
• Highlights article for DEF CON 23 – Wired
• Malicious Ads on Weather.com – Ars Technica
• The Android Stagefright patch doesn’t work – Ars Technica
• Android vulnerabilities could leak fingerprints – Ars Technica

— Corey Nachreiner, CISSP (@SecAdept)

Piles of August Patches – Daily Security Byte EP.124

While there’s lots of interesting security stories I could share today, one of the most practical infosec actions you can take is to keep your software patched. Yesterday was Microsoft and Adobe patch day, and Mozilla also recently released a pretty important Firefox update. Watch the video to learn about these important fixes, and more importantly, follow the links below to learn how to apply the relevant updates.

UPDATE: On Thursday, Apple released a hand full of security advisories and updates as well, fixing flaws in iOS, OS X, and Safari. This wasn’t covered in the video, but check the links below for more info on those updates.

(Episode Runtime: 2:25)

Direct YouTube Link: https://www.youtube.com/watch?v=yZ6A09t5oWA

EPISODE REFERENCES:

• Microsoft Patch Day Summary for August 2015 – Microsoft
• Adobe Flash security bulletin for August 2015 – Adobe
• Get the latest Firefox security update, it’s big  – US-CERT
• Apple’s security page, including August patches – Apples

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Black Tuesday: Windows, IE, Lync, and .NET Patches

As you may know, today was Microsoft Patch Day. If you manage a Windows-based network, it’s time to get the latest updates.

According to Microsoft’s summary post, the Redmond-based software company released four security bulletins fixing 41 vulnerabilities in many of their popular products. The affected software includes, Windows, Internet Explorer (IE), Lync Server, and the .NET Framework. Microsoft rates the IE update as Critical, and the rest as Important.

As you might guess from the severity ratings, the IE update is the most important. It fixes over 37 security flaws in the popular browser, many of which attackers could use in drive-by download attacks (where just visiting a web site results in malware on your computer). Furthermore, one of the fixes closes a zero day vulnerability that attackers have exploited in the wild. If you use IE, I recommend you apply its update as quickly as your can. You should also install the other updates as well, however, their mitigating factors lessen their risk, so you can install them at your convenience.

In summary, if you use any of the affected products, download, test, and deploy these updates as quickly as you can or let Windows’ Automatic Update do it for you. For the server related updates, I highly recommend you test them before installing them on production servers, as Microsoft has released a few problem causing updates recently. You can find more information about these bulletins and updates in Microsoft’s September Summary advisory.

Also note today is Adobe’s Patch Day as well, and they released one security update fixing 12 vulnerabilities in Flash Player. If you use Flash, you should update it quickly. Adobe also pre-announced a Reader update earlier this month. However, it appears they have had to delay the update for some reason.

I’ll share more details about today’s patches on the blog throughout the day. However, I am traveling internationally, so the updates may not arrive as regularly as usual. If you are in a hurry to patch, I recommend you visit the links above, and start now.  — Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Seven Security Bulletins Include a Huge IE Update

If there is one day of the month you should really focus on software patching, this is the day. The second Tuesday of the month is both Microsoft and Adobe patch day. If you run a Windows shop, or you use Adobe products on any platform, it’s time for you to get patching!

As they promised, Microsoft released seven bulletins today to fix a wide range of security vulnerabilities in a number of their products, including:

• Windows and its components,
• Office (Word),
• Internet Explorer (IE),
• and Lync Server.

Microsoft rates two of the bulletins as Critical.

The big news here is the major Internet Explorer (IE) update. Not only does it fix a zero day vulnerability I discussed a few weeks ago, but it corrects a whooping total of 59 security flaws in the popular web browser. If you have Windows computers in your network, you need to patch IE immediately. The second Critical update fixes a Windows graphics component (GDI+) flaw, which attackers can leverage simply by tricking your users into viewing maliciously crafted images.

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can or you can also let Windows’ Automatic Update do it for you. You can find more information about these bulletins and updates in Microsoft’s June Summary advisory.

Adobe’s Patch Day, on the other hand, seems a bit lighter than Microsoft’s. They only released one security update fixing six security flaws in Flash Player. That said, the update fixes some pretty serious vulnerabilities that attackers could exploit just by enticing you to the wrong web site. Be sure to update Flash as well.

I’ll share more details about today’s patches on the blog throughout the day, so stay tuned.  — Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Patches for IE, Sharepoint, Office, and Windows

Calling all Microsoft administrators! It’s Microsoft Patch Day, and their security updates are available for download.

You know the drill by now. As they do every second Tuesday of the month, Microsoft has released May’s important security updates. You can find this month’s Patch Day highlights in Microsoft’s summary post, but here’s what you really need to know:

• Microsoft released eight bulletins, two rated Critical and the rest Important.
• The affected products include
  • Windows
  • Office
  • Internet Explorer (IE)
  • and Sharepoint Server.
• Attackers are apparently exploiting some of the Windows and IE vulnerabilities in the wild already, in what Microsoft calls “limited, targeted attacks.
• As expected, Windows XP users aren’t getting patches this month (or from hereafter).

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can. You can also let Windows’ Automatic Update do it for you. While I don’t recommend Automatic Update on servers (due to potential patch bugs), I do think you should enable it on your clients computers. As always, concentrate on installing the Critical updates as soon as you can (especially the IE one this month), and handle the others later.

I’ll share more details about today’s patches on the blog throughout the day, though these posts may be slightly delayed due to my participation in WatchGuard’s US Partner Summit.  — Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Word 0day Fix & More

Microsoft’s monthly Patch Day went live earlier today. As expected they released four security bulletins, fixing flaws in Windows, Internet Explorer (IE), and Office. Microsoft rates two of the bulletins as critical, one that fixes Word vulnerabilities (including a zero day one I warned about earlier) and another that fixes IE flaws.

If you use the affected Microsoft products, you should apply these patches as soon as you can. I’d apply the updates in the order Microsoft recommends; the Word update first, the IE one second, and the Windows and Publisher updates last.

In any case, I’ll share more details about today’s Patch Day bulletins on the blog throughout the day.  However, I am currently traveling in Asia, so my blog posts may be late due to timezone issues and travel. So I recommend you check out the April bulletin summary in the meantime, if you’d like an early peek. Also, keep in mind that Adobe released a Flash update today as well. — Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Patch IE Zero Day & Windows Vulnerabilities

Microsoft’s March Patch Day is live, and looks to be by the numbers. As expected, they released five bulletins, including one that contains a fix for a zero day vulnerability in Internet Explorer. Their Patch Day summary highlights five security bulletins that fix 23 vulnerabilities in various Microsoft products, including Internet Explorer (IE), Windows and its various components, such as Silverlight. They rate two of these bulletins as Critical, and the rest as Important.

As I mentioned in my notification post, the most important update this month is the IE cumulative patch. Besides fixing 23 memory corruption flaws, many of which attackers could exploit to execute code, one specifically fixes a critical zero day flaw which attackers have been leveraging in watering hole attacks. Though Microsoft released a Fix-it for this vulnerability a few weeks ago, this update completely corrects the underlying issue. Make sure to install the IE update on all your clients as soon as possible. Hopefully, you already have Automatic Updates set to do it for you. Of course, you should also install the Windows updates too, especially the DirectShow one. If an attacker can trick one of your users into viewing a malicious JPEG image, he could exploit it to gain control of that user’s computer, with their privileges. You don’t want that.

While we are talking about Windows updates, let me take this time to continue to remind you that these updates are among the last that Windows XP will receive. XP users will likely see a few more updates next month, but after than it goes End-of-Life. Hopefully, most of you are saying, “Why do I care? I’ve been using Windows 7 or above for years.” But for the stragglers out there, you might want to consider upgrading to a more recent version of Windows. While I don’t want to come off as promoting Microsofts “upgrade” sales message, I do believe XP will likely pose more risk once the official updates stop. It seems very likely that some cyber attacker (or nation-state groups) out there are sitting on a zero day XP exploit or two; saving them until after Microsoft’s fixes run out. You might want to get away from XP before that happens.

In any case, I’ll share more details about today’s Patch Day bulletins on the blog throughout the day. Meanwhile, check out the March  bulletin summary now, if you’d like an early peek. — Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: IE Fix Leads the List of Critical Updates

Today’s Microsoft Patch Day will probably be a bit busier than expected. It looks like Microsoft called a last minute audible, releasing seven security bulletins rather than the five I mention in last week’s security video. The good news is this last minute play change might help your security team win the game by providing your users with a more protected web browser.

Microsoft Patch Day: Feb, 2014

February’s Patch Day summary highlights seven security bulletins that fix 32 vulnerabilities in various Microsoft products, including Internet Explorer (IE), Windows and its various components, and Forefront Protection for Exchange. They rate four of these bulletins as Critical, and the rest as Important.

This month, the most important updates are probably the most unexpected ones. Microsoft’s original advisory suggested they planned on releasing updates for Windows and one of their security products (which we now know is Forefront Protection), but they had not mentioned the IE or VBScript updates they released today. However, both these unexpected updates make great additions to this month’s Patch Day. The IE cumulative patch fixes 24 serious vulnerabilities, including one disclosed publicly; many of which attackers can leverage to execute code in drive-by download attacks. Though Microsoft hasn’t seen anyone exploiting these flaws in the wild yet, I expect attackers will surely reverse this update and start exploiting these flaws soon. The VBscript update is no slouch either, as it too fixes a code execution flaw. If bad guys can entice you to a web page with malicious code, they can use these flaws to”pwn” your computer.

Of course, you shouldn’t ignore the expected updates either. Two of them—the critical flaws in Direct2D and Forefront Protection for Exchange—also allow remote attackers to execute code on your systems. In short if you are a Microsoft administrator, you should apply today’s critical updates as soon as you can, and take care of the Important while you’re at it. In general, I recommend you test Microsoft updates before deploying them throughout your production network, especially server related updates that affect critical production servers. This is probably especially this month, for the two surprise updates. Since the IE and VBScript updates came out a bit earlier than expected, they may not have gone through as rigorous a QA process as usual. You might want to give them a whirl on non-production machines, or your virtual testing environment before sharing them with your users.

For more details on today’s Patch Day, check out the February bulletin summary now, or wait for our detailed, consolidated alerts which I’ll post on the blog through the day. — Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Install the IE Update First

If you follow the blog, you’re surely aware that today’s Microsoft Patch Day; and it’s an especially important one. Though it doesn’t set any records, Microsoft has released an update to fix a fairly significant, zero day Internet Explorer (IE) vulnerability, which many attackers have exploited in the wild for the past few weeks. If you can only apply one patch today, I recommend the IE one.

In their summary post, Microsoft shares details about eight security bulletins that fix 27 vulnerabilities in many of their popular products. They rate half the bulletins as Critical, and the other half as Important. Here’s the breakdown of affected products:

• Internet Explorer (IE) [10 issues fixed]
• Windows and its components [12 issues fixed]
• Office products [5 issues fixed]
  • SharePoint Server
  • Word
  • Excel

If you use any of these products, you should update as soon as possible. As mentioned earlier, I recommend you install the IE update first; and try to get to it as quickly as you can. Though Microsoft previously released a FixIt for this issue (which I hope you’re running), it’s better to be safe than sorry. That said, don’t discount the other Critical updates. In general, I recommend you download, test and deploy all of Microsofts patches as soon as you can. For more details on today’s Patch Day, check out the October bulletin summary, or wait for our detailed alerts.

On the subject of patching, today is also Adobe patch day too. They’ve released updates to fix Reader, Acrobat, and Robohelp. I’d also recommend you install those updates (the Reader one likely affects most people) as soon as you can. You can learn more about Adobe’s updates on their security page, but I’ll release an alert about them later today.

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day.  — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day Fixes 0day and Warning for Adobe Users

Download, test, patch, and repeat. That should be the mantra for Microsoft administrators every month.

By now, you’re likely quite used to Microsoft’s regular monthly patch cycle, so you’re already expecting next week’s updates. However, this month’s updates are especially important, since one fixes a fairly prevalent zero day flaw that attackers are exploiting in the wild. According to their advanced notification, Microsoft plans on releasing eight security bulletins next Tuesday to fix vulnerabilities in Windows, Internet Explorer (IE), Office, and the .NET and SilverLight frameworks. They rate half the bulletins as Critical, and the other half as Important.

This would all sound like business as usually for Microsoft Patch Day, except that one of the Critical updates fixes the very serious zero day IE flaw, which I warned you about a few weeks ago. Since that initial warning, more and more attackers have started exploiting this vulnerability. Worse yet, researchers have released a Metasploit exploit for the flaw, which means anyone can try it out. I expect every smart network attacker to start incorporating this flaw into their exploit kits, if they haven’t already. You should get this IE update as soon as it’s available next week.

Also, don’t forget that Adobe now shares Microsoft’s Patch Tuesday, and they too will release updates next week. According to a pre-notification post, they plan on releasing an Adobe Reader and Acrobat update on the 8th.

While I’m talking about Adobe, if you’re an Adobe customer, it’s time to change your user credentials on their site. Today, Adobe released an important announcement informing their customers that their network has been breached. Attackers made off with 2.9 million customer records, including email addresses and encrypted credit card numbers. They plan on emailing affected customers, so be sure to change your password if you get this email. As an aside, the attackers also seem to have acquired some Adobe source code. For more information on this attack, I recommend you read Brian Krebs’ blog post.

So to summarize:

• Microsoft administrators should get ready for next Tuesday’s important Patch Day. Install the IE update first,
• If you use Adobe product, get ready for the Reader updates too,
• And if you have credentials on Adobe’s site, change them immediately.

I’ll share more details about all these updates next Tuesday. So stay tuned. — Corey Nachreiner, CISSP (@SecAdept)