Spotify Password PSA – Daily Security Byte EP. 253

Was Spotify hacked? No one seems to know for sure. However, we do know that some Spotify credentials have shown up on Pastebin, and accounts have gotten hijacked. Watch Tuesday’s Byte to learn more about it, and what you should do if you use Spotify.

(Episode Runtime: 2:06)

Direct YouTube Link: https://www.youtube.com/watch?v=Ad1f_lEkWnc

EPISODE REFERENCES:

• Spotify credentials turn up on Pastebin – TechCrunch

— Corey Nachreiner, CISSP (@SecAdept)

Whitehat Finds Blackhat on Facebook – Daily Security Byte EP. 252

Bug Bounty programs are great ways for companies to get security researchers to help find and fix vulnerabilities in their products or infrastructure, but no one expected them to also reveal hackers in your network. Watch today’s video to hear how one pen-tester found more than he bargained for when researching Facebook’s network.

(Episode Runtime: 3:38)

Direct YouTube Link: https://www.youtube.com/watch?v=8WruUtxLHko

EPISODE REFERENCES:

• Pen-tester’s Facebook bug bounty uncovers more than expected – devco.re
• Researcher finds hackers in Facebook’s network – The Guardian

— Corey Nachreiner, CISSP (@SecAdept)

Big Changes Ahead for this Blog – Your Feedback is Appreciated!

Over the past 6 years WatchGuard has been publishing breaking news and in-depth analysis on the most important network security issues on this blog.  Even before that, we shared security articles, podcasts, and various malware analysis videos with our LiveSecurity subscribers. This content has been well-received by our loyal audience, but we want to do even more to help our followers and the network security community.

To achieve this goal we have decided to completely redesign the blog. In fact, you probably already noticed a few small changes, including more content from new writers. However, our more strategic plan is to create a broader industry community and forum for all network security professionals. You can help us achieve this vision.

Your feedback is important to us, and will play a major role in the quality and direction of our blog redesign. If you’d like to make sure our new blog meets your needs, please fill out our survey below. It takes less than 5 minutes, and will ensure that we deliver content that serves you. Your input and time is very much appreciated. — Corey Nachreiner, CISSP (@SecAdept)

http://secure.watchguard.com/blog-redesign-survey

 

Hacking Team Breach Unveiled – Daily Security Byte EP. 250

Almost a year ago, an Italian security company called the Hacking Team suffered an embarrassing network breach. This week, the alleged attackers behind the hack detail exactly how they did it. Watch today’s Byte to see what you can learn from this particular attack.

(Episode Runtime: 5:02)

Direct YouTube Link: https://www.youtube.com/watch?v=p9yEvODyGZI

EPISODE REFERENCES:

• Antisec’s alleged e-zine describing the Hacking Team breach in detail – Pastebin
• Hackers tell all about the Hacking Team attack – Computer World
• Our original Byte on the Hacking Team breach – WatchGuard Blog

— Corey Nachreiner, CISSP (@SecAdept)

Staminus Hack – Daily Security Byte EP. 230

Thursday, a company that offers Distributed Denial of Service (DDoS) protection had their network go down, which affected the web sites of their customers. Turns out, a hacktivist group had breached their organization, and stolen a ton of data. Watch Friday’s Daily Security Byte to learn how you can avoid the mistakes that lead to the Staminus breach.

(Episode Runtime: 2:43)

Direct YouTube Link: https://www.youtube.com/watch?v=IVzdQ42SJWw

EPISODE REFERENCES:

• Brian Krebs covers the Staminus data breach – Krebs on Security
• FTA’s e-zine bragging about the hack – Hastebin
• KKK’s site affected by the Staminus hack – The Next Web
• Reddit post discussing the Staminus breach – Reddit

— Corey Nachreiner, CISSP (@SecAdept)

Vtech Update Proves SQLi – Daily Security Byte EP. 184

 

On Monday, I highlighted the Vtech breach. A hacker was able to steal millions of records from an online kid’s toy manufacturer, which including information about children. Over the past day, we’ve learned two new updates about this story. One increases the scope of the breach, and the other explains how it happened (Spoiler: my hunch was correct). Watch today’s for these updates, and to learn how to protect your web site from the flaw that allowed this attack.

Show note: This is Wednesday’s episode, but technical issues delayed my posting until today. 

(Episode Runtime: 3:23)

Direct YouTube Link: https://www.youtube.com/watch?v=BGngzbhBE-A

EPISODE REFERENCES:

• Vtech breach actually affects over 6.3M children – Motherboard
• Alleged Vtech hacker shares why and how he did it – Motherboard

— Corey Nachreiner, CISSP (@SecAdept)

Vtech Leaks Kids Data – Daily Security Byte EP. 182

What’s worse than the average data breach? A breach that involves our childrens’ private information!

In Monday’s episode, I talk about how a “greyhat” hacker stole over 190GBs of data from a company that makes an Internet-connected kid’s toy. Luckily, he doesn’t seem to plan on using the data with malicious intent. Nonetheless, it’s still an eye-opening hack. Watch the vlog to learn more about this attack, and why we all need to think about what types of data we share online.

Show note: This is Monday’s episode, but technical issues delayed my posting until today. 

(Episode Runtime: 2:50)

Direct YouTube Link: https://www.youtube.com/watch?v=WL3c_cXOZQA

EPISODE REFERENCES:

• Hacker steals children’s headshots from toy manufacturer – Motherboard
• Vtech’s official response to this data breach – Vtech

— Corey Nachreiner, CISSP (@SecAdept)

iOS Bounties, Android Auto-root, and Guy Fawkes Day – WSWiR Episode 168

Nowadays, each week has more information security news that we used to have each month. If you find yourself falling behind, and need a shortcut to stay informed, this is the weekly video for you. Every Monday, I summarize our daily security video from last week.

Today’s episode covers a new Android malware variant, an iOS zero day that’s bad for the industry, a couple hacktivism campaigns, and more. Watch the YouTube video for all the details, and check out the references below to learn more.

(Episode Runtime: 13:13)

Direct YouTube Link: https://www.youtube.com/watch?v=z7Xgnd8CHQ8

EPISODE REFERENCES:

• Monday: 000Webhost has 000 Security – Daily Security Byte EP. 169
  • 13M+ password leaked from popular web hosting company – Forbes
  • Original blog disclosing the 000webhost breach – Troy Hunt
  • 000Webhost’s breach due to outdated PHP – Computer Weekly
• Tuesday: Claimed iOS Bounty is Bad News – Daily Security Byte EP. 170
  • Vulnerability researchers claim a $1M iOS 9.1 hack bounty – Motherboard
  • iOS bounty claimed, but Apple won’t be informed – Wired
  • The original iOS 9 hack bounty – Zerodium
• Wednesday: vBulletin Breach and 0day – Daily Security Byte EP. 171
  • vBulletin’s site and forum software hacked – Ars Technica
  • vBulletin asks users to reset password – vBulletin
  • vBulletin released patch for forum software – vBulletin
  • Researcher discloses his vBulletin RCE vuln – Twitter
    • His actual Pastie disclosure – Pastie
  • Hacker claims responsibility for breach – The Admin Zone
  • Coldzer0 attempts to sell vBulletin 0day – oday.today
  • Video demonstrating the vBulletin exploit –  YouTube
• Thursday: Auto-rooting Android Malware – Daily Security Byte EP. 172
  • Three Android malware families quietly roots phones and digs in – Ars Technica
  • Researcher’s blog post describing these new Android threats – Lookout
• Friday: Guy Fawkes Day Hacktivism – Daily Security Byte EP. 173
  • Anonymous Doxxes 1000 alleged KKK members as part of #OpKKK – ZDNet
  • Anonymous threatens #OpKKK on Nov. 5th: Epic fail – USA Today
  • CWA doxxed more government employees – Motherboard
  • CIA Director hackers break into arrest database – Wired
  • Information about Guy Fawkes night – Wikipedia

EXTRAS:

• 11yr old girl will give you a secure password for $2 – The Telegraph
• CISA passes the Senate despite privacy issues – Wired
• Big tech companies don’t like CISA either – CNN
• EFF unveils vulnerabilities in automatic license plate readers – EFF
• Can humanity build a computer security AI? – TechCrunch
• BGP is still a security risk (nothing new here) – SC Magazine
• Nice article on man-in-the-middle attacks – Network World
• Millions of passwords leaked from a free web hoster – Forbes
• Lots of issues with SSL certificate revocation systems – Phys
  • Google warns Symantec to clean up certificates – Ars Technica
• More browser vulnerabilities allow for zombie cookies –  Ars Technica
• Duuzer trojan seems to target South Korean manufacturing industry – Computer World
• Strengthen your security with passive DNS – Network World
• It’s ok to hack stuff you own for research – Wired
• NSA director says state sponsored attacks increasing – Time
• Tennis star recommends affirmations as passwords – Wired
• Chipped cards get hacked too – Network World
• DARPA keeping an eye on security researchers – Motherboard
• A third of stolen cars in France were hacked – Telegraph
• UK to ban strong encryption on social sites – The Telegraph
• No three arrested in association with the TalkTalk hack – Dark Reading
• Citrix patches some serious (and old) Xen vulnerabilities – The Register
• Researchers collect the $1M iPhone root vulnerability bounty – Forbes
• Zerodium to pay a $1M iOS hack bounty – Motherboard
• Apple doesn’t approve security conference app because of hacking talks – The Register
• Fascinating piece on ex-employees of The Hacking Team – Motherboard
• Will ransomware threaten to disclose your files publicly? – Tripwire Blog
• DMCA exemptions allow hacking for security research – SC Magazine
• British Gas data breach affects 2200 customers – IBTimes
• UK national arrested in association with DroidJack – BBC
• Cyber criminals suck at information security too – The Register
• CCTV (or Linux) botnet DDoSes victims – Incapsala
• Anti-adblocker CDN hijacked and served malicious fake Flash update – The Register
• KeeFarce targets popular password manager – Ars Technica
• Latest Android update fixes 23 vulns including another “Stagefright” – Forbes
• Researchers find new Windows flaw that bypasses EMET – Threatpost
• Cryptowall’s revenue may go to one criminal group – PC World
• Backdoor found in Chinese iOS ad SDK – Threatpost
• UK government wants to increase surveillance – The Intercept
• Tinba still spreading, and targeting Japanese and Russian banks – Threatpost
• FBI is budging a bit on back doors. Servants to the people – Ars Technica
• Longest DDoS attack lasted 320 hours – IT Pro
• Signing malware with valid certs has become an underground service – The Register
• XcodeGhost still lurking, this time on US Appstore – Dark Reading
• Google’s project Zero found 11 vulnerabilities in latest Samsung phone – The Inquirer
• White House reveals the Cybersecurity Strategy Implementation Plan (CSIP) – WhiteHouse.gov
• U.S. Officials targeted by cyber attacks after Iranian hacker’s arrest – Reuters
• Hackers pull heist on a heist video game over microtransactions – Motherboard
• Details surface about two older gambling payment processor breaches – Forbes
• Like the NSA, MI5 uses hacking for investigations – Motherboard
• 14yr old Japanese boy arrested for having the Zeus trojan (video) – NBC News
• Apparently, CIA Director’s email hackers are targeting others – Motherboard
• Good article asking if we learned from Stuxnet – Dark Reading
• Proton email suffers DDoS and pays extortionists $6000 in bitcoin – Forbes
• A look at the person modeled for the CSI:Cyber character – Telegraph
• Finfisher government spyware company still alive and well – Motherboard

— Corey Nachreiner, CISSP (@SecAdept)

000Webhost has 000 Security – Daily Security Byte EP. 169

A popular hosting company suffered a network breach and lost over 13M user records. Not only did the company not know about the breach until five months later, the stolen records included clear text passwords. Watch today’s video to see what you can learn from this web hoster’s mistakes; of which they made many.

(Episode Runtime: 2:23)

Direct YouTube Link: https://www.youtube.com/watch?v=ILnyVCV3spA

EPISODE REFERENCES:

• 13M+ password leaked from popular web hosting company – Forbes
• Original blog disclosing the 000webhost breach – Troy Hunt
• 000Webhost’s breach due to outdated PHP – Computer Weekly

— Corey Nachreiner, CISSP (@SecAdept)

TalkTalk Hacked by Teenager? – Daily Security Byte EP. 166

Last week, TalkTalk’s suffered a data breach for the third time this year. It took awhile for the details to surface, but it looks like the attackers exploited a SQL injection flaw in TalkTalk’s website to steal 4M customers’ personally identifying information. Watch today’s information to learn the latest news about this breach, and what you should do if you’re a victim.

(Episode Runtime: 3:32)

Direct YouTube Link: https://www.youtube.com/watch?v=IQhwPq24khk

EPISODE REFERENCES:

• TalkTalk hit by a significant cyber breach – BBC
• Krebs coverage of the TalkTalk breach – Krebs on Security
• Mother says her identity was stolen from the breach – Huffington Post
• Stolen info used to help social engineer victims – ZDNet
• 15yr old arrested in connection with the Talk Talk breach – Motherboard

— Corey Nachreiner, CISSP (@SecAdept)