Exciting Blog Changes Just Around the Corner

I am excited to announce the upcoming launch of our redesigned and refreshed blog.

Over the past six years, WatchGuard Security Center has provided IT professionals with breaking news and analysis about the most important information security (InfoSec) issues. Our mission has always been to distill the often complex topics of computer and network security into something any technical professional can understand and act on. Our newly redesigned blog, Secplicity, takes this mission to the next level.

Our team has worked hard to create a faster, easier to browse, and more useful blog for everyone interested in information security—based in part on your feedback. On top of the design changes, you’ll also enjoy more regular content, both written and video, from a more diverse group of authors and researchers. We also plan to cater our content to your questions and feedback.

The new site goes live in the next 48 hours. When it does, we’ll automatically redirect WatchGuardSecurityCenter.com visitors to the new Secplicity.org site. Your email, WordPress, and RSS subscriptions should continue to work, but in the event that you stop receiving updates please visit the blog and re-subscribe.

We’re looking forward to many more years of InfoSec community service, and hope you continue to visit us for the latest security news and analysis, simplified.

— Corey Nachreiner, CISSP (@SecAdept)

July 2016 Patch Day – Daily Security Byte EP. 289

It’s that time again. Patch Day! On the second Tuesday of the month, both Microsoft and Adobe release their security updates. This month, you should probably focus on Adobe’s updates first. If you use Adobe and Microsoft products, watch the video below to learn more, and check out the reference section to find links to the patches. 

(Episode Runtime: 3:16

Direct YouTube Link: https://www.youtube.com/watch?v=rsj41RqhyLs

EPISODE REFERENCES:

• Microsoft July Path Day summary – Microsoft
• Adobe’s security page with July’s bulletins – Adobe
• Good summary of Microsoft Patch Day – Ghacks

— Corey Nachreiner, CISSP (@SecAdept)

Password Sharing Illegal? – Daily Security Byte EP. 288

In general, security experts like me are against sharing passwords, even among family and friends. Sure, we can all think of cases where sharing passwords with family might be useful, but why not just setup privileged accounts for those family members?

However, today’s episode isn’t about whether or not password sharing is a risk, it’s about whether or not it’s even legal at all. A US appeals court made a ruling on a case recently, basing their decision on the Computer Fraud and Abuse Act (CFAA). The EFF thinks it’s a dangerous ruling, that would have a far-reaching affect on the legality of password sharing. Watch Monday’s video to learn what I think. 

(Episode Runtime: 4:46

Direct YouTube Link: https://www.youtube.com/watch?v=K1vpqFdTe7A

EPISODE REFERENCES:

• EFF against going to jail for sharing passwords – EFF
• Is sharing Netflix passwords a federal crime – Independent
• US court shares password sharing anxiety – BBC
• Wikipedia article on the case against David Nosal – Wikipedia

— Corey Nachreiner, CISSP (@SecAdept)

Backdoor in Pokemon Go – Daily Security Byte EP. 287

To keep Friday’s story fun, I covered an incident that involves both gaming and infosec. Attackers have already created a malicious version of the popular Pokemon Go app. If you’re an Android user trying to download Pokemon Go from non-official sources, this story is no joke. Watch below to learn more.

(Episode Runtime: 3:16

Direct YouTube Link: https://www.youtube.com/watch?v=Kt54wJ3gpsY

EPISODE REFERENCES:

• Research blog post describing the backdoored Pokemon Go app – Proofpoint
• Remote access tool found in Pokemon Go – Android Central

— Corey Nachreiner, CISSP (@SecAdept)

Fitbits Hack ATMs? – Daily Security Byte EP. 286

University researchers have shown how you can use the various tracking sensors in wearable devices to recover keypad passwords of their owners. Article headlines suggest attackers might user this to steal your bank PIN. Is this threat real, or science fiction? The answer is a mix of both. Watch below to learn more. 

(Episode Runtime: 5:12

Direct YouTube Link: https://www.youtube.com/watch?v=N4yiI52Pxy4

EPISODE REFERENCES:

• Your smart watch is recording your PIN – Wired
• Wearables give away your password – Science Daily
• ACM link to research paper [pay gate] – ACM.org

— Corey Nachreiner, CISSP (@SecAdept)

July Android Security Update – Daily Security Byte EP. 285

If you use Android devices, it’s time to update. Google released an Android update that fixes hundreds of vulnerabilities, including the Qualcomm chipset flaw that has been in the news lately. Watch today’s video to learn more, and update your Android device when you can. Also, check out Marc Laliberte’s post to learn about HummingBad, a prolific malware variant that’s affecting Android users.

(Episode Runtime: 1:55

Direct YouTube Link: https://www.youtube.com/watch?v=z4B7E8qfbFM

EPISODE REFERENCES:

• Big Google Android patch fixes 100 vulnerabilities – PCWorld
• Google’s July Android security update – Android.com
• Android Qualcomm flaw affects millions of devices – Threat Post
• Watch out for HummingBad android malware – WGSC

— Corey Nachreiner, CISSP (@SecAdept)

Eleanor Mac Backdoor – Daily Security Byte EP. 284

Many Mac users think they’re immune to malware, but unfortunately that’s untrue. Though Windows malware variants still greatly outweigh Apple ones, Mac malware is starting to appear more regularly. Today’s Byte video covers a new Mac trojan discovered by Bitdefender, and what you can do to avoid it. 

(Episode Runtime: 3:04

Direct YouTube Link: https://www.youtube.com/watch?v=6K4lU6bcQ_w

EPISODE REFERENCES:

• Research blog post about  Eleanor Mac OS X trojan – Bitdefender
• Technical paper on the Eleanor OS X Backdoor – Bitdefender

— Corey Nachreiner, CISSP (@SecAdept)

ThinkPwn: UEFI Vulnerability – Daily Security Byte EP. 283

The Unified Extensible Firmware Interface (UEFI) is the new type of firmware that replaces Basic Input/Output System (BIOS) firmware on PCs. Among other new features, UEFI supports security mechanisms like Secure Boot for Windows. Unfortunately, a researcher found a flaw in Lenovo’s UEFI that could allow attackers to bypass this mechanism. Watch the video to learn more. 

(Episode Runtime: 2:21

Direct YouTube Link: https://www.youtube.com/watch?v=jlXtXG8YdKM

EPISODE REFERENCES:

• News article on Lenovo firmware exploit – Network World
• Cr4sh’s blog post on Lenovo UEFI flaw – Cr4.sh
• ThinkPwn readme – Github
• ThinkPwn Pr00f-of-Concept exploit – Github
• Lenovo’s security advisory on firmware vulnerability – Lenovo

— Corey Nachreiner, CISSP (@SecAdept)

Critical Symantec AV Flaws – Daily Security Byte EP. 282

Tavis Ormanday, a well-known security engineer for Google, disclosed a number of critical vulnerabilities in some of Symantec’s endpoint security products. If you use Symantec or Norton’s antivirus (AV), watch the video below to learn how bad these flaws are, and where to find the updates. You can also stick around to hear what I think about vulnerabilities in security products in general. 

(Episode Runtime: 7:13

Direct YouTube Link: https://www.youtube.com/watch?v=gWr_U2iH7-E

EPISODE REFERENCES:

• Ormandy’s Project Zero Symantec disclosure – Google Project Zero
• Symantec’s advisory on the seven AV vulnerabilities – Symantec
• Project Zero discloses serious Symantec security flaws – Tech Target
• Google researcher slams Symantec’s security – Uber Gizmo
• Symantec woes exposes security gaps in AV – Wired

— Corey Nachreiner, CISSP (@SecAdept)

Fansmitter Hacks Air Gaps – Daily Security Byte EP. 281

Back-channel attacks, where attackers send information using unusual and hard to spot communication channels, are not new. However, I think they’re cool, if not a bit impractical. In this video, I cover the Fansmitter research from an Israeli University’s Cyber Security team. I don’t think this type of attack will affect you any time soon, but it’s still a fascinating idea. 

(Episode Runtime: 4:14

Direct YouTube Link: https://www.youtube.com/watch?v=i62FCE0ydWA

EPISODE REFERENCES:

• Computer fans used to break an air gap – Wired
• Researchers’ whitepaper on the Fansmitter attack – Wired

— Corey Nachreiner, CISSP (@SecAdept)