Apple’s May Updates – Daily Security Byte EP. 263

It time to update your OS X software before hackers take a bite out of your Apple. This week, Apple released five software updates fixing security flaws in many of their most popular operating systems and products. Watch the “traveling edition” of my Daily Security Byte for the details. 

(Episode Runtime: 1:33)

Direct YouTube Link: https://www.youtube.com/watch?v=dRI7-CxTtRw

EPISODE REFERENCES:

• Apple security alert summary page – Apple

— Corey Nachreiner, CISSP (@SecAdept)

FBI Delays Apple Case – Daily Security Byte EP. 237

The FBI vs Apple court hearing was supposed to start Tuesday, but the FBI delayed it. What happened? Watch my daily video to find out and to learn what I think this means to the case.

(Episode Runtime: 4:52)

Direct YouTube Link: https://www.youtube.com/watch?v=L0hVttpqeB0

EPISODE REFERENCES:

• FBI delays the Apple hearing – The Verge
• FBI thinks it might be able to unlock terrorist’s phone – LA Times

— Corey Nachreiner, CISSP (@SecAdept)

Apple Patches iMessage and More – Daily Security Byte EP. 236

Today, Apple released security updates for all their operating systems, Safari, and Xcode. The updates fix many vulnerabilities, including a number of remote code execution flaws, and some cryptography issues with iMessage. Watch today’s video to learn more, and be sure to download the updates if you use Apple software.

(Episode Runtime: 2:29)

Direct YouTube Link: https://www.youtube.com/watch?v=ZdrxbfygTrk

EPISODE REFERENCES:

• Apple’s security page with links to all today’s advisories – Apple
• Apple’s updates fix remote code execution flaws – The Register
• John Hopkins researcher’s paper on the iMessage flaws – JHU.edu

— Corey Nachreiner, CISSP (@SecAdept)

Apple vs.The FBI – Daily Security Byte EP. 218

This week, Apple’s CEO, Tim Cook, posted a public letter to his customers explaining why Apple intends to fight a court order demanding that they help crack the security of a dead terrorist’s iPhone. Hearing this, you might think, “I don’t use Apple stuff, so I don’t care,” or “this doesn’t affect me and I want them to catch terrorists.” The problem is, this issue could set a precedent that will affect all of us. Watch today’s Byte to learn more about this issue and why it could affect you, and check out the references below—especially Cook’s Letter—for more details.

Show Note: Unfortunately, this episode is posting a few days late, and I missed a day of the Daily Byte. Technical issues forced me to re-shoot the content. 

(Episode Runtime: 8:01)

Direct YouTube Link: https://www.youtube.com/watch?v=IIVHl-tO0BQ

EPISODE REFERENCES:

• Tim Cook’s letter to customers on FBI order – Apple
• FBI uses old law to force Apple to weaken security – Slate
• The actual U.S. court order to Apple [PDF] – Document Cloud
• Editorial debate on FBI or Apple – Bloomberg View
• What is the All Writs Act? – Daily Dot
• How U.S. lawmakers are reacting to the issue – Techdirt
• Well-known hacker’s technical view on this case – Fox News
• Other tech companies back Apple – ZDNet
• Blocking encryption products will not prevent terrorists from using others – Schneier.com
• UPDATE: LA Congressman’s response to the Apple issue (hear, hear!) – House.gov
• UPDATE: Screw up prevents a cloud backup retrieval wo/backdoor –  Gizmodo
• FUN: Eccentric McAfee claims FBI doesn’t need Apple, he can crack the iPhone – Uber Gizmo

— Corey Nachreiner, CISSP (@SecAdept)

Oracle & Apple Patches – Daily Security Byte EP. 206

Another week, another pile of patches. If you use Apple or Oracle products, it’s time to download the latest updates to keep your computers and servers safe. Watch today’s video for a quick summary of the affected products and issue, and check the link below to learn more.

(Episode Runtime: 2:18)

Direct YouTube Link: https://www.youtube.com/watch?v=NT5OqG8VG9k

EPISODE REFERENCES:

• Summary of Apple security updates – Apple
• Summary of Oracle’s January CPU – Oracle

— Corey Nachreiner, CISSP (@SecAdept)

IT Pros Get Patches for Xmas? – Daily Security Byte EP. 188

It’s hard to call today, “Microsoft Patch Day,” when both Adobe and Apple piled on with tons of security fixes of their own. Microsoft released a dozen security bulletins today, eight rated Critical; Adobe released a Flash update fixing 78 vulnerabilities; and Apple released fixes for all their OSes and a few other products. If you use software from any of those three vendors, watch today’s episode to learn what to do, and check out the references below for more details on the updates.

(Episode Runtime: 2:54)

Direct YouTube Link: https://www.youtube.com/watch?v=6Of-SSZ7gtc

EPISODE REFERENCES:

• Microsoft’s security bulletin summary for  December 2015 – Microsoft
• Microsoft added three new security advisories this month – Microsoft
• Great blog post summarizing Microsoft Patch Day – gHacks.net
• Adobe Flash security bulletin for December 2015 – Adobe
• Apple’s security summary page with links to alerts – Apple

— Corey Nachreiner, CISSP (@SecAdept)

iOS Bounties, Android Auto-root, and Guy Fawkes Day – WSWiR Episode 168

Nowadays, each week has more information security news that we used to have each month. If you find yourself falling behind, and need a shortcut to stay informed, this is the weekly video for you. Every Monday, I summarize our daily security video from last week.

Today’s episode covers a new Android malware variant, an iOS zero day that’s bad for the industry, a couple hacktivism campaigns, and more. Watch the YouTube video for all the details, and check out the references below to learn more.

(Episode Runtime: 13:13)

Direct YouTube Link: https://www.youtube.com/watch?v=z7Xgnd8CHQ8

EPISODE REFERENCES:

• Monday: 000Webhost has 000 Security – Daily Security Byte EP. 169
  • 13M+ password leaked from popular web hosting company – Forbes
  • Original blog disclosing the 000webhost breach – Troy Hunt
  • 000Webhost’s breach due to outdated PHP – Computer Weekly
• Tuesday: Claimed iOS Bounty is Bad News – Daily Security Byte EP. 170
  • Vulnerability researchers claim a $1M iOS 9.1 hack bounty – Motherboard
  • iOS bounty claimed, but Apple won’t be informed – Wired
  • The original iOS 9 hack bounty – Zerodium
• Wednesday: vBulletin Breach and 0day – Daily Security Byte EP. 171
  • vBulletin’s site and forum software hacked – Ars Technica
  • vBulletin asks users to reset password – vBulletin
  • vBulletin released patch for forum software – vBulletin
  • Researcher discloses his vBulletin RCE vuln – Twitter
    • His actual Pastie disclosure – Pastie
  • Hacker claims responsibility for breach – The Admin Zone
  • Coldzer0 attempts to sell vBulletin 0day – oday.today
  • Video demonstrating the vBulletin exploit –  YouTube
• Thursday: Auto-rooting Android Malware – Daily Security Byte EP. 172
  • Three Android malware families quietly roots phones and digs in – Ars Technica
  • Researcher’s blog post describing these new Android threats – Lookout
• Friday: Guy Fawkes Day Hacktivism – Daily Security Byte EP. 173
  • Anonymous Doxxes 1000 alleged KKK members as part of #OpKKK – ZDNet
  • Anonymous threatens #OpKKK on Nov. 5th: Epic fail – USA Today
  • CWA doxxed more government employees – Motherboard
  • CIA Director hackers break into arrest database – Wired
  • Information about Guy Fawkes night – Wikipedia

EXTRAS:

• 11yr old girl will give you a secure password for $2 – The Telegraph
• CISA passes the Senate despite privacy issues – Wired
• Big tech companies don’t like CISA either – CNN
• EFF unveils vulnerabilities in automatic license plate readers – EFF
• Can humanity build a computer security AI? – TechCrunch
• BGP is still a security risk (nothing new here) – SC Magazine
• Nice article on man-in-the-middle attacks – Network World
• Millions of passwords leaked from a free web hoster – Forbes
• Lots of issues with SSL certificate revocation systems – Phys
  • Google warns Symantec to clean up certificates – Ars Technica
• More browser vulnerabilities allow for zombie cookies –  Ars Technica
• Duuzer trojan seems to target South Korean manufacturing industry – Computer World
• Strengthen your security with passive DNS – Network World
• It’s ok to hack stuff you own for research – Wired
• NSA director says state sponsored attacks increasing – Time
• Tennis star recommends affirmations as passwords – Wired
• Chipped cards get hacked too – Network World
• DARPA keeping an eye on security researchers – Motherboard
• A third of stolen cars in France were hacked – Telegraph
• UK to ban strong encryption on social sites – The Telegraph
• No three arrested in association with the TalkTalk hack – Dark Reading
• Citrix patches some serious (and old) Xen vulnerabilities – The Register
• Researchers collect the $1M iPhone root vulnerability bounty – Forbes
• Zerodium to pay a $1M iOS hack bounty – Motherboard
• Apple doesn’t approve security conference app because of hacking talks – The Register
• Fascinating piece on ex-employees of The Hacking Team – Motherboard
• Will ransomware threaten to disclose your files publicly? – Tripwire Blog
• DMCA exemptions allow hacking for security research – SC Magazine
• British Gas data breach affects 2200 customers – IBTimes
• UK national arrested in association with DroidJack – BBC
• Cyber criminals suck at information security too – The Register
• CCTV (or Linux) botnet DDoSes victims – Incapsala
• Anti-adblocker CDN hijacked and served malicious fake Flash update – The Register
• KeeFarce targets popular password manager – Ars Technica
• Latest Android update fixes 23 vulns including another “Stagefright” – Forbes
• Researchers find new Windows flaw that bypasses EMET – Threatpost
• Cryptowall’s revenue may go to one criminal group – PC World
• Backdoor found in Chinese iOS ad SDK – Threatpost
• UK government wants to increase surveillance – The Intercept
• Tinba still spreading, and targeting Japanese and Russian banks – Threatpost
• FBI is budging a bit on back doors. Servants to the people – Ars Technica
• Longest DDoS attack lasted 320 hours – IT Pro
• Signing malware with valid certs has become an underground service – The Register
• XcodeGhost still lurking, this time on US Appstore – Dark Reading
• Google’s project Zero found 11 vulnerabilities in latest Samsung phone – The Inquirer
• White House reveals the Cybersecurity Strategy Implementation Plan (CSIP) – WhiteHouse.gov
• U.S. Officials targeted by cyber attacks after Iranian hacker’s arrest – Reuters
• Hackers pull heist on a heist video game over microtransactions – Motherboard
• Details surface about two older gambling payment processor breaches – Forbes
• Like the NSA, MI5 uses hacking for investigations – Motherboard
• 14yr old Japanese boy arrested for having the Zeus trojan (video) – NBC News
• Apparently, CIA Director’s email hackers are targeting others – Motherboard
• Good article asking if we learned from Stuxnet – Dark Reading
• Proton email suffers DDoS and pays extortionists $6000 in bitcoin – Forbes
• A look at the person modeled for the CSI:Cyber character – Telegraph
• Finfisher government spyware company still alive and well – Motherboard

— Corey Nachreiner, CISSP (@SecAdept)

Claimed iOS Bounty is Bad News – Daily Security Byte EP. 170

Some happy researchers apparently claimed a one million dollar bounty by finding a remote root jailbreak vulnerability in iOS 9. Yet, as exciting as that might sound, it’s bad news for Apple users because the bounty was offered by a company that doesn’t plan to disclose the flaw to Apple. Watch today’s video to learn more about this news, and why I think companies like Zerodium are bad for security.

(Episode Runtime: 2:35)

Direct YouTube Link: https://www.youtube.com/watch?v=ILF_lR3TsIc

EPISODE REFERENCES:

• Vulnerability researchers claim a $1M iOS 9.1 hack bounty – Motherboard
• iOS bounty claimed, but Apple won’t be informed – Wired
• The original iOS 9 hack bounty – Zerodium

— Corey Nachreiner, CISSP (@SecAdept)

Apple’s October Updates – Daily Security Byte EP. 164

 

Are you an Apple fan, or do you at least use Safari or iTunes for Windows? If so, yesterday was Apple patch day. If you haven’t updated yet, watch today’s video to learn what you’re missing.

(Episode Runtime: 1:08)

Direct YouTube Link: https://www.youtube.com/watch?v=AMSg5eyRynI

EPISODE REFERENCES:

• Apple’s Security page with the latest October updates – Apple

— Corey Nachreiner, CISSP (@SecAdept)

YiSpecter iOS Malware – Daily Security Byte EP.154

Another piece of iOS malware is affecting Chinese and Taiwanese users. It works against non-jailbroken devices and uses Apple’s private APIs to hide its malicious activities. Watch today’s video to learn more about it, and what users should do to avoid it.

(Episode Runtime: 3:17)

Direct YouTube Link: https://www.youtube.com/watch?v=1lAUaPeiHCo

EPISODE REFERENCES:

• Detailed YiSpecter iOS malware blog post – Palo Alto Networks
• iOS malware targeting Chinese and Taiwanese users – Wired

— Corey Nachreiner, CISSP (@SecAdept)