Oracle and Cisco Patches – Daily Security Byte EP. 251

In today’s quick Security Byte video, I cover the Oracle and Cisco patches that have come out over the past few days. If you use products from either company, watch the video for highlights, and check the links below.

(Episode Runtime: 2:20)

Direct YouTube Link: https://www.youtube.com/watch?v=uIc7UrapLus

EPISODE REFERENCES:

• Oracle CPU advisory for April 2016 – Oracle
• Cisco Security Advisory summary page – Cisco
• Article on Oracle Patch Day and  new CVSS – Network World
• Article on Cisco DDoS vulnerabilities – Computer World

— Corey Nachreiner, CISSP (@SecAdept)

Oracle & Apple Patches – Daily Security Byte EP. 206

Another week, another pile of patches. If you use Apple or Oracle products, it’s time to download the latest updates to keep your computers and servers safe. Watch today’s video for a quick summary of the affected products and issue, and check the link below to learn more.

(Episode Runtime: 2:18)

Direct YouTube Link: https://www.youtube.com/watch?v=NT5OqG8VG9k

EPISODE REFERENCES:

• Summary of Apple security updates – Apple
• Summary of Oracle’s January CPU – Oracle

— Corey Nachreiner, CISSP (@SecAdept)

PWNed CIA, hacked Fitbit, and Fake Chrome- WSWiR Episode 167

Are you feeling overwhelmed by your normal IT job, but wish you had time to keep up with information security (infosec)? No worries! Let our weekly security video fill you in. Every Monday, I quickly summarize the biggest network and information security stories from the previous week, so you can keep up with the latest threats.

Today’s episode includes a story about a teenager hacking the CIA Director’s email, a new Fitbit hack, a malicious Chrome lookalike, and lots of patches. Press play to learn more, and check the references for other stories.

(Episode Runtime: 13:27)

Direct YouTube Link: https://www.youtube.com/watch?v=aqb7WIjuv94

EPISODE REFERENCES:

• Monday: CIA Director’s Email Hacked – Daily Security Byte EP. 161
  • Teen claims to have hacker CIA Director’s AOL account – New York Post
  • CIA Director’s personal email had documents with SSN numbers – Motherboard
  • Hacker shares some emails with Wikileaks – Wikileaks
  • UPDATE: More details on how the 20yr old did it – Wired
  • UPDATE: Brennan’s hacker doesn’t want to go to jail – Motherboard
• Tuesday: Oracle CPU for Oct. 2015 – Daily Security Byte EP. 162
  • Oracle’s Critical Patch Update advisory for October 2015 – Oracle
  • Great blog post summarizing the most important details of Oracle’s CPU – Oracle
  • Oracle’s general security page – Oracle
• Wednesday: Malicious Chrome Look-alike – Daily Security Byte EP. 163
  • PC Risk’s write up on the  potentially malicious eFast browser – PC Risk
  • Malware Bytes analysis on eFast’s file and URL associations – Malware Bytes
  • Article on evil Chrome-browser look-alike – Network World
• Thursday: Apple’s October Updates – Daily Security Byte EP. 164
  • Apple’s Security page with the latest October updates – Apple
• Friday: Overstated Fitbit Hack – Daily Security Byte EP. 165
  • The 10 second Fitbit hack – The Register
  • Fitbit vulnerability allows trackers to spread malware – Darknet
  • The actual Fitbit presentation released on Wednesday [PDF] – Hack.lu
  • The Fitbit hack PoC video – YouTube
  • The research admits limitation on Twitter – Twitter
  • Fitbit denies that malware vector too – NBC

EXTRAS:

• You’re more likely to download something bad if you are multitasking – Phys.org
• Researchers hack and boil over iKettles – The Register
• Facebook will inform users of state sponsored hacking – BigThink
• Chinese attackers allegedly already break cyber pact – CBR Online
• HTTPS everywhere is a bit closer with free trusted certs – Lets Encrypt
• NSA Director’s three cyber security nightmares – Business Insider
• More threats and malware using the Dark Web to hide C&C – Motherboard
• Tim Cook says, “No!” to backdoors in Apple encryption – Ars Technica
• Apple identifies 256 apps collecting private data via ad SDK – Slashgear
• Anonymous DDoSes two Japanese airports for dolphin hunting – SC Magazine
• Sony’s settlement with employees for hack may reach $8M  – Reuters
• How to make threat intel work for you – Computer World
• Support scams starting to plague Mac users – Ars Technica
• Flaw in self-encrypting HDs allow attackers to see your data – Network World
• Hackers can “Dox” non-connected people too – NYTimes
• Vulnerability found in a particular 1password feature – Apple Insider
• A few companies join battle against US CISA bill – Information Week
• Attackers DDoS and extort e-retailers in UK – Channel Register
• Avoid fake Apple refund phishing scam – Digital Spy
• Shakespeare can help you with strong passwords – Slate
• Interesting research on us how we fall for cyber scams – Phys
• CISA is advancing in US Senate – Reuters
• Congress’ car hacking bill not going well – Motherboard
• Cyber criminals targeting security researchers – Computing
• LowLevel04: New ransomware spreads via RDP – Bleeping Computer
• Bad David Pogue article about car hacking – Scientific America
  • Response article about Pogues bad reporting – Wired
• Just for fun: Remember the old Half-Life 2 source code hack – Kotaku

— Corey Nachreiner, CISSP (@SecAdept)

Oracle CPU for Oct. 2015 – Daily Security Byte EP. 162

Oracle follows a quarterly patch cycle, and today they released their big Critical Patch Update (CPU) for October 2015. Since they only update four times a year, they tend to release tons of patches at once. Today’s update fixes 154 vulnerabilities in a wide selection of their products—from MySQL to the Siebel CRM. Most importantly, they also released a Java update. If you use Oracle products, watch today’s video to learn more about the scope and impact of today’s CPU.

(Episode Runtime: 2:00)

Direct YouTube Link: https://www.youtube.com/watch?v=o4sfU3uS_mw

EPISODE REFERENCES:

• Oracle’s Critical Patch Update advisory for October 2015 – Oracle
• Great blog post summarizing the most important details of Oracle’s CPU –Oracle
• Oracle’s general security page – Oracle

— Corey Nachreiner, CISSP (@SecAdept)

July Patch Avalanche – Daily Security Byte EP.114

This Patch Tuesday, Adobe and Oracle shared the spotlight with Microsoft, releasing updates for well over 200 vulnerabilities. Furthermore, the patches included fixes for flaws leaked during The Hacking Team fiasco. Watch today’s video for details, and be sure to update as soon as you can.

Show Note: Due to continued travel, there will likely be no video on Thursday, though I will return with one on Friday. I’ll probably skip the weekly video this time due to the light week.

(Episode Runtime: 2:21)

Direct YouTube Link: https://www.youtube.com/watch?v=aoLhMVu4zzI

EPISODE REFERENCES:

• Microsoft July Patch Day summary – Microsoft
  • A good Patch Tuesday summary – ZDNet
  • A few Microsoft Security Advisories – Microsoft
• • IE11 update fixes a Hacking Team 0day – Help Net Security
• Adobe’s security update summary – Adobe
• Oracle’s July CPU advisory – Oracle
  • A decent Oracle CPU summary – ZDNet

— Corey Nachreiner, CISSP (@SecAdept)

Patches, Patches Everywhere – Daily Security Byte EP.66

I thought I’d only have to cover Microsoft Patch Day today, but Adobe, Oracle, and Google also came along for the ride. Patching is one of the easiest and most practical ways you can improve your network’s security. Watch today’s video to learn of all the products you should update.

 

(Episode Runtime: 2:18)

Direct YouTube Link: https://www.youtube.com/watch?v=8mWnk6OKDl0

EPISODE REFERENCES:

• Consolidated alert covering Microsoft’s April Patch Day – WatchGuard Blog
• Adobe’s Patch Day
  • Flash security bulletin – Adobe
  • ColdFusion security bulletin – Adobe
  • Flex security bulletin – Adobe
• Oracle’s Critical Patch Update (CPU) for April – Oracle
• Google fixes dozens of Chrome vulnerabilities – ThreatPost

— Corey Nachreiner, CISSP (@SecAdept)

IE11 0day XSS Flaw – Daily Security Byte EP.17

Beware of phishers leveraging a new zero day Internet Explorer (IE) 11 flaw that affects the latest, fully-patched version of Windows. Click play for details.

(Episode Runtime: 1:35)

Direct YouTube Link: https://www.youtube.com/watch?v=AIKDoTGBaTU

EPISODE REFERENCES:

• New XSS vulnerability affects IE 11 running on Windows 8.1 – Computer World
• Full Disclosure post about the flaw – Seclists
• Follow up post on Full Disclosure – Seclists
• Proof-of-Concept exploit illustrating the issue – Packet Storm

— Corey Nachreiner, CISSP (@SecAdept)

Syrian Honey Trap – Daily Security Byte EP.16

Bad actors have always tried to lure us into doing things we shouldn’t by appealing to our base, carnal instincts. Today’s daily infosec video shares why you might want to avoid “hot girls” in general online.

(Episode Runtime: 1:38)

Direct YouTube Link: https://www.youtube.com/watch?v=TyivxEiCuKM

EPISODE REFERENCES:

• “Hot Girls” are still an effective lure, even among nation-state attackers – Gizmodo
• FireEye’s report on the Syrian “Hot Girl” attack campaign [PDF] – FireEye

— Corey Nachreiner, CISSP (@SecAdept)

Lots of 0day – WSWiR Episode 136

Every network admin I know is buried under a list of tasks, and has little time to spend learning about the latest information security news. If that sounds like you, check out our weekly news recap video.

This episode, from the third week of January, covers rumors the NSA hacked North Korea, a warning about attackers exploiting an zero day Flash flaw, Oracle’s quarterly critical patch day, and more. Watch the video for more details, and check out the References section below for all the links.

(Episode Runtime: 4:45)

Direct YouTube Link: https://www.youtube.com/watch?v=_4i6zGmXyRg

EPISODE REFERENCES:

• Daily Security Bytes:
  • Monday: NSA Hacks DPRK – Daily Security Byte EP.6
  • Tuesday: Oracle CPU Jan. 2015 – Daily Security Byte EP.7
  • Wednesday: Flash 0day – Daily Security Byte EP.8
  • Thursday: Barrett Brown Case – Daily Security Byte EP.9
  • Friday: Three OS X 0day – Daily Security Byte EP.10
• NSA allegedly hacked North Korea years ago
  • US had pwned North Korea networks long ago – Reuters
  • New York Times article on NSA tapping DPRK – NY Times
  • Snowden leaks share classified  source document – Der Spiegel
  • Robert Graham doesn’t believe this story – Errata Sec
• Oracle’s quarterly Critical Patch Update
  • Litchfield finds crazy Oracle eBusiness Suite vulnerability – Forbes 
  • Oracle Critical Patch Update fixes 169 flaws – Oracle
• Flash 0day leverage in the wild
  • Flash 0day exploited in the wild – Malware Don’t Need Coffee
  • Adobe already released a patch – Adobe
• Barrett Brown trial
  • Barrett Brown Sentenced to 63 months in prison – The Verge
  • Barrett Brown statement on “the rule of law enforcement” – The Guardian
  • Boing Boing on Barrett Brown’s Sentence – Boing Boing
• Project Zero outs three OS X vulnerabilities – CNET

EXTRAS:

• 1800 Minecraft passwords leaked; mostly German – Heise
• GCHQ and NSA have been snooping on journalists (as a “test”)  – The Guardian
• PolarSSL suffers a serious security vulnerability – Threatpost
• Krebs’ primer on various types of digital CC theft – KrebsonSecurity
• Vulnerabilities in VLC affect Windows XP users – Naked Security
• iStegSiri: Using Siri’s communications for Steganography – Security Week
• Linux malware still leveraging ShellShock – Malware Must Die
• Quick analysis of Cryptowall 3.0 traffic – SANS ISC Diary
• Apparently Obama supports backdoors in encryption – WSJ
• Unnamed sources say Sony hack involved 0day – Re/code
• Beyond Trust releases tester script for MS telnet issue – PasteBin
• Employees the weakest link. Perhaps we’ll take end user training serious now – Computing
• Malware hidden in official League of Legends installer (Asia) – Ars Technica
• Australian travel insurance company breached – ZDNet
• Snowden won’t use an iPhone due to paranoia – BGR
• POS Malware found at Texas WingStops – SC Magazine
• Ubuntu releases some security updates – ThreatPost
• Interesting stories around the Silk Road trial
  • Did Mt Gox owner set up Ulbicht? – Ars Technica
  • At least 20% of the defendant’s Bitcoin comes from Silk Road – Ars Technica
  • Ulbricht’s family was surprised by his involvement – Ars Technica
• Wired’s great article on some of Obama’s proposed “cyber” changes – Wired
• Lizard squad members arrested, and Stressor tool customers leaked – Digital Trends
• NSA hijacks criminal botnets to load their own malware – Computer World
• Healthcare.gov is sending your info to others – EFF
• A seven year old girls pulls of a WiFi MitM attack – Information Age
• Commentary on potential CFAA changes – TechDirt
• Negative commentary around Obama’s SOTU on cyber security – Gizmodo
• More plead guilty to Xbox IP stealing charges – Phys.org
• Twitter launches new two-factor authentication option – The Verge
• TOOL: Privacy Badger extension from EFF – EFF
• TOOL: Nice article on using PEStudio to unveil potential malware – BetaNews

— Corey Nachreiner, CISSP (@SecAdept)

Evil Tor Exit Node – WSWiR Episode 127

Security FUD, Black Energy, and Tor Terror

Happy Halloween!

The Internet “threatscape” has changed drastically over the past few years, with many more cyber security incidents each year and tons of information security (infosec) news in the headlines. Can you keep up? If not, maybe my weekly infosec video will help.

In today’s quick update, I rant a bit about infosec misinformation, share the latest on the Black Energy ICS attack campaign, and talk about an Evil Tor exit node that dynamically adds malware to downloads. Press play for the scoop, and enjoy your spooky Halloween weekend.

(Episode Runtime: 10:44)

Direct YouTube Link: https://www.youtube.com/watch?v=HjejYd_9Oik

Episode References:

• Russian cyber campaign to steal military secrets (just Sandworm again) – ZDNet
  • APT28 is just more about Sandworm – FireEye
• FBI publishes fake Seattle Times story online to nab criminal with spyware – Ars Technica
  • Outrage over fake Seattle Times story is an overreaction (story overstated) – Geekwire
• US-CERT warns of Black Energy ICS/SCADA attack and malware – US-CERT
• Tor exit node is actively injecting binaries with malware – Threatpost
  • Researcher’s blog post on the malicious Tor exit node – Leviathan Security

Extras:

• Samsung Android’s suffer from CSRF vulnerability with DoS impact – The Register
• Proof-of-Concept video of the Samsung Android flaw – YouTube
• American’s are more afraid of hacking than any other crime (Gallup poll) – Forbes
• Data breaches in 2013 have put over half of California’s PII at risk – Reuters
• Targeted Attacks are on the Rise – SFGate
• MPAA wants you to know pirated stuff may contain malware (and they are right!) – Ars Technica
• Researcher finds vulnerability in “Strings” that could affect security researchers – Computer World
  • Researcher’s blog post on the “Strings” vulnerability – Lcamtuf’s blog
• Beware of more Ebola themed malware emails – SC Magazine
• Hacker’s (allegedly Russian) breach Whitehouse network – Silicon Republic
• CurrentC (and ApplyPay and Google Wallet competitor) was hacked; emails leaked – CNN
  • Unrelated article on the data CurrentC collects – Imore
• 61% of security experts expect a majorly damaging cyber attack by 2025 – Phys.org
• Botnet is trying to exploit Shellshock over SMTP (email) – SANS ISC Diary
• Microsoft warns about Crowti ransomware (another name for Cryptowall?) – Threatpost
• NSA director says companies shouldn’t strike (hack) back – Government Executive
• Piratebay co-founder convicted of Blackhat hacking – Ars Technica
• Underground crimeware-as-a-service tools promise to better leverage stolen credit cards – The Register
• Dyreza trojan continues to evolve – Threatpost
• Coalition of security firms helps clean infections from state-sponsered (Axiom group) malware – Novetta
• Malware leverages Gmail drafts for a super stealthy C&C channel – BGR
• Remember that Drupal flaw? It’s still affecting web sites – v3.co.uk
• Samsung’s Fort Knox Android encryption stores password in clear – Threatpost
• More hacked and stolen Bitcoin? – The Guardian
• Don’t let the government take away citizen’s right to crypto – The Guardian
• US police can force you to unlock a phone with your fingerprint (but not get your password) – ZDNet
• Are you afraid of your Smart TV (maybe you should be) – Brennan Center

— Corey Nachreiner, CISSP (@SecAdept)