Apple’s May Updates – Daily Security Byte EP. 263

It time to update your OS X software before hackers take a bite out of your Apple. This week, Apple released five software updates fixing security flaws in many of their most popular operating systems and products. Watch the “traveling edition” of my Daily Security Byte for the details. 

(Episode Runtime: 1:33)

Direct YouTube Link: https://www.youtube.com/watch?v=dRI7-CxTtRw

EPISODE REFERENCES:

• Apple security alert summary page – Apple

— Corey Nachreiner, CISSP (@SecAdept)

Oracle & Apple Patches – Daily Security Byte EP. 206

Another week, another pile of patches. If you use Apple or Oracle products, it’s time to download the latest updates to keep your computers and servers safe. Watch today’s video for a quick summary of the affected products and issue, and check the link below to learn more.

(Episode Runtime: 2:18)

Direct YouTube Link: https://www.youtube.com/watch?v=NT5OqG8VG9k

EPISODE REFERENCES:

• Summary of Apple security updates – Apple
• Summary of Oracle’s January CPU – Oracle

— Corey Nachreiner, CISSP (@SecAdept)

IT Pros Get Patches for Xmas? – Daily Security Byte EP. 188

It’s hard to call today, “Microsoft Patch Day,” when both Adobe and Apple piled on with tons of security fixes of their own. Microsoft released a dozen security bulletins today, eight rated Critical; Adobe released a Flash update fixing 78 vulnerabilities; and Apple released fixes for all their OSes and a few other products. If you use software from any of those three vendors, watch today’s episode to learn what to do, and check out the references below for more details on the updates.

(Episode Runtime: 2:54)

Direct YouTube Link: https://www.youtube.com/watch?v=6Of-SSZ7gtc

EPISODE REFERENCES:

• Microsoft’s security bulletin summary for  December 2015 – Microsoft
• Microsoft added three new security advisories this month – Microsoft
• Great blog post summarizing Microsoft Patch Day – gHacks.net
• Adobe Flash security bulletin for December 2015 – Adobe
• Apple’s security summary page with links to alerts – Apple

— Corey Nachreiner, CISSP (@SecAdept)

Apple’s October Updates – Daily Security Byte EP. 164

 

Are you an Apple fan, or do you at least use Safari or iTunes for Windows? If so, yesterday was Apple patch day. If you haven’t updated yet, watch today’s video to learn what you’re missing.

(Episode Runtime: 1:08)

Direct YouTube Link: https://www.youtube.com/watch?v=AMSg5eyRynI

EPISODE REFERENCES:

• Apple’s Security page with the latest October updates – Apple

— Corey Nachreiner, CISSP (@SecAdept)

Researcher Storms Gatekeeper- Daily Security Byte EP.152

Today, Apple fixed a few security flaws but also suffered from a new one. A researcher has found a new way to bypass Gatekeeper—the OS X component that’s supposed to keep suspicious software off Macs. Watch the video below to learn a bit about this flaw.

(Episode Runtime: 2:11)

Direct YouTube Link: https://www.youtube.com/watch?v=LvZ3zN7D4Ng

EPISODE REFERENCES:

• Research finds easy exploit to bypass Apple Gatekeeper – Ars Technica
• Wardle’s upcoming talk at VirusBulletin about Gatekeeper flaw – VirusBtn
• Apple’s security page with new OS X, iOS, and Safari updates – Apple

— Corey Nachreiner, CISSP (@SecAdept)

Black Hat & DEF CON Aftermath – WSWiR Episode 160

Two weeks ago, the Black Hat and DEF CON conferences unveiled tons of new security research, which means last week was packed with interesting security stories. If you find yourself falling behind on security news, and need a “one stop shop” to keep you up to date, this weekly video does just that.

Last week’s stories included many car hacks, a OS X firmware worm, a big UK breach, tons of patches, and more. If you don’t watch my Daily Bytes, you can catch up all at once with the weekly video below. More importantly, I couldn’t cover many other interesting stories from last week, so if you are interested in those, check out the Reference section below.

(Episode Runtime: 15:10)

Direct YouTube Link: https://www.youtube.com/watch?v=AAIiPp3os1k

EPISODE REFERENCES:

• Monday: Carphone Warehouse Gets Robbed – Daily Security Byte EP.122
  • Attackers steal 2.4M records from Carphone Warehouse – BBC
  • Carphone Warehouse releases breach FAQ for customers – CarPhone Warehouse
  • Talk Talk stored unprotected passwords – Computing
• Tuesday: Thunder Strikes Mac Firmware Again – Daily Security Byte EP.123
  • A new Black Hat 0day can brick your Mac – TechCrunch
  • Thunderstrike 2 infects Mac firmware – Ars Technica
  • Researcher’s post on Thunderstrike 2 – TRMM.net
  • ThunderStrike 2 detailed presentation – TRMM.net
• Wednesday: Piles of August Patches – Daily Security Byte EP.124
  • Microsoft Patch Day Summary for August 2015 – Microsoft
  • Adobe Flash security bulletin for August 2015 – Adobe
  • Get the latest Firefox security update, it’s big  – US-CERT
  • Apple’s security page, including August patches – Apple
• Thursday: Car Hacking Revolution – Daily Security Byte EP.125
  • The full detailed white paper on the Uconnect hack – Illmatics
  • After 2yrs, researchers can finally release a vulnerability Volkswagen sued to suppress – Ars Technica
  • Text message hacks a Corvette via an “insurance dongle”  – Wired
  • Tesla Model S hackable [Link removed due to reports of malicious ads] – Mashable 
  • Tesla already fixed this – Bloomberg
  • The OwnStar attack allows hackers to unlock many cars – Engadget
• Friday: Cisco iOS ROMMON hacks – Daily Security Byte EP.126
  • Cisco’s advisory on the mysterious iOS ROMMON attack – Cisco
  • Article covering this Cisco router attack – Ars Technica

EXTRAS:

• My episode 8 analysis of Mr. Robot’s Hacking accuracy – GeekWire
• Hacktivists deface Trump site to say Goodbye to Jon Stewart
  • Hacktivists hijack a Trump site to say goodbye to Jon Stewart – Motherboard
  • Archive post of Telecomix’s Stewart post at Trump – Archive.is
  • Interview with the Trump site defacers – Vice
  • Telecomix’s Pastebin post on the “operation” – Pastebin
• Watch out for Windows 10 related social engineering scams – Tech Radar
• Windows 10 spies on you unless you Opt-Out
  • How Win10 monitors you – BGR
  • Wired details Win10 security privacy settings – Wired
  • Win10 privacy tips – BGR
• Attackers exploiting the Mac DYLD vulnerability in the wild – Fox News
• Def Con is cancelled again(regular joke) – Motherboard
• ICANN was breached again – Motherboard
• A “Fed” does a Def Con talk right – Motherboard
• Rolljam plays back codes to hack keyless entry systems – BGR
• ApplePay is more security than US Chip & Pin? – PCMag
• WiFi Sense makes no sense! – CNet
• Hackers pull of real Oceans 11 heist at Def Con – Gizmodo
• The gas pump honeypots – Motherboard
• Pentagon email hacked (again) allegedly by Russia – The Register
• Zeus author associated with Russian nation state actors – Forbes
• Faceplant: An Electronic skateboard hack – Time
• How a popular author dealt with his hijacked account – Ars Technica
• Quick news video on DEF CON – NBC News
• Patch for serious Android flaw now sufficient – Ars Technica
• More news of foreign nation-states hacking UK gov email – The Guardian
• The Hacking Team was using the old iOS Masque attack – Silicon Republic
• Attacker’s hacked early press releases to get a leg up on trades – BGR
• ATM skimmers get smaller and stealthier – Tech Crunch
• Black Hat founder thinks vendor liability for flaws is inevitable – Threat Post
• Oracle’s CSO tell white hat’s that vulnerability research breaks EULA – Mashable
  • Archived copy of the offending post – Archive.org
• Researchers turn Square into CC skimmer – Mashable
• Blackhat researcher pokes at GPS satellites – Time
• CISA/CISPA keeps coming back, and getting tweaked – The Guardian
• Researchers awarded for finding a new class of vulnerability in browsers – Phys.org
• A pen-testing drone previewed at DEF CON – PDDNet
• Using sound for two-factor auth – Wired
• Hacker steals $46M from Ubiquiti – Krebs on Security
• ProxyHAM: DEF CON hackers extend WiFi via radio proxies – TechHive
• Researchers turn a computer into a cellular antenna to leak info – Computer World
• Kaspersky accused of faking malware to weaken competitors – Reuters
• Lenovo is still using tricks to install bloatware – Ars Technica
• Stock hacker ring busted for insider trading – Reuters
• Highlights article for DEF CON 23 – Wired
• Malicious Ads on Weather.com – Ars Technica
• The Android Stagefright patch doesn’t work – Ars Technica
• Android vulnerabilities could leak fingerprints – Ars Technica

— Corey Nachreiner, CISSP (@SecAdept)

Piles of August Patches – Daily Security Byte EP.124

While there’s lots of interesting security stories I could share today, one of the most practical infosec actions you can take is to keep your software patched. Yesterday was Microsoft and Adobe patch day, and Mozilla also recently released a pretty important Firefox update. Watch the video to learn about these important fixes, and more importantly, follow the links below to learn how to apply the relevant updates.

UPDATE: On Thursday, Apple released a hand full of security advisories and updates as well, fixing flaws in iOS, OS X, and Safari. This wasn’t covered in the video, but check the links below for more info on those updates.

(Episode Runtime: 2:25)

Direct YouTube Link: https://www.youtube.com/watch?v=yZ6A09t5oWA

EPISODE REFERENCES:

• Microsoft Patch Day Summary for August 2015 – Microsoft
• Adobe Flash security bulletin for August 2015 – Adobe
• Get the latest Firefox security update, it’s big  – US-CERT
• Apple’s security page, including August patches – Apples

— Corey Nachreiner, CISSP (@SecAdept)

June Apple Patch Day – Daily Security Byte EP.107

If you use Apple products—on Mac or PC—know that today is Apple Patch Day. The popular software company released six security advisories (originally five, but they had a late breaking advisory) fixing many security flaws in most of their most popular products. Watch today’s video to learn which products are affected, and what you should patch (or check the Reference section for a link to the page with all the details).

As an aside: Sorry about the bad links yesterday, and thanks for those that informed me. If you go to the blog, the link for yesterday’s video is corrected there.

(Episode Runtime: 1:24)

Direct YouTube Link: https://www.youtube.com/watch?v=KwyHlFUPga4

EPISODE REFERENCES:

• Apple’s Security page, with links to all June’s advisories – Apple
• Article on today’s Apple updates – The Register

— Corey Nachreiner, CISSP (@SecAdept)

Patches, APT Gangs, and Sony Wikileaks- WSWiR Episode 148

Want to know what went on this week in the InfoSec world? Well then, check out my weekly security news recap video. This week I cover a ton of software security patches, news of China’s DDoS and man-in-the-middle tool, and the latest drama in the Sony breach saga. Press play to learn more, and enjoy your weekend.

(Episode Runtime: 13:25)

Direct YouTube Link: https://www.youtube.com/watch?v=uBeOUz40tws

EPISODE REFERENCES:

• Monday: China’s Great Cannon – Daily Security Byte EP.65
  • Citizen Lab researchers uncover China’s Great Cannon – CitizenLab
  • Ars Technica on the Great Cannon – Ars Technica
  • Motherboard covers China’s Great Cannon – MotherBoard
• Tuesday: Patches, Patches Everywhere- Daily Security Byte EP.66
  • Consolidated alert covering Microsoft’s April Patch Day – WatchGuard Blog
  • Adobe’s Patch Day
    • Flash security bulletin – Adobe
    • ColdFusion security bulletin – Adobe
    • Flex security bulletin – Adobe
  • Oracle’s Critical Patch Update (CPU) for April – Oracle
  • Google fixes dozens of Chrome vulnerabilities – ThreatPost
• Wednesday: APT Spy vs. Spy – Daily Security Byte EP.67
  • Kaspersky’s report on Naikon vs Hellsing – Securelist
  • Article on the rival APT gangs – Ars Technica
• Thursday: Wikileaks Spread Sony Dirt – Daily Security Byte EP.68
  • Wikileaks creates searchable database of stolen Sony files – The Seattle Times
  • Sony condemns Wikileaks for leak – Reuters
  • Sony breach investigators interviewed on 60 minutes – TechTarget
• Friday: Match.com InfoSec Fail – Daily Security Byte EP.69
  • Reporter demonstrates clear text login for Match.com – Ars Technica
  • Twitter users tips Ars reporter to the issue – Twitter
  • Not sure how long the issue has gone on – Twitter
  • Netflix to default to HTTPS – Ars Technica

 

EXTRAS:

• Security researcher yanked from a plane by FBI after making a hacking joke – Network World
  • CNN’s article on the incident – CNN
• Oracle Quarterly Patch Day; 98 flaws fixed – Oracle
• Decade long Chinese cyber espionage campaign (APT 30( [PDF] – FireEye
• Cylance finds an new SMB weakness – Reuters
• Schneier really things IoT security is a disaster – Network World
• Web app attacks, PoS malware, and cyber espionage lead the threat landscape – Computer World
• Five out of six companies targeted by cyber attacks – Computer Weekly
• Voting machines are hackable again (no surprise) – The Guardian
• The latest airplanes are hackable story – Reuters
• 90% of security events are user based – Computer World
• Punkey: New PoS malware – Betanews
• 0day exploits sold on the Dark Web (old news) – Wired
• Google not paying back a customer for cyber fraud – The Register
• Google moving ads to HTTPS too – TechCrunch
• Evasive new banking malware – PC Advisor
• Sounds like CSI:Cyber is still bad – Gizmodo
• Kaspersky can decrypt CoinVault ransomware – Extremetech
• MineCraft DoS vulnerability – Ubergizmo
• DEA buying suspect off-the-shelf malware – Gizmodo
• Simda botnet takedown! – Ars Technica
• White House pushing for crypto backdoor – TechDirt
• Small Banks targeted by cyber attackers – Third Certainty
• Verizon says mobile threats are overblown – Engadget

— Corey Nachreiner, CISSP (@SecAdept)

TV5Monde Pwned, White House Hack, and Snowden – WSWiR Episode 147

Information security threats and attacks are evolving faster than IT generalists can keep up with. If you’re falling behind in your InfoSec news, and need a quick summary, this weekly video can help.

Topics from today’s episode include, more details on an old White House breach, cyber attackers blacking out a French broadcaster, and a funny yet enlightening Snowden interview. Press play to get informed.

(Episode Runtime: 10:38)

Direct YouTube Link: https://www.youtube.com/watch?v=tLbtqmNIGsQ

EPISODE REFERENCES:

• Monday: John Oliver Interviews Snowden – Daily Security Byte EP.60
  • John Oliver interviews Edward Snowden on Last Week Tonight – YouTube
  • The Intercept comments on this John Oliver episode – The Intercept
  • A humorous site based on new context in Olivers interview (adult) – See Link
  • The Verge article referring to the site above – The Verge
• Tuesday: Fake Government Sites – Daily Security Byte EP.61
  • FBI’s PSA advisory on fake government site scam – IC3.gov
  • FBI warns of fake government sites stealing your PII – Threat Post
• Wednesday: White House Breach Unveiled – Daily Security Byte EP.62
  • CNN on how Russian hackers infiltrated the White House – CNN
  • White House attack allegedly did results in theft of sensitive data – CNET
  • USA today on White House Breach – USA Today
  • Article covering how the breach happened – Help Net Security
  • Original story on last years White House Breach – The Washington Post
• Thursday: April Apple Patches – Daily Security Byte EP.63
  • Apple’s April Patch Day Summary
    • April OS X updates – Apple
    • April iOS (8.3) update – Apple
    • April Safari updates – Apple
    • April Apple TV updates – Apple
    • April Xcode updates – Apple
  • Latest OS X update fixes over 80 vulnerabilities – ThreatPost
  • iOS update fixes Phantom flaw – ThreatPost
  • Researcher shares details about OS X root privilege flaw – TrueSecDev
• Friday: Hackers Pwn TV – Daily Security Byte EP.64
  • Alleged ISIS hackers attack TV5Monde – The Guardian
  • TV5Monde taken off the air due to cyber attack – ZDNet
  • French network blames ISIS for cyber attack – Ars Technica
  • TV5Monde expose passwords on a TV broadcast – Ars Technica

EXTRAS:

• How much Infosec truth is in TV? – Engadget
• How stolen data travels through the underground – Help Net Security
• Vulnerability in Dell software gets it marked as malware – Ars Technica
• Bad cyber security legislation could affect InfoSec research – Dark Reading
• Great article on “sinkholing” and its risks – Dark Reading
• Criminals use fake Steam pages to deliver malware – Kotaku
• A Firefox security feature exposed a new vulnerability –  Help Net Security
• Many web servers still vulnerable to Heartbleed – Business Insider
• Latest VMware update fixes old Java flaws – Security Week
• CAPTCHAs get more complex – Phys.org
• SMiShers and vishers targeting BECU customers – BECU.org
• A survey suggests attacks are getting more destructive – NBC News
• New IoT devices don’t focus on security (prediction confirmed) – Network World
• Persistent XSS flaw in WP  Super Cache plugin affects over 1M – Ars Technica
• Security researchers are the immune system of the digital age – Scientific America
• Article on the FBI’s malware – Gizmodo
• FBI warns that ISIL is exploiting WordPress flaws – IT Pro
• An article arguing that CSI: Cyber helps recruit new security pros – Cyber Defense Review
• Police chief explains why he paid cyber ransom – Ars Technica
• Watering hole attacks target specific users (Drive-bu-login) – High Tech Bridge
• Google ads succumbs to some malvertisers – Network World
• Story on a Russian Hacktivist group against Putin – The Guardian
• No NSA Congressional oversight because they lack clearance – The Intercept
• AlienSpy delivers Citadel (just another downloader) – Threat Post
• Android scareware leverages fear of malicious installers – Help Net Security
• Websense’s 2015 threat report is sobering – Websense
• US government says yes to HTTPS only – EFF
• Beebone malware morphed 19x a day – BBC
• Details on Beebone botnet takedown – Help Net Security
• Apple actually talks about removing Adware from Macs – Apple
• No surprise; people still don’t read EULAs – F-Secure
• InfoSec Europe’s annual threat survey results – InfoSec Europe
• AT&T to pay $25M fine after employee steals 300K SSNs – The Next Web
• More frequent flier accounts hacked (Lufthansa) – Reuters
• DARPA unveils tech to search for crime on the “Dark Web” – Forbes

— Corey Nachreiner, CISSP (@SecAdept)