Flash 0day and MS Patch Day – Daily Security Byte EP. 273

The second Tuesday of each month is infamously known as Microsoft Patch Day by IT pros. However, this month Adobe’s security news trumps Microsoft’s. Watch today’s video to learn why you should update Flash before your Microsoft products, but also why you shouldn’t skimp on the Microsoft patches either.

(Episode Runtime: 2:59

Direct YouTube Link: https://www.youtube.com/watch?v=cPo6vF9vrCU

EPISODE REFERENCES:

• Microsoft June Patch Day summary page – Microsoft
• Adobe Security bulletin summary page – Adobe
  • Adobe fixes Flash 0day vulnerability – Adobe
• Good overall summary of Microsoft Patch Day – Ghacks

— Corey Nachreiner, CISSP (@SecAdept)

Apple’s May Updates – Daily Security Byte EP. 263

It time to update your OS X software before hackers take a bite out of your Apple. This week, Apple released five software updates fixing security flaws in many of their most popular operating systems and products. Watch the “traveling edition” of my Daily Security Byte for the details. 

(Episode Runtime: 1:33)

Direct YouTube Link: https://www.youtube.com/watch?v=dRI7-CxTtRw

EPISODE REFERENCES:

• Apple security alert summary page – Apple

— Corey Nachreiner, CISSP (@SecAdept)

May Day, May Day, Patch Day – Daily Security Byte EP. 261

Do you want to stay safe online? Then you need to keep your patches up-to-date since most Internet exploits target old flaws. Tuesday’s Byte video covers Microsoft and Adobe’s security bulletins for May. Watch below, but more importantly, go update.

(Episode Runtime: 2:38)

Direct YouTube Link: https://www.youtube.com/watch?v=tbmSGgL3TzY

EPISODE REFERENCES:

• Summary of Microsoft’s May 2016 Patch Day – Microsoft
• Adobe’s main security summary page – Adobe
• A good write-up of Microsoft Patch Day – Ghacks

— Corey Nachreiner, CISSP (@SecAdept)

Remove QuickTime for Windows – Daily Security Byte EP. 248

Trend Micro researchers found two serious vulnerabilities in Quicktime for Windows. Normally I’d tell you to patch, but instead I’m suggestion you remove. Watch today’s video to find out why.

(Episode Runtime: 1:36)

Direct YouTube Link: https://www.youtube.com/watch?v=9JmCwViLPuM

EPISODE REFERENCES:

• Trend Micro find two remote code execution flaws in Quictime for Windows – Trend Micro
• US-CERT recommend you remove Quicktime for Windows – US-CERT

— Corey Nachreiner, CISSP (@SecAdept)

April Patch Day 2016 – Daily Security Byte EP. 247

Microsoft and Adobe have delivered a fresh batch of security updates for April. If you use products from either vendor, watch today’s short Security Byte to get a summary of the updates, and more importantly, follow the links below to get your patches.

(Episode Runtime: 2:00)

Direct YouTube Link: https://www.youtube.com/watch?v=r95SPareQU4

EPISODE REFERENCES:

• Microsoft Patch Day summary for April 2016 – Microsoft
• Adobe’s April Security updates – Adobe

— Corey Nachreiner, CISSP (@SecAdept)

Apple Patches iMessage and More – Daily Security Byte EP. 236

Today, Apple released security updates for all their operating systems, Safari, and Xcode. The updates fix many vulnerabilities, including a number of remote code execution flaws, and some cryptography issues with iMessage. Watch today’s video to learn more, and be sure to download the updates if you use Apple software.

(Episode Runtime: 2:29)

Direct YouTube Link: https://www.youtube.com/watch?v=ZdrxbfygTrk

EPISODE REFERENCES:

• Apple’s security page with links to all today’s advisories – Apple
• Apple’s updates fix remote code execution flaws – The Register
• John Hopkins researcher’s paper on the iMessage flaws – JHU.edu

— Corey Nachreiner, CISSP (@SecAdept)

Flash 0day & Patches – Daily Security Byte EP. 229

Frankly, I’m a bit sick of talking about patches and security updates after focusing on them for the last two days. However, so many important security updates got released today that I have to cover them for a third day in a row. If you use Adobe Flash, Microsoft products, Firefox, or a Cisco cable modem, watch today’s video to learn about these important patches, including one that fixes a zero day flaw.

Show Note: Please excuse the irritating audio pops. I have since replaced the defective mic.

(Episode Runtime: 2:37)

Direct YouTube Link: https://www.youtube.com/watch?v=6LDgnICKE-Y

EPISODE REFERENCES:

• Adobe’s out of cycle Flash update – Adobe
  • Adobe’s emergency update fixes 0day flaw – Ars Technica
• Microsoft’s out of cycle Flash bulletin – Microsoft
• Firefox 45 fixes 40 vulnerabilities – ZDNet
• Cisco fixes critical flaw in cable modem – CSO Online

— Corey Nachreiner, CISSP (@SecAdept)

February Patch Day Plugs Microsoft and Adobe Flaws- Daily Security Byte EP. 214

If you’re an IT administrator, you probably know that yesterday was Microsoft Patch Day. You might even know that Adobe shares this day. Watch today’s video for a quick summary of the affected products, and the scope and impact of some of the flaws. More importantly, be sure to follow the links in the Reference section to find out where to get the updates so you can patch quickly.

(Episode Runtime: 2:48)

Direct YouTube Link: https://www.youtube.com/watch?v=bhZFzPAjN8Q

EPISODE REFERENCES:

• Microsoft’s February Patch Day summary post – Microsoft
• Microsoft’s new advisories for February –Microsoft
• Good summary of Microsoft Patch Day – Ghacks
• Microsoft announces an update history page for Windows 10 – Microsoft
• Adobe’s security page with February advisories – Adobe

— Corey Nachreiner, CISSP (@SecAdept)

A Dozen Microsoft Updates – Daily Security Byte EP. 174

If you use Microsoft or Adobe products—as the majority of computer users do—it’s that time again… Patch Day.

For November’s Patch Day, Microsoft released a dozen bulletins fixing many flaws in their most popular products. Watch today’s video for the quick highlights about these and Adobe’s updates.

UPDATE: As gung-ho as I am about applying patches quickly, there have been reports that some of the Windows 10 updates can cause problems. You may want to test these updates before deploying them throughout your network.

(Episode Runtime: 1:43)

Direct YouTube Link: https://www.youtube.com/watch?v=xGj2grkLQfk

EPISODE REFERENCES:

• Microsoft Patch Day Summary for November 2015 – Microsoft
• Adobe Flash bulletin for November 2015 – Abode
• Two new Microsoft security advisories for November – Microsoft

— Corey Nachreiner, CISSP (@SecAdept)

iOS Bounties, Android Auto-root, and Guy Fawkes Day – WSWiR Episode 168

Nowadays, each week has more information security news that we used to have each month. If you find yourself falling behind, and need a shortcut to stay informed, this is the weekly video for you. Every Monday, I summarize our daily security video from last week.

Today’s episode covers a new Android malware variant, an iOS zero day that’s bad for the industry, a couple hacktivism campaigns, and more. Watch the YouTube video for all the details, and check out the references below to learn more.

(Episode Runtime: 13:13)

Direct YouTube Link: https://www.youtube.com/watch?v=z7Xgnd8CHQ8

EPISODE REFERENCES:

• Monday: 000Webhost has 000 Security – Daily Security Byte EP. 169
  • 13M+ password leaked from popular web hosting company – Forbes
  • Original blog disclosing the 000webhost breach – Troy Hunt
  • 000Webhost’s breach due to outdated PHP – Computer Weekly
• Tuesday: Claimed iOS Bounty is Bad News – Daily Security Byte EP. 170
  • Vulnerability researchers claim a $1M iOS 9.1 hack bounty – Motherboard
  • iOS bounty claimed, but Apple won’t be informed – Wired
  • The original iOS 9 hack bounty – Zerodium
• Wednesday: vBulletin Breach and 0day – Daily Security Byte EP. 171
  • vBulletin’s site and forum software hacked – Ars Technica
  • vBulletin asks users to reset password – vBulletin
  • vBulletin released patch for forum software – vBulletin
  • Researcher discloses his vBulletin RCE vuln – Twitter
    • His actual Pastie disclosure – Pastie
  • Hacker claims responsibility for breach – The Admin Zone
  • Coldzer0 attempts to sell vBulletin 0day – oday.today
  • Video demonstrating the vBulletin exploit –  YouTube
• Thursday: Auto-rooting Android Malware – Daily Security Byte EP. 172
  • Three Android malware families quietly roots phones and digs in – Ars Technica
  • Researcher’s blog post describing these new Android threats – Lookout
• Friday: Guy Fawkes Day Hacktivism – Daily Security Byte EP. 173
  • Anonymous Doxxes 1000 alleged KKK members as part of #OpKKK – ZDNet
  • Anonymous threatens #OpKKK on Nov. 5th: Epic fail – USA Today
  • CWA doxxed more government employees – Motherboard
  • CIA Director hackers break into arrest database – Wired
  • Information about Guy Fawkes night – Wikipedia

EXTRAS:

• 11yr old girl will give you a secure password for $2 – The Telegraph
• CISA passes the Senate despite privacy issues – Wired
• Big tech companies don’t like CISA either – CNN
• EFF unveils vulnerabilities in automatic license plate readers – EFF
• Can humanity build a computer security AI? – TechCrunch
• BGP is still a security risk (nothing new here) – SC Magazine
• Nice article on man-in-the-middle attacks – Network World
• Millions of passwords leaked from a free web hoster – Forbes
• Lots of issues with SSL certificate revocation systems – Phys
  • Google warns Symantec to clean up certificates – Ars Technica
• More browser vulnerabilities allow for zombie cookies –  Ars Technica
• Duuzer trojan seems to target South Korean manufacturing industry – Computer World
• Strengthen your security with passive DNS – Network World
• It’s ok to hack stuff you own for research – Wired
• NSA director says state sponsored attacks increasing – Time
• Tennis star recommends affirmations as passwords – Wired
• Chipped cards get hacked too – Network World
• DARPA keeping an eye on security researchers – Motherboard
• A third of stolen cars in France were hacked – Telegraph
• UK to ban strong encryption on social sites – The Telegraph
• No three arrested in association with the TalkTalk hack – Dark Reading
• Citrix patches some serious (and old) Xen vulnerabilities – The Register
• Researchers collect the $1M iPhone root vulnerability bounty – Forbes
• Zerodium to pay a $1M iOS hack bounty – Motherboard
• Apple doesn’t approve security conference app because of hacking talks – The Register
• Fascinating piece on ex-employees of The Hacking Team – Motherboard
• Will ransomware threaten to disclose your files publicly? – Tripwire Blog
• DMCA exemptions allow hacking for security research – SC Magazine
• British Gas data breach affects 2200 customers – IBTimes
• UK national arrested in association with DroidJack – BBC
• Cyber criminals suck at information security too – The Register
• CCTV (or Linux) botnet DDoSes victims – Incapsala
• Anti-adblocker CDN hijacked and served malicious fake Flash update – The Register
• KeeFarce targets popular password manager – Ars Technica
• Latest Android update fixes 23 vulns including another “Stagefright” – Forbes
• Researchers find new Windows flaw that bypasses EMET – Threatpost
• Cryptowall’s revenue may go to one criminal group – PC World
• Backdoor found in Chinese iOS ad SDK – Threatpost
• UK government wants to increase surveillance – The Intercept
• Tinba still spreading, and targeting Japanese and Russian banks – Threatpost
• FBI is budging a bit on back doors. Servants to the people – Ars Technica
• Longest DDoS attack lasted 320 hours – IT Pro
• Signing malware with valid certs has become an underground service – The Register
• XcodeGhost still lurking, this time on US Appstore – Dark Reading
• Google’s project Zero found 11 vulnerabilities in latest Samsung phone – The Inquirer
• White House reveals the Cybersecurity Strategy Implementation Plan (CSIP) – WhiteHouse.gov
• U.S. Officials targeted by cyber attacks after Iranian hacker’s arrest – Reuters
• Hackers pull heist on a heist video game over microtransactions – Motherboard
• Details surface about two older gambling payment processor breaches – Forbes
• Like the NSA, MI5 uses hacking for investigations – Motherboard
• 14yr old Japanese boy arrested for having the Zeus trojan (video) – NBC News
• Apparently, CIA Director’s email hackers are targeting others – Motherboard
• Good article asking if we learned from Stuxnet – Dark Reading
• Proton email suffers DDoS and pays extortionists $6000 in bitcoin – Forbes
• A look at the person modeled for the CSI:Cyber character – Telegraph
• Finfisher government spyware company still alive and well – Motherboard

— Corey Nachreiner, CISSP (@SecAdept)