iOS Bounties, Android Auto-root, and Guy Fawkes Day – WSWiR Episode 168

Nowadays, each week has more information security news that we used to have each month. If you find yourself falling behind, and need a shortcut to stay informed, this is the weekly video for you. Every Monday, I summarize our daily security video from last week.

Today’s episode covers a new Android malware variant, an iOS zero day that’s bad for the industry, a couple hacktivism campaigns, and more. Watch the YouTube video for all the details, and check out the references below to learn more.

(Episode Runtime: 13:13)

Direct YouTube Link: https://www.youtube.com/watch?v=z7Xgnd8CHQ8

EPISODE REFERENCES:

• Monday: 000Webhost has 000 Security – Daily Security Byte EP. 169
  • 13M+ password leaked from popular web hosting company – Forbes
  • Original blog disclosing the 000webhost breach – Troy Hunt
  • 000Webhost’s breach due to outdated PHP – Computer Weekly
• Tuesday: Claimed iOS Bounty is Bad News – Daily Security Byte EP. 170
  • Vulnerability researchers claim a $1M iOS 9.1 hack bounty – Motherboard
  • iOS bounty claimed, but Apple won’t be informed – Wired
  • The original iOS 9 hack bounty – Zerodium
• Wednesday: vBulletin Breach and 0day – Daily Security Byte EP. 171
  • vBulletin’s site and forum software hacked – Ars Technica
  • vBulletin asks users to reset password – vBulletin
  • vBulletin released patch for forum software – vBulletin
  • Researcher discloses his vBulletin RCE vuln – Twitter
    • His actual Pastie disclosure – Pastie
  • Hacker claims responsibility for breach – The Admin Zone
  • Coldzer0 attempts to sell vBulletin 0day – oday.today
  • Video demonstrating the vBulletin exploit –  YouTube
• Thursday: Auto-rooting Android Malware – Daily Security Byte EP. 172
  • Three Android malware families quietly roots phones and digs in – Ars Technica
  • Researcher’s blog post describing these new Android threats – Lookout
• Friday: Guy Fawkes Day Hacktivism – Daily Security Byte EP. 173
  • Anonymous Doxxes 1000 alleged KKK members as part of #OpKKK – ZDNet
  • Anonymous threatens #OpKKK on Nov. 5th: Epic fail – USA Today
  • CWA doxxed more government employees – Motherboard
  • CIA Director hackers break into arrest database – Wired
  • Information about Guy Fawkes night – Wikipedia

EXTRAS:

• 11yr old girl will give you a secure password for $2 – The Telegraph
• CISA passes the Senate despite privacy issues – Wired
• Big tech companies don’t like CISA either – CNN
• EFF unveils vulnerabilities in automatic license plate readers – EFF
• Can humanity build a computer security AI? – TechCrunch
• BGP is still a security risk (nothing new here) – SC Magazine
• Nice article on man-in-the-middle attacks – Network World
• Millions of passwords leaked from a free web hoster – Forbes
• Lots of issues with SSL certificate revocation systems – Phys
  • Google warns Symantec to clean up certificates – Ars Technica
• More browser vulnerabilities allow for zombie cookies –  Ars Technica
• Duuzer trojan seems to target South Korean manufacturing industry – Computer World
• Strengthen your security with passive DNS – Network World
• It’s ok to hack stuff you own for research – Wired
• NSA director says state sponsored attacks increasing – Time
• Tennis star recommends affirmations as passwords – Wired
• Chipped cards get hacked too – Network World
• DARPA keeping an eye on security researchers – Motherboard
• A third of stolen cars in France were hacked – Telegraph
• UK to ban strong encryption on social sites – The Telegraph
• No three arrested in association with the TalkTalk hack – Dark Reading
• Citrix patches some serious (and old) Xen vulnerabilities – The Register
• Researchers collect the $1M iPhone root vulnerability bounty – Forbes
• Zerodium to pay a $1M iOS hack bounty – Motherboard
• Apple doesn’t approve security conference app because of hacking talks – The Register
• Fascinating piece on ex-employees of The Hacking Team – Motherboard
• Will ransomware threaten to disclose your files publicly? – Tripwire Blog
• DMCA exemptions allow hacking for security research – SC Magazine
• British Gas data breach affects 2200 customers – IBTimes
• UK national arrested in association with DroidJack – BBC
• Cyber criminals suck at information security too – The Register
• CCTV (or Linux) botnet DDoSes victims – Incapsala
• Anti-adblocker CDN hijacked and served malicious fake Flash update – The Register
• KeeFarce targets popular password manager – Ars Technica
• Latest Android update fixes 23 vulns including another “Stagefright” – Forbes
• Researchers find new Windows flaw that bypasses EMET – Threatpost
• Cryptowall’s revenue may go to one criminal group – PC World
• Backdoor found in Chinese iOS ad SDK – Threatpost
• UK government wants to increase surveillance – The Intercept
• Tinba still spreading, and targeting Japanese and Russian banks – Threatpost
• FBI is budging a bit on back doors. Servants to the people – Ars Technica
• Longest DDoS attack lasted 320 hours – IT Pro
• Signing malware with valid certs has become an underground service – The Register
• XcodeGhost still lurking, this time on US Appstore – Dark Reading
• Google’s project Zero found 11 vulnerabilities in latest Samsung phone – The Inquirer
• White House reveals the Cybersecurity Strategy Implementation Plan (CSIP) – WhiteHouse.gov
• U.S. Officials targeted by cyber attacks after Iranian hacker’s arrest – Reuters
• Hackers pull heist on a heist video game over microtransactions – Motherboard
• Details surface about two older gambling payment processor breaches – Forbes
• Like the NSA, MI5 uses hacking for investigations – Motherboard
• 14yr old Japanese boy arrested for having the Zeus trojan (video) – NBC News
• Apparently, CIA Director’s email hackers are targeting others – Motherboard
• Good article asking if we learned from Stuxnet – Dark Reading
• Proton email suffers DDoS and pays extortionists $6000 in bitcoin – Forbes
• A look at the person modeled for the CSI:Cyber character – Telegraph
• Finfisher government spyware company still alive and well – Motherboard

— Corey Nachreiner, CISSP (@SecAdept)

PWNed CIA, hacked Fitbit, and Fake Chrome- WSWiR Episode 167

Are you feeling overwhelmed by your normal IT job, but wish you had time to keep up with information security (infosec)? No worries! Let our weekly security video fill you in. Every Monday, I quickly summarize the biggest network and information security stories from the previous week, so you can keep up with the latest threats.

Today’s episode includes a story about a teenager hacking the CIA Director’s email, a new Fitbit hack, a malicious Chrome lookalike, and lots of patches. Press play to learn more, and check the references for other stories.

(Episode Runtime: 13:27)

Direct YouTube Link: https://www.youtube.com/watch?v=aqb7WIjuv94

EPISODE REFERENCES:

• Monday: CIA Director’s Email Hacked – Daily Security Byte EP. 161
  • Teen claims to have hacker CIA Director’s AOL account – New York Post
  • CIA Director’s personal email had documents with SSN numbers – Motherboard
  • Hacker shares some emails with Wikileaks – Wikileaks
  • UPDATE: More details on how the 20yr old did it – Wired
  • UPDATE: Brennan’s hacker doesn’t want to go to jail – Motherboard
• Tuesday: Oracle CPU for Oct. 2015 – Daily Security Byte EP. 162
  • Oracle’s Critical Patch Update advisory for October 2015 – Oracle
  • Great blog post summarizing the most important details of Oracle’s CPU – Oracle
  • Oracle’s general security page – Oracle
• Wednesday: Malicious Chrome Look-alike – Daily Security Byte EP. 163
  • PC Risk’s write up on the  potentially malicious eFast browser – PC Risk
  • Malware Bytes analysis on eFast’s file and URL associations – Malware Bytes
  • Article on evil Chrome-browser look-alike – Network World
• Thursday: Apple’s October Updates – Daily Security Byte EP. 164
  • Apple’s Security page with the latest October updates – Apple
• Friday: Overstated Fitbit Hack – Daily Security Byte EP. 165
  • The 10 second Fitbit hack – The Register
  • Fitbit vulnerability allows trackers to spread malware – Darknet
  • The actual Fitbit presentation released on Wednesday [PDF] – Hack.lu
  • The Fitbit hack PoC video – YouTube
  • The research admits limitation on Twitter – Twitter
  • Fitbit denies that malware vector too – NBC

EXTRAS:

• You’re more likely to download something bad if you are multitasking – Phys.org
• Researchers hack and boil over iKettles – The Register
• Facebook will inform users of state sponsored hacking – BigThink
• Chinese attackers allegedly already break cyber pact – CBR Online
• HTTPS everywhere is a bit closer with free trusted certs – Lets Encrypt
• NSA Director’s three cyber security nightmares – Business Insider
• More threats and malware using the Dark Web to hide C&C – Motherboard
• Tim Cook says, “No!” to backdoors in Apple encryption – Ars Technica
• Apple identifies 256 apps collecting private data via ad SDK – Slashgear
• Anonymous DDoSes two Japanese airports for dolphin hunting – SC Magazine
• Sony’s settlement with employees for hack may reach $8M  – Reuters
• How to make threat intel work for you – Computer World
• Support scams starting to plague Mac users – Ars Technica
• Flaw in self-encrypting HDs allow attackers to see your data – Network World
• Hackers can “Dox” non-connected people too – NYTimes
• Vulnerability found in a particular 1password feature – Apple Insider
• A few companies join battle against US CISA bill – Information Week
• Attackers DDoS and extort e-retailers in UK – Channel Register
• Avoid fake Apple refund phishing scam – Digital Spy
• Shakespeare can help you with strong passwords – Slate
• Interesting research on us how we fall for cyber scams – Phys
• CISA is advancing in US Senate – Reuters
• Congress’ car hacking bill not going well – Motherboard
• Cyber criminals targeting security researchers – Computing
• LowLevel04: New ransomware spreads via RDP – Bleeping Computer
• Bad David Pogue article about car hacking – Scientific America
  • Response article about Pogues bad reporting – Wired
• Just for fun: Remember the old Half-Life 2 source code hack – Kotaku

— Corey Nachreiner, CISSP (@SecAdept)

Patches, Drone Hacks, and Evil USB – WSWiR Episode 166

Did you miss last week’s security news since you were too busy keeping your network running? If so, you’re not alone. However, staying up to date with the latest threats is important, so let our short weekly security summary keep you informed. If you don’t have time to follow our daily security videos, I summarize them in this video every Monday.

Today’s episode includes a root vulnerability in popular consumer routers, a zero day Adobe Flash issue, and drone hacking. If that’s not enough, you should watch just to learn about last week’s Microsoft and Adobe patches. Watch the video for the details, and check the References section for links to other security stories from the past few weeks.

(Episode Runtime: 10:56)

Direct YouTube Link: https://www.youtube.com/watch?v=77R3I5fw9Ao

EPISODE REFERENCES:

• Monday: 0day Root Netgear Flaw – Daily Security Byte EP.156
  • Attackers starting to exploit 0day Netgear router flaws – ISPreview
  • Blog post on 0day Netgear authentication bypass flaw – Shellshock Labs
  • Blog post on 0day Netgear command injection flaw – Shellshock Labs
  • Full Disclosure post on Netgear vulnerabilities – Full Disclosure
• Tuesday: Patch Day Improves Browser Security – Daily Security Byte EP.157
  • Summary post for October’s Microsoft Patch Day – Microsoft
    • October’s Internet Explorer update – Microsoft
    • October’s Edge update – Microsoft
    • October’s Windows Jscript/VBscript update – Microsoft
    • October’s Windows Shell update – Microsoft
    • October’s Office update – Microsoft
    • October’s Windows Kernel update – Microsoft
  • Don’t forget to check out Microsoft’s new security advisories – Microsoft
  • Latest security update for Adobe Flash – Adobe
• Wednesday: Computer Frying USB Stick – Daily Security Byte EP.158
  • Researcher creates malicious USB key that fries devices (Russian) – Habrahabr
  • Original USB Killer idea – Habrahabr
  • Video of USB Killer 2.0 in action – YouTube
  • English article about USB Killer 2.0 – Graham Cluley
  • Reddit post discussion the video – Reddit
• Thursday: Flash 0day Surfaces – Daily Security Byte EP.159
  • Researchers find Pawn Storm using a new Flash flaw – Trend Micro
  • Adobe’s security bulletin on the new Flash flaw – Adobe
  • The fix for this 0day Flash issue – Adobe
• Friday: Drone Hacking – Daily Security Byte EP. 160
  • Researcher post about a MAVLink vulnerability – Shellntel
  • Video showing the Shellntel researchers’ attack – YouTube
  • Reddit discusses a multicopter attack – Reddit
  • Exploiting drones with MAVLink – Hackaday

EXTRAS:

• Obama says no to encryption backdoors, but Fed has other ways in – Wired
• Silly Chrome extension allows a “friend” to force sites on your browser – Wired
• Zhone routers, used by an unnamed ISP, are full of vulnerabilities – The Register
• Dow Jones hacked, 3500 records stolen – Slashgear
• Swatter sentenced to 1yr community service – FoxCT
• Hacking costs US firms $15M a year – CNN
• Journalist found guilty of helping Anonymous deface the Times – Motherboard
• Attackers tried to hack Clinton’s email server – Seattle Times
• Uber suspects they were hacked by Lyft – Business Insider
• Paper on a malware free “insider” attack [PDF] – Crowd Strike
• US authorities out Chinese companies that allegedly benefit from IP theft – Financial Times
• US-CERT warns about a resurgence in Dridex banking malware – US-CERT
• Microsoft plugs a XSRF hole in Outlook.com – The Register
• The Wall Street Journal’s database hacked – Engadget
• Researcher rewarded for temporarily taking over Google.com – BBC
  • His Linkedin post describing how he did it – Linkedin
• “Weev” threatens prosecutors with Doxing – Motherboard
• Attackers exploit old Cisco SSL VPN flaw to install backdoor – Volexity
• Researcher finds vulnerabilities in Huawei 4G USB modems – The Register
• LoopPay hacked. Samsung Pay not affected – Digital Trends
• Kemoge: Yet another Android malware variant – Ars Technica
• A botnet that can generate “fake” listens on Spotify – Motherboard
• Malaysian student arrested for hacking for ISIS – The Register
  • And he was very careless – Motherboard
• New Siri hack isn’t that big a real world threat – Wired
• Bit9 says OS X malware is exploding – Document Cloud
• Mandiant fights a very sophisticated threat actor – The Register
• UK bank plugs a pretty big security hole – The Register
• TPP could hurt security research – Slate
• Daily Mail affected by Angler kit malvertising – The Register
• Hackers steal 150K credit card records from casino – The Register
• FBI take down Dridex – ZDNet
• Yahoo offers password free sign-in – Engadget
• NSA leveraging flaw to crack crypto – Threatpost
• The value of stolen data by type – Dark Reading
• Older posts from the week before
  • Biometric authentication has issues too – Forbes
  • Saudi Arabia allegedly wanted to buy The Hacking Team – The Register
  • Surprise, Surprise! A pirate site serves malware – The Register
  • Hilton still researching if they’ve been hacked or not – The Inquirer
  • Nice article on new Windows 10 security features – Expert Reviews
  • Researcher finds holes in Dendroid Android exploit kit – The Register
  • Researcher finds vulnerabilities in Starbucks servers – Fouad’s Blog
  • PoC allows you to steal other’s keys in Amazon EC2 – Ars Technica
  • Political propaganda spread via Twitter botnet – Motherboard
  • Video blog on whether or not China is hacking the US – Network World
  • Elevation of privilege flaws patched in TrueCrypt – Threatpost
  • Apple fixes last week’s iOS lock screen bypass issue – Apple
  • New report confirms ICS under attack & supply chain a weakness – Network World
  • Researchers find iOS pwning vulnerability in 3rd party app – SC Magazine
  • Security vulnerability puts nail in TrueCrypt’s legacy coffin – ZDNet
  • Kaspersky update on the Gaza cybergang hacktivists – Securelist
  • A Linux botnet capable of 150Gb DDoS attacks – Akamai
  • New study shows the danger in patching late – Kenna Security

— Corey Nachreiner, CISSP (@SecAdept)

Lots of Apple Hacks- WSWiR Episode 165

If you have no time to keep up with security news, but do want to know about the most concerning threats, our weekly video was made for you. It summarizes the biggest infosec stories each week (which I also cover in daily videos), and shares tips to protect your organization.

Today’s episode includes a couple of Apple software related threats, a new ATM malware variant, and the latest Flash update. Watch the video below, and check out the Reference section if you are hungry from more security news from the past week.

(Episode Runtime: 8:34)

Direct YouTube Link: https://www.youtube.com/watch?v=tuzi8SBq804

EPISODE REFERENCES:

• Monday: XcodeGhost Pwns App Store – Daily Security Byte EP.147
  • Palo Alto’s posts on XcodeGhost
    • Original XcodeGhost post – Palo Alto
    • At least 39 App Store apps infected – Palo Alto
    • Malicious XcodeGhost apps can phish and steal passwords – Palo Alto
  • What you need to know about Xc0deGhost – Forbes
  • Apple removes 344 XcodeGhost apps – Geek
  • UPDATE: Apple emails devs to share how to validate Xcode – Apple
  • UPDATE 2: Now up to 4000 affected apps in the App Store – BBC
• Tuesday: Critical Flash Patch – Daily Security Byte EP.148
  • Adobe’s out-of-cycle Flash advisory – Adobe
  • Adobe’s critical update fixes 23 vulnerabilities – Computing
  • 18 of 23 Flash flaws allow code execution – Computer World
• Wednesday: iOS 9 Lockscreen Bypass – Daily Security Byte EP.149
  • Video post demonstrating the new iOS 9 lockscreen bypass – YouTube
  • YouTuber shares the iOS 9 lockscreen flaw with media – BGR
• Thursday: Missed due to travel
  • N/A
• Friday: GreenDispenser – Daily Security Byte EP.150
  • GreenDispenser infects Mexican ATMs – ProofPoint
  • ATM malware dispenses cash on demand – Network World

EXTRAS:

• AT&T sues inside attackers for unlocking thousands of phones – Ars Technica
• Hackers hack each other and sell the data – Motherboard
• MI5 director also wants access to snooping on encrypted data – BBC
• Article on catching ransomware criminals – IT Pro
• Malware helps authors cheat at online poker – Ars Technica
• Vulnerabilities found in DHS websites – Reuters
• Many systems still vulnerable to Heartbleed – The Register
• Are we finally really our of IPv4 addresses (again) – Ars Technica
• Obama’s administration nixes backdooring encryption – The Register
• Forbes’ website servers malicious ads this month – Forbes
• Twitter makes its shortened links HTTPS – Techdirt
• Korean government approved parental spyware leaks data – Techdirt
• Symantec (rightly) fires employees for issuing rogue HTTPS cert – Ars Technica
• Gray hat vulnerability market company offers $1M bounty on iOS 9 hack – Wired
• Malicious brain test app made it onto Google Play market – IBTimes
• GhostPush virus infected over 600K android devices – CMCM blog
• Russia allegedly the victim of nation state cyber espionage – Tech News World
• Others can easily hijack Chinese Android botnet – The Register
• Malicious images uploaded to Imgur – The Register
• Bad cookies can hose HTTPS – PC World
• President Obama and President Xi discuss cyber espionage – SC Magazine
  • Video of Obama and Xi’s meeting – Bloomberg
• Hilton hotels may have suffered a breach – Krebs on Security
  • Resources for report – ThreatConnect
• Cisco makes a tool to identify SYNful Knock – The Register
• Porn sites hit with malware again – BBC
• Why your identity is only worth a buck on the underground – NBC
• New report highlights new APT actors – ThreatConnect
• 0day flaws in Kaspersky software – Project Zero
• Attackers increasingly relying on memory resident attacks – Computer World
• Pandalabs discovered 21M new malware variants Q2 2015 – BetaNews
• Taking war driving to the next level – Forbes
• New VXWork vulnerability could affect the Mars rover – The Register
• FBI tells consumers to watch out for IoT – IC3.gov
• Neustar claims that most DDoS attacks are a distraction – Computer Weekly
• Latest on the old CVS and Costco Photo Center breach – SC Magazine
• Firefox addon warns you if a site has been breached recently – Ghacks
• New malvertising campaign keep on popping up – Malwarebytes
• Some analysis on the 11M cracked Ashley Madison pwds – Ars Technica
• US DoE had over a hundred cyber attacks in 4 years – Computer World
• Memories of a teenager (reformed) virus author – The Register
• IT pros spend most their time patching flaws – CIO
• The latest on Android Stagefright flaw, including PoC – Zimperium
• Best engineering school (MIT) has the worst security!? – Ars Technica
• Apparently many US citizen’s support government backdoors – Forbes
• New Android malware changes your PIN – Ars Technica
• Another way for attackers to learn about Mozilla’s flaws – Wired
• A good article on the real vs perceived threats – Tech Republic

— Corey Nachreiner, CISSP (@SecAdept)

Adult Ransomware and Hacked WhatsApp – WSWiR Episode 164

Do you have little time for security news, but wish you could keep abreast of the latest threats? In that case, our weekly summary video can help. Every Monday, we summarize last week’s infosec news for you, often in under ten minutes.

This week’s show includes Microsoft and Adobe patches, some adult-themed mobile ransomware, and a sneaky new malware command and control technique. Watch the episode below, and don’t forget to glance at the Reference section if you are interested in other news.

(Episode Runtime: 8:44)

Direct YouTube Link: https://www.youtube.com/watch?v=mnJivvR7nRw

EPISODE REFERENCES:

• Monday: N/A
  • Happy Labor Day!
• Tuesday: September Patch Day – Daily Security Byte EP.138
  • Microsoft September Patch Day summary post – Microsoft
  • Quick SANS summary of Microsoft Patch Day – SANS
  • Adobe’s Shockwave Advisory – Adobe
• Wednesday: WhatsApp Hacked – Daily Security Byte EP.139
  • Researcher finds critical flaw in WhatsApp web client – Checkpoint
  • Article describing the WhatsApp vulnerability (best headline) – The Register
• Thursday: Adult Mobile Ransomware – Daily Security Byte EP.140
  • Security group finds adult-themed mobile ransomware – Zscaler
  • Article describing the porn app ransomware – BBC
• Friday: Satellite C&C Channel – Daily Security Byte EP.141
  • Russian attackers use satellite internet to hide C&C – Wired
  • Kaspersky’s research on Satellite-based C&Cs – SecureList

EXTRAS:

• Apple pushes back against US gov. request for user data – NY Times
  • More news on Apple refusing DoJ order to decrypt data – TechDirt
• CopperheadOS: An open source “secure” android distro – Liliputing
• Grey hat researcher wants payment for FireEye 0day flaws – The Register
  • FireEye’s response to new flaws [PDF] – FireEye
  • Cluley’s comments on the FireEye 0day – Graham Cluley Blog
  • FireEye sues researcher to prevent disclosure – Ars Technica
• Using old email clients for security (don’t recommend) – Motherboard
• Researcher discloses critical vulnerability in Kaspersky AV – PC World
• James Clapper thinks the next state threat is data manipulation – The Guardian
• Group finds flaw that allows them to crack Ashley Madison passwords – CynosurePrime
  • Article on how the flaw allows faster bcrypt cracking – Ars Technica
• North Korea allegedly hacked popular South Korean word processor – Business Insider
• An “APT” group used a leaked criminal botnet – PC World
• Researcher hacks the sensors on self-driving cars – Techspot
• Major vulnerabilities in Seagate wireless hard drives – The Inquirer
• Health insurer loses 10M member records – Reuters
• Ashley Madison CTO is suing Krebs for claiming he hacked competitor – TechDirt
• John McAfee is running for president!?! WTH! – The Inquirer
  • His video campaign announcement – YouTube
  • More on why McAfee is running for president – Digital Trends
• Spear phishing is a big threat. Train your employees – Ars Technica
• Akamai reports an increase in DDoS from a particular gang – SC Magazine
• CoreBot includes banking crime modules – ZDNet
• GM took five years to fix an Onstar flaw – Business Insider
• Does GHCQ want simple passwords so they can crack them? – The Guardian
• Get your Google Nexus security updates for September – Android Police

— Corey Nachreiner, CISSP (@SecAdept)

Apple Flaws and Cyber Sanctions – WSWiR Episode 163

Are you interested in the latest security news, but have no time to source it yourself? No problem! Let our weekly video summarize the latest for you in ten minutes or less. If you want to watch the video Friday, subscribe to our YouTube channel. Otherwise, we’ll post the weekly episode on the first day of the following week.

This week’s “traveling” episode included a story about US cyber sanctions, two different threats to Apple products, and news of a security breach to Mozilla’s bug tracking system. Watch below, and check out the references for more of last week’s infosec news.

(Episode Runtime: 7:55)

Direct YouTube Link: https://www.youtube.com/watch?v=sJ993RVG48s

EPISODE REFERENCES:

• Monday: Cyber Espionage Sanctions – Daily Security Byte EP.134
  • Article on Obama admin’s rumored cyber sanctions – The Washington Post
  • US considering sanction against Russia as well – Reuters
• Tuesday: iOS KeyRaider – Daily Security Byte EP.135
  • KeyRaider iOS malware targets jailbroken devices – PC World
  • Article on iCloud pirates stealing thousands of accounts – The Register
  • Original researcher blog post on iOS KeyRaider threat – Palo Alto Networks
  • How to tell if you’re a KeyRaider victim – BGR
• Wednesday:
  • N/A
• Thursday: OS X Keychain Broken – Daily Security Byte EP.136
  • Beirut researchers disclose zero day OS X Keychain vulnerability – Engadget
  • Adware caught using the Keychain vulnerability – Ars Technica
  • Attackers may have exploited this a far back as 2011 – Ars Technica
• Friday: Mozilla Hacked – Daily Security Byte EP.137
  • Article about attackers spying on Mozilla bugs – The Register
  • Mozilla’s FAQ on their bugzilla network breach [PDF] – Mozilla

EXTRAS:

• Researcher finds flaws in Siemen’s ICS software – The Register
• Smart phones shipping with malware pre-installed – SC Magazine
• Sony reaches a settlement with employees over hack – CNET
• French hacker pwns road signs – The Register
• How to disable the Win10 “keylogger” – PC World
• Gozi malware author pleads guilty – Ars Technica
• Leaked docs shows how NSA treats 0day – The Register
• Match.com had malicious ads – Tech World
• A new way to remember complex passwords – PC World
• Browsers shunning RC4 – SC Magazine
• My HTTPS interfaces suffer SSL flaw – Ars Technica
  • Original research paper [PDF] – Redhat

— Corey Nachreiner, CISSP (@SecAdept)

Hacking Team Updates and RC4 Insecurity – WSWiR Text Edition

 RC4’s Dead and White House On Security

Last week, I was in the UK attending a WatchGuard Partner conference, and as a result I only shot two videos and skipped my weekly summary. Nonetheless, there was still plenty of interesting information security (infosec) news, which I don’t want you to miss. So to make up for it, let me quickly share three infosec stories I would have covered if I had had more time:

1. Lots of The Hacking Team breach updates: Through the week, we learned a lot more about The Hacking Team organization from the 400GBs of data made public by their network breach. For instance, they had more zero day exploits that first suspected; They leveraged BGP flaws to launch man-in-the-middle attacks, and they worked with both the FBI and DEA to snoop out TOR users. If you’re following this infosec drama, Wikileaks has made all The Hacking Team’s stolen email public. Check out the links below to learn the latest Hacking Team gossip.
2. The White House brags about cybersecurity: Last week, the White House released a CyberSecurity Fact Sheet detailing everything the US government has done this year to improve the nation’s cybersecurity stance. Highlights include creating a new office in charge of the problem, and encouraging the government and private industry to share threat intelligence. Check out the references if you’d like more details.
3. RC4 gets another nail in its coffin: RC4 is a very popular hashing algorithm we’ve used for decades. Unfortunately, over the years it has been proven weak due to many vulnerabilities in this old function. Most security experts already consider RC4 dead, that said, new research [PDF] has proven RC4 even weaker. Without going into the details, this new discovery mean bad guys can break RC4 in days instead of months. If you are using RC4, it’s time to move on.

Those are the stories I missed, but the week included many others. If you are interested in all of them, feel free to peruse the Reference section below. I’ll get back to my regularly scheduled videos this week.

References:

• Hacking Team Updates
  • Wikileaks posts The Hacking Team’s email – Engadget
  • FBI worked with The Hacking Team to snoop on TOR – ZDNet
  • The Hacking Team thinks they are the “good guys” – Engadget
  • The Hacking Team exploits BGP in MitM attacks – Ars Technica
  • Hacking Team sat on three Flash 0days – Computer World
  • Hacking Team breach suspects include ex-employees – Reuters
  • The DEA cancels The Hacking Team contract – Motherboard
  • The FBI also had a The Hacking Team contract – Motherboard
• The White House details its 2015 cybersecurity efforts – IT Pro Portal
  • The actual 2015 cybersecurity Fact Sheet – WhiteHouse.gov
• RC4 was broken, but this is the nail in the coffin – Ars Technica
  • Scientific paper on new RC4 weakness [PDF] – RC4NoMore
• Harvard University got hacked – The Register
• Epic Games forums hacked and credentials stolen – Kotaku
• Hackers target Bitstamp to steal Bitcoin – Business Insider
• POS malware targeting Trump hotels? – Computer World
• TeslaCrypt gaming malware gets worse – Business Insider
• One anonymizing router project disappears, another pops up – Business Insider
• HackNet: An upcoming new game/hacking simulator – Motherboard
• PawnStorm attackers leveraging a patched Java 0day – Trend Micro
• MalwareBytes releases a free Mac version of their software – MalwareBytes
• Facebook execs say kill Flash – ZDNet
• Voat (a site similar to Reddit) hit by DDoS – Business Insider
• Chinese government can shut down citizen’s Internet – The Register
• Apparently Subway makes a pretty secure mobile app – The Register
• White hats score 1M miles with United bug bounty program – CBC
• UCLA Health breach affects 4.5M patients – The Register
• The FBI exploits Drive-by downloads to catch criminals – Motherboard

 

— Corey Nachreiner, CISSP (@SecAdept)

Grounded Airline, Snowden Leak, and Mr. Robot – WSWiR Episode 158

If you’re feeling behind on critical information security news, you’re not alone. There are so many new InfoSec stories each week that only a dedicated few can keep up with the latest. If you need a little help following what’s important, let our weekly security news summary video keep you informed.

Last Friday’s episode covered an 0day Flash flaw, the latest Snowden leak, my review of a cool new infosec related show, and more. Watch the video below for the details, and check out the References section for other stories.

(Episode Runtime: 11:20)

Direct YouTube Link: https://www.youtube.com/watch?v=cvZCDHCc4ec

EPISODE REFERENCES:

• Monday: Hackers Ground Airline – Daily Security Byte EP.101
  • Attackers ground 1400 passengers in Warsaw – Reuters
  • Polish airline delays 10 planes due to cyber attack – Gizmodo
  • The attack against LOT could affect all airlines – Wired
• Tuesday: Spam Spreads 0day Flash Exploit – Daily Security Byte EP.102
  • Adobe releases out-of-cycle Flash update for 0day – Adobe
  • Alleged Chinese threat actors exploiting 0day Flash flaw – Forbes
  • Researchers write-up on Operation Clandestine Wolf – FireEye Blog
  • FireEye’s IoC for APT3 group – Github
• Wednesday: Nation States Spy on AV Vendors – Daily Security Byte EP.103
  • Latest Snowden leak accuses NSA/GCHQ of hacking/reversing AV– The Intercept
• Thursday: Ransomware Costs $18M – Daily Security Byte EP.104
  • Cyber criminal make over $18M from ransomware – Ars Technica
  • FBI’s official warning about ransomware – IC3.gov
• Friday: Mr. Robot Rocks! – Daily Security Byte EP.105
  • USA Network streams pilot of Mr. Robot of free – USA Network
  • Mr. Robot brings security paranoia to the mainstream – Ars Technica
  • Why you need to be watching Mr. Robot – Gizmodo

EXTRAS:

• Great long form article on L0pht – The Washington Post
• Uber collects location data with app is in the background – Ars Technica
• AV-Test audits wearable devices’ security posture – Graham Cluley
• Latest OPM Updates
  • Latest details about the OPM data breach – Ars Technica
  • Alleged analysis of how the OPM hack happened – Threat Connect
  • John McAfee’s thoughts on the OPM breach and AV – IBTimes
  • Richard Clarke has strong feelings on the OPM breach response – CNN
  • OPM attackers got FBI files too – Business Insider
  • OPM director says they are trying hard – Ars Technica
• Make sure you get Chrome’s security updates with auto-update – ThreatPost
• Wireless pita bread device sniffs leaked radio emissions – BBC
• UK Big Brother celeb’s Twitter feed hacked – Naked Security
• Was the first live hack on BBC in 1983? – Motherboard
• New password reset scam social engineers your SMS token – Symantec
• Analysis of ChinaZ, new Chinese Linux malware – MMD Blog
• FBI says crypto ransomware has made criminals over $18M in the US – Ars Technica
• Government log in details found all over the web – Wired
• Android accounts for 97% of mobile malware – The Inquirer
• Blackshades RAT author gets 5yrs in prison – NY Post
• “A Tech Dad’s” tool automatically emails password leak victims – Motherboard
• FUN: Funny skit on North Korea hacking a company – The Next Web
• ESET AV users should patch immediately – The Register
• Emoji passwords probably won’t catch on – Motherboard
• Research find many flaws in Font driver, but already patched – J00ru blog
• Anonymous claims to have leaked credit card info of Canadian officials – Motherboard
• Facebook can identify you without you face – Slate
• Cybercrime has gotten more organized – CSO Online
• Inside the Sony Pictures hack – Fortune
• Facebook’s AI chief on facial recognition – Motherboard
• Java updater still includes crapware – ZDNet
• Lots of government passwords leaked – BGR
• Researcher finds lots of font parsing vulnerabilities – J00ru Blog

— Corey Nachreiner, CISSP (@SecAdept)

Baseball Hacks and Mobile Threats – WSWiR Episode 157

Do you want to know about the latest security threats, but find yourself too busy solving business critical IT problems to keep up to date? Well maybe our videos can help. This weekly video summarizes the most interesting InfoSec news from the week. Or if you prefer, you can catch the shorter dailies.

Last Friday’s episode covered a cracked cloud password vault, an unusual baseball franchise data breach, and a couple threats affecting the most popular mobile platforms. Press play in the window below to learn more.

(Episode Runtime: 9:19)

Direct YouTube Link: https://www.youtube.com/watch?v=n1fnylUcBzk

EPISODE REFERENCES:

• Monday:LastPass Hacked – Daily Security Byte EP.98
  • LastPass, the password vault vendor, had a network breach – The Guardian
  • LastPass’s official announcement on the network breach – LastPass
• Thursday: Baseball Cyber Espionage – Daily Security Byte EP.99
  • Original article about the Astros data breach – NY Times
  • How the baseball attack is similar to nation state attacks – The Washington Post
  • Baseball gets a rude awakening to the age of cyber espionage – Five Thirty Eight
• Friday:Two Mobile Platform Threats – Daily Security Byte EP.100
  • Researcher disclose vulnerabilities to steal iOS and OS X passwords – MacRumors
  • XARA password stealing flaws – ThreatPost
  • What you need to know about XARA – iMore
  • A detailed, layman friendly, description of the XARA flaws – iMore
  • The complete XARA research paper (very technical) [PDF] – Google Drive
  • 600M Samsung mobiles vulnerable to new vulnerability – BGR
  • Samsung promises to fix the flaw – Samsung Tomorrow
  • Many Android apps fail at HTTPS login – Ars Technica

EXTRAS:

• OPM breach allegedly tied to Chinese intelligence – Reuters
• Sites not moving to HTTPS have no excuse – ZDNet
• Reddit defaults to HTTPS – SC Magazine
• A 2015 botnet research report [PDF] – Level 3
• Duqu 2.0 allegedly uses a stolen signature from Foxconn – Ars Technica
• Interesting documentary on Romania’s Hackerville – Motherboard
• Drupal fixes critical OpenID vulnerabilities – The Register
• Anonymous DDoSes Canadian government web sites – NBC
• The Sunday Times claims Snowden leaks docs to Russia: Others disagree – Ars Technica
• Stegoloader hides malicious communications in images – IT Pro Portal

— Corey Nachreiner, CISSP (@SecAdept)

APTs, Updates, and OPM – WSWiR Episode 156

Information Security is a hot topic right now; unfortunately not for all the right reasons. Nowadays, it’s not unusual to have a big data breach, new zero day malware, and a ton of security updates all in the same week. If you’re part of an IT organization that’s concerned with protecting your network, but that doesn’t have time to keep up with the deluge of InfoSec news, this weekly video is for you.

Last week’s episode covered a nasty new variant of point-of-sale (POS) malware, Microsoft and Adobe’s monthly security updates, and a significant network breach of a well-respected security company. If you want to learn about all these stories and more, watch the episode below. Also, take a peek at the Reference section if you are interested in other InfoSec items from the week.

(Episode Runtime: 13:25)

Direct YouTube Link: https://www.youtube.com/watch?v=52reUvOR6FE

Show Note: On some occasions, I will not be able to post the blog update associated with these videos immediately, even though the video is already online. If you’d like to know about the latest video as soon as it’s posted, subscribe to my YouTube channel. Also, if you want email updates for each blog post, don’t forget to subscribe to this blog in the top right corner.

EPISODE REFERENCES:

• Monday: MalumPOS Targets Oracle MICROS – Daily Security Byte EP.93
  • Memory scraping malware targets Oracle POS systems – Network World
  • Trend Micro’s blog post on MalumPOS – Trend Micro
  • In depth white paper on MalumPOS [PDF] – Trend Micro
• Tuesday: US Federal Sites Use HTTPS – Daily Security Byte EP.94
  • US Government makes HTTPS a federal standards – Silicon Republic
  • The HTTPS-Only standard – CIO.gov
• Wednesday: Microsoft Posts Critical Patches – Daily Security Byte EP.95
  • Microsoft’s June Patch Day Summary Bulletin – Microsoft
  • Nice blog write up will all you need for June Patch Day – Ghacks.net
• Thursday: Kaspersky Gets an APT – Daily Security Byte EP.96
  • Kaspersky’s network breached by nation state actors – Kaspersky blog
  • The mystery of Duqu 2.0 – Securelist
  • Duqu 2.0 FAQ [PDF] – Securelist
  • In-depth report on Duqu 2.0 [PDF] – Securelist
  • Duqu 2.0 Indicators of Compromise (IoC) – Securelist
  • Kaspersky’s Forbes editorial on Duqu 2.0 – Forbes
  • P5+1 hotels also affected by Duqu 2 – WSJ
  • Graham Cluley on the Kaspersky hack –  Graham Cluley blog
• Friday: OPM Breach Gets Worse – Daily Security Byte EP.97
  • OPM breach is worse than first realized – The Guardian
  • 14M records stolen during OPM breach – Seattle Times
  • Federal union president says no encryption on OPM SSNs – Tech Dirt
  • Cyber criminal claims credit for OPM breach and drops emails – Motherboard
  • Good article on how using PII for authentication is bad – Network World

EXTRAS:

• Research hacks hospital drug pumps – Wired
• Hackers target SMBs too – NY Times
• 80% of firms have been breached – Phys.org
• WordPress spread Linux bot is still out there – The Register
  • More detailed article on Mumblehard – Ars Technica
• Adware spreading through Skype – Betanews
• US Energy sector worried about power grid attacks – Scientific America
• Australian web provider hit by database attack – Reuters
• FreeParking hit by DDoS – The Register
• SEA defaces US Army web site – Raw Story
• DDoS attacks used in Bitcoin extortion – The Register
• Changing passwords is not enough after a breach, replace certs – Computer World
• AUSCert speaker talks about how SDN helps security – The Register
• Some good news. Cyber crime arrests in Europe – Reuters
• Tech industry asks US gov. not to weaken encryption – The Guardian
• FBI seizes computers related to celebrity photo hack – The Guardian
• Powerliks; the fileless trojan – ZDNet
• Ransomware and CTB Locker blow up – Business Insider
• NK threatens US with cyber attacks – Computer World
• Nearly all UK orgs have been breached –  Computer Weekly
• Wikipedia added to list of sites defaulting to HTTPS – Tech Crunch
• IE adds HTTPS Strict Transport Security – The Register

— Corey Nachreiner, CISSP (@SecAdept)