Ransomware Exploits Flash 0day – Daily Security Byte EP. 244

Next week is Microsoft and Adobe’s Patch Day. However, on Thursday Adobe released an emergency security advisory to fix a zero day Flash vulnerability. Watch the episode below to learn why you should get this update to avoid drive-by download attacks pushing ransomware.

(Episode Runtime: 1:44)

Direct YouTube Link: https://www.youtube.com/watch?v=F2MKTU9ZIO4

EPISODE REFERENCES:

• Emergency Adobe Flash Security Advisory and update – Abode
• Ransomware using Flash 0day in drive-by download – Reuters

— Corey Nachreiner, CISSP (@SecAdept)

Badlock – Daily Security Byte EP. 242

Last week, a researcher mysteriously warned the world about an upcoming critical SMB flaw, without sharing any technical details. The warning says the flaw is bad enough that network administrators will want to prepare for it, so they know what to patch immediately. Watch below to learn what little we know about this flaw, and how the security community has reacted to the early warning.

(Episode Runtime: 3:37)

Direct YouTube Link: https://www.youtube.com/watch?v=HnpMNsprYlU

EPISODE REFERENCES:

• Early warning about a new Samba and Windows vulnerability – Badlock
• Some criticize the Badlock warning – Wired
• Getting ready for Badlock – ISC SANS
• The latest rumors about Badlock – ThreatPost

— Corey Nachreiner, CISSP (@SecAdept)

Flash 0day & Patches – Daily Security Byte EP. 229

Frankly, I’m a bit sick of talking about patches and security updates after focusing on them for the last two days. However, so many important security updates got released today that I have to cover them for a third day in a row. If you use Adobe Flash, Microsoft products, Firefox, or a Cisco cable modem, watch today’s video to learn about these important patches, including one that fixes a zero day flaw.

Show Note: Please excuse the irritating audio pops. I have since replaced the defective mic.

(Episode Runtime: 2:37)

Direct YouTube Link: https://www.youtube.com/watch?v=6LDgnICKE-Y

EPISODE REFERENCES:

• Adobe’s out of cycle Flash update – Adobe
  • Adobe’s emergency update fixes 0day flaw – Ars Technica
• Microsoft’s out of cycle Flash bulletin – Microsoft
• Firefox 45 fixes 40 vulnerabilities – ZDNet
• Cisco fixes critical flaw in cable modem – CSO Online

— Corey Nachreiner, CISSP (@SecAdept)

Joomla Attack in Wild – Daily Security Byte EP. 192

If you use Joomla to manage content on your website, you’re going to want to patch immediately. Today’s daily video covers a new zero day flaw in the open source content management system (CMS) that attackers are actively exploiting in the wild.

(Episode Runtime: 1:42)

Direct YouTube Link: https://www.youtube.com/watch?v=oLcHEBQb274

EPISODE REFERENCES:

• Article on Joomla new vulnerability – Ars Technica
• Blog post about Joomla zero day exploit in the wild – Securi
• Joomla’s advisory about the 0day flaw – Joomla
• Joomla’s software update – Joomla

— Corey Nachreiner, CISSP (@SecAdept)

Android Chrome 0day – Daily Security Byte EP. 176

Last week, a Chinese security research disclosed a new zero day Android vulnerability at PacSec’s Pwn2Own competition. Watch today’s video to learn a little more about this flaw, and what to do about it until it’s patched.

(Episode Runtime: 2:13)

Direct YouTube Link: https://www.youtube.com/watch?v=GzE9VpfhkaE

EPISODE REFERENCES:

• Researcher discloses Android Chrome zero day vulnerability at PacSec Pwn2Own – Security Affairs
• One shot Android exploit demonstrated at Pwn2Own – The Register
• Japan’s PacSec Security conference – PacSec

— Corey Nachreiner, CISSP (@SecAdept)

vBulletin Breach and 0day – Daily Security Byte EP. 171

The creators of vBulletin are having a bad week. Not only did they have a data breach that resulted in around 400,00 stolen user records, but it sounds like the attacker leveraged a zero day vulnerability in their own software to compromise their network. Watch today’s Daily Byte to learn more about this story, and what you should do if you use vBulletin software.

(Episode Runtime: 2:10)

Direct YouTube Link: https://www.youtube.com/watch?v=5XIwY4seah0

EPISODE REFERENCES:

• vBulletin’s site and forum software hacked – Ars Technica
• vBulletin asks users to reset password – vBulletin
• vBulletin released patch for forum software – vBulletin
• Researcher discloses his vBulletin RCE vuln – Twitter
  • His actual Pastie disclosure – Pastie
• Hacker claims responsibility for breach – The Admin Zone
• Coldzer0 attempts to sell vBulletin 0day – oday.today
• Video demonstrating the vBulletin exploit –  YouTube

— Corey Nachreiner, CISSP (@SecAdept)

Patches, Drone Hacks, and Evil USB – WSWiR Episode 166

Did you miss last week’s security news since you were too busy keeping your network running? If so, you’re not alone. However, staying up to date with the latest threats is important, so let our short weekly security summary keep you informed. If you don’t have time to follow our daily security videos, I summarize them in this video every Monday.

Today’s episode includes a root vulnerability in popular consumer routers, a zero day Adobe Flash issue, and drone hacking. If that’s not enough, you should watch just to learn about last week’s Microsoft and Adobe patches. Watch the video for the details, and check the References section for links to other security stories from the past few weeks.

(Episode Runtime: 10:56)

Direct YouTube Link: https://www.youtube.com/watch?v=77R3I5fw9Ao

EPISODE REFERENCES:

• Monday: 0day Root Netgear Flaw – Daily Security Byte EP.156
  • Attackers starting to exploit 0day Netgear router flaws – ISPreview
  • Blog post on 0day Netgear authentication bypass flaw – Shellshock Labs
  • Blog post on 0day Netgear command injection flaw – Shellshock Labs
  • Full Disclosure post on Netgear vulnerabilities – Full Disclosure
• Tuesday: Patch Day Improves Browser Security – Daily Security Byte EP.157
  • Summary post for October’s Microsoft Patch Day – Microsoft
    • October’s Internet Explorer update – Microsoft
    • October’s Edge update – Microsoft
    • October’s Windows Jscript/VBscript update – Microsoft
    • October’s Windows Shell update – Microsoft
    • October’s Office update – Microsoft
    • October’s Windows Kernel update – Microsoft
  • Don’t forget to check out Microsoft’s new security advisories – Microsoft
  • Latest security update for Adobe Flash – Adobe
• Wednesday: Computer Frying USB Stick – Daily Security Byte EP.158
  • Researcher creates malicious USB key that fries devices (Russian) – Habrahabr
  • Original USB Killer idea – Habrahabr
  • Video of USB Killer 2.0 in action – YouTube
  • English article about USB Killer 2.0 – Graham Cluley
  • Reddit post discussion the video – Reddit
• Thursday: Flash 0day Surfaces – Daily Security Byte EP.159
  • Researchers find Pawn Storm using a new Flash flaw – Trend Micro
  • Adobe’s security bulletin on the new Flash flaw – Adobe
  • The fix for this 0day Flash issue – Adobe
• Friday: Drone Hacking – Daily Security Byte EP. 160
  • Researcher post about a MAVLink vulnerability – Shellntel
  • Video showing the Shellntel researchers’ attack – YouTube
  • Reddit discusses a multicopter attack – Reddit
  • Exploiting drones with MAVLink – Hackaday

EXTRAS:

• Obama says no to encryption backdoors, but Fed has other ways in – Wired
• Silly Chrome extension allows a “friend” to force sites on your browser – Wired
• Zhone routers, used by an unnamed ISP, are full of vulnerabilities – The Register
• Dow Jones hacked, 3500 records stolen – Slashgear
• Swatter sentenced to 1yr community service – FoxCT
• Hacking costs US firms $15M a year – CNN
• Journalist found guilty of helping Anonymous deface the Times – Motherboard
• Attackers tried to hack Clinton’s email server – Seattle Times
• Uber suspects they were hacked by Lyft – Business Insider
• Paper on a malware free “insider” attack [PDF] – Crowd Strike
• US authorities out Chinese companies that allegedly benefit from IP theft – Financial Times
• US-CERT warns about a resurgence in Dridex banking malware – US-CERT
• Microsoft plugs a XSRF hole in Outlook.com – The Register
• The Wall Street Journal’s database hacked – Engadget
• Researcher rewarded for temporarily taking over Google.com – BBC
  • His Linkedin post describing how he did it – Linkedin
• “Weev” threatens prosecutors with Doxing – Motherboard
• Attackers exploit old Cisco SSL VPN flaw to install backdoor – Volexity
• Researcher finds vulnerabilities in Huawei 4G USB modems – The Register
• LoopPay hacked. Samsung Pay not affected – Digital Trends
• Kemoge: Yet another Android malware variant – Ars Technica
• A botnet that can generate “fake” listens on Spotify – Motherboard
• Malaysian student arrested for hacking for ISIS – The Register
  • And he was very careless – Motherboard
• New Siri hack isn’t that big a real world threat – Wired
• Bit9 says OS X malware is exploding – Document Cloud
• Mandiant fights a very sophisticated threat actor – The Register
• UK bank plugs a pretty big security hole – The Register
• TPP could hurt security research – Slate
• Daily Mail affected by Angler kit malvertising – The Register
• Hackers steal 150K credit card records from casino – The Register
• FBI take down Dridex – ZDNet
• Yahoo offers password free sign-in – Engadget
• NSA leveraging flaw to crack crypto – Threatpost
• The value of stolen data by type – Dark Reading
• Older posts from the week before
  • Biometric authentication has issues too – Forbes
  • Saudi Arabia allegedly wanted to buy The Hacking Team – The Register
  • Surprise, Surprise! A pirate site serves malware – The Register
  • Hilton still researching if they’ve been hacked or not – The Inquirer
  • Nice article on new Windows 10 security features – Expert Reviews
  • Researcher finds holes in Dendroid Android exploit kit – The Register
  • Researcher finds vulnerabilities in Starbucks servers – Fouad’s Blog
  • PoC allows you to steal other’s keys in Amazon EC2 – Ars Technica
  • Political propaganda spread via Twitter botnet – Motherboard
  • Video blog on whether or not China is hacking the US – Network World
  • Elevation of privilege flaws patched in TrueCrypt – Threatpost
  • Apple fixes last week’s iOS lock screen bypass issue – Apple
  • New report confirms ICS under attack & supply chain a weakness – Network World
  • Researchers find iOS pwning vulnerability in 3rd party app – SC Magazine
  • Security vulnerability puts nail in TrueCrypt’s legacy coffin – ZDNet
  • Kaspersky update on the Gaza cybergang hacktivists – Securelist
  • A Linux botnet capable of 150Gb DDoS attacks – Akamai
  • New study shows the danger in patching late – Kenna Security

— Corey Nachreiner, CISSP (@SecAdept)

Flash 0day Surfaces – Daily Security Byte EP.159

Adobe just released a new Flash update Tuesday, but researchers have already found sophisticated threat actors leveraging a new zero day Flash exploit in the wild. Trend Micro, one of our security partners, found the Pawn Storm attackers leveraging this new Flash exploit. Watch today’s video to learn when the next patch will come out, and what to do in the meantime.

UPDATE: Adobe actually sped up their schedule to release a fix. Go get it now.

(Episode Runtime: 1:27)

Direct YouTube Link: https://www.youtube.com/watch?v=_HFC6VFBdu0

EPISODE REFERENCES:

• Researchers find Pawn Storm using a new Flash flaw – Trend Micro
• Adobe’s security bulletin on the new Flash flaw – Adobe
• The fix for this 0day Flash issue – Adobe

— Corey Nachreiner, CISSP (@SecAdept)

0day Root Netgear Flaw – Daily Security Byte EP.156

If you use a Netgear router, you’ll want to disable remote administration. In today’s video, I talk about two zero day vulnerabilities the Shellshock Labs found in a line of popular Netgear broadband routers. In a nutshell, if an attacker can access the administrative web page, she can gain complete control of your router. Press play to learn more about these flaws, and what you can do until Netgear patches.

(Episode Runtime: 2:01)

Direct YouTube Link: https://www.youtube.com/watch?v=DPbRUoWqYvg

EPISODE REFERENCES:

• Attackers starting to exploit 0day Netgear router flaws – ISPreview
• Blog post on 0day Netgear authentication bypass flaw – Shellshock Labs
• Blog post on 0day Netgear command injection flaw – Shellshock Labs
• Full Disclosure post on Netgear vulnerabilities – Full Disclosure

— Corey Nachreiner, CISSP (@SecAdept)

Apple Flaws and Cyber Sanctions – WSWiR Episode 163

Are you interested in the latest security news, but have no time to source it yourself? No problem! Let our weekly video summarize the latest for you in ten minutes or less. If you want to watch the video Friday, subscribe to our YouTube channel. Otherwise, we’ll post the weekly episode on the first day of the following week.

This week’s “traveling” episode included a story about US cyber sanctions, two different threats to Apple products, and news of a security breach to Mozilla’s bug tracking system. Watch below, and check out the references for more of last week’s infosec news.

(Episode Runtime: 7:55)

Direct YouTube Link: https://www.youtube.com/watch?v=sJ993RVG48s

EPISODE REFERENCES:

• Monday: Cyber Espionage Sanctions – Daily Security Byte EP.134
  • Article on Obama admin’s rumored cyber sanctions – The Washington Post
  • US considering sanction against Russia as well – Reuters
• Tuesday: iOS KeyRaider – Daily Security Byte EP.135
  • KeyRaider iOS malware targets jailbroken devices – PC World
  • Article on iCloud pirates stealing thousands of accounts – The Register
  • Original researcher blog post on iOS KeyRaider threat – Palo Alto Networks
  • How to tell if you’re a KeyRaider victim – BGR
• Wednesday:
  • N/A
• Thursday: OS X Keychain Broken – Daily Security Byte EP.136
  • Beirut researchers disclose zero day OS X Keychain vulnerability – Engadget
  • Adware caught using the Keychain vulnerability – Ars Technica
  • Attackers may have exploited this a far back as 2011 – Ars Technica
• Friday: Mozilla Hacked – Daily Security Byte EP.137
  • Article about attackers spying on Mozilla bugs – The Register
  • Mozilla’s FAQ on their bugzilla network breach [PDF] – Mozilla

EXTRAS:

• Researcher finds flaws in Siemen’s ICS software – The Register
• Smart phones shipping with malware pre-installed – SC Magazine
• Sony reaches a settlement with employees over hack – CNET
• French hacker pwns road signs – The Register
• How to disable the Win10 “keylogger” – PC World
• Gozi malware author pleads guilty – Ars Technica
• Leaked docs shows how NSA treats 0day – The Register
• Match.com had malicious ads – Tech World
• A new way to remember complex passwords – PC World
• Browsers shunning RC4 – SC Magazine
• My HTTPS interfaces suffer SSL flaw – Ars Technica
  • Original research paper [PDF] – Redhat

— Corey Nachreiner, CISSP (@SecAdept)