Defecting Chinese, IoT Smartwatch, and Malicious SDKs – PSW #629


Netflix: BPF is a new type of software we use to run Linux apps securely in the kernel, Automated security tests with OWASP ZAP, HackerOne Breach Leads to $20,000 Bounty Reward, US-CERT AA19-339A: Dridex Malware , and much more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page

Defecting Chinese, IoT Smartwatch, and Malicious SDKs

Paul’s Stories

  1. Netflix: BPF is a new type of software we use to run Linux apps securely in the kernel | ZDNet
  2. Automated security tests with OWASP ZAP
  3. HackerOne Breach Leads to $20,000 Bounty Reward
  4. OpenBSD patches authentication bypass, privilege escalation vulnerabilities | ZDNet
  5. HackerOne breach lets outside hacker read customers’ private bug reports – Oops: the HackerOne analyst sent the community member parts of a cURL command that mistakenly included a valid session cookie that gave anyone with possession of it the ability to read and partially modify data the analyst had access to. One must be careful when sharing information with a bunch of hackers.
  6. Hackers Find Ways Around a Years-Old Microsoft Outlook Fix – “We’ve been using Outlook Home Page attacks for several years in our red team engagements,” says Dave Kennedy, TrustedSec’s founder and CEO. “Our goal is to use real-world attacks and adversary capabilities against our customers, and Home Page attacks largely go unnoticed in almost every organization. When you have a Microsoft Office product making modifications to the Office Registry, it’s very difficult for defenders to pick up on because it looks legitimate.”
  7. Two malicious Python libraries caught stealing SSH and GPG keys | ZDNet
  8. Mystery Server Found to Host Private Data in the Open for 1.2…
  9. Palo Alto Networks Employee Data Breach Highlights Risks Posed by Third Party Vendors – 3rd party risk management companies are loving this: After all, it wasn’t their company which leaked the data and placed it on the internet. Instead, it was an external company, contracted to provide a service to Palo Alto Networks, which was careless with the sensitive information.
  10. Hacking robotic vehicles is easier than you might think – Help Net Security
  11. If You Bought a Smart TV on Black Friday, the FBI Has a Warning for You – Huh? Backdoor through my router? “Beyond the risk that your TV manufacturer and app developers may be listening and watching you, that television can also be a gateway for hackers to come into your home. A bad cyber actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router.” – An attacker still needs a way to get software on the TV to spy on you: maybe it’s a backdoor in an app that is installed on the TV, perhaps a backdoor in the firmware, maybe intercepting domains the TVs use to call out to apply updates or get other data. Suggesting that we put tape over the cameras is just silly. How about we address the actual security vulnerabilities, rather than send people into a panic and have them do things that don’t really fix the problem?
  12. New crypto-cracking record reached, with less help than usual from Moore’s Law
  13. Inside Mastercard’s Push for Continuous Security | SecurityWeek.Com
  14. Screw Productivity Hacks: My Morning Routine Is Getting up Late

Larry’s Stories

  1. Injecting traffic into tunneled VPNs
  2. Auth bypass and privesc on OpenBSD
  3. CobaltStrike 4.0 released
  4. Disney+ “hacked”

Lee’s Stories

  1. US-CERT AA19-339A: Dridex Malware – Consolidation of IOCs, information and recommendations about Dridex Malware – very useful reference.
  2. CyrusOne data centers infected by REvil (Sodinokibi) ransomware – New York area Managed Service Providers have outages due to encrypted devices. Co-location centers not impacted.
  3. Defecting Chinese Spy offers information trove to AU Government – Interesting release of data and confirmation of TTPs from defector Wang “William” Liqiang.
  4. Twitter, Facebook user data improperly accessed via malicious SDKs – Data aggregators leverage SDKs on Android to access additional user data. Use caution with application permissions granted.
  5. IoT Smartwatch exposes Kid’s persona, GPS data – Shenzhen SMA M2 Smartwatch can be exploited to listen in on conversations, GPS data and other PII.
  6. Smash-and-grab car thieves use Bluetooth to target cars containing tech gadgets – Emissions indicate the presence of laptops, tablets, smartphones. Don’t leave devices in vehicles in sleep mode.
  7. Church’s Chicken Restaurants hit by Payment Card Breach – Breach only impacted company-owned restaurants, not franchised locations.
  8. Vistaprint left customer service database unprotected – Calls, Chats, Emails exposed. The database is now offline, but the data it contained included sensitive data.

Tyler’s Stories

  1. Ransomware attack hits major US data center provider
  2. UK Government Releases Photos of Russian Hackers, Whose Lives Look Awesome
  3. Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

Hosts

Joff Thyer – Security Analyst
Larry Pesce – Senior Managing Consultant and Director of Research
Lee Neely – Senior Cyber Analyst
Paul Asadoorian – Founder & CTO
Tyler Robinson – Managing Director of Network Operations

Announcements

  • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will receive 1 CPE credit per webcast! Register for one of our upcoming webcasts with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand