iOS, Equifax Is Back, & phpMyAdmin CSRF Zero-Day – PSW #620

In the Security News: how an iOS 13 flaw could provide access to contacts without a passcode, Equifax demands more information before making payouts, confidential data of 24.3 million patients was discovered online, and a SIM flaw lets hackers hijack any phone by sending an SMS!

Visit https://www.securityweekly.com/psw for all the latest episodes!


iOS, Equifax Is Back, & phpMyAdmin CSRF Zero-Day

Larry’s Stories

  1. Update on the Coalfire pentesters…
  2. WeWork WiFi – Documents sent on WeWork’s unsecured network included financial records, bank account credentials and a cat photo of Nicolas Cage. Play stupid games, win stupid prizes.
  3. Github Acquires Semmle – does that mean we now get free code audits?
  4. Snowden sued for his memoir – because he did not submit it to the publications office first…
  5. MITRE updates the top CWE 25

Lee’s Stories

  1. iOS 13 Flaw Could Provide Access to Contacts without Passcode – iOS 13 flaw discovered in the beta product. Likely fixed in iOS 13.1, scheduled for release September 20.
  2. Entercom Radio Network Deals with Ransomware-Like Incident – Malware infection stemming from the programming department has spread. Internal memo released prohibiting external discussion of the issue.
  3. SIM Flaw Lets Hackers Hijack Any Phone by Sending SMS – Exploits a vulnerability in the S@T Browser to obtain location and IMEI information. The fix will require updated (replacement) SIM cards.
  4. Equifax Demands More Information Before Making Payouts – While the Equifax settlement is out there, those signed up for payments are being asked more questions before payment is agreed to…
  5. LastPass Fixes Password-Leaking Flaw – The LastPass browser plugin could expose credentials when used with Opera or Chrome. Update to 4.33.0 to resolve the problem.
  6. Cyber Fraud Hits Superannuation – As much as $10M AUD was stolen by a fraud and ID theft syndicate. Stolen funds were laundered through cryptocurrency and untraceable assets back to Australia.
  7. phpMyAdmin CSRF Zero-Day – CVE-2019-12922, a CSRF vulnerability in phpMyAdmin, can be used to delete any server configured through the setup panel. User interaction is required to exploit it. Not patched yet.
  8. Confidential Data of 24.3 Million Patients Discovered Online – 590 of 2,300 medical imaging systems analyzed worldwide were found to be insecure, revealing X-rays, CT scans, MRI scans, etc., plus full names, DOB, exam dates and associated data. 39 servers had neither access control nor HTTPS access.
  9. CFPB Probes Fake Credit Card Accounts at Bank of America – BofA accused of opening accounts without user consent, reminiscent of Wells Fargo. BofA also not collecting a signature of intent for account openings.
  10. Google Calendars Possibly Leaking Private Information Online – Shared Google Calendars are indexed by Google's search engine, and the links to the indexed content are public. Accessing the link can be used to read/update the corresponding calendar. Review your calendar sharing settings.
  11. CookieMiner Malware Targets Mac, Steals Passwords and SMS Messages, Mines for Cryptocurrency – Hunts for files containing passwords, web auth tokens and private keys for cryptocurrency wallets. Mines Koto, the Zcash-based cryptocurrency associated with Japan.
  12. New Report: AI Can't Offer Protection from 'Deepfakes' – Beware of quick fixes; true detection is a complex problem, requiring social and technical fixes as well as detection capabilities.

Hosts

Joff Thyer – Security Analyst
Larry Pesce – Senior Managing Consultant and Director of Research
Lee Neely – Senior Cyber Analyst
Paul Asadoorian – Founder & CTO

Announcements

  • We have exciting news about the Security Weekly webcast program: we are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will receive 1 CPE credit per webcast. Register for one of our upcoming webcasts with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand.
  • Security Weekly will be at Hacker Halted in Atlanta, GA this October 10th-11th! EC-Council is offering our listeners a $100 discount to attend the two-day conference. Use discount code HH19SW when you register, or go to securityweekly.com/hackerhalted and register there! Make sure you check out the keynote (Paul Asadoorian) and Mr. Jeff Man's talk as well!