October 8, 2019 – HNN #237



This week, Signal rushes to patch serious eavesdropping vulnerability, Wi-Fi signal let researchers ID people through walls from their gait, the FBI warns about attacks that bypass MFA, Vulnerable Twitter API leaves tens of thousands of iOS apps open to attacks, and D-Link home routers open to remote takeover will remain unpatched! In the expert commentary, we welcome Justin Elze from TrustedSec, to talk about Red Teaming and Adversary Emulation!

To learn more about TrustedSec, visit: https://securityweekly.com/trustedsec

Visit https://www.securityweekly.com/hnn for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page

October 8, 2019

Security News[edit]

  1. LambdaGuard AWS Lambda Serverless Security Scanner – Really neat tool! LambdaGuard is an AWS Lambda auditing tool designed to create asset visibility and provide actionable results. It provides a meaningful overview in terms of statistical analysis, AWS service dependencies and configuration checks from the security perspective…the lambda serverless security scanner can scan for and find such as: Poorly defined policies (Unrestricted Actions, Unrestricted Principal, Undefined Conditions), Public S3 buckets, Public SQS queues, Public API Gateway
  2. Signal Rushes to Patch Serious Eavesdropping Vulnerability | SecurityWeek.Com – The vulnerability can be exploited by using a specially crafted Signal client. The client initiates an audio call to the targeted user, and once it starts ringing, the attacker presses the audio mute button on their end, which forces the called device to answer the call. Silvanovich noted in her bug report that the attacker cannot force the application to answer a video call. After details of the bug were made public, Signal’s creator, Moxie Marlinspike, noted on Twitter that the exploit does not allow an attacker to silently enable the targeted device’s microphone — the victim would see on the screen that there is an ongoing call, and the call is logged in Signal’s list of conversations.
  3. Cisco closes high-impact vulnerabilities in its security offerings – Help Net Security – The vulnerabilities affect Cisco ASA (Adaptive Security Appliance) Software, Cisco FTD (Firepower Threat Defense Software) and Cisco FMC (Firepower Management Center) Software. While DoS flaws might generally not be that big of a deal, these newly patched ones all affect Cisco’s Adaptive Security Appliance, giving attackers many avenues to temporarily put them out of commission, i.e. opening enterprise networks to threats they protect them against. The remote code execution and SQL injection flaws affecting the Cisco Firepower Management Center (the nerve center for managing Cisco network security solutions) have been awarded the highest CVSS Base Score.
  4. Wi-Fi signals let researchers ID people through walls from their gait – Similar research has been presented before, from MIT in 2015 and almost a year ago from a team at University of California Santa Barbara. The UC Santa Barbara researchers are at it again, this time with a new technique: The methodology and experimental results from Mostofi’s team, which will be presented at the 25th International Conference on Mobile Computing and Networking (MobiCom) on 22 October, show that Wi-Fi signals can be used to detect the gait of people through walls and to then match it to previously captured video footage in order to identify individuals. They did this using off-the-shelf WiFi gear and without prior footage or WiFi mapping of an individual.
  5. FBI warns about attacks that bypass multi-factor authentication (MFA) | ZDNet – To get the point across, the FBI listed recent incidents where hackers had used these techniques to bypass MFA and steal money from companies and regular users alike. such as this short story: In 2019 a US banking institution was targeted by a cyber attacker who was able to take advantage of a flaw in the bank’s website to circumvent the two-factor authentication implemented to protect accounts. The cyber attacker logged in with stolen victim credentials and, when reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, the attacker entered a manipulated string into the Web URL setting the computer as one recognized on the account. This allowed him to bypass the PIN and security question pages and initiate wire transfers from the victims’ accounts.
  6. Vulnerable Twitter API Leaves Tens of Thousands of iOS Apps Open to Attacks – Make sure your Twitter App is up-to-date: According to researchers with Germany-based Fraunhofer SIT, the culprit is a flawed TwitterKit library that was replaced by Twitter about a year ago. However, a review of the 2,000 most popular German iOS mobile apps revealed that the bad code is still being in use by 45 applications and impacting millions of German users. Worldwide the number of apps running the buggy Twitter Kit framework could be closer to tens of thousands, researchers said. The flaw, tracked as CVE-2019-16263, is described as a bug in “the Twitter Kit framework through 3.4.2 for iOS does not properly validate the api.twitter.com SSL certificate. Although the certificate chain must contain one of a set of pinned certificates, there are certain implementation errors such as a lack of hostname verification.”
  7. Top enterprise VPN vulnerabilities – Warning: VPN client vulnerabilities are posing risk to organizations, so much so DHS is uring us to patch them: The Cybersecurity and Infrastructure Security Agency (CISA) is aware of vulnerabilities affecting multiple Virtual Private Network (VPN) applications. A remote attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages administrators to review the following security advisories and apply the necessary updates: Palo Alto Security Advisory PAN-SA-2019-0020 FortiGuard Security Advisory FG-IR-18-384 Pulse Secure Security Advisory SA44101
  8. D-Link Home Routers Open to Remote Takeover Will Remain Unpatched – D-Link won’t patch a critical unauthenticated command-injection vulnerability in its routers that could allow an attacker to remotely take over the devices and execute code. The vulnerability (CVE-2019-16920) exists in the latest firmware for the DIR-655, DIR-866L, DIR-652 and DHP-1565 products, which are Wi-Fi routers for the home market. D-Link last week told Fortinet’s FortiGuard Labs, which first discovered the issue in September, that all four of them are end-of-life and no longer sold or supported by the vendor (however, the models are still available as new via third-party sellers). The root cause of the vulnerability, according to Fortinet, is a lack of a sanity check for arbitrary commands that are executed by the native command-execution function.
  9. Google Patches Remote Code Execution Bugs in Android 10 | SecurityWeek.Com – Google’s October 2019 set of security patches for Android address a total of 26 vulnerabilities in the operating system, including a couple of remote code execution bugs impacting Android 10. The most important of these vulnerabilities are three remote code execution flaws in the Media framework (CVE-2019-2184, CVE-2019-2185, and CVE-2019-2186), all three rated Critical on Android 7.1.1, 7.1.2, 8.0, 8.1, and 9. “The most severe of these issues is a critical security vulnerability in the Media framework component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.


Paul Asadoorian
Paul Asadoorian – Founder & CTO


Justin Elze
Justin Elze – Adversary Emulation and Threat Research Practice Lead


  • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will be receiving 1 CPE credit per webcast! Register for one of our upcoming webcast with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand