Passwords, Splunk, & Nest Microphones – Paul’s Security Weekly #595

In the Security News, password managers leaking data in memory, security analysts are only human, Splunk changes position on Russian customers, Google admits error over hidden microphone, and a nasty code-execution bug in WinRAR threatened millions of users for 14 years!

Paul’s Stories

  1. Password managers leaking data in memory, but you should still use one – Clearly, if passwords – especially master passwords – are hanging around in memory when the application is locked, this raises the possibility that malware could steal this data after infecting a computer. Two-factor FTW, use it on your password managers.
  2. Security Analysts Are Only Human – SOC security analysts shoulder the largest cybersecurity burden. Automation is the way to circumvent the unavoidable human factor. Third in a six-part series.
  3. Drupal Releases Security Updates | US-CERT – To immediately mitigate the vulnerability, you can disable all web services modules, or configure your web server(s) to not allow PUT/PATCH/POST requests to web services resources. Note that web services resources may be available on multiple paths depending on the configuration of your server(s). For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the “q” query argument. For Drupal 8, paths may still function when prefixed with index.php/.
  4. New Free Tool Scans for Chrome Extension Safety – The CRXcavator scans a set of factors including permissions, external calls, third-party libraries, content security, and metadata to give security and IT staff insight into the safety of the browsers on their companies’ computers. According to the blog post announcing the tool’s availability, Duo researchers scanned 120,463 extensions and apps in January and found that many developers have used poor programming practices in their software. For example, 38,289 extensions “… used third-party libraries that contain publicly known vulnerabilities,” wrote the researchers.
  5. Why Cybersecurity Burnout Is Real (and What to Do About It) – The constant stresses from advanced malware to zero-day vulnerabilities can easily turn into employee overload with potentially dangerous consequences. Here’s how to turn down the pressure.
  6. No One is Safe: the Five Most Popular Social Engineering Attacks Against Your Company’s Wi-Fi Network – Security Boulevard – Make sure your network users understand the risk of connecting to open access points and are well aware of the techniques mentioned. Running simulations of the above attacks is also recommended. I believe Pwnie Express has a great solution for this.
  7. Jenkins – Remote Code Execution
  8. Kerberoasting Revisited
  9. Experts found a Remote Code Execution flaw in WordPress 5.0.0 – The experts discovered that the flaw could be exploited by an attacker who gains access to an account with at least ‘author’ privileges on a WordPress install to execute arbitrary PHP code on the underlying server.
  10. GitHub bug bounty: Microsoft ramps up payouts to $30,000-plus | ZDNet
  11. Nasty code-execution bug in WinRAR threatened millions of users for 14 years – The vulnerability was the result of an absolute path traversal flaw that resided in UNACEV2.DLL, a third-party code library that hasn’t been updated since 2005. The traversal made it possible for archive files to extract to a folder of the archive creator’s choosing rather than the folder chosen by the person using the program. Because the third-party library doesn’t make use of exploit mitigations such as address space layout randomization, there was little preventing exploits.
  12. Google admits error over hidden microphone – In response to criticism, Google said on Tuesday: “The on-device microphone was never intended to be a secret and should have been listed in the tech specs. That was an error on our part.” It added: “The microphone has never been on and is only activated when users specifically enable the option. “Security systems often use microphones to provide features that rely on sound sensing. We included the mic on the device so that we can potentially offer additional features to our users in the future, such as the ability to detect broken glass.” – Turn off features you are not using!
  13. Researcher: Not Hard for a Hacker to Capsize a Ship at Sea – Once the hacker is able to reach the control systems, it would for instance be possible to replay the Hoegh Osaka incident, where a car carrier’s ballast tanks weren’t properly filled, which resulted in the ship developing a heavy list during a tight turn out of the port. It narrowly avoided capsize, thanks only to a favorable wind blowing.
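
The Drupal advisory quoted in story 3 is a web-server rule rather than code, but its caveat about resources being reachable on several paths is exactly where a hurried rule goes wrong. The following is an added example, not Drupal’s or US-CERT’s code: it models the “block PUT/PATCH/POST to web services resources” rule and contrasts a literal path-prefix match with one that first reduces the request to the Drupal-internal path, covering the clean URL, the Drupal 7 `?q=` argument and the Drupal 8 `index.php/` prefix. The resource prefixes are illustrative assumptions; take the real list from the REST and web services modules enabled on your own site.

```python
# Added example, not from Drupal or the advisory: model the advisory's
# "block PUT/PATCH/POST to web services resources" rule and show why the
# request path must be normalised before matching.
import re
from urllib.parse import parse_qs, unquote, urlsplit

BLOCKED_METHODS = {"PUT", "PATCH", "POST"}

# ASSUMPTION: illustrative resource path prefixes. Take the real list from
# the REST / web services modules enabled on your own site.
RESOURCE_PREFIXES = ("node", "entity", "jsonapi")


def drupal_internal_path(url: str) -> str:
    """Reduce a request URL to the Drupal-internal path it routes to.

    Covers the three forms the advisory warns about: clean URLs, the
    Drupal 7 ``?q=`` query argument, and the Drupal 8 ``index.php/`` prefix.
    Percent-encoding and repeated slashes are collapsed so an encoded
    ``%6Eode`` or ``//node`` cannot slip past a literal prefix match.
    """
    parts = urlsplit(url)
    path = re.sub(r"/+", "/", unquote(parts.path)).lstrip("/")
    if path.startswith("index.php/"):
        path = path[len("index.php/"):]
    elif path in ("", "index.php"):
        # parse_qs already percent-decodes the value.
        q = parse_qs(parts.query).get("q", [""])[0]
        path = re.sub(r"/+", "/", q).lstrip("/")
    return path.rstrip("/")


def is_blocked(method: str, url: str) -> bool:
    """True when the request should be refused under the advisory's rule."""
    if method.upper() not in BLOCKED_METHODS:
        return False
    first_segment = drupal_internal_path(url).split("/", 1)[0]
    return first_segment in RESOURCE_PREFIXES


def naive_is_blocked(method: str, url: str) -> bool:
    """The rule as a literal path-prefix match on the raw URL, which is what a
    hurried web-server config tends to implement; kept to show what it misses."""
    if method.upper() not in BLOCKED_METHODS:
        return False
    return urlsplit(url).path.startswith(tuple(f"/{p}" for p in RESOURCE_PREFIXES))


if __name__ == "__main__":
    # Constructed requests exercising each path form.
    for method, url in [
        ("POST", "/node/1"),
        ("POST", "/?q=node/1"),
        ("PATCH", "/index.php/node/1"),
        ("POST", "/%6Eode/1"),
        ("GET", "/node/1"),
        ("POST", "/contact"),
    ]:
        print(f"{method:5} {url:22} naive={naive_is_blocked(method, url)!s:5} "
              f"normalised={is_blocked(method, url)}")
```

Running the block prints one line per constructed request; the `?q=` and percent-encoded forms are blocked only by the normalising version, which is the gap the advisory’s note about multiple paths is pointing at. The same normalisation belongs in whatever rewrite or rule language your web server uses, since the decision must be made on the path Drupal will actually route, not on the bytes in the request line.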
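
Story 11’s bug is an absolute path traversal in the ACE decompression library: the entry name stored in the archive decides where the file lands, not the directory the user chose. As an added example (not WinRAR’s or UNACEV2.DLL’s code), the check below is what any extractor should apply to an entry name before writing: reject POSIX absolute, drive-qualified and UNC names and any `..` component, then confirm the resolved target is still inside the destination. The destination directory and the sample entry names are constructed for the example.

```python
# Added example, not from WinRAR or UNACEV2.DLL: validate archive entry names
# so that the archive creator, rather than the user, cannot choose the output
# folder. posixpath is used throughout so the result is the same on any host.
import posixpath
import re
from typing import Dict, List, Optional, Tuple

# Windows absolute forms that posixpath does not recognise: a drive letter
# ("C:", "C:\..."), a UNC path ("\\server\share") or its forward-slash twin.
_WIN_ABSOLUTE = re.compile(r"^(?:[A-Za-z]:|\\\\|//)")


def safe_extract_path(name: str, dest: str) -> Optional[str]:
    """Return the path `name` would be written to under `dest`, or None if
    the entry must be rejected.

    Rejects: empty names, embedded NULs, POSIX or Windows absolute paths,
    UNC paths, and any '..' component. The final normalised path is then
    re-checked against `dest`, so a bug in the component filter cannot
    silently reintroduce an escape.
    """
    if not name or "\x00" in name:
        return None
    if _WIN_ABSOLUTE.match(name):
        return None
    unified = name.replace("\\", "/")  # treat either separator as a separator
    if unified.startswith("/"):
        return None
    parts = [p for p in unified.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    dest_norm = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest_norm, *parts))
    # Belt and braces: the normalised result must still be strictly inside dest.
    if not target.startswith(dest_norm.rstrip("/") + "/"):
        return None
    return target


def triage_archive(entries: List[str], dest: str) -> Tuple[Dict[str, str], List[str]]:
    """Split entry names into {name: target_path} for safe ones and a list of
    rejected names. An extractor should stop, not skip, on any rejection."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name in entries:
        target = safe_extract_path(name, dest)
        if target is None:
            rejected.append(name)
        else:
            accepted[name] = target
    return accepted, rejected


# Constructed entry names, as they might appear in a hostile archive.
SAMPLE_ENTRIES = [
    "readme.txt",
    "docs/manual.pdf",
    "docs\\sub\\file.txt",
    "../../outside.txt",
    "C:\\outside.txt",
    "\\\\server\\share\\outside.txt",
    "/etc/outside",
    "docs/../../escape.txt",
]

if __name__ == "__main__":
    # ASSUMPTION: "/tmp/extract" stands in for the folder the user picked.
    accepted, rejected = triage_archive(SAMPLE_ENTRIES, "/tmp/extract")
    for name, target in accepted.items():
        print(f"extract  {name!r:35} -> {target}")
    for name in rejected:
        print(f"REJECT   {name!r}")
```

The two-layer check matters: the component filter gives a clear reason for each rejection, and the final `startswith` test on the normalised path catches anything the filter did not anticipate. Rejecting on the first bad entry, rather than skipping it, also denies an attacker the option of hiding one hostile name among many harmless ones.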

Lee’s Stories

  1. Group FaceTime bug prevents adding users to existing call – While you can initiate a Group FaceTime call, you cannot add a user to one.
  2. Stratcom study on Cognitive Cyber Challenges (Social Engineering) – OSINT, social engineering, and social media are very effective at gathering OPSEC data from military personnel. Social media fake group/org detection and removal is less effective than expected.
  3. Crowdstrike released 2019 global threat report
  4. Splunk changes position on Russian customers – Splunk is no longer selling or renewing licenses to customers in Russia. Threat response or a political ploy?
  5. Swedish Healthcare Hotline exposes sensitive calls – Repository of call recordings available without authentication. Twist: this appears to be a GDPR violation. Will there be a penalty?
  6. LPG Company leaked Aadhaar details of 6.7M Indian customers – Weakness in gas dealer portal could be used to enumerate dealers and their customers. Company denies vulnerability; researchers have provided dumps. Aadhaar is a unique number assigned to each Indian citizen as part of India’s biometric identity program, maintained by the government’s Unique Identification Authority of India (UIDAI).

Larry’s Stories

  1. ATM hacking, gamified
  2. Cobalt Strike Team server study…
  3. Hacked Sex robots can kill you
  4. Domain fronting with CloudFlare and others
  5. Pwning with the clipboard and copy/paste

Full Show Notes

Follow us on Twitter: https://www.twitter.com/securityweekly

Hosts

Joff Thyer – Security Analyst, Black Hills Information Security.

Matt Alderman – CEO, Security Weekly.

Jason Wood – Founder; Primary Consultant, Paladin Security.

Lee Neely – Senior Cyber Analyst, Lawrence Livermore National Laboratory.

Larry Pesce – Senior Managing Consultant and Director of Research, InGuardians.

Paul Asadorian – CEO, Security Weekly.

Announcements

  • RSA Conference 2019 is coming up March 4 – 8 in San Francisco! Go to rsaconference.com/securityweekly-us19 to register now using the discount code 5U9SWFD to receive $100 off a full conference pass! If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request! Submission deadline for interviews or briefings is February 22nd @ 3:00pm ET.
  • Join us April 1-3, at Disney’s Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Visit https://infosecworld.misti.com/ and use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass. If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
  • SecureWorld Boston is hosting their 15th annual conference March 27-28 @ the Hynes Convention Center. Security Weekly Listeners save $100 off a full conference pass by visiting secureworldexpo.com and using the code ‘SecurityWeekly’
  • OSHEAN is hosting RI Cybersecurity Exchange Day on March 13th at the O’Hare Academic Building at Salve Regina in Newport, RI! Register Now @ OSHEAN.org/events.