SalesForce, iPhones, & Old Androids – Paul’s Security Weekly #607

 

 

In the Security News, SalesForce bans customers from gun sales, what is your iPhone talking to overnight, Office retires support for old Android versions, and really how likely are weaponized cars?!

Paul’s Stories

  1. VMware addressed flaws in its Workstation and Tools
  2. Streaming Video Fans Open to TV Hijacking
  3. When Security Goes Off the Rails – Perhaps most interesting are the training findings: “Amtrak did not provide sufficient training on all characteristics of the Charger locomotive,” and “Engineers could better master the characteristics of a new locomotive with the use of simulators.” How many of us have gotten “sufficient training” on “all characteristics” of the software we use to get our jobs done? What would that even mean for a systems administrator? How long is sufficient RedHat system administration training? What does it mean to get sufficient training on an Amazon Web Services component, which is subject to change at any time? How many of us have ever used a simulator or range?
  4. Experts Call For IoT Security Regulation
  5. YouTube bans kids live-streaming without an adult present
  6. 0patch experts released unofficial Patch Available for Recent Windows 10 Task Scheduler Zero-Day
  7. 440 Million Android Users Plagued By Extremely Obnoxious Pop-Ups – Attackers are getting more sneaky and patient: For instance, it takes a little sleep before swinging into action. “These ads do not immediately bombard the user once the offending application is installed, but become visible at least 24 hours after the application is launched,” the researchers said. “For example, obtrusive ads did not present themselves until two weeks after the application ‘Smart Scan’ had been launched on a Lookout test device.”
  8. PLATINUM APT Found Using Text-based Steganography to Hide Backdoor – The Steganographic Nature of Whitespace or SNOW for short, is a steganographic covert messaging technique that involves “…concealing messages in ASCII text by appending whitespace to the end of [sentence] lines” (Kwan, 2013). The technique exploits the fact that most text viewer applications do not show spaces and tabs which hide encrypted messages that are unreadable even if detected without the correct decryption key.
  9. Exclusive: Cisco SVP Jeff Reed Talks Firewall of the Future – SDx
  10. Apple’s Find My feature requires two devices, boasts extreme security safeguards
  11. It’s Time To Pay Attention To Zorin OS 15, The Best Desktop Linux Distro You’ve Never Heard Of
  12. Switching to Windows? These Are the Best Mac Alternatives
  13. How to Bypass UAC & Escalate Privileges on Windows Using Metasploit

Larry’s Stories

  1. Exim 0-day “the worlds most popular e-mail server”
  2. Apple announced the ‘Sign in with Apple’ API, and restrictions on location-tracking
  3. Tap ’n Ghost – Researchers have created a novel proof-of-concept (PoC) attack named Tap ‘n Ghost, which targets Near Field Communication (NFC)-enabled Android smartphones. This allows an attacker to take control of a target phone simply by tricking the victim into placing their handset on a specially crafted surface, such as a table in a public space that has been maliciously implanted
  4. 12m records exposed via Quest….and others, Optum360, AMCA – American Medical Collection Agency
  5. [1] Rogue TV broadcasts with smart TVs
  6. TVA fails DHS audit – The Tennessee Valley Authority (TVA) inspector general has reported that 115 TVA registered domains were found not meeting the Department of Homeland Security (DHS) standards for cybersecurity during an audit earlier this year. A memo published by the TVA Inspector General’s Office on May 29, 2019, reported that internal auditors also found that encryption requirements were inadequate on 20 TVA websites.
  7. cDc releases behind the scenes video of the BO2K release and talk

Lee’s Stories

  1. SalesForce bans customers from gun sales SalesForce new customer agreement bans new and existing customers from certain types of weapons sales. How does a SaaS dictate your business plan or morality?
  2. The Password is dead, long live the Password Microsoft updates password change guidance to align with NIST 800-63B nit changing passwords on a schedule.
  3. What is your iPhone talking to Overnight? App trackers, Android and iOS, are sending your information to third parties, often invisible to users.
  4. Microsoft Office retires support for old Android versions Microsoft is reducing the number of Android versions supported by their productivity apps July 1st. Choice: update your Android, or move to alternative suite.
  5. Russian Government Requires Tinder to share user data Tinder is being compelled to cooperate with FSB, while they have registered, they are not yet sharing data. Last app that refused, Telegram, is now banned in Russia.
  6. Chinese Military to give up on Windows for custom OS Back in 2014 China laid out plans for removing Windows from all government computers. They also don’t trust Linux as an OS source, so they will be writing their own OS. I guess the foot’s on the other hand now.
  7. ANU Suffers second hack in a year Good news: new controls implemented were able to detect this attack. Bad News: not enough completed (in the last two weeks) to prevent the attack. The attack came in late 2018, so there was a delay detecting.
  8. How likely are weaponized cars? Security considerations including secure updates, testing, recall, and life-cycle, become increasingly important at scale.
  9. Unit 42 Discovers Vulnerabilties in Acrobat and Reader and Foxit Reader, shares at BlueHat Shanghai 2019. Palo Alto Unit 42 is actively seeking and sharing vulnerabilities discovered.

Full Show Notes

Follow us on Twitter: https://www.twitter.com/securityweekly

Hosts

Paul Asadorian
Paul Asadorian – CTO, Security Weekly.
Larry Pesce
Larry Pesce – Senior Managing Consultant and Director of Research, InGuardians.
Lee Neely
Lee Neely – Senior Cyber Analyst , Lawrence Livermore National Laboratory.

 

 

 

 

 

 

Announcements

  • Register for our upcoming webcasts with SaltStack, DomainTools, and LogRhythm by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand
  • Security Weekly is returning to Vegas this August for BlackHat and DefCon! If you would like to request a briefing or sponsor an interview on-site at BlackHat, please go to securityweekly.com/booking and submit your request!
  • Security Weekly will be at Hacker Halted in Atlanta, GA this October 10th-11th! EC-Council is offering our listeners a 15% discount to sit for any of their Bootcamp Courses or Workshops! Visit Securityweekly.com/hackerhalted to register now!