Security News: September 12, 2019 – PSW #619

This week, we present the Security News, to discuss New ransomware grows 118% as cybercriminals adopt fresh tactics and code innovations, Period Tracker Apps share data with Facebook, U.S. Cyber Command trolls North Korea with Malware Release, and a lot more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Paul’s Stories

  1. Gamification Can Transform Company Cybersecurity Culture – I don’t buy it: According to findings from the American Psychological Association, competition increases physiological and psychological activation, which prepares employees’ minds for increased effort and enables higher performance. In this case, higher performance means being better able to detect and thwart security threats. Sure, it’s great to create this sort of system, and it does help to a certain extent. However, if you train your employees to look for certain conditions that are malicious, you are going to lose at some point. Attackers change behavior and tactics all the time and you’ll end up in a never-ending loop that always leaves a gap. Rather than look for certain conditions, change the behavior of the users in clear and concise ways.
  2. Simjacker attack exploited in the wild to track users for at least two years | ZDNet
  3. Ransomware Attack Hits School District Twice in 4 Months | SecurityWeek.Com – This is becoming VERY common. Sitting in open house last night for our son’s school, turns out they were also victims of a ransomware attack.
  4. NetCAT: New Attack Lets Hackers Remotely Steal Data From Intel CPUs – Dubbed NetCAT, short for Network Cache ATtack, the new network-based side-channel vulnerability could allow a remote attacker to sniff out sensitive data, such as someone’s SSH password, from Intel’s CPU cache. Discovered by a team of security researchers from the Vrije University in Amsterdam, the vulnerability, tracked as CVE-2019-11184, resides in a performance optimization feature called Intel’s DDIO—short for Data-Direct I/O—which by design grants network devices and other peripherals access to the CPU cache.
  5. Firmware: A New Attack Vector Requiring Industry Leadership – The emergence of firmware as a new attack vector has reignited an age-old debate within industry: Who’s responsible for addressing device cybersecurity? Is it the device manufacturer, or is it the company purchasing the device? This “chicken or the egg” debate has hampered cybersecurity for too long. First, firmware as an attack vector is not new. Second, the device manufacturer must be held responsible, at least in some capacity. Third, just as with software we purchase and run, firmware needs to be checked by the company who is running it to discover any vulnerabilities, backdoors or misconfiguration. Prove me wrong.
  6. Infosec prophet Bruce Schneier (peace be upon him) is only as famous as half of Salt-N-Pepa – Numbers four and five on Redscan’s list are Bruce Schneier and Troy Hunt respectively, who rank alongside Sandra Denton (Pepa from 1980s hip-hop duo Salt-N-Pepa) and English footballer Lucy Bronze, who plays for French club Olympique Lyonnais. Push it real good Bruce…
  7. DNS-over-HTTPS Coming to Chrome 78 | SecurityWeek.Com – Yes, more features to make Chrome even slower and resource hungry.
  8. Attacking the VM Worker Process – Microsoft Security Response Center
  9. How a Nearly Forgotten (RIP) Physicist Shaped Your Internet Access – With multiple users sharing one computer, files had to be assigned to individual researchers, and available only to them. The availability was what led Dr. Corbato to develop the password system. In a system now familiar to everyone, every user was given a unique name and password, and their files stored in a way that they were available only to one user.
  10. Security holding back employers from meeting employees remote working expectations – Help Net Security – Interestingly, nine in ten (92%) workers believe it’s their employer’s responsibility to ensure IT security when using a different device or working remotely. However, the research also highlights that IT departments continue to face a balancing act between employee productivity and security – 42% of workers state that their company’s security policies make it more difficult to do their job. I’m convinced this story is 100% crap.
  11. Stealing JWTs in localStorage via XSS
  12. APIs Get Their Own Top 10 Security List
  13. A Definitive Guide to Crowdsourced Vulnerability Management
  14. Logitech keyboards and mice vulnerable to extensive cyber attacks – Mengs demonstrates how to infect a system with a backdoor (remote shell) through which he can control the system remotely by radio. In a way, it’s an elegant hack, because he simply piggybacks on the wireless Logitech connection to infect the system and to communicate with the backdoor. That means even computers who are not online are ripe for the hack.
  15. Why Businesses Fail to Address DNS Security Exposures
  16. More than 99% of cyberattacks rely on human interaction – Help Net Security
  17. Stop Using CVSS to Score Risk | SecurityWeek.Com – I agree: I would caution any bug hunter, security analyst, software vendor, or device manufacturer to not rely on CVSS as the pointy end of the stick for prioritizing remediation. It is an important variable in the risk calculation – but it is not an adequate risk qualifier by itself. Prove me and Gunter wrong.

Lee’s Stories

  1. Fileless Malware Attacks up 265% – Trend Micro publishes trends for first half of 2019.
  2. China Hacks Asian Telcos to spy on Uighur Travelers – Beyond border installation of spyware on mobile devices, they are now tracking them on non-China services.
  3. New ransomware grows 118% as cybercriminals adopt fresh tactics and code innovations – McAfee Labs saw an average of 504 new threats per minute in Q1 2019, and a resurgence of ransomware.
  4. XKCD forum breach exposes 560,000 user accounts – Number one password “Password”, number two “correct battery horse staple.”
  5. Soldiers may ‘wear’ unhackable computers into combat – Wearable systems with sensors and strong encryption aid soldiers on the front line. Unhackable? Padding messages with fake data, encrypting smaller chunks for efficiency – may work.
  6. Exploit for BlueKeep Windows Bug Released – The Metasploit framework released a “work in progress” exploit for BlueKeep (CVE-2019-0708). Vital to patch immediately. Tenable (and others) can detect unpatched systems.
  7. Telnet Backdoor Vulnerabilities impact IoT Radio Devices – Vulnerable telnet server on Telestar Digital GmbH IoT radio devices can be used to obtain privileges. Patch available.
  8. Period Tracker Apps share data with Facebook – Lots of sensitive information shared: health, sex life, mood, and more. Beware of side-effects from apps that share information about eating, health, spending or sensitive data.
  9. U.S. Cyber Command trolls North Korea with Malware Release – U.S. Cyber Command uploaded malware samples to VirusTotal 9/8/19; these belong to the HANGMAN family, used by the North Koreans since 2013. HANGMAN wraps communications in SSL, can upload/download/update files and system information. SSL header is standard, but payload is custom binary protocol.
  10. Wikipedia goes dark across Europe, Middle East after DDOS Attack – Details sketchy, but DDOS took Wikipedia out for several parts of the globe.
  11. NSA: Just say NO to Hacking back – NSA takes strong stance against hacking back. Hacking back can go wrong so many ways.
  12. Uninstall 24 Android Apps infected with new ‘Joker’ Malware – These apps made it into the Google Play store. While removed, if you don’t have Play Protect, they require manual removal.
  13. Baltimore CIO, who managed Ransomware response, on leave – Scapegoat or legit failure? CIO on indefinite leave for lack of transparency, communication and having a response plan.

Jeff’s Stories

  1. Microsoft Patches 2 Windows Flaws Already Being Exploited
  2. Secret Service Investigates Breach at U.S. Govt IT Contractor
  3. Apple Slaps Google For Stoking Fear Over Massive iPhone Security Breach In Shockingly Rare Rebuttal
  4. Chinese Woman Who Breached Mar-A-Lago Security Found Guilty
  5. New cyber directorate reorgs to help NSA shift focus on nation state adversaries
  6. Google To Fix Malicious Invites Issue For 1 Billion Calendar Users
  7. HGTV’s restoration of Brady Bunch house unveiled—and they didn’t mess it up

Hosts

Jeff Man – Sr. InfoSec Consultant
Joff Thyer – Security Analyst
Lee Neely – Senior Cyber Analyst
Paul Asadoorian – Founder & CTO

Announcements

  • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will be receiving 1 CPE credit per webcast! Register for one of our upcoming webcasts with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand
  • Security Weekly will be at Hacker Halted in Atlanta, GA this October 10th-11th! EC-Council is offering our listeners a $100 discount to attend the two-day conference. Use discount code HH19SW when you register or go to securityweekly.com/hackerhalted and register there! Make sure you check out the keynote (Paul Asadoorian) and Mr. Jeff Man’s talk as well!