Tesla, YouTube, & Sexy Selfies – Paul’s Security Weekly #597


New WordPress flaw lets unauthenticated remote attackers hack sites, Tesla allegedly spied on and ran a smear campaign on a whistleblower, Facebook and Instagram suffer most severe outage ever, a man drives 3,300 miles to talk to YouTube about a deleted video, and what do sexy selfies, search warrants, and tax files have in common?

Paul’s Stories

  1. New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites – Comments in WordPress are just evil, and not worth it in my opinion for a host of reasons: WordPress doesn’t use CSRF validation when a user posts a new comment, allowing attackers to post comments on behalf of an administrator. Comments posted by an administrator account are not sanitized and can include arbitrary HTML tags, even SCRIPT tags. The WordPress frontend is not protected by the X-Frame-Options header, allowing attackers to open the targeted WordPress site in a hidden iFrame from an attacker-controlled website.
  2. HackInOS: 1 – I did not validate anything about this project, but it sounded neat: HackinOS is a beginner level CTF style vulnerable machine. I created this VM for my university’s cyber security community and all cyber security enthusiasts.
  3. Intel Windows 10 Graphics Drivers Riddled With Flaws – The more serious of these (CVE-2018-12216) has a CVSS score of 8.2 and stems from insufficient input validation in the kernel mode driver within Intel Graphics Driver for Windows. The kernel mode driver of a graphics driver executes any instruction it needs on the CPU without waiting, and can reference any memory address that is available. Could this also open up firmware attacks against the GPU hardware? Though I would believe that any kernel driver can access any hardware directly? I have to read this more carefully: https://docs.microsoft.com/en-us/windows-hardware/drivers/display/driver-protection but it does state that the described driver protection is optional.
  4. DMSniff POS Malware has flown under the radar for at least four years – Sure it had a domain name generation algorithm, but didn’t seem especially stealthy to me. How did it evade detection, one could guess: “DMSniff is another name in a growing list of evolving threats for the point-of-sale malware world. During our research we found that this malware was primarily utilized to target small to medium sized businesses such as restaurants and theaters,” conclude the experts. “It also contains a domain generation algorithm, something that is rare to see in point-of-sale malware.”
  5. What do sexy selfies, search warrants, tax files have in common? They’ve all been found on resold USB sticks – While entertaining: Troublingly, the material recovered was often fairly sensitive. There were nude images of a middle-aged man, along with contact details. There were legal documents like a search warrant and risk assessments. There were financial papers dating back years, along with personal data. There were also tax forms, wage slips and the like. Not really news. We covered this with SIM cards back in the day. It seems people like to sell electronics without scrubbing the data.
  6. InfoSec Handlers Diary Blog – Tip: Ghidra & ZIP Files
  7. Facebook and Instagram suffer most severe outage ever – And GMail and YouTube: https://bgr.com/2019/03/13/gmail-google-drive-outage-youtube-down-too/ – Gmail started on Tuesday night and Facebook started on Wed. Coincidence? What are the chances that both Facebook and Google had major outages at the same time and there was no connection?
  8. Tesla allegedly spied on and ran smear campaign on a whistleblower | SC Media – A former security manager told Bloomberg Businessweek that Tesla hacked, spied on, and engaged in a smear campaign against whistleblower Martin Tripp. Sean Gouthro, a former security manager at Tesla’s Nevada Gigafactory, claimed Elon Musk personally hired Tesla investigators to hack into an employee’s phone, spy on his messages, and even mislead police about a potential mass shooting, all in response to whistleblowing.
  9. Proof-of-concept code published for Windows 7 zero-day | ZDNet
  10. Man drives 3,300 miles to talk to YouTube about deleted video – LOL: On Sunday, police in Mountain View, California, where Google is headquartered, arrested a man who drove more than 3,300 miles from Maine to discuss what he thought was the company’s removal of his YouTube account and the one video he’d posted – one about getting rich quick. It was not, in fact, deleted by YouTube. It turns out, his wife deleted it, concerned as she was about her husband’s mental state. She told BuzzFeed News that the video, created by 33-year-old Kyle Long, was “rambling” and “bizarre.”
  11. WordPress Releases Security Update | US-CERT
  12. Cisco Patches Critical Default Password Bug
  13. Code Execution Flaw Found in Sonatype Nexus Repository Manager | SecurityWeek.Com
  14. DARPA Is Developing an Open-Source Voting System – Schneier on Security
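The three gaps described in story 1 (no CSRF check on comment submission, no KSES filtering of comments left by an administrator, and no X-Frame-Options header on the front end) each map to a small configuration-style fix on the site owner's side. The following must-use plugin is an added example written for these notes; it is not code from the show, the advisory, or WordPress core. The hooks and functions it calls (send_headers, send_frame_options_header, pre_comment_content, wp_filter_kses, comment_form, wp_nonce_field, preprocess_comment, wp_verify_nonce, wp_die) are existing WordPress core APIs; the file path, the nonce action name swk_post_comment_* and the field name swk_comment_nonce are assumptions made here.

```php
<?php
/**
 * Added example, not from the show notes or WordPress core.
 * Drop into wp-content/mu-plugins/harden-comments.php (path is an assumption)
 * so it loads before any theme or regular plugin.
 */

// 1. Clickjacking: emit X-Frame-Options: SAMEORIGIN on the public front end.
//    Core already hooks this same function for wp-admin and wp-login.php.
add_action( 'send_headers', 'send_frame_options_header' );

// 2. Stored XSS via admin comments: run every comment through the comment
//    KSES allow-list, even for users who hold 'unfiltered_html'.
//    kses_init() removes core's own registration (priority 10) for such
//    users, so this copy is registered at priority 20 and is left in place.
add_filter( 'pre_comment_content', 'wp_filter_kses', 20 );

// 3. CSRF: put a nonce in the comment form, bound to the post being commented on.
add_action( 'comment_form', function ( $post_id ) {
	wp_nonce_field( 'swk_post_comment_' . (int) $post_id, 'swk_comment_nonce' );
} );

// ...and refuse any ordinary comment that arrives without a valid nonce.
add_filter( 'preprocess_comment', function ( $commentdata ) {
	// Pingbacks and trackbacks do not come from the HTML form; leave them alone.
	$type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
	if ( '' !== $type && 'comment' !== $type ) {
		return $commentdata;
	}

	$post_id = isset( $commentdata['comment_post_ID'] ) ? (int) $commentdata['comment_post_ID'] : 0;
	$nonce   = isset( $_POST['swk_comment_nonce'] )
		? sanitize_text_field( wp_unslash( $_POST['swk_comment_nonce'] ) )
		: '';

	// wp_verify_nonce() ties the token to the current user/session and to the
	// post ID, so a token harvested from an anonymous page view does not
	// validate for a logged-in administrator's session.
	if ( ! wp_verify_nonce( $nonce, 'swk_post_comment_' . $post_id ) ) {
		wp_die(
			'Comment rejected: missing or invalid form token.',
			'Forbidden',
			array( 'response' => 403 )
		);
	}

	return $commentdata;
} );
```

Two operational notes: the nonce check rejects comments that do not originate from the themed form (REST or XML-RPC clients included), so scope the check or exempt those paths if you rely on them; and a full-page cache that serves the rendered form to many visitors will serve a stale nonce, which is exactly the case wp_verify_nonce() is designed to fail, so exclude single-post pages with comment forms from caching or inject the field client-side.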

Lee’s Stories

  1. Cyberattacks will soon kill people – Security expert warns that the evolution of cyber attacks can lead to attacks designed to kill people.
  2. Android VPN Apps tracking personal information – The BestVPN research found several free Android apps have excessive permissions. Premium VPN apps are much cleaner. Revoke the excess permissions under advanced settings, which may break them.
  3. Boost Federal Email Security – NIST releases SP 800-177R1 as a guide to OMB BOD 18-01 regarding the use of SPF, DKIM, DMARC and TLS to enhance email security. Implementing these also helps email security in the private sector.
  4. Box Links are leaking sensitive data – Anonymous access links, as opposed to specific users, to cloud data repositories (Box, OneDrive, Dropbox, Google Drive, etc.) are being indexed and/or shared and used to access sensitive data. Mitigation: share with specific users; remove sharing when no longer required.

Full Show Notes

Follow us on Twitter: https://www.twitter.com/securityweekly

Hosts

Paul Asadorian
Paul Asadorian – CEO, Security Weekly.


Jeff Man
Jeff Man – Sr. InfoSec Consultant, Online Business Systems.


Lee Neely
Lee Neely – Senior Cyber Analyst, Lawrence Livermore National Laboratory.


Matt Alderman
Matt Alderman – CEO, Security Weekly.


Larry Pesce
Larry Pesce – Senior Managing Consultant and Director of Research, InGuardians.


Announcements

  • Join us April 1-3, at Disney’s Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Visit https://infosecworld.misti.com/ and use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass. If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
  • SecureWorld Boston is hosting their 15th annual conference March 27-28 @ the Hynes Convention Center. Security Weekly Listeners save $100 off a full conference pass by visiting secureworldexpo.com and using the code ‘SecurityWeekly’
  • OSHEAN is hosting RI Cybersecurity Exchange Day on March 13th at the O’Hare Academic Building at Salve Regina in Newport, RI! Register Now @ OSHEAN.org/events.