2016-04-07

TrustedSec Security Podcast Episode 40 for April 7, 2016.  This podcast is hosted by Rick Hayes, Scott White, Martin Bos, Justin Elze, and Geoff Walton.

Visit the show notes page to download the Podcast or check us out on iTunes!

Download Page https://www.trustedsec.com/podcasts/trustedsec-security-podcast-episode-40.mp3
XML Page https://www.trustedsec.com/podcasts/trustedsecsecuritypodcast.xml

Announcements:
TrustedSec TV
https://www.youtube.com/watch?v=4Vxh7hGMDnE

Atlantic Security Conference
When: April 7-8, 2016

Where: Halifax, Nova Scotia
http://atlseccon.com

Bsides Rochester 2016
When: April 23, 2016

Where: Rochester NY (RIT, GCCIS Building)
https://twitter.com/bsidesroc

CactusCon
When: May 6-7, 2016

Where: Phoenix, AZ
http://www.cactuscon.com

Charlotte ISSA Annual Summit

When: May 19, 2016

Where: Charlotte, NC
https://www.charlotteissa.org

BSidesSATX
When: May 21, 2016

Where: San Antonio, TX
http://www.securitybsides.com/w/page/62049224/BSidesSATX

BSides Boston
When: May 20-21, 2016

Where: Boston, MA
http://www.bsidesboston.org

BSidesPGH
When: June 10, 2016

Where: Pittsburgh, PA
https://bsidespgh.com/2016

ShowmeCon
When: June 13-14, 2016

Where: St. Louis, MO
http://showmecon.com

BSidesCLE
When: June 24-25, 2016

Where: Cleveland, OH
https://bsidescle.com

Converge
When: July 14-15, 2016

Where: Detroit, MI
http://convergeconference.org/main

Hackers on Planet Earth (HOPE) XI
When: July 22-24, 2016
http://x.hope.net

Stories:

Source: http://www.bbc.com/news/technology-35980629
It has been 30 years since inventor Sir Clive Sinclair sold the marketing and merchandising rights for his inventions to his then rival, Amstrad, for £5m.

His company rose to prominence in the 1970s with the success of its pocket calculators, and then became one of Britain’s leading computer manufacturers the following decade with the ZX81 and ZX Spectrum home computers.

Source: http://www.securityweek.com/osvdb-shut-down-permanently
https://blog.osvdb.org/2016/04/05/osvdb-fin
The maintainers of the Open Sourced Vulnerability Database (OSVDB) announced this week that the project will be shut down permanently due to the lack of support from the industry.

“As of today, a decision has been made to shut down the Open Sourced Vulnerability Database (OSVDB), and will not return. We are not looking for anyone to offer assistance at this point, and it will not be resurrected in its previous form,” Brian Martin, aka Jericho, one of the leaders of the OSVDB project, said in a blog post.

Source: http://www.scmagazineuk.com/github-recovers-from-major-outage-cause-unknown/article/487757
GitHub, a frequent target of distributed denial of service (DDoS) attacks, experienced a major outage Tuesday morning; however, the software development hosting service tweeted shortly thereafter that it identified the problem and that its online operations were running normally again.

As of writing, it is not publicly known if the outage stemmed from an internal error or from the latest in a series of external cyber-attacks against the service. GitHub’s site performance was noticeably impacted just this past 23 March following a DDoS assault against the website.

Source: http://www.itsecurityguru.org/2016/04/07/eset-warns-facebook-users-viral-ad-scam
ESET researchers have spotted a scam campaign on Facebook that steals the social network users’ payment card details. Instead of buying luxury sunglasses at a 90% discount, shoppers might end up victims of a payment card fraud.

In several countries, among them Slovakia, Czech Republic, Chile, China, France, Spain and the United Kingdom, Facebook users are facing a wave of spam advertisements that are spread via hacked Facebook accounts which attackers have taken control of using malware and social engineering tactics.

Source: https://www.f-secure.com/en_GB/web/press_gb/news-clippings/-/journal_content/56/1082184/1577225?p_p_auth=87Q9lLTM&refererPlid=894723
An investigation conducted in early 2016 by cyber security company F-Secure discovered thousands of severe weaknesses in corporate networks that attackers can use to infiltrate companies. The investigation used F-Secure Radar, a vulnerability scanning and management solution, to uncover tens of thousands of instances of misconfigured systems, unpatched software and other weaknesses, confirming to security experts that many companies don’t have enough visibility over their networks.

Source: http://www.scmagazine.com/researcher-nets-500-for-reporting-paypal-vulnerabilities/article/487440
A German researcher reportedly netted $500 (£354) from PayPal’s bug bounty programme for a vulnerability that could have allowed an attacker to carry out phishing and other attacks.

Vulnerability Laboratory researcher Benjamin Kunz Mejri discovered what he described as a “Filter Bypass and Persistent Profile Mail Encoding Web Vulnerability,” according to a 30 March advisory.

Source: https://www.secureworks.com/resources/rp-2016-underground-hacker-marketplace-report
Dell SecureWorks has released a report which provides the average prices of data and services offered on underground markets around the world. It shows how cheap it is to get into business.

It costs only $500 (all prices U.S.) to hire someone to crack a corporate mailbox, or $129 to break into a Gmail/Yahoo account. To break into a Web site a service charges $350. For $90 you can get a victim’s IP address.

Source: http://spamnews.com/The-News/Latest/Remaiten-is-a-New-DDoS-Bot-Targeting-Routers-based-on-Linux-2016040718372/
Sophisticated exploits are not required to build botnets out of modems, wireless access points, routers and other networking devices. Remaiten, a new worm infecting embedded systems, spreads by exploiting weak Telnet passwords.

Remaiten is the latest incarnation of the distributed denial-of-service Linux bots that target embedded architectures. Its authors actually called it KTN-Remastered, where KTN in all probability refers to a well-known Linux bot known as Kaiten.

Source: http://www.pcworld.com/article/3052817/security/apple-fixes-ios-lock-screen-bypass-that-gives-access-to-photos-contacts.html
Apple has reportedly fixed a vulnerability that could have allowed hackers to bypass the passcode on iPhone 6s and 6s Plus running iOS 9.3.1 in order to access the address book and photos.

The bypass technique was discovered by researchers from German security firm Evolution Security and takes advantage of Siri’s integration with apps like Twitter or Facebook and the new 3D Touch feature that’s only available on the iPhone 6s and 6s Plus models.

Source: http://www.eweek.com/security/panama-papers-breach-reveals-astonishingly-lax-network-security.html
The breach of a vast trove of financial and related information from the Panamanian law firm Mossack Fonseca was supposed to channel John Le Carré and his famed Panamanian tailor/spy Harry Pendel. However, the reality is much less interesting. The story is actually about a company with third-rate security that gets exploited by a routine hack.

Source: https://www.grahamcluley.com/2016/04/emergency-adobe-flash-update-prepped-hackers-actively-exploit-flaw/
Adobe has announced that it will be issuing an emergency security update for its widely-used Flash Player, after discovering hackers were actively exploiting a security hole to hijack control of computer systems.

“A critical vulnerability (CVE-2016-1019) exists in Adobe Flash Player 21.0.0.197 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.”

Source: https://www.eff.org/deeplinks/2016/04/nest-reminds-customers-ownership-isnt-what-it-used-be
Nest Labs, a home automation company acquired by Google in 2014, will disable some of its customers’ home automation control devices in May. This move is causing quite a stir among people who purchased the $300 Revolv Hub devices—customers who reasonably expected that the promised “lifetime” of updates would enable the hardware they paid for to actually work, only to discover the manufacturer can turn their device into a useless brick when it so chooses.

Source: http://gizmodo.com/there-are-some-super-shady-things-in-oculus-rifts-terms-1768678169
The Oculus Rift is starting to ship. What you may not be aware of is that if you create something using Oculus’ services, the Terms of Service say that you surrender all rights to that work and that Oculus can use it whenever it wants, for whatever purposes.

The post TrustedSec Security Podcast Episode 40 – Sinclair, OSVDB, GitHub, Facebook, Weaknesses, PayPal, Marketplace, Remaiten, Apple appeared first on TrustedSec - Information Security.
