2016-03-10

TrustedSec Security Podcast Episode 37 for March 10, 2016. This podcast is hosted by Rick Hayes, Martin Bos, Justin Elze, and Geoff Walton.

Visit the show notes page to download the Podcast or check us out on iTunes!

Download Page https://www.trustedsec.com/podcasts/trustedsec-security-podcast-episode-37.mp3

XML Page https://www.trustedsec.com/podcasts/trustedsecsecuritypodcast.xml

Announcements:
TrustedSec TV
https://www.youtube.com/watch?v=4Vxh7hGMDnE

CypherCon

When: March 11-12, 2016

Where: Milwaukee, WI
http://cyphercon.com

Atlantic Security Conference

When: April 7-8, 2016

Where: Halifax, Nova Scotia
http://atlseccon.com

Bsides Rochester 2016

When: April 23, 2016

Where: Rochester NY (RIT, GCCIS Building)
https://twitter.com/bsidesroc

Charlotte ISSA Annual Summit

When: May 19, 2016

Where: Charlotte, NC
https://www.charlotteissa.org

BSidesSATX

When: May 21, 2016

Where: San Antonio, TX
http://www.securitybsides.com/w/page/62049224/BSidesSATX

ShowmeCon

When: June 13-14, 2016

Where: St. Louis, MO
http://showmecon.com

BSidesCLE

When: June 24-25, 2016

Where: Cleveland, OH
https://bsidescle.com

Converge

When: July 14-15, 2016

Where: Detroit, MI
http://convergeconference.org/main

Stories:
Source: https://source.android.com/security/bulletin/2016-03-01.html

We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. The Nexus firmware images have also been released to the Google Developer site. Builds LMY49H or later and Android M with Security Patch Level of March 01, 2016 or later address these issues. Refer to the Nexus documentation for instructions on how to check the security patch level.

Source: http://ithare.com/password-hashing-why-and-how/

Password hashing is a non-trivial topic which has recently become quite popular. While it is certainly not the only thing you need to do to make your network app secure, it is one of those security measures every security-conscious developer should implement. In this article, we’ll discuss what it is all about, why hash functions need to be slow, and how password hashing needs to be implemented in your applications.
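The article linked above argues that password hashes must be slow and salted. The following Python block is an added illustration for these show notes, not code from the article or from TrustedSec: it stores passwords with PBKDF2-HMAC-SHA256 (a deliberately slow key-derivation function from the standard library), verifies them with a constant-time comparison, supports raising the work factor later, and measures how much slower one password check is than a single plain SHA-256 call. The iteration count and the `pbkdf2_sha256$...` storage format are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumption: picked for illustration;
# tune it so one verification costs a noticeable fraction of a second on
# your servers, and raise it over time as hardware gets faster.
ITERATIONS = 100_000
SALT_BYTES = 16
DIGEST_BYTES = 32
ALGO_TAG = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: algo$iterations$salt_hex$digest_hex.

    A fresh random salt per password means two users with the same password
    get different hashes, and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DIGEST_BYTES)
    return f"{ALGO_TAG}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time (no early exit on the first differing byte)."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != ALGO_TAG:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters),
                                    dklen=DIGEST_BYTES)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a weaker work factor than the
    current setting; call on successful login and re-store the hash."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO_TAG or int(parts[1]) < iterations


def slowdown_factor(iterations: int = ITERATIONS, fast_samples: int = 1000) -> float:
    """How many times slower one PBKDF2 check is than one raw SHA-256 call.
    This is the whole point of a password hash: the attacker must pay this
    cost for every guess, the legitimate user only once per login."""
    pw = b"correct horse battery staple"
    start = time.perf_counter()
    for _ in range(fast_samples):
        hashlib.sha256(pw).digest()
    fast = (time.perf_counter() - start) / fast_samples
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw, b"\x00" * SALT_BYTES, iterations, dklen=DIGEST_BYTES)
    slow = time.perf_counter() - start
    return slow / fast


if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)
    print("correct password:", verify_password("hunter2", record))
    print("wrong password:  ", verify_password("hunter3", record))
    print(f"one check costs ~{slowdown_factor():.0f}x a plain SHA-256")
```

On login, verify first and then check `needs_rehash`; because the iteration count is stored with each record, old hashes keep verifying while new ones pick up the higher work factor.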

Source: http://www.informationsecuritybuzz.com/hacker-news/weak-bank-password-policies-leave-350-million-vulnerable

In a study that looked at the password strength required to access website accounts for Wells Fargo, Capital One and 15 other banks, researchers found that 35 percent had significant weaknesses in their password policies, according to the University of New Haven Cyber Forensic Research and Education Group.

The crux of UNH’s findings centers on the fact that all the banks in question had website password policies that do not differentiate between upper- and lower-case letters. That, according to the study, is the difference between a “strong” password and a less secure one. Tim Erlin, director of security and product management at Tripwire, offered the following comments on it.

Source: http://www.siliconbeat.com/2016/03/07/google-hires-creator-website-hosted-hacked-celeb-nudes

Google has brought aboard the man who created 4chan, the notorious message-board website infamous for having published hacked celebrity nude photos.

“When meeting with current and former Googlers, I continually find myself drawn to their intelligence, passion, and enthusiasm — as well as a universal desire to share it with others,” Chris Poole (Moot) wrote Monday on his blog.

Well, certainly, Poole is all about sharing. He went on to describe what he brings to the tech giant.

“I can’t wait to contribute my own experience from a dozen years of building online communities, and to begin the next chapter of my career at such an incredible company.”

Source: http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html

A simple vulnerability found on Facebook which could have been used to hack into other users’ Facebook accounts easily without any user interaction. This gave me full access to another user’s account by setting a new password. I was able to view messages, his credit/debit cards stored under the payment section, personal photos etc. Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability.

Source: http://uk.reuters.com/article/us-apple-encryption-idUKKCN0W92HX

The U.S. Justice Department on Monday sought to overturn a ruling which protects Apple from unlocking an iPhone in a New York drug case.

A magistrate judge in Brooklyn last week ruled that the Justice Department could not compel the tech giant to unlock the phone. The government on Monday resubmitted its arguments to a higher judge overseeing the matter. Prosecutors are relying on the same law in their fight against Apple in a California court, where a judge ordered Apple to unlock an encrypted phone belonging to one of the San Bernardino shooters. The clash has intensified a long-running debate over how much law enforcement and intelligence officials should be able to monitor digital communications.

Source: http://www.techweekeurope.co.uk/security/security-management/seagate-employees-personal-data-phishing-187501#IA0VkA6Icw5AkkCw.99

Seagate employees in the US have had their social security numbers, salaries, work and home addresses, and other data stolen in a phishing attack. An employee, most likely high up in the chain of command in HR at the company, was duped by a bogus email requesting W-2 forms of Seagate employees. On March 1, the conned employee acquiesced to the request for W-2 forms in an email purportedly from CEO Stephen Luczo, who said he wanted the data for current and past Seagate employees.

Source: http://www.kolotv.com/content/news/Clark-County-water-district-hit-with-cyber-attack-371363811.html

The Clark County Water Reclamation District has been hit with a cyber-attack but officials say operations haven’t been disrupted and no customer or employee information was hacked. The agency said in a statement Monday that its computer system was attacked late Friday night.

Computers were shut down as a precaution but operations at all seven treatment facilities and customer service centers were not affected. Authorities are investigating and law enforcement has been notified.

Source: http://www.itnews.com.au/blogentry/is-the-drown-vulnerability-really-that-bad-416517

Even if you’re not in the information security industry, chances are you will have heard about the new TLS-related vulnerability in the SSLv2 protocol that was revealed last week, dubbed DROWN.

DROWN is estimated to be affecting one third of the world’s webservers, allowing an attacker to steal the server’s private key and subsequently decrypt encrypted browsing sessions, steal passwords, personally identifiable information, credit card details, etc.

Source: http://www.spamfighter.com/News-20144-Data-Hack-at-Snapchat-Follows-an-Employees-Response-to-Phishing-E-Mail.htm

A data hack into Snapchat systems during the weekend followed after an employee at the company was tricked by a phishing email that requested payroll information while posing as a message from Evan Spiegel, the CEO of the company.

Snapchat, however, has sent out a global assurance that the hackers couldn’t breach its servers and that there has therefore been no compromise of end-user data; it has nonetheless informed current and former employees that their confidential details have been shared outside the company.

Source: http://www.tripwire.com/state-of-security/latest-security-news/u-s-dod-announces-hack-the-pentagon-bug-bounty-program

The US Department of Defense (DoD) announced last week the first ever cyber bug bounty program in the history of the federal government, inviting vetted hackers to test the security of the department’s network, website and applications.

Dubbed “Hack the Pentagon,” the agency said its pilot bug bounty program is modeled after similar competitions conducted by some of the nation’s biggest companies to improve the security and delivery of networks, products and digital services.

Source: https://nakedsecurity.sophos.com/2016/03/08/ransomware-arrives-on-the-mac-osxkeranger-a-what-you-need-to-know/

Ransomware for the Mac has finally arrived and it’s called OSX/KeRanger-A. The malware will scramble everything it can find in your home directory (that means in and below /Users/YourNameHere), and a long list of file types on all mounted volumes such as USB keys, removable disks and network shares (on OS X, that’s everything under /Volumes). If you try to open any of the .encrypted files, you’ll be confronted with random-looking binary garbage.

In fact, because your files have been strongly encrypted with random keys using the AES algorithm, they are indistinguishable from random garbage.

Update: http://www.theregister.co.uk/2016/03/09/first_macosx_ransomware_actually_linux_port

KeRanger is really a Mac version of the Linux Encoder Trojan, according to new research from Romanian security software firm Bitdefender. The infected OS X torrent update carrying KeRanger looks virtually identical to version 4 of the Linux Encoder Trojan that has already infected thousands of Linux servers this year.

KeRanger spread via an infected version of an otherwise legitimate open source BitTorrent application, Transmission. The tainted version (2.90) was available for download between March 4 and March 5, 2016 and came signed with a legitimate developer certificate.

Apple’s OS X ships with a security feature called Gatekeeper, allowing users to restrict which sources they can install applications from in order to minimize the likelihood of deploying a malicious app.

Source: http://www.cloudview.co/dls/white/cyber-attack-white-paper.pdf

New research from cloud-based video surveillance company Cloudview suggests that the majority of CCTV systems can be hacked, providing an open door to cyber attackers.

The report, entitled Is your CCTV system secure from cyber attack?, says there are “major vulnerabilities” in both traditional DVR-based CCTV systems, as well as cloud-based video systems. Hackers can “easily” hijack connections to the device’s IP address, putting a lot of people, their properties and data at risk.

How did they do it? They placed five routers, DVRs and IP cameras on the open internet, all running their latest software and firmware. According to the report, one device was hacked within a few minutes, while the rest were done and dusted within a day. They didn’t say which device was the first, or the last, to fall, though.

The post TrustedSec Security Podcast Episode 37 – Nexus, Banking Passwords, Moot, FB, iPhone, Seagate, CCWRD, DROWN, Snapchat, DoD Bounty, KeRanger-A appeared first on TrustedSec - Information Security.
