Google, Huawei, & Windows 0-Day – Paul’s DigitalMunition #605

In our final segment, Doug, Jeff, Patrick, and Lee give you the latest security news to talk about a Zero Day for Windows, the battle over Huawei with the US and Google, & unpatched hardware and companies tripping themselves up!

Doug’s Stories

1. https://nakedsecurity.sophos.com/2019/05/23/the-city-of-baltimore-is-being-held-hostage-by-ransomware/
2. https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-bug-in-windows-10-task-scheduler/
3. https://vulmon.com/vendoradvisory?qidtp=huawei_security_advisories&qid=00906a438725b28e1fe0958213b604e9

//discussion about Google and Huawei//

1. https://theweek.com/articles/842837/googles-huawei-ban-exposes-alarming-app-store-duopoly
2. https://theweek.com/speedreads/841493/report-trump-expected-sign-executive-order-that-block-huawei-from
3. https://www.xda-developers.com/google-revoke-huawei-android-ban-blacklist/

Lee’s Stories

1. Sensitive Data for 2.25 Million Russians exposed online
2. Unsecured Survey Databases exposes infor from 8 Million Marketing data gathered from surveys, free sample requests, etc.
3. Slack for Windows Vulnerability Slack for Windows 3.3.7 weakness can allow attackers to manipulate where user’s files are stored to a hacker file share. Low risk, fixed in version 3.4.0.
4. Salesforce still hasn’t recovered Flaw in Salesforce script resulted in all permissions being granted to every profile, primarily EU and North America customers, service degraded until issue resolved.
5. 20,000+ Linksys routers leaking information Bug is from 2014. Fix: apply latest firmware and enable firewall. These devices are marketed to home users, perhaps better to replace that 5 year old router?
6. DHS warns of ‘Strong Concerns’ that Chinese-made drones are stealing data In short the drone manufacturers are obligated to turn over data to the Chinese government on demand. One of the biggest Chinese drone manufacturers is DJI.
7. Instagram Influencer Account information captured/leaked Information on 49 million users was captured and stored in an open access database.
8. MuddyWater BlackWater campaign using Anti-Detecion Techniques This is a new PowerShell-based downloader leveraging POWERHELLO which replaces POWERSTATS. While highly targeted it is interesting to see new techniques to avoid detection.
9. Future Windows 10 updates will block some Wi-Fi Future Windows 10 updates will discontinue support for WEP or TKIP. Move to WAP2 or 3.
10. New Bill Requires Propbable Cause to Search Electronic Devices at The Border Currently, CBP can search someone’s phone and send the information to DHS without a warrant. CNET reports 30,000 devices searched at The Border last year.
11. ARM Reportedly tells employees to suspend all business with Huawei The ban is due to ARM being US origin technology, and therefore covered by the US Restrictions.
12. Several chip companies stop supplying Huawei Qualcomm, Intel, Xilinx and Broadcom are reportedly no longer supplying Huawei after Trump adminstration blacklist. Expect delays in 5G rollout, and carriers impacted replacing Huawei equipment already purchased.
13. Google cuts of Huawei phones from future Android Updates Google says that it will restrict Huawei’s access to futureAndroid OS updates, Google Play store, tick-tock..
14. All the companies that have cut ties with Huawei Intel, Panasonic, Qualcomm, Xilinix, Broadcom no longer supplying Huawei after blacklist. See also Several Chip companies reportedly stopped supplying Huawei after ban
15. Laptop full of malware for sale high bit $1.1M A laptop deliberately infected with six notorious strains of malware, including WannaCry and ILoveYou, is being auctioned in the US as an art project. Currently air-gapped, will be shipped with Internet disabled.

Jeff’s Stories

1. Assange Indicted Under Espionage Act, Raising First Amendment Issues latebreaking news
2. 12 Dark Secrets of Encryption ooohhh…I wonder what they are
3. Ransomware Cyberattacks Knock Baltimore’s City Services Offline this hits close to home. literally.

Patrick’s Stories

1. Someone Hacked Trump’s Golf Scores
2. UK Prepares to Hack Back
3. Sim Swap Attack Costs Him $100,000 overnight

Full Show Notes

Follow us on Twitter: https://www.twitter.com/securityweekly

http://traffic.libsyn.com/sw-all/Google_Huawei__Windows_0-Day_-_Pauls_Security_Weekly_605_converted.mp3