Security News – Paul’s DigitalMunition #603

The top 5 mistakes that create field days for hackers, WordPress 5.2 brings new security features, a discontinued Insulin pump with security a security flaw in high demand, and how to communicate privately in the age of digital policing!

Paul’s Stories

1. Locked Computers – Schneier on Security – Best part is from the comments: The problem? Mice were stolen regularly. We’ve made a contraption: got out one unused backplate from each case, drilled two holes through it and ran mouse cable through them (plus some rubber padding). Then we screwed the backplates back in and closed the cases. The cable run from the serial port plug through the drilled backplate (in and out) and then to the mouse itself. You couldn’t steal the mouse now without cutting the cable or opening the locked case. Problem solved – for some time.Some time later someone – probably out of frustration that he can’t steal mice – stole all the balls from them. That was over the top. We’ve closed the venue and posted a message “Closed until all balls are returned”. Some patrons must have got really angry at the thief and had a few pleasant words with him – the balls were found in a bag near the door next morning…
2. Choosing Imagery for Your Security Awareness Program – If the only tip you take from this article is this, you are winning: Instead, look for imagery that works to evoke emotion. You can do this with imagery that is positive, colorful, and inviting. Unexpected image compositions can also help give a modern look and feel to your campaign.
3. Top 5 Configuration Mistakes That Create Field Days for Hackers – Sometimes I believe we complicate security too much. This article highlights 1. Default passwords 2. Password re-use 3. Exposed remote management services 4. Missing patches 5. Logging disabled or non-existent.
4. Quantifying Measurable Security – Okay, but so why is Android not-so-secure? Both Android and Chrome OS have dedicated security teams who are tasked with continually enhancing the security of these operating systems through new features and anti-exploitation techniques. In addition, each team leverages a mature and comprehensive security development lifecycle process to ensure that security is always part of the process and not an afterthought.
5. Facial recognition will not ensure public safety and heres why – This is why it will never work: Detecting faces means also detecting emotions: if you look worried, angry or nervous, the machine will spot it, and think maybe, you’re up to no good…
6. WordPress 5.2 Brings New Security Features | SecurityWeek.Com – For the first release, WordPress will (by default) soft-fail if the signature is not valid. In future releases, the default will be configured to a hard failure. The reason for this unsafe default is to ensure updates aren’t blocked if there’s a bug in the update code, Okay great, you are validating software updates. WTF, is this really how attackers are exploiting WordPress? No. It’s through the plugins. Good solution, wrong problem to solve.
7. Hackers exploit Jenkins flaw CVE-2018-1000861 to Kerberods malware
8. Securing satellites: The new space race – Help Net Security – Okay, sign me up: For hackers with deeper pockets, they could realistically launch their own CubeSat into orbit and then conduct hacking operations from there. The benefits are primarily related to proximity to other satellites and not having to wait for a satellite to pass over the ground station to perpetrate an attack. Whatever the method, compromising a satellite is now a realistic and attainable opportunity for hackers.
9. MobileIron introduces zero sign-on technology to eliminate passwords – Help Net Security
10. How to Communicate Privately in the Age of Digital Policing
11. Alpine Linux Docker Images Shipped for 3 Years with Root Accounts Unlocked – This is not a big deal for two reasons: 1) Most Alpine containers do not contain a shell (and certainly you can configure them that way), minimizing the likelyhood that PAM can even be accessed to exploit this flaw 2) This only gets you “root” inside the container, not the host system or any other containers.
12. Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers – VICE
13. San Diego man arrested after rifle-shaped bong causes gun scare – I mean okay, for one marijuana is legal in CA. Two, I mean people in CA love their weed, so I can see people getting bored and being like “Dude, ya know man, we should get a bong that’s a rifle, like a rifle bong”. And if you do that in comfort of your own home, not having to drive or have much other responsibilities, I’m cool with it. However, they smoked out of this thing in a hotel room in full view of a WINDOW. Common sense was absent that day.
14. ‘Software delivered to Boeing’ now blamed for 737 MAX warning fiasco
15. Israel Neutralizes Cyber Attack by Blowing Up A Building With Hackers
16. Extinguishing the IoT Insecurity Dumpster Fire
17. Microsoft Windows 10 will get a full built-in Linux Kernel for WSL 2 – If you’re going to run Linux, just run Linux… I do want to see a lower cost device, that actually works, that is a small computer that sits in a PCIe slot that you can run Linux on. Heck, I run Linux and I’d still buy one just to have an extra Linux box in my computer.
18. Amazon workers purloin $100,000 worth of Apple Watches | Cult of Mac

Larry’s Stories

1. Tenants win rights to have physical keys over smart locks
2. backdoor getting commands from exchange
3. Russians compromise three major AV companies
4. Ever, a photo storage and backup app, reportedly used millions of images uploaded to the service to train a commercial facial recognition system that it offers to law enforcement and private companies. The problem, according to NBC News, Ever didn’t disclose this to its app users.
5. One week after a researcher revealed a publicly configured database exposing more than 275 million sensitive records on Indian citizens, a hacking group removed that data and replaced it with an apparent ransom note.

Jeff’s Stories

1. Tribe of Hackers Summit The event was live streamed, so here’s the whole enchilada (I’m sorry, taco)
2. Freedom Mobile Server Leak Exposed Customer Data Log files, that explains it. But why were they passed to a third party?
3. No Reason to Ship Credit Card Data to Third Parties, Says Former Freedom Mobile CISO So much wrong with what is described here – and all fingers point to Freedom Mobile not the third party
4. “RobbinHood” ransomware takes down Baltimore City government network

Lee’s Stories

1. Microsoft WSL 2 Announced WLS 2 will include a Linux kernel, with better integration. Still includes Debian package manager.
2. Discontinued Insulin pump with security flaw in high demand Users are hacking old Insulin pumps, using OpenAPS, to provide looping of insulin for better quality of life.

Johnny’s Stories

1. Airbnb Superhost Secretly Recorded Guests with Hidden Bedroom Camera The article states: “The unfortunate guest told local news outlets that she worked in information security, and so was more vigilant than the average person when it came to always checking her hotel rooms for signs of surveillance devices. After inspecting and unscrewing the router, the guest found that there was a digital memory card inside.” – Honestly, amazing discovery of a hidden camera. Who would think to look inside the router, finding a hidden cam, and then finding out the AirBnB host was filming people in the bedroom since March 19′. Hats off, and check your s#&*!!

Full Show Notes

Follow us on Twitter: https://www.twitter.com/securityweekly

http://traffic.libsyn.com/sw-all/Security_News_-_Pauls_Security_Weekly_603_converted.mp3