Mobile, Intrusion detection, Email security, Social engineering

PSW #620

September 20, 2019

Jason Lang is the Sr. Security Consultant at TrustedSec, doing modern-day red teaming against some of the largest companies in the US. His current passion is Ansible for red teamers (i.e. fast infrastructure buildout).

To learn more about TrustedSec, visit: https://securityweekly.com/trustedsec

Visit https://www.securityweekly.com/psw for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page

Anything Red/Purple Teaming

Hosts

Joff Thyer

Joff Thyer – Security Analyst

Larry Pesce

Larry Pesce – Senior Managing Consultant and Director of Research

Lee Neely

Lee Neely – Senior Cyber Analyst

Paul Asadoorian

Paul Asadoorian – Founder & CTO

Guests

Jason Lang

Jason Lang – worked on TrustedSec’s Adversary Emulation and Threat Research team. His job is red teaming, purple teaming, and pentesting. Jason has been in infosec for 10+ years, with over 5 years in offensive security / pentesting. He has a background in enterprise. He enjoys coding in C#, PowerShell, and Python – DerbyCon speaker/trainer – “Amish Hacker”. He lives in the middle of nowhere. Jason enjoys woodworking, fly fishing, and beekeeping.

Announcements

  • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will receive 1 CPE credit per webcast! Register for one of our upcoming webcasts with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand.
  • Security Weekly will be at Hacker Halted in Atlanta, GA this October 10th-11th! EC-Council is offering our listeners a $100 discount to attend the two-day conference. Use discount code HH19SW when you register, or go to securityweekly.com/hackerhalted and register there! Make sure you check out the keynote (Paul Asadoorian) and Mr. Jeff Man’s talk as well!

In the Security News: how an iOS 13 flaw could provide access to contacts without a passcode, Equifax demands more information before making payouts, confidential data of 24.3 million patients was discovered online, and a SIM flaw that lets hackers hijack any phone by sending an SMS!

iOS, Equifax Is Back, & phpMyAdmin CSRF Zero-Day

Larry’s Stories

  1. Update on the Coalfire pentesters…
  2. WeWork WiFi – Documents sent on WeWork’s unsecured network included financial records, bank account credentials and a cat photo of Nicolas Cage. Play stupid games, win stupid prizes.
  3. GitHub Acquires Semmle – does that mean we now get free code audits?
  4. Snowden sued for his memoir – because he did not submit it to the publications office first…
  5. MITRE updates the CWE Top 25

Lee’s Stories

  1. iOS 13 Flaw Could Provide Access to Contacts without Passcode – iOS 13 flaw discovered in a beta product. Likely fixed in iOS 13.1, scheduled for release September 20.
  2. Entercom Radio Network Deals with Ransomware-Like Incident – Malware infection stemming from the programming department has spread. Internal memo released prohibiting external discussion of the issue.
  3. SIM Flaw Lets Hackers Hijack Any Phone by Sending SMS – Exploits a vulnerability in the S@T Browser to obtain location and IMEI information. The fix will require updated (replacement) SIM cards.
  4. Equifax Demands More Information Before Making Payouts – While the Equifax settlement is out there, those signed up for payments are being asked more questions before payment is agreed to…
  5. LastPass Fixes Password-Leaking Flaw – The LastPass browser plugin could expose credentials when used with Opera or Chrome. Update to 4.33.0 to resolve the problem.
  6. Cyber Fraud Hits Superannuation – As much as $10M AUD was stolen by a fraud and ID theft syndicate. Stolen funds were laundered through cryptocurrency and untraceable assets back to Australia.
  7. phpMyAdmin CSRF Zero-Day – CVE-2019-12922, a CSRF vulnerability in phpMyAdmin, can be used to delete any server configured through the setup panel. User interaction is required to exploit. Not patched yet.
  8. Confidential Data of 24.3 Million Patients Discovered Online – 590 of 2300 medical imaging systems analyzed worldwide were found to be insecure, revealing X-rays, CT scans, MRI scans, etc., plus full names, DOB, exam dates and associated data. 39 servers had neither access control nor HTTPS access.
  9. CFPB Probes Fake Credit Card Accounts at Bank of America – BofA accused of opening accounts without user consent, reminiscent of Wells Fargo. BofA also not collecting signatures of intent for account openings.
  10. Google Calendars Possibly Leaking Private Information Online – Shared Google Calendars are indexed by Google’s search engine, and the links to the indexed content are public. Accessing the link can be used to read/update the corresponding calendar. Review your calendar sharing settings.
  11. CookieMiner Malware Targets Mac, Steals Passwords and SMS Messages, Mines for Cryptocurrency – Hunts for files containing passwords, web auth tokens, and private keys for cryptocurrency wallets. Mines for Koto, the Zcash-based cryptocurrency associated with Japan.
  12. New Report: AI Can’t Offer Protection from ‘Deepfakes’ – Beware of quick fixes; true detection is a complex problem, requiring social and technical fixes and detection capabilities.

Wes Widner is the Cloud Engineering Manager at CrowdStrike. Wes will be talking about how personal voice assistants are the wave of the future, so naturally we should wonder about the unique attack vectors they pose. He will discuss his research into this field and share a few tips on how you can keep yourself safe around voice assistants.

Full Show Notes: https://wiki.securityweekly.com/Episode620

Audio Security

Segment Resources:
https://github.com/kai5263499/audio-security-awesome

Guests

Wes Widner

Wes Widner – engineers clouds with CrowdStrike. Large-scale distributed threat intelligence systems that span a range of threat vectors are his bread and butter. His work history includes data engineering with McAfee Labs’ Global Threat Intelligence department and malware pipelining with Norse Corporation. In his ample spare time, Wes also enjoys teaching children how to hack, ethically of course.