Teen Hackers, WTF Apple, Finding iPhones, & Getting Wise to Wyze – PSW #735
In the Security News for this week: Ransomware that was a breeze, getting an eyeful while charging your electric vehicle, scanning for secrets, find my iPhone is useful, WTF Apple moments and why I run Linux, Wyze is not very wise, stopping teen hackers, ranking endpoint detection, & more!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
Paul Asadoorian
Principal Security Evangelist at Eclypsium
- 1. A cyber attack forced the wind turbine manufacturer Nordex Group to shut down some of IT systems - "Nordex did not disclose technical details of the cyberattack, but the fact that it was forced to shut down part of its IT infrastructure suggests that it fell victim to a ransomware attack."
- 2. Electric Vehicle Chargers Hacked to Show Porn - Gives a whole new meaning to a supply chain attack: "We are saddened to learn that a third-party web address displayed on our electric vehicle (EV) signage appears to have been hacked."
- 3. Peace through Pegasus: Jordanian Human Rights Defenders and Journalists Hacked with Pegasus Spyware – The Citizen Lab
- 4. GitHub Advanced Security: Introducing security overview beta and general availability of secret scanning for private repositories - Nice: "Expanded secret scanning’s pattern coverage to cover tokens from more than 35 partners, Added an API and webhooks for secret scanning alerts, Started sending notifications to commit authors (as well as admins) when they commit secrets"
- 5. Hackers have found a clever new way to steal your Microsoft 365 credentials
- 6. Cash App notifies 8.2 million US customers about data breach
- 7. Establishment of the Bureau of Cyberspace and Digital Policy – United States Department of State - "The CDP bureau includes three policy units: International Cyberspace Security, International Information and Communications Policy, and Digital Freedom."
- 8. Ukrainians use ‘Find My iPhone’ to see where Russians took their stolen Apple devices - "Thefts include technology, allowing Ukrainians to use Apple's 'Find My iPhone' feature to track troop movements." "Ukrainians are locating their devices on the territory of the Homiel region, Belarus, where part of the Russian army retreated" - You'd think that tech stolen by Russian troops would go into RF shielding bags/cases, but no, they are being tracked (thankfully).
- 9. Apple Neglects to Patch Two Zero-Day, Wild Vulnerabilities for macOS Big Sur, Catalina – The Mac Security Blog - This is why I run Linux (and no, not because it does not have vulnerabilities, but at least MOST security issues are out in the open and at least there if you look for them).
- 10. Results Overview: 2022 MITRE ATT&CK Evaluation – Wizard Spider and Sandworm Edition - Interesting to see the results, Microsoft coming in at #6 especially.
- 11. Vulnerabilities Identified in Wyze Cam IoT Device - It seems like the authentication bypass has not yet been fixed, but the other two issues were addressed. But get this, Wyze did a terrible job handling the disclosure. Also, Bitdefender was generous and gave them like 18 months before they published. This is one hot mess for sure.
- 12. I’m done with Wyze
- 13. A Former Teen Hacker Explains Why It’s So Hard to Stop Teen Hackers - Actually, he (Marcus Hutchins who is interviewed for this article) doesn't explain it at all but does provide some insights.
- 14. Critical GitLab vulnerability lets attackers take over accounts
- 15. Cybercriminals Fighting Over Cloud Workloads for Cryptomining
Joff Thyer
Security Analyst at Black Hills Information Security
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element