Mailing USBs, DoS in DoorLock, Moxie Resigns, QR Code Mystery, & Jarring Revelations – PSW #723
This week in the Security News: Attacking RDP (from the inside), NetUSB exposed, the old mailing USB drives trick, a persistent DoS in your doorLock, Signal gets a new CEO, attacking the patching software, where does that QR code go, we heard you liked cryptominers, Pluton will fix that and retiring from a jarring career, & more!
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
We had an absolute blast putting together this year's SW Unlocked virtual event! All presentations are now available on-demand for your viewing pleasure. Please visit https://securityweekly.com/unlocked to register and watch now!
Seems they are getting hammered on this point: "It’s not even that Signal is choosing to tie itself to a specific blockchain currency. It’s that adding a cryptocurrency to an end-to-end encrypted app muddies the morality of the product, and invites all sorts of government investigative and regulatory meddling: by the IRS, the SEC, FinCEN, and probably the FBI." - I don't believe this is why Moxie left, I think he created something truly awesome (and private AND secure) and needs to move on to find another challenge...
"Lacework Labs researcher Greg Foss (@35Foss) spent some time analyzing the Automox Windows agent and ultimately discovered a local privilege escalation flaw with a CVSS score of 7.8 (High) due to how the agent handles PowerShell script execution at run-time."
What could go wrong? Buffer overflow for one: "The module enables remote devices to connect to routers over IP and access any USB devices (such as printers, speakers, webcams, flash drives and other peripherals) that are plugged into them. This is made possible using the proprietary NetUSB protocol and a Linux kernel driver that launches a server, which makes the USB devices available via the network. For remote users, it’s as if the USB devices are physically plugged into their local systems."
"The QR codes found by Austin police department directed unsuspecting users to a fraudulent website which would ask for payment details with the false promise that their parking session would be paid for. The City of Austin checked its parking meters after being notified of a similar QR code scam by officials in San Antonio. They had discovered over 100 parking meters similarly stickered in late December."
"This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards. This could lead to data privacy issues, lateral movement and privilege escalation."
"According to reports, the cryptocurrency miner was included in the Norton antivirus in June last year to help Norton 360 users earn some extra bucks from their graphics card. The tool is called Norton Crypto, and it mines Ethereum. Users can keep 85% of the cut while the remaining goes to NortonLifeLock."
Oops: "However, it was also discovered that the hacking group had managed to also infect its own development machine, and the RAT had captured the criminals’ own keystrokes alongside screenshots of their own computers."
Sounds like a challenge: "Pluton is designed to fix all of that. It’s integrated directly into a CPU die, where it stores crypto keys and other secrets in a walled-off garden that is completely isolated from other system components. Microsoft has said that the data stored there can’t be removed, even when an attacker has installed malware or has full physical possession of the PC."
Product Security Research and Analysis Director at Finite State
A persistent denial of service vulnerability affecting iOS 15.2 - iOS 14.7 (and likely through 14.0), triggered via HomeKit.
It can be triggered by changing a HomeKit device's name to a string longer than 500,000 characters. According to Trevor Spiniolas, who uncovered the flaw, once the string is loaded, iOS and iPadOS will reboot and become unusable.
Storage devices from various vendors are reportedly affected by two vulnerabilities (CVE-2021-36750 and CVE-2021-36751) uncovered in third-party encryption software used by all of the manufacturers; they could be exploited to conduct brute-force attacks and obtain users' passwords. Potential for brute forcing accounts. Requires local access.
Researchers say that after conducting a study of 16 different Uniform Resource Locator (URL) parsing libraries, they found that those libraries contained "inconsistencies and confusions" that could be exploited by attackers to bypass validations and create a variety of attack vectors.
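One defensive takeaway from parser-confusion research is not to emulate every parser, but to refuse URLs whose host changes depending on how they are read. The check below is an added example, not code from the study; it parses a URL once with Python's strict urlsplit() and once after applying two WHATWG-style rules (backslash as slash, extra leading slashes collapsed) that the standard library does not apply, and flags any URL where the two hosts disagree. Only those two rules are modelled, and the allowlist is a made-up sample.

```python
from urllib.parse import urlsplit

# Schemes the WHATWG URL spec treats as "special" (slash-normalising).
SPECIAL_SCHEMES = {"http", "https", "ftp", "ws", "wss"}


def whatwg_style_normalize(url: str) -> str:
    """Apply two WHATWG rules that urlsplit() does not, for special schemes:
    a backslash is treated as a slash, and any run of slashes right after
    'scheme:' collapses to exactly '//'. Assumption: only these two rules
    are modelled here; the real spec contains many more."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() not in SPECIAL_SCHEMES:
        return url
    rest = rest.replace("\\", "/")
    rest = "//" + rest.lstrip("/")
    return f"{scheme.lower()}:{rest}"


def check_url(url: str) -> dict:
    """Compare the host seen by a strict parser with the host a lenient,
    browser-like parser would see. A mismatch means an allowlist decision
    made on one host could be fetched against the other."""
    strict_host = urlsplit(url).hostname
    lenient_host = urlsplit(whatwg_style_normalize(url)).hostname
    return {
        "strict_host": strict_host,
        "lenient_host": lenient_host,
        "ambiguous": strict_host != lenient_host,
    }


def allowed(url: str, allowlist: set) -> bool:
    """Allow a URL only if its host is unambiguous AND on the allowlist."""
    result = check_url(url)
    return (not result["ambiguous"]) and result["strict_host"] in allowlist


if __name__ == "__main__":
    # Constructed sample inputs: one clean URL and two ambiguous ones.
    samples = [
        "https://good.example/api?q=1",
        "http://good.example\\@evil.example/",   # host differs on '\\'
        "http:///evil.example/x",                 # host differs on '///'
    ]
    for u in samples:
        print(u, "->", check_url(u), "allowed:", allowed(u, {"good.example"}))
```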
A vulnerability in Uber's email system allows just about anyone to send emails on behalf of Uber.
The vulnerability is in one of Uber's servers, which isn't properly sanitizing input, rather than in its email servers.
Four million outdated Log4j downloads were served from Apache Maven Central alone despite vuln publicity blitz.
Make sure your development and CI processes are using up-to-date libraries. Don't wait to qualify new versions.
Apache has released another Log4j version, 2.17.1, fixing a newly discovered remote code execution (RCE) vulnerability in 2.17.0, tracked as CVE-2021-44832. Apache is urging customers to upgrade as soon as possible to prevent exploitation. According to reports, the moderate-severity issue results from a lack of additional controls on JNDI access in Log4j.
Credential stuffing attacks, in which credentials obtained from third-party breaches unrelated to LastPass are tried against LastPass accounts, result in valid credentials being used from unusual locations, which are blocked.
Use unique passwords and enable MFA...
Shutterfly said on Dec. 26 that it was hit by a ransomware attack that struck portions of its network and interrupted elements of its Groovebook app, Lifetouch and BorrowLenses business, manufacturing operations, and some internal systems.
U.K. Minister of State for Security and Borders Damian Hinds has accused China, Iran, and Russia of conducting disinformation campaigns and of being involved in various other ways: spies on the ground, cyber attacks, soldiers on standby, and disinformation operations.
A deep-rooted cyber security culture is crucial, and it goes as far back as the hiring process…
10 years ago, a typical hiring process consisted of working your way through a checklist, hiring individuals based solely on a CV. Today, the ‘Simon Sinek’ culture is gaining more prevalence, with employers realizing that hiring the right person, rathe...
Despite certain economic indicators warning that a recession is on the horizon, investment remains healthy within the security market amid thirst for cloud security, in particular. One such emerging field is data security posture management (DSPM), which aims to bridge the gap between business goals and a comprehensive security mechanism that leave...
In the leadership and communications section, The Sacrificial CISO heralds a new age for cybersecurity, To Coach Leaders, Ask the Right Questions, How to Handle Criticism Gracefully: 12 Pro Tips, and more!