Name: Unearthed Easter Eggs, Black Hat/DEF CON Talks, Decrypting Oz, & 27 Factor Auth – PSW #751
Uploaded: 2022-08-10T00:00:00.000-04:00
Description: Unearthed Easter Eggs, Black Hat/DEF CON Talks, Decrypting Oz, & 27 Factor Auth – PSW #751

In the Security News, key fob hacks and stealing cars, the best Black hat and defcon talks of all-time, open redirects are still open, the keys to decrypt the wizard of oz are in a strange place, why the Linux desktop sucks, why businesses should all switch to Linux desktops, SGX attacks, let me send you an Uber to take you to the bank, 27-factor authentication, start your management engines, and guess what, your DMs are not private and you should have used Signal.

Featured image for Unearthed Easter Eggs, Black Hat/DEF CON Talks, Decrypting Oz, & 27 Factor Auth – PSW #751 segment from PPWorks

Don't miss any of your favorite Security Weekly content! Visit <a rel="noopener" target="_blank" href="https://securityweekly.com/subscribe">https://securityweekly.com/subscribe</a> to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media &amp; our streaming platforms!

Subscribe

We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting <a rel="noopener" target="_blank" href="https://securityweekly.com/guests">https://securityweekly.com/guests</a> and completing the form!

Suggest A Guest

Don't forget to check out our library of on-demand webcasts &amp; technical trainings at securityweekly.com/ondemand.

Webcasts/Trainings/OnDemand

Facebook gave up a teen's DM's to police, under subpoena, to prosecute her and her mother. The crime? The teen was getting an abortion. 

Facebook DM’s, private? Or not?

The best Black Hat and DEF CON talks of all time

I Tried the Honda Key Fob Hack on My Own Car. It Totally Worked

Guide for a first time defcon visitor. Not bad.

First Defcon?

When there is a buffer overflow in your login CGI-script LOLz will ensue.

Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers

The arcade world’s first Easter egg discovered after fraught journey

Windows gets too much malware, just switch to Linux, agree? Okay?

Businesses should dump Windows for Linux

28 years later, Super Punch-Out!!’s 2-player mode has been discovered

For the love of all things please fix your open redirects! "Attackers took advantage of redirect vulnerabilities affecting American Express and Snapchat domains, the former of which eventually was patched while the latter still is not, researchers said."

Open Redirect Flaw Snags Amex, Snapchat User Data

Washington Post Hacked into a Chevy Volt to Show How Much Cars Are Spying on Their Owners

Scientists hid encryption key for Wizard of Oz text in plastic molecules

Supposedly Quantum Resistant Encryption Cracked by Basic-Ass PC

If you read this article you will never want to run Linux as your desktop OS. I read it, but I will still use Linux as my "daily driver". While Linux has issues, not gonna lie because it does, so do other operating systems, hardware, and firmware. You can't escape the technology fiasco just based on your choice of OS alone.

Main Linux problems on the desktop, 2022 edition or why Linux sucks on the desktop

Slack resets passwords after exposing hashes in invitation links

WTH does this mean: "CVEID: CVE-2022-30601 - Description: Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially enable information disclosure and escalation of privilege via network access." - Does it send credentials in clear-text that you can snag and then login? Again, the escalation of privilege and authentication bypass is different.

Intel Patches Severe Vulnerabilities in Firmware, Management Software

All information is provided for educational purposes only. Follow these instructions at your own risk. Neither the authors nor their employer are responsible

Intel Microcode Decryptor

Technion in Haifa has successfully broken into Siemens’ Simatic S7

Technion Hackers Expose Dangerous Vulnerabilities in Siemens PLC Firmware

"“ÆPIC Leak enables attacks against SGX enclaves on Ice Lake CPUs, forcing specific data into caches and leaking targeted secrets,” the researchers wrote. “We show attacks that allow leaking data held in memory and registers. We demonstrate how ÆPIC Leak completely breaks the guarantees provided by SGX, deterministically leaking AES secret keys, RSA private keys, and extracting the SGX sealing key for remote attestation.”"

SGX, Intel’s supposedly impregnable data fortress, has been breached yet again

Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited

Kali Linux 2022.3 adds 5 new tools, updates Linux kernel, and more

Microsoft August 2022 Patch Tuesday fixes exploited zero-day, 121 flaws

Microsoft Patches Zero-Day Actively Exploited in the Wild

Slack exposed hashed passwords for years

Emergency Alert System Flaws Could Let Attackers Transmit Fake Messages

Twitter admits to being hacked

This is a crazy scam: "They took control of her screen and said they had accidentally transferred $160,000 into her account,” Hardaway said. “The person on the phone told her he was going to lose his job over this transfer error, that he didn’t know what to do. So they sent her some information about where to wire the money, and asked her to go to the bank. But she told them, ‘I don’t drive,’ and they told her, “No problem, we’re sending an Uber to come help you to the bank.'"

Scammers Sent Uber to Take Elderly Lady to the Bank

DHS warns of critical flaws in Emergency Alert System devices

Cisco Business Routers Found Vulnerable to Critical Remote Hacking Flaws

Universities Put Email Users at Cyber Risk

New Malware Can Access Your Gmail Inbox Without Your Password Or 2FA

"Currently over 35k repositories are infected - So far found in projects including: crypto, golang, python, js, bash, docker, k8s - It is added to npm scripts, docker images and install docs" - And this is why we can't have nice things, or rather why we will need 27-factor authentication, signed commits, and signed code updates...

Stephen Lacy on Twitter

Hackers knock out 7-Eleven stores in Denmark

File this in the "almost everything you ever needed or wanted to know about Intel ME/AMT" category. I spent A LOT of time pulling all of this information together on Intel ME. Full of open-source tools and examples of how to discover ME vulnerabilities on your systems and more!

Firmware Security Realizations – Part 2 – Start Your Management Engine

Scammers Sent Uber to Take Elderly Lady to the Bank – Krebs on Security

Paul's Security Weekly

If you&#8217;re looking for a bunch of us security nerds to get together and talk shop, then Paul’s Security Weekly is for you. This show features interviews with folks in the security community; technical segments, which are just that, very technical; and security news, which is an open discussion forum for the hosts to express their opinions about the latest security headlines, breaches, new exploits and vulnerabilities, “not” politics, “cyber” policies and more. The topics vary greatly and the atmosphere is relaxed and very conversational. This is a longer show, typically 2+ hours, for those with a long commute.

Unearthed Easter Eggs, Black Hat/DEF CON Talks, Decrypting Oz, & 27 Factor Auth – PSW #751

Announcements

Hosts

Related

Surprise Cam Nudes, Staples, Turtle, Apple, 23andme, P2Pinfect, Gmail, Jason Woods – SWN #346

Chimera, Aliquippa, FNF, Lazarus, DARPA, Namedrop, Google, Aaran Leyland, and More – SWN #344

Cashwarp vs. Reptar, Rackspace, BlackCat, Bots, Aaran Leyland and More – SWN #343