Malware, Vulnerability management, Security awareness

Unearthed Easter Eggs, Black Hat/DEF CON Talks, Decrypting Oz, & 27 Factor Auth – PSW #751

In the Security News: key fob hacks and stealing cars, the best Black Hat and DEF CON talks of all time, open redirects are still open, the keys to decrypt the Wizard of Oz are in a strange place, why the Linux desktop sucks, why businesses should all switch to Linux desktops, SGX attacks, let me send you an Uber to take you to the bank, 27-factor authentication, start your management engines, and guess what, your DMs are not private and you should have used Signal.

Full episode and show notes

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Paul Asadoorian
Founder at Security Weekly
  1. The best Black Hat and DEF CON talks of all time - Do you agree with this list?
  2. Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers - When there is a buffer overflow in your login CGI script, LOLz will ensue.
  3. Businesses should dump Windows for Linux - Windows gets too much malware, just switch to Linux, agree? Okay?
  4. Open Redirect Flaw Snags Amex, Snapchat User Data - For the love of all things, please fix your open redirects! "Attackers took advantage of redirect vulnerabilities affecting American Express and Snapchat domains, the former of which eventually was patched while the latter still is not, researchers said."
  5. Scientists hid encryption key for Wizard of Oz text in plastic molecules
  6. Main Linux problems on the desktop, 2022 edition or why Linux sucks on the desktop - If you read this article you will never want to run Linux as your desktop OS. I read it, but I will still use Linux as my "daily driver". While Linux has issues, not gonna lie because it does, so do other operating systems, hardware, and firmware. You can't escape the technology fiasco just based on your choice of OS alone.
  7. Intel Patches Severe Vulnerabilities in Firmware, Management Software - WTH does this mean: "CVEID: CVE-2022-30601 - Description: Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially enable information disclosure and escalation of privilege via network access." - Does it send credentials in clear text that you can snag and then log in with? Again, escalation of privilege and authentication bypass are different things.
  8. Technion Hackers Expose Dangerous Vulnerabilities in Siemens PLC Firmware - Technion in Haifa has successfully broken into Siemens' Simatic S7.
  9. SGX, Intel's supposedly impregnable data fortress, has been breached yet again - "ÆPIC Leak enables attacks against SGX enclaves on Ice Lake CPUs, forcing specific data into caches and leaking targeted secrets," the researchers wrote. "We show attacks that allow leaking data held in memory and registers. We demonstrate how ÆPIC Leak completely breaks the guarantees provided by SGX, deterministically leaking AES secret keys, RSA private keys, and extracting the SGX sealing key for remote attestation."
  10. Microsoft confirms 'DogWalk' zero-day vulnerability has been exploited
  11. Kali Linux 2022.3 adds 5 new tools, updates Linux kernel, and more
  12. Microsoft August 2022 Patch Tuesday fixes exploited zero-day, 121 flaws
  13. Microsoft Patches Zero-Day Actively Exploited in the Wild
  14. Slack exposed hashed passwords for years
  15. Emergency Alert System Flaws Could Let Attackers Transmit Fake Messages
  16. Twitter admits to being hacked
  17. Scammers Sent Uber to Take Elderly Lady to the Bank - This is a crazy scam: "They took control of her screen and said they had accidentally transferred $160,000 into her account," Hardaway said. "The person on the phone told her he was going to lose his job over this transfer error, that he didn't know what to do. So they sent her some information about where to wire the money, and asked her to go to the bank. But she told them, 'I don't drive,' and they told her, 'No problem, we're sending an Uber to come help you to the bank.'"
  18. DHS warns of critical flaws in Emergency Alert System devices
  19. Cisco Business Routers Found Vulnerable to Critical Remote Hacking Flaws
  20. Universities Put Email Users at Cyber Risk
  21. New Malware Can Access Your Gmail Inbox Without Your Password Or 2FA
  22. Stephen Lacy on Twitter - "Currently over 35k repositories are infected - So far found in projects including: crypto, golang, python, js, bash, docker, k8s - It is added to npm scripts, docker images and install docs" - And this is why we can't have nice things, or rather why we will need 27-factor authentication, signed commits, and signed code updates...
  23. Hackers knock out 7-Eleven stores in Denmark
  24. Firmware Security Realizations – Part 2 – Start Your Management Engine - File this in the "almost everything you ever needed or wanted to know about Intel ME/AMT" category. I spent A LOT of time pulling all of this information together on Intel ME. Full of open-source tools and examples of how to discover ME vulnerabilities on your systems and more!
  25. Scammers Sent Uber to Take Elderly Lady to the Bank – Krebs on Security
Josh Marpet
Executive Director at RM-ISAO
  1. Facebook DMs, private? Or not? - Facebook gave up a teen's DMs to police, under subpoena, to prosecute her and her mother. The crime? The teen was getting an abortion.
  2. First DEF CON? - Guide for a first-time DEF CON visitor. Not bad.
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory