Data security, Vulnerability management

Yard Sales, Bitcoin Thief Charged, Mouse Privilege Escalation, & LED Eavesdropping – PSW #708

This week in the Security News: Some describe T-Mobile security as not good, if kids steal bitcoin just sue the parents, newsflash: unpatched vulnerabilities are exploited, insiders planting malware, LEDs can spy on you, hacking infusion pumps, PRISM variants, 1Password vulnerabilities, plugging in a mouse gives you admin, & yard sales!

Full episode and show notes


  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit to register now!

  • Don't forget to check out our library of on-demand webcasts & technical trainings at


Paul Asadoorian
Founder at Security Weekly
  1. Man Robbed of 16 Bitcoin Sues Young Thieves’ Parents – Krebs on Security - Interesting: "Mark Rasch, a former prosecutor with the U.S. Justice Department, said the plaintiff is claiming the parents are liable because he gave them notice of a crime committed by their kids and they failed to respond. “A lot of these crimes are being committed by juveniles, and we don’t have a good juvenile justice system that’s well designed to both civilly and criminally go after kids,” Rasch said."
  2. Linux Attackers Take Advantage of Unpatched Vulnerabilities - "“The answer to the question of why so many systems are still running end-of-life versions of Linux distributions is patching, misconfigurations and software-defined infrastructure,” explained Aaron Ansari, vice president of cloud security at Trend Micro. “People start out with outdated images, or misconfigure them or never patch them due to inability or fear of breaking the custom app.”"
  3. Cybercriminals Inducing Insiders to Plant Malware - Is training and awareness enough? - "The takeaway here is that companies should expect to see more of these types of pitches, both cold and warm, via email and other communication mediums. Why? Because they are effective, even if the batting average is below .200. The cost for cybercriminals to engage is low, and every success produces an attractive ROI. Provide your employees with triage training and a path to report when that proverbial knock sounds at their door."
  4. Firmware: Beyond Securing the Software Stack - I'd say this must be part of your vulnerability and patch management programs today. Malware already exists that exploits firmware, so, there's that.
  5. CERIAS – Center for Education and Research in Information Assurance and Security
  6. F5 Bug Could Lead to Complete System Takeover
  7. From Pearl to Pegasus: Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits – The Citizen Lab
  8. Google, Amazon, Microsoft unveil massive cybersecurity initiatives after White House meeting
  9. How Data Brokers Sell Access to the Backbone of the Internet - But the data can be used for good too! - "Thanks to Team Cymru for providing access to their Pure Signal Recon product. Their tool’s ability to show Internet traffic telemetry from the past three months provided the breakthrough we needed to identify the initial victim from Candiru’s infrastructure," the report reads. - This is netflow data...
  10. Security and compliance still a challenge for container architectures – Help Net Security
  11. How do I select an automated red teaming solution for my business? – Help Net Security
  12. Details Disclosed for Zoom Exploit That Earned Researchers $200,000
  13. New iOS Zero-Click Exploit Defeats Apple ‘BlastDoor’ Sandbox
  14. Top 10 Things You Must Do to Avoid Getting Hacked - Not a bad list, one that I would use to have a conversation with users and/or develop a security policy. Multi-factor, password vault, keep software updated, use something other than SMS for 2nd factor, don't install random crap software from the Internet (and browser extensions too).
  15. IoT devices are insecure by default
  16. HP OfficeJet 4630/7110 MYM1FN2025AR 2117A Cross Site Scripting - Stored XSS in a printer, could be an interesting sleeper attack? Not sure what else you could get other than the creds to the printer, if they have any to begin with...
  17. Watch as hackers disrupt Iran’s prison computers; leak live footage
  18. Get a Free SSL Certificate From AWS
  19. Will Low-Code Development Lead to Security Problems and Data Breaches?
  20. Vulnerability allowed hackers to tamper medication in infusion pump - No details, but an interesting video: - Looks like how some of the AV gear is configured, as there is no authentication (or it is easily bypassed) and you can interact with the device and send commands, causing the device to behave differently in the real world.
  21. AWS privilege escalation: exploring odd features of the Trust Policy
  22. How Threat Detection is Evolving
  23. People shouldn’t care about privacy - The use-cases for fully homomorphic encryption are interesting, but also the limiting factor as many different data types and processes will actually need to read your data, therefore you should still care about privacy: "Preventive Medicine: Imagine knowing in advance what you need to do to stay healthy throughout your life. This is increasingly possible with AI but requires sharing all your health data — everything from your DNA to your medical history to your lifestyle habits. With FHE, you could send all of this data in encrypted form, and the AI would respond with encrypted health recommendations that you alone could see. Facial Recognition: From science fiction to the palm of your hand, facial recognition is now a part of our everyday experience. We use facial recognition to enter buildings, to unlock our phones, to tag people in pictures, and soon, to log in to websites everywhere. This, however, requires your biometric fingerprint to be on file, which, in the wrong hands, can be used to impersonate you. With FHE, you could authenticate yourself securely, without anybody being able to steal this biometric data. Voice Assistants: Every time you or someone in your family speaks to Siri, Alexa, or Google Assistant, personal information is sent to the companies behind them. With FHE, your voice query would be sent encrypted to your AI assistant, and they could respond without actually knowing what you asked! This means you would no longer have to worry about your family’s data being misused or stolen. It would no longer matter if you had microphones in the most sensitive places in your home because nobody would be able to listen to what you say."
  24. Microsoft Breaks Silence on Barrage of ProxyShell Attacks
  25. New variant of PRISM Backdoor ‘WaterDrop’ targets Linux systems - “The threat actor behind this variant has managed to maintain a zero or almost-zero detection score in VirusTotal for its samples and domains. This is most likely due to their campaigns being fairly small in size. The waterdropx[.]com domain was registered to the current owner on August 18, 2017, and as of August 10, 2021, it was still online,” - "We have conducted further investigation of the samples and discovered that several campaigns using these malicious executables have managed to remain active and under the radar for more than 3.5 years. The oldest samples Alien Labs can attribute to one of the actors date from the 8th of November, 2017." - It's HTTP and it's using a specific User-Agent, I would think this could be easily detected...
  26. Phishing campaign uses XSS vuln to distribute malware
  27. 1Password Secret Retrieval — Methodology and Implementation - In-depth technical article that details what was tried and what worked to accomplish this: "This .NET application is built on the same version of the CLR (4.7.2) the latest 1Password binary uses at the time of upload (8/13/21). This binary gets function pointers to various critical functions responsible for decrypting secrets within the 1Password SQLite database and waits until the 1Password application is unlocked by the user. Once unlocked, it writes the results as a JSON array to C:\Users\Public\1Password.log for you to view and parse."
  28. Razer bug lets you become a Windows 10 admin by plugging in a mouse - "When the Razer Synapse software is installed, the setup wizard allows you to specify the folder where you wish to install it. The ability to select your installation folder is where everything goes wrong. When you change the location of your folder, a 'Choose a Folder' dialog will appear. If you press Shift and right-click on the dialog, you will be prompted to open 'Open PowerShell window here,' which will open a PowerShell prompt in the folder shown in the dialog." - I also saw on Twitter a theory that you could do this with any programmable USB device, like a rubber ducky...
Jeff Man
Information Security Evangelist at Online Business Systems
Joff Thyer
Security Analyst at Black Hills Information Security
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
  1. Linux turns 30: Linus Torvalds on his “just a hobby” operating system - Thank you Gus! In 1991, Unix was an important but secondary x86 operating system. That year, on August 25, a mild-mannered Finnish graduate student named Linus Benedict Torvalds announced on the Usenet group comp.os.minix that he was working on "a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones." No one knew it, not even Torvalds, but the technology was going to change forever.
  2. Cloudflare thwarts 17.2M rps DDoS attack — the largest ever reported - Earlier this summer, Cloudflare’s autonomous edge DDoS protection systems automatically detected and mitigated a 17.2 million request-per-second (rps) DDoS attack, an attack almost three times larger than any previous one that they are aware of. For perspective on how large this attack was: Cloudflare serves over 25 million HTTP requests per second on average. This refers to the average rate of legitimate traffic in 2021 Q2. So peaking at 17.2 million rps, this attack reached 68% of their Q2 average rps rate of legitimate HTTP traffic.
Tyler Robinson
Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security