Nokia 9, Julian Assange, & Tenable – Paul’s Security Weekly #602

In the Security News, how Tenable experts found 15 flaws in wireless presentation systems, Julian Assange refused extradition to the US, PoC exploits for old SAP configuration flaws increase the risk of attacks, and how 1.75 million dollars was stolen from a church through a phishing attack!

Paul's Stories

  1. Open source security: The risk issue is unpatched software, not open source use - Some selection bias here: The 2019 Open Source Security and Risk Analysis (OSSRA) report, produced by the Synopsys Cybersecurity Research Center (CyRC), examines the results of more than 1,200 audits of commercial applications and libraries, performed by the Black Duck Audit Services team. The report highlights trends and patterns in open source use, as well as the prevalence of both insecure open source components and license conflicts. However, the bias could mean the problem is even worse. The survey is based on organizations that, perhaps, believed the problem was so bad they paid for an audit. You could also theorize that some were forced to have an audit, either for compliance reasons or because someone had evidence to believe the problem was so bad that they needed external auditors to tell everyone how bad the problem is...
  2. Tenable experts found 15 flaws in wireless presentation systems - “Tenable found multiple vulnerabilities while investigating a Crestron AM-100. Tenable also discovered that the Crestron AM-100 shared a code base with the Barco wePresent, Extron ShareLink, InFocus LiteShow, TEQ AV IT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, and possibly others.” This type of IoT gear especially lacks security controls, in our experience. The connectivity provided typically does not take any security measures into account or consider any threats. I believe much of the AV industry is in the "why would anyone want to hack these devices?" camp.
  3. Is a sticky label the answer to the IoT's security problems? - Secure by Design cleverly zeros in on three fundamental problems that bedevil IoT devices and device security in general. 1) “IoT device passwords must be unique and not resettable to any universal factory setting.” 2) “Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.” 3) “Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.”
  4. Assange Refuses Extradition to US; Long Legal Fight Expected - We did not communicate all of the details on this story, and even misspoke on a previous episode as this news was breaking. In fact, he is the subject of an extradition warrant, despite what we may have said in a previous show. A defiant Julian Assange told a London court Thursday he will fight extradition to the United States to face charges of conspiring to hack into a Pentagon computer, arguing that his work as WikiLeaks founder has benefited the public. Speaking by video link from Belmarsh Prison in southeast London, Assange said: “I do not wish to surrender myself for extradition for doing journalism that has won many awards and protected many people.”
  5. PoC Exploits for Old SAP Configuration Flaws Increase Risk of Attacks | SecurityWeek.Com - Shit's going down according to Onapsis: In 2005, SAP released a security note (821875) providing instructions on how users can properly set up an ACL for the Message Server. Four years later, the company released another security note (1408081) with instructions on how to properly configure the access list for the Gateway. Then, in 2010, it released another note (1421005) reinforcing the importance of properly configuring the Message Server ACL. However, Onapsis, a company that specializes in securing SAP and Oracle business applications, discovered that many organizations have still failed to properly configure their installations. The company warned last year that most SAP systems were vulnerable to attacks due to these misconfigurations. Exploits designed to target improperly configured systems were made public for the first time last month by two researchers who had a session on SAP configuration and architecture issues at the OPCDE cybersecurity conference in Dubai.
  6. 50,000 companies exposed to hacks of 'business critical' SAP...
  7. Evaluating the GDPR experiment | SC Media
  8. Security Doesn't Trust IT - and IT Doesn't Trust Security - The survey is almost too easy to pick on: Most (93%) practitioners polled say they face challenges. Securing new technologies is at the top of the list, with 48% of respondents saying it was an issue, followed by restrictive budgets (39%) and a lack of understanding between IT operations and security (35%), which tied with legacy systems. Eighty percent of those surveyed say digital transformation drives cybersecurity risk, with 73% reporting they are now more dependent on software than they were 12 months ago.
  9. Docker Hub database access compromises 190,000 accounts | SC Media
  10. Dell laptops and computers vulnerable to remote hijacks | ZDNet
  11. Attackers actively exploiting Atlassian Confluence and Oracle WebLogic flaws - Help Net Security
  12. Why Are We Still Celebrating World Password Day? - I like Frank a lot: Frank Dickson, a research vice president at IDC who covers security, says companies have relied on passwords for decades, plus they are easy and inexpensive to create. Moving to a system where developers bake more security into applications slows down time-to-market and takes a lot more planning and effort, he adds. But Dickson also says the industry tends to miss a really important point: "Better security is about 50% of the equation," Dickson says. "We tend to forget that we can create a better user experience by eliminating the password."
  13. Hackers lurked in Citrix systems for six months | ZDNet
  14. Why You Should Say Goodbye to Password Vaults - Ha! Looks like this article was taken down before I had a chance to read it (and pulled from the Google cache).
  15. Stop using free VPNs for privacy and security
  16. World's first laser radio transmitter/receiver paves way for ultra-high-speed Wi-Fi
  17. Wisconsin church distributes marijuana as sacrament - This is just really funny: church co-founder Jesse Schworck considers it a religious sacrament and part of the worship at a Rastafarian church in an old storefront near the University of Wisconsin-Madison campus. Its members use and distribute marijuana freely. That's really the only requirement for membership. "We all have to agree that we all break bread and use this one sacrament: cannabis," Schworck said. The church doesn't try to hide the marijuana use there. It is very open about it, even smoking right in the window for anyone on the street to see.

Larry's Stories

  1. Selling 0-day to groups like Fancy Bear, SandCat, and FruityArmor
  2. Critical security issues with Cisco Nexus switches
  3. RCE on most Dell computers
  4. Cartoon Network streaming services hacked to stream male strippers
  5. Retail hacks for CC data more lucrative than ever with card not present transactions
  6. DHS changes policy; now agencies must patch critical flaws found in systems in 15 days, not 30.
  7. The Citrix hack goes deeper than previously thought…and Equifax comes in to "help"

Lee's Stories

  1. "Virus Infection" Prevents access to patient records - Malware or ransomware? 190K records were not accessible due to the attack. The DR plan recovered the data.
  2. $1.75M Stolen by Crooks in Church BEC attack - St. Ambrose Catholic Parish in Cleveland was compromised through a phishing attack that convinced staff one of their contractors had a new bank account.
  3. Data Breach exposes data of 80 Million US Households - The origin of the breach is unknown; Microsoft has contacted the owner of the Azure cloud DB and removed public access. Yet another unsecured cloud database.
  4. CUNA calls for Substantial Data Security Legislation - The Credit Union National Association calls for Congress to treat data privacy as a national security issue, fix the weak links in the system, and set a strong federal data standard that preempts state laws.
  5. Taiwan Military holds 'Anti-Fake News' Exercises - This week, April 22-26, the Taiwanese military began the simulation phase of the 35th Han Kuang exercises, which include drills to combat disinformation and "fake news" online, to thwart disinformation campaigns from the Communist Party of China (CCP).
  6. Fingerprint Errors on over 200,000 Danish Passports - Danish authorities found errors in over 200,000 Danish passports: apparently the right- and left-hand fingerprints were swapped. Authorities are looking for a fix without making citizens pay for new passports. The Danish passport offers visa-free access to over 187 countries, making it one of the most attractive in the world.
  7. Nokia 9 bug allows unlock with - anything - Android 9 Pie update 4.22 likely introduced a bug that allows any fingerprint (or other objects) to unlock the device once one fingerprint is configured.
  8. Hackers are stealing millions in Bitcoin - Thieves use SIM swapping to get access to email and other data that allows access to cryptocurrency wallets, laundering millions.
  9. Online thief cracks private keys to steal $54m in ETH - Weak private keys used on the ETH blockchain allowed thieves to steal $54M, highlighting the need for tested, verified key management practices versus rolling your own.

Jeff's Stories

  1. How the Boeing 737 Max Disaster looks to a Software Developer - An examination, by a software designer and private pilot, of the 737 Max problem, the origin and hardware issues that MCAS attempts to solve, and the deficiencies of that solution.

Johnny's Stories

  1. Cartoon Network Hacked Worldwide to Show Brazilian Stripper Videos - Apparently, a pair of Brazilian hackers exploited a vulnerability in Cartoon Network's website management platform. They streamed footage of a Brazilian stripper named Ricardo Milos, "known for wearing a red bandana on his head and an American flag thong", from April 25 until the channel was notified on April 28, across 16 different regions. From what I can see, I don't think the videos were explicit, but when people went to stream content, they were faced with a Brazilian male stripper. Interesting.