Spectre, ATMs, and Japan’s Minister – Paul’s Security Weekly #583

November 18, 2018
7 new Spectre/Meltdown attacks, hacking ATMs for free cash is easier than Windows XP, AI can now fake fingerprints fooling ID scanners, and Japan's cybersecurity minister admits he's never used a computer!

Paul's Stories

  1. Facebook flaw could have exposed private info of users and their friends
  2. 7 new Spectre, Meltdown attacks uncovered by security researchers - ARM and Intel said these new attacks can be mitigated by previously reported methods. Riiiiiight
  3. Japan's cybersecurity minister admits he's never used a computer - "If a hacker targets this Minister Sakurada, they wouldn't be able to steal any information. Indeed it might be the strongest kind of security!"
  4. WPA2 encryption bypass: Using Defensics to uncover behavioral vulnerabilities - Okay, this was for D-Link: As part of Defensics SafeGuard development, we uncovered a vulnerability in D-Link DIR-850L Wireless AC routers with hardware revision A. The vulnerability gives an attacker full access to a wireless network without needing credentials. Our method skips a critical step during access point connection, bypassing encryption altogether.
  5. Juniper Networks: Cryptomining Exploit Targeting Docker Containers - Yea, basically don't expose the Docker API, that's bad. https://forums.juniper.net/t5/Threat-Research/Container-Malware-Miners-Go-Docker-Hunting-In-The-Cloud/ba-p/400587
  6. Making PCI Requirement 8.3 Bulletproof and Simple - Why limit to just remote connections? Should be all authentication requests in my opinion.
  7. Should You Send Your Pen Test Report to the MSRC? - Wow, just Wow: Pen test reports sent to us commonly contain a statement that a product is vulnerable to an attack, but do not contain specific details about the attack vector or demonstration of how this vulnerability could be exploited. Often, mitigations are available to customers that do not require a change in the product code to remediate the identified security risk. I can't even believe we are having this conversation. The skills shortage seems to be with AD security, and it's bad.
  8. Want To Hack An ATM For Free Cash? It's As Easy As Windows XP
  9. Firefox Will Start Alerting You To Recently Breached Sites
  10. Privacy advocates rank the creepiest tech gifts of 2018 - Very little evidence to support their claim of "creepy".
  11. Cybersecurity: Eight Ways You Can Boost Employee Buy-In
  12. AI Can Now Fake Fingerprints That Fool Biometric ID Scanners
  13. Some of the Most Popular Coding Languages Pose a Huge Security Problem - We need to shift ourselves from treating each memory unsafety vulnerability as an isolated incident, and instead treat them as the deeply rooted systemic problem they are. And then we need to invest in engineering research into how we can build better tools to solve this problem. hrm...

Jeff's Stories

  1. Google Internet Traffic Hijacked by Russia and China?
  2. Mozilla Adds Website Breach Notifications to Firefox
  3. Bad news: 1-877-KARS4KIDS had a data breach. Worse news: now you’ll have that awful jingle stuck in your head all day
  4. RIP, 'IT Security' (AMEN!)
  5. Meet Brad, the Guy Keeping Your Vibrator Safe from Hackers (for Larry)

April's Stories

Hosts

  - Paul Asadorian - CEO, Security Weekly.
  - Joff Thyer - Security Analyst, Black Hills Information Security.
  - Carlos Perez - Principal Consultant, Team Lead for Research, TrustedSec.
  - Jeff Man - Sr. InfoSec Consultant, Online Business Systems.

Audio: http://traffic.libsyn.com/sw-all/Spectre_ATMs_and_Japans_Minister_-_Pauls_Security_Weekly_583_converted.mp3