Spectre, ATMs, and Japan’s Minister – Paul’s Security Weekly #583
November 18, 2018
7 new Spectre/Meltdown attacks, Hacking ATM's for free cash is easier than Windows XP, AI can now fake fingerprints fooling ID scanners, and Japan's cybersecurity minister admits he's never used a computer!
WPA2 encryption bypass: Using Defensics to uncover behavioral vulnerabilities - Okay, this was for D-Link: As part of Defensics SafeGuard development, we uncovered a vulnerability in D-Link DIR-850L Wireless AC routers with hardware revision A. The vulnerability gives an attacker full access to a wireless network without needing credentials. Our method skips a critical step during access point connection, bypassing encryption altogether.
Should You Send Your Pen Test Report to the MSRC? - Wow, just Wow: Pen test reports sent to us commonly contain a statement that a product is vulnerable to an attack, but do not contain specific details about the attack vector or demonstration of how this vulnerability could be exploited. Often, mitigations are available to customers that do not require a change in the product code to remediate the identified security risk. I can't even believe we are having this conversation. The skills shortage seems to be with AD security, and its bad.
Some of the Most Popular Coding Languages Pose a Huge Security Problem - We need to shift ourselves from treating each memory unsafety vulnerability as an isolated incident, and instead treat them as the deeply rooted systemic problem they are. And then we need to invest in engineering research into how we can build better tools to solve this problem. hrm...
[caption id="attachment_210" align="alignleft" width="120"] Paul Asadorian - CEO, Security Weekly.[/caption]
[caption id="attachment_210" align="alignleft" width="120"] Joff Thyer - Security Analyst, Black Hills Information Security.[/caption]
[caption id="attachment_210" align="alignleft" width="120"] Carlos Perez - Principal Consultant, Team Lead for Research, TrustedSec.[/caption]
[caption id="attachment_210" align="alignleft" width="120"] Jeff Man - Sr. InfoSec Consultant, Online Business Systems.[/caption]
[audio src="http://traffic.libsyn.com/sw-all/Spectre_ATMs_and_Japans_Minister_-_Pauls_Security_Weekly_583_converted.mp3" ]
Infosec teams struggle to detect Linux-based threats such as Vermillion Strike due to an overemphasis on Windows malware, a lack of effective solutions for protecting data centers, and the immaturity of sandboxes.