Taylor Swift, KringleCon, & 3D Head – Paul’s Security Weekly #586

December 14, 2018
How Taylor Swift used Facial Recognition to Thwart Stalkers, unlocking android phones with a 3D printed head, Ticketmaster fails to take responsibility for malware, and it's December of 2018, To Hell with it, Just patch your stuff already!

Paul's Stories

  1. Taylor Swift Used Facial Recognition to Thwart Stalkers - According to Rolling Stone, a facial-recognition camera was hidden inside a kiosk playing clips of Swift from rehearsals. As fans approached the kiosk to watch, the camera would stealthily snap their photo. Those images were then compared to a database of Swift's known stalkers. "Despite the obvious privacy concerns (for starters, who owns those pictures of concertgoers and how long can they be kept on file?) the use of facial-recognition technology is on the rise at stadiums and arenas," the report notes. Ticketmaster, for instance, recently invested in Austin, Texas-based facial recognition startup Blink Identity, which says its technology can identify 60 people a minute walking at full speed past a sensor, meaning paper and digital tickets may soon be a thing of the past. The same tech can be used throughout a venue to allow concertgoers to purchase drinks, snacks, and merchandise.
  2. Unlocking Android phones with a 3D-printed head - Rather worryingly (if someone has managed to make a 3D-printed version of your head), all four Android phones were duped into thinking they were looking at the real Tom. Only the iPhone X wasn’t duped. It’s certainly impressive to see Apple’s iPhone X not be tricked by Thomas Brewster’s fake head, and it may surprise owners of Android smartphones who have had at best mixed experiences with facial recognition.
  3. New Australian Backdoor Law
  4. Warning! Unprivileged Linux Users With UID > INT_MAX Can Execute Any Command - Oops: The issue, tracked as CVE-2018-19788, impacts PolicyKit version 0.115, which comes pre-installed on most popular Linux distributions, including Red Hat, Debian, Ubuntu, and CentOS. The vulnerability exists because PolicyKit improperly validates permission requests for any low-privileged user with a UID greater than INT_MAX. INT_MAX is the constant that defines the maximum value a (signed 32-bit) integer variable can store, which is 2147483647 (0x7FFFFFFF in hexadecimal). So if a user account on an affected Linux system has any UID greater than INT_MAX, the PolicyKit component will allow it to execute any systemctl command successfully.
  5. Humble Bundle Breach Could Be First Step In Wider Attack
  6. OpSec Mistake Brings Down Network Of Dark Web Money Counterfeiter - Encrypt everything: A source knowledgeable of the case's details told ZDNet today that the suspect had failed to protect his operation's business transactions with proper encryption. While the suspect used cryptocurrency to receive payments, he still kept a list of mailing addresses where he sent packages containing the counterfeit banknotes.
  7. Ticketmaster Fails To Take Responsibility For Malware - Finger pointing: In a statement on its website, Inbenta said: "Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code... Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it."
  8. It's December Of 2018 And, To Hell With It, Just Patch Your Stuff - The gift that keeps giving, vulnerabilities: Microsoft, Adobe, and SAP are finishing up the year with a flurry of activity, combining to patch more than 140 CVE-listed security flaws between them.
  9. Ethical Hacking Growing In Popularity As Data Breaches Increase
  10. UK Whitehats Blacklisted By Cisco Talos
  11. Worst password offenders of 2018 exposed
  12. Education Gets an 'F' for Cybersecurity
  13. Grammarly Launches Public Bug Bounty Program
  14. WordPress Releases Security Update
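Story 4 turns on a UID larger than INT_MAX. As a defender you want two things: a quick audit of which accounts on a host carry such a UID, and a feel for why the value matters (a UID above 2147483647 does not fit in a signed 32-bit integer and wraps negative when stored in one). The following is an added example written for these show notes, not code from the podcast or from the PolicyKit project; the passwd lines it reads are constructed sample data, and in practice you would feed it the contents of /etc/passwd.

```python
"""Audit passwd-format entries for UIDs above INT_MAX (2147483647).

Added example; the sample entries below are constructed, not taken from any real host.
"""

INT_MAX = 2**31 - 1          # 2147483647 == 0x7FFFFFFF, the largest signed 32-bit value
UINT32_MOD = 2**32           # modulus used when a value is reinterpreted as 32-bit

# Constructed /etc/passwd-style input: two ordinary accounts and two with oversized UIDs.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:2147483648:100:constructed service account:/var/lib/svc:/usr/sbin/nologin
bob:x:4000000000:4000000000:constructed user:/home/bob:/bin/sh
"""


def parse_passwd(text):
    """Parse passwd-format text into dicts; skips blank, comment and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # name:passwd:uid:gid:gecos:home:shell
            continue
        name, _pw, uid, gid, _gecos, _home, shell = fields
        try:
            entries.append({"name": name, "uid": int(uid), "gid": int(gid), "shell": shell})
        except ValueError:            # non-numeric uid/gid: not a valid entry, skip it
            continue
    return entries


def to_signed32(value):
    """Show what an oversized UID becomes when squeezed into a signed 32-bit int."""
    value %= UINT32_MOD
    return value - UINT32_MOD if value > INT_MAX else value


def find_overflowing_uids(text, limit=INT_MAX):
    """Return (name, uid, uid_as_signed32) for every entry whose UID exceeds `limit`."""
    return [
        (e["name"], e["uid"], to_signed32(e["uid"]))
        for e in parse_passwd(text)
        if e["uid"] > limit
    ]


if __name__ == "__main__":
    # Replace SAMPLE_PASSWD with open("/etc/passwd").read() to audit a real host.
    for name, uid, wrapped in find_overflowing_uids(SAMPLE_PASSWD):
        print(f"{name}: uid {uid} exceeds INT_MAX (reads as {wrapped} in a signed 32-bit int)")
```

Any account this flags is one you should account for explicitly, and the fix for the story's issue is still to update PolicyKit; the audit only tells you whether the precondition exists on a given machine.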

Joff's Stories

  1. Australia's New Anti-Encryption Law
  2. CIO Review and BHIS

Larry's Stories

  1. DOSfuscation, just goes to show that strings analysis is still useful.

Full Show Notes

Follow us on Twitter: https://www.twitter.com/securityweekly

Hosts

Larry Pesce - Senior Managing Consultant and Director of Research, InGuardians.

Paul Asadorian - CEO, Security Weekly.

Joff Thyer - Security Analyst, Black Hills Information Security.

Keith Hoodlet - Application Security Manager, Thermo Fisher Scientific.

Audio: http://traffic.libsyn.com/sw-all/Taylor_Swift_KringleCon__3D_Head_-_Pauls_Security_Weekly_586_converted.mp3