YouTube Censorship & Vulnerabilities- Paul’s Security Weekly #596 | SC Media

March 1, 2019



YouTube controversy on ALL fronts, Cisco SOHO wireless VPN firewalls and routers open to attack, Ring doorbell flaw opens door to spying, bot plagues, free hacking toolkits, and everything you need to know about the Huawei controversy!

Paul's Stories

YouTube Controversy

The examples in this post are enough to make anyone want to turn off YouTube in your house and for your children. There are benefits to watching YouTube (my son developed a love for Marvel super heroes, which is awesome). However, when does the negative outweigh the positive? Most importantly, what will YouTube do about this? What can we as the security community do to help? (I promised my 5-year-old son that I'd ask all my hacker friends to track down the "bad people" on YouTube, and there are few things that are more upsetting than a disappointed child.)

  1. Harassment, hate and bile, suicide instructions for kids... anything else social media's good at? Ah yes, cybercrime
  2. YouTube loses advertisers over "wormhole into pedophilia ring" - The companies pulled advertising days after YouTuber Matt Watson posted a video detailing what he calls "a wormhole into a soft-core pedophilia ring on YouTube." "YouTube's recommended algorithm is facilitating pedophiles' ability to connect with each other, trade contact info, and link to actual CP [child pornography] in the comments," Watson reported. "I can consistently get access to it from vanilla, never-before-used YouTube accounts via innocuous videos in less than ten minutes, in sometimes less than five clicks."
  3. Cyber expert says deleting Momo 'is not as straight forward as we think'
  4. Parents: don't panic about Momo – worry about YouTube Kids instead - YouTube’s key failing here is that it relies on a “flagging” system to find and purge inappropriate content, which means someone has to actually see the video in question and report it before anything can be done. Pre-moderation, where videos don’t make it on to YouTube Kids until they’ve been watched in full by a human being, is realistically the only way to keep the platform safe from malicious pranksters. But YouTube has shown no appetite for this, instead emphasizing its “robust” content-reporting features in its responses to these continual controversies. Also, I hate the flagging system: what happens when a group of people has a bone to pick with someone or some channel?


  1. A Case Study in Wagging the Dog: Computer Takeover
  2. Cloudborne IaaS Attack Allows Persistent Backdoors in the Cloud - Far from a targeted attack: “While physical servers are dedicated to one customer at a time, they don’t stay that way forever,” researchers explained in a Tuesday posting. “Servers are provisioned and reclaimed over time and naturally move from customer to customer. The issue is that all too often, the servers’ firmware is not re-flashed (overwritten to factory settings, essentially) when a server is reclaimed by the cloud provider to be moved on to a new user. This allows the firmware to persist from customer to customer, including any changes a malicious user might make to it. In the Cloudborne scenario, an attacker can first use a known vulnerability in Supermicro hardware (present in many cloud providers’ infrastructure, the firm said), to overwrite the firmware of a Baseboard Management Controller (BMC). BMCs are a third-party component designed to enable remote management of a server for initial provisioning, operating system reinstall and troubleshooting.
  3. PDF zero-day samples harvest user data when opened in Chrome - Exploit detection service EdgeSpot spotted several PDF documents that exploit a zero-day vulnerability in Chrome to harvest data on users who open the files through the popular web browser. The experts initially detected the specially-crafted PDF files in December 2018.
  4. Cisco SOHO wireless VPN firewalls and routers open to attack - This is still happening: The flaw is in the devices’ web-based management interface and arose due to improper validation of user-supplied data. By sending malicious HTTP requests to a vulnerable device, an attacker may be able to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user.
  5. Researchers and businesses need to work together to expose IoT vulnerabilities - Don't mess with my coffee, there is no tech in my French press coffee maker: Two new vulnerabilities have been uncovered within connected devices that allow hackers access to the personal lives of consumers, according to McAfee researchers. A vulnerability within BoxLock smart padlock enables hackers to unlock the device within a few seconds, and a vulnerability within the Mr. Coffee brand coffee maker with Wemo grants hackers access to home networks.
  6. Thunderclap: Apple Macs at risk from malicious Thunderbolt peripherals - DMA strikes again, balancing security and performance is tricky.
  7. Ring Doorbell Flaw Opens Door to Spying - However, BullGuard researchers found that audio and video footage sent from the doorbell to the app was transmitted in plaintext – meaning that an attacker could extract that data. “The data seems sensible, and therefore we might be able to extract it,” they said. “Using our handy videosnarf [VoIP Sniffer and security tool] utility, we get a viewable MPEG file. This means anyone with access to incoming packets can see the feed! Similarly, we can also extract the audio G711 encoded stream.”
  8. Bots Plague Ticketing Industry
  9. Vulnerability exposes the location of thousands of malware C&C servers - LOVE this: Over the past few years, Cobalt Strike slowly became the go-to toolkit for many threat actors, such as the FIN6 and FIN7 (Carbanak) cyber-criminal gangs, but also nation-state hackers such as APT29 (Cozy Bear). But unbeknownst to all these hacker groups was that Fox-IT researchers discovered a bug in the Cobalt Strike server component. Built on NanoHTTPD, a Java-based web server, crooks didn't know that it contained a bug that allowed Fox-IT to track them since 2015. According to Fox-IT researchers, the NanoHTTPD server accidentally added an additional space in the server's HTTP responses, like in the image below. This extra whitespace allowed Fox-IT to detect Cobalt Strike communications between beacons and their C&C servers across the years, until January 2, 2019, when Cobalt Strike developers patched the bug and removed the extra space in version 3.13.
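
The detection idea in the Cobalt Strike item above, as an added example that is not from the show notes or from Fox-IT: a Python check that flags captured HTTP responses whose status line ends in stray whitespace. It assumes the extra space sits at the end of the status line, as Fox-IT's public write-up described it; the sample responses and addresses are constructed.

```python
import re

# Status line shape per RFC 7230: HTTP-version SP status-code SP reason-phrase
STATUS_RE = re.compile(rb"^HTTP/\d\.\d \d{3}(?: [^\r\n]*)?$")


def status_line(raw: bytes):
    """Return the status line of a raw HTTP response (no line ending), or None."""
    head, sep, _ = raw.partition(b"\n")
    if not sep:
        return None  # truncated capture: no complete first line
    line = head[:-1] if head.endswith(b"\r") else head
    return line if STATUS_RE.match(line) else None


def has_extraneous_space(raw: bytes) -> bool:
    """True when the reason phrase is followed by trailing whitespace.

    Assumption: the anomaly is whitespace at the end of the status line.
    'HTTP/1.1 204 ' (empty reason phrase) is valid and is not flagged.
    """
    line = status_line(raw)
    if line is None:
        return False
    parts = line.split(b" ", 2)
    reason = parts[2] if len(parts) == 3 else b""
    return reason != reason.rstrip(b" \t")


def triage(responses: dict) -> list:
    """Return the hosts whose captured response shows the anomaly, sorted."""
    return sorted(h for h, raw in responses.items() if has_extraneous_space(raw))


# Constructed sample captures (documentation address ranges, not real servers).
SAMPLES = {
    "192.0.2.10": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "192.0.2.11": b"HTTP/1.1 200 OK \r\nContent-Type: text/plain\r\n\r\n",
    "198.51.100.7": b"HTTP/1.1 404 Not Found \nContent-Length: 0\n\n",
    "198.51.100.8": b"HTTP/1.1 204 \r\n\r\n",
    "203.0.113.5": b"SSH-2.0-OpenSSH_7.9\r\n",
}

if __name__ == "__main__":
    for host in triage(SAMPLES):
        print("status line ends in whitespace:", host)
```

A match is a lead for further investigation, not an attribution: any server with the same quirk is flagged, and per the item above the space was removed in version 3.13.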


  1. A basic question about TCP - From the time the phone system was created in the 1800s up until the 2007 release of the iPhone, phone companies wanted to control the applications that users ran on their network. The OSI Model that you learn as the basis of networking isn't what you think it is: it was designed with the AT&T phone network and IBM mainframes being in control over your applications. The creation of TCP/IP and the Internet changed this, putting all the power in the hands of the ends of the network. The version of the OSI Model you end up learning is a retconned model, with all the original important stuff stripped out, and only the bits that apply to TCP/IP left remaining.
  2. LDAP for AWS without Servers - Could Amazon (and other) become viable alternatives to MS Active Directory?
  3. Becoming Better At RSA - Becoming better appears to be the theme, what can we do better as a security community and/or industry?
  4. The Huawei controversy: Everything you need to know - The Chinese telecom giant may have run into its biggest trouble yet in late January when the US Justice Department unsealed indictments that included 23 counts pertaining to the theft of intellectual property, obstruction of justice and fraud related to its alleged evasion of US sanctions against Iran. But the core issue with Huawei has been concerns over its coziness with the Chinese government and fears that its equipment could be used to spy on other countries and companies. It's the reason why the US banned companies from using Huawei networking equipment in 2012.
  5. Security Firm to Offer Free Hacking Toolkit

Lee's Stories

  1. TurboTax accounts compromised, Intuit offers credit monitoring - Attackers use compromised credentials to access TurboTax accounts, Intuit locks down affected accounts.
  2. Blockchain security issues discovered - Implementation flaws and algorithmic weaknesses (such as a 51% attack) revealed as more blockchains are created.
  3. Sandia supercharges the Honeypot - Vince Urias from SNL works to create honeypots that emulate a full environment.
  4. SEDC customer passwords stored in the clear - Web sites that offered password recovery by emailing clear-text passwords were storing them in the clear. Passwords are being converted to salted hashes.
  5. All chips inherently vulnerable to Spectre/Meltdown - FUD aside, Google researchers say that fundamental chip design cannot distinguish good and bad commands, meaning Meltdown and Spectre are here to stay.

Jeff's Stories

I've got a busy week coming up - mostly surrounding RSA Conference next week:

  1. I'm presenting 'Spies, Ciphers, Symbols, & Secret Writings' at BSidesNoVa
  2. Tribe of Hackers Panel at MACH37 & CIT Launch Lounge at RSA Conference
  3. Presenting 'The Art of the Jedi Mind Trick' Workshop during Peerlyst trainings during RSA Conference 2019

  • Lee Neely - Senior Cyber Analyst, Lawrence Livermore National Laboratory.
  • Paul Asadoorian - CEO, Security Weekly.
  • Matt Alderman - CEO, Security Weekly.
  • Jeff Man - Sr. InfoSec Consultant, Online Business Systems.
  • Joff Thyer - Security Analyst, Black Hills Information Security.








  • Join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Visit and use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass. If you are interested in booking an interview or briefing with Security Weekly, please go to to submit your request!
  • SecureWorld Boston is hosting their 15th annual conference March 27-28 @ the Hynes Convention Center. Security Weekly Listeners save $100 off a full conference pass by visiting and using the code 'SecurityWeekly'
  • OSHEAN is hosting RI Cybersecurity Exchange Day on March 13th at the O'Hare Academic Building at Salve Regina in Newport, RI! Register Now @

