Active Directory, Encryption, Firewall

Security News: November 7, 2019 – PSW #626

November 8, 2019

 

 

In the Security News, Who is responsible for Active Directory security within your organization?, Apple publishes new technical details on privacy features, How to ensure online safety with DNS over HTTPS, Amazons Ring Video Doorbell could open the door of your home to hackers, and much more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor's Page

Security News: November 7, 2019

Paul's Stories

  1. Who is responsible for Active Directory security within your organization? - Help Net Security - But 24% said that they don’t know who is responsible for Active Directory security within their organization – showing that sometimes this important function can fall through the cracks between IT and security teams. If you are one of these companies, we need to chat :)
  2. Presentation Template: Build Your 2020 Security Plan - Just one slide, big letters: We're Screwed.
  3. A Warning About Viruses From Weird Al - Thanks for burning my best email phishing campaign, "Stinky Cheese" was so successful!
  4. Apple publishes new technical details on privacy features - Apple also outlined steps it has taken to cut off app developers that circumvent its rules. For example, even when users have turned off location-based services that use an iPhone’s GPS chips, app developers can scan for nearby Wi-Fi networks and Bluetooth devices to approximate the user’s location. Developers now must ask permission for Bluetooth access, for example, and explain why it is needed, Apple’s guides said. Googles respons is classic: Google Chief Executive Sundar Pichai said in a New York Times op-ed that “privacy cannot be a luxury good offered only to people who can afford to buy premium products.” Says the company with a $1k phone with less feature's than the iPhone 11...
  5. Facebook reveals privacy flaw in Groups - Crap, now they know where I get my memes: With permission, app developers could access a group's name, the number of members and the content of posts. However, they could only access member names and photos if people explicitly opted in. But on Tuesday, the company revealed that about 100 "partners" retained access following the change.
  6. Bug Hunters Earn $195,000 for Hacking TVs, Routers, Phones at Pwn2Own | SecurityWeek.Com
  7. Camgirl sites expose millions of members and users
  8. How to ensure online safety with DNS over HTTPS
  9. Mobile security firms will help protect Google Play - Help Net Security
  10. Printers: The overlooked security threat in your enterprise | TECHtalk - Overlooked for sure, but attackers don't need to hack your printer. Largely we've observed attackers using other methods to obtain data, and printer attacks are not popular, yet. Email phishing and lateral movement within the domain using credentials wins almost every time. When we force attackers to step outside this technique, they may turn to printers, however its still an opportunistic attack.
  11. Capital One Shifts Its CISO to New Role - Dark Reading
  12. Amazons Ring Video Doorbell could open the door of your home to hackers - The controversial title is beyond irresponsible, which I am shocked as this site is typically pretty good. First, you'd have to have a smart lock on your front door, and not use any other type of lock as a backup. Also, if you have smart locks, be certain you have cameras. And yes, an attacker could use the Doorbell vulnerability to get the Wifi password, open the door and then delete the recordings from the camera. But holy crap, how did we get here? In any case, in order for the vulnerability to be exploitable, the Ring doorbell must be re-configured. The article suggests that a constant de-auth attack could then, in turn, cause the user to re-configure the device, leaving it exposed to the vulnerability that will cough up the Wifi password. All of this will likely just go away once Ring pushes an update. Every IoT security flaw is not the end of the world or even deserves an article to be written about it.
  13. Bill Gates says people would be using Windows Mobile if not for the Microsoft antitrust case - “There’s no doubt the antitrust lawsuit was bad for Microsoft, and we would have been more focused on creating the phone operating system, and so instead of using Android today, you would be using Windows Mobile if it hadn’t been for the antitrust case,” Gates, a Microsoft co-founder and board member, said at the New York Times’ DealBook conference in New York. Really? Somone send Bill a copy of "Extreme Ownership".
  14. What you probably didnt know about sudo
  15. New 'unremovable' xHelper malware has infected 45,000 Android devices | ZDNet

WTF:

  1. People are posting their genitals on Reddit to get STI diagnoses - “Social media was not built to deliver health care,” UC San Diego scientist and study co-author Alicia Nobles told CNBC.

Joff's Stories

  1. Who is reading your SMS Texts?

Hosts

[caption id="attachment_210" align="alignleft" width="120"]Joff Thyer Joff Thyer - Security Analyst[/caption] [caption id="attachment_210" align="alignleft" width="120"]Larry Pesce Larry Pesce - Senior Managing Consultant and Director of Research[/caption] [caption id="attachment_210" align="alignleft" width="120"]Paul Asadoorian Paul Asadoorian - Founder & CTO[/caption] [caption id="attachment_210" align="alignleft" width="120"]Tyler Robinson Tyler Robinson - Managing Director of Network Operations[/caption]

Guests

Announcements

  • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will be receiving 1 CPE credit per webcast! Register for one of our upcoming webcast with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand

[audio src="http://traffic.libsyn.com/sw-all/PSW_626_-_Security_News-0_converted.mp3"]

prestitial ad