Patch Management

Bye Bye Chrome, GhostHook, and Cisco – Paul’s Security Weekly #519

June 29, 2017

Silence is Golden: Microsoft Should Be Silent!

Why Firefox is superior, spies in Mexico, WannaCry shuts down a car plant, Cisco patches critical vulnerabilities, hacking air-gapped networks, and more security news! See below for all of the security news articles. We talk A LOT about Microsoft. Watch the video above to see the hilarity!

Paul's Stories

  1. Bye Bye Chrome! Why We Switched to Firefox - I was skeptical, but pretty convincing. Also, I noticed FF was better at web site debugging, better views, get responses of all requests in a sortable tab, just better than Chrome.
  2. Talos Targets Disinformation with Fake News Challenge Victory
  3. Exclusive: Upcoming Windows 10 Version May Have Built-in EMET to Boost Security - See, better: However, we tried to reach out to two of the Microsoft researchers, one of them hasn't responded yet, while other denied commenting at this moment.
  4. Critical RCE Flaw Found in OpenVPN that Escaped Two Recent Security Audits - Take away: make sure your software security "Audit" includes fuzzing.
  5. Brutal Kangaroo: CIA-developed Malware for Hacking Air-Gapped Networks Covertly - I gotta know more: The previous version of Brutal Kangaroo was named as EZCheese, which was exploiting a vulnerability that was zero-day until March 2015, though the newer version was using "unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system."
  6. No, WannaCry Is Not Dead! Hits Honda & Traffic Light Camera System
  7. Supreme Court Ignores EFF "Dancing Baby" Fair Use Case - The copyright owner in question is Universal Music Group, which issued a copyright takedown notice to Stephanie Lenz after she posted a video of her then three-year-old son, Holden, dancing to the Prince song "Let's Go Crazy." Universal is the copyright owner of "Let's Go Crazy." Lenz contested the video's removal, and it was eventually restored. But EFF sued Universal Music Group and said that Universal should be made to pay damages under a section of the Digital Millennium Copyright Act that bars false or misleading DMCA takedown notices.
  8. Mexico Spied On Journalists, Lawyers, And Activists
  9. No Recourse For The 200 Million Compromised Due To The RNC - "Affected people may not have a clear way to get recourse because most laws about data security and data breaches don't contemplate the kinds of harms we will see from what happened here," Monroe said. "Some states have laws requiring that businesses have reasonable security measures in place to protect personal information, but those laws are generally directed toward financial harms like identity theft. The information here, while many would consider it sensitive, probably wouldn't be subject to those laws." So, no recourse if your name, birthday and crap are leaked online. Sucks.
  10. GhostHook Attack Bypasses Windows 10 PatchGuard - This is neat, and no patch! The bypass, which has been nicknamed GhostHook, is a post-exploitation attack and requires an attacker already be present on a compromised machine and running code in the kernel. As a result, Microsoft said it will not patch the issue, but may address it in a future version of Windows, CyberArk said. And Microsoft's advice is SO LAME: “This technique requires that an attacker has already fully compromised the targeted system. We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers,” a Microsoft representative said in a statement provided to Threatpost. Dear Microsoft, it would be better for you if you just didn't respond at all. A lame response is worse than no response, haven't you learned that from Apple?
  11. WannaCry Ransomware Blamed for Honda Car Plant Shutdown - Pure LOLZ: The plant was only shut down on June 19, with normal operations restored on June 20. Honda reportedly discovered the WannaCry infection on June 18 at Sayama, with no reports of its other plants being impacted.
  12. Drupal Patches Three Vulnerabilities in Core Engine - The YAML parser in Drupal 8, PECL, failed to handle PHP objects safely during operations with Drupal Core, according to the advisory. That could have opened it up to remote code execution. In case you were wondering...
  13. Microsoft Says Fireball Threat Overblown - Microsoft said it has been tracking Fireball infections since 2015 and that the malware has been consistently bundled with programs users are downloading when looking for apps, media, pirated games, or keygens that would activate certain software. The malware arrives in these “clean programs,” Microsoft said, which are used as host processes to load the malware and evade detection by security software. BUt, overblow...
  14. Average Cost of Breach Goes Down For the First Time Ever - The global average cost of a data breach last year dropped 11.4 percent from 2015 to $3.6 million. The reduction is attributed mostly to a strong U.S. dollar, with wins also offset by a 1.8 percent increase in the size of breaches in 2016.Pfft, Math. I think we are measuring the wrong thing. We should be measuring the impact of the breach, which may look like a different formula: Hard costs + reputation damage + customers lost as a result + ?, thoughts?
  15. Cisco Patches XXE, DOS, Code Execution Vulnerabilities - Fancy name: One of the issues, an XML External Entity (XXE) vulnerability, exists in versions 1.1 through 3.1.6 of Cisco’s Prime Infrastructure software. The vulnerability is dependent on an admin getting tricked into importing a malicious XML file. By doing so in the web-based user interface Cisco says an authenticated, remote attacker could achieve read and write access to data stored in vulnerable systems, or perform remote code execution.
  16. Two Arrested For Microsoft Network Intrusion - Over a three-month period earlier this year, the two men reportedly made repeated efforts to hack into Microsoft's network, according to the report. And while Microsoft notes no customer data was taken in the incident, it is not yet clear whether the group was able to access other information, the BBC noted. Big question: how did they do it? Bigger question: How do you do it without getting caught? Personal question: Do you own a wizard robe and how would you hack Microsoft?
  17. 2 handy yet hidden Chromebook security features - For me there is only one, A fresh Linux install :)

Larry's Stories

  1. GirlScouts to get a Cyber Security Badge
  3. Cisco uses Machine Learning to "Solve" the encrypted traffic and malware problem
  4. The RNC Files...

Jeff's Stories

  1. How an Entire Nation Became Russia’s Test Lab for Cyberwar

Full Show Notes

[audio src=""]

prestitial ad