security.didici.cc
ISC StormCast for Friday, October 19th 2018
1 hour agoCisco Patches https://tools.cisco.com/s
ecurity/center/Search.x?p
ublicationTypeIDs=1&f
irstPublishedStartDate=20
18%2F10%2F17&firstPub
lishedEndDate=2018%2F10%2
F17&lastPublishedStar
tDate=2018%2F10%2F17&
lastPublishedEndDate=2018
%2F10%2F1751% Attack Against Cry ...
The libssh “login with no password” bug – what you need to know [VIDEO]
13 hours agoHere's a video that explains the libssh "no password needed" bug - jargon-free and in plain English. Enjoy...
Is Google’s Android app unbundling good for security?
15 hours agoIf you live in the EU, turning on a new Android device after 29 October 2018 could look quite different...
You don’t have to sequence your DNA to be identifiable by your DNA
16 hours agoIf you have European ancestry, there's a 60% chance that somebody vaguely related to you can be used to find out who you are.
Twitter publishes data on Iranian and Russian troll farms
17 hours agoOver 1m tweets show that we're suckers for funny/sarcastic/edgy, not so much for blah-blah-blah “news” spreaders.
Competitive Horse Racing - Enterprise Security Weekly #111
17 hours agoThis week, John Strand and Paul discuss some companies Paul got a chance to catch up with! They discuss GuardiCore and their Application Segmentation, Cyxtera and their Network Security and Software Defined Perimeters, PreVeil’s Encrypted Email and File ...
ISC StormCast for Thursday, October 18th 2018
1 day agoAbandoned "NewShareCount" Twitter Counter abused https://blog.sucuri.net/2
018/10/malicious-redirect
s-from-newsharecounts-com
-tweet-counter.htmlMultip
le D-Link Vulnerabilities https://seclists.org/full
disclosure/2018/Oct/36RID Hacking in Windows https://ww ...
Hack Naked News #193 - October 16, 2018
1 day agoThis week, Millions of voter records for sale on the Dark Web, Apple passcode bypass can access pictures and contacts, how Chrome and Firefox could ruin your business, Fake Adobe updates, Microsoft Zero-Day patch for JET bug incomplete, and 5 ways attacke ...
Weirdo Twitter messages were a glitch, not a hack
1 day agoWere you one of the dozens of people who got a bizarre Twitter message yesterday? It's OK. It wasn't a disturbance in the Matrix.
W32.Coozie: Discovering Oracle CVE-2018-3253
1 day ago
NOTE: On October 17th, 2018 Oracle released a patch for this vulnerability as several others: https://www.oracle.com/te
chnetwork/security-adviso
ry/cpuoct2018-4428296.htm
l
There are times when finding a 0day in a major-branded product like Oracle takes mo ...
Serious SSH bug lets crooks log in just by asking nicely…
1 day agoA serious bug in libssh could allow crooks to connect to your server - with no password requested or required. Here's what you need to know.
New iPhone lock screen bypass exposes your photos
1 day agoJosé Rodríguez has demonstrated how an attacker with physical access to a device running iOS 12.0.1 can gain access to photos stored on it.
Is this the simple solution to password re-use?
1 day agoResearchers concluded that passphrase requirements such as a 15-character minimum length deter the majority users from reusing them on other sites.
35 million US voter records up for sale on the dark web
1 day agoHe or she is selling off the databases by state. Kansas's voter database has already been sold and published, and Oregon is next up for sale.
Donald Daters app for pro-Trump singles exposes users’ data at launch
1 day agoA security researcher found a publicly exposed Firebase data repository that was hardcoded in the dating app.
Git On That - Application Security Weekly #35
1 day agoThis week, Keith and Paul interview Garrett Gross, Senior Solutions Engineer at Rapid7! They talk about catching bugs earlier in the process of development, what can lead to certain successes in development, and more! In the Application Security News, Git ...
ISC StormCast for Wednesday, October 17th 2018
2 days agoOracle CPU https://www.oracle.com/te
chnetwork/security-adviso
ry/cpuoct2018-4428296.htm
llibssh vulnerability https://www.libssh.org/se
curity/advisories/CVE-201
8-10933.txtVending Machine Mobile App Compromise https://hackernoon.com/ho
w-i-hacked-modern-vendi ...
Risky Business #518 -- "Russian Cambridge Analytica" booted off Facebook after token hack
2 days agoThis edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news: More info on the Facebook token hack Facebook boots “Russian Cambridge Analytica” off platform Chinese MSS officer extradited to USA after bein ...
SN 685: Good Samaritans?
2 days agoThis week we observe the untimely death of Microsoft's co-founder Paul Allen, revisit the controversial Bloomberg China supply chain hacking report, catch up on Microsoft's October patching fiasco, follow-up on Facebook's privacy breach, look at the end o ...
Keep It Tight - Business Security Weekly #102
2 days agoThis week, Michael and Paul talk about the Article Discussion on Leadership, Communication, and Innovation! They discuss how to automate habits and never think about them again, why it’s important to explain to employees that organizational changes are ...
US embassy accidentally emails invitation to ‘cat pyjama-jam’ meeting
2 days agoCanberra’s US embassy accidentally exposed details of one of its more enticing get-togethers last week, featuring a cat in a Cookie Monster outfit.
How Chrome and Firefox could ruin your online business this month
2 days agoLast year, Symantec sold off its web certificate business. The new owners are reissuing certs for free - but there's a deadline looming!
Google using lock screen passwords to encrypt Android Cloud backups
2 days agoIf, that is, your phone has updated to the Android 9 operating system, otherwise known as Pie. If so, say hi to the Titan chip!
How to buy (and set up) a safe and secure baby monitor
2 days agoWi-Fi enabled or not? Digital or analog? Here are the features to look for, and how to secure your baby monitor out of the box.
ISC StormCast for Tuesday, October 16th 2018
3 days agoProof Of Concept Exploit for Microsoft Edge Vulnerability CVE-2018-8495 https://leucosite.com/Mic
rosoft-Edge-RCE/Fake Mining Apps https://www.fortinet.com/
blog/threat-research/fort
inet-discovers-new-androi
d-apps-that-mine-the-unmi
nable.htmlFake Google Pho ...
Facebook opens up about data breach details
3 days agoTwo weeks after Facebook's first serious data breach, and the social network has shared what it has figured out so far.
Beware sextortionists spoofing your own email address
3 days agoIn the past, they've pretended to have your passwords - now they're pretending to send email from your "hacked" account, too.
Literary-minded phishers are trying to pilfer publishers’ manuscripts
3 days agoIn a twist on Business Email Compromise, they're spoofing literary agents and going after manuscripts at Penguin Random House and Pan Macmillan.
Monday review – the hot 23 stories of the week
3 days agoFrom the Whatsapp hack to the world's most expensive USB stick, and everything in between. Catch up with everything we've written in the last 7 days - it's weekly roundup time.
ISC StormCast for Monday, October 15th 2018
4 days agoMany Large Websites Affected by Branch.io XSS Flaw https://www.vpnmentor.com
/blog/dom-xss-bug-affecti
ng-tinder-shopify-yelp/Me
dtronics Pacemakers Disable Remote Update https://www.medtronic.com
/content/dam/medtronic-co
m/us-en/corporate/documen
ts/REV-Medtr ...
Get the Wagyu - Paul's Security Weekly #578
5 days agoThis week, we welcome Lee Neely, Senior Cyber Analyst at Lawrence Livermore National Lab for an interview! In the Technical Segment, Omer Yair from Javelin Networks brings us through his talk he presented at DerbyCon entitled: “Goodbye Obfuscation, Hell ...
What Kanye West can teach us about passcodes
6 days agoPulling out an iPhone XS to show the assembled throng a picture of the hydrogen-powered aircraft that “our president should be flying in,” West casually unlocked it using the passcode ‘000000’.
35 state attorney generals tell FCC to pull the plug on robocalls
6 days agoThe AGs want the FCC to adopt SHAKEN and STIR.
Experian credit-freeze PINs could be revealed by a simple trick
6 days agoThe credit bureaus' struggles with PINs continue...
Payment skimmers sneaking on to websites via third party code
6 days agoWhatever Magecart is, it’s been blamed for several high-profile payment card breaches this summer.
The Land Down Under - Enterprise Security Weekly #110
6 days agoThis week, in the Enterprise News, Paul is joined by Joff Thyer to discuss WhiteHat Security's single page application scanning, Palo Alto Networks acquires RedLock to build out Cloud Security, KnowBe4 boosts security awareness training, Symantec brings w ...
ISC StormCast for Friday, October 12th 2018
1 week agoNew Campaign Using Old Equation Editor Vulnerability https://isc.sans.edu/foru
ms/diary/New+Campaign+Usi
ng+Old+Equation+Editor+Vu
lnerability/24196/Root Access Vulnerability in SONY Smart TVs https://www.fortinet.com/
blog/threat-research/sony
-smart-tv-explo ...
Instagram tests sharing your location history with Facebook
1 week agoInstagram is testing Facebook Location History - which allows the tracking of precise locations from your device - in its app.
Millions at risk from default webcam passwords
1 week agoHangzhou Xiongmai Technology Co.,Ltd (Xiongmai), the Chinese manufacturer that made many of the devices left vulnerable to Mirai, is back with another vulnerability that puts millions of devices across the world at risk yet again.
Jailbroken PS4 seller sued by Sony
1 week agoThe consoles allegedly sold on eBay by the California man were packed with over 60 pirated games.
Update now! Microsoft fixes 49 bugs, 12 are critical
1 week agoMicrosoft’s October Patch Tuesday update made its scheduled appearance on Tuesday with fixes for 49 security flaws across its family of products, 12 of which are listed as ‘critical’.
ISC StormCast for Thursday, October 11th 2018
1 week agoRemote Code Execution Vulnerability in WhatsApp https://bugs.chromium.org
/p/project-zero/issues/de
tail?id=1654Salesforce Releases hashh Library https://github.com/salesf
orce/hasshCVE-2018-8453 Details from Kaspersky https://securelist.com/cv
e-2018-8453-us ...
How a WhatsApp call could have taken over your phone
1 week agoA WhatsApp buffer overflow that crashed your phone due to audio data sent by a caller meant that just answering a call could spell trouble.
Google+ wakes up to what the rest of us already knew
1 week agoGoogle's closing down the platform nobody uses and might face a class-action lawsuit over a G+ spawned breach it took 7 months to report.
291 records breached per second in first half of 2018
1 week agoOver 4.5 billion data records were breached in the first half of this year, according to Gemalto's Breach Level Index released this week.
Cyber tormentor leaves a trail that lands him 17.5 years
1 week agoRyan S. Lin pleaded guilty to cyberstalking, distribution of child abuse imagery, hoax bomb threats, computer fraud and abuse, and ID theft.
Airport mislays world’s most expensive USB stick
1 week agoIn October 2017, a member of the public found a USB stick containing a trove of data on security systems and procedures at one of the world’s busiest airports.
ISC StormCast for Wednesday, October 10th 2018
1 week agoMicrosoft Patch Tuesday https://isc.sans.edu/foru
ms/diary/October+2018+Mic
rosoft+Patch+Tuesday/2418
6/Adobe Updates https://helpx.adobe.com/s
ecurity.htmlMagecart Infects "Shopper Approved" Plugin https://www.riskiq.com/bl
og/labs/magecart-shopper-
approved/
SN 684: The Supply Chain
1 week agoAn October Surprise of a different sort - Windows 10 update deletes users' filesA security researcher has massively weaponzied the existing MicroTik vulnerability and released it as a proof-of-conceptA clever voicemail WhatsApp OTP bypassWhat happened wit ...
Risky Business #517 -- Bloomberg's dumpster fire lights up infosec
1 week agoThis edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news: Bloomberg’s shaky, disputed report on hardware back doors A look back on other false reports about imaginary incidents published by Bloomberg GRU ...
Hack Naked News #192 - October 9, 2018
1 week agoThis week, Tenable researcher reveals extended MikroTik Router Vulnerability, Wi-Fi versions will get names people can actually understand, don't accept Facebook's 2nd friend request, Google Plus exposed 500,000 users data, weak passwords are being banned ...
Apple and Amazon hacked by China? Here’s what to do (even if it’s not true)
1 week agoAre major US companies really under attack from Chinese "zombie microchips" - and what should we do, whether it's true or not?
TrustedSec Podcast Episode 3.3 – Live From DerbyCon 8.0!
1 week agoTS Podcast 3.3 SHOW NOTES Live from DerbyCon 8.0! Welcome to the Trusted Security Podcast – a podcast dedicated to bringing the latest news on information security and the industry. This episode features the following members: Geoff Walton, Rob Simon, ...
Microsoft hits the brakes on latest Windows 10 update – what to do
1 week agoMicrosoft has paused the Windows 10 October 2018 update while it investigates reports of deleted profiles and missing files.
Don’t fall for the Facebook ‘2nd friend request’ hoax
1 week agoCloned accounts are a real thing, but this viral message isn't. Don't forward it!
Hey Portal, what’s that Facebook device in my kitchen?
1 week agoThe company that wants to move fast and break things is moving in!
Google ramps up G Suite protections against government-backed attacks
1 week agoSecurity alerts become opt-out by default from 10 October because so few admins opted in.
ISC StormCast for Tuesday, October 9th 2018
1 week agoApple Updates iOS and iCloud for Windows https://support.apple.com
/en-ca/HT209162 https://support.apple.com
/en-ca/HT209141Intel Adds Spectre/Meltdown Mitigation to 9th Generation CPUs https://www.bleepingcompu
ter.com/news/security/spe
ctre-and-meltdown-har ...
Risky Business Feature: Named source in "The Big Hack" has doubts about the story
1 week agoIn this podcast hardware security expert Joe Fitzpatrick, a named source in Bloomberg’s “Big Hack” piece, explains why he felt uncomfortable reading the story when it was published. He also provided Risky.Biz with emails he sent to Bloomberg, prior ...
DerbyCon Keynote 2018
1 week agoKeynote Keynote, Panel Discussion: At a Glance: Information Security Panelists: Ed Skoudis, John Strand, Lesley Carhart. Moderated by David Kennedy. Welcome to DerbyCon VIII! This year we have panelists from a number of different areas around INFOSEC. We ...
DerbyCon Ceremonies 2018
1 week agoOpening Ceremony 2018 Closing Ceremony 2018 The post DerbyCon Ceremonies 2018 appeared first on TrustedSec.
Adam Compton
1 week agoAdam Compton Track 3: Hillbilly Storytime: Pentest Fails Whether or not you are just starting in InfoSec, it is always important to remember that mistakes happen, even to the best and most seasoned of analysts. The key is to learn from your mistakes and ...
David Boyd
1 week agoDavid Boyd Track 2: Just Let Yourself In Everyone loves the ‘shiny blinky security hardware’. However, they don’t work as well if a user or your physical security is compromised. In this talk, I will be discussing three (3) different Security Awar ...
Jason Lang
1 week agoJason Lang Track 4: Victor or Victim? Strategies for Avoiding an InfoSec Cold War Is your internal red team withholding their TTPs from the defense? Defenders, are you constantly trying to “win” your pentests by fixing vulns on the fly? Have you be ...
Carlos Perez
1 week agoCarlos Perez Track 4: Disaster Strikes: A Hacker’s Cookbook Go back in time to September 21, 2017, after Hurricane Maria passed over Puerto Rico and two guys flew from Louisville Kentucky back to a disaster-stricken home island. No communications, no ...
Oddvar Moe
1 week agoOddvar Moe Track 1: #LOLBins – Nothing to LOL about! You have probably heard the term LOLBin, LOLSCript or LOLLib by now. Want to get more insights on that? Then this is the talk you want to attend. This talk will cover the Living Off The Land Binaries ...
DerbyCon 8.0 EVOLUTION TrustedSec Talks
1 week agoTrustedSec 2018 Speaker Line-Up Watch the recordings of all our consultants’ talks here: Oddvar Moe Carlos Perez Jason Lang David Boyd Adam Compton Founder and CEO David Kennedy also moderated the Keynote and was on the Opening and Closing Ceremony pan ...
DerbyCon 8.0 EVOLUTION TrustedSec Talks
1 week agoTrustedSec 2018 Speaker Line-Up Watch the recordings of all our consultants’ talks here: Oddvar Moe Carlos Perez Jason Lang David Boyd Adam Compton Founder and CEO David Kennedy also moderated the Keynote and was on the Opening and Closing Ceremony pan ...
Unpatched routers bad, doubly unpatched routers worse – much, much worse!
1 week agoTwo bugs can be four times the trouble! If you missed the last Microtik router patch, you're at risk, but if you're *two* patches behind ...
Attackers use voicemail hack to steal WhatsApp accounts
1 week agoThe Israeli National Cybersecurity Authority issued an alert warning that WhatsApp users could lose control of their accounts.
Phantom Secure CEO sold encrypted phones to drug cartels
1 week agoThe CEO of “uncrackable” phone seller, Phantom Secure, has pleaded guilty to helping drug sellers keep their business locked away from the eyes of law enforcement.
Seven Russian cyberspies indicted for hacking, wire fraud, ID theft
1 week ago"Bungling" Russian GRU operatives picked up by Dutch police, linked to OPCW and World Anti-Doping Agency hacks.
Fitbit data leads to arrest of 90-year-old in stepdaughter’s murder
1 week agoHer device recorded her heart rate slowing rapidly, then stopping about five minutes before her stepfather left the house.
Monday review – the hot 19 stories of the week
1 week agoFrom the iOS lockscreen bypass to Facebook using your 2FA phone number to target market you, and everything we wrote in between. Catch up with the news from the last seven days - it's weekly roundup time.
Ep. 110 – From SECTF to Pro SE with Whitney and Rachel
1 week agoSo many times we get asked how can you become a professional social engineer. This month we talk to two amazing women who where never in the industry, took a huge risk and it paid off. Join us in this fascinating conversa ...
ISC StormCast for Monday, October 8th 2018
1 week agoWPA2 Karck Attack Update https://www.krackattacks.
com/followup.html#overvie
wCisco Updates https://tools.cisco.com/s
ecurity/center/publicatio
nListing.x?product=Cisco&
amp;sort=-day_sir#~Vulner
abilitiesSeattle Police Tries to Stop SWATing https://www.seattle.gov ...
Risky Biz Soap Box: What's up with the ZDI these days?
1 week agoThe Soap Box podcast series is a wholly sponsored podcast series we do here at Risky.Biz – vendors pay to participate. This soap box edition is brought to you by Trend Micro. And in this edition we’re speaking with Dustin Childs who works for the Zer ...
Prison smuggler busted by his own drone camera
1 week agoIt turns out that drones advertised off the back of beautiful aerial shots also take great videos of murky drug dens.
Wi-Fi versions to get names people can actually understand
1 week agoThe high priests of Wi-Fi just made your life - and the lives of wireless network equipment vendors everywhere - a little easier.
Facebook doubles cooling off period to cash in on your FOMO
1 week agoFacebook has doubled its grace period because so many leavers are getting cold feet.
Google’s Intra app secures older Androids with encrypted DNS
1 week agoDNS encryption is the Next Big Thing in web encryption and Google doesn't want Android users to miss out.
ISC StormCast for Friday, October 5th 2018
1 week agoDoes the Chinese Military Manipulate Supermicro Motherboards? https://www.bloomberg.com
/news/articles/2018-10-04
/the-big-hack-amazon-appl
e-supermicro-and-beijing-
respondCloudflare IPFS Gateway Used For Phishing https://www.bleepingcompu
ter.com/news/securi ...
Risky Business feature: A podcast on Bloomberg's absolutely wild Supermicro story
2 weeks agoIn this podcast I interview Stephen Ridley about Bloomberg’s blockbuster – but so far uncorroborated – story about possible hardware supply chain subversion by the Chinese government. I also lay out some facts I’ve learned since the story broke. ...
Setting up a Mac for young children
2 weeks agoA step-by-step guide to preparing a Mac for young children.
Cop charged with selling phone tracking service on dark web
2 weeks agoA French police officer has been charged with using police intelligence data to power a mobile phone tracking service sold via the dark web.
Facebook finds “no evidence” attackers accessed third-party apps
2 weeks agoTo play it safe, it's building a tool to let developers manually identify any of their users who may have been affected by the big breach.
Super Evil - Enterprise Security Weekly #109
2 weeks agoThis week, Paul and John Strand interview Mike Gordover, iSenior Solutions Architect at ObserveIT! They discuss the current perception in the market of DLP, how ObserveIT’s solutions differ from traditional DLP, what challenges he faces when combating i ...
ISC StormCast for Thursday, October 4th 2018
2 weeks agoIdentifying a Phisher https://isc.sans.edu/foru
ms/diary/Identifying+a+ph
isher/24164/Phishing via Azure Blob Storage https://www.netskope.com/
blog/phishing-in-the-publ
ic-cloudZoho Domains Used for Phishing and Keyloggers https://cofense.com/stagg
ering-amou ...
Hack Naked News #191 - October 2, 2018
2 weeks agoThis week, Robocallers get huge fines for spoofing phone numbers, 100,000 home routers used for Brazilian hacking scam, 85 reasons to update your Adobe PDF software, 9 NAS bugs open LenovoEMC, 5 major Security updates for Chrome extensions, and Twitter ba ...
NSA staffer takes top-secret hacking tools home ‘to study’, gets 66 months
2 weeks agoNghia Hoang Pho may not have had malicious intent, but removal of the materials forced the NSA to abandon years of signals collection work.
Update now: Adobe fixes 85 serious flaws in Acrobat and Reader
2 weeks agoAdobe has released updates fixing a long list of security vulnerabilities discovered in the Mac and Windows versions of Acrobat and Reader.
Hacked Fortnite accounts and rent-a-botnet being pushed on Instagram
2 weeks agoThe gaming and hacking communities overlap: Some of the hacker accounts are offering botnet access as well as Fortnite accounts.
Google’s new rules for developers make Chrome extensions safer for all
2 weeks agoGoogle has announced a range of security changes to its Chrome browser that will make the use of extensions more secure.
Bring Yoga Pants - Application Security Weekly #34
2 weeks agoThis week, Keith and Paul talk about landing a job in Application Security! They discuss attending local meetups and conferences, practicing your coding skills, getting educated by World Class security researchers, doing your homework, and much more! In t ...
ISC StormCast for Wednesday, October 3rd 2018
2 weeks agoHow to Write Yara Rules https://isc.sans.edu/foru
ms/diary/Developing+YARA+
Rules+a+Practical+Example
/24158/GhostDNS DNS Changer Malware https://blog.netlab.360.c
om/70-different-types-of-
home-routers-all-together
-100000-are-being-hijacke
d-by-ghostdns-en/Fox ...
SN 683: The Facebook Breach
2 weeks agoThis week we discuss yet another treat from Cloudflare, the growing legislative battle over Net Neutrality, the rise of Python malware, Cisco's update report on the VPNFilter malware, still more Chrome controversy and some placating, the rapid exploitatio ...
Risky Business #516 -- The Facebook breach, e2e VOIP court verdict, Uber's record fine and more
2 weeks agoThis edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news: Facebook breach impacts 50m accounts US courts deny authorities’ attempted FB messenger wiretap Uber fined $148m for nondisclosure of 2016 breach ...
The Facebook dilemma – stick it out or pack it in? [PODCAST]
2 weeks agoIt's been a while but we're back at the microphone - here's Episode 5 of the Naked Security podcast.
Hackers demand ransom from hijacked Instagram influencers
2 weeks agoHackers are taking over high-profile Instagram users’ accounts and holding them to ransom, revealed reports this week.
Lock screen bypass already discovered for Apple’s iOS 12
2 weeks agoApple’s iOS 12 is barely out of the gates and already someone has found a way to beat its lock screen security to access a device’s contents.