Inside | Real news, curated by real humans
Inside Security

Inside Security (Dec 1st, 2017)

David’s Take

If you aren't yet a Premium subscriber, you missed yesterday's analysis about new Webex vulnerabilities and what you should do about it. Go to our Premium page and sign up; subscription plans start at $10/month, with multiple newsletters and corporate plans available. Premium subscribers get an additional Thursday newsletter, usually with a single analysis topic.

I am glad to promote one woman’s efforts to highlight female coders and their contributions to our industry. Check out graphics engineer Stephanie Hurlburt’s Twitter feed for some of the stories.

Finally, my favorite year-end security report today is “The State of Open Source Security,” the results of a survey of 500 open source users combined with internal data from Snyk and scans of various GitHub repositories. Sadly, almost half of the code maintainers never audit their code, and less than 17 percent feel they have high security knowledge. Code vulnerabilities are on the rise for open source projects but not for Red Hat Linux. Last year, two-thirds of Red Hat vulnerabilities were fixed within a day of public disclosure.

-- David Strom, editor of Inside Security

Top Story: MacOS vulnerability

The week’s top story certainly is a nasty bug in the latest version 10.13 (also called High Sierra) of MacOS that allows attackers to create a root account with an empty password. It was discovered on Tuesday by Lemi Ergin, a security researcher in Turkey, and announced via this Tweet. The root account is disabled by default, and the bug is only relevant to this OS version. Early reports incorrectly stated that the vulnerability was limited to users who had physical access to the computer. Apple issued instructions on how to avoid this flaw here. And Tenable researchers found that the flaw could be exploited remotely over the SSH and VNC remote access protocols. Many corporate Macs have these protocols enabled, so it is worth reviewing what they found and how to prevent the attack. One thing this flaw highlighted is that there are numerous system-level accounts that are not immediately visible (see screencap) in the System Preferences/Users & Groups dialogs. Another issue: how this vulnerability was disclosed (see our “Just for fun” entry below).
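As an added example (not code from Inside Security, Apple or Tenable), here is a small POSIX shell script for the review the story recommends: it lists the local accounts that the Users & Groups pane does not show. It assumes the output format of macOS's `dscl . -list /Users UniqueID` (account name and numeric UID per line) and the macOS convention that accounts with a UID below 500 are hidden from that pane; when `dscl` is not available, it runs against constructed sample output embedded in the script so it stays runnable elsewhere.

```shell
#!/bin/sh
# Added example: enumerate local macOS accounts hidden from System Preferences > Users & Groups.
# Assumption: the pane hides accounts with UID < 500 (system/service accounts such as root, daemon, _www).

# Constructed sample of `dscl . -list /Users UniqueID` output (not captured from a real machine),
# used as a fallback when dscl is not installed.
SAMPLE_DSCL_OUTPUT='_www              70
daemon            1
nobody            -2
root              0
alice             501
bob               502'

# hidden_accounts: read "name uid" lines on stdin, print the names whose uid is below 500,
# one per line, in byte order (LC_ALL=C keeps underscore-prefixed names sorted predictably).
hidden_accounts() {
    awk '$2 < 500 { print $1 }' | LC_ALL=C sort
}

# live_hidden_accounts: query the local Directory Service on macOS; elsewhere fall back to
# the constructed sample above.
live_hidden_accounts() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -list /Users UniqueID | hidden_accounts
    else
        printf '%s\n' "$SAMPLE_DSCL_OUTPUT" | hidden_accounts
    fi
}

# Print the hidden accounts; on a real Mac, compare this list against what the pane shows
# and against your baseline for that build.
live_hidden_accounts
```

On a macOS host, the `dscl` branch runs; anywhere else the script prints the four hidden names from the constructed sample (`_www`, `daemon`, `nobody`, `root`). Any account in the output that is not in your expected baseline for that OS build is worth a closer look.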

Attacks and vulnerabilities

Researchers are tracking a new remote access Trojan dubbed UBoatRAT that is targeting individuals linked to South Korea or the video game industry. The threat is evolving, with new variants being created frequently that adopt new evasion techniques. It distributes itself through Google Drive and uses the Windows Background Intelligent Transfer Service to persist across reboots. -- PALO ALTO UNIT42

HP has issued firmware patches to fix a security flaw that allowed attackers to perform remote code execution attacks on enterprise-grade printers. Researchers found flaws in the MFP 586 and M553 models that let them upload their own firmware. -- ZDNET

There are over 1,300 cryptocurrencies today, with a wide range of mobile apps to use them; 2,000 of these apps are listed in the Google Play Store. High-Tech Bridge used one of its analysis tools to test these apps for OWASP risks, and found almost all of them had several vulnerabilities. A majority of the 30 apps with more than 100k installs didn’t have any backend security and could jeopardize private information. – HIGH-TECH BRIDGE BLOG

Tools

Some handy tips for those of you who will be traveling in the near future: beware of RFID hacks, especially when it comes to physical access controls. This post describes how easily some of these scams can happen, and how to avoid them. – SECURITY INTELLIGENCE

The Docket

Aussie researcher Troy Hunt was testifying in Congress this week about data breaches. His written testimony, along with video of the questioning from Congress, can be found here. He mentions that there is an active trading scene in exchanging data from these breaches. – TROY HUNT BLOG

Reports

Kaspersky’s “story of the year” should have been itself, but instead they give ransomware the slot, saying it has suddenly and spectacularly evolved. A look back at how things have changed with WannaCry, Petya and BadRabbit. -- SECURELIST

Here is a very cogent analysis of what Uber did wrong with its breach response (delayed notification) and what it has changed since: stronger access controls, better approval workflows, no longer storing access credentials in GitHub, and compartmentalizing data access. – DARK READING

This first of a potential three-part series looks promising, exploring the impact of people on cybersecurity. As the cost to launch malware attacks drops and the skills required become minimal, “pretty much anyone who is motivated can get into the cybercrime business.” We need to start thinking about people as part of the solution, not part of the problem. – CA BLOG

If you are looking for a set of IoT baseline security recommendations, this report is a great starting place. Along with an IoT threat timeline (shown below), it provides insight into the security requirements of IoT, mapping critical assets and relevant threats, assessing possible attacks and identifying potential good practices and security measures to protect IoT systems. – ENISA REPORT

Just for fun

Yes, perhaps this would have been a better way to go about telling the world about the MacOS password issue. – TODD MOREY @ TWITTER

Many thanks to Inside Security's corporate supporters. Please go check them out!

Endgame

Endgame's endpoint security platform protects the world’s largest organizations from targeted attacks, eliminating the time & cost associated with incident response. Learn more

Nok Nok Labs has the ambition to transform authentication by unifying it into one standard protocol, giving businesses the control they need. Learn more

Invest in Ring4, the 2nd phone number startup that was voted best product on ProductHunt.

HackerOne is the #1 hacker-powered security platform for finding critical vulnerabilities.
