Inside Security (Dec 1st, 2017)

David’s Take

If you aren't yet a Premium subscriber, you missed yesterday's analysis of new Webex vulnerabilities and what you should do about them. Go to our Premium page and sign up; subscription plans start at $10/month, with multiple newsletters and corporate plans available. Premium subscribers get an additional Thursday newsletter, usually with a single analysis topic.

I am glad to promote one woman’s efforts to highlight female coders and their contributions to our industry. Check out graphics engineer Stephanie Hurlburt’s Twitter feed for some of the stories.

Finally, my favorite year-end security report today is “The State of Open Source Security,” the results of a survey of 500 open source users combined with internal data from Snyk and scans of various GitHub repositories. Sadly, almost half of the code maintainers never audit their code, and fewer than 17 percent feel they have high security knowledge. Code vulnerabilities are on the rise for open source projects but not for Red Hat Linux. Last year, two-thirds of Red Hat vulnerabilities were fixed within a day of public disclosure.

-- David Strom, editor of Inside Security

Top Story: macOS vulnerability

The week’s top story is certainly a nasty bug in macOS 10.13 (High Sierra) that lets anyone enable the built-in root account with an empty password: type “root” as the user name at an authentication prompt, leave the password blank, and try again. It was announced on Tuesday by Lemi Orhan Ergin, a security researcher in Turkey, via this tweet. The root account is disabled by default, and the bug affects only this OS version. Early reports incorrectly stated that the vulnerability was limited to users with physical access to the computer: Tenable researchers found that it could be triggered over the SSH and VNC remote access protocols as well. Apple issued instructions on how to avoid the flaw here. Many corporate Macs have these protocols enabled, so it is worth reviewing what Tenable found and how to prevent the attack. One thing this flaw highlighted is that there are numerous system-level accounts that are not visible (see screencap) in the System Preferences/Users & Groups dialog. Another issue is how the vulnerability was disclosed (see our “Just for fun” entry below).
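
As an added example (this is not code from Inside Security, Apple or Tenable), here is a small POSIX sh audit for the exposure described above. It lists the system accounts that Users & Groups hides, reports whether root currently has an authentication authority (meaning the account is enabled, whether by an administrator or by the empty-password bug), and flags the remote paths Tenable described: Remote Login (SSH) and Screen Sharing (VNC). The parsing functions take command output as an argument, so they run on any sh against the constructed samples below; audit_live runs the real macOS commands and assumes dscl, systemsetup and launchctl behave as on a stock 10.13 system, that accounts with UniqueID below 500 are the hidden ones, and that Screen Sharing registers with launchd as com.apple.screensharing. Run audit_live with sudo, since systemsetup needs administrator access.

```shell
#!/bin/sh
# Added example, not Inside Security's, Apple's or Tenable's code.
# Audit a High Sierra host for the root/empty-password exposure.

# List accounts that System Preferences > Users & Groups does not show.
# Input: output of `dscl . -list /Users UniqueID` ("name uid" per line).
# Assumption: the default behaviour of hiding UniqueIDs below 500 is in effect.
hidden_accounts() {
    printf '%s\n' "$1" | awk '$2 < 500 { print $1 }'
}

# Classify root from `dscl . -read /Users/root AuthenticationAuthority` output
# (stdout and stderr merged). A never-enabled root has no such key; an enabled
# root, including one enabled by the empty-password bug, carries a ShadowHash
# entry. Anything else needs a human look, so it is reported as "unknown".
root_state() {
    case "$1" in
        *ShadowHash*)    echo enabled ;;
        *"No such key"*) echo disabled ;;
        *)               echo unknown ;;
    esac
}

# Return 0 when `systemsetup -getremotelogin` reports SSH as switched on.
remote_login_on() {
    case "$1" in
        *"Remote Login: On"*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Constructed sample output, not captured from a real machine.
SAMPLE_USERS='_mbsetupuser 248
_spotlight 89
daemon 1
nobody -2
root 0
alice 501'
SAMPLE_ROOT_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ROOT_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_SSH_ON='Remote Login: On'

# Run the real checks. macOS only; run with sudo so systemsetup can answer.
audit_live() {
    [ "$(uname)" = Darwin ] || { echo "audit_live: run this on macOS" >&2; return 2; }
    echo "Accounts hidden from Users & Groups:"
    hidden_accounts "$(dscl . -list /Users UniqueID)"
    echo "root account: $(root_state "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)")"
    if remote_login_on "$(systemsetup -getremotelogin 2>/dev/null)"; then
        echo "Remote Login (SSH) is ON: an enabled root with an empty password is reachable remotely"
    fi
    # Assumption: Screen Sharing is loaded into launchd's system domain under this name when on.
    if launchctl print system/com.apple.screensharing >/dev/null 2>&1; then
        echo "Screen Sharing (VNC) is ON"
    fi
    echo "Remediation: install Apple's Security Update 2017-001 (see: softwareupdate -l);"
    echo "until it is installed, set a real root password (sudo passwd root) and"
    echo "turn off Remote Login and Screen Sharing where they are not needed."
}

# Uncomment on a macOS host:
# audit_live
```

The three parsers are deliberately split out from audit_live so the same logic can be dropped into a fleet-management script that collects `dscl` and `systemsetup` output centrally and evaluates it off-box.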

Attacks and vulnerabilities

Researchers are tracking a new remote access Trojan dubbed UBoatRAT that targets individuals linked to South Korea or the video game industry. The threat is still evolving: new variants appear frequently, each adopting new evasion techniques. It is distributed via Google Drive links and uses the Windows Background Intelligent Transfer Service (BITS) to persist across reboots. -- PALO ALTO UNIT42

HP has issued firmware patches to fix a security flaw that allowed remote code execution on enterprise-grade printers. Researchers found flaws in the MFP 586 and M553 models that let them upload their own firmware to the devices. -- ZDNET

There are over 1,300 cryptocurrencies today, with a wide range of mobile apps to use them and more than 2,000 such apps listed in the Google Play Store. High-Tech Bridge used one of its analysis tools to test these apps for OWASP Mobile Top 10 risks and found that almost all of them had several vulnerabilities. A majority of the 30 apps with more than 100k installs had no security controls on their backends and could expose users’ private information. – HIGH-TECH BRIDGE BLOG

Tools

Some handy tips for those of you traveling in the near future: beware of RFID attacks, especially against the badges used for physical access control. This post describes how easily some of these attacks can be carried out, and how to avoid them. – SECURITY INTELLIGENCE

The Docket

Australian researcher Troy Hunt testified before Congress this week about data breaches. His written testimony, along with video of the questioning, can be found here. He notes that there is an active market for trading the data from these breaches. – TROY HUNT BLOG

Reports

Kaspersky’s “story of the year” should have been Kaspersky itself, but instead the company gives ransomware the slot, saying it has suddenly and spectacularly evolved. A look back at how things have changed with WannaCry, Petya and Bad Rabbit. -- SECURELIST

Here is a very cogent analysis of what Uber did wrong in its breach response (delayed notification, access credentials stored in a GitHub repository) and what it should have had in place: stronger access controls, better approval workflows, a policy of keeping credentials out of source repositories, and compartmentalized data access. – DARK READING

The first installment of a planned three-part series on the impact of people on cybersecurity looks promising. As the cost of launching malware attacks drops and the skills required become minimal, “pretty much anyone who is motivated can get into the cybercrime business." We need to start thinking about people as part of the solution, not part of the problem. – CA BLOG

If you are looking for a set of IoT baseline security recommendations, this report is a great starting place. Along with an IoT threat timeline (shown below), it provides insight into the security requirements of IoT, mapping critical assets and relevant threats, assessing possible attacks, and identifying good practices and security measures to protect IoT systems. – ENISA REPORT

Just for fun

Yes, perhaps this would have been a better way to go about telling the world about the macOS password issue. – TODD MOREY @ TWITTER
