Chrome OS to block USB access while the screen is locked

Google takes steps to protect Chromebooks from some types of physical access attacks.

Know Where You're Putting Your Tool - Paul's Security Weekly #587

This week, we welcome Vaughn Adams, Enterprise Sales Engineer at LogRhythm! Vaughn will be talking about using freely available tools and logs you are already collecting to detect attacker behavior! In our second segment, we have a Round Table discussion entitled "What the Heck Are Security Basics?", to talk about what should organizations be doing to meet the basic security requirements, and much more! In our final segment, we air a pre-recorded interview with Mandy Logan on "Hacking the Brainstem", her trip through recovery, and how she came to love Information Security!

 

Full Show Notes: https://wiki.securityweekly.com/Episode587

Visit https://www.securityweekly.com/psw for all the latest episodes!

To get involved with LogRhythm, go to: www.securityweekly.com/logrhythm

Support Mandy by going to her GoFundMe Page: https://www.gofundme.com/hacking-recovery-brainstem-stroke

 

Visit https://www.activecountermeasures/psw to sign up for a demo or buy our AI Hunter!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Researcher publishes proof-of-concept code for creating Facebook worm

One group has already been abusing this issue to post spam on users' Facebook walls.

India authorizes 10 agencies to intercept, monitor, and decrypt citizens' data

Order sparks outrage in India with citizens, privacy advocates, and political opponents accusing the government of trying to establish a "surveillance state."

Chinese websites have been under attack for a week via a new PHP framework bug

PoC for ThinkPHP security flaw sparks furious scans for vulnerable sites, most of which are based in China.

My Comfort Blanket - Enterprise Security Weekly #120

This week, Paul, John Strand, and Matt Alderman talk the Enterprise News, which includes TPG in early talks to sell McAfee to Thoma Bravo, Bitdefender offers new managed threat monitoring service, Symantec and Fortinet partner to deliver robust and comprehensive Cloud Security Service, and Untangle partners with Malwarebytes to bring Layered Security to SMBs! In our final segment of the year, Paul brings you his personal Top Ten List for 2018 including his favorite acquisitions, breaches, vulnerabilities, interviews, attack tools, news articles, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ES_Episode120

Visit https://www.securityweekly.com/esw for all the latest episodes!

Visit https://www.activecountermeasures/esw to sign up for a demo or buy our AI Hunter!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Five other countries formally accuse China of APT10 hacking spree

Australia, Canada, Japan, New Zealand, and the UK also point the finger at the Beijing government. Germany expected as well.

Caribou Coffee chain announces card breach impacting 239 stores

Almost 40 percent of the company's coffee stores impacted by breach of its POS system.

Law enforcement shut down DDoS booters ahead of annual Christmas DDoS attacks

Law enforcement launch preemptive strike to shut down some of the DDoS services that may be abused to attack gaming services over the Christmas holiday.

US charges two Chinese nationals for hacking cloud providers, NASA, the US Navy

The two Chinese nationals were members of the infamous APT10 cyber-espionage group, DOJ said.

Nokia denies leaking internal credentials in server snafu

Security researcher finds treasure trove of passwords and API keys on an internet-accessible etcd database.

Researcher publishes PoC for new Windows zero-day

This is the third Windows zero-day the researcher dumps online in the last five months.

Hacker spoofing bypasses 2FA security in Gmail, targets secure email services

Updated: Google, Yahoo, and ProtonMail accounts are being targeted in a new wave of phishing attacks.

Microsoft releases security update for new IE zero-day

Microsoft releases out-of-band security update for Internet Explorer zero-day discovered by Google threat analysts.

Chinese hackers tap into EU diplomatic communications network

The critical COREU network in the bloc has been reportedly compromised by a state-sponsored Chinese hacking group, leading to the theft of internal cables.

Shamoon data-wiping malware believed to be the work of Iranian hackers

Researchers say the Iranian hacker group APT33 is responsible for recent attacks in the Middle East and Europe.

New attack intercepts keystrokes via graphics libraries

Attack can guess text input from both hardware and on-screen keyboards alike.

This business email scam spreads Trojans through Google Cloud storage

Financial firms and services are being actively targeted in the UK and US.

Hackers have earned $1.7 million so far from trading data stolen from US gov payment portals

User payment data was stolen from local Click2Gov government systems in US cities.

Facebook defends giving tech giants access to extensive user data

In a story which unfortunately just keeps giving, Facebook has yet again awarded us with a privacy scandal worthy of note.

Watch researchers remotely brick a server by corrupting its BMC and UEFI firmware

Attack is only a proof-of-concept, but one that can be as damaging as ransomware or disk-wiping malware.

In Flames - Application Security Weekly #44

This week, Keith and Paul interview Harry Sverdlove, CTO and Founder of Edgewise! Harry joins us to discuss what Edgewise does in the AppSec world, segmentation, cloud migration, trying different architectures, and more! In the Application Security News, Facebook bug exposed private photos of 6.8 million users, thousands of Jenkins servers will let anonymous users become admins, Signal app can't include a backdoor for the Australian government, WordPress plugs bug that led to Google indexing some user passwords, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode44

To get involved with Edgewise, go to: https://www.edgewise.net/securityweekly

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

Visit our website: https://www.securityweekly.com

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Follow us on Twitter: https://www.twitter.com/securityweekly

NASA discloses data breach

Hack took place in October 2018. Agency still doesn't know the number of impacted employees.

Hack Naked News #201 - December 18, 2018

This week, when meme's attack, how Google's taking steps to secure Kubernetes, suggestions for last minute Holiday IT gifts, Twitter fixes bug that exposed data, and how WordPress was targeted with clever SEO Injection Malware! Ed Sattar from Quickstart joins us for expert commentary on how to optimize your cyber security investment to maximize ROI, and more!

 

Full Show Notes: https://wiki.securityweekly.com/HNNEpisode201

Visit https://www.securityweekly.com/hnn for all the latest episodes!

Visit https://www.activecountermeasures/hnn to sign up for a demo or buy our AI Hunter!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

DOD doesn't keep track of duplicate or obsolete software

July 2018 memorandum says DOD has yet to report over 30 percent of its software inventory.

Researchers slam Hola VPN over absent encryption, user IP leaks

Updated: Trend Micro users will now receive a warning over the use of Hola as "unwanted" and risky software.

The Mistake People Make - Business Security Weekly #111

This week, Matt and Paul interview Bob Ackerman, a legend in venture capital investing, and is referred to as one of "Cyber's Money Men". Bob is also the Founder and Managing Director of venture capital firm AllegisCyber! In the Leadership Articles, Matt and Paul discuss how to be productive during the holiday season, how to work from home without losing your mind, how to talk to your boss when you’re underperforming, selling your product as you build it, and more!

 

Full Show Notes: https://wiki.securityweekly.com/BSWEpisode111

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Visit https://www.activecountermeasures/bsw to sign up for a demo or buy our AI Hunter!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Nuggets of Learning - Paul's Security Weekly #586

This week, how Taylor Swift used Facial Recognition to thwart stalkers, unlocking Android phones with a 3D printed head, Ticketmaster fails to take responsibility for malware, and it's December of 2018, to Hell with it, just patch your stuff already! In our first interview, we welcome back Ed Skoudis, Founder of the Counter Hack Challenge and Kringle Con 2018! Ed joins us on the show to talk about this years challenge and what's in store! In our final interview, we welcome back Don Murdoch, the Assistant Director at Regent University Cyber Range! Don joins us this week to discuss his book, "Blue Team Handbook: Incident Response Edition", and more!

 

Full Show Notes: https://wiki.securityweekly.com/Episode586

Visit https://www.securityweekly.com/psw for all the latest episodes!

Join KringleCon 2018: www.kringlecon.com

 

Visit https://www.activecountermeasures/psw to sign up for a demo or buy our AI Hunter!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

New machine learning algorithm breaks text CAPTCHAs easier than ever

Algorithm tested against the text CAPTCHA systems used on 33 popular websites.

Google announces crackdown on Play Store ratings and reviews

Company said it removes millions of Play Store reviews and ratings on a weekly basis.

WSJ website defaced by PewDiePie fan in ongoing YouTube subscribers battle

Hacker posts apology on WSJ site and then urges users to follow the YouTube star.

Twitter discloses suspected state-sponsored attack

Twitter says data leak occurred after an attack targeting a vulnerability in its support form system.

Insider awarded $10,000 bounty for reporting enterprise software piracy

It is no longer just the average consumer that might wind up in court for using pirated software.

PewDiePie printer hacker strikes again: subscribe and sort out your security

The attacker told users to sort out their printer security -- and subscribe to the vlogger "overlord," too.

US ballistic missile systems have very poor cyber-security

DOD report finds no antivirus, no data encryption, no multifactor authentication.

Thousands of Jenkins servers will let anonymous users become admins

Two vulnerabilities discovered and patched over the summer expose Jenkins servers to mass exploitation.

'Bomb threat' scammers are now threatening to throw acid on victims

Bomb threat extortion campaign yielded less than $1 for the spammers.

SQLite bug impacts thousands of apps, including all Chromium-based browsers

New 'Magellan' vulnerability will haunt the app ecosystem for years to come.

Bing recommends piracy tutorial when searching for Office 2019

Oh, Bing! Not again!

Facebook bug exposed private photos of 6.8 million users

Up to 1,500 apps built by 876 developers could have had accessed the private photos of 6.8 million users.

Signal: We can't include a backdoor in our app for the Australian government

The Signal app's design and open source code policy makes this impossible.

Fancy Bear exploits Brexit to target government groups with Zebrocy Trojan

A number of former USSR nation states are also on the target list.

Cigarettes & Malleable Toothbrushes - Enterprise Security Weekly #119

This week, Paul and John Strand interview John Bradshaw, Senior Director and Solutions Engineer at Acalvio Technologies, to talk about 5 Tenets of Enterprise Deception! In the Enterprise News this week, NopSec announces the latest release of its flagship product, Minerva Labs Anti-Evasion Platform Achieves VMware Ready Status, SecurityScorecard Announces Partnership with Cybernance to Drive Holistic View of Cyber Risk Across the Enterprise, and we have some acquisition and funding updates from Venafi, WhiteFox, and Pindrop!

 

Full Show Notes: https://wiki.securityweekly.com/ES_Episode119

Visit https://www.securityweekly.com/esw for all the latest episodes!

Visit https://www.activecountermeasures/esw to sign up for a demo or buy our AI Hunter!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Trump, Google, United Nations are among 2018's worst password offenders

Some of the biggest names in politics and tech are responsible for this year's worst security gaffes.

Save the Children Foundation duped by hackers into paying out $1 million

The fraudsters broke into an email account to launch an elaborate scheme designed to scam the charity.

Logitech app security flaw allowed keystroke injection attacks

Google security researchers shame Logitech into releasing security update for insecure app.

Extortion emails carrying bomb threats cause panic across the US

Police in New York, Chicago, Detroit, San Francisco, and Washington tell Americans to stay calm.

Twitter says it receives half a million of spam reports per month

Twitter's latest Transparency Report also shows a rise in government requests for user data.

Shamoon malware destroys data at Italian oil and gas company

About a tenth of Saipem's IT infrastructure infected with infamous data-wiping Shamoon malware.

AriseBank execs forced to pay $2.7 million to settle SEC charges of cryptocurrency fraud

The organization claimed to operate a unique, decentralized bank via the blockchain.

WordPress plugs bug that led to Google indexing some user passwords

WordPress 5.0.1 also fixes seven security vulnerabilities.

Bug allowed full takeover of Samsung user accounts

Samsung awards researcher a $13,300 reward for finding three CSRF issues on its user portal.

Rhode Island sues Google after latest Google+ API leak

Google sued within a day after announcing latest Google+ API leak.

Many of 2018's most dangerous Android and iOS security flaws still threaten your mobile security

Bypassing passcodes, malware-laden apps, and inherent design flaws exposing almost all known mobile devices made up part of the security problems found in iOS and Android.

Ships infected with ransomware, USB malware, worms

Ships are the victims of cyber-security incidents more often than people think. Industry groups publish cyber-security guidelines to address issues.

Former Mt. Gox CEO could face 10 years behind bars in embezzlement case

Prosecutors are gunning for a lengthy prison sentence. Mark Karpeles has denied stealing investor funds.

Top Secret - Application Security Weekly #43

This week, Keith and Paul interview Chris Elgee, the Technical Engineer at Counter Hack Challenges! Chris joins Keith and Paul this week to talk about the Counter Hack Challenge, how it’s been working on the challenge vs. playing it, and more! In the Application Security News, Kubernetes instances are being hijacked worldwide, malicious sites abuse 11-year old Firefox bug that Mozilla failed to fix, Google is on a Witch Hunt for Internal Leakers, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode43

Visit https://www.securityweekly.com/asw for all the latest episodes!

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

China blamed for Marriott data breach

500 million customers were impacted. Investigators believe that state-sponsored Chinese hackers are to blame.

Firefox 64 released with a Windows-like task manager

Firefox 64 also comes with support for multi-tab selections and final distrust of all Symantec SSL certificates.

US border agents aren't deleting travelers' data after device searches

In addition, CBP agents also didn't carry out any software-assisted searches for more than seven months because a manager forgot to renew a license agreement.