“Dunkin” Donuts, Microsoft, & Marijuana – Paul’s Security Weekly #584

Hackers breach Dunkin Donuts, how insiders are serious threats to security in an organization, the return of email flooding, Microsoft helps police shut down fake tech support in India, and how Las Vegas police are cracking down on Black Market marijuana sales!

Paul’s Stories

  1. Insiders Are Serious Threats to Cybersecurity in an Organization – Workforce – No amount of training, however, will stop a disgruntled employee with ill intent, or a malicious employee who wants to cause harm to do damage.
  2. Kubernetes Security – Are your Container Doors Open?
  3. Netflix Information Security: Preventing Credential Compromise in AWS
  4. Hackers Breach Dunkin Donuts Accounts in Credential Stuffing Attack
  5. The Return of Email Flooding – In addition to hacktivism, email flooding is now being used as a smokescreen for more dangerous phishing techniques such as business email compromise, spearphishing and malware. Criminals use the email flood to distract victims and to exhaust security resources while they perpetrate fraudulent transactions. By the time the targeted person or organization clears the clutter and discovers the legitimate emails notifying them of account changes or suspicious activity, the attackers have made off with the funds.
  6. Researchers Introduce Smart Greybox Fuzzing | SecurityWeek.Com – In coverage-based greybox fuzzing, the fuzzer is provided a seed file and it randomly flips, deletes, copies or adds bits in order to generate new files that can be parsed by the tested library in order to find potential vulnerabilities. The problem, however, is that in the case of complex file formats, bit flips do not generate valid files. The researchers have overcome this challenge by defining what they call “innovative mutation operators” that work on the virtual file structure rather than the bit level, which helps ensure that files remain valid.
  7. Announcing the Google Security and Privacy Research Awards
  8. Sennheiser Debacle: The Consequences of Poorly Secured Certificates – Security Boulevard – The Sennheiser software in question was used to set up and manage softphones that allow users to make phone calls on a computer instead of using a physical phone. To do this, the company needed its headphones and speaker phones to work seamlessly with a computer. And the way they did that was by establishing an encrypted Websocket with a browser. That process involved installing a self-signed TLS certificate in the operating system’s trust store, the central place where browser-trusted root CA certificates are stored.
  9. Las Vegas police crack down on black market pot sales – Hrm… Calhoun did not immediately have the statistics to compare illegal activity related to marijuana before and after the start of recreational sales. However, police said in the last year, detectives seized 457 pounds of THC oil, which is up 65 percent from the year before. Detectives also seized 300 pounds of marijuana wax, which is up 60 percent.
  10. 5 ways open source software companies make money | Timescale – From analyzing successful open-source companies today, five common business models emerge: Support, Hosting, Restrictive licensing, Open-core, Hybrid licensing
  11. 5 ways to better educate developers on application security | TechBeacon – Yet, with most schools teaching advanced computer science concepts in years three and four, getting students up to speed in security is difficult, because a security focus can quickly turn digestible lessons into major projects. “You can make things massively more complicated. Even the typical ‘Hello, World’—your basic application—turning that into ‘Hello, Secure World’ is hundreds of lines. You have turned a very simple introduction into a massive process.” —Jeff Williams
  12. China’s pornography laws are a backdoor for censorship
  13. Massage app data breach reveals which clients asked for sexual favors – This will not be a happy ending: A massage app recently left its database containing 309,000 customer profiles exposed to the public, including information about clients who have been accused of sexual misconduct. (and yes, I really added this story just so I could make that joke…)
  14. Autonomous cyber defences are the future: Richard Stiennon | ZDNet – That means autonomous security orchestration handling everything from detecting an intrusion as early as possible, deciding how to respond, identifying and isolating infected machines, and pushing out updates for firewall rulesets, network segmentation, and access controls. “That’s a scary prospect for most of us. Most of our processes we don’t trust that much, but we have to, to get to the point where we can trust that we can defend ourselves in that automatic way.”
  15. Microsoft Helps Police Shut Down Fake Tech-Support Centers in India – The company also told the Times that Microsoft spots about 150,000 pop-up ads related to the scams every day. To fight back, the company has been dedicating resources to help authorities track down fake call centers in India, where the company says many fake tech support scams are based.
  16. Home Routers Under Attack by NSA-Spawned Malware: What to Do – Cybercriminals have learned how to take advantage of the UPnP protocols on older routers and get past the routers to directly attack Windows PCs on home and small-business networks. Akamai has dubbed this flaw “UPnProxy.” The most recent slew of attacks comes from an exploit that Akamai calls “EternalSilence” in a nod to the NSA-developed “Eternal” family of malicious code injections.

Larry’s Stories

  1. Data Exfil via Smart Bulbs
  2. Italian authorities have no idea who hacked Hacking Team
  3. From the “No Shit, Really?” Department, Russian hackers haven’t stopped probing the US Power Grid…
  4. Two Iranians indicted in SamSam attacks on the city of Atlanta
  5. Microsoft fesses up about what caused their MFA outage

Jeff’s Stories

  1. Amazon Suffered a Data Breach Before Black Friday

Full Show Notes

Follow us on Twitter: https://www.twitter.com/securityweekly

Jeff Man – Sr. InfoSec Consultant, Online Business Systems.
Larry Pesce – Senior Managing Consultant and Director of Research, InGuardians.
Not Kevin – Senior Sales Engineer, Barkly.
Lee Neely – Senior Cyber Analyst, Lawrence Livermore National Laboratory.
Carlos Perez – Principal Consultant, Team Lead for Research, TrustedSec.
Paul Asadorian – CEO, Security Weekly.