CNAME Collusion – Seven Exchange 0-Days, Firefox Enhanced Tracking Protection, SolarWinds Password

Seven Exchange 0-days, Firefox Enhanced Tracking Protection, SolarWinds Password.

• Chrome to default to trying HTTPS first when not specified.
• Firefox’s “Enhanced Tracking Protection” just neutered 3rd-party cookies!
• As easy as “SolarWinds123”.
• Rockwell Automation’s CVE-2021-22681 is a CRITICAL 10 out of 10.
• VMware’s vCenter troubles.
• SpinRite update.
• Microsoft issues emergency patches for 4 exploited 0-days in Exchange.
• CNAME Collusion.

Are Passwords Immortal? – Security Now 690

Pwn2Own, the Future of Passwords.
— All the action at last week’s Pwn2Own Mobile hacking contest
— The final word on processor mis-design in the Meltdown/Spectre era
— A workable solution for unsupported Intel firmware upgrades for hostile environments
— A forthcoming Firefox breach alert feature
— The expected takeover of exposed Docker-offering servers
— The recently announced successor to the recently ratified HTTP/2
— 1.1.1.1 errata
— The future of passwords: a thoughtful article written by Troy Hunt, the creator of the popular “Have I Been Pwned” web service

We invite you to read our show notes.

Hosts: Steve Gibson, Leo Laporte

Updates for Spectre and Meltdown

Jason Howell and Megan Morrone talk to Ed Bott from the Ed Bott Report on ZDNet about what every Windows Admin needs to know about Spectre and Meltdown and four steps to keeping a level head during this vulnerability and the next. Plus, what might have happened if the update had been able to come out on Microsoft’s Patch Tuesday as planned, instead of being rushed because of the embargo breach.

This Week in Tech 648: Distracted by the Robots

The best explanation for the Meltdown and Spectre computer flaws comes from a comic strip. Apple eats crow over slowing iPhones. Magic Leap might not be vaporware after all – will this lead to the death of smartphones? CES 2018 predictions. Prediction #1: no Ajit Pai. SWATting death: who is to blame? Border agents’ phone searches are way up just as new rules limiting searches are drafted. Please stop giving this man money: Juicero founder now hawking bacteria-filled “raw water.”

This Week in Tech 625: Walking to the Bodega

Apple pays $506 million and €1.7 billion for patent infringements. Trump says that Apple will build 3 big plants in the US; Apple declines to comment. Apple kills the iPod Nano and Shuffle. Coders aren’t happy about the new spaceship campus. Amazon, Alphabet, and Twitter stocks slide after earning reports, but Facebook is flying high. Your Roomba is NOT spying on you. Sweden leaks private info of all its citizens. Hackers crack safes, pwn voting machines, and inject code into mice at DEF CON. Flash is finally dying – in 2020. Everything you ever wanted to know about the upcoming Bitcoin split but were afraid to ask.

–Alex “Will” Wilhelm sleeps in Leo’s parents’ bedroom.
–Mike Murphy was NOT bought by Steve Jobs’ widow this week.
–Steve Kovach can see the Empire State Building right now.

This Week in Tech 614: $46 at the Piggly Wiggly

The WannaCry ransomware attack is far from over. Amazon introduces the Echo Show – will the touchscreen voice assistant/videophone flop? Microsoft announces their own voice assistant, the Cortana Speaker. The US plans to ban laptops on flights from Europe. Comcast and Charter agree not to compete on wireless. Russian hackers pwned by the French presidential campaign.

–Christina Warren needs friends in Seattle.
–Father Robert Ballecer just got back from Malta.
–Roberto Baldwin got hung up on by AT&T customer service.
–Alex Wilhelm’s name will not set off your Amazon Voice Assistant.

Surprise: Adobe’s Flash is a favorite hacking target by far

via PCWorld.

Adobe Systems’ Flash plugin gets no love from anyone in the security field these days. A new study released Monday shows just how much it is favored by cybercriminals to sneak their malware onto computers. It looked at more than 100 exploit kits, which are frameworks planted in Web pages that automatically probe for software vulnerabilities when a user browses to a page. Those who develop exploit kits are often hired by others to help distribute specific kinds of malware.

Of the top 10 vulnerabilities found in the exploit kits, eight of them were targeted at Adobe’s Flash plugin, used on millions of computers to play multimedia content, according to Recorded Future, a cybersecurity intelligence firm based in Somerville, Massachusetts.

To arrive at its conclusions, Recorded Future looked at software vulnerabilities known to be used in popular exploit kits such as Angler, Neutrino and Nuclear Pack as well as in cybercrime forums between January and September.

Echoing the conclusion of many other security experts, Recorded Future said the findings call “into question Flash’s place in a secure operating environment.”

“While the role of Adobe Flash vulnerabilities as a regular in-road for criminals and malware should come as no surprise to information security professionals, the scale is significant,” the report said.

Adobe has been working for years to make Flash more secure through code reviews, but it has proven to be a mighty task for an application that’s nearly two decades old.

Monthly patches are almost always released by Adobe, and emergency patches come out for zero-day flaws that cybercriminals are actively using.

Apple founder Steve Jobs famously forbade the iPhone from running Flash. This year, other companies have taken steps to reduce the risk of zero-day Flash flaws.

Facebook’s CSO, Alex Stamos, wrote on Twitter in July that it’s “time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.”

In September, Google stopped automatically playing some extraneous Flash content on Web pages. The move was aimed at improving performance in the Chrome browser, but it also has security benefits.

Perhaps the most humorous campaign against the application is the “Occupy Flash” movement. The group advocates moving everything to HTML5, the latest specification of the Web’s vernacular that has a host of multimedia capabilities.

Occupy Flash’s manifesto reads in part: “Its time has passed. It’s buggy. It crashes a lot. It’s a fossil, left over from the era of closed standards and unilateral corporate control of web technology.”

Researcher shows how it could take hackers just 10 seconds to wirelessly upload malware to a FitBit


In recent times, hackers have been discovering ways to exploit wireless systems in a number of devices, from vehicle infotainment centers to self-aiming sniper rifles. It now seems another gadget may be added to this list, as Fortinet researcher Axelle Apvrille has revealed that fitness-tracking wristband FitBit, which has sold more than 20 million devices worldwide, can theoretically be hacked in just ten seconds and used to spread malware to any computer it syncs with.

According to The Register, an attack on a FitBit via Bluetooth would only require an attacker to be a few feet from a target for around ten seconds after the devices connect. Any computer that later connects with the wearable can be infected with a backdoor, trojan, or some other form of malware used by the hacker.

An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance, then the rest of the attack occurs by itself, without any special need for the attacker being near. [When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile […] the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code. From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).

Apvrille will be presenting a proof-of-concept demonstration video at the Hack.Lu conference taking place in Luxembourg today. “The video demonstrates that the infection persists over multiple messages,” she says. “Even when I fully reset the connection with the tracker, most of the infected bytes persist, so that means we have enough space to convey a short malicious code.”

FitBit has apparently been aware of the problem since March, when Apvrille contacted the company about it. FitBit says it believes the vulnerability, which is the first instance of a fitness wearable shown to be potentially hackable, is a low-severity issue and unrelated to malicious software. The researcher has pointed out that the attack is a proof of concept and not something that’s in the wild.

This isn’t the first instance of FitBit making headlines due to security failings. In 2011, blogger Andy Baio tweeted that Fitbit fitness band users’ sexual activity was showing up in Google search results by accident, revealing whether they had engaged in “vigorous” or “passive and light” efforts.

Jeep hacking raises fears over vehicle vulnerabilities

Hackers have been demonstrating for years that vehicles are just as susceptible to hacking as any other electronic gadget, yet it wasn’t until the recent hack of a Jeep Cherokee’s infotainment system and Chrysler’s subsequent recall that people started to take notice.

According to Kelley Blue Book’s recent Vehicle Hacking Vulnerability Survey, 72 percent of respondents said they were aware of the Jeep hack in question while 41 percent said the incident will be of consideration when buying or leasing their next vehicle.

But just how big of a problem could vehicle hacking pose?

The survey found that a third of those questioned see vehicle hacking as a serious problem, while 78 percent believe it will be a frequent problem over the next three years. Much like PC hacking, most believe vehicle vulnerabilities will become a permanent fixture moving forward, with an overwhelming majority – 81 percent – naming vehicle manufacturers as most responsible for securing a vehicle from hacking.

Given the recent Chrysler recall, it’s little surprise that those surveyed felt the automaker’s vehicles were most susceptible to hacking (70 percent). General Motors was ranked as the second most susceptible in the eyes of survey-takers at 47 percent followed by Ford with 30 percent.

Karl Brauer, senior analyst for Kelley Blue Book, said cyber-security is still a relatively new area of specialization for automakers but it’s one they need to take seriously to ensure they are ahead of the curve.

via Jeep hacking raises fears over vehicle vulnerabilities – TechSpot.