Cisco Patch, Twitch Breach, and BitWhisper – WSWiR Episode 145

If you want to be the best woodchopper, you sometimes need to sharpen your tools. In information security, this means keeping track of the latest threats, vulnerabilities, attack methods, and news. Yet most IT folks barely have the time to go home and sleep. If you struggle to follow security news yourself, my weekly video summarizes the big stuff for you.

In this week’s episode, I cover a new unlikely attack technique, warn you about dangerous documents, and notify you of the latest router patches. See all this and more in the video below, or just follow the links in the Reference section if you prefer.

(Episode Runtime: 11:18)

Direct YouTube Link: https://www.youtube.com/watch?v=ydnP5dZCeGA

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

Cisco Routers Need Patching – Daily Security Byte EP.54

This week, Cisco released an advisory telling IOS device users to patch. The latest IOS update fixes three vulnerabilities, which specifically affect administrators who use Cisco’s Autonomic Networking Infrastructure (ANI). Watch today’s video to learn more about these flaws, especially if you have ANI enabled.


(Episode Runtime: 1:21)

Direct YouTube Link: https://www.youtube.com/watch?v=PMOESrmT8qU

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Business is booming for bug bounty hunters

Editor’s Note: A few months ago, I shared an article and video from a new InfoSec-related site, Third Certainty. This security news and analysis site isn’t just a great professional resource, but one I think appeals to normal consumers as well. It’s led by Pulitzer Prize-winning journalist Byron Acohido, who excels at breaking down complex topics into stories that everyone can understand. Sign up for the free weekly newsletter, and recommend the site to your less technical friends.

In any case, Acohido recently published an article talking about bug bounty programs, which includes a video where I talk about the underbelly of the zero day vulnerability market. Check out Acohido’s article in full below, and visit his site for more great content.

Business is booming for bug bounty hunters

By Byron Acohido, ThirdCertainty

Corporate-sponsored bug bounty programs have become an indispensable means of tempering new forms of cyber attacks.

It is now routine for Google, Mozilla, Adobe, Facebook and Microsoft to pay five- and six-figure fees to hackers who make a living ferreting out fresh security holes in the software applications consumers and companies use every day.

Hackers are continually on the hunt for overlooked flaws in popular operating systems, such as Windows, Mac OS, and Android, as well as in ubiquitous software applications — all of the major Web browsers and any software that runs on browsers, such as Adobe Flash and Java.

The more widely the operating system or app is used, the more hackers probe it for flaws. These flaws are referred to as zero-day vulnerabilities, or zero days. There are endless zero days yet to be discovered. And each one discovered has to be patched.


There is an entire cottage industry of white hat hackers who do little else but search for zero days. When one is discovered, the tech company responsible for the OS or app gets notified of the new bug. And the white hat gets paid handsomely. The tech company then develops a patch and seeks to get it widely deployed.

Black hat hackers hunt for bugs, too, and also are compensated well. The difference is that they sell to the top cyber crime rings that then use the zero days for thievery and spying.

There also is a third major group paying out bug bounties: governments, including the United States.

Like organized crime rings, governments don’t want the zero days patched, because they have something very specific in mind for them, Corey Nachreiner, director of security strategy at WatchGuard Technologies, tells ThirdCertainty.

Governments are seeking to stockpile zero days, and hold them in reserve to use against rival nations. In modern cyber warfare, no superpower wants to be on the short side of a zero-day gap.

“Governments need an arsenal, so it’s in their advantage not to get the vulnerability fixed,” Nachreiner says.

In harm’s way

American companies are aware of this potential to be hacked by government-backed hackers armed with the best-available zero days, and many are seeking to strengthen their encryption systems. And they are resisting government efforts to ensure that U.S. intelligence agencies can still crack into their communications, according to a recent report in The New York Times. While the government’s request seems reasonable, it also leaves businesses more vulnerable.

The problem is, of course, there are a lot of busy, motivated bug hunters out there.

So it is very plausible that sooner or later someone else will discover a flaw that’s stockpiled in a government cyber war chest, Nachreiner says.

If a black hat hacker finds a security hole that, say, the U.S. government has had in its stockpile for a long time, that’s not a good thing.

A crime group could put the zero day to work for an extended period, doing wide damage, before anyone notices.

“Not fixing these vulnerabilities as quickly as we know about them, in the long term, harms everyone’s security because we’re all using the same software,” Nachreiner argues.


Win2003 EoL Danger – Daily Security Byte EP.53

First Windows XP and now Server 2003. A number of articles this week reminded the IT community that Microsoft will discontinue Windows Server 2003 in July. Learn how this affects your security, and what you should do about it in today’s Daily Byte.


(Episode Runtime: 2:09)

Direct YouTube Link: https://www.youtube.com/watch?v=YCqn9YPjESA

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Disregard Dangerous Documents – Daily Security Byte EP.52

According to Trend Micro (and others), Office document macro malware is making a comeback. Watch today’s video to learn why your users should be concerned with all document-based malware in general.


(Episode Runtime: 2:36)

Direct YouTube Link: https://www.youtube.com/watch?v=0bEB6QWj_XI

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

BitWhisper: Hacking with Heat – Daily Security Byte EP.51

An Israeli research lab has figured out how to use CPU heat as a new computer communication channel. BitWhisper is an interesting potential attack backchannel, but in today’s video I argue why the old TEMPEST techniques are more concerning. If you’re interested in that, or in the origins of the term “tinfoil hat,” check out today’s video.


(Episode Runtime: 3:32)

Direct YouTube Link: https://www.youtube.com/watch?v=SFhwzVnnzQ4

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Twitch Account Breach – Daily Security Byte EP.50

A popular video streaming site, Twitch, warned of a site-wide account reset. If you’re a Twitch user, learn how to protect your passwords in today’s InfoSec video.


(Episode Runtime: 1:43)

Direct YouTube Link: https://www.youtube.com/watch?v=PMLCpo8G0pE

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Premera, CISA, and OpenSSL – WSWiR Episode 144

This week’s security news covered topics from biometrics, to nation-state cyber teams, to big data breaches, to new vulnerabilities. How’s the average network Joe to keep up? Let my weekly video help by quickly summarizing the important stuff.

Today’s show covers a US healthcare data breach, a new OpenSSL update, and the US CISA law. You’ll find it all in this week’s video, and more in the Reference section below.

(Episode Runtime: 11:23)

Direct YouTube Link: https://www.youtube.com/watch?v=nigzxITwPvI

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

CISA Passes Committee – Daily Security Byte EP.49

A US Senate intelligence committee quietly passed the Cybersecurity Intelligence Sharing Act (CISA) last week with a landslide vote of 14 to 1. While the bill is supposed to support security intelligence sharing between the government and private organizations, many think it’s more about surveillance. Watch the video to learn my thoughts, and share yours before the bill becomes law.


(Episode Runtime: 1:51)

Direct YouTube Link: https://www.youtube.com/watch?v=aRvkDdM1vX8

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)
