Mega Patch Day, Password Hijack, and WireLurker

What new security updates do I need? Are attackers exploiting new zero day attacks that affect me? Should I be concerned with any new attack campaigns? What can I learn from the latest network breaches? If you’ve asked yourself these questions, but don’t have time to find the answers, this is the weekly video for you. In it, I summarize the biggest security news from the week and explore what we might learn from it.

Today’s episode talks about the upcoming humongous Microsoft Patch day, explores a password hijack that succeeded despite good security practices, and covers two major threats that affect Apple’s OS X and iOS devices. Watch the video for details, and check out the links below for other interesting stories.

Have a safe and fun weekend!

(Episode Runtime: 11:20)

Direct YouTube Link: https://www.youtube.com/watch?v=PXJ1t23K5hY

Episode References:

• Expect a crazy big Microsoft Patch Tuesday next week – Microsoft
• Very interesting password hack, despite good password practices – @gb on Ello
• Rootpipe: Local elevation of privilege flaw in OS X Yosemite – Macworld
  • Video of Rootpipe in action – YouTube
• WireLurker – New malware infects iOS devices via OS X – Seattle Times
  • Full research whitepaper on WireLurker [PDF] – Palo Alto
  • Apple updates mitigate WireLurker – ZDNet
  • UPDATE: WireLurker now affects Windows machines – CNR Onlinb

Extras:

• Flaw found in “chip-n-pin” credit cards that allows million dollar fraudulent transactions – Wired
• Alleged Silk Road 2.0 administrator arrested; site downed – Krebs on Security
  • Actually, multiple “Darkweb” market sites seized – DeepDotWeb
• Five most Common FaceBook scam bait topics – Security Affairs
• How can Verizon customers defeat their ISP’s super tracking cookie? VPN. – The Register
• Detailed writeup on a buffer overflow found in a consumer Belkin router – Integrity Labs
• Smuggler: Using 802.11 wireless traffic as a covert communication backchannel – Spider Labs
• New phishing attack in Japan is even more advanced and stealthy – Softpedia
• Chinese attacker allegedly attacking fracking firms for IP – Slashdot
• More than half of home routers use the manufacturer’s default password – BetaNews
• I’ve said it before, but MD5 is very dead (crypto weakness) – Ars Technica
• Hilton Honor rewards points stolen via four pin brute force attack – The Register
• Banks collaborate to launch cyber attack intelligence sharing (Soltra Edge) – Reuters
• More watering hole attacks; popular music site redirects to exploit kit – Symantec
• Web site links to all the insecure, default password IP webcams – Network World
• Google paper on manual account hacking/hijacking [PDF] – Google
• 158 malware variants born a minute (likely not new but recrypted variants) – The Register
• Information Commissioner’s Office (ICO) suffered a SQL injection (SQLi) breach – v3.co.uk
• A DHS “background check” contracter suffered a breach (chain-of-trust attack) – The Register
• Backoff PoS malware continues to evolve – SC Magazine
• Australian spear phishing campaign baits with fake speed trap fines – Naked Security
• Also, E-Z Pass spear phishing campaigns target US drivers – Network World
• Researchers say Apple’s iWorm fix is insufficient – Network World
• Home Depot breach due to a chain-of-trust attack – Network World
• China building “secure” private networks – Telegraph
• US government wants more “hacking” powers – TechDirt
• Speaking of social engineering, this is a good example – YouTube

— Corey Nachreiner, CISSP (@SecAdept)

You Can Learn More About the WatchGuards’ Product Line By Going to www.FirewallShop.com/WatchGuard.

The original article/video can be found at WireLurker – WSWiR Episode 128