In the news, Bitcoin mining ban considered by China’s economic planner, Yahoo strikes $117.5 million data breach settlement, Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords, WikiLeaks Founder Julian Assange arrested and charged in US with computer hacking conspiracy, and How HTML5 Ping Is Used in DDoS Attacks.
- Patch blues-day: Microsoft yanks code after some PCs are rendered super secure (and unbootable) following update – It’s all a bit unfortunate, since the patches include security fixes that administrators should really install sooner rather than later. And yes, both the security-only updates and monthly roll-ups are affected. Ugh. Also, your system crashes if you have Sophos (and other) endpoint protection software installed. I am curious how the update broke these systems, could this be an exploit?
- Bitcoin mining ban considered by China’s economic planner – A notice published online in Mandarin by the country’s economic planning agency added “virtual currency mining activities [including] the production process of Bitcoin” to a list of industries that could be shut down. The suggestion is that the power consumed by the industry contributes to pollution and wastes resources. Pollution and waste resources, riiiight.
- Yahoo strikes $117.5 million data breach settlement after earlier… – Yahoo has struck a revised $117.5 million settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history. So, 3 billion accounts were affected in this breach, meaning $0.04 per user? Or do I suck at math? Or is that not how it works?
- Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords – These attacks will be around for a while: There are two ways to perform such a downgrade hack. The first is to perform a man-in-the-middle attack that modifies the wireless beacons in a way that makes a WPA3-enabled router represent itself as being able to only use WPA2. While a WPA3 client device will eventually detect the spoofed beacons and abort the handshake, this security mechanism isn’t tripped until after the attacker has captured the four-way handshake. A variation of this downgrade attack—usable if the SSID name of the targeted WPA3 network is known—is to forgo the man-in-the-middle tampering and instead create a WPA2-only network with the same name. As long as clients are in transitional mode, they will connect to the WPA2-only access point. As soon as that happens, attackers have the four-way handshake.
- Regulating the IoT: Impact and new considerations for cybersecurity and new government regulations – Help Net Security – Not too helpful: Last year, California became the first state in the U.S. to pass a cybersecurity law covering IoT devices: SB-327, set to be put into law in 2020. The law requires that manufacturers of a device that connects directly or indirectly to the internet must be equipped with “reasonable” security features that are designed to prevent unauthorized access, modification or information disclosure. The bill aims to protect consumers as a first step, but could also potentially be applied to larger, enterprise solutions with future revisions.
- Docker, Nginx & Letsencrypt: Easy & Secure Reverse Proxy – If you are looking for an easy project to learn Docker, this article is helpful.
- WikiLeaks Founder Julian Assange arrested and charged in US with computer hacking conspiracy – But why? According to a note released by London’s Metropolitan Police Service, the arrest happened just after the Ecuadorian government today withdrew the political asylum.
- CIOs and CISOs hold off on crucial updates due to potential impact on business operations – Help Net Security – This is actually the most interesting stat in the article: the majority (80%) of CIOs and CISOs having found out that a critical update or patch they thought had been deployed had not actually updated all devices, leaving the business exposed as a result. And this problem is only going to get worse as it becomes easier to deploy new technology and applications, along with the cost going down.
- DMSniff POS Malware uses DGA to stay active – DMSniff malware uses DGA techniques to avoid detection, searches direct memory for card numbers and sends them to the C2. Includes 11 variants of DGA.
- Register for our upcoming webcasts with LogRhythm and Recorded Future by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand.
- We just released our 2019 Security Weekly 25 Index Survey. Please go to securityweekly.com and click the Survey link to help us understand who’s evaluating, using, or formerly used any of the Security Weekly 25 companies. The results will be summarized and presented back to all responders in a private webcast.