2019 Week 1 and 2 Security Summary
It turns out that, if you are willing to pay, most cell carriers besides Verizon are willing to sell your location data, including in real time. The idea is that they sell it to aggregators, but they include the code for the phone, meaning it is trivial to recombine the data and figure out who is who and where they go.
- Latest issue of Motherboard magazine had a write up: https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile
- Evidently it shook up several people, groups, and now companies: http://www.philly.com/news/nation-world/att-says-itll-stop-selling-location-data-amid-calls-federal-investigation-20190111.html
- And the calls to investigate: https://www.cnet.com/news/senators-call-for-investigation-on-phone-companies-selling-location-data/
- https://www.infosecurity-magazine.com/news/phone-carriers-selling-customer/
- https://www.wired.com/story/carriers-sell-location-data-third-parties-privacy/
Microsoft's monthly patch had several issues:
- https://www.zdnet.com/article/microsofts-killer-windows-7-patch-breaks-networking-bricks-legit-not-genuine-pcs/
- https://www.scmagazine.com/home/network-security/microsoft-updates-brick-windows-7-devices/
- https://threatpost.com/unprecedented-dns-hijacking-attacks-linked-to-iran/140737/
- https://www.infosecurity-magazine.com/news/global-dns-hijacking-blamed-on/
- https://cyware.com/news/dns-hijacking-campaign-traced-back-to-iran-c988e669
Several of us have noticed that the government did some pretty strange things with their web servers. Not sure if the idea was to make things so inconvenient that pressure was put on politicians. For me it was frustrating, as I wanted to link a vendor's suggestions to the NIST document they were based on and was unable to because the documents were taken offline. Another thing that happened, of greater concern to the wider world, was that security certificates were allowed to expire or were disabled. This has allowed hackers to engage in man-in-the-middle attacks on government web sites. It looks like it was mostly payment stuff, but it might be wise to be aware of any data sent to federal agencies right now.
- https://www.infosecurity-magazine.com/news/us-shutdown-plays-into-hackers/
- https://www.scmagazine.com/home/security-news/wall-inspired-shutdown-threatens-federal-cybersecurity-workforce-effectiveness/
- https://cyware.com/news/us-government-websites-stop-working-after-tls-certificates-expire-c4c1b7bc
There were several articles about how two-factor authentication could be bypassed in a phishing attack.
Yubikey evidently released the idea of a token for the iPhone at CES. Most articles were the same PR stuff, but here is the Wired version.
Saw several articles about new flaws in the core code of Linux that will affect almost all distros.
- https://cyware.com/news/linux-systemd-affected-by-three-critical-vulnerabilities-that-can-be-exploited-to-leak-data-8c59037e
- https://www.bleepingcomputer.com/news/security/linux-systemd-affected-by-memory-corruption-vulnerabilities-no-patches-yet/
Only saw this mentioned in one place, but evidently a flaw in Office allows ActiveX to get local machine information, including local passwords.
I have talked with several people involved with this and it appears it made at least regional news. Tulsa has started working towards creating their own version of Silicon Valley and they are making Cyber Security one of the cornerstones. Hopefully it will take off better than the Stillwater/OSU/Meridian efforts.
- https://finance.yahoo.com/news/commissioner-doak-applauds-university-tulsa-001600622.html
- https://www.prnewswire.com/news-releases/commissioner-doak-applauds-university-of-tulsa-effort-to-create-tulsa-cyber-district-300776659.html
PyLocky unlock code shared by Cisco. (Hopefully we don't have to use it…)