MS Patch Day, 4chan Hacked, and Password Security
If you’re too busy helping your users and maintaining your network to read the latest information security news, you might miss out on a new tip that could save your network. No worries. Let my short, weekly Infosec video summarize the week’s biggest news for you.
Today, I warn you about all the upcoming patches next Tuesday, talk about a popular web site hack and what administrators can learn from it, and share my three primary password tips for World Password Day. Click play below for all the details, and take a peek at the Reference section for links to other stories.
Enjoy your weekend, and stay safe out there.
(Episode Runtime: 7:32)
Direct YouTube Link: https://www.youtube.com/watch?v=fKU3Qoaj_Dw
Episode References:
- Adobe and Microsoft Patch Day is coming – WGSC
- 4chan admin console hacked; Moot shares details – Moot’s blog
- World Password Day 2014 – Passwordday.com
- Bud Logs In; A WatchGuard password security video – WatchGuard
Extras:
- Alleged “nuclear black hat” hacker is a Navy sysadmin for aircraft carrier – The Register
- Latest Microsoft SIR report says infected computers rose threefold – PCWorld
- Half of stolen cars in the UK due to electronic fob hacking – Huffington Post
- French Orange site breached again – NASDAQ
- Ransomware making a move to Android devices – ZDNet
- Dropbox fixes a small shared link search engine vulnerability – Collaborista Blog
- Latest iOS lockscreen bypass flaw – NBC News
- Hackback video; hacking a botnet (potentially illegal) – Spgedwards.com
- SNMP the next protocol exploited for DDoS? – SANS
- Bitly breach; change your password – Mashable
- Twitter adds SMS to bolster password reset process – ZDNet
- What’s your stance on Net Neutrality? Watch to learn – Youtube
— Corey Nachreiner, CISSP (@SecAdept)
Alexander Kushnarev says
There is a lot of interesting and curious news in this post!
1. The technical substance of MS14-025 was really striking for me, since I’ve considered the AD Group Policy mechanism HIGHLY reliable and trusted… I had not even thought that passwords could be stored/cached insecurely inside Group Policy Objects. And if Microsoft’s technicians “grayed out” the fields for the CPassword attribute inside the standard GUI (!) configuration windows for the 5 described functions, then it’s more than just “important” (the rating they provide for this issue)…
https://support.microsoft.com/kb/2962486
2. Next is the short but fabulous (!) Chris Hate’s article. As always for me, the technical details are the most exciting. The attacker, to reach the goal, combines:
– source code analysis,
– PHP authentication issue exploitation,
– forged cookie (similar to XSS) method,
– SQL injection due to a vulnerability in ONLY ONE parameter
This guy was more than serious, and very skilful.
Anyway – separate professional respect should be sent to Chris Hate for publishing this story.
3. And the last note is about the Rotbrow plug-in. A tricky and well-thought-out approach to distributing malware. I would like to say that such “postponed downloaders”, without any doubt, can be classified as an element of an APT campaign.
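As an added defender-side example, not part of the original post or its comments: MS14-025 only stops the GUI from writing new cPassword values, so existing Group Policy Preference XML files under SYSVOL still have to be found and cleaned by hand; this Python sweep locates them and reports the affected account without logging the stored value. The SYSVOL layout, GPO GUID and sample files are constructed placeholders.

```python
"""Sweep Group Policy Preference XML under SYSVOL for stored cpassword
attributes (the issue behind MS14-025 / KB2962486). Added example; the
sample SYSVOL tree below is constructed, not real data."""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files whose <Properties> element may carry a cpassword attribute
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# the attribute naming the affected account differs per preference type
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(sysvol_root):
    """Return (file name, path relative to sysvol_root, account, masked value)
    for every element under sysvol_root with a non-empty cpassword attribute."""
    hits = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # unreadable XML: skip it rather than abort the sweep
            for elem in tree.iter():
                cpw = elem.get("cpassword")
                if not cpw:
                    continue
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
                # report only a prefix: the stored value is a credential, never log it whole
                hits.append((name, os.path.relpath(path, sysvol_root), account, cpw[:4] + "..."))
    return hits


def build_sample_sysvol():
    """Construct a throwaway SYSVOL-like tree: one GPO whose Groups.xml carries a
    placeholder cpassword and whose Drives.xml is clean."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    gpo = os.path.join(root, "Policies", "{PLACEHOLDER-GPO-GUID}", "Machine", "Preferences")
    os.makedirs(os.path.join(gpo, "Groups"))
    os.makedirs(os.path.join(gpo, "Drives"))
    with open(os.path.join(gpo, "Groups", "Groups.xml"), "w") as f:
        f.write('<Groups><User name="LocalAdmin"><Properties action="U" '
                'userName="LocalAdmin" cpassword="PLACEHOLDERcpassword=="/></User></Groups>')
    with open(os.path.join(gpo, "Drives", "Drives.xml"), "w") as f:
        f.write('<Drives><Drive name="H:"><Properties action="U" path="\\\\srv\\home" '
                'userName=""/></Drive></Drives>')
    return root


def demo():
    return find_cpasswords(build_sample_sysvol())


if __name__ == "__main__":
    for hit in demo():
        print("cpassword in %s (%s) for account %s: %s" % hit)
```

Every hit should be removed from the GPO and the named account's password rotated, since the stored value is recoverable by any domain user who can read SYSVOL.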
Corey Nachreiner says
Awesome additional materials as always, Alex. I bet you and I would have a lot to chat about over a few beers (or vodka!)