Two weeks ago, the Black Hat and DEF CON conferences unveiled tons of new security research, which means last week was packed with interesting security stories. If you find yourself falling behind on security news, and need a “one stop shop” to keep you up to date, this weekly video does just that.
Last week’s stories included many car hacks, a OS X firmware worm, a big UK breach, tons of patches, and more. If you don’t watch my Daily Bytes, you can catch up all at once with the weekly video below. More importantly, I couldn’t cover many other interesting stories from last week, so if you are interested in those, check out the Reference section below.
(Episode Runtime: 15:10)
Direct YouTube Link: https://www.youtube.com/watch?v=AAIiPp3os1k
EPISODE REFERENCES:
- Monday: Carphone Warehouse Gets Robbed – Daily Security Byte EP.122
- Attackers steal 2.4M records from Carphone Warehouse – BBC
- Carphone Warehouse releases breach FAQ for customers – CarPhone Warehouse
- Talk Talk stored unprotected passwords – Computing
- Tuesday: Thunder Strikes Mac Firmware Again – Daily Security Byte EP.123
- A new Black Hat 0day can brick your Mac – TechCrunch
- Thunderstrike 2 infects Mac firmware – Ars Technica
- Researcher’s post on Thunderstrike 2 – TRMM.net
- ThunderStrike 2 detailed presentation – TRMM.net
- Wednesday: Piles of August Patches – Daily Security Byte EP.124
- Thursday: Car Hacking Revolution – Daily Security Byte EP.125
- The full detailed white paper on the Uconnect hack – Illmatics
- After 2yrs, researchers can finally release a vulnerability Volkswagen sued to suppress – Ars Technica
- Text message hacks a Corvette via an “insurance dongle” – Wired
- Tesla Model S hackable [Link removed due to reports of malicious ads] – Mashable
- Tesla already fixed this – Bloomberg
- The OwnStar attack allows hackers to unlock many cars – Engadget
- Friday: Cisco iOS ROMMON hacks – Daily Security Byte EP.126
EXTRAS:
- My episode 8 analysis of Mr. Robot’s Hacking accuracy – GeekWire
- Hacktivists deface Trump site to say Goodbye to Jon Stewart
- Watch out for Windows 10 related social engineering scams – Tech Radar
- Windows 10 spies on you unless you Opt-Out
- Attackers exploiting the Mac DYLD vulnerability in the wild – Fox News
- Def Con is cancelled again(regular joke) – Motherboard
- ICANN was breached again – Motherboard
- A “Fed” does a Def Con talk right – Motherboard
- Rolljam plays back codes to hack keyless entry systems – BGR
- ApplePay is more security than US Chip & Pin? – PCMag
- WiFi Sense makes no sense! – CNet
- Hackers pull of real Oceans 11 heist at Def Con – Gizmodo
- The gas pump honeypots – Motherboard
- Pentagon email hacked (again) allegedly by Russia – The Register
- Zeus author associated with Russian nation state actors – Forbes
- Faceplant: An Electronic skateboard hack – Time
- How a popular author dealt with his hijacked account – Ars Technica
- Quick news video on DEF CON – NBC News
- Patch for serious Android flaw now sufficient – Ars Technica
- More news of foreign nation-states hacking UK gov email – The Guardian
- The Hacking Team was using the old iOS Masque attack – Silicon Republic
- Attacker’s hacked early press releases to get a leg up on trades – BGR
- ATM skimmers get smaller and stealthier – Tech Crunch
- Black Hat founder thinks vendor liability for flaws is inevitable – Threat Post
- Oracle’s CSO tell white hat’s that vulnerability research breaks EULA – Mashable
- Archived copy of the offending post – Archive.org
- Researchers turn Square into CC skimmer – Mashable
- Blackhat researcher pokes at GPS satellites – Time
- CISA/CISPA keeps coming back, and getting tweaked – The Guardian
- Researchers awarded for finding a new class of vulnerability in browsers – Phys.org
- A pen-testing drone previewed at DEF CON – PDDNet
- Using sound for two-factor auth – Wired
- Hacker steals $46M from Ubiquiti – Krebs on Security
- ProxyHAM: DEF CON hackers extend WiFi via radio proxies – TechHive
- Researchers turn a computer into a cellular antenna to leak info – Computer World
- Kaspersky accused of faking malware to weaken competitors – Reuters
- Lenovo is still using tricks to install bloatware – Ars Technica
- Stock hacker ring busted for insider trading – Reuters
- Highlights article for DEF CON 23 – Wired
- Malicious Ads on Weather.com – Ars Technica
- The Android Stagefright patch doesn’t work – Ars Technica
- Android vulnerabilities could leak fingerprints – Ars Technica
— Corey Nachreiner, CISSP (@SecAdept)
The Tesla article on Mashable hosts some malware in the form of a bad flash advertisement. My IE just reported a zillion:
SecurityError: Error #2060: Security sandbox violation: ExternalInterface caller http://static.adsafeprotected.com/detector3.pix cannot access .
at flash.external::ExternalInterface$/_initJS()
at flash.external::ExternalInterface$/addCallback()
at detector3_fla::MainTimeline/registerExternalCallbacks()
Yeah, Flash!
Jacob,
Thanks so the head up. It must be “dynamic ad” related as I scanned a few times with a few URL scanners (including our own) and I didn’t get any hits. However, since ads are dynamic to the visitor, perhaps I didn’t receive the Flash ad in question. In either case, I’ll kill the link for safety. Thanks for pointing it out!
Corey