
Security On The Bayou

Wednesday, May 1st, 2019

Phone and laptop searches at US border ‘quadruple’

Plan to secure internet of things with new law

A ‘Cyber Event’ Disrupted the Power Grid in California and Wyoming, But Don’t Panic Just Yet

Hackers went undetected in Citrix’s internal network for six months

Transcript:

 [00:00:00] Hello folks it is Wednesday May 1st twenty And here’s today’s security news.

First from BBC News. Phone and laptop searches at U.S. border quadruple. That’s a lot. Quadrupling, that’s four times, that’s a lot. In 2018 there were three thirty-three thousand two hundred ninety-five searches at the border. So this is all coming out because the EFF and the ACLU have filed a lawsuit alleging that these are warrantless and unconstitutional searches. So this is what I would call a pretty big deal in the privacy world. One of the things that we know is that when you go through the border there’s a lot of things that can happen to you physically enter your stuff right. I don’t think anybody likes having their cell phone touched or their laptop. It sucks right. It’s no fun you don’t know. I don’t have anything to hide. But the last thing I want is somebody else going through my stuff. So obviously there is a spot for this and quote-unquote protecting the country and it’s needed at certain points. But how far is too far is really what I think the crux of the issue is here. So an interesting article here from the BBC. I’ll try and keep up with it, it seems like it’s in its infancy. But I’ll see if I can’t keep track of it and give you guys some updates on it. Next.

Also from the BBC, in the UK they have proposed a piece of legislation to regulate IoT manufacturers. The title of that article is “Plan to secure internet of things with new law”. So I don’t know the full process of, you know, law in the UK or something becoming a law. But I do like the basis of this. It’s a start. It’s not perfect but it will get where we need to go. It’s three things they want to implement. First, every IoT device comes with a unique password by default. So no more default passwords of default or password or password with a capital P. Right. That’s one of the big issues we see in the hacking of all these routers, is every Linksys device out there has the same default password, a password, right. Well, not necessarily IoT. You get the point, right. No more default passwords. Second, state clearly for how long security updates would be made available. This is great. This means you’re not going to buy a product and then it’s going to go out of warranty or no more support after a year. Right. What does that timeline look like? In the enterprise world this helps big time with scheduling tech refreshes. Right. We don’t want to buy a product that’s going to not be supported in two years if we can get the same thing for the same price for five years, so on and so forth. Third one, offering a public point of contact to whom any cybersecurity vulnerabilities may be disclosed. This is also big because a lot of these smaller companies don’t have that out there available. So now if a researcher finds a vulnerability it just doesn’t go and float in the wind on Reddit or Twitter, right. They can go to report these things in proper fashion so that they can be fixed. These all seem like no-brainers but apparently they’re not, because they’re going to have to enact a law in the UK to fix some of these things. Hopefully this moves across the pond. We’ll see. Time will tell.

Next. From Motherboard, “A ‘cyber event’ disrupted the power grid in California and Wyoming, but don’t panic just yet.” So the Department of Energy has a program called the OE-417, its Electric Emergency and Disturbance Report. So these electric providers are required to report anytime that they have an emergency or a disturbance. So this was listed in one of those. And there’s really no detail at all, it just says a cyber event in California: Kern County, Los Angeles County; Utah: Salt Lake County; Wyoming: Converse County. So something happened in those three counties. We’re not really sure. Cyber event that causes interruption of electrical system operations. So the key here is that there wasn’t an interruption. But what. While this is all good, well, they reported. What I find the most interesting thing about this article is my new discovery that OE-417 is a thing and everybody has access to it. So in this article go click on the link and you’ll see there is a link to the Department of Energy’s OE-417 forms and submarines page, which anytime one of these are filed you can go and look at. So it’s just an interesting item to add to your toolbox of knowledge, right. If you have a question or you think something may have happened. Well, here you go. Here you go look. Now there is some stuff around what they, it’s some gray area about what they will and will report. Obviously, if it’s, you know, the critical infrastructure and it’s super important to the plant and, you know, it’s a vulnerability, it’s probably not going to be on here. But in any case it’s some visibility into what goes on. So this is a good thing.

Last but not least from TechCrunch and Zach Whitaker, hackers went undetected in Citrix’s internal network for six months. All right. Nobody freak out. It was Citrix’s internal network, nothing to do with their products. So as bad as this may sound it’s just another breach. The employees’ information was stolen. At this point, this is run of the mill, every day. This caught my eye because it’s Citrix. This is not just some random little company. This is Citrix. I would be hard pressed to find an enterprise in this country that does not have some form of a Citrix product. So even the people we think are the most secure and that we can trust the most in the products we use all the time, even they are vulnerable to bad things happening. It’s just part of the world we live in this day. All right folks. That’s it for today Wednesday, April 1st. Everybody have a wonderful day.

Tuesday, April 30th, 2019

People Are Clamoring to Buy Old Insulin Pumps

Malware Infests Popular Pirate Streaming Hardware

Chinese dev jailed and fined for posting DJI’s private keys on Github

Transcript:

[00:00:01] Good morning friends It is Tuesday, April 30th and here is today’s security news. [00:00:05][4.5]


[00:00:06] First off from the Atlantic dot com, not your traditional security article that we’ll discuss here, but the title is “People are clamoring to buy old insulin pumps.” Written by Sarah Zhang on the Atlantic. So this is an interesting article, and there’s a lot of, you know, sort of medical terminology, and, you know, a lot about insulin and type 1 diabetes. But it’s interesting because it has to do with hacking of a Medtronic insulin pump. So essentially what they’ve done is they’ve used this pump to create a process that they call looping so that this software that runs on an artificial pancreas can then talk to this insulin pump and regulate the amount of insulin that is put into the person’s body. This is interesting because they stopped making these Medtronic pumps I think in 2014. So you have all these people running around on eBay and Craigslist and Facebook trying to grab these things so that they can build these systems and use them instead of having to count everything all day and do all kinds of different insulin shots, and it makes their life a little bit easier. This is used across the industry quite a bit, so much so that the CEO of JDRF, the Juvenile Diabetes Research Foundation, actually does this himself. So a very interesting article. Not your usual security but hey, it’s hacking. So we’re going to talk about it. [00:01:41][94.3]


[00:01:42] All right. Next from Threatpost dot com, Malware infests popular pirate streaming hardware. This should come as no surprise to anybody. So some researchers have gone and grabbed a Kodi streaming box and essentially determined that every one of the add-ons that is on there was, to take it back, not every one. A large majority of the pieces of software and add-ons that are in this Kodi box contain malware. Some of the things that it’s doing, it is taking all of the wireless information, your SSID, password and such, from that box and sending it to a server in another country. Somebody had one point five terabytes of data was uploaded from a device that shared the same network of the Kodi box. So they were able to move laterally on the network and extract one point five terabytes of data. I know what you guys but that would flag my ISP pretty quick as going over my limit. So that’s just a lot of interesting things here. I mean this should not be a surprise at all. I mean why would, if you were developing free quote unquote apps that allowed you to stream illegally, wouldn’t you try and take advantage of that to all these people trying to do that. So apparently there’s quite a bit of talk about it on the dark web. I mean the developers of these things literally discuss this with each other on how to do this effectively. So an interesting thing. Stay away from it. I mean at the end of the day, I mean at least make sure you’re protected somehow if you’re going to use this stuff. [00:03:22][100.5]


[00:03:23] All right. Next one. This one, when I first started reading it, I got a bit of a chuckle, then it got pretty serious pretty quick. So this one from The Register dot co dot UK, Chinese dev jailed and fined for posting DGA, excuse me, DJI’s private keys on GitHub. So DJI makes drones, for those that don’t know. So he ended up posting two extremely important keys on GitHub. One of them was the ASG for the firmware. So that’s why I first got a little bit of a chuckle. You know, people were allowed to go, you know, they can now modify the firmware to their needs. But the second one, this was a big deal. He dropped a wildcard SSL key for star dot DJI dot com and oh I can’t say that. And that’s a big deal. I mean in the world of keys, that’s a big one, especially in SSL keys. So you know, any subdomain of DJI dot com. Now hopefully they’ve gone and revoked that key. And you know they’ve gone through that process but who knows at this point, that’s pretty dangerous. So he ended up getting fined just under 23000 pounds two hundred thousand. You on what I end up being so he, of course, is very sorry. “I was born in a very poor village I studied hard all the time I finally gotten to university was very happy thing to me and my parents. But now all the things are done I am done. I will go to jail. I have to take this stain in my life. My girlfriend began to break up with me. Wow. Woo. My family are broken. F bomb. What are terrible things. Maybe the only thing I can do now is to die. It is so hard I need to be free.” I feel for this guy. That’s a pretty big deal. Sound. People who say those kinds of things about how we want to die and girlfriend breaking up don’t sound like it was intentional to me so. [00:05:26][122.9]
Chris Adkins: [00:05:29] All right. Normally we do for, but we’re already over our time for the day. So thank you for joining us. It is what day is it’s Tuesday Tuesday, April 30th 2019. Everybody have a wonderful day. [00:05:29][0.0]

Monday, April 29th, 2019

A Crash Course In Card Shops

Lime Scooter Hacked in Australia

Google boots major Android app developer from store for conducting massive ad fraud

Credential stuffing: Bigger and badder than ever

Transcript:

 [00:00:01] Good morning friends It is Monday, April 29th and this is security on the bayou.

 [00:00:05] Let’s get things kicked off today with an article from SC Magazine U.S. by Doug Olynyk, credential stuffing: bigger and badder than ever. Obviously credential stuffing has been around for a long time but Recorded Future issued a report this week talking about the resurgence of it for a few reasons. One of them is automation, which makes perfect sense, we’re automating everything these days, and not just the automation here but they have developed not they procure Recorded Future has not but the bad guys have vellum some tools that can do multiple sites at once. So not only are you just hitting one, you’re hitting a bunch and you’re doing it very fast and you’re automating it. So you’ve seen a resurgence in it so much so that a single account that used to sell for ten dollars is now down to a mere one or two dollars. It’s very interesting that this has come back and this has been seen in the wild if you will, so go check out this article. Recorded Future also called out a few different tools that have been used, some interesting names of these tools, obviously you can tell where they came from by the names, but also some prices. There is one on here, private keeper, that sells for forty-nine rubles, Russian rubles, which is approximately 64 cents. So not exactly a high barrier to entry on this.

 [00:01:26] OK next from ZDNet we have an article entitled Google boots major Android app developer from the store for conducting massive ad fraud. This one is by Charlie Osborn. So they kicked out over 40 apps by a Chinese developer over the weekend. And here let me get, I want to make sure I get this right. The name of the company or the developer is Deo global, which is in part owned by Baidu, so a very big connection there for this developer. So they ripped a bunch of their applications off the Google Play store for using adware and, you know, essentially click fraud within the adware within the application, so it was quite a few. It ended up being at the end of the day over 100 applications that they removed, with 600 million installs. That’s quite a few. I’m sure they made a few bucks on that deal. Global released a statement, of course, they’re quote-unquote sorry and you know they’re going to look into their practices. But we know how that goes.

 [00:02:27] So next, a crash course in card shops by Josh. I apologize Jeff. Josh I to get this wrong Lefkowitz. This is an interesting article. This isn’t necessarily going to make you an expert on carding and how the underground card shops work but it’s a great primer. You’re all human so you understand good customer service, that part won’t come as a surprise here, they do refunds, you know there are all kinds of different things, but I think what I really enjoyed about this article is some of the terminology and abbreviations and tallies that are used, for instance BIN, bank identification number, and then also like the difference between a dump versus a card. So and then obviously CNP, which I previously knew. Card not present fraud, which is very common. And so it’s in some good detail here. I recommend you read this as it’ll sort of prime you on, you know, some things that are going on, especially in the financial services or, you know, you work for one of these companies. Take a look at this, it should be hopefully something you already know but add it to your toolbox of tools.

 [00:03:38] And then the last one for the day, on a bit of a lighter note, this one actually came up last week, chose to skip over it, but I think it came back up on my feed so I had to bring it back up. This one’s by Matt Novak on Gizmodo dot com. Lime scooters hacked to say sexual things to riders in Australia. Obviously Lime is not very happy about this but frankly, I find it pretty funny. Like here’s one of the sayings. “Don’t take me around because I don’t like to be ridden” which is you know a little silly. Let’s see here. When customers ended a ride with the hacked scooters the voice box said “no where you go” according to yet another video posted before Lime learned about the hack, and then this is what they said. It’s not smart, it’s not funny and it’s akin to changing a ringtone. I also find changing people’s ringtones very funny so nice try, and then they tried to play to the maturity of people which we all know will not work. So very interesting article once again on Gizmodo dot com, your laugh of the day in the hacking world. Thank you for joining us.

 [00:04:45] This is his man security on the bayou April twenty ninth. Monday.