Security Roundup - 2016-02-26

Using a default password for your device sucks. TP-LINK chose not to do this, but ended up using a unique password that their device broadcasts. I actually have one of these, and did not make the connection when originally setting it up.

Default app on LG G3 phone doesn’t validate data, allowing arbitrary Javascript to run code, including system code. Demonstrates the importance of validating user supplied data.

Patchwork Security tries monitoring Heroku dynos for security upgrades. Initial findings are things are not upgraded quickly, but overall observation window is quite small.

Norse Corp seems to be imploding, and Krebs has a some details, including a History of Norse Corp. Some fun comments on this Hacker News thread.

NSA TAO Chief talks about Disrupting Nation State Hackers at Engima 2016. He goes into ways at which they will exploit networks, which he generalizes as ‘knowing a network better than the people who set it up’, ‘Poke and prod it, just like an adversary would do’

User figures out how is discovering and scanning IPv6 addresses. Looks like they have added nodes to the NTP pool, and are harvesting IP addresses for requesting servers to figure out what ones to scan. Looks like Check Point has classified Shodan as a threat and has made attempts to thwart scans.

Written on February 26, 2016