Patch and Notify | TechSNAP 197

Patch and Notify | TechSNAP 197

Been putting off that patch? This week we’ll cover how an out of date Joomla install led to a massive breach, Microsoft and Google spar over patch disclosures & picking the right security question…

Plus a great batch of your feedback, a rocking round up & much, much more!

Thanks to:




Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

Data thieves target parking lots

  • “Late last year, KrebsOnSecurity wrote that two huge swaths of credit card numbers put up for sale in the cybercrime underground had likely been stolen from Park ‘N Fly and from, competing airport parking services that lets customers reserve spots in advance of travel via Internet reservation systems. This week, both companies confirmed that they had indeed suffered a breach.”
  • “When contacted by Krebs on Dec. 15, Atlanta-based Park ‘N Fly said while it had recently engaged multiple security firms to investigate breach claims, it had not found any proof of an intrusion. In a statement released Tuesday, however, the company acknowledged that its site was hacked and leaking credit card data, but stopped short of saying how long the breach persisted or how many customers may have been affected”
  • “ reached via phone this morning, the site’s manager Amer Ghanem said the company recently determined that hackers had broken in to its systems via a vulnerability in Joomla for which patches were made available in Sept. 2014. Unfortunately for and its customers, the company put off applying that Joomla update because it broke portions of the site.”
  • “Unlike card data stolen from main street retailers — which can be encoded onto new plastic and used to buy stolen goods in physical retail stores — cards stolen from online transactions can only be used by thieves for fraudulent online purchases. However, most online carding shops that sell stolen card data in underground stores market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.”
  • “Interestingly, the disclosure timeline for both of these companies would have been consistent with a new data breach notification law that President Obama called for earlier this week. That proposal would require companies to notify consumers about a breach within 30 days of discovering their information has been hacked.”
  • Krebs also appears to be having fun with the LizzardSquad

Microsoft pushes emergency fixes, blames Google

  • Microsoft and Adobe both released critical patches this week
  • “Leading the batch of Microsoft patches for 2015 is a drama-laden update to fix a vulnerability in Windows 8.1 that Google researchers disclosed just two days ago. Google has a relatively new policy of publicly disclosing flaws 90 days after they are reported to the responsible software vendor — whether or not that vendor has fixed the bug yet. That 90-day period elapsed over the weekend, causing Google to spill the beans and potentially help attackers develop an exploit in advance of Patch Tuesday.”
  • Yahoo recently announced a similar new policy, to disclose all bugs after 90 days
  • This is the result of too many vendors take far too long to resolve bugs after they are notified
  • Researchers have found that need to straddle the line between responsible disclosure, and full disclosure, as it is irresponsible to not notify the public when it doesn’t appear as if the vendor is taking the vulnerability seriously.
  • Microsoft also patched a critical telnet vulnerability
  • “For its part, Microsoft issued a strongly-worded blog post chiding Google for what it called a “gotcha” policy that leaves Microsoft users in the lurch”
  • There is also a new Adobe flash to address multiple issues
  • Krebs notes: “Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).” because of the way Microsoft bundles flash
  • Infact, if you use Chrome and Firefox on windows, you’ll need to make sure all 3 have properly updated.

What makes a good security question?

  • Safe: cannot be guessed or researched
  • Stable: does not change over time
  • Memorable: you can remember it
  • Simple: is precise, simple, consistent
  • Many: has many possible answers
  • It is important that the answer not be something that could easily be learned by friending you on facebook or twitter
  • Some examples:
  • What is the name of the first beach you visited?
  • What is the last name of the teacher who gave you your first failing grade?
  • What is the first name of the person you first kissed?
  • What was the name of your first stuffed animal or doll or action figure?
  • Too many of the more popular questions are too easy to research now
  • Some examples of ones that might not be so good:
    • In what town was your first job? (Resume, LinkedIn, Facebook)
    • What school did you attend for sixth grade?
    • What is your oldest sibling’s birthday month and year? (e.g., January 1900) (Now it isn’t your facebook, but theirs that might be the leak, you can’t control what information other people expose)
  • Sample question scoring


Round Up:

Question? Comments? Contact us here!