Episode Transcript
Transcripts are displayed as originally observed. Some content, including advertisements, may have changed.
0:00
Hello, and welcome to the Tuesday,
0:02
May 9, 2023 edition of the SANS Internet Storm Center's Stormcast. My
0:09
name is Johannes Ullrich, and I
0:11
am recording from Jacksonville, Florida.
0:16
We've got more news about QR codes. Overall,
0:19
I'm not really considering QR
0:21
codes the huge threat that some people
0:24
consider them, but there are
0:26
certainly some issues where the
0:29
ease of use of QR codes also
0:32
helps attackers. With that,
0:34
there are two distinct cases where recently
0:36
QR codes have been used maliciously.
0:40
One apparently in Singapore.
0:42
Now in this case, the victim
0:45
scanned a QR
0:46
code in a restaurant, believing
0:48
that it led to a survey, which of course
0:51
offered some kind of prize. The
0:53
first thing that should probably
0:55
have triggered sort of a little bit an
0:57
alarm here is that in order to participate
1:00
in a survey, you first have to download
1:02
a mobile app on your Android phone.
1:05
Okay, and these days, everything sort of is
1:07
its own app, maybe not really all
1:09
that suspicious to require the
1:11
download of an app in order to participate
1:14
in this simple restaurant
1:16
survey. But then
1:18
once the app was installed, it did
1:20
require quite excessive
1:23
privileges to accessibility features,
1:26
microphone, camera, essentially
1:28
gaining full access to the
1:31
device. The app then used
1:33
this access in order to
1:35
take over financial applications
1:38
and drain victims' bank
1:40
accounts. The other case
1:42
was here in the United States and a little bit of more
1:44
traditional sort of QR code
1:46
abuse. Apparently in San Francisco,
1:49
someone is handing out fake parking
1:51
tickets which conveniently come
1:53
with a QR code that allows the
1:56
victim to pay. These
1:58
are then good old
1:59
phishing websites that basically just steal
2:02
payment data from the victim.
2:05
The tickets were not only dated in the future
2:07
but they were also issued apparently
2:10
by the city of San Francisco
2:12
where usually San Francisco tickets
2:15
are issued by the San Francisco
2:17
Municipal Transport Agency. Of
2:19
course, something that maybe someone who is
2:22
not receiving a lot of parking tickets may
2:24
not notice. Of course, these
2:27
are all tricks that may have
2:29
worked
2:29
with a URL shortener or just by
2:32
tricking the user into typing
2:34
a particular URL but
2:36
by making it a QR code, you
2:39
give the victim just a couple
2:42
of seconds to think about and
2:44
maybe discover that this is a scam.
2:49
And it's still a week until patch
2:51
Tuesday for May but
2:54
we did already get an update for
2:57
Microsoft Edge. Microsoft
2:59
Edge of course based on the Chromium
3:02
browser does update
3:04
whenever Chromium updates and we
3:06
are now at version 113. There
3:10
are a number of security improvements
3:13
that come with this version like
3:15
for example sort of a better definition of
3:18
the different security modes
3:20
that you have between balanced
3:23
and strict. Also some
3:25
vulnerabilities that are specific to
3:28
Edge that don't necessarily affect
3:30
Chromium were also patched. One
3:33
affects the content security policy
3:36
implementation, only a CVSS score
3:38
of 4.7 or medium, and a privilege escalation
3:44
vulnerability with a CVSS
3:46
score of 7.5.
3:49
And the latest Facebook security
3:52
report hits a familiar theme
3:54
with a flood of fake
3:57
ChatGPT
3:59
here and this is something I think I mentioned
4:02
a couple times this is not just affecting
4:04
Facebook this is sort of across
4:06
multiple platforms like all the
4:08
different app stores and such are affected
4:11
by this that hackers are releasing
4:14
fake software that claims to be
4:16
ChatGPT. It may
4:18
offer sort of an interface for
4:21
ChatGPT but often
4:23
does also a number of malicious
4:26
things. So just like QR codes are
4:28
being used to trick users
4:29
into installing various
4:32
malicious software while the
4:34
label ChatGPT on some software
4:37
may do the same thing and that's of course
4:39
not unexpected given
4:42
that whenever we have big news
4:44
items like this there are scammers
4:46
like this jumping on the bandwagon
4:49
and using it to trick users to
4:51
install malicious software.
4:54
Then we got a couple of miscellaneous vulnerabilities.
4:57
One is in Apache's bRPC, where
4:59
B stands for better so
5:02
better RPC. Vulnerability
5:04
CVE-2023-31039 does
5:08
allow for arbitrary remote
5:11
code execution. There is
5:13
an update available so make
5:15
sure you patch and
5:17
talking about RPC, Pen Test
5:20
Partners disclosed a vulnerability
5:23
in CyberGhost that is
5:25
exploited by sending a crafted
5:28
JSON payload to the RPC
5:30
service and again it can lead to
5:32
command line injection in
5:35
the OpenVPN process.
5:37
CyberGhost VPN is based out of one
5:39
of those wrappers around
5:41
OpenVPN and again
5:44
patches are available
5:47
and if you don't have enough of me I'll
5:49
actually participate on q-state
5:52
morning at 10 a.m. Eastern
5:55
in SANS podcast. It's sort
5:57
of a new thing that SANS is starting. It's
5:59
a
5:59
weekly podcast, but also YouTube
6:02
live stream, 10 a.m. Eastern. I'll
6:06
add a link to the show notes and
6:09
well, let me know if you like that
6:11
as well. And maybe I'll participate
6:13
in that more frequently. Thanks
6:16
and talk to you again tomorrow.
6:18
Bye.