Previous Gnews All images scavenged without permission

Patch Tuesday Jun – 50 CVE / 41 KB Articles with 777 unique downloads Reports of 5 Critical Internet Explorer Microsoft Edge Microsoft Windows Microsoft Office and Microsoft Office Services and Web Apps ChakraCore Adobe Flash Player Microsoft Office 2016 for Mac Sources: https://portal.msrc.microsoft.com/en-us/security-guidance https://technet.microsoft.com/en-us/security/advisories No longer working http://technet.microsoft.com/en-us/security/bulletin/ms17-may Doublekill ie 0-day https://nakedsecurity.sophos.com/2018/04/25/mysterious-double-kill-ie-zero-day-allegedly-in-the-wild/ win 10 april update https://venturebeat.com/2018/04/30/how-to-force-windows-10-to-download-the-april-2018-update/ Windows 10 GPO tricks https://decentsecurity.com/customizing-windows-10-user-experience/

Holes / Patches VMWare Oracle Adobe Apple Cisco Google VMSA-2018-0011 ( 1 CVE ) VMware NSX SD-WAN Command Injection VMSA-2018-0012 ( 1 CVE ) vSphere, Workstation and Fusion VMSA-2018-0013 ( 2 CVE ) Workstation and Fusion DoS VMSA-2018-0014 ( 1 CVE ) Horizon Client Privilege Escalation VMSA-2018-0015 ( 1 CVE ) AirWatch Agent RCE Cisco Digital Network Architecture (DNA) Center platform ( 7 CVE ) Auth bypass Google Android 11 Fixes Chrome 34 Fixes Re-CAPTACH bypass fixed Oracle Due out in July Adobe APSB18-09 Acrobat / Reader ( 47 CVE ) APSB18-17 Photoshop CC ( 1 CVE ) APSB18-19 Flash Player ( 4 CVE ) Apple Xcode 9.4.1 ( 2 CVE) iCloud for Windows 7.5 ( 15 CVE ) Safari 11.1.1 ( 13 CVE) Security Update 2018-003 ( 32 CVE) iOS 11.4 ( 35 CVE) watchOS 4.3.1 ( 20 CVE) iTunes 12.7.5 for Windows ( 16 CVE) tvOS 11.4 ( 24 CVE) Sources: ## Oracle Patches http://www.oracle.com/technetwork/topics/security/alerts-086861.html ##Adobe Patches https://helpx.adobe.com/security.html https://helpx.adobe.com/security/products/acrobat/apsb18-09.html https://helpx.adobe.com/security/products/photoshop/apsb18-17.html https://helpx.adobe.com/security/products/flash-player/apsb18-19.html ##Apple patches http://support.apple.com/kb/HT1222 security-updates-for-macos-10-13-4/ ##Cisco patches http://tools.cisco.com/security/center/home.x https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir&limit=100#~Vulnerabilities -Cisco https://threatpost.com/cisco-warns-of-three-critical-bugs-in-digital-network-architecture-platform/132057/ ## VMWare http://www.vmware.com/security/advisories/ https://www.vmware.com/security/advisories/VMSA-2018-0011.html https://www.vmware.com/security/advisories/VMSA-2018-0012.html https://www.vmware.com/security/advisories/VMSA-2018-0013.html https://www.vmware.com/security/advisories/VMSA-2018-0014.html https://www.vmware.com/security/advisories/VMSA-2018-0015.html ## Android https://source.android.com/security/bulletin/index.html -Google 11 fixes in June https://threatpost.com/google-patches-11-critical-android-bugs-in-june-update/132512/ -Google fixes re-captch bypass https://threatpost.com/google-patches-recaptcha-bypass/132335/ -Chrome gets 34 bug fixes https://threatpost.com/google-patches-34-browser-bugs-in-chrome-67-adds-spectre-fixes/132370/

Holes PGP issues (email/mime) Samsung s9 Redhat DHCP Client Windows 10 1803 Windows 10 SSH broken 0365 to block flash Xfinity patch Dell/SMC recoverypoint bugs Git vulns steam, finally patches 10 yr bug Adobe 0-day wireshark RCE bootloader on OnePlus 6 Holes Sources: PGP issues https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now https://www.hackread.com/pgp-and-s-mime-protected-emails-prone-to-exposure/ Samsung s9 https://threatpost.com/samsung-patches-six-critical-bugs-in-flagship-handsets/131940/ Redhat DHCP Client https://bugzilla.redhat.com/show_bug.cgi?id=1567974 Windows 10 1803 https://www.howtogeek.com/340688/whats-coming-in-windows-10s-redstone-4-update-available-march-2018/ https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1803 Windows 10 SSH broken Extract private keys in Win10 https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/ Xfinity patch https://threatpost.com/comcast-patches-router-bug-that-leaked-some-wi-fi-passwords/132183/ Dell/SMC recoverypoint bugs https://threatpost.com/six-vulnerabilities-found-in-dell-emcs-disaster-recovery-system-one-critical/132179/ 0365 to block flash https://www.bleepingcomputer.com/news/microsoft/microsoft-to-block-flash-in-office-365/ Git vulns https://threatpost.com/bug-in-git-opens-developer-systems-up-to-attack/132395/ steam, finally patches 10 yr bug https://www.hackread.com/steam-fixes-10-year-old-remote-code-execution-vulnerability/ Adobe 0-day https://threatpost.com/adobe-patches-critical-flash-player-bug-with-active-exploit/132595/ wireshark RCE http://www.securityorb.com/vulnerability/wireshark-security-advisory/ bootloader on OnePlus 6 https://www.hackread.com/oneplus-6-bootloader-vulnerability-device-control/

Hacking TreasureHunter POS Malware source code leaked upnp ddos amplification voice-squatting (phonetic similarity) VPN Filter bitgoin gold loses 18mil in double spend attack zwave downgrade attack SQL as a C&C Sonic HDD attack AMD SEV attack BMW, latest car to hack FB side-channel attack jscript 0-day Conatiner ships still easy Zip Slip bug Hacking Sources: TreasureHunter POS Malware source code https://threatpost.com/pos-malware-treasurehunter-source-code-leaked/131891/ upnp ddos amplification https://threatpost.com/attackers-use-upnp-to-sidestep-ddos-defenses/131981/ voice-squatting https://threatpost.com/voice-squatting-turns-alexa-google-home-into-silent-spies/132068/ VPN Filter https://arstechnica.com/information-technology/2018/05/hackers-infect-500000-consumer-routers-all-over-the-world-with-malware/ bitgoin gold - 18mil in double spend attack https://www.hackread.com/bitcoin-gold-loses-over-18-million-after-hack-attack/ zwave downgrade attack https://www.pentestpartners.com/security-blog/z-shave-exploiting-z-wave-downgrade-attacks/ SQL as a C&C https://threatpost.com/brazilian-banking-trojan-communicates-via-microsoft-sql-server/132325/ Sonic HDD attack https://threatpost.com/sonic-tone-attacks-damage-hard-disk-drives-crashes-os/132343/ AMD SEV attack https://threatpost.com/severed-attack-extracts-the-memory-of-amd-encrypted-vms/132359/ BMW, latest car to hack https://www.hackread.com/internet-connected-bmw-vehicles-vulnerable-to-getting-hacked/ FB side-channel attack https://threatpost.com/browser-side-channel-flaw-de-anonymizes-facebook-data/132465/ jscript 0-day https://threatpost.com/researchers-warn-of-microsoft-zero-day-rce-bug/132473/ https://www.zerodayinitiative.com/advisories/ZDI-18-534/ Conatiner ships still easy https://securityledger.com/2018/06/container-ships-easy-to-hack-track-send-off-course-and-even-sink-security-experts-say/ www.marinevesseltraffic.com Zip Slip bug https://threatpost.com/zip-slip-flaw-affects-thousands-of-open-source-projects/132577/

Corp ATT / Time Warner merger MS to buy Github? adobe to buy magneto still more spectre pornhub vpn is free for all Google drone AI doc leaked Google Drone contract, non-renewal Sources: ATT / Time Warner merger http://money.cnn.com/2018/06/12/media/att-time-warner-ruling/index.html MS to buy Github? https://www.bloomberg.com/news/articles/2018-06-03/microsoft-is-said-to-have-agreed-to-acquire-coding-site-github adobe to buy magneto https://risnews.com/adobe-acquire-magento-commerce still more spectre https://threatpost.com/intel-responds-to-news-of-spectre-like-flaw-in-cpus/132169/ https://threatpost.com/intels-virtual-fences-spectre-fix-wont-protect-against-variant-4/132246/ pornhub vpn is free for all https://www.hackread.com/pornhub-vpnhub-is-a-free-vpn-for-everyone/ Google drone AI doc leaked https://theintercept.com/2018/05/31/google-leaked-emails-drone-ai-pentagon-lucrative/ Google Drone contract, non-renewal https://theintercept.com/2018/06/01/google-drone-ai-project-maven-contract-renew/ Corp

Corp breaches don't matter Chili's popped Securus popped LocationSmart leaks location data TeenSafe leak, unsecured servers appleid passwords coke data breach TicketFly popped Honda Connect S3 bucket, unsecured (50K users) Fortune 500s leak data via G-Suite Groups MyHeritage, popped (92mil) syndicate wallet popped (10mil) coinrail popped (40mil) Weigthwatchers s3 bucket Sources: breaches don't matter https://www.healthcareinfosecurity.com/do-data-breaches-permanently-affect-business-reputations-a-11048 Chili's popped http://brinker.mediaroom.com/ChilisDataIncident https://www.healthcareinfosecurity.com/blogs/chilis-speed-question-to-notify-or-to-notify-quickly-p-2628 Securus popped https://www.hackread.com/securus-cops-track-cellphone-users-has-been-hacked/ LocationSmart leaks location data https://www.hackread.com/locationsmart-vulnerability-leaking-tracking-data/ TeenSafe leak, unsecured servers https://www.zdnet.com/article/teen-phone-monitoring-app-leaks-thousands-of-users-data/ appleid passwords https://www.hackread.com/teen-monitoring-app-exposes-plaintext-apple-id-passwords/ coke data breach https://www.hackread.com/cola-cola-breach-ex-employee-stole-hard-drive-with-8000-workers-data/ TicketFly popped https://www.marketwatch.com/story/ticketfly-breach-may-have-exposed-data-of-26-million-customers-2018-06-03 Honda Connect S3 bucket, unsecured (50K users) https://www.hackread.com/hackers-compromise-tesla-cloud-server-to-mine-cryptocurrency/ Fortune 500s leak data via G-Suite Groups https://threatpost.com/public-google-groups-leaking-sensitive-data-at-thousands-of-orgs/132455/ https://gsuiteupdates.googleblog.com/2018/06/configure-your-google-groups-settings.html MyHeritage, popped (92mil) https://www.hackread.com/dna-testing-website-myheritage-hacked-user-accounts-stolen/ syndicate wallet popped (10mil) https://www.hackread.com/syndicate-wallet-hacked-10-million-dollars-stolen/ coinrail popped (40mil) https://www.hackread.com/bitcoin-falls-korean-exchange-hack-attack/ Weigthwatchers s3 bucket https://threatpost.com/unprotected-server-exposes-weight-watchers-internal-it-infrastructure/132713/ Corp

Govt Senate repeals net neutrality repeal FB / Equifax lawyer to run Bureau of consumer protection CA congressional debate, now with gay porn AZ modifies notification law, from timely notice to 45 day notice shocker, disparate rules won't work CA S.B.822 for net neutrality Email Privacy Act amendment via NDAA rider DOE to step up security efforts COPPA deletion rules, Like GDPR but only for kids EU copyright proposal Oregon data breach law modifications Louisiana data breach law modifications Colorado data breach law modifications Sources: Senate repeals netneutrality repeal https://www.eff.org/deeplinks/2018/05/senate-voted-stand-net-neutrality-now-tell-house-do-same FB / Equifax lawyer to run Bureau of consumer protection https://theintercept.com/2018/05/17/ftc-bureau-of-consumer-protection-director-andrew-smith/ CA congressional debate, now with gay porn https://www.hackread.com/someone-hacked-live-congressional-debate-with-gay-porn/ AZ modifies notification law, from timely notice to 45 day notice https://www.huntonprivacyblog.com/2018/05/24/arizona-amends-data-breach-notification-law/ shocker, disparate rules won't work https://www.esecurityplanet.com/compliance/gdpr-will-change-security-and-privacy-everywhere.html CA S.B.822 for net neutrality https://www.eff.org/deeplinks/2018/05/today-tell-californias-senate-defend-net-neutrality-and-pass-sb-822 Email Privacy Act amendment via NDAA rider https://www.eff.org/deeplinks/2018/05/email-privacy-act-comes-back-hopefully-stay DOE to step up security efforts https://www.huntonprivacyblog.com/2018/05/30/department-energy-announces-new-efforts-energy-sector-cybersecurity/ COPPA deletion rules, Like GDPR but only for kids https://www.ftc.gov/news-events/blogs/business-blog/2018/05/under-coppa-data-deletion-isnt-just-good-idea-its-law EU copyright proposal https://www.eff.org/deeplinks/2018/06/eus-copyright-proposal-extremely-bad-news-everyone-even-especially-wikipedia Oregon data breach law modifications https://www.huntonprivacyblog.com/2018/06/07/oregon-amends-data-breach-notification-law/ Louisiana data breach law modifications https://www.huntonprivacyblog.com/2018/06/11/louisiana-amends-data-breach-notification-law-eliminates-fees-security-freezes/ Colorado data breach law modifications https://www.healthcareinfosecurity.com/colorados-tougher-breach-law-healthcare-incidents-included-a-11071 Govt

Papers PCI v3.2.1 dropped DHS Cybersecurity Strategy 2018 https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf DHS Cybersecurity Strategy 2018 https://info.publicintelligence.net/DHS-CybersecurityStrategy-2018.pdf FIFA public Wireless Guidelines https://securelist.com/fifa-public-wi-fi-guide/85919/ Sources: PCI v3.2.1 dropped https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf DHS Cybersecurity Strategy 2018 https://info.publicintelligence.net/DHS-CybersecurityStrategy-2018.pdf FIFA public Wireless Guidelines https://securelist.com/fifa-public-wi-fi-guide/85919/

WTF plano now with terrorists 15 years for buying a ddos campaign ICANN GDPR Lawsuit Trump can pardon himself WTF Sources: plano now with terrorists https://theintercept.com/2018/05/23/texas-teen-isis-mall-shooting/ 15 years for buying a ddos campaign https://www.hackread.com/15-years-prison-for-man-who-hired-attackers-to-ddos-his-ex-employer/ ICANN GDPR Lawsuit https://threatpost.com/icann-launches-gdpr-lawsuit-to-clarify-the-future-of-whois/132427/ Trump can pardon himself https://twitter.com/realDonaldTrump/status/1003616210922147841

Tools Privacy Bandger now with less FB wifi hackling round-up InfosecInstitute launches subscription training library Tools Sources: Privacy Bandger now with less FB https://www.eff.org/deeplinks/2018/05/privacy-badger-rolls-out-new-ways-fight-facebook-tracking wifi round-up https://www.hackread.com/wifi-hacker-best-android-desktop-wifi-hacking-apps-free-download/ InfosecInstitute launches subscription training library https://resources.infosecinstitute.com/infosec-institute-unveils-largest-security-awareness-training-library

Past Cons HackMiami 18-20 May 2018 miami $125+ CircleCity 1-3 Jun 2018  indy  $150 ShowMeCon 7-8 Jun St.Charles MO Past Cons Sources:

Future Cons 614Con 14-15 Jun Colombus OH BSidesSATX 16 Jun 2018  san antonio  $??? Shakacon 11-12 Jul Honolulu HOPE 20-22 Jul NYC BlackHat 4-9 Aug Vegas BSidesLV 7-8 Aug Vegas DefCon 9-12 Aug Vegas Future Cons Sources: https://infosec-conferences.com/events-in-2018/ http://www.securitybsides.com/w/page/12194156/FrontPage

Where DHA @Dallas_Hackers TX2600 @dallas2600 The Lab.MS @TheLab_ms ( 1st Wednesday / Family Karaoke, Dallas ) TX2600 @dallas2600 ( 1st Fri / Wild Turkey 35&WalnutHill, Dallas ) The Lab.MS @TheLab_ms ( 2nd Saturday + random events / TheLab.ms, Plano ) ISSA Fort Worth @ISSAFortWorth ( 2nd Tuesday / location varies ) Hack Ft Worth @Hack_FtW ( 3rd-ish Tuesday / Buffalo West, Fort Worth) OWASP Dallas @OWASPDallas ( 3rd Tuesday / location varies ) Crypto Party DFW @CryptoPartyDFW ( 3rd Thursday / TheLab.ms, Plano ) North Texas Cyber Security Group @ntxcsg ( Last Thursday, Jakes, Frisco ) Dallas MakerSpace @dallasmakers ( Random events / Carrollton ) 0-day All Day @0Dayallday ( Quarterly / DFW) Sources: https://www.google.com/calendar/embed?src=c4ervam9s3ep79dtdjd1k9kgbk%40group.calendar.google.com&ctz=America/Chicago Where

Sources: All images scavenged without permission