Security Snacks #6 – 12 Cisco bugs, 200 most common passwords, Weird bounties & SAD DNS

Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

As if 2020 wasn’t scary enough, DNS cache poisoning is back from the dead! 123456 is still the most common password. A researcher dropped 12 severe Cisco exploits you need to stop everything and go patch ASAP. A company is offering a bounty to criminals who hacked it, and another one paid a bounty to ethical hackers who helped it find the criminals who hacked it…

Notable Security News

NordPass’s Top 200 most common passwords of the year 2020

NordPass analyzed passwords leaked in recent data breaches and published this list of the 200 most common passwords of 2020. 123456 is disappointingly first, followed by 123456789 then picture1. So, this is that yearly reminder to use a password generator. It is also interesting to see the worst passwords by category (names, sports, random letters…).

Cisco reveals this critical bug in Cisco Security Manager after exploits are posted – patch now

Florian Hauser responsibly disclosed to Cisco 12 vulnerabilities, all unauthenticated and almost all resulting in Remote Code Execution. Since they weren’t patched 120 days later, he published his research. Attackers will probably start using his exploits in the coming days to take control of vulnerable systems. If you are using Cisco Security Manager, you need to patch as soon as possible!

SAD DNS: Researchers pull source code as DNS cache poisoning technique deemed ‘too dangerous’

The DNS cache poisoning attack was discovered in 2008 and fixed, but researchers found a way to bypass mitigations. Attackers can again poison the cache of DNS resolvers and cause them to return a malicious spoofed IP address instead of the real IP of a domain. It is so severe that the source code to reproduce it was pulled after its publication and DNS providers like Cloudflare are working on new mitigations.

Binance awards $200,000 bounty after cyber-attackers indicted in US

A team of unnamed investigators helped Binance identify the cyber criminals behind phishing attacks against its users. So, Binance rewarded them with a $200,000 bounty, plus $50,000 that will be paid after the crooks are in custody. Contemporary bounty hunters, just like bounty hunters of the Old West!

Crypto company offers bounty to hackers that stole $2M – a slap in the face to threat researchers

Akropolis.io, a cryptocurrency company, lost $2 million to cyber criminals. Instead of going to law enforcement, they are now offering a $200,000 bounty to the hackers if they return the stolen funds. A sort of compensation for having found an exploit, except that this is not how bug bounties work! It sets a dangerous precedent for both companies and hackers.

Other Interesting News

Cybercrime

Vulnerabilities

Reports

Responsible disclosure

Tech

Misc.

Intigriti News

Yesterday, our CEO Stijn Jans and Intigriti were chosen as the winner in the Scale-Up category of De Bertjes. Congratulations!