ES Episode58

From Paul's Security Weekly

Enterprise Security Weekly #58

Recorded August 23, 2017 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • John Strand
    Security analyst, Founder of Black Hills Information Security, and CTO of Offensive Countermeasures.

  • Enterprise News

    1. Beyond Feeds: A Deep Dive Into Threat Intelligence Sources - Straight away, we saw something interesting. A very high proportion of organizations were already using threat intelligence to block malicious domains and IP addresses, with many also using it to add context to investigations or compromise assessments. - I'd argue this is not "threat intelligence". First, the domain and/or IP is not really a threat. It's the source of a threat, but does not speak to the threat itself. I'd also argue this is not really intelligence, but merely a reporting system based on scoring and observing behavior. Simply stating "this is bad" without some type of context as to why it is bad is not intelligence.
    2. Oracle Wants to Give Java EE to the Open-Source Community - Kind of a big deal for many enterprises that still rely on Java, now there will not be a commercial entity in charge of the software development. What will this mean for security?
    3. How to Secure Personal Mobile Devices (Without Making Your Employees Hate You) - They may not hate you, but they will certainly hate having their devices managed, and user education is not enough, esp. on Android.
    4. Using Containers to Make Software Tests Faster and More Secure | Twistlock - Great article! And really just one reason why we will continue to see a shift to containers. Like it or not, they are here to stay and have security benefits.
    5. GeoGuard and Skyhook have announced a collaboration - Okay, this is creepy, and not really enterprise related: GeoGuard, the Vancouver-based geo-location piracy prevention experts and Skyhook, the world’s behavioural location intelligence company, have announced a collaboration to provide the content industry with the first solution that ensures viewers are verifiably watching films and TV at home.
    6. Studies Show Ways Organizations Struggle with Cybersecurity - yep: Second, a Gigamon study found that nearly two-thirds of the companies surveyed don’t have visibility into all aspects of their IT infrastructure and almost half of respondents who don’t have visibility into their network do not possess information on what is being encrypted.
    7. Cisco Moves to Secure Collaboration Across Cisco Spark Platform - I think anything is better than Skype for Business: The latest Cisco Spark update, among other capabilities, adds the ability to encrypt all communications occurring across the platform alongside a variety of new compliance controls, including support for assigning a personal identification number (PIN) to devices accessing the service regardless of who owns the device being employed.
    8. Illumio Applies Policies to Advance Data Center Microsegmentation - Illumio today added a set of visualization and discovery tools to an Illumio Adaptive Security Platform for microsegmenting traffic in a data center that makes it possible to both identify dependencies in an IT environment and then generate the appropriate management or IT security policy. Dream big: The basic idea is that by controlling the flow of east-west traffic inside the data center, IT organizations can provide higher levels of security by potentially limiting the damage any malware infestation can cause, while also improving application performance.
    9. One Identity Debuts Identity Analytics and Risk Intelligence Service - Saying a lot without really saying anything: One Identity today announced the official debut of its new Starling Identity Analytics and Risk Intelligence (IARI) service, providing organizations with cloud-delivered security and risk analysis capabilities.
    10. Gartner sets fire to all the cyber things | ZDNet - Thanks for the new acronym: This year, Gartner wants us to go beyond "adaptive", and they've got a new word for it: CARTA, which stands for continuous adaptive risk and trust assessment.
    11. Respond Software Launches Analyst Platform to Help Security Staff - And yet another new category is created: Respond Software emerged from stealth on Aug. 16 to introduce general availability of its Respond Analyst platform along with $12 million in Series A funding. The promise of the Respond Analyst platform is to help solve the IT security staffing challenge with technology that can identify and escalate potential security threat alerts.

    Topic: Security Training: Developer Awareness

    Technical Segment: Vulnerability Tracking & Reporting

    Commercial vendors in this space:

    iDefense (Now part of Accenture): https://www.accenture.com/t20170721T105740Z__w__/us-en/_acnmedia/PDF-57/Accenture-IDefense-Vulnerability-Intelligence.pdf

    Symantec Deep Sight: https://www.symantec.com/services/cyber-security-services/deepsight-intelligence/technical-intelligence

    And two open-source projects if you want to customize your own:

    https://github.com/cve-search/cve-search - Pure open-source

    https://github.com/toolswatch/vFeed - Free community edition available (requires registration)

    Demo

    $ ./vfeedcli.py -e json_dump CVE-2016-3074

    {
      "exploits": {
        "edb": [
          {
            "file": "platforms/linux/remote/39736.txt", 
            "id": 39736, 
            "url": "http://www.exploit-db.com/exploits/39736"
          }
        ], 
        "elliot D2": null, 
        "metasploit": null, 
        "saint": null
      }, 
      "information": {
        "capec": null, 
        "category": null, 
        "cpe": [
          {
            "id": "cpe:/a:libgd:libgd:2.1.1"
          }, 
          {
            "id": "cpe:/o:debian:debian_linux:8.0"
          }, 
          {
            "id": "cpe:/o:debian:debian_linux:7.0"
          }
        ], 
        "cve": [
          {
            "id": "CVE-2016-3074", 
            "modified": "2017-06-30T21:29:41.920-04:00", 
            "published": "2016-04-26T10:59:01.207-04:00", 
            "summary": "Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.", 
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074"
          }
        ], 
        "cwe": [
          {
            "id": "CWE-189", 
            "title": "Numeric Errors", 
            "url": "https://cwe.mitre.org/data/definitions/189.html"
          }
        ], 
        "wasc": null
      }, 
      "patches": {
        "cisco": null, 
        "debian": [
          {
            "id": "DSA-3556", 
            "url": "https://security-tracker.debian.org/tracker/DSA-3556"
          }, 
          {
            "id": "DSA-3602", 
            "url": "https://security-tracker.debian.org/tracker/DSA-3602"
          }
        ], 
        "fedora": [
          {
            "id": "FEDORA-2016-0c57b12c7b", 
            "url": "https://admin.fedoraproject.org/updates/FEDORA-2016-0c57b12c7b"
          }, 
          {
            "id": "FEDORA-2016-5f91f43826", 
            "url": "https://admin.fedoraproject.org/updates/FEDORA-2016-5f91f43826"
          }
        ], 
        "gentoo": [
          {
            "id": "GLSA-201607-04", 
            "url": "https://security.gentoo.org/glsa/201607-04"
          }, 
          {
            "id": "GLSA-201611-22", 
            "url": "https://security.gentoo.org/glsa/201611-22"
          }
        ], 
        "hp": null, 
        "ibm": null, 
        "mandriva": null, 
        "microsoft": null, 
        "redhat": null, 
        "suse": [
          {
            "id": "openSUSE-SU-2016:1274", 
            "url": "https://www.suse.com/security/cve/CVE-2016-3074.html"
          }
        ], 
        "ubuntu": [
          {
            "id": "USN-2987-1", 
            "url": "http://www.ubuntu.com/usn/USN-2987-1"
          }
        ], 
        "vmware": null
      }, 
      "references": {
        "bid": [
          {
            "id": 87087, 
            "url": "http://www.securityfocus.com/bid/87087"
          }
        ], 
        "certvn": null, 
        "iavm": null, 
        "osvdb": null, 
        "other": {
          "links": [
            {
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183263.html", 
              "vendor": "FEDORA"
            }, 
            {
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183724.html", 
              "vendor": "FEDORA"
            }, 
            {
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00031.html", 
              "vendor": "SUSE"
            }, 
            {
              "url": "http://packetstormsecurity.com/files/136757/libgd-2.1.1-Signedness.html", 
              "vendor": "MISC"
            }, 
            {
              "url": "http://seclists.org/fulldisclosure/2016/Apr/72", 
              "vendor": "FULLDISC"
            }, 
            {
              "url": "http://www.debian.org/security/2016/dsa-3556", 
              "vendor": "DEBIAN"
            }, 
            {
              "url": "http://www.debian.org/security/2016/dsa-3602", 
              "vendor": "DEBIAN"
            }, 
            {
              "url": "http://www.securityfocus.com/archive/1/archive/1/538160/100/0/threaded", 
              "vendor": "BUGTRAQ"
            }, 
            {
              "url": "http://www.securityfocus.com/bid/87087", 
              "vendor": "BID"
            }, 
            {
              "url": "http://www.securitytracker.com/id/1035659", 
              "vendor": "SECTRACK"
            }, 
            {
              "url": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.383127", 
              "vendor": "SLACKWARE"
            }, 
            {
              "url": "http://www.ubuntu.com/usn/USN-2987-1", 
              "vendor": "UBUNTU"
            }, 
            {
              "url": "https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19", 
              "vendor": "CONFIRM"
            }, 
            {
              "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", 
              "vendor": "CONFIRM"
            }, 
            {
              "url": "https://security.gentoo.org/glsa/201607-04", 
              "vendor": "GENTOO"
            }, 
            {
              "url": "https://security.gentoo.org/glsa/201611-22", 
              "vendor": "GENTOO"
            }, 
            {
              "url": "https://www.exploit-db.com/exploits/39736/", 
              "vendor": "EXPLOIT-DB"
            }
          ]
        }, 
        "scip": [
          {
            "id": 82844, 
            "url": "http://www.scip.ch/?vuldb.82844"
          }
        ]
      }, 
      "risk": [
        {
          "cvss2": [
            {
              "accessComplexity": "low", 
              "accessVector": "network", 
              "authentication": "none", 
              "availability": "partial", 
              "base": "7.5", 
              "confidentiality": "partial", 
              "exploitability": "10.0", 
              "impact": "6.4", 
              "integrity": "partial", 
              "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
            }
          ], 
          "severity": "high", 
          "topAlert": false, 
          "topVulnerable": false
        }
      ], 
      "rules": {
        "snort": null, 
        "suricata": null
      }, 
      "scanners": {
        "nessus": [
          {
            "family": "Amazon Linux Local Security Checks", 
            "file": "ala_ALAS-2016-698.nasl", 
            "id": "90867", 
            "name": "Amazon Linux AMI : php56 / php55 (ALAS-2016-698)"
          }, 
          {
            "family": "Debian Local Security Checks", 
            "file": "debian_DSA-3556.nasl", 
            "id": "90688", 
            "name": "Debian DSA-3556-1 : libgd2 - security update"
          }, 
          {
            "family": "Debian Local Security Checks", 
            "file": "debian_DSA-3602.nasl", 
            "id": "91615", 
            "name": "Debian DSA-3602-1 : php5 - security update"
          }, 
          {
            "family": "Fedora Local Security Checks", 
            "file": "fedora_2016-0c57b12c7b.nasl", 
            "id": "90948", 
            "name": "Fedora 24 : gd-2.1.1-7.fc24 (2016-0c57b12c7b)"
          }, 
          {
            "family": "Fedora Local Security Checks", 
            "file": "fedora_2016-5f91f43826.nasl", 
            "id": "90812", 
            "name": "Fedora 23 : gd-2.1.1-5.fc23 (2016-5f91f43826)"
          }, 
          {
            "family": "Fedora Local Security Checks", 
            "file": "fedora_2016-7d6cbcadca.nasl", 
            "id": "92118", 
            "name": "Fedora 22 : gd (2016-7d6cbcadca)"
          }, 
          {
            "family": "FreeBSD Local Security Checks", 
            "file": "freebsd_pkg_5764c63410d211e694fa002590263bf5.nasl", 
            "id": "90844", 
            "name": "FreeBSD : php -- multiple vulnerabilities (5764c634-10d2-11e6-94fa-002590263bf5)"
          }, 
          {
            "family": "Gentoo Local Security Checks", 
            "file": "gentoo_GLSA-201607-04.nasl", 
            "id": "92348", 
            "name": "GLSA-201607-04 : GD: Multiple vulnerabilities"
          }, 
          {
            "family": "Gentoo Local Security Checks", 
            "file": "gentoo_GLSA-201611-22.nasl", 
            "id": "95421", 
            "name": "GLSA-201611-22 : PHP: Multiple vulnerabilities (httpoxy)"
          }, 
          {
            "family": "SuSE Local Security Checks", 
            "file": "openSUSE-2016-576.nasl", 
            "id": "91071", 
            "name": "openSUSE Security Update : php5 (openSUSE-2016-576)"
          }, 
          {
            "family": "SuSE Local Security Checks", 
            "file": "openSUSE-2016-703.nasl", 
            "id": "91585", 
            "name": "openSUSE Security Update : php5 (openSUSE-2016-703)"
          }, 
          {
            "family": "CGI abuses", 
            "file": "php_5_5_35.nasl", 
            "id": "90920", 
            "name": "PHP 5.5.x < 5.5.35 Multiple Vulnerabilities"
          }, 
          {
            "family": "CGI abuses", 
            "file": "php_5_6_21.nasl", 
            "id": "90921", 
            "name": "PHP 5.6.x < 5.6.21 Multiple Vulnerabilities"
          }, 
          {
            "family": "CGI abuses", 
            "file": "php_7_0_6.nasl", 
            "id": "90922", 
            "name": "PHP 7.0.x < 7.0.6 Multiple Vulnerabilities"
          }, 
          {
            "family": "Misc.", 
            "file": "securitycenter_php_5_6_21.nasl", 
            "id": "91814", 
            "name": "Tenable SecurityCenter < 5.3.2 Multiple Vulnerabilities (TNS-2016-09)"
          }, 
          {
            "family": "Slackware Local Security Checks", 
            "file": "Slackware_SSA_2016-120-02.nasl", 
            "id": "90801", 
            "name": "Slackware 14.0 / 14.1 / current : php (SSA:2016-120-02)"
          }, 
          {
            "family": "Ubuntu Local Security Checks", 
            "file": "ubuntu_USN-2987-1.nasl", 
            "id": "91423", 
            "name": "Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : libgd2 vulnerabilities (USN-2987-1)"
          }
        ], 
        "nmap": null, 
        "openvas": [
          {
            "family": "Fedora Local Security Checks", 
            "file": "gb_fedora_2016_5_gd_fc23.nasl", 
            "id": "103085", 
            "name": "Fedora Update for gd FEDORA-2016-5"
          }, 
          {
            "family": "Amazon Linux Local Security Checks", 
            "file": "alas-2016-698.nasl", 
            "id": "14611", 
            "name": "Amazon Linux Local Check: alas-2016-698"
          }, 
          {
            "family": "Debian Local Security Checks", 
            "file": "deb_3556.nasl", 
            "id": "703556", 
            "name": "Debian Security Advisory DSA 3556-1 (libgd2 - security update)"
          }, 
          {
            "family": "Debian Local Security Checks", 
            "file": "deb_3602.nasl", 
            "id": "703602", 
            "name": "Debian Security Advisory DSA 3602-1 (php5 - security update)"
          }, 
          {
            "family": "Fedora Local Security Checks", 
            "file": "gb_fedora_2016_7d6cbcadca_gd_fc22.nasl", 
            "id": "867773", 
            "name": "Fedora Update for gd FEDORA-2016-7d6cbcadca"
          }, 
          {
            "family": "SuSE Local Security Checks", 
            "file": "gb_suse_2016_1553_1.nasl", 
            "id": "850584", 
            "name": "SuSE Update for php5 openSUSE-SU-2016:1553-1 (php5)"
          }, 
          {
            "family": "Ubuntu Local Security Checks", 
            "file": "gb_ubuntu_USN_2987_1.nasl", 
            "id": "841810", 
            "name": "Ubuntu Update for libgd2 USN-2987-1"
          }, 
          {
            "family": "Mageia Linux Local Security Checks", 
            "file": "mgasa-2016-0152.nasl", 
            "id": "12024", 
            "name": "Mageia Linux Local Check: mgasa-2016-0152"
          }
        ], 
        "oval": [
          {
            "class": "patch", 
            "id": "oval:org.cisecurity:def:560", 
            "title": "DSA-3556-1 -- libgd2 -- security update", 
            "url": "https://oval.cisecurity.org/repository/search/definition/oval:org.cisecurity:def:560"
          }, 
          {
            "class": "patch", 
            "id": "oval:org.cisecurity:def:955", 
            "title": "DSA-3602-1 -- php5 -- security update", 
            "url": "https://oval.cisecurity.org/repository/search/definition/oval:org.cisecurity:def:955"
          }
        ]
      }, 
      "vFeed": {
        "Contact": "@vfeed_io", 
        "author": "vFeed IO", 
        "id": "VFD-2016-3074", 
        "product": "vFeed - The Correlated Vulnerability and Threat Intelligence Database Wrapper", 
        "url": "https://vfeed.io", 
        "wrapper": "0.7.2"
      }
    }
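    The dump above carries far more than a tracking ticket needs. As an added example (not vFeed's own code and not from the show), the script below loads a constructed, trimmed copy of that CVE-2016-3074 record, keeping vFeed's field names, and pulls out what a vulnerability-tracking workflow acts on: the CVSS base score, whether a public exploit is indexed, which vendor advisories apply to the platforms in your own inventory, which scanner plugins can verify the fix, and whether any IDS rules exist. The priority scheme and the `patches_for_inventory` and `gaps` helpers are assumptions of this example, not vFeed features.

```python
"""Triage helper for a vFeed-style JSON dump (added example, not vFeed's code).

SAMPLE_JSON is a constructed, trimmed copy of the CVE-2016-3074 record shown in
the demo; field names and values follow that dump. The priority scheme below
is an assumption for illustration, not vFeed's or any vendor's scoring.
"""
import json

SAMPLE_JSON = r'''
{
  "exploits": {"edb": [{"file": "platforms/linux/remote/39736.txt", "id": 39736,
                        "url": "http://www.exploit-db.com/exploits/39736"}],
               "metasploit": null, "saint": null},
  "information": {
    "cpe": [{"id": "cpe:/a:libgd:libgd:2.1.1"},
            {"id": "cpe:/o:debian:debian_linux:8.0"}],
    "cve": [{"id": "CVE-2016-3074",
             "summary": "Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow."}],
    "cwe": [{"id": "CWE-189", "title": "Numeric Errors"}]
  },
  "patches": {"debian": [{"id": "DSA-3556"}, {"id": "DSA-3602"}],
              "redhat": null,
              "ubuntu": [{"id": "USN-2987-1"}]},
  "risk": [{"cvss2": [{"base": "7.5", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}],
            "severity": "high"}],
  "rules": {"snort": null, "suricata": null},
  "scanners": {"nessus": [{"file": "debian_DSA-3556.nasl", "id": "90688"},
                          {"file": "ubuntu_USN-2987-1.nasl", "id": "91423"}],
               "openvas": [{"file": "deb_3556.nasl", "id": "703556"}]}
}
'''


def load_sample():
    """Parse the constructed record; replace with the output of vfeedcli.py in practice."""
    return json.loads(SAMPLE_JSON)


def summarize(record):
    """Flatten the parts of a vFeed record that a tracking ticket needs."""
    info = record.get("information") or {}
    risk = (record.get("risk") or [{}])[0]
    cvss2 = (risk.get("cvss2") or [{}])[0]
    return {
        "cve": info["cve"][0]["id"],
        "cvss_base": float(cvss2.get("base", 0.0)),
        "severity": risk.get("severity", "unknown"),
        # exploit sources with at least one indexed entry (null or [] means none)
        "public_exploits": sorted(src for src, hits in (record.get("exploits") or {}).items() if hits),
        "cpes": [c["id"] for c in info.get("cpe") or []],
        "patches": {vendor: [p["id"] for p in adv]
                    for vendor, adv in (record.get("patches") or {}).items() if adv},
        "scanner_plugins": {tool: [p["file"] for p in plugins]
                            for tool, plugins in (record.get("scanners") or {}).items() if plugins},
        "ids_rules": sorted(k for k, v in (record.get("rules") or {}).items() if v),
    }


def priority(summary):
    """Assumed triage scheme: public exploit + CVSS >= 7 is P1, CVSS >= 7 is P2, else P3."""
    if summary["public_exploits"] and summary["cvss_base"] >= 7.0:
        return "P1"
    if summary["cvss_base"] >= 7.0:
        return "P2"
    return "P3"


def patches_for_inventory(summary, vendors):
    """Keep only advisories for vendors you actually run (keys as in the dump)."""
    return {v: summary["patches"][v] for v in vendors if v in summary["patches"]}


def gaps(summary):
    """Coverage gaps worth recording on the ticket."""
    out = []
    if not summary["ids_rules"]:
        out.append("no Snort/Suricata rule: verify by patch state, not network detection")
    if not summary["scanner_plugins"]:
        out.append("no scanner plugin: needs a manual version check")
    return out


def report_line(summary, vendors):
    """One-line tracking row, e.g. for a weekly vulnerability report."""
    advisories = ", ".join(f"{v}:{'/'.join(ids)}" for v, ids in patches_for_inventory(summary, vendors).items())
    return (f"{priority(summary)} {summary['cve']} cvss={summary['cvss_base']} "
            f"exploits={','.join(summary['public_exploits']) or 'none'} patches=[{advisories}]")


if __name__ == "__main__":
    s = summarize(load_sample())
    print(report_line(s, ["debian", "ubuntu", "redhat"]))
    for g in gaps(s):
        print("  gap:", g)
```

Run against a live `vfeedcli.py -e json_dump <CVE>` by replacing `load_sample()` with `json.load(open(path))`; the point of the `patches_for_inventory` step is that the dump lists every vendor's advisory, while your ticket should only carry the ones for platforms you own, and `gaps` records what the correlated data cannot give you (here, no IDS rule for this CVE).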