Episode602

From Paul's Security Weekly

Recorded May 2, 2019 at G-Unit Studios in Rhode Island!


Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Lee Neely
    Sr. Cyber Analyst at LLNL, SANS Analyst, SANS NewsBites Editor.
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security.


  • Announcements

    • Register for our upcoming webcasts with ObserveIT & Kaseya by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand.
    • Security Weekly is returning to Vegas this August for BlackHat and DefCon! If you would like to request a briefing or sponsor an interview on-site at BlackHat, please go to securityweekly.com/booking and submit your request!
    • Some of you told us that you are overwhelmed by the amount of content we distribute! In an attempt to make it a little easier for you to find what you’re interested in, we’ve created our new listener interest list! Sign up for the list and select your interests by visiting securityweekly.com/subscribe and clicking the button to join the list! You can also now submit your suggestions for guests in our recently released guest suggestion form! Go to securityweekly.com/guests and enter your suggestions!
    • Attending KubeCon and CloudNativeCon Europe 2019 in Barcelona, May 20-23, 2019? Join your peers at the Cloud-Native Transformation Summit 2019 hosted by Sysdig on May 20th. Our very own Matt Alderman will be emceeing the event. Pre-registration is required. You can add it on during your KubeCon + CloudNativeCon registration.

    Interview: Philip Niedermair, National Cyber Group - 6:00-6:30PM

    Philip Niedermair is CEO of the National Cyber Group (NCG). The National Cyber Group’s mission is to develop and launch a National Cyber Education Program (the Program) which inspires students at all education levels, creates awareness of job opportunities, provides students with skills immediately applicable to the cyber workforce, and connects students to careers.

    Mr. Niedermair serves as the managing director of strategic alliances for Whiteford, Taylor & Preston (WTP), a large law firm. Prior to joining WTP, Philip was one of the founders and served as managing partner of The Bridge Alliance, an alliance of complementary professional services firms. Prior to that, he was CEO of Metrum Group, a marketing and strategic planning firm with expertise in national and global business operations, research, strategic planning, and project management. Clients served over the years on a global basis include BP Oil, The United States Post Office, MasterCard, Citibank and Coca-Cola.

    Philip sits on and advises many boards and organizations, including the Economic Round Table for Maryland Federal Reserve Bank of Richmond, The University of Baltimore’s Merrick School of Business, the DEA (Drug Enforcement Administration) Education Foundation, the Army Cyber Institute of West Point, and the Cyber Security Round Table of Maryland, The Royal Scottish Conservatoire, Historic Ships in Baltimore and the National Law Enforcement Officers Museum.

    Topic: National Cyber Education Program - NCEP


    Technical Segment: Joshua Abraham, Praetorian - 6:30 - 7:30PM

    Joshua Abraham delivers tactical and strategic service offerings for Praetorian.
    Josh is a key member of the technical execution team. In this capacity, he is responsible for leading, directing, and executing client-facing engagements that include Praetorian’s tactical and strategic service offerings. Prior to joining Praetorian, Josh spent six years at Rapid7, where he helped build the company’s professional services division, defined the firm’s core methodologies, and trained new employees on the latest hacking techniques.

    Over the years, Josh has become a well-known resource for his contributions to the information security space. An avid researcher and presenter, Josh has spoken at numerous conferences including BlackHat, Def Con, ShmooCon, Derby Con, BSides, The SANS Pentest Summit, Infosec World, SOURCE Barcelona, CSI, OWASP, LinuxWorld and Comdex.

    Josh has contributed to numerous open source security projects and is a respected security resource to the media, having been quoted by news outlets such as ComputerWorld, DarkReading, and SC Magazine. Josh holds a BS in Computer Science from Northeastern University.


    Contributed a good deal to Metasploit in the past.

    References:

    Vulcan code release

    ATT&CK Automation video

    MITRE ATT&CK April release



    Security News - 7:30PM-8:30PM

    Paul's Stories

    1. Open source security: The risk issue is unpatched software, not open source use - Some selection bias here: The 2019 Open Source Security and Risk Analysis (OSSRA) report, produced by the Synopsys Cybersecurity Research Center (CyRC), examines the results of more than 1,200 audits of commercial applications and libraries, performed by the Black Duck Audit Services team. The report highlights trends and patterns in open source use, as well as the prevalence of both insecure open source components and license conflicts. However, the bias could mean the problem is even worse. The survey is based on organizations who, perhaps, believed the problem was so bad they paid for an audit. You could also theorize that some were forced to have an audit, either for compliance reasons or someone had evidence to believe the problem was so bad that they needed external auditors to tell everyone how bad the problem is...
    2. Tenable experts found 15 flaws in wireless presentation systems - “Tenable found multiple vulnerabilities while investigating a Crestron AM-100. Tenable also discovered that the Crestron AM-100 shared a code base with the Barco wePresent, Extron ShareLink, InFocus LiteShow, TEQ AV IT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, and possibly others.” This type of IoT gear especially is lacking security controls in our experience. The connectivity provided typically does not take into account any security measures or consider any threats. I believe much of the AV industry is in the "why would anyone want to hack these devices?" camp.
    3. Is a sticky label the answer to the IoT's security problems? - Secure by Design cleverly zeros in on three fundamental problems that bedevil IoT devices and device security in general. 1) “IoT device passwords must be unique and not resettable to any universal factory setting.” 2) “Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.” 3) “Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.”
    4. Assange Refuses Extradition to US; Long Legal Fight Expected - We did not communicate all of the details on this story, and even mis-spoke on a previous episode as this news was breaking. In fact, he is the subject of an extradition warrant, despite what we may have said in a previous show: A defiant Julian Assange told a London court Thursday he will fight extradition to the United States to face charges of conspiring to hack into a Pentagon computer, arguing that his work as WikiLeaks founder has benefited the public. Speaking by video link from Belmarsh Prison in southeast London, Assange said: “I do not wish to surrender myself for extradition for doing journalism that has won many awards and protected many people.”
    5. PoC Exploits for Old SAP Configuration Flaws Increase Risk of Attacks | SecurityWeek.Com - Shit's going down according to Onapsis: In 2005, SAP released a security note (821875) providing instructions on how users can properly set up an ACL for the Message Server. Four years later, the company released another security note (1408081) with instructions on how to properly configure the access list for the Gateway. Then, in 2010, it released another note (1421005) reinforcing the importance of properly configuring the Message Server ACL. However, Onapsis, a company that specializes in securing SAP and Oracle business applications, discovered that many organizations have still failed to properly configure their installations. The company warned last year that most SAP systems were vulnerable to attacks due to these misconfigurations. Exploits designed to target improperly configured systems were made public for the first time last month by two researchers who had a session on SAP configuration and architecture issues at the OPCDE cybersecurity conference in Dubai.
    6. 50,000 companies exposed to hacks of 'business critical' SAP...
    7. Evaluating the GDPR experiment | SC Media
    8. Security Doesn't Trust IT - and IT Doesn't Trust Security - The survey is almost too easy to pick on: Most (93%) practitioners polled say they face challenges. Securing new technologies is at the top of the list, with 48% of respondents saying it was an issue, followed by restrictive budgets (39%) and a lack of understanding between IT operations and security (35%), which tied with legacy systems. Eighty percent of those surveyed say digital transformation drives cybersecurity risk, with 73% reporting they are now more dependent on software than they were 12 months ago.
    9. Docker Hub database access compromises 190,000 accounts | SC Media
    10. Dell laptops and computers vulnerable to remote hijacks | ZDNet
    11. Attackers actively exploiting Atlassian Confluence and Oracle WebLogic flaws - Help Net Security
    12. Why Are We Still Celebrating World Password Day? - I like Frank a lot: Frank Dickson, a research vice president at IDC who covers security, says companies have relied on passwords for decades, plus they are easy and inexpensive to create. Moving to a system where developers bake more security into applications slows down time-to-market and takes a lot more planning and effort, he adds. But Dickson also says the industry tends to miss a really important point: "Better security is about 50% of the equation," Dickson says. "We tend to forget that we can create a better user experience by eliminating the password."
    13. Hackers lurked in Citrix systems for six months | ZDNet
    14. Why You Should Say Goodbye to Password Vaults - Ha! Looks like this article was taken down before I had a chance to read it (and pulled from the Google cache).
    15. Stop using free VPNs for privacy and security
    16. World's first laser radio transmitter/receiver paves way for ultra-high-speed Wi-Fi
    17. Wisconsin church distributes marijuana as sacrament - This is just really funny: church co-founder Jesse Schworck considers it a religious sacrament and part of the worship at a Rastafarian church in an old storefront near the University of Wisconsin-Madison campus, and its members use and distribute marijuana freely. That's really the only requirement for membership. "We all have to agree that we all break bread and use this one sacrament: cannabis," Schworck said. The church doesn't try to hide the marijuana use there. It is very open about it, even smoking right in the window for anyone on the street to see.

    Larry's Stories

    1. Selling 0-day to groups like Fancy Bear, SandCat, and FruityArmor
    2. critical security issues with Cisco Nexus switches
    3. RCE on most Dell computers
    4. Cartoon Network streaming services hacked to stream male strippers
    5. Retail hacks for CC data more lucrative than ever with card not present transactions
    6. DHS changes policy; now agencies must patch critical flaws found in systems in 15 days, not 30.
    7. The Citrix hack goes deeper than previously thought…and Equifax comes in to "help"

    Lee's Stories

    1. "Virus Infection" Prevents Access to Patient Records - Malware or ransomware? 190K records not accessible due to the attack. The DR plan recovered the data.
    2. $1.75M Stolen by Crooks in Church BEC Attack - St. Ambrose Catholic Parish in Cleveland was compromised through a phishing attack convincing staff that one of their contractors had a new bank account.
    3. Data Breach Exposes Data of 80 Million US Households - The origin of the breach is unknown; Microsoft has contacted the owner of the Azure cloud DB and removed public access. Yet another unsecured cloud database.
    4. CUNA Calls for Substantial Data Security Legislation - The Credit Union National Association calls for Congress to treat data privacy as a national security issue, fix the weak links in the system, and set a strong federal data standard that preempts state laws.
    5. Taiwan Military Holds 'Anti-Fake News' Exercises - This week, April 22-26, the Taiwanese military began simulation of the 35th Han Kuang exercises, which include exercises to combat disinformation and "fake news" online to thwart disinformation campaigns from the Communist Party of China (CCP).
    6. Fingerprint Errors on over 200,000 Danish Passports - Danish authorities found errors in over 200,000 Danish passports: apparently right- and left-hand fingerprints were swapped. Authorities are looking for a fix without making citizens pay for new passports. The Danish passport offers visa-free access to over 187 countries, making it one of the most attractive in the world.
    7. Nokia 9 Bug Allows Unlock with Anything - The Android 9 Pie 4.22 update likely introduced a bug that allows any fingerprint (or other objects) to unlock the device once one fingerprint is configured.
    8. Hackers Are Stealing Millions in Bitcoin - Thieves use SIM swapping to gain access to email and other data that allows access to cryptocurrency wallets, laundering millions.
    9. Online Thief Cracks Private Keys to Steal $54M in ETH - Weak private keys used on the ETH blockchain allowed thieves to steal $54M, highlighting the need for tested, verified key management practices versus rolling your own.

    Joff's Stories

    1. How the Boeing 737 Max Disaster Looks to a Software Developer - An examination of the 737 Max problem, the origin and hardware issues that MCAS attempts to solve, and the deficiencies of that solution, by a software designer and private pilot.

    Johnny's Stories

    1. Cartoon Network Hacked Worldwide to Show Brazilian Stripper Videos - Apparently, a pair of Brazilian hackers exploited a vulnerability in Cartoon Network's website management platform. They streamed footage of a Brazilian stripper named Ricardo Milos, "known for wearing a red bandana on his head and an American flag thong", from April 25 until the channel was notified on April 28, across 16 different regions. From what I can see, I don't think the videos were explicit, but when people went to stream content, they were faced with a Brazilian male stripper. Interesting.