PSWEpisode646

From Security Weekly Wiki

Paul's Security Weekly Episode 646 - 2020-04-09


Announcements

  • Is your Open Source code secure? Learn how to verify your code during development, not after the build, in our next webcast with Synopsys. Going cloud-native? See how to integrate application security in our webcast with Signal Sciences! Register for our upcoming webcasts or virtual trainings by visiting securityweekly.com/webcasts. You can also access our on-demand library of previously recorded webcasts/trainings by visiting securityweekly.com/ondemand. Each webcast will earn you 1 CPE credit that we will submit on your behalf if you provide your ISC2 number.
  • We have officially migrated our mailing list back to our original platform! We have our categories nailed down and you are now able to customize what you receive from us based on your preferences by visiting securityweekly.com/subscribe and clicking the button to join the list! Once you have joined, you will also be able to go back and update your "interests" so that we can grow with you as you progress through your journey in InfoSec!
  • We are looking for high-quality guest suggestions for our Enterprise Security Weekly podcast to fill our upcoming recording schedule! We're committed to educating and providing entertainment for the InfoSec community and we would love to hear from you about who you would like us to interview on the show! Submit your suggestions for guests by visiting securityweekly.com/guests and submitting the form! We review suggestions monthly and will reach out to you once reviewed!
  • Join Qualys for VMDR Live on April 21 at 2pm ET for a live demonstration of the game-changing Vulnerability Management, Detection & Response offering - a unified solution that integrates vulnerability management, threat prioritization and patching in a single app. Register at securityweekly.com/VMDR2020


Description:

This week, we bring you one of Security Weekly's very own, Tyler Robinson, Managing Director of Network Operations at Nisos, for a Technical Segment titled: To Hunt or Not To Hunt: Using offensive tooling to obtain OSINT and Real-Time Intelligence on a subject of interest for hunting or targeting! In our second segment, we talk Security News and discuss Vulnerabilities in B&R Automation Software Facilitate Attacks on ICS Networks, Using AWS to secure your web applications, Serious Vulnerabilities Patched in Chrome & Firefox, Email Provider that got Hacked & Data of 600,000 Users is Now being Sold on the Dark Web, and As if the world couldn't get any weirder, this AI toilet scans your anus to identify you! In our final segment, we air a pre-recorded interview with Jeff Man, entitled "Tales from the Crypt...Analysts pt.2", discussing many myths, legends and fables in hacker history!

Visit https://www.securityweekly.com/psw for all the latest episodes! To learn more about ngrok, visit: https://www.ngrok.com/ To check out the Trape tool, visit: https://github.com/jofpin/trape

Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Interview: Tales From The Crypt...Analyst - Part 2 - 6:00-6:45PM

Description:

In the second part of our interview series with the legend Jeff Man, he continues his discussion with Paul, Matt, and Lee, about the many myths, legends and fables in hacker history. One of the themes of these legends surrounds some of the first red team hackers working for the US Government out of NSA. The building where they worked was called "The Pit". Jeff Man sits with us for this segment to talk about, where he can, the history and events that transpired during his tenure with the NSA.

Guest Bio:
Jeff Man is Information Security Evangelist at Online Business Systems
Respected Information Security advocate, advisor, evangelist, international speaker, keynoter, host of Security & Compliance Weekly, co-host on Paul's Security Weekly, Tribe of Hackers, TOH Red Team, and currently serving in a Consulting/Advisory role for Online Business Systems. Nearly 40 years of experience working in all aspects of computer, network, and information security, including cryptography, risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Certified NSA Cryptanalyst. Previously held security research, management and product development roles with the National Security Agency, the DoD and private-sector enterprises and was part of the first penetration testing "red team" at NSA. For the past twenty years, has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation's best known companies.

Hosts

Larry Pesce - Senior Managing Consultant and Director of Research at InGuardians
Lee Neely - Senior Cyber Analyst at Lawrence Livermore National Laboratory
Paul Asadoorian - Founder & CTO at Security Weekly
Tyler Robinson - Managing Director of Network Operations at Nisos, Inc

Technical Segment - To Hunt or Not To Hunt; This is Never a !=? - Tyler Robinson

Description:

We welcome Security Weekly's own Tyler Robinson for a Technical Segment, to talk about using offensive tooling to obtain OSINT and Real-Time intelligence on a subject of interest for hunting or targeting!


Guest Bio:
Tyler Robinson is Managing Director of Network Operations at Nisos, Inc.
As Managing Director of Network Operations Tyler leads a team of high-performance security professionals within the offensive security field by simulating sophisticated adversaries, & creating scalable offensive security platforms using the latest techniques as seen in the wild.

Tyler serves as a highly technical operator on client engagements while managing & leading technical operations within Nisos. In addition to providing strategic guidance & advice to Nisos leadership along with new & existing clients, Tyler will help guide product development, offensive capabilities, & infrastructure to ensure future proof resiliency & excellence within the market space.

News - Zoom, Kubernetes, and Hacking

Description:

A little about Zoom vulnerabilities and data leaks and Cisco Webex vulnerabilities. We talk about securing Kubernetes and how the same security principles apply, vulnerabilities in ICS systems, and how hackers can help improve society. Oh, and smart toilets that scan your, er, logs.


Content:

As if the world couldn't get any weirder, this AI toilet scans your anus to identify you - This is amazing, I was like "Holy crap": In fact, it will capture both your pee and your stools on video and process them with algorithms that Stanford News says “can distinguish normal ‘urodynamics’ (flow rate, stream time and total volume, among other parameters) and stool consistencies from those that are unhealthy.” Also, I did not know this: In fact, the toilet has a built-in identification system that scans your anus: a biometric that turns out to be like fingerprints or iris prints, Gambhir said: We know it seems weird, but as it turns out, your anal print is unique.

Vulnerabilities in B&R Automation Software Facilitate Attacks on ICS Networks | SecurityWeek.Com - “A malicious attacker could hijack the initial DNS request to the B&R update server and direct the update utility to retrieve the updates from his own site. Since there was no proper verification of the update server or the update package, at this point the attacker could exploit the path traversal through the update vulnerability, and execute their own code on the Automation Studio host in SYSTEM privileges.” If the updates are not signed, you don't even need the traversal vulnerability.

Schneier on Hacking Society - Schneier's big idea boils down to this: "Can we hack society and help secure the systems that make up society?" he explains. One component of hacking society is what Schneier calls the public-interest cybersecurity technologist, a role for security experts that he has been advocating over the past year or so.

Larry Pesce's Content:

  1. Bypassing fingerprint authentication with 80% success rate
  2. Privesc with Windows Magnifier DLL search order hijacking
  3. Thousands of Zoom calls leaked online - this article is VERY weak on technical details and feels more fear mongering than anything; no timeframe, alludes to Amazon S3 bucket problems, etc.

Lee Neely's Content:

  1. Hacker has wiped/defaced more than 15,000 Elasticsearch servers. Between March 24th and 27th, 15,000 Elastic servers were wiped and replaced with an empty inbox "nightlionsecurity.com." Secure your servers. Have backups.
  2. Mimecast discovers rise in LimeRAT malware using read-only Excel spreadsheets. Read-only Excel spreadsheets are encrypted but with no password (used default of "VelvetSweatshop"). LimeRAT modules include a keylogger, cryptocurrency and password stealers, file manager, Monero miner, USB spreader, ransomware, and a DDoS plugin among others.
  3. CISA AA20-099A: COVID-19 Exploited by Malicious Cyber Actors. Lists of attacks, IOCs, resources and mitigations for current COVID-19 related activities.
  4. Hackers are scanning for vulnerable VPNs in order to launch attacks against remote workers. Rapid adoption of remote working capabilities has resulted in less secure configurations and hackers are taking advantage.
  5. Docker Users Targeted with Crypto Malware via Exposed APIs. Misconfigured Docker API ports used to install cryptominer. Secure the API ports.
  6. Mozilla fixes two zero-days being actively exploited. Update Desktop to 74.0.1 or ESR 68.6.1, Android to 68.6.0, iOS to 24.1. Addresses CVE-2020-6819 and CVE-2020-6820.
  7. Map shows global spread of Zero-Day hacking techniques. While the FireEye research relies on identification of Zero-Day use, even so it indicates more use by countries known or suspected to be customers of companies that supply offensive cyber capabilities.
  8. Email Provider Got Hacked, Data of 600,000 Users Now Sold on the Dark Web. When Email.it refused to pay the "bounty" and contacted the Italian Postal service for help, their data was put up for sale.
  9. Dark Nexus: A New Emerging IoT Botnet Malware Spotted in the Wild. Appears at least partly based on Mirai source code.

Paul Asadoorian's Content:

  1. 10 security tips for frontend developers
  2. Feline Secure?
  3. Secure Your Docker Images With Signatures - DOCKER_CONTENT_TRUST=1 is important, use it.
  4. Using AWS to secure your web applications
  5. PowerPoint Weakness Opens Door to Malicious Mouse-Over Attack - yes, mouse-over, but it looks like the user has to click twice for the attacker to gain execution.
  6. How to Harden Your Kubernetes Cluster for Production - Most of these tips are things we already know, just applied to Kube. Good article though that has concepts that can be applied to many systems and applications.
  7. Serious Vulnerabilities Patched in Chrome, Firefox | SecurityWeek.Com - Interesting: “Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private Browsing Window, revisited the same site, and generated a new password - the generated passwords would have been identical, rather than independent,”
  8. Privilege Escalation Via Cron - File system permissions are important, always have been, especially on UNIX/Linux systems. Don't allow non-root users to edit scripts that run on cron! (And no, I meant cron, not corn, damn autocorrect).
  9. Cisco Critical Update Phishing Attack Steals Webex Credentials - We knew this was coming, the problem is many of the warnings fall on deaf ears. I'd imagine that these are pretty easy to filter though...
  10. Bugcrowd Raises $30 Million in Series D Funding Round | SecurityWeek.Com - Congrats to Casey and team!
