Paul's Security Weekly Episode #652 - May 21, 2020
Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe
1. Interview - Building An InfoSec Career - 06:00 PM-06:45 PM
- Join us at InfoSecWorld 2020 - June 22nd-24th now a fully virtual event! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code!
The guests on Trust Me I'm Certified have dropped some real knowledge and I'd like to distill that down as well as talk about building technical skills, looking at your career as a 'thing' that needs care and feeding, and the BSidesNH conference.
Jason Nickola is COO and Senior Security Consultant at Pulsar Security
Jason is a Senior Security Consultant and COO at Pulsar Security, specializing in penetration testing and red teaming, and a SANS instructor for Network Penetration Testing & Ethical Hacking. Equally passionate about enabling others in their journeys as he is about security and technology, Jason is an organizer of the BSides NH conference, a frequent speaker and trainer at both local and national events, and a founder of TechRamp, a nonprofit which aids in the transition to technical careers. He is a three-time Core Netwars Tournament champion and one of just 23 people in the world named by the SANS Institute as both a Red Team and Blue Team Cyber Guardian for both offensive and defensive security expertise. Jason is also the host of the "Trust Me, I'm Certified" podcast produced by GIAC Certifications.
2. Technical Segment - HTTP Security Headers In Action - Sven Morgenroth - 07:00 PM-07:45 PM
- Join the Security Weekly Mailing List & receive your invite to our community Discord server by visiting securityweekly.com/subscribe and clicking the button to join the list!
HTTP security headers are an easy and effective way to harden your application against all kinds of client side attacks. We'll discuss which security headers there are, what functions they have and how to use them properly.
To learn more about Netsparker, visit: https://securityweekly.com/netsparker
Security Header Whitepaper: https://www.netsparker.com/whitepaper-http-security-headers/
Sven Morgenroth is a Security Researcher at Netsparker
Sven Morgenroth is a security researcher at Netsparker. He found filter bypasses for Chrome's XSS auditor and several web application firewalls. He likes to exploit vulnerabilities in creative ways and has hacked his smart TV without even leaving his bed. Sven writes about web application security and documents his research on the Netsparker blog.
3. News - Stuxnet, RCE's Everywhere, & Breach Chaos - 08:00 PM-09:30 PM
- Layer 8 is Going Virtual! The conference will still be held on Saturday June 6th. Security Weekly listeners save $20 on their ticket by visiting layer8conference.com and using the promo code "SecurityWeekly" before selecting your ticket type! Please consider supporting Layer8 or one of their partner organizations when purchasing your ticket! Some of the Security Weekly team will be in our own channel on the Layer8 Discord server answering questions and possibly doing some contests!
- Learn how hidden vulnerabilities lead to application compromise in our next webcast with Snyk! Register for our upcoming webcasts or virtual trainings by visiting securityweekly.com/webcasts. Or visit securityweekly.com/ondemand to view our previously recorded webcasts!
In the Security News, Hackers target the air-gapped networks of the Taiwanese and Philippine military, Stored XSS in WP Product Review Lite plugin allows for automated takeovers, Remote Code Execution Vulnerability Patched in VMware Cloud Director, Shodan scan of new preauth RCE shows 450k devices at risk including all QNAP devices, and The 3 Top Cybersecurity Myths & What You Should Know!
Jeff Man's Content:
- Ukraine Nabs Suspect in 773M Password ‘Megabreach’
- Toll Group data dumped on dark web: 200GB of files stolen by ransomware group
- Private info exposed in data breach of new Illinois online unemployment system
- Israeli Sites Hacked in Coordinated Cyber Attack
- easyJet Says Details of Nine Million Customers Accessed in Data Breach
Joff Thyer's Content:
Larry Pesce's Content:
- Verizon’s 2020 DBIR
- Marcus Hutchins Wired Interview
- Death via PrintDemon
- Microsoft Terminal
- Windows Package manager - This and Terminal have made me really re-evaluate how I need to consider Windows use day to day.
Lee Neely's Content:
- Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source - The move is an attempt to help organizations and individuals better protect against a growing number of COVID-19 themed cyber threats by allowing the community a more complete view of attackers’ tactics, techniques, and procedures (TTPs). The information is being provided via threat intelligence sharing feeds for Azure Sentinel customers, and for the public on GitHub.
- Scam alert: Text message offering free groceries from Target amid coronavirus pandemic is fake - The scam text message, claiming to be from Target, includes a link that can install a virus, malware, spyware, or ransomware on victims’ devices that enables hackers to obtain personal information.
- COVID-19 contact tracing text message scams - Contact tracers are usually hired by a state’s department of public health and only notify individuals that they will be contacted by a phone call.
- Microsoft warns of 'massive' phishing attack pushing legit RAT - A COVID-19-themed phishing campaign that installs the NetSupport Manager remote administration tool (RAT). The attack spoofs an email from the Johns Hopkins Center providing an update on Coronavirus-related deaths in the United States, with an attached Excel file titled ‘covid_usa_nyt_8072.xls’.
- Hackers Target the Air-Gapped Networks of the Taiwanese and Philippine Military - Air-gap jumping technology is often more of a thought exercise, because of the reliability and complexity of emissions capture. The most effective method is humans doing media transfers. This technique had been previously reported as WHITEFERRY malware in July 2019.
- iPhone Hacks No Longer Worth Any Money Because There Are Just Too Many - Zerodium, a company that’s willing to pay up to $2 million for exploits in Apple’s iOS operating system, says it’s actually lowering its prices because the number of hacks aimed at this platform has increased substantially lately.
- Edison Mail Flaw Granted Users Access to Other People's Inboxes - A bug in the email client allowed thousands of users to gain full access to other users' email accounts after it released a new account syncing feature on May 15, 2020, that caused "technical issues" resulting in individuals' inboxes syncing with other users' accounts.
- 'Mandrake' Android Spyware Remained Undetected for 4 Years - "Mandrake" has been identified being used in targeted attacks to take complete control of infected devices, turn down the volume, block calls and messages, steal user credentials, exfiltrate data, transfer funds, record the screen, and blackmail victims.
- Database of Russian Car Owners Is Sold for Bitcoins - A database containing some 129 million leads that was likely taken from the Russian traffic police register or insurance companies, and that includes vehicle registration information collected since the 1990s. Those behind the sales are reportedly selling the entire database for 0.3 BTC (~$2,900 USD) or 1.5 BTC (~$14,500 USD) to obtain "exclusive use" of the data.
- My Health Record System Hit by Hack Attempt - The Australian Digital Health Agency (ADHA) has revealed that its My Health Record system was targeted by attackers over an 11-month period, resulting in two "potential data breaches" since July 2019.
- New DNS Vulnerability Lets Attackers Launch Large-Scale DDoS Attacks - Israeli cyber security researchers have disclosed details about a new vulnerability dubbed "NXNSAttack" affecting the DNS protocol that can be exploited by attackers to conduct large-scale, amplified distributed denial-of-service (DDoS) attacks in order to take down websites.
- Apple Releases iOS/iPadOS 13.5 - Security content not published, but many new features, including COVID-19 related features, from contact tracing support to more rapid mask detection which then fails over to passcode entry.
Paul Asadoorian's Content:
- vBulletin 5.6.1 - 'nodeId' SQL Injection - And it has been released! Please use it responsibly (and patch your systems).
- Online Healthcare Patient Record Management System 1.0 - Authentication Bypass - Wow, just wow: the login.php file allows a user to just supply ' or 1=1 -- as a username and whatever password and bypass the authentication. Looks like this is a small project from an individual. We need to take the time to educate...
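The bypass above, as an added example that is not code from the project in question (the app is PHP; Python with an in-memory SQLite table stands in for it): a login check that builds SQL from the request the way the flawed login.php does, beside the parameterized form that treats the same input as plain data. Table, rows and the `login_*` function names are constructed for illustration.

```python
import sqlite3

# Constructed in-memory user table standing in for the app's real database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn

def login_vulnerable(conn, username, password):
    # String-built query, as in the flawed login.php: request text becomes
    # part of the SQL, so a quote closes the literal and "--" comments out
    # the rest of the WHERE clause (including the password check).
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None  # username of the "authenticated" user

def login_fixed(conn, username, password):
    # Parameterized query: the driver binds the values as data, so the same
    # input is compared literally and never parsed as SQL. (A real fix also
    # stores and compares password hashes rather than plaintext.)
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 -- "
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # admin
    print("fixed:     ", login_fixed(db, payload, "anything"))       # None
```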
- Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit) - Interesting exploit, it does require authentication (but then allows for a root shell).
- SANS ISC - Malware Triage with FLOSS: API Calls Based Behavior | /dev/random - Really cool article, using FLAME to analyze potential malware samples.
- Hackers target the air-gapped networks of the Taiwanese and Philippine military | ZDNet - Interesting, see my other point below: Trend Micro's USBferry report is the third report of its kind published this week detailing malware developed by state-sponsored hackers that can jump across the air gap to isolated networks. The other two reports are ESET's report on the Ramsay malware and Kaspersky's report on COMpfun. All three reports show an increased interest from nation-state hacking groups into developing malware capable of breaching air-gapped networks.
- Stored XSS in WP Product Review Lite plugin allows for automated takeovers
- 'Mandrake' Android Spyware Remained Undetected for 4 Years | SecurityWeek.Com
- The 3 Top Cybersecurity Myths & What You Should Know - Let's debate: Myth No. 1: The security team is going to protect me. Myth No. 2: IT professionals don't fall for cyberattacks. Myth No. 3: Cyberattacks are confined to the digital world. Also, on physical security: There are other examples, too — the Stuxnet worm that ravaged Iran's Natanz nuclear facility was delivered via a flash drive that was plugged straight into one of the facility's computers. Yea, they did that, however, it was in collaboration with US and Israeli spy agencies. They also likely had an insider if you factor in the infection times with the compile times and compare them across different Stuxnet versions. Also, they infected Step 7 project files that were being copied on USB flash drives across the air gap. So, yes, physical attacks are in play, however, they are not likely to go to this length very often, unless you overtake a Middle Eastern country and start enriching uranium...
- Bluetooth Vulnerability Allows Attackers to Impersonate Previously Paired Devices | SecurityWeek.Com
- Enhanced Safe Browsing Protection now available in Chrome
- EasyJet data breach: 9 million customers affected - Help Net Security - Comment from a security vendor: Many, however, still need to understand that there is a better way to manage security, risk and compliance requirements and it most certainly is not ‘what we’ve always done’. In an industry that has defined ‘automation’ and ‘process efficiencies’, applying the same to Information Security would quite literally revolutionise their ability to detect, respond and mitigate against the largely traditional raft of attack TTP’s we’ve seen targeted at aviation this past decade. Agree?
- Vulnerability in Qmail mail transport agent allows RCE - Help Net Security - Regarded as one of the most secure pieces of software out there, Qmail is well regarded in the security community. However, this is an interesting story! 3 vulnerabilities were disclosed in 2005, Qualys finds they can be exploited today, all of it depends on memory, some processes are not memory restricted, and so it goes.
- Remote Code Execution Vulnerability Patched in VMware Cloud Director | SecurityWeek.Com
- Israel is suspected to be behind the cyberattack on Iranian port
- Vulnerabilities Exposed Hundreds of Thousands of QNAP NAS Devices to Attacks | SecurityWeek.Com
- ISC Releases Security Advisory for BIND | CISA
- Stealing Secrets from Developers using Websockets
- Chrome 83 adds DNS-over-HTTPS support and privacy tweaks
- Signal fixes location-revealing flaw, introduces Signal PINs - Help Net Security
- XSS, Open Redirect Vulnerabilities Patched in Drupal | SecurityWeek.Com - This could be so much fun: a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.
- The Need for Compliance in a Post-COVID-19 World
- Zoom to Provide Detailed Info on Upcoming End-to-End Encryption Feature | SecurityWeek.Com
- Google Begins Encrypting Domain Name Lookups
- Microsoft: we were wrong about open source - How things change: Former Microsoft CEO Steve Ballmer famously branded Linux “a cancer that attaches itself in an intellectual property sense to everything it touches” back in 2001.
- Official reminds public to avoid touching other people's balls as crowd giggles
Tyler Robinson's Content:
- Shodan scan of new preauth RCE shows 450k devices at risk including all QNAP devices
- easyJet suffers a data breach that could cost them 4% of annual revenue (British Airways' 2018 breach is still costing them as much as $3B, ouch)
- Cisco and Palo Alto Authentication bypass
- Unattributable data breach, you say.... hmm. Keep an eye out for a new strain of SMAUG, a Ransomware-as-a-Service (RaaS) that is very affordable at only 0.2 BTC and 20% of ransoms
- Hackers leak over 20,000 unemployment applicants bank information
- Interserve UK defense contractor hacked, up to 100,000 past and present employees details exposed
- ‘Glitch’ In New Illinois Unemployment System Made Private Information Public
- Mercedes-Benz onboard logic unit (OLU) source code leaks online - Daimler allowed anyone to register on one of its on-premise GitLab servers.
- Windows 10 has a secret network packet sniffer -- here's where to find it and how to use it - Released in the Oct 2018 release - pktmon.exe
- Supercomputers hacked across Europe to mine cryptocurrency - Confirmed infections have been reported in the UK, Germany, and Switzerland. Another suspected infection was reported in Spain.
- U.K. power administrator acknowledges its IT system suffered a cyber attack.
- China ready to target Apple, Qualcomm, Cisco and Boeing in retaliation against US' Huawei ban
- Huawei ban drags China, US into tech cold war