Paul's Security Weekly Episode #653 - May 28, 2020
Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe
1. Interview - 2020 MITRE ATT&CK Malware Trends - 06:00 PM-06:45 PM
- Join us at InfoSecWorld 2020 - June 22nd-24th now a fully virtual event! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code!
The MITRE ATT&CK framework has had a major impact on the cybersecurity industry and has given defenders a haystack in which to focus their defensive efforts. What's most interesting, perhaps, is where and how these TTPs intersect, and how we can use that information to determine patterns and disrupt attacks by analyzing historical datasets.
Greg Foss is Senior Threat Researcher at VMware Carbon Black
Greg Foss is a Senior Threat Researcher with VMware Carbon Black's Threat Analysis Unit (TAU) where he focuses on detection engineering, security efficacy, and bypasses across the diverse product line. In previous roles, Greg led a Threat Research team, built and ran a Global Security Operations program, consulted in penetration testing, and worked as a security analyst for the federal government. Greg is a very active member of the Denver information security community who loves to give back and support the industry.
Jeff Man - Sr. InfoSec Consultant at Online Business Systems
Joff Thyer - Security Analyst at Black Hills Information Security
Larry Pesce - Senior Managing Consultant and Director of Research at InGuardians
Tyler Robinson - Managing Director of Network Operations at Nisos, Inc
2. News - Ed Skoudis & Security News - 07:00 PM-08:30 PM
- Join the Security Weekly Mailing List & receive your invite to our community Discord server by visiting securityweekly.com/subscribe and clicking the button to join the list!
- Learn how hidden vulnerabilities lead to application compromise in our next webcast with Snyk! Our second June webcast will be with Google Cloud teaching you how to prevent account takeover attacks! Register for our upcoming webcasts or virtual trainings by visiting securityweekly.com/webcasts. Or visit securityweekly.com/ondemand to view our previously recorded webcasts!
In this week's Security News, NSA warns Russia-linked APT group is exploiting Exim flaw since 2019, Hackers Compromise Cisco Servers Via SaltStack Flaws, OpenSSH to deprecate SHA-1 logins due to security risk, all this and more with Special Guest Ed Skoudis, Founder of Counter Hack and Faculty Fellow at SANS Institute!
To check out the SANS Pen Test HackFest and Cyber Range Summit, visit: https://www.sans.org/event/hackfest-ranges-summit-2020
Ed Skoudis is Faculty Fellow at SANS
Ed Skoudis has taught cyber incident response and advanced penetration testing techniques to more than 12,000 cybersecurity professionals. He is a SANS Faculty Fellow and the lead for the SANS Penetration Testing Curriculum. His courses distill the essence of real-world, front-line case studies he accumulates because he is consistently one of the first experts brought in to provide after-attack analysis on major breaches where credit card and other sensitive financial data is lost.
Jeff Man's Content:
- Data Breach at Bank of America - Wait, now the "mature" security organizations are being breached?
- Another Day, Another Significant Data Breach – What We Know About the EasyJet Cyber-attack - Ho-hum.
- Verizon report analysis: Money not espionage at the heart of cyber-crime breaches - Follow the money.
- Cybersecurity: Half of employees admit they are cutting corners when working from home
- Cloud security: 'Suspicious superhumans' behind rise in attacks on online services - As more people work remotely, attackers are trying to gain access to cloud-based services.
- Cloud security and data protection: What enterprises need to know
- Did You Know eBay Is Probing Your Computer? Here's How To Stop It - Listener-requested article from our Discord channel.
Joff Thyer's Content:
Larry Pesce's Content:
- Github C2 and Open Source supply chain attacks
- Contact tracing COVID-19 with BLE
- Debunking the 5G usb protector
Lee Neely's Content:
- FTC COVID-19 Complaints - By Wednesday, 20 May, the U.S. Federal Trade Commission (FTC) had received more than 50,000 coronavirus-related complaints, with about 44.7% of complaints reporting a loss, totaling over $37 million. Complaints involved fraud, identity theft, and violations of the Do Not Call law.
- How the pandemic upended crime patterns - Crime data from 8 large U.S. cities for the month of April show that crime generally has declined during COVID-19 stay-at-home orders; however, cities that restricted movement the most experienced more pronounced changes in types of crime. Data indicated that violent crime decreased more sharply than property crime, which decreased an average of 16% across the cities examined.
- DHS's cyber division has stepped up protections for coronavirus research, official says - CISA is regularly scanning devices of top pharmaceutical companies and working to get those issues resolved quickly.
- New ComRAT Malware Uses Gmail to Receive Commands and Exfiltrate Data - Turla Group is leveraging a new, "advanced" version of the "ComRAT" backdoor that exploits Google's web interface in order to receive covert commands and exfiltrate sensitive information.
- A New Android Bug, Strandhogg 2.0, Lets Malware Pose as Real Apps and Steal User Data - Strandhogg 2.0, which affects Android 9.0 and earlier, tricks victims into believing they are submitting their passwords to a legitimate app while they are instead submitting the information to a malicious overlay.
- Israeli Cyber Chief: Major Attack on Water Systems Thwarted - Israel's national cyber chief on Thursday officially acknowledged that the country had thwarted a major cyber attack last month against its water systems, an assault widely attributed to arch-enemy Iran, calling it a "synchronized and organized attack" aimed at disrupting key national infrastructure.
- How Windows 10 Goes Passwordless in Version 2004 - The Windows May update brings many changes, including the use of Windows Hello for authentication. This requires a dedicated camera.
- RagnarLocker Ransomware Deploys Oracle VirtualBox VM to Hide Itself - In May 2020, the operators started using a VirtualBox install, albeit from 2009, to hide their malware. The VirtualBox instance is granted access to all shares, so it is able to encrypt them, and it is projected that they exfiltrate data for ransom too.
- Just turning your phone on qualifies as searching it, court rules - Thanks to the Fourth Amendment of the US Constitution and all the case law built upon it, police generally need a warrant to search your phone, and that includes just looking at the lock screen, a judge has ruled.
Paul Asadoorian's Content:
- Pi-hole 4.4.0 - Remote Code Execution (Authenticated)
- NSA warns Russia-linked APT group is exploiting Exim flaw since 2019
- Meet unc0ver, the new jailbreak that pops shell, and much more, on any iPhone
- OpenSSH to deprecate SHA-1 logins due to security risk | ZDNet
- Attack Pattern Detection and Prediction - I'm not buying it: It is believed that security researchers can use attack pattern recognition or detection methods as an approach that can provide precautions to prevent future attacks.
- Computer science student discovers privacy flaws in security and doorbell cameras - Help Net Security
- Thermal Imaging as Security Theater - Schneier on Security
- New fuzzing tool for USB drivers uncovers bugs in Linux, macOS, Windows - Help Net Security
- Six musts for building secure software | LinkedIn - This is so much more difficult today: Escaping rules are specific to the tech you're working with. Four ways to ensure your code meets requirements to protect against XSS are a) never insert untrusted data into your database; b) don't try to write your own escaping code and add the HttpOnly flag wherever you set cookies; c) set up a content security policy. For more on encoding and escaping, I recommend OWASP's Cross-Site Scripting Prevention Cheat Sheet. It's not just "user input", it's any data that can be changed that ends up getting passed to the server. The DOM, cookies, XML entities, etc. all have the potential to lead to XSS. Many of these vulnerabilities will not be uncovered by scanning, of any kind. They require a human to test the app and determine the implications. Sure, you can get rid of many of the vulnerabilities, but I believe some will remain unless testers are extremely diligent.
- House pulls vote on FISA bill | SC Media
- Hacking Team Founder: Hacking Team is Dead - Wow, analogies: A former employee previously told Motherboard that Hacking Team without Vincenzetti is “like Nirvana without Kurt Cobain.”
- NSA warns of new Sandworm attacks on email servers | ZDNet - Also known as "Sandworm," this group has been hacking Exim servers since August 2019 by exploiting a critical vulnerability tracked as CVE-2019-10149, the NSA said in a security alert [PDF] shared today with ZDNet. And NSA is making a big deal about this now because the cat's out of the bag. Tin foil hat theory: NSA knew about this vulnerability long before it was made public, either by acquiring it by some means, developing it themselves, or by observing GRU using it and, in turn, using it as well until such time as the vulnerability was made public.
- Vulnerability Disclosures Drop in Q1 for First Time in a Decade
- Israel's national cyber chief warns of rising of cyber-warfare - OMG! Really: Unna pointed out that the attempt to hack into Israel's water systems marked the first time in modern history that "we can see something like this aiming to cause damage to real life and not to IT or data." So we can just leave out all other previous hacks that caused damage in real life, like, uh, for one, Stuxnet, which is well known to be partly developed by Israel. Or how about hacks to the phone systems in the 1960s? None of those caused any damage in the real world? People will say the same thing about Stuxnet; it's just not true. In fact, the first hack ever recorded actually made an impact (audio conversations over wireless) in the real world, okay, not physical damage, but it affected the real world as audio was injected into the stream.
- 3 SMB Cybersecurity Myths Debunked - Lots of myth debunking going on, meh: No. 1: Only large organizations face public scrutiny. No. 2: After a cyberattack, big businesses have less downtime and recover faster. No. 3: SMB leaders are lax about security and data privacy. Look, admitting you care about security in a survey is vastly different than actually doing it (or even knowing how).
- Hackers Compromise Cisco Servers Via SaltStack Flaws - Two Cisco products incorporate a version of SaltStack that is running the vulnerable salt-master service. The first is Cisco Modeling Labs Corporate Edition (CML), which gives users a virtual sandbox environment to design and configure network topologies. The second is Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), used to design, configure and operate networks using versions of Cisco’s network operating systems. Hackers were able to successfully exploit the flaws incorporated in the latter product, resulting in the compromise of six VIRL-PE backend servers, according to Cisco. Those servers are: us-1.virl.info, us-2.virl.info, us-3.virl.info, us-4.virl.info, vsm-us-1.virl.info and vsm-us-2.virl.info.
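The XSS item above (the "Six musts for building secure software" notes) argues that escaping is context-specific and that the HttpOnly flag and a content security policy belong alongside it. The following is an added example, not code from the LinkedIn article, the OWASP cheat sheet, or the podcast: it shows the plain-concatenation pattern that causes XSS next to the same template with each insertion encoded for the context it lands in (HTML body, HTML attribute, JavaScript string, URL), plus the two response headers the notes mention. It is plain Node.js with no dependencies; the payloads, the profile template, the cookie name and the CSP nonce are constructed for the demonstration, and the URL rule assumes only absolute http(s) links are acceptable.

```javascript
// Added example, not code from the LinkedIn article or the podcast: context-aware
// output encoding following the OWASP XSS Prevention Cheat Sheet rules, next to the
// concatenation pattern it replaces, plus the HttpOnly cookie and CSP header the
// notes mention. Plain Node.js, no dependencies. All payloads are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// HTML body context: escape the characters that can open a tag, attribute or entity.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// HTML attribute context: encode everything but alphanumerics as &#xHH;, so the
// value cannot close the attribute even if the template forgot the quotes.
function encodeForHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu,
    (ch) => '&#x' + ch.codePointAt(0).toString(16).toUpperCase() + ';');
}

// JavaScript string context: \xHH / \uHHHH escape everything but alphanumerics,
// so the value can neither end the string literal nor the <script> element.
function encodeForJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const cp = ch.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0');
    if (cp < 0x10000) return '\\u' + cp.toString(16).padStart(4, '0');
    return '\\u{' + cp.toString(16) + '}';
  });
}

// URL context: encoding does not neutralise a javascript: URL in href, so the
// scheme is validated first. Assumption for this demo: only absolute http(s)
// URLs are acceptable; anything else is replaced by an inert '#'.
function safeHref(untrusted) {
  try {
    const u = new URL(String(untrusted));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch (e) {
    return '#';
  }
}

// The vulnerable pattern: data concatenated straight into three different contexts.
function renderProfileUnsafe(displayName, homepage) {
  return `<div class="name">${displayName}</div>` +
    `<a href="${homepage}">home</a>` +
    `<script>var name = '${displayName}';</script>`;
}

// The same template with each insertion encoded for the context it lands in.
// The inline script carries a CSP nonce so the policy below still allows it.
function renderProfileSafe(displayName, homepage, scriptNonce) {
  return `<div class="name">${encodeForHtml(displayName)}</div>` +
    `<a href="${encodeForHtmlAttribute(safeHref(homepage))}">home</a>` +
    `<script nonce="${encodeForHtmlAttribute(scriptNonce)}">var name = '${encodeForJsString(displayName)}';</script>`;
}

// HttpOnly keeps document.cookie from reading the session even if a script does run;
// the CSP blocks any inline script that does not carry the per-response nonce.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}
function contentSecurityPolicyHeader(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`;
}

// Constructed payloads: one string that breaks out of both the HTML body and the
// JS string, and a javascript: URL for the href. Not taken from any real site.
const PAYLOAD_NAME = "<img src=x onerror=alert(1)>'; alert(document.cookie); //";
const PAYLOAD_URL = 'javascript:alert(1)';
const BREAKOUT_MARKERS = ['<img', "'; alert(", 'href="javascript:'];

function breaksOut(markup) {
  return BREAKOUT_MARKERS.some((m) => markup.includes(m));
}

// Renders both versions with the same payload and reports which one lets it through.
function xssCheck() {
  const unsafe = renderProfileUnsafe(PAYLOAD_NAME, PAYLOAD_URL);
  const safe = renderProfileSafe(PAYLOAD_NAME, PAYLOAD_URL, 'abc123');
  return { unsafeBreaksOut: breaksOut(unsafe), safeBreaksOut: breaksOut(safe), safe };
}

console.log(xssCheck());
console.log(sessionCookieHeader('opaque-id'), '\n' + contentSecurityPolicyHeader('abc123'));
```

The point the notes make about "any data that can be changed" is why the encoders take whatever lands in the template, not just form fields: a value read back from the database, a cookie, or `location.hash` goes through the same context-specific encoder. Note that `safeHref` is validation, not encoding; no amount of attribute encoding turns `javascript:alert(1)` into a safe link, which is why the cheat sheet treats URLs as their own rule.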
Tyler Robinson's Content:
- Games are Dangerous! Chinese games have full permissions on many devices
- Pretty sure we said Deep Fakes will have big implications, glad you caught up Forbes
- Facebook Execs shut down efforts to make the site less divisive
- Hackers pivot to medical espionage
- Ankura Acquires UnitedLex managed detection and response business
- Turla hacker group stealing logs from AV to see if they are detected... Oh yeah, well played
- Ragnar ransomware using virtual machines to do evasion
- Hacking group on a data breach spree
3. Interview - "Burn-In: A Novel of the Real Robotic Revolution" - 09:30 PM-10:15 PM
- Layer 8 is Going Virtual! The conference will still be held on Saturday June 6th. Security Weekly listeners save $20 on their ticket by visiting layer8conference.com and using the promo code "SecurityWeekly" before selecting your ticket type! Please consider supporting Layer8 or one of their partner organizations when purchasing your ticket! Some of the Security Weekly team will be in our own channel on the Layer8 Discord server answering questions and possibly doing some contests!
"Burn-In: A Novel of the Real Robotic Revolution" (May 26 release) is a new kind of novel+nonfiction. It uses the technothriller format as a way to share real research on the ways that AI+automation will shape our future, but also leave it vulnerable to a new scale of risks. That is, it is a fictional story following an FBI agent as she and a new partner hunt a new kind of terrorist bent on holding the entire city hostage in a way previously impossible. But baked into the story are some 300 macro and micro predictions of the tech and trends that will change our tomorrow, drawn from the latest nonfiction studies to show that it could/will come true (i.e., it is a novel, but with endnotes on everything). Think of it as the veggies hidden in the smoothie, to give people a fun/scary read, but also to understand key terms and ideas soon to shape their lives.
To get a discounted copy of Burn-In: A Novel of the Real Robotic Revolution, visit: https://800ceoread.com/securityweekly
Peter Singer is Author of Burn-In: A Novel of the Real Robotic Revolution at New America
Peter Warren Singer is Strategist at New America. He has been named by the Smithsonian as one of the nation’s 100 leading innovators, by Defense News as one of the 100 most influential people in defense issues, by Foreign Policy to their Top 100 Global Thinkers List, and as an official “Mad Scientist” for the U.S. Army’s Training and Doctrine Command. Peter is the author of multiple best-selling, award winning books. No author, living or dead, has more books on the professional military readings lists.
Matt Alderman - CEO at Security Weekly