PSWEpisode654

From Security Weekly Wiki
Jump to navigationJump to search

Paul's Security Weekly Episode #654 - June 04, 2020

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Technical Segment - Lightweight Vulnerability Management Using NMAP - 06:00 PM-06:45 PM


Announcements

  • Learn how hidden vulnerabilities lead to application compromise in our next webcast with Snyk! Our second June webcast will be with Google Cloud teaching you how to prevent account takeover attacks! Register for our upcoming webcasts or virtual trainings by visiting securityweekly.com/webcasts. Or visit securityweekly.com/ondemand to view our previously recorded webcasts!

Description

Paul delivers a Technical Segment on Lightweight Vulnerability Management using NMAP!



Hosts

2. Technical Segment - PCAPS Or It Didn't Happen- Corey Thuen - 07:00 PM-07:45 PM


Visit https://securityweekly.com/gravwell for more information!


Announcements

  • Layer 8 is Going Virtual! The conference will still be held on Saturday June 6th. Security Weekly listeners save $20 on their ticket by visiting layer8conference.com and using the promo code "SecurityWeekly" before selecting your ticket type! Please consider supporting Layer8 or one of their partner organizations when purchasing your ticket! Some of the Security Weekly team will be in our own channel on the Layer8 Discord server answering questions and possibly doing some contests!

Description

Threat hunting activities often require packet capture analysis but capturing and storing PCAP at scale is rough. This segment covers open source tools for collecting packet captures on demand within a threat hunting use case in Gravwell.

To learn more about Gravwell, visit: https://securityweekly.com/gravwell To check out Packet Fleet, visit: https://github.com/gravwell/ingesters/tree/master/PacketFleet


https://github.com/gravwell/ingesters/tree/master/PacketFleet

https://github.com/google/stenographer

https://www.gravwell.io/blog/pcap-collection-and-analysis-on-demand-with-gravwell-packet-fleet


Presenter(s)

Corey Thuen

Corey Thuen is a founder of Gravwell and has spent over a decade doing cybersecurity at places like Department of Energy national labs, Digital Bond, and IOActive. That experience is now driving development of a full-stack analytics platform built to alleviate pain points he personally experienced from inflexible tools.


Hosts

3. News - Root Cert Chaos, Octopus Scanner, & RobbinHood & the Merry Men - 08:00 PM-09:30 PM


Announcements

  • Join us at InfoSecWorld 2020 - June 22nd-24th now a fully virtual event! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code!
  • Join the Security Weekly Mailing List & receive your invite to our community Discord server by visiting securityweekly.com/subscribe and clicking the button to join the list!

Description

Octopus Scanner Sinks Tentacles into GitHub Repositories, RobbinHood and the Merry Men, Zoom Restricts End-to-End Encryption to Paid Users, Hackers steal secrets from US nuclear missile contractor, and Had a bad weekend? Probably, if you're a Sectigo customer, after root cert expires and online chaos ensues!


Hosts

Doug White's Content:

Articles

  1. Cybersecurity Spending hits temporary pause amid pandemic.
  2. Abandoned apps may pose security risk to mobile devices.
  3. 4 out of 5 business suffered a cloud data breach in past year and a half.

Joff Thyer's Content:

Articles

Larry Pesce's Content:

Articles

Lee Neely's Content:

Articles

  1. Michigan State University Network Breached in Ransomware Attack Netwalker relies on files in public code repositories, custom PowerShell scripts, and several programs (e.g., Team Viewer, AnyDesk) to gain remote access to targeted systems. Attackers threaten to publish "secret" data from the University.
  2. Amtrak Guest Rewards Breach Affects Personal Info Amtrak IT security team stopped the unauthorized access "within a few hours," reset passwords for all impacted accounts, and engaged outside security experts to help contain the breach and implement better safeguards.
  3. Image bricks some Android phones when used as Wallpaper An innocuous landscape photo is “soft-bricking” some Android phones when it’s used as a background.Dylan Roussel from 9to5Google discovered that the source image uses the RGB color space instead of Android’s preferred sRGB, and Android 10 doesn’t convert it where the Android 11 preview does — that causes problems any time an incompatible phone has to display the picture.
  4. Spotting zero-day ransomware to stop ransomware before it locks up files, researchers at Southern Methodist University (SMU) have developed software that uses sensors to detect ransomware – even variants that have not been previously identified. The detection uses the devices sensors to detect unusual spikes in activity.
  5. Hardening smartphones for secure facilities DISA is testing SafeCase, which physically blocks both cameras and emits white noise into the microphone.
  6. OMB is Standardizing Cloud Contracting Language to Clarify Security Liability The Office of Management and Budget plans to standardize language in all government contracts with cloud vendors that would update liability terms regarding security, according to the official in charge of leading federal agencies’ move to the shared-responsibility ecosystems.
  7. Hacker Used £270 of TV Equipment to Eavesdrop on Sensitive Satellite Communications James Pavur will detail the attack in a session at the Black Hat security conference. It appears to boil down in large part to the absence of encryption-in-transit for satellite-based broadband communications.
  8. Nuclear missile contractor hacked in Maze ransomware attack Information exfiltrated is being leaked. Not clear how sensitive the information is.
  9. Sodinokibi Ransomware Gang Launches Auction Site to Sell Stolen Data They try to collect ransom for the exfiltrated data, if that doesn't work - they created an auction site.
  10. Twitter Silences Anonymous Hackers Threatening to Dish the Dirt on Trump The @AnonNewz account was repurposed to be an Anonymous-affiliated account. Which then threatened to leak documents. Interesting action by Twitter.
  11. A Vulnerability in Zoom Client Could Allow for Arbitrary Code Execution Update to 4.6.12 or later.

Paul Asadoorian's Content:

Articles

  1. Deepstar: An Open Source Deepfake Detection Toolkit | PenTestIT
  2. No password required! Sign in with Apple account takeover flaw patched - Oops: Unfortunately, Jain found an unexpected URL that was accessible on Apple’s login servers (he has redacted it to https://appleid.apple.com/XXXX/XXXX) to which he could send just the email address from the reply described above… …and he’d get back a current, valid authentication token to use with the third party site, just as though he’d gone through the entire login process and proved who he was.
  3. Had a bad weekend? Probably, if you're a Sectigo customer, after root cert expires and online chaos ensues
  4. IP-in-IP Vulnerability Affects Devices From Cisco and Others | SecurityWeek.Com - An attacker could cause the impacted device to decapsulate the IP-in-IP packet and then forward the inner IP packet, thus causing IP packets to bypass input access control lists (ACLs) on the device or other security boundaries on the network.
  5. Octopus Scanner Sinks Tentacles into GitHub Repositories - “It was interesting that this malware attacked the NetBeans build process specifically since it is not the most common Java IDE in use today,” GitHub researchers noted, in a posting this week. “If malware developers took the time to implement this malware specifically for NetBeans, it means that it could either be a targeted attack, or they may already have implemented the malware for build systems such as Make, MsBuild, Gradle and others as well and it may be spreading unnoticed.”
  6. RobbinHood and the Merry Men - even a rudimentary analysis of the malware by others at the time revealed a level of juvenile naivety that was difficult to ignore. It was littered with childish references to a “CoolMaker” function, an “EnableShadowFucks” variable, and a debugging message: Done, Enjoy buddy :) - Smoke and mirrors, could have been a nation-state posing as a juvenile hacking group, at least if I were tasked with unleashing ransomware on an enemy country, that would be part of my cover.
  7. Linus Torvalds rejects 'beyond stupid' AWS-made Linux patch for Intel CPU Snoop attack | ZDNet
  8. Hackers steal secrets from US nuclear missile contractor
  9. Chinese Hackers Target Air-Gapped Systems With Custom USB Malware | SecurityWeek.Com
  10. Zoom Restricts End-to-End Encryption to Paid Users - Yikes: Zoom’s CEO says he won’t encrypt free calls so Zoom can work more with law enforcement: “Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Yuan said. I mean they have to re-coupe the bill from the purchase of Keybase somehow, but this isn't it, except it is...
  11. Have I Been Pwned breach report email pwned entire firm's helldesk ticket system - Problems arose when Matt received that email. While he looked at it and took the relevant actions, GLPi had encountered an issue. “I and the other techs quickly noticed that every single ticket description had been deleted and replaced with partial header data from the HIBP email,” wrote Matt.

Tyler Robinson's Content:

Articles