Paul's Security Weekly Episode #655 - June 11, 2020
Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe
1. Interview - Enhancing Vulnerability Management By Including Penetration Testing Results - 06:00 PM-06:45 PM
- We are looking for high-quality guest suggestions for all of our podcasts to fill our Q3 recording schedule! Submit your suggestions for guests by visiting securityweekly.com/guests and submitting the form! We review suggestions monthly and will reach out to you once reviewed!
We’ll discuss how organizations can improve their vulnerability management life cycle, demo some quick ways to get started with vulnerability management by combining it with penetration test results, and then walk through the whole life cycle of a vulnerability.
To learn more about PlexTrac, visit: https://securityweekly.com/plextrac
Dan DeCloss is President / CEO at PlexTrac
Dan DeCloss is the Founder and CEO of PlexTrac and has over 15 years of experience in Cybersecurity. Dan started his career in the Department of Defense and then moved on to consulting where he worked for various companies including serving as a Principal Consultant for Veracode on the penetration testing team. Dan's background is in application security and penetration testing, involving hacking networks, websites, and mobile applications for clients. He has also served as a Principal Security Engineer for the Mayo Clinic and a Sr. Security Advisor for Anthem. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy where he and his team built the security program out of its infancy into a best-in-class program. Dan has a master’s degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally, Dan holds the OSCP and CISSP certifications. Dan has a passion for helping everyone understand cybersecurity at a practical level, ensuring that there is a good understanding of how to reduce their overall risk.
Jeff Man - Sr. InfoSec Consultant at Online Business Systems
2. News - OSS Vulnerabilities, UPnP Flaws, & 0-Days for Bad People - 07:00 PM-08:30 PM
- Join us at InfoSecWorld 2020 - June 22nd-24th now a fully virtual event! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code!
- Join the Security Weekly Mailing List & receive your invite to our community Discord server by visiting securityweekly.com/subscribe and clicking the button to join the list!
Hospital-busting hacker crew may be behind ransomware attack that made Honda halt car factories, 3 common misconceptions about PCI compliance, SMBleed could allow a remote attacker to leak kernel memory, Kubernetes Falls to Cryptomining via Machine-Learning Framework, and The F-word's hidden superpower: how repeating it can increase your pain threshold!
Jeff Man's Content:
Lee Neely's Content:
- Facebook Slaps Labels on 'State-Controlled' Media Outlets Facebook began its efforts to label media organizations (e.g., China's Xinhua News and Russia's Sputnik) that were "wholly or partially" under government editorial control on June 4, 2020.
- Ongoing eCh0raix Ransomware Campaign Targets QNAP NAS Devices - Flaws have been fixed, which neutralized the free decryptor. Fix by updating software, using stronger passwords, enabling network access protection, and disabling SSH & Telnet.
- SMBGhost Attacks Spotted Following Release of Code Execution PoC - The first PoC is not super stable; expect improvements to follow. The patch for Windows 10 and Windows Server was released March 12, 2020 - apply the patch.
- Hackers Target Senior Executives at German Company Procuring PPE - These were credential-stealing phishing attacks. Consider implementing MFA and working with users to slow down and think; today's climate is ripe for social engineering.
- Nintendo Hack Was Twice as Big as First Reported - 300,000 accounts compromised. Nintendo advises enabling 2FA and has disabled NNID login.
- Babylon Health Admits to Leak of GP Video Consultations - A coding error allowed users to access/view videos stored by other patients. While resolved quickly, remember to fully test code.
- Drinks Maker Lion Shuts IT Systems after 'Cyber Incident' - Manufacturing operations at Sydney, Australia-based beverage maker Lion were disrupted after the company suffered a cyber incident that forced it to shut down its IT systems, resulting in disruptions to suppliers and customers. Unofficial indications are that this was a ransomware attack.
- What Government Contractors Need to Know About NIST, DFARS Password Reqs - Interesting read about passwords vs. MFA, the trade-offs, and where opportunities lie for improvement.
- How LoveBug changed malware forever - This month marks the 20th anniversary of the LoveBug malware, the catalyst for ransomware as we know it today. The AIDS Trojan was the first ransomware, albeit of much smaller scope. What was critical with LoveBug was the shift of malware from limited exposure to mass destruction. 45 million compromised devices a day could equal 45 million daily payments.
Paul Asadoorian's Content:
- The F-word's hidden superpower: Repeating it can increase your pain threshold - hrmm. For that 2009 study, Stephens and his colleagues asked 67 study participants (college students) to immerse their hands in a bucket of ice water. They were then instructed to either swear repeatedly using the profanity of their choice or chant a neutral word. Lo and behold, the participants said they experienced less pain when they swore and were also able to leave their hands in the bucket about 40 seconds longer than when they weren't swearing. It has been suggested (by Harvard psychologist Steven Pinker, among others) that it is a primitive reflex that serves as a form of catharsis.
- 2019 was a record year for OSS vulnerabilities - Help Net Security
- Hospital-busting hacker crew may be behind ransomware attack that made Honda halt car factories, say researchers
- Security Drift: The Silent Killer - Not so silent though: A high-tech company that had a robust (or so they thought) A/V solution allowed for a three-week patch drift for 2% of its systems. This was because some systems required testing before patching (due to OS and application concerns), and others were delayed due to operational constraints. The company was hit by a worm that propagated to almost all unpatched systems, close to 3,000 machines.
- Adobe fixes critical flaws in Flash Player and Framemaker
- 3 common misconceptions about PCI compliance - Help Net Security - Differences between 1 and 2? Misconception #1: You believe a certain product or system is out of PCI scope and Misconception #2: You’ve accurately scoped your CDE
- GnuTLS patches huge security hole that hung around for two years, worse than Heartbleed, says Google cryptoboffin
- Bot or Not? A game to train us to spot chatbots faking it as humans
- The Telehealth Attack Surface - Although targeted attacks on patients are certainly possible, they are unlikely. What is more realistic is that criminals will target the back-end infrastructure and third-party technology ecosystems that support telehealth and telemedicine services in order to gain scale and access to large datasets of highly monetizable information.
- What Happened When I Leaked My Server Password on GitHub.com - Craig Hays
- SMBleed could allow a remote attacker to leak kernel memory - Technical details: https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/
- Cisco discloses technical details for Firefox code execution flaw
- GitLab Acquires Security Companies Peach Tech and Fuzzit | SecurityWeek.Com
- WordPress Releases Security and Maintenance Update | CISA
- Nintendo Switch hack nearly twice as bad as first reported | SC Media - Nintendo admitted Tuesday that 300,000 Nintendo Switch accounts were hacked, not the 160,000 initially reported in April.
- UPnP flaw exposes millions of network devices to attacks over the Internet - Neat stuff, can't wait to play around with this some more. Find UPnP on your network: https://charlesreid1.com/wiki/Nmap/UPnP
- The Hitchhiker's Guide to Web App Pen Testing - Nice list of free resources.
- Kubernetes Falls to Cryptomining via Machine-Learning Framework
Scott Lyons's Content:
Tyler Robinson's Content:
- State-sponsored hackers target Austria's largest ISP - https://androidrookies.com/state-sponsored-chinese-hackers-hacked-into-austrias-largest-isp-a1-telekom/
- Zoom closes Chinese user account over Tiananmen Square - https://www.axios.com/zoom-closes-chinese-user-account-tiananmen-square-f218fed1-69af-4bdd-aac4-7eaf67f34084.html
- Facebook hired a cybersecurity firm to develop a 0-day for the FBI to take down a very evil person - https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez
- Nintendo Switch accounts hacked - https://www.google.com/amp/s/www.businessinsider.com/nintendo-switch-account-hack-update-2020-6%3famp
- Indian cyber firm hacks to spy on political candidates - https://www.reuters.com/article/us-india-cyber-mercenaries-exclusive/exclusive-obscure-indian-cyber-firm-spied-on-politicians-investors-worldwide-idUSKBN23G1GQ?il=0
- Honda hacked, shutting down plants - https://www.telegraph.co.uk/business/2020/06/08/honda-could-victim-ransomware-cyber-attack/
3. Interview - New Web Technology & Impact on Automated Security Testing - 08:30 PM-09:15 PM
- Learn how to prevent account takeover attacks in our next June webcast with Google Cloud! In our first July webcast, you will learn how to stitch and enrich flow data for security with VIAVI Solutions! Register for our upcoming webcasts or virtual trainings by visiting securityweekly.com/webcasts. Or visit securityweekly.com/ondemand to view our previously recorded webcasts!
As web applications have evolved from static HTML pages into fully-fledged applications with a native feel to them, web browsers continue to provide developers with truly novel functionality. The resulting paradigm shift from merely rendering web pages to acting as an OS-agnostic abstraction layer poses unique challenges to everyone involved with web application security, including automated web application security scanning solutions.
Here's a quick intro: https://web.dev/fugu-status/
A list of related APIs that are either planned or already available: https://goo.gle/fugu-api-tracker
Benjamin Daniel Mussler
Benjamin Daniel Mussler is Senior Security Researcher at Acunetix
Web Application Security Researcher at Acunetix
Matt Alderman - CEO at Security Weekly