Paul's Security Weekly Episode #658 - July 16, 2020
Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe
1. Artificial Intelligence and Machine Learning in Cybersecurity - 06:00 PM-06:45 PM
Join the Security Weekly Mailing List for webcast/virtual training announcements and to receive your personal invite to our Discord server by visiting https://securityweekly.com/subscribe and clicking the button to join the list!
With the advent of the Internet of Things (IoT) and emerging cloud technologies, ensuring continued cybersecurity at scale is a challenging task. An ever-growing demand for cybersecurity talent makes the problem even more challenging. In this talk we explore how autonomous solutions based on Artificial Intelligence (AI) and Machine Learning (ML) can help bridge the gap by automating current cybersecurity tools and techniques. We also discuss whether current AI solutions can be practical at scale or are simply marketing/media hype.
1. How did you get your start in information security?
2. What is Moving Target Defense?
3. We use the words AI and ML, but what do they really mean?
Ankur Chowdhary is Security Consultant at Bishop Fox
Ankur is a PhD candidate at Arizona State University and a Security Consultant at Bishop Fox. His research interests include cloud security, software-defined networking, and the application of Artificial Intelligence and Machine Learning to cybersecurity. Ankur has co-authored over 25 research papers and one textbook in the field of cybersecurity, and co-founded the cybersecurity startup CyNET LLC in 2017. He has been active in cybersecurity education: he was captain of ASU's National Collegiate Cyber Defense Competition (NCCDC) team (2015-2018) and has coached the team since 2018. He co-founded the hacking club DevilSec in 2019 to teach offensive and defensive security to students at ASU. @lucifer8931
2. Welcome Our Newest Host! - 07:00 PM-07:45 PM
Security Weekly is an official media partner for Virtual BlackHat 2020! To register and save $200, visit https://securityweekly.com/summercamp2020 and click the register button. Discount code: “20SecWeekbh”. Alongside Virtual BlackHat, we will be running our conference micro-interviews, you guessed it, virtually, in an event called Security Weekly Virtual Hacker Summer Camp, August 3 – August 6, 2020. Options, pricing and availability are all listed on the same page! Reserve your slot now to get your message out to BlackHat attendees!
The guys welcome our newest host to the family. John Snyder will replace Matt Alderman on Security and Compliance Weekly. Tune in to hear about how John made the jump from being a trial lawyer in New York to founding AGNES Intelligence, a forensic AI firm that has perfected the application of unsupervised machine learning!
John Snyder is CEO at AGNES Intelligence
John H. Snyder is co-founder and Chief Executive Officer of AGNES Intelligence, a forensic AI firm that has perfected the application of unsupervised machine learning. He is a pioneer of the Law & Data Science movement, which focuses on merging data science tools with legal procedure. Together with Judge Thomas Vanaskie, Mr. Snyder has created “tech-enabled” procedures for adjudicating cases with massive volumes of audio/video data. Before founding AGNES in 2018, he was a prominent New York trial lawyer known as “The Engineer’s Lawyer” for his zealous representation of tech geniuses. Mr. Snyder is a graduate of Harvard Law School and Brown University.
Scott Lyons - CEO at Red Lion
3. Twitter Mega Hack, 3rd Party IoT Vulns, & Windows DNS SIGRed RCE - 08:00 PM-09:30 PM
We are looking for high-quality guest suggestions for all of our podcasts to fill our Q3 recording schedule! Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
Learn how to keep your “internet self” safe in our next webcast on August 13th! Register for our upcoming webcasts or virtual trainings by visiting https://securityweekly.com/webcasts. Or visit http://securityweekly.com/ondemand to view our previously recorded webcasts!
Microsoft fixes critical wormable RCE SigRed in Windows DNS servers, Zoom addresses a vanity URL zero-day, Docker attackers devise a clever technique to avoid detection, a massive DDoS attack launched against Cloudflare in late June, critical vulnerabilities can be exploited to hack Cisco Small Business routers, and what you need to know about the Twitter mega hack!
Jeff Man's Content:
- Who’s Behind Wednesday’s Epic Twitter Hack? Krebs breaks down the details of the attack that have come to light so far.
- Man vs. Machine: IBM Brings Science Fiction to Life With Cognitive Security - A little light reading to follow up on our first interview this evening.
- Enigma code-breaking machine rebuilt at Cambridge
John Snyder's Content:
Lee Neely's Content:
- Huge DDoS Attack Launched Against Cloudflare in Late June - Attackers directed traffic from more than 316,000 different IP addresses at one Cloudflare address. According to Cloudflare, attackers leveraged ACK floods, SYN floods, and SYN-ACK floods to achieve sustained rates of more than 400 to 600 million PPS for hours, with peaks above 700 million.
- Hacker Breaches Security Firm in Act of Revenge - According to reports, DataViper, which is managed by Vinny Troia of Night Lion Security, was hacked by a hacker using the moniker "NightLion" (the name of Troia's company) who claims to have spent some three months inside DataViper servers exfiltrating databases that were indexed for the firm's leak monitoring service.
- Trump Confirms US Cyber Attack on Russia Election Trolls - President Trump has confirmed that his administration conducted a successful attack against Russia's "Internet Research Agency" ahead of the 2018 midterm elections that prevented Russia from meddling in those elections.
- Apple releases updates 7/15/20 - Updates released for iOS, iPadOS, watchOS, Xcode, macOS, tvOS, etc.
- F-Secure Uncovers Counterfeit Cisco Network Devices - Two counterfeit Cisco 2960-X series network switches discovered, but without backdoor capabilities. Possibly only for monetary gain.
- Twitter Accounts of Obama, Biden, Musk and Others 'Hacked' in Apparent Bitcoin Scam - Captured Twitter verified accounts; tweets instructed followers to send $1,000 USD worth of cryptocurrency to specific wallets, noting that they would receive $2,000 USD worth of cryptocurrency in return. Some were COVID-19 themed.
- Ghost Squad Hackers Defaced European Space Agency (ESA) Site - Ghost Squad Hackers said they exploited a "server-side request forgery (SSRF) remote code execution vulnerability" in the server, which gave them access to the "business.esa.int" domain and allowed them to deface it. The defacement was done to show the site was vulnerable.
- Microsoft Issues Patch for Wormable Windows DNS Server Flaw - Microsoft's patch for CVE-2020-1350 is out. Patch, or apply the mitigation to limit DNS query size. See also: CISA Releases Emergency Directive on Critical Microsoft Vulnerability.
- LiveAuctioneers Data Breach Impacts 3.4 Million Users - A database purportedly from LiveAuctioneers.com containing approximately 3.4 million user records, including e-mail addresses, usernames, passwords (including cracked passwords) and other contact information, was advertised online July 10th.
- New Highly-Critical SAP Bug Could Let Attackers Take Over Corporate Servers - Exploiting CVE-2020-6287, the "RECON" vulnerability, allows command execution as privileged users. See also CISA Alert (AA20-195A): Critical Vulnerability in SAP NetWeaver AS Java.
- New Mirai Variant Includes Exploit for a Flaw in Comtrend Routers - Exploit for an authenticated command injection vulnerability (CVE-2020-10173) impacting Comtrend VR-3033 routers. A total of nine vulnerabilities are leveraged.
- Secret Trump order gives CIA more powers to launch cyberattacks - The Central Intelligence Agency has conducted a series of covert cyber operations against Iran and other targets since winning a secret victory in 2018 when President Trump signed what amounts to a sweeping authorization for such activities.
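The "limit DNS query size" mitigation referenced in the SIGRed item above is a registry override of the DNS Server service's maximum inbound TCP packet size. The script below is an added example for this page, not the show's or Microsoft's own code: the key, value name and the 0xFF00 value come from Microsoft's KB4569509 guidance for CVE-2020-1350, while the function names and the enable/verify/roll-back structure are this example's own. It assumes it is run in an elevated PowerShell session on a Windows DNS server.

```powershell
# Added example: apply, verify and roll back Microsoft's documented registry
# workaround for CVE-2020-1350 (SIGRed) on a Windows DNS Server that cannot be
# patched immediately. Key/value per KB4569509; function names are this example's own.
# Run as Administrator on the DNS server itself. This is a stopgap, not a fix:
# install the July 2020 security update and then roll the override back.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Mitigated = 0xFF00   # 65280 bytes; the default maximum is 0xFFFF (65535)

function Test-SigRedMitigation {
    # $true when the override exists and is at or below the recommended 0xFF00.
    $prop = Get-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $false }
    return ([uint32]$prop.$ValueName -le $Mitigated)
}

function Enable-SigRedMitigation {
    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        throw 'DNS Server service not found; this host is not a Windows DNS server.'
    }
    # -Force overwrites an existing value of any type with a DWORD.
    New-ItemProperty -Path $DnsParams -Name $ValueName -PropertyType DWord `
        -Value $Mitigated -Force | Out-Null
    # The DNS service only reads this value at start-up, so a restart is required.
    Restart-Service -Name DNS
}

function Disable-SigRedMitigation {
    # Roll back after patching so TCP responses larger than 65,280 bytes
    # (for example large zone transfers) are accepted again.
    Remove-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name DNS
}

if (-not (Test-SigRedMitigation)) {
    Enable-SigRedMitigation
}
'{0} = 0x{1:X}' -f $ValueName, (Get-ItemProperty -Path $DnsParams -Name $ValueName).$ValueName
```

Caveat from Microsoft's guidance: with the override in place, TCP DNS response packets larger than the configured size are silently dropped, so a server that receives large zone transfers or large recursive answers over TCP may stop resolving some names until the value is removed. Treat `Disable-SigRedMitigation` as part of the patch deployment, not an optional clean-up.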
Paul Asadoorian's Content:
- Microsoft fixes critical wormable RCE SigRed in Windows DNS servers - NSA and Israel's 8200 must be PISSED: “SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response. As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.”
- Zoom Addresses Vanity URL Zero-Day - File this in the "Why didn't I think of that?" bucket: “In other words, if the original link was https://zoom.us/j/##########, the attacker could change it to https://<organization’s name>.zoom.us/j/##########,” according to an analysis from Check Point issued Thursday. “Without particular cybersecurity training on how to recognize the appropriate URL, a user receiving this invitation may not recognize that the invitation was not genuine or issued from an actual or real organization.”
- Docker attackers devise clever technique to avoid detection - This is misleading FOR SO MANY REASONS. The article states: “Normally, attacks against misconfigured Docker API are initiated by pulling an image from a public registry (i.e. Docker Hub) and spinning up the container on the targeted host environment,” explains Morag. But by building an original image on the host, scanners likely won’t detect a problem “since the image is built upon a standard Alpine base image and would most probably be marked as benign.” Where do I begin? First, you should have tools and processes in place to 1) look for exposed Docker API services and 2) use certificates to authenticate to the Docker API. Also, this attack is not new; in fact, we responded to an incident here years ago using the same technique. Also, it should not matter what image is being executed on your Docker instances: you should scan all the images, know which images are yours and which ones are from Docker Hub, and then flag anything else as suspect or malicious and eradicate it automatically! You basically have to have no idea about Docker security basics to fall for this attack. Heck, a simple firewall rule will protect you.
- Twitter silences some top accounts after internal systems hacked - Opsec for your admins is crucial: Publicly available blockchain records show the apparent scammers received more than $100,000 worth of cryptocurrency. Chief Executive Jack Dorsey earlier said the company was diagnosing the problem and pledged to share “everything we can when we have a more complete understanding of exactly what happened.” My guess is that the admins were targeted, and that 2-factor was not the issue, these users were pwned with a highly targeted attack.
- Critical Vulnerabilities Can Be Exploited to Hack Cisco Small Business Routers | SecurityWeek.Com - This is a much better attack than last week: Another critical flaw, CVE-2020-3323, affects Small Business RV110W, RV130, RV130W, and RV215W routers. It allows a remote hacker to execute arbitrary code on the targeted device with root privileges by sending it a specially crafted HTTP request. Exploitation does not require authentication. Full RCE baby! Gotta patch those switches.
- Third-Party IoT Vulnerabilities: We Need a Cybersecurity Paradigm Shift - Can't wait for the details on this one, a vulnerability in a TCP/IP stack: “CVE-2020-11896 (CVSS 10): This vulnerability can be triggered by sending multiple malformed IPv4 packets to a device supporting IPv4 tunneling. It affects any device running Treck with a specific configuration. It can allow a stable remote code execution and has been demonstrated on a Digi International device. Variants of this issue can be triggered to cause a Denial of Service or a persistent Denial of Service, requiring a hard reset.” See, RFCs are interpreted by developers in different ways; my guess is the Treck stack made some assumptions, some of which lead to compromise (e.g. poor bounds checking?). From the Treck website: “Since 1997 Treck has been designing, distributing and supporting real-time embedded internet protocols for worldwide technology leaders. The Treck TCP/IP stack designer and Treck co-founder has more than 20 years experience and is a leading expert of embedded internet protocols.” They probably should have had much better code review and security testing, as now millions of devices are vulnerable according to the report.
- The Twitter mega-hack. What you need to know - Graham's theory is interesting: One question. They hacked so many high profile people’s accounts. Why not Donald Trump? It’s surprising isn’t it? He is perhaps Twitter’s most famous user. Maybe Twitter has additional protections in place specifically related to the @realdonaldtrump account after it was deleted by a rogue employee a few years ago.
- An Analysis of Emotet Malware: PowerShell Unobfuscation
- More Countries Waking up to Huawei Threats, US Say | SecurityWeek.Com
- Web Browser Security (WBS) - Overview NSS Labs, Inc. - I found it interesting that this report shows that Edge was the best at blocking malware...
- Industrial Cybersecurity Firm Claroty Releases Open Source Database Parser | SecurityWeek.Com
- Twitter Confirms it was Hacked in an Unprecedented Cryptocurrency Scam
- 17-Year-Old Critical 'Wormable' RCE Vulnerability Impacts Windows DNS Servers