- 1 Paul's Security Weekly Episode #666 - September 10, 2020
- 2 1. The Patchless Horseman - Roi Cohen & David Asraf - 06:00 PM-06:45 PM
- 3 2. Building Security Into the DevOps Lifecycle - 07:00 PM-07:45 PM
- 4 3. Chrome Sandbox Exploit, Cisco Jabber CVE, & Lea Snyder w/ BSides Boston - 08:00 PM-09:30 PM
Paul's Security Weekly Episode #666 - September 10, 2020
Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe
1. The Patchless Horseman - Roi Cohen & David Asraf - 06:00 PM-06:45 PM
Join the Security Weekly Mailing List for webcast/virtual training announcements and to receive your personal invite to our Discord server by visiting https://securityweekly.com/subscribe and clicking the button to join the list!
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
Every time you deploy a patch nothing has ever gone wrong, right? Most of us have been burned by deploying a patch, causing downtime in your environment, getting in trouble with users and management for causing an outage and having to back out a patch, then re-deploy. The team at Vicarious has a way to apply in-memory virtual patches that mitigate exploitation and do not require binaries to be altered. Tune-in for the full description and demo! This segment is sponsored by Vicarius.
Visit https://securityweekly.com/vicarius to learn more about them!
David is a graduate of an elite technology unit in the Israeli army and holds a BSc in computer science. He has worked in various security roles and was a lead developer at Checkpoint. Currently, he is a C++ developer @Vicarius, leading multiple research projects.
Cybersecurity expert with over 15 years of experience. Former research team leader at CyberArk, Penetration tester, and graduate of and elite technology unit @IDF
2. Building Security Into the DevOps Lifecycle - 07:00 PM-07:45 PM
Security Weekly is ramping up our webcast/technical training schedule for the rest of 2020! In September you can Find out Why Traditional Data Security Can’t Be Zero Trust, and Learn how to reduce the blast radius of your cloud infrastructure. Visit https://securityweekly.com/webcasts to see what we have coming up! Or visit securityweekly.com/ondemand to view our previously recorded webcasts!
DevOps has gained momentum over the years as its methods have been used by teams worldwide to accelerate application delivery. But where we continue to struggle is in integrating security into this workflow. In this discussion, Sumedh Thakar, president and chief product officer at Qualys, will talk with the Security Weekly Team about the importance of building security into the CI/CD pipeline to ensure the quality of code and to protect the application and data infrastructure. He'll talk about Qualys' own DevOps strategy and the lessons learned as his team built out the DevOps toolchain and how it integrated security best practices within the DevOps lifecycle. This segment is sponsored by Qualys.
Visit https://securityweekly.com/qualys to learn more about them!
DevOps solutions: https://www.qualys.com/solutions/devops/
Qualys Security Conference, Feb 2020: https://www.qualys.com/qsc/2020/san-francisco/
"Ancestry: On the Vanguard of DevOps Security" Blog Post: https://blog.qualys.com/news/2019/04/10/reducing-aws-risk-footprint-through-the-use-of-amis-at-ancestry
Sumedh Thakar is President and Chief Product Officer at Qualys
As Chief Product Officer at Qualys, Sumedh oversees worldwide engineering, development and product management for the Qualys software-as-a-service (SaaS) platform and integrated suite of security and compliance applications. A core systems and database engineer, Sumedh started at Qualys in 2003, architecting and delivering Qualys' PCI compliance platform to meet the Payment Card Industry (PCI) Data Security Standard (DSS) requirements. Today, more than 69 percent of ASVs and 50 percent of QSAs worldwide use Qualys PCI to perform PCI DSS certification.
Joff Thyer - Security Analyst at Black Hills Information Security
3. Chrome Sandbox Exploit, Cisco Jabber CVE, & Lea Snyder w/ BSides Boston - 08:00 PM-09:30 PM
BSides Boston is back in action for their 10 year anniversary! The conference will be held on Saturday, September 26th & tickets are only $10! You can get yours at https://bsidesbos.org! Some of the Security Weekly team will be in our own channel on the BSides Boston Discord server answering questions and possibly doing some contests!
We welcome special guest Lea Snyder, BSides Boston Organizer, to talk all things BSides Boston 2020 for its 10 year anniversary! In the Security News, Cisco Patches Critical Vulnerability in Jabber for Windows, Expert found multiple critical issues in MoFi routers, TeamTNT Gains Full Remote Takeover of Cloud Instances, Bluetooth Bug Opens Devices to Man-in-the-Middle Attacks, Former NSA chief General Keith Alexander is now on Amazon’s board, and the Legality of Security Research is to be Decided in a US Supreme Court Case!
Lea Snyder is BSides Boston Organizer at BSides Boston
Lea Snyder is the lead organizer for BSides Boston. She helped organize the conference in 2014 & 2015 and was the lead organizer for 2016 & 2017. She started volunteering for BSides Seattle in 2016 and quickly joined the organizing team. She is the co-founder of Layer 8 Conference with Patrick Laverty. Lea is passionate about giving back to the security community, creating an atmosphere that is welcoming to all participants, and learning something new along the way.
Jeff Man's Content:
- Former NSA chief General Keith Alexander is now on Amazon’s board When Worlds Collide
- NIST and PCI SSC Find Common Ground in Development of Software Frameworks What could possibly go wrong?
Joff Thyer's Content:
Larry Pesce's Content:
- [https://taosecurity.blogspot.com/2020/09/the-fbi-intrusion-notification-program.html Some history of the FBI notification program. Good, bad or ugly? Discuss.
- Dancho is back?! Neat stuff he’s working on…
- US Space Cyber Security program - …with language that is so vague as to be largely useless. Maybe just because it is the unclassified version?
- This months windows update can break things…VPN and Linux subsystem
- Defender User Agent sting - By default Windows Defender downloads (even from the command line) can be fingerprinted with a specific User Agent string.
- BLURtooth - Bluetooth eavesropping for BLE4 and BLE5 and Classic
- Giggle has laughable security
Paul Asadoorian's Content:
- More Attackers Using Zero Day Exploits - But since about 2017, the field has substantially diversified, at least partially due to the role of vendors offering offensive cyber threat capabilities. Examples of such vendors include the Hacking Team of Italy, NSO Group based in Israel, and Gamma International in the UK. Such firms have been observed selling cyber espionage and intrusion software and services — including zero-day exploits to governments and other entities for several years.
- Hacking Node.js legacy url API
- Cisco Patches Critical Vulnerability in Jabber for Windows - the flaw can be exploited remotely without authentication through sending a specially crafted Extensible Messaging and Presence Protocol (XMPP) message to a vulnerable application. The issue exists because the software fails to properly validate message contents. An attacker able to successfully exploit the vulnerability could execute arbitrary programs on the target system, likely gaining code execution capabilities Original research post: https://watchcom.no/nyheter/nyhetsarkiv/uncovers-cisco-jabber-vulnerabilities/
- "Biggest webmaster forum" Digital Point exposes trove of user data
- Expert found multiple critical issues in MoFi routers - “The authentication function contains undocumented code which provides the ability to authenticate as root without having to know the actual root password. An adversary with the private key can remotely authenticate to the management interface as root.” reads the advisory published by the expert. “Technical details are not included at this time because the vendor has not released a patch and disclosing this would provide enough details for the unpatched CVE-2020-15836 Unauthenticated Command Injection.” That alone should make it easy to figure out how to exploit this...
- Legality of Security Research to be Decided in US Supreme Court Case - With the appeal accepted by the US Supreme Court, security researchers and technology companies are concerned with the potential for the case to turn independent vulnerability research into unauthorized access and, thus, a prosecutable offense. If the US Supreme Court rules that Van Buren's actions are a violation of the CFAA, it will undermine software and cloud security, says Casey Ellis, chief technology officer and founder of crowdsourced bug bounty firm Bugcrowd.
- How to Find Those Old Online Accounts You Dont Remember
- Don't be BlindSided: Watch speculative memory probing bypass kernel defenses, give malware root control - "Using speculative execution for crash suppression allows the elevation of basic memory write vulnerabilities into powerful speculative probing primitives that leak through microarchitectural side effects," the paper stated. "Such primitives can repeatedly probe victim memory and break strong randomization schemes without crashes and bypass all deployed mitigations against Spectre-like attacks." Original research paper: https://download.vusec.net/papers/blindside_ccs20.pdf
- My Take on Chrome Sandbox Escape Exploit Chain - the sandbox bypass is made possible because of an Out-of-bound read and write bug in renderer process, chained with a Use-After-Free (UAF) bug in the browser process, triggered via Mojo IPC connection. Great article!
- TeamTNT Gains Full Remote Takeover of Cloud Instances - Weave Scope is a powerful utility, giving the attackers access to all information about the victim’s server environment with the ability to control them including: installed applications, connection between the cloud workloads, use of the memory and CPU, and a list of existing containers with the ability to start, stop, and open interactive shells in any of these containers. By installing a legitimate tool such as Weave Scope the attackers reap all the benefits as if they had installed a backdoor on the server, with significantly less effort and without needing to use malware.
- Bluetooth Bug Opens Devices to Man-in-the-Middle Attacks - “Devices… using [CTKD] for pairing are vulnerable to key overwrite, which enables an attacker to gain additional access to profiles or services that are not restricted, by reducing the encryption key strength or overwriting an authenticated key with an unauthenticated key,” according to a security advisory on Wednesday by the Carnegie Mellon CERT Coordination Center.
Tyler Robinson's Content:
- Firebase Cloud Messaging Service Takeover: A small research that led to 30k$+ in bounties TL;DR A malicous attacker could control the content of push notifications to any application that runs the FCM SDK and has it’s FCM server key exposed & at the same time send these notifications to every single user of the vulnerable application!
- Tesla falls 21%, worst single-day loss in its history The S&P 500 Index Committee added Etsy, Teradyne and Catalent to the index, but stopped short of including Tesla.
- Russian internet trolls hired U.S. journalists to push their news website, Facebook says Facebook said the website is run by people affiliated with the Internet Research Agency, which inflamed political tensions in the 2016 election through social media.
- ‘There Were A Few Red Flags’: Journalists Explain How They Were Duped To Work On A Russian Disinformation Campaign It’s kind of a surreal experience to think you’re caught up in a Russian intelligence operation.