Paul's Security Weekly Episode #667 - September 17, 2020
Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe
1. Key Findings From The Newly Released BSIMM11 Report - 06:00 PM-06:45 PM
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
BSIMM11, the latest version of the Building Security In Maturity Model (BSIMM), was created to help organizations plan, execute, measure, and improve their Application Security program/initiatives. BSIMM11 reflects the software security practices observed across 130 firms from industries such as finserv, independent software vendors, cloud and healthcare.
This segment is sponsored by Synopsys.
Visit https://securityweekly.com/synopsys to learn more about them!
Mike Ware is the senior director of technology within the Synopsys Software Integrity Group and a co-author of the Building Security In Maturity Model (also commonly known as the BSIMM).
2. Elastic Security Opens Public Detections Rules Repo - 07:00 PM-07:45 PM
BSides Boston is back in action for their 10 year anniversary! The conference will be held on Saturday, September 26th & tickets are only $10! You can get yours at https://bsidesbos.org! Some of the Security Weekly team will be in our own channel on the BSides Boston Discord server answering questions and possibly doing some contests!
Following the release of our detection engine, Elastic opened up a new GitHub repo of our public detection rules. See: https://github.com/elastic/detection-rules. This is where our security intelligence and analytics team develops rules, creates issues, and manages PRs, and by making the repo public we're inviting external contributors into the workflow. This gives contributors visibility into our development process and a clear path for rules to be released with the detection engine. If time allows, James can also talk about the preview we recently released of Event Query Language (EQL) in Elasticsearch. This is the correlation query language that Elastic adopted through the acquisition of Endgame last year to support threat hunting and threat detection use cases. It's a feature that users have been asking for for years and an exciting step toward natively integrating EQL into the Stack.
This segment is sponsored by Elastic.
Visit https://securityweekly.com/elastic to learn more about them!
James Spiteri is Solutions Architect, Cyber Security Specialist Global Solutions Lead at Elastic
James Spiteri is a solutions architect for Elastic, where he also serves as the company's cybersecurity specialist for Europe, the Middle East and Africa. Prior to that he gained extensive experience as an Elasticsearch user, including at RS2 Software, as well as while serving as the security architecture manager for Invinsec. He's also served as a Linux systems administrator at Arvato Financial Solutions, among other roles.
3. Zerologon Attack, CrimeOps, & BLESA Bluetooth Flaw - 08:00 PM-09:30 PM
Join the Security Weekly Mailing List for webcast/virtual training announcements and to receive your personal invite to our Discord server by visiting https://securityweekly.com/subscribe and clicking the button to join the list!
Security Weekly is ramping up our webcast/technical training schedule for the rest of 2020! In our next webcast you will learn how to reduce the blast radius of your cloud infrastructure! Visit https://securityweekly.com/webcasts to see what we have coming up! Or visit securityweekly.com/ondemand to view our previously recorded webcasts!
Three Cybersecurity Lessons from a 1970s KGB Key Logger, MFA Bypass Bugs Opened Microsoft 365 to Attack, How Hackers Can Pick Your Locks Just By Listening, U.S. House Passes IoT Cybersecurity Bill, Most compliance requirements are completely absurd, Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software, and more!
Jeff Man's Content:
- Why does this have to be so hard? The tradeoff between speed and security Data security. Yasss!
- AES Finder - Utility To Find AES Keys In Running Processes
- Blackbaud hack: US healthcare organizations confirm data breach impacted 190,000 patients
- What Airports Need to Know About PCI DSS Compliance to Protect Against Data Breaches not that anybody flies anymore
- VA data breach also hit 17,000 community care providers, senators say
- Mapping the MITRE ATT&CK® Framework to the PCI DSS I'm speaking at the 2020 PCI North American Community Meeting!
- Tribe of Hackers Blue Team: Tribal Knowledge from the Best in Defensive Cybersecurity Latest Tribe of Hackers edition is out. Honored to be included.
Joff Thyer's Content:
Larry Pesce's Content:
- Chinese database with 2.4 million influential people, families and how to make them squirm
- Courts reveal NSA spying program outed by Snowden was illegal
- Yet more BLE attacks…BLESA
- How WiFi almost didn't happen
Lee Neely's Content:
- Billions of Devices Vulnerable to New 'BLESA' Bluetooth Security Flaw Security flaw dubbed "Bluetooth Low Energy Spoofing Attack" (BLESA) (CVE-2020-9770) that affects devices running the Bluetooth Low Energy (BLE) protocol. While some vendors such as Apple have released vendor-specific fixes, not all vendors are expected to release a fix for this vulnerability.
- DOJ Says Five Chinese Nationals Hacked into 100 U.S. Companies Members of APT41, whose activities are aligned with China's five-year economic development plans.
- Even cybersecurity companies spill data and passwords It seems that cybersecurity companies suffer from the same password problems that other organizations have to deal with – in that some systems might just be forgotten about or they have simple passwords for some accounts.
- Travel Industry Giants Failed to Secure their Websites Despite High-Profile Data Breaches Major airlines and hotel chains have failed to secure their online platforms even after previous data breaches and cyber-attacks exposed information of millions of customers and drew fines from privacy regulators.
- CISA Warns Election-Related Entities to Be on Watch for Phishing Attacks In an insight piece published on September 10, CISA highlighted malicious actors' preference for phishing attacks in their efforts to target political parties, think tanks and other entities that might be involved in an election.
- Leaky server exposes users of dating site network Leaky database from Mailfire taken down after discovery. The leaky database stored more than 882 GB of log files pertaining to push notifications sent via Mailfire's service, with the logs being updated in real-time, as new notifications were being sent out.
- Researchers Uncover 89 Zero-Days in CMS Platforms The team uncovered 89 zero-day vulnerabilities in platforms such as WordPress, Joomla, Drupal and Opencart — and their plugins.
Paul Asadoorian's Content:
- Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software - Literally giving Windows the finger: Typically, port 79, the default port used by the finger protocol, is blocked by organizations. Privileged users can bypass this using Windows netsh portproxy. This can allow us to bypass firewall restrictions to reach servers using unrestricted ports like 80/443. Portproxy queries are then sent first to the local machine's IP address and then forwarded to the C2 server specified.
- 5 Security Lessons Humans Can Learn From Their Dogs - Somewhat interesting points, a bit of a stretch, though I do like the concept: When you hire a dog trainer, you need to be open about the issues and challenges you have with your puppy. The same goes for your corporate culture, where too often no news is good news.
- CrimeOps: The Operational Art of Cyber Crime - Why was FIN7 so amazingly successful using only stodgy “Top 10 Infosec Risks” TTP? The answer is FIN7’s sophisticated organisation and management capabilities. They adopted agile processes and a DevOps methodology. Good team coordination and project management tools were combined with rapid iteration on their toolchain and TTP to maintain efficacy and operational capability. Let's explore CrimeOps. THIS: Using JIRA, FIN7 created an issue ticket for each victim. As the attack progressed through reconnaissance, infiltration, lateral traversal, and target exploitation (by collecting data into "loot"), the issue was updated. Usernames and passwords, output from security tools, screenshots and video captures, everything relevant to increasing their access and control over the victim, was added to JIRA.
- Nozomi Networks Becomes CVE Numbering Authority - There are currently over 130 CVE Numbering Authorities across 24 countries, but Nozomi says it’s the first OT and IoT cybersecurity firm to become a CNA.
- U.S. House Passes IoT Cybersecurity Bill - If it becomes law, the IoT Cybersecurity Improvement Act will require NIST to issue standards and guidelines for secure development, patching, identity management, and configuration management for IoT products. All IoT devices acquired by the federal government will have to comply with these recommendations. (https://www.house.gov/the-house-explained/the-legislative-process for those struggling to remember how a bill becomes law from grade school, like me ;)
- Do Vulnerabilities Ever Get Old? Recent "Mirai" Variant Scanning for 20 Year Old Amanda Version? - So is it looking for a 20-year-old version? Possibly not. Why is it looking for backup clients? There are many possibilities...
- Meet the Computer Scientist Who Helped Push for Paper Ballots - This was a great article; here are Simons' concerns on electronic voting summed up: Just about everything. I'm especially worried about an attack on our voting technology: the electronic poll books, the voting machines, and the scanners that tabulate the ballots. If folks share the concerns of our intelligence community - and they should - that Russia wants to mess with our election, then allowing Internet voting, which is the most insecure form of voting possible, would be a gift to Russia, or China, or Iran, or North Korea, or indeed any nation/state or organization that wants to steal our elections.
- Largest Hacking Campaign Since 2015 Targeted Magento Stores Via Unpatched Bug - Over the weekend, almost two thousand Magento 1 stores across the world have been hacked in the largest documented campaign to date. Dubbed "CardBleed", it was a typical Magecart attack: injected malicious code would intercept the payment information of unsuspecting store customers. Inspected stores were found running Magento version 1, which was announced End-Of-Life last June.
- NSA publishes guidance on UEFI Secure Boot customization
- Three Cybersecurity Lessons from a 1970s KGB Key Logger - It turns out, what may very well be the first keylogger was built by the Soviet Union and used on IBM Selectric typewriters in the U.S. Embassy way back in the 1970s. What the NSA learned back then can still apply to cybersecurity today. Annoying, but funny: The NSA removed about 11 tons of equipment from the embassy, and about 10 tons were shipped in covertly. The Russians had shut down the elevator for preventive maintenance (remember, this is during the Cold War when both sides would do things to annoy the other), so most of the gear was moved through the building by stairs.
- Suspicious Endpoint Containment with OSSEC - I wrote a Windows command line script that temporarily replaces the existing local firewall rules with a very restricted new set: communication with the OSSEC server is still allowed, one IP address is allowed on all ports TCP/UDP, and all remaining traffic is blocked.
- Padlocks, Phishing and Privacy; The Value Proposition of a VPN - HTTPS & SSL doesn't mean "trust this." It means "this is private." You may be having a private conversation with Satan. (Quote from https://twitter.com/shanselman/status/187572289724887041)
- Zerologon hacking Windows servers with a bunch of zeros - The "key" to understanding this attack is here in the NetLogon spec: If AES support is negotiated between the client and the server, the Netlogon credentials are computed using the AES-128 encryption algorithm in 8-bit CFB mode with a zero initialization vector.
- Microsoft announces new Project OneFuzz framework, an open source developer tool to find and fix bugs at scale - Microsoft Security
- Windows Exploit Released For Microsoft Zerologon Flaw
- Bluetooth Spoofing Bug Affects Billions of IoT Devices - Another one? Original research: https://friends.cs.purdue.edu/pubs/WOOT20.pdf
- MFA Bypass Bugs Opened Microsoft 365 to Attack - The vulnerabilities were a result of the “inherently insecure protocol” (WS-Trust) as described by Microsoft combined with various bugs in its implementation by the IDPs. In some cases, an attacker could spoof his IP address to bypass MFA via a simple request header manipulation. In another case, altering the user-agent header caused the IDP to misidentify the protocol and believe it to be using Modern Authentication. In all cases, Microsoft logs the connection as “Modern Authentication” due to the exploit pivoting from legacy protocol to the modern one. Unaware of the situation and the risks involved, the administrators and security professionals monitoring the tenant would see the connection as made via Modern Authentication.
- German Hospital Hacked, Patient Taken to Another City Dies | SecurityWeek.Com
- Kubernetes Goat
- flAWS - Pretty cool CTF that lets you sharpen your cloud hacking skills.
- Zerologon Windows exploit lets attackers instantly become admins on enterprise networks
- Linux users beware - you could be facing more cyber threats than ever before
- How Hackers Can Pick Your Locks Just By Listening - The hacking technology would go something like this: from a few centimeters away, the person conducting the attack records audio of the victim unlocking their door. For these purposes, a smartphone works just fine, the researchers found, but other microphone equipment could also suffice if it's strong enough. With proprietary software, the team removed noise from the audio file and calculated the distance between each ridge in the key, known as the "bitting depth."
- An overview of targeted attacks and APTs on Linux
- Most compliance requirements are completely absurd - Help Net Security - Jeff will love this: However, I think those who write requirements should take the Payment Card Industry Data Security Standard (PCI DSS) as an example. The PCI DSS applies to all organizations that store cardholder data and the requirements are clear, regularly updated, and you can find everything you need in one place. The way PCI DSS compliance is structured (in terms of requirement, testing procedures and guidance) is a lot clearer than anything else I’ve seen. It contains very little room for subjectivity, and you know exactly where you stand with it.
Tyler Robinson's Content:
- Trump Is Wrong About TikTok. China's Plans Are Much More Sinister. The West still doesn't understand the scale of Beijing's soft-power ambitions.
- "I Have Blood On My Hands": A Whistleblower Says Facebook Ignored Global Political Manipulation A 6,600-word internal memo from a fired Facebook data scientist details how the social network knew about specific examples of global political manipulation — and failed to act
- How One Man Conned the Beltway The billion-dollar “Black Budget” demands secrecy. That made it a perfect target.
- Treasury Sanctions Cyber Actors Backed by Iranian Intelligence Ministry
- Nvidia will buy Arm for up to $40 billion, combining smartphone, GPU powerhouses Nvidia is set to buy Arm for as much as $40 billion, the largest semiconductor deal ever. Nvidia says that it will use Arm's CPUs to bolster its AI technology.
- Chinese firm harvests social media posts, data of prominent Americans and military The Zhenhua database purports to offer insights into foreign political, military and business figures, and details about countries’ infrastructure
- QAnon Website Shuts Down After N.J. Man Identified as Operator A popular website for posts about the conspiracy group QAnon abruptly shut down after a fact-checking group identified the developer as a New Jersey man.
- Hackers attack Fairfax County Public Schools network, FBI investigating FCPS said ransomware had been placed on their technology systems. They believe they are the victim of 'cyber criminals connected to dozens of ransomware attacks.'