Episode592

From Security Weekly Wiki
Revision as of 18:17, 28 January 2019 by Wheat Loaf (talk | contribs) (Created page with "''Recorded January 24, 2019 at G-Unit Studios in Rhode Island!'' ==Episode Audio== <!-- <div align="center"> {{#widget:SoundCloud |id=496965687 |width=75% |height=100 |color=...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Recorded January 24, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Lee Neely
    is a Sr. Cyber Analyst at LLNL,SANS Analyst, SANS NewsBites Editor


  • Announcements

    • RSA Conference 2019 is coming up March 4 – 8 in San Francisco! Go to rsaconference.com/securityweekly-us19 to register now using the discount code 5U9SWFD to receive $100 off a full conference pass! If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
    • Join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Visit https://infosecworld.misti.com/ and use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass. If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

    Interview: Benjamin Daniel Mussler, Acunetix - 6:00-6:30PM


    Tech Segment: - 6:30 - 7:30PM



    Security News - 7:30PM-8:30PM

    Paul's Stories

    1. 5 Tips for Access Control Cybersecurity from an Ethical Hacker - Not all that different from security tips for your "regular" IT infrastructure: No Default Passwords – Take them out, everywhere. They’re in the documentation, they’re easy to find on the internet and the script to compromise them is easy to write. Keep Testing – Not interoperability testing. As a hacker, it doesn’t matter if you can integrate with different equipment. These devices need to be locked down, with strong passwords and proper equipment. If you don’t have the right staff, it’s alright. You can hire a consultant for what you need, and be safe moving forward with your typical staff once they leave. Vulnerability Tracking and Reporting – If you don’t have a process for this, there are many resources on the IT side on how to do this. You don’t have to reinvent the wheel. There will be vulnerabilities in everything — there is no shame in reporting them, but there is shame in keeping quiet about them. Know Your Hardware’s Software – A lot of hardware platforms ride on code from something else. Your engineer didn’t write them, they’re open source or free. The problem with this — although it saves you money on development — it also means you inherit the vulnerabilities from the code the engineer borrowed. Update Awareness Programs – If they’re the same slides you’ve made your employees look at every year, update them. Employees are your biggest vulnerability. They will be targeted. If you don’t properly train them, they will pose a risk to your organization regardless of what you do with the technology.
    2. Ready for DNS Flag Day? - Security Boulevard - The minimal working setup which will allow your domain to survive 2019 DNS flag day must not have a timeout result in any of the plain DNS and EDNS version 0 tests implemented in the ednscomp tool. Failures of the EDNS(1) tests will not cause any immediate problem.
    3. Cheating Attempts and the OSCP - When most people think of cheating, they think of having an answer sheet. Most often, individuals resort to buying the answers from someone else and just apply them to the exam. When this happens, we have a series of controls to deal with it. The other, less thought about, type of cheating is individuals simply claiming that they have the certification when they don’t. This one is easier to deal with as individuals just need to validate the certification. Last year, we rolled out our Acclaim Digital Badges, which have been very well received in the community. We also have a documented process on how to work directly with us to validate certifications.
    4. The Problem with Throwing Away a Smart Device Hackster Blog - In a very short space of time the teardown established that if you’ve connected the bulb to your Wi-Fi network then your network password will be stored in plain text on the bulb, and can be easily recovered just by downloading the firmware and inspecting it using a hex editor.
    5. Japan to Hunt Down Citizens Insecure IoT Devices - The country’s National Institute of Information and Communications Technology (NICT) has been tasked by the Ministry of Internal Affairs and Communications to carry out a “survey” of 200 million deployed IoT devices, starting with routers and web cams. A team of NICT white-hats will try to log into internet-discoverable devices using default credentials and a list of overused and easy-to-guess passwords. When insecure devices are uncovered, ISPs and local authorities will be notified, so they can work with impacted consumers and businesses to lock them down.
    6. Kid-Tracking Watches Allow Attackers to Monitor Real-Time Location Data - This was much worse than I tought: At issue was an easy-to-exploit, severe privilege-escalation vulnerability: The system failed to validate that the user had the appropriate permission to take admin control. An attacker with access to the watch’s credentials simply needed to change the user level parameter in the backend to an admin designation, which would provide access to all account information and all watch information. gator tracking watchMore specifically, the Gator works with a web login panel. Using a simple web proxy, the Pen Test Partners team was able to review requests being sent to the website – which included a “User[Grade]” parameter. Stykas simply guessed that this designates the level of privilege for the user and decided to play around with it. “I changed the value to two and nothing happened, BUT change it to zero and you get platform admin,” he said.
    7. Prepare to Defend Your Network Against Swarm-as-a-Service - For example, a new methodology was announced by scientists in Hong Kong that uses natural swarm behaviors to control clusters of nano-robots. These micro-swarms can be directed to perform precise structural changes with a high degree of reconfigurability, such as extending, shrinking, splitting and merging. Lots of hype in this one, but I can't help but think about Black Mirror.
    8. Exclusive: spreading CSV Malware via Google Sheets - Interesting as using Google Sheets to share it bypasses many protections: Finally an attacker could send a clear link over an instant message platform and/or over eMail asking to open up a Google Sheets suggesting to the victim to open the spreadsheet locally since “MSExcel compatibility issues”. At that time if the victim downloads the Google sheets and opens up locally (with Microsoft), the attacker might infect her box. Also, the ability to execute DDE in a .csv is interesting.
    9. Researchers published the PoC exploit code for Linux SystemD bugs - Nick and the team at Capsule8 are awesome, check out their blog for the PoC code that Qualys didn't publish!
    10. Imperva mitigated DDoS attack generated 500 Million Packets per Second, the largest ever - Earlier this month, the cyber security software and services company Imperva mitigated an attack against one of its clients that exceeded 500 million packets per second. This attack was a SYN flood DDoS and it is the largest DDoS attack by packet volume ever observed.
    11. New Mac malware steals cookies, cryptocurrency and computing power - Help Net Security
    12. 8 Cybersecurity Myths Debunked - Myth 1: You're Too Small to Be Attacked Myth 2: Passwords Are Good Enough Myth 3: Antivirus Is Good Enough Myth 4: It's IT's Problem Myth 5: BYOD is Safe Myth 6: Total Security Is Possible Myth 7: You Don't Need Assessments and Tests Myth 8: Threats Are Only External
    13. Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory

    Lee's Stories