Episode596

From Paul's Security Weekly
Jump to: navigation, search

Recorded February 28, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Matt Alderman
    CEO at Security Weekly, Strategic Advisor, and Wizard of Entrepreneurship
  • Lee Neely
    is the Sr Cyber Analyst at LLNL,SANS Analyst
  • Jeff Man
    Cryptanalyst,
    infosec analyst, pioneering ex-NSA pen tester, PCI specialist,
    Tribe of Hackers, & InfoSec Curmudgeon.
    Currently a Sr. InfoSec Consultant for Online Business Systems.
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security.


  • Announcements

    • Join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Visit https://infosecworld.misti.com/ and use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass. If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!

    • OSHEAN is hosting RI Cybersecurity Exchange Day on March 13th at the O'Hare Academic Building at Salve Regina in Newport, RI! Register Now @ OSHEAN.org/events.

    • SecureWorld Boston is hosting their 15th annual conference March 27-28 @ the Hynes Convention Center. Security Weekly Listeners save $100 off a full conference pass by visiting secureworldexpo.com and using the code 'SecurityWeekly'.


    • We just released our 2019 Security Weekly 25 Index Survey. Please go to securityweekly.com and click the Survey link to help us understand who's evaluating, using, or formerly used any of the Security Weekly 25 companies. The results will be summarized and presented back to all responders in a private webcast.

    Catching Up On The Hype: Threat Intelligence - Allan Liska, Recorded Future - 6:00-6:30PM

    Allan Liskais the Senior Solutions Architect at Recorded Future
    Allan Liska is a solutions architect at Recorded Future. Allan has more than 15 years experience in information security and has worked as both a security practitioner and an ethical hacker. Through his work at Symantec, iSIGHT Partners, FireEye, and Recorded Future, Allan has helped countless organizations improve their security posture using more effective and integrated intelligence. He is the author of The Practice of Network Security, Building an Intelligence-Led Security Program, and Securing NTP: A Quickstart Guide and the co-author of DNS Security: Defending the Domain Name System and Ransomware: Defending Against Digital Extortion.

    Threat intelligence – no longer just for the secret squirrels among us. While the term can elicit reactions ranging from exasperated sigh to flashbacks of security buzzword bingo circa 2015, Recorded Future is delivering on the industry promise – actionable intelligence for all security pros.

    The All New Recorded Future Browser Plugin - This new plugin helps you gather information on domains and IP addresses in your browser. It's cool, I'm using it, you should too!

    If you'd like a free trial, Security Weekly listeners can go here: https://www.recordedfuture.com/securityweeklytrial


    Interview: David Marble, OSHEAN - 6:30 - 7:30PM

    David Marble
    is the President & CEO at OSHEAN.
    David Marble is the President and CEO of OSHEAN Inc. in North Kingstown, Rhode Island. David brings over 30 years of experience in technology companies. He is experienced in operations planning, budget development and management as well as technical planning and project management. David is also on the Board of Directors and Secretary for the Northeast Research and Education Network (NEREN) as well as on the Board of Directors and Chair of the CEO Roundtable for The Quilt (The National REN coalition). David was the co-founder and director of operations of the Association for Authentic, Experiential and Evidence-Based Learning (AAEEBL). AAEEBL established affiliations and collaborations with nearly all worldwide ePortfolio initiatives and cultivated membership of over one hundred academic institutions. He is also the founding member of MetaLearning, a strategic consulting group working in the use of technology for advanced learning environments. From 2001- 2007, David was the Chief Operating Officer and VP of Business Development for TAZZ Networks working in policy networking and prior to that was VP of Optical Networks for Lucent.



    Security News - 7:30PM-8:30PM

    Paul's Stories

    YouTube Controversy

    The examples in this post https://pedimom.com/youtube-kids-inappropriate-videos/ are enough to make anyone want to turn off YouTube in your house and for your children. There are benefits to watching YouTube (my son developed a love for Marvel super heroes, which is awesome). However, when does the negative outweigh the positive? Most importantly, what will YouTube do about this? What can we as the security community do to help? (I promised my 5-year-old son that I'd ask all my hacker friends to track down the "bad people" on YouTube, and there are few things that are more upsetting than an disappointed child).

    1. Harassment, hate and bile, suicide instructions for kids... anything else social media's good at? Ah yes, cybercrime
    2. YouTube loses advertisers over "wormhole into pedophilia ring" - The companies pulled advertising days after YouTuber Matt Watson posted a video detailing what he calls "a wormhole into a soft-core pedophilia ring on YouTube." "YouTube's recommended algorithm is facilitating pedophiles' ability to connect with each other, trade contact info, and link to actual CP [child pornography] in the comments," Watson reported. "I can consistently get access to it from vanilla, never-before-used YouTube accounts via innocuous videos in less than ten minutes, in sometimes less than five clicks."
    3. Cyber expert says deleting Momo 'is not as straight forward as we think'
    4. Parents: don't panic about Momo – worry about YouTube Kids instead - YouTube’s key failing here is that it relies on a “flagging” system to find and purge inappropriate content, which means someone has to actually see the video in question and report it before anything can be done. Pre-moderation, where videos don’t make it on to YouTube Kids until they’ve been watched in full by a human being, is realistically the only way to keep the platform safe from malicious pranksters. But YouTube has shown no appetite for this, instead emphasizing its “robust” content-reporting features in its responses to these continual controversies. Also, I hate the flagging system as what happens when a group of people has a bone to pick with someone or some channel?

    Vulnerabilities

    1. A Case Study in Wagging the Dog: Computer Takeover
    2. Cloudborne IaaS Attack Allows Persistent Backdoors in the Cloud - Far from a targetted attack: “While physical servers are dedicated to one customer at a time, they don’t stay that way forever,” researchers explained in a Tuesday posting. “Servers are provisioned and reclaimed over time and naturally move from customer to customer. The issue is that all too often, the servers’ firmware is not re-flashed (overwritten to factory settings, essentially) when a server is reclaimed by the cloud provider to be moved on to a new user. This allows the firmware to persist from customer to customer, including any changes a malicious user might make to it. In the Cloudborne scenario, an attacker can first use a known vulnerability in Supermicro hardware (present in many cloud providers’ infrastructure, the firm said), to overwrite the firmware of a Baseboard Management Controller (BMC). BMCs are a third-party component designed to enable remote management of a server for initial provisioning, operating system reinstall and troubleshooting.
    3. PDF zero-day samples harvest user data when opened in Chrome - Exploit detection service EdgeSpot spotted several PDF documents that exploit a zero-day vulnerability in Chrome to harvest data on users who open the files through the popular web browser. The experts initially detected the specially-crafted PDF files in December 2018.
    4. Cisco SOHO wireless VPN firewalls and routers open to attack - This is still happening: The flaw is in the devices’ web-based management interface and arose due to improper validation of user-supplied data. By sending a malicious HTTP requests to a vulnerable device, an attacker may be able to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user.
    5. Researchers and businesses need to work together to expose IoT vulnerabilities - Don't mess with my coffee, there is no tech in my french press coffee maker: Two new vulnerabilities have been unocovered within connected devices that allow hackers access to the personal lives of consumers, according to McAfee researchers. A vulnerability within BoxLock smart padlock enables hackers to unlock the device within a few seconds, and a vulnerability within the Mr. Coffee brand coffee maker with Wemo grants hackers access to home networks.
    6. Thunderclap: Apple Macs at risk from malicious Thunderbolt peripherals - DMA strikes again, balancing security and performance is tricky.
    7. Ring Doorbell Flaw Opens Door to Spying - However, BullGuard researchers found that audio and video footage sent from the doorbell to the app was transmitted in plaintext – meaning that an attacker could extract that data. “The data seems sensible, and therefore we might be able to extract it,” they said. “Using our handy videosnarf [VoIP Sniffer and security tool] utility, we get a viewable MPEG file. This means anyone with access to incoming packets can see the feed! Similarly, we can also extract the audio G711 encoded stream.”
    8. Bots Plague Ticketing Industry
    9. Vulnerability exposes the location of thousands of malware C&C servers - LOVE this: Over the past few years, Cobalt Strike slowly became the go-to toolkit for many threat actors, such as the FIN6 and FIN7 (Carbanak) cyber-criminal gangs, but also nation-state hackers such as APT29 (Cozy Bear) But unbeknownst to all these hacker groups was that Fox-IT researchers discovered a bug in the Cobalt Strike server component. Built on NanoHTTPD, a Java-based web server, crooks didn't know that it contained a bug that allowed Fox-IT to track them since 2015. According to Fox-IT researchers, the NanoHTTPD server accidentally added an additional space in the server's HTTP responses, like in the image below. This extra whitespace allowed Fox-IT to detect Cobalt Strike communications between beacons and their C&C servers across the years, until January 2, 2019, when Cobalt Strike developers patched the bug and removed the extra space in version 3.13.

    Discussions

    1. A basic question about TCP - From the time the phone system was created in the 1800s up until the 2007 release of the iPhone, phone companies wanted to control the applications that users ran on their network. The OSI Model that you learn as the basis of networking isn't what you think it is: it was designed with the AT&T phone network and IBM mainframes being in control over your applications. The creation of TCP/IP and the Internet changed this, putting all the power in the hands of the ends of the network. The version of the OSI Model you end up learning is a retconned model, with all the original important stuff stripped out, and only the bits that apply to TCP/IP left remaining.
    2. LDAP for AWS without Servers - Could Amazon (and other) become viable alternatives to MS Active Directory?
    3. Becoming Better At RSA - Becoming better appears to be the theme, what can we do better as a security community and/or industry?
    4. The Huawei controversy: Everything you need to know - The Chinese telecom giant may have run into its biggest trouble yet in late January when the US Justice Department unsealed indictments that included 23 counts pertaining to the theft of intellectual property, obstruction of justice and fraud related to its alleged evasion of US sanctions against Iran. But the core issue with Huawei has been concerns over its coziness with the Chinese government and fears that its equipment could be used to spy on other countries and companies. It's the reason why the US banned companies from using Huawei networking equipment in 2012.
    5. Security Firm to Offer Free Hacking Toolkit

    Lee's Stories

    1. TurboTax accounts compromised, Intuit offers credit monitoring Attackers use compromised credentials to access TurboTax Accounts, Intuit locks down affected accounts
    2. Blockchain security issues discoverd Implementation flaws and algorythmic weakesses (such as a 51% attack) revealed as more blockchains created
    3. Sandia supercharges the Honeypot Vince Urias from SNL works to create honeypots that emulate full environment
    4. SEDC customer passwords stored in the clear Web sites offered password recovery by emailing clear text passwords were storing them in the clear. Passwords being converted to salted hashes.
    5. All chips inherently vulnerable to Spectre/Meltdown FUD aside, Google researchers say that fundamental chip design cannot distinguish good and bad commands, meaning meltdown and spectre are here to stay.

    Jeff's Stories

    I've got a busy week coming up - mostly surrounding RSA Conference next week:

    1. I'm presenting 'Spies, Ciphers, Symbols, & Secret Writings' at BSidesNoVa
    2. Tribe of Hackers Panel at MACH37 & CIT Launch Lounge at RSA Conference
    3. Presenting 'The Art of the Jedi Mind Trick' Workshop during Peerlyst trainings during RSA Conference 2019