Psw672

From Security Weekly Wiki
Revision as of 06:07, 30 October 2020 by Ppworks (talk | contribs)

Paul's Security Weekly Episode #672 - October 29, 2020

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Determining Vulnerability Exploitation With Real Software Activity - 06:00 PM-06:45 PM


Announcements

  • Security Weekly, in partnership with CyberRisk Alliance, is excited to present Security Weekly Unlocked on December 10, 2020. This one-day virtual event wraps up with the 15th anniversary edition of Paul’s Security Weekly live on YouTube! Visit https://securityweekly.com/unlocked to view the agenda and register for free!

Description

Only integrating vulnerability characteristics to determine risk leaves half the prioritization canvas empty. Observing and analyzing user interaction and other surrounding software characteristics provide the rich contextual clues to complete the picture.

This segment is sponsored by Vicarius.

Visit https://securityweekly.com/vicarius to learn more about them!


Prioritizing Vulnerabilities: A Holistic Approach: https://www.vicarius.io/blog/prioritizing-vulnerabilities


Presenter(s)

Roi Cohen

Cybersecurity expert with over 15 years of experience. Former research team leader at CyberArk, penetration tester, and graduate of an elite technology unit in the IDF.

Shani Dodge

Shani has 10 years of experience working as a cyber security researcher and a data scientist. Her malware research has led to the development of the industry’s most advanced analysis tools. Shani holds a B.Sc. in Computer Science and an M.B.A. specializing in finance, strategy and entrepreneurship, both from the Hebrew University of Jerusalem.


Hosts

2. How Computer Vision Balances Thoroughness & Speed - 07:00 PM-07:45 PM


Announcements

  • Join Amit Bareket, Co-founder & CEO of Perimeter 81 & Paul Asadoorian for a technical deep-dive into the problems inherent in legacy VPN technology. Together they will explore solutions for the modern workforce & how momentum toward perimeter-less architecture is helping redefine the future of cybersecurity. Register Now by visiting https://securityweekly.com/perimeter81

Description

Polarity uses computer vision that works like augmented reality for your data. It's not a new dashboard to search or a new portal to manage. Polarity augments your existing workflows, enriching your view as you do your work so you can see the story in your data without sacrificing thoroughness or speed. We'll be talking about how analysts are using Polarity to balance thoroughness and speed.

This segment is sponsored by Polarity.

Visit https://securityweekly.com/polarity to learn more about them!


Try the Free Community Edition of Polarity at https://polarity.io/sw


Presenter(s)

Paul Battista

Former intelligence officer for the Central Intelligence Agency’s Information Operation Center; participated in all elements of the intelligence cycle from planning operations through dissemination to senior policy makers in the White House. Before his government service, Paul was a senior engineer for Aetna Inc., a penetration tester, and incident responder for multiple Fortune 100 customers.


Hosts

3. JavaScript Web Tokens, NVIDIA GeForce Experience Vulns, & Hacking Coffee Pots - 08:00 PM-09:30 PM


Announcements

  • Would you like to have all of your favorite Security Weekly content at your fingertips? Do you want to hear from Sam & Andrea when we have upcoming webcasts & technical trainings? Have a question for one of our illustrious hosts, someone from the Security Weekly team, or wish you could “hang” out with the Security Weekly crew & community? Subscribe on your favorite podcast catcher, sign up for our mailing list, and join our Discord Server to stay in the loop on all things Security Weekly! Visit: https://securityweekly.com/subscribe

  • In our webcast on November 5th, we’ll show you how to build proper metrics and KPIs! Learn why you should stop trying to discover and classify data in our webcast on November 12th! Learn how to thwart attackers using deception in our November 19th technical training! Visit https://securityweekly.com/webcasts to see what we have coming up! Or visit securityweekly.com/ondemand to view our previously recorded webcasts!

Description

In the Security News: the KashmirBlack botnet is behind attacks on CMSs such as WordPress, Joomla, and Drupal; cybercriminals are coming after your coffee; irrigation systems and door openers are vulnerable to attacks; if you have Oracle WebLogic exposed to the Internet you are likely already pwned; who needs Internet Explorer any longer? And why isn't MFA more popular?!




Guest(s)

Paul Battista

Former intelligence officer for the Central Intelligence Agency’s Information Operation Center; participated in all elements of the intelligence cycle from planning operations through dissemination to senior policy makers in the White House. Before his government service, Paul was a senior engineer for Aetna Inc., a penetration tester, and incident responder for multiple Fortune 100 customers.


Hosts

Doug White's Content:

Articles

  1. Researchers extract secret key used to encrypt Intel CPU Code
  2. Spy agency ducks questions about back doors in tech products
  3. KashmirBlack botnet is in hundreds of thousands of CMS websites
  4. 10 healthcare malware, ransomware, and phishing incidents just this month

Jeff Man's Content:

Articles

Joff Thyer's Content:

Articles

Lee Neely's Content:

Articles

  1. Oregon Retailer Suffers Sustained Data Breach - Retailer Made in Oregon has disclosed it was hit by a six-month-long data breach during which an unidentified hacker managed to gain access to its e-commerce site, exposing customers' personally identifiable information (PII) and financial information.
  2. NVIDIA patches high severity GeForce Experience vulnerabilities - NVIDIA released a security update for the Windows NVIDIA GeForce Experience (GFE) app to address vulnerabilities.
  3. US sanctions Russian government institution tied to malware
  4. Dr. Reddy Labs discloses cyberattack soon after getting ok for final COVID vaccine trial - Dr. Reddy shut down services to stop the spread and rebuild. Impacts to the US may include delays on generic prescriptions.
  5. Harvest Finance Places Bounty on Hacker - $100K reward for help in contacting the cyber-attacker who stole some $24 million USD in value from one of its decentralized finance (DeFi) protocols in less than seven minutes.
  6. Sopra Steria Hit by New Ryuk Variant - External security firm hired, new IOCs released for detection-engine use. Sopra Steria stated that it had not identified any compromised data or damage caused to its customers’ information systems.
  7. KashmirBlack botnet behind attacks on CMSs like WordPress, Joomla, Drupal, others - A highly sophisticated botnet is believed to have infected hundreds of thousands of websites by attacking their underlying content management system (CMS).
  8. Ransomware attack disabled Georgia County Election database - Reportedly disabled a database used to verify voter signatures.
  9. A Different Perspective: Cyber Security Through the Eyes of a Journalist - Sean Lyngaas (@Snlyngaas), Senior Reporter at CyberScoop, provides his perspective on writing about security without introducing hype or hysteria.
  10. HPE fixes maximum severity remote auth bypass bug in SSMC console - Complicated to exploit; no evidence of exploitation in the wild.
  11. Steelcase Office Furniture Giant Hit by Ryuk Ransomware Attack - Steelcase stated in the 8-K form that it was not aware of any sensitive or customer data loss from its systems, or any other loss of assets as a result of this attack.
  12. New Windows RAT Can Be Controlled Via a Telegram Channel - Dubbed "T-RAT", it can control infected systems and purportedly provides buyers with easier and faster access to infected systems from any location. T-RAT, which is being sold for a mere $45 USD, also reportedly allows attackers to activate data-stealing functionality as soon as targeted systems are infected and before T-RAT's presence is discovered.

Paul Asadoorian's Content:

Articles

  1. Cybercriminals Could be Coming After Your Coffee - From the article: When it comes to whether you should get an IoT device or not, the general rule is to first ask yourself this question: Do I really need my light bulb/coffee pot/washing machine/doorbell/other household items to be smart? The real question is "When will I no longer have a choice?".
  2. JWT Tokens: The What, How, and Why - This helped me understand things: The main difference to notice here is that with cookies, the information is stored server-side, while with JWT, since the information is stored in the actual token, the information is stored client-side. Since the server doesn’t need to remember anything, this simplifies things a lot, especially when working with multiple servers and having different sessions. Some JWT attacks rely on poor key management...
  3. Attackers finding new ways to exploit and bypass Office 365 defenses - Help Net Security - Oh, all we need is Zero Trust: Zero-trust email: Adhere to a zero-trust-email approach, which should serve as a baseline for an email security strategy. All email, especially ongoing interactions with external partners and suppliers, should be considered areas of compromise.
  4. Oracle VM VirtualBox Buffer Overflow - A buffer overflow vulnerability in Oracle VM VirtualBox was privately reported to Oracle on September 22, 2020 and was silently patched in VM VirtualBox version 6.1.16r140961. Not-so-silent (though no exploit example was provided, I didn't look further).
  5. Microsoft IE Browser Death March Hastens - Most users are running Chrome, Chrome has plenty of vulnerabilities, do we need IE any longer?
  6. 78% of Microsoft 365 admins don't activate MFA - Help Net Security - 99% is a lot... According to SANS, 99% of data breaches can be prevented using MFA. This is a huge security risk, particularly during a time when so many employees are working remotely.
  7. Humans are Bad at URLs and Fonts Don't Matter - This is why you need more than awareness training.
  8. Hackers Can Open Doors by Exploiting Vulnerabilities in Hörmann Device | SecurityWeek.Com - In one attack scenario described by SEC Consult for SecurityWeek, an attacker who is able to connect to the local network can open doors connected to the Hörmann gateway by executing a small script. The attack does not require authentication and it can be conducted from a mobile phone.
  9. URL and website scanner - urlscan.io
  10. Over 100 irrigation systems left exposed online without protection
  11. Microsoft Introduces New Password Spray Detection for Azure | SecurityWeek.Com
  12. Anonymous Authentication: How to Secure Public APIs
  13. Back to the future: What the Jericho Forum taught us about modern security - Microsoft Security - Truth: While it’s tempting to think “but it’s just safer if we block it entirely”, beware of this dangerous fallacy. Users today control how they work and they will find a way to work in a modern way, even if they must use devices and cloud services completely outside the control of IT and security departments. Additionally, attackers are adept at infiltrating approved communication channels that are supposed to be safe (legitimate websites, DNS (Domain Name Servers) traffic, email, etc.).
  14. Nagios XI 5.7.3 Remote Command Injection
  15. StackRox Releases Open Source Tool for Finding Kubernetes Misconfigurations | SecurityWeek.Com
  16. Can automated penetration testing replace humans? - Help Net Security - The speed of the test and reporting is many magnitudes faster, and the reports are actually surprisingly readable (after verifying with some QSAs, they will also pass the various PCI DSS pentesting requirements). And: The second advantage is the entry point. A human pentester may be given a specific entry point into your network, while an automated pentesting tool can run the same pen test multiple times from different entry points to uncover vulnerable vectors within your network and monitor various impact scenarios depending on the entry point.
  17. KashmirBlack Botnet Hijacks Thousands of Sites Running On Popular CMS Platforms
  18. Oracle WebLogic Server RCE Flaw Under Active Attack - Love this: “At this point, we are seeing the scans slow down a bit,” said Ullrich in a Thursday post. “But they have reached ‘saturation’ meaning that all IPv4 addresses have been scanned for this vulnerability. If you find a vulnerable server in your network: Assume it has been compromised.”
  19. Tracking Users on Waze - Schneier on Security
  20. Microsoft Introduces Device Vulnerability Report in Defender for Endpoint | SecurityWeek.Com
  21. Redirect Detective - Discover where those redirects really go to
  22. Hackers may have been of its time, but it was also ahead of it
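The JWT point in item 2 above (the claims live inside the token, so the server keeps no session state and the whole scheme rests on the signing key) is easier to see in code. The following is an added example written for these show notes; it is not code from the linked article or from any JWT library. It uses only the Python standard library, a constructed demo key, and constructed claims, and its function names are the author's own. It shows that the claims are readable by anyone holding the token, that a token whose claims were altered without the key fails verification, and that the server pins the algorithm instead of trusting the token's header.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. In a real service the key lives in a secrets store and is
# rotated; it is never derived from, or selected by, anything inside the token.
SECRET_KEY = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url; restores the padding that was stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def read_claims_unverified(token: str) -> dict:
    """Decode the claims without checking the signature.

    This is what "stored client-side" means: anyone holding the token can read
    the claims, so nothing secret belongs in them. Never use this for authorization.
    """
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the token is well-formed and its HMAC checks out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        presented_mac = _b64url_decode(sig_b64)
    except ValueError:  # covers wrong segment count, bad base64 and bad JSON
        return None
    # Pin the algorithm server-side rather than trusting the header the client sent.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected_mac = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected_mac, presented_mac):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def alter_claims_without_resigning(token: str, new_claims: dict) -> str:
    """Swap the claims segment but keep the old signature (no key available).

    Used here only to show that verify_jwt rejects such a token: the MAC covers
    the claims, so changing them without the key breaks verification.
    """
    header_b64, _, sig_b64 = token.split(".")
    new_payload_b64 = _b64url(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


if __name__ == "__main__":
    token = sign_jwt({"sub": "alice", "role": "user"}, SECRET_KEY)
    print("claims readable without the key:", read_claims_unverified(token))
    print("valid token verifies to:", verify_jwt(token, SECRET_KEY))
    altered = alter_claims_without_resigning(token, {"sub": "alice", "role": "admin"})
    print("altered claims verify to:", verify_jwt(altered, SECRET_KEY))
    print("wrong key verifies to:", verify_jwt(token, b"some-other-key"))
```

The key management point from the article follows directly: because the server stores nothing per session, the signing key is the only thing standing between a readable token and a trusted one, so it must be strong, kept out of the token and the client, rotated, and never chosen by the token's own header.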

Tyler Robinson's Content:

Articles

  1. Iran and Russia Seek to Influence Election in Final Days, U.S. Officials Warn Iran is behind threatening, spoofed emails sent to voters, the officials said, but there was no indication that any votes themselves had been altered.
  2. Spammers and scammers using U.S. election to turn profit online, Facebook says Fraudsters from Albania to Vietnam are posting about U.S. politics and the upcoming presidential election to build fake audiences, maximise clicks and make money online, Facebook Inc said on Wednesday. https://about.fb.com/wp-content/uploads/2020/10/Inauthentic-Behavior-Report-October-2020.pdf
  3. Russia’s Clandestine Chemical Weapons Programme and the GRU’s Unit 29155 - bellingcat On October 15, 2020, the European Union imposed sanctions on six senior Russian officials and a leading Russian research institute over the alleged use of a nerve agent from the Novichok family in the poisoning of opposition leader Alexey Navalny. Russia dismissed as baseless the EU’s allegations that it had not complied with its obligations,
  4. Russian Vehicle Registration Leak Reveals Additional GRU Hackers - bellingcat A leaked database reveals the identities of dozens of hackers who registered vehicles to a non-existent address used by GRU operatives
  5. Removing Coordinated Inauthentic Behavior - About Facebook Today we removed three separate networks for violating our policy against coordinated inauthentic behavior – two targeted the US, among other countries, and one originated in and targeted audiences in Myanmar.
  6. Several hospitals targeted in new wave of ransomware attacks Several hospitals across the United States have been targeted in a ransomware attack in what appears to be an escalation and expansion of similar attacks previously launched on other hospitals and medical facilities
  7. What happened over the summer? They're not sure, but the data clearly shows RYUK has returned. But does that mean UNC1878 has returned? Maybe, but DON'T ATTRIBUTE BASED ON MALWARE FAMILY ALONE. AGAIN FOR THE FOLKS IN BACK....DON'T. ATTRIBUTE. ON. MALWARE. FAMILY. ALONE.
  8. Is The Cybersecurity Industry Selling Lemons? Apparently Lots Of Important CISOs Think it Is And what do these highly qualified professionals think about the cybersecurity products their industries have been buying? I’d like to say this is a shock, but the answer is not a lot.
  9. Amazon Fired Employee for Leaking Customer Emails The employee leaked customer email addresses to an unnamed third party, according to disclosure emails obtained by Motherboard.
  10. Zero-hour auto purge (ZAP) - Office 365 Admins can learn how zero-hour auto purge (ZAP) can retroactively move already-delivered messages that are later found to be spam or phishing from an Exchange Online mailbox to the Junk Email folder or to quarantine.
  11. In a first, researchers extract secret key used to encrypt Intel CPU code - Hackers can now reverse-engineer updates or write their own custom firmware.
  12. An implant dropper dubbed #ComRATv4 recently attributed by @CISAgov and @FBI to Russian sponsored APT, Turla. It was likely used to target ministries of foreign affairs and national parliament. @CNMF_CyberAlert continues to disclose #malware samples on: https://www.virustotal.com/en/user/CYBERCOM_Malware_Alert/ https://pbs.twimg.com/media/Elgz43rWMAMbwLx.jpg