Application Security Weekly Episode #134 – December 14, 2020

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Freedom From Computing Environments – 12:30 PM-01:00 PM

Sponsored By

Visit https://securityweekly.com/teleport for more information!

Announcements

  • We have officially wrapped up all of the recordings for our 2020 webcasts & technical trainings! Stay tuned as we build out our schedule for next year! Visit https://securityweekly.com/ondemand to view all of our 2020 webcasts & trainings!

Description

We built OSS Teleport to provide a Unified Access Plane that consolidates access controls and auditing across all environments – infrastructure, applications, and data.

This segment is sponsored by Teleport.

Visit https://securityweekly.com/teleport to learn more about them!

Guest(s)

Ev Kontsevoy –

CEO at Teleport

Ev Kontsevoy is Co-Founder and CEO of Teleport. An engineer by training, Kontsevoy launched Teleport in 2015 to provide other engineers with solutions that allow them to quickly access and run any computing resource anywhere on the planet without having to worry about security and compliance issues. A serial entrepreneur, Ev was CEO and co-founder of Mailgun, which he successfully sold to Rackspace. Prior to Mailgun, Ev held a variety of engineering roles. He holds a BS degree in Mathematics from Siberian Federal University, and has a passion for trains and vintage-film cameras.

Hosts

John Kinsella –

Chief Architect at Accurics

Matt Alderman –

Executive Director at CyberRisk Alliance

Mike Shema –

Product Security Lead at Square

2. Atheris Python Fuzzer, Bronze Bit Attack, & FireEye Highlights – 01:00 PM-01:30 PM

Announcements

  • Do you always end up missing our live streams? Need somewhere to flag Security Weekly podcasts that you want to listen to? Subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server to stay in the loop on all things Security Weekly! Visit: https://securityweekly.com/subscribe

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

FireEye shares supply chain subterfuge, researchers show repeated mistakes in TCP/IP stacks, Google open sources Python fuzzing, Cisco and Microsoft patch their patches for vulns in Jabber and printer modules.

Hosts

John Kinsella –

  1. Fuzzing makes finding issues easy – but then what? – There’s an interesting thread on oss-security about what to do with the issues found from fuzzing. It’s easy to let the fuzzer rip, but do you just patch, or do you attempt to validate each issue and create/disclose CVEs as you process the findings?
  2. Open-source developers say securing their code is a soul-withering waste of time – A survey of 1200 OSS contributors found that they spend 2.27% of their time on appsec; their average ideal time to spend is 2.33%. They want clear, non-noisy results so they can fix them, not to audit, and find security to be “a procedural hindrance” “best left for the lawyers and process freaks.”

    Less than 3% of time spent on appsec, yet close to 50% are paid by their employers to work on OSS.

    Security subsection pages 31-33.

Matt Alderman –

Mike Shema –

  1. Amnesia 33: How TCP/IP Stacks Breed Critical Vulnerabilities in IoT, OT and IT Devices – IoT is notorious for insecure designs, especially in default configurations and poor authentication, so why is it also recreating vulns in well-understood protocols, especially when so much of it is reusing open source components?
  2. How the Atheris Python Fuzzer Works – Google brings fuzzing to Python, taking advantage of new language features in Python 3.8 and taking the time to make libFuzzer work for as many distributions as possible — an effort that takes the tool beyond a research effort and into a useful DevOps capability.
  3. Researcher Developed New Kernel-Level Exploits for Old Vulns in Windows – Old print driver plus user mode code in the kernel makes for a flaw reaching from Windows 10 back to Windows 7. Some interesting research revealed in Black Hat Europe that sheds light on the trade-off between maintaining legacy code vs. rearchitecting code into isolated modules.
  4. OPAQUE: The Best Passwords Never Leave your Device – Passwords have been threatened with extinction for years, yet remain the most pervasive proof of identity within apps. WebAuthn is trying to bring a new generation of hardware-backed identity proofs. Here’s another example of trying to redirect the asteroid to the dinosaurs of authentication.
  5. FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community – At first glance, it might feel like an indirect relation to AppSec, but if you’re talking with a DevOps team about conducting postmortems and providing transparency on issues — whether security or stability — this is another good example to reference. Plus, it’s a reminder that you can’t prevent all breaches, so having mature detection and response capabilities should always be a part of your secure development lifecycle.
    Yet a followup from FireEye highlights the supply chain aspect of this compromise, firmly placing the threat into appsec territory. (https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html)
    Some more technical details on responding are available from CISA at https://cyber.dhs.gov/ed/21-01/.
  6. Cisco 9.9/10-severity bug: Patch these dangerous Jabber flaws for Windows, macOS – This is another case where a company needs a second go-around to fortify its first fix for a vuln. It’s also another case where a company is using an embedded browser variation that ends up being less secure than just using a browser in the first place. We’ve gone from Java as the promised write-once run anywhere to bastardizing the browser so JavaScript can become the write-once XSS anywhere.
  7. Proof-of-concept exploit code published for new Kerberos Bronze Bit attack – Another bug that was patched and needed a patch for the patch. The flaw itself stems from a subtle nuance in the interplay of encryption and signing — and even worse when they don’t have any interplay at all.

    Read a more detailed background of Kerberos and how this flaw affects it at https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-theory/.
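To make the Atheris item above concrete, here is an added example of what a Python fuzz harness for it looks like; it is not code from the show or from Google's Atheris project. The record parser, its deliberate division-by-zero bug, and the crash_type triage helper are constructed for illustration; the atheris calls (instrument_all, Setup, Fuzz) are the real entry points and only run when the package is installed.

```python
import struct
import sys

# Constructed target: records are <type:1 byte><length:2 bytes big-endian><payload>.
# Type 2 carries UTF-8 text; type 3 carries a (numerator, denominator) byte pair.
def parse_records(data: bytes) -> list:
    records = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 3:
            raise ValueError("truncated header")
        rtype = data[pos]
        (length,) = struct.unpack_from(">H", data, pos + 1)
        pos += 3
        payload = data[pos:pos + length]
        if len(payload) != length:
            raise ValueError("truncated payload")
        if rtype == 2:
            # UnicodeDecodeError is a ValueError, so bad text counts as a clean rejection
            records.append((rtype, payload.decode("utf-8")))
        elif rtype == 3:
            if length != 2:
                raise ValueError("bad ratio record")
            # Deliberate bug for the fuzzer to find: no check for a zero denominator
            records.append((rtype, payload[0] / payload[1]))
        else:
            records.append((rtype, payload))
        pos += length
    return records

def TestOneInput(data: bytes) -> None:
    """Fuzz entry point: ValueError is the documented rejection path, anything else is a finding."""
    try:
        parse_records(data)
    except ValueError:
        pass

def crash_type(data: bytes) -> str:
    """Triage helper: name of the unexpected exception for an input, or '' if it was handled."""
    try:
        TestOneInput(data)
    except Exception as exc:  # we want every uncaught type, that is the point of triage
        return type(exc).__name__
    return ""

def main() -> None:
    import atheris  # pip install atheris; only needed to actually drive libFuzzer
    atheris.instrument_all()  # coverage instrumentation for all loaded Python code
    atheris.Setup(sys.argv, TestOneInput)
    atheris.Fuzz()

if __name__ == "__main__":
    main()
```

Running the file under Atheris finds the zero-denominator input within seconds; the crash_type helper reproduces a saved crash input so it can be classified before deciding whether it warrants a CVE, which is the triage question raised in the fuzzing item under John's notes.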