Paul’s Security Weekly Episode #679 – January 07, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Automated Vulnerability Remediation – The Good, the Bad and the Ugly – 06:00 PM-06:45 PM

Sponsored By

Visit https://securityweekly.com/vicarius for more information!

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

The way we identify, prioritize, and mitigate software vulnerabilities was built in the reverse order. Why did it happen? Could a new remediation strategy finally form an alliance between IT and security teams?

This segment is sponsored by Vicarius.

Visit https://securityweekly.com/vicarius to learn more about them!

https://www.vicarius.io/blog/automated-vulnerability-remediation-the-good-the-bad-and-the-ugly

Presenter(s)

Clayton Fields – Vice President at Vicarius

For 15 years, Clayton has been a technologist and client advocate. He helped launch the first intrusion prevention system for Active Directory. Clayton brings a breadth of acquisition experience focused on market truths and buyer languages.

Michael Assraf – CEO & Co-Founder at Vicarius

Michael has more than ten years of experience in the startup world. He has been part of six different startups, filling out several positions up to VP R&D, both on the tech and operational sides. In his last position at Atlis, Michael built and managed an R&D department. He led the Israeli team of the startup on a daily basis from day one to the release of the product’s GA. In his professional experience, Michael filled multiple positions from Network Engineer at Deltathree, Automation Engineer at Secure Islands (later acquired by Microsoft), Software Developer at Idomoo to VP R&D at Cellxpert and Atlis. Michael holds an MBA from Tel Aviv University and a BSc from the Jerusalem College of Engineering.

Hosts

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

Larry Pesce – Senior Managing Consultant and Director of Research at InGuardians

Lee Neely – Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian – Founder/CIO at Security Weekly/CyberRisk Alliance

Tyler Robinson – Managing Director of Network Operations at Nisos, Inc

2. What Has Changed (or Not) Since Our Last Visit? – 07:00 PM-07:45 PM

Description

  • What are we seeing from infosec graduates as they come into the enterprise to begin their careers?

  • How has data privacy changed since 2014?

  • Is the cloud a solution, or does it create more problems?

  • How does the changing model of application architecture and security testing improve things? (DevOps, “shift left” testing, IAST, etc.)

Guest(s)

Ming Chow – Associate Teaching Professor at Tufts University

Ming Chow is an Associate Teaching Professor at the Tufts University Department of Computer Science. He has served as a mentor to a BSides Las Vegas Proving Ground track speaker since 2014, a track focused on helping new speakers in the information security and hacker communities acclimate to public speaking.

Hosts

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

Larry Pesce – Senior Managing Consultant and Director of Research at InGuardians

Lee Neely – Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian – Founder/CIO at Security Weekly/CyberRisk Alliance

Tyler Robinson – Managing Director of Network Operations at Nisos, Inc

3. Custom Python Encryption, Shady 0-Days, & The Great iPwn – 08:00 PM-09:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Description

In the Security News: Nissan source code leaked, how the shady 0-day sales game is evolving, Hack the Army 3.0 announced, creating your own custom encryption in Python, the FBI warns of swatting attacks targeting your smart devices, & the rise of unCAPTCHA3!

Hosts

Jeff Man –

Larry Pesce –

  1. Nissan Source Code Leaked Online After Git Repo Misconfiguration – Slashdot
  2. Widely Used Software Company May Be Entry Point for Huge U.S. Hacking
  3. Attacks targeting healthcare organizations spike globally as COVID-19 cases rise again – Check Point Software
  4. 81,000 UK-owned .eu domains suspended as Brexit transition ends
  5. Telegram Triangulation Pinpoints Users’ Exact Locations
  6. DHS Looking Into Cyber Risk from TCL Smart TVs
  7. Let’s Encrypt comes up with workaround for abandonware Android devices
  8. The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit – The Citizen Lab

Lee Neely –

  1. Ticketmaster fined $10 million for breaking into rival’s systems – Former employees of a competitor provided Ticketmaster with URLs of ticketing web pages and stolen passwords that were used to unlawfully collect business intelligence by repeatedly accessing the competitor’s systems without authorization.
  2. Malware uses WiFi BSSID for victim identification – New malware strain that relies on obtaining victims’ Basic Service Set Identifier (BSSID) in addition to stealing their IP addresses, and then checking the BSSID against Alexander Mylnikov’s free BSSID-to-geo database in order to obtain victims’ last geographical locations.
  3. Activists Publish a Vast Trove of Ransomware Victims’ Data – Distributed Denial of Secrets (DDoSecrets) transparency collective published a new data set containing approximately 1TB of data that includes more than 750,000 emails, photos, and documents belonging to five companies. The group is also reportedly offering to privately share another 1.9TB of data lifted from more than 12 other organizations with academic researchers and/or journalists.
  4. Babuk Locker is the first new enterprise ransomware of 2021 – Babuk targets victims using executables customized for each victim that contain a hard-coded extension, ransom note, and a Tor victim URL. Once executed on targeted systems, attackers can use command-line arguments (i.e., lanfirst, lansecond, nolan) to control how the ransomware encrypts network shares and whether to encrypt them before the local file system is encrypted.
  5. Russian Software Company May Be Entry Point for Huge U.S. Hack – American intelligence agencies and private cybersecurity investigators are examining the role of a widely used software company, JetBrains, in the far-reaching Russian hacking of federal agencies, private corporations and United States infrastructure. Hackers allegedly exploited TeamCity to compromise networks.

Paul Asadoorian –

  1. Telecommunication Use Cases
  2. How the Shady Zero-Day Sales Game Is Evolving – “What we’re really seeing is not people selling vulnerabilities, but selling the access that they obtained using those vulnerabilities,” he says.

    That access is then used to deploy ransomware or malware, create a botnet with the company’s computer system, steal proprietary information, etc. Because of the global COVID-19 pandemic, Sannikov says there’s been an important shift toward access-as-a-service where the hacker or hacking group doesn’t steal data themselves. He compares it to specialized teams of thieves targeting a house.” I interviewed Roman Sannikov, director of cybercrime and underground intelligence at Recorded Future, great dude, well trusted.

  3. Nvidia Warns Windows Gamers of High-Severity Graphics Driver Flaws – “What we’re really seeing is not people selling vulnerabilities, but selling the access that they obtained using those vulnerabilities,” he says. That access is then used to deploy ransomware or malware, create a botnet with the company’s computer system, steal proprietary information, etc. Because of the global COVID-19 pandemic, Sannikov says there’s been an important shift toward access-as-a-service where the hacker or hacking group doesn’t steal data themselves. He compares it to specialized teams of thieves targeting a house.” – This comes from Roman Sannikov, director of cybercrime and underground intelligence at Recorded Future. I’ve interviewed Roman in the past, awesome dude, and trust his analysis and research.
  4. Multiple flaws in Fortinet FortiWeb WAF could allow corporate networks to hack – “A stack-based buffer overflow vulnerability in FortiWeb may allow an unauthenticated, remote attacker to overwrite the content of the stack and potentially execute arbitrary code by sending a crafted request with a large certname.”
  5. What happens when a Chrome extension with 2m+ users changes hands, raises red flags, doesn’t document updates? Let’s find out – More supply chain: “The issue with Great Suspender appears to have been the use of an open-source analytics package, Open Web Analytics (OWA), in conjunction with remote scripts and a CDN – the concern was that user information was being spirited away.”
  6. Create Your Own Custom Encryption in Python – I read the title and was like “Oh man, this is bad”. However, this article is awesome. It walks you through how to create a custom encryption algorithm in Python for your C2, evading detection by not using anything standard that may be picked up by security tools. Two thumbs up!
  7. FBI Warns Users Of Swatting Attacks By Hacking Smart Devices – “Carry-out” is a stretch, supplement is a better term here: “Recently, offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks…”
  8. Remote Code Execution Through Cross-Site Scripting In Electron – “A cross-site-scripting (XSS) attack is more dangerous if an attacker can jump out of the renderer process and execute code on the user’s computer. Disabling Node.js integration helps prevent an XSS from being escalated into a so-called “Remote Code Execution” (RCE) attack.”
  9. unCAPTCHA3 evades Google Audio reCAPTCHA with Speech-to-Text API – Use Google to hack Google! “The idea of the attack is very simple: You grab the mp3 file of the audio reCAPTCHA and you submit it to Google’s own Speech to Text API. Google will return the correct answer in over 97% of all cases.”
  10. The dilemma of Wi-Fi DFS Channels
  11. U.S. Government Announces ‘Hack the Army 3.0’ Bug Bounty Program – “The program, conducted by the Defense Digital Service (DDS), is invitation-only, so not everyone can participate, but the Department of Defense does have an ongoing vulnerability disclosure program through which anyone can report security holes at any time in exchange for “thanks.””
  12. Understanding And Exploiting Zerologon – 22-page document on Zerologon, good stuff. I can’t help but think though, of all the companies breached recently, how many spent a significant amount of time dealing with this issue, but were still breached by some other means? Time better spent on other issues leads to a stronger security posture?
  13. JetBrains’ build automation software eyed as possible enabler of SolarWinds hack – “…investigators appear to be concerned that a poorly secured, improperly configured, or vulnerable TeamCity instance may have helped the attackers plant their malicious code somewhere in the software supply chain. TeamCity, like other software, is regularly patched for vulnerabilities.”

Tyler Robinson –