psw680

Paul’s Security Weekly Episode #680 – January 14, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Beyond Phishing Blockers – 06:00 PM-06:45 PM

Sponsored By

Visit https://securityweekly.com/materialsecurity for more information!

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

Ryan Noon joins Paul, and the rest of the PSW team, this week to chat through the importance of resilience in everything companies do to protect cloud-stored data and IP, unpack growing enterprise demand for a “digital seatbelt,” and explain why Material takes a fresh approach to email security: building products with the assumption that bad actors will successfully hack inboxes.

This segment is sponsored by Material Security.

Visit https://securityweekly.com/materialsecurity to learn more about them!

https://material.security/blog

Guest(s)

Ryan Noon –

Co-Founder and CEO at Material Security

Ryan Noon is a serial entrepreneur and an expert on cloud security. He is the founder and CEO of Material Security, a company that protects the email of high-risk VIPs and top global organizations. Previously he ran infrastructure teams at Dropbox after it acquired his last company, Parastructure. Before that he helped build a company spun out of Stanford by the Department of Defense. He holds bachelor’s and master’s degrees from Stanford in Computer Science and Computer Security.

Hosts

Jeff Man –

Sr. InfoSec Consultant at Online Business Systems

Joff Thyer –

Security Analyst at Black Hills Information Security

Larry Pesce –

Senior Managing Consultant and Director of Research at InGuardians

Lee Neely –

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian –

Founder/CIO at Security Weekly/CyberRisk Alliance

Tyler Robinson –

Managing Director of Network Operations at Nisos, Inc

2. Hacking Ubiquiti Devices – 07:00 PM-07:45 PM

Announcements

  • Learn how to conquer cloud complexity in our first webcast of 2021, this Thurs, Jan 28th 11am ET! Next Thurs, Feb 4th 11am ET, in our first technical training of 2021, you’ll Learn How to Manage Insider Risks in the Work-from-Anywhere World! Register at https://securityweekly.com/webcasts. If you missed any of our 2020 webcasts or technical trainings, they are available at https://securityweekly.com/ondemand

Description

Ubiquiti network gear has become a favorite among tech enthusiasts, but various Ubiquiti products have had some serious vulnerabilities in recent history. Listen in as we discuss how to hack, secure, and learn with Ubiquiti gear. We’ll also discuss Ubiquiti’s data breach announced Jan. 11 and what that could mean for the security of your network.

Guest(s)

Jon Gorenflo –

Founder, Principal Consultant at Fundamental Security, LLC

Jon is the Founder and Principal Consultant of Fundamental Security, a small consulting firm focused on penetration testing, incident response, and strategic security consulting. He started working with technology in high school as a student of the Cisco Networking Academy, and has focused on Information Security since 2006. In addition to his role as a security consultant, he also travels the world as an instructor for the SANS Institute. Currently, he teaches two of SANS’s seminal courses, SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling and SEC560: Network Penetration Testing and Ethical Hacking. He is proud to have served in the Army Reserve for 11 years, where he became a Warrant Officer and served one tour in Afghanistan. He currently maintains the GCIH, GPEN, GAWN, GMOB, CISSP, and Security+ certifications.

Hosts

Jeff Man –

Sr. InfoSec Consultant at Online Business Systems

Joff Thyer –

Security Analyst at Black Hills Information Security

Larry Pesce –

Senior Managing Consultant and Director of Research at InGuardians

Lee Neely –

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian –

Founder/CIO at Security Weekly/CyberRisk Alliance

Tyler Robinson –

Managing Director of Network Operations at Nisos, Inc

3. WRT54G Hacking History, 70 Unpatched Cisco Vulns, & Bypassing MFA – 08:00 PM-09:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Description

In the Security News, How two authors became part of WRT54G hacking history, European police and German law enforcement have taken down the illegal “DarkMarket” online marketplace, 70 unpatched Cisco vulnerabilities and why these are not a big deal, Adobe is blocking Flash content, most containers still run as root, watching private videos on YouTube is more like silent films, and get a free bag of weed when you get your vaccine!

Enterprise Attacker Emulation and C2 Implant Development w/ Joff Thyer: https://bit.ly/JoffsC2Class

Hosts

Jeff Man –

Sr. InfoSec Consultant at Online Business Systems

Joff Thyer –

Security Analyst at Black Hills Information Security

Larry Pesce –

Senior Managing Consultant and Director of Research at InGuardians

  1. Investigating Transit – Part 1 :: xerbo.net
  2. Email security firm Mimecast says hackers hijacked its products to spy on customers
  3. WRT54G History: The Router That Accidentally Went Open Source
  4. Credential harvesting campaign targets government, military, and private sector organisations – Cyjax
  5. Man arrested for counterfeiting 25 popsicle sticks to claim prize

Lee Neely –

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks – Fortinet identified four serious vulnerabilities (CVE-2020-29015, CVE-2020-29016, CVE-2020-29018, and CVE-2020-29019) affecting the FortiWeb administration interface that Fortinet describes as a “SQL injection issue and two buffer overflows” – Likely low to medium risk due to limited impacts of exploitation.
  2. US Announces Controversial State Department Cyber-Bureau – The US government has announced the creation of a new cybersecurity agency to align with the country’s diplomatic efforts. The Bureau of Cyberspace Security and Emerging Technologies (CSET) will lead U.S. government diplomatic efforts on a wide range of international cyberspace security and emerging technology policy issues that affect U.S. foreign policy and national security, including securing cyberspace and critical technologies, reducing the likelihood of cyber-conflict, and prevailing in strategic cyber-competition.
  3. This Android malware claims to give hackers full control of your smartphone – Attackers have combined the “Cosmos” and “Hawkshaw” Android remote access Trojans (RATs) to create the “Rogue RAT,” which also monitors victims’ GPS locations, takes screenshots, uses the camera to snap photos, and secretly records audio, all while remaining hidden.
  4. Networking giant Ubiquiti alerts customers of potential data breach – Ubiquiti has announced a security incident that may have exposed its customers’ data. Ubiquiti is asking users to enable MFA and change passwords.
  5. Hackers Compromise Mimecast Certificate For Microsoft Authentication – A sophisticated threat actor compromised a Mimecast certificate used to authenticate several of the company’s products to Microsoft 365 Exchange Web Services, tenants using Mimecast need to delete and re-add the connection using the new certificate.
  6. SolarLeaks site claims to sell data stolen in SolarWinds attacks – A website named ‘SolarLeaks’ is selling data they claim was stolen from companies confirmed to have been breached in the SolarWinds attack. The solarleaks.net domain containing the data was registered with “NJALLA,” which is used by Russian hacking groups “Fancy Bear” and “Cozy Bear.”
  7. Illegal marketplace “DarkMarket” taken offline – European police and German law enforcement have taken down the illegal “DarkMarket” online marketplace, seized some 20 servers hosting the site in Moldova and Ukraine, and arrested an Australian man who is believed to be the site’s operator. DarkMarket underground community was one of the more prominent and largest underground marketplaces that threat actors used to trade malicious tools and illegal goods on the dark web.
  8. Accellion hack behind Reserve Bank of NZ data breach – The Reserve Bank of New Zealand, which yesterday disclosed it had suffered a data breach, now says it was caught up in a hack targeting an unpatched Accellion file transfer appliance (FTA). The replacement is Kiteworks.
  9. Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services – The analysis report has a great summary of attack vectors and solutions/mitigations. Make sure that you’re adequately securing cloud environments, at a minimum make sure you’re following the service’s security guidance. Review that guidance annually for improvements and needed changes. Make sure that direct access requires MFA. Verify that conditional access is both enabled and operates as planned. Evaluate the risks of enabling SSO from corporate desktops. Be sure that cloud service logs are being reviewed regularly, ideally forwarded automatically to your centralized logging and SIEM.
  10. Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments – CISA has become aware of cyber-attacks leveraging weaknesses in cloud security services. Threat actors are leveraging phishing and other techniques to exploit poor cyber hygiene practices in cloud services. CISA released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services.

Paul Asadoorian –

Founder/CIO at Security Weekly/CyberRisk Alliance

  1. Hackers used 4 zero-days to infect Windows and Android devices – One of the bugs was described as the following (which I found interesting): “One of the features that make JavaScript code especially difficult to optimize is the dynamic type system. Even for a trivial expression like a + b the engine has to support a multitude of cases depending on whether the parameters are numbers, strings, booleans, objects, etc. JIT compilation wouldn’t make much sense if the compiler always had to emit machine code that could handle every possible type combination for every JS operation. Chrome’s JavaScript engine, V8, tries to overcome this limitation through type speculation. “
  2. Over 70 Vulnerabilities Will Remain Unpatched in EOL Cisco Routers – This sounds bad, except: “The security bugs exist because user-supplied input to the web-based management interface of the affected router series is not properly validated, thus allowing an attacker to send crafted HTTP requests to exploit these issues. An attacker able to successfully exploit these vulnerabilities would be able to execute arbitrary code with root privileges on the underlying operating system. A mitigating factor, however, is that valid administrator credentials are required for exploitation.” Uhm, if I have administrator credentials already, why would I need an exploit?
  3. Most containers are running as root, which increases runtime security risk – “Among its findings, the report states that while 74 percent of customers are scanning before deployment, still 58 percent of containers are running as root. There are some containers that should run as root—security and system daemons for example—but this is a small portion of total containers.” Report here: https://sysdig.com/blog/sysdig-2021-container-security-usage-report/ and it looks like it was a report based on Sysdig customers, who have implemented a container security platform, yet still, run containers as root? WTH?
  4. Google reveals high-profile attack targeting Android, Windows users
  5. Understanding TCP/IP Stack Vulnerabilities in the IoT – If it were only that easy: “Experts point to three foundational steps for dealing with TCP/IP stack vulnerabilities: identifying all devices on a network to understand which are vulnerable; assessing the risks introduced by these devices, which include their business context, criticality, and Internet exposure; and mitigating the assessed risks.”
  6. Larger CyberBunker investigation yields shutdown of DarkMarket – CyberScoop – “German police raided the CyberBunker’s headquarters in September 2019 in Traben-Trarbach, a small town close to the Luxembourg border. Eight defendants — four Dutchmen, three Germans and one Bulgarian — stood trial beginning in October for allegedly aiding and abetting 249,000 transactions involving drugs, money laundering, stolen information and pornographic images of children.”
  7. Adobe Fixes 7 Critical Flaws, Blocks Flash Player Content – But, if it’s not updating Flash, how will Flash Player block content? “Since Adobe will no longer be supporting Flash Player after December 31, 2020 and Adobe will block Flash content from running in Flash Player beginning January 12, 2021, Adobe strongly recommends all users immediately uninstall Flash Player to help protect their systems,” according to Adobe.
  8. How I found a bug in YouTube that let me watch private videos I wasn’t allowed to, says compsci student
  9. RCE Vulnerability Affecting Microsoft Defender
  10. Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender – Microsoft Security – See my story number 9 above…
  11. Minimizing cyberattacks by managing the lifecycle of non-human workers – It’s important to manage the lifecycle of alien workers (from outer space), not just humans…
  12. Criminals are Bypassing MFA to Access Organisation’s Cloud Services
  13. Get A Free Bag Of Marijuana With Your Covid-19 Vaccine – Literally called “Joints For Jabs”. They gave out joints in 2016 at the presidential inauguration, but this year thought it was a bad idea because 1. They licked all the joints and 2. People lit them up immediately…
  14. User successfully runs Ubuntu on a jailbroken iPhone 7 – 9to5Mac
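
The “58 percent of containers are running as root” figure in story 3 comes from the vendor’s runtime agent. As an added example (not part of the show notes, and not code from Sysdig or the report), here is the same check done from the Kubernetes API with only the standard library. It reads the JSON that `kubectl get pods -A -o json` emits and flags every container whose effective securityContext does not guarantee a non-root UID. Two Kubernetes rules drive the verdicts: container-level securityContext fields override pod-level ones, and `runAsNonRoot: true` makes the kubelet verify the image’s USER is non-zero before starting the container, while a pinned `runAsUser: 0` is refused outright when combined with it. The three pod specs embedded below are constructed for the example, not real cluster data; the script name `audit_root.py` in the usage comment is likewise an assumption.

```python
"""Flag Kubernetes containers that will run as root.

Feed it the output of `kubectl get pods -A -o json`; the embedded sample
pods are constructed for this example (not real cluster data).
"""
import json
import sys

# Constructed sample in the shape `kubectl get pods -A -o json` returns.
SAMPLE_PODS_JSON = """
{
  "items": [
    {
      "metadata": {"namespace": "web", "name": "frontend-1"},
      "spec": {
        "securityContext": {"runAsUser": 1000, "runAsNonRoot": true},
        "containers": [{"name": "nginx", "image": "nginx:1.19"}]
      }
    },
    {
      "metadata": {"namespace": "web", "name": "legacy-app-1"},
      "spec": {
        "securityContext": {"runAsUser": 1000},
        "containers": [
          {"name": "app", "image": "example/legacy:2.3",
           "securityContext": {"runAsUser": 0}}
        ]
      }
    },
    {
      "metadata": {"namespace": "batch", "name": "report-1"},
      "spec": {
        "initContainers": [
          {"name": "fetch", "image": "busybox:1.32",
           "securityContext": {"runAsNonRoot": true}}
        ],
        "containers": [{"name": "worker", "image": "example/report:1.0"}]
      }
    }
  ]
}
"""


def effective_security_context(pod_spec, container):
    """Container-level securityContext fields override pod-level ones."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def classify_container(pod_spec, container):
    """Return 'root', 'nonroot' or 'image-default' for one container.

    'image-default' means nothing in the spec pins the UID, so the container
    runs as whatever USER the image declares, which is root for most images.
    """
    ctx = effective_security_context(pod_spec, container)
    run_as_user = ctx.get("runAsUser")
    if run_as_user == 0:
        # Explicit UID 0 is flagged even if runAsNonRoot is also set; the
        # kubelet refuses that combination rather than running it non-root.
        return "root"
    if run_as_user is not None:
        return "nonroot"
    if ctx.get("runAsNonRoot") is True:
        # No UID pinned, but the kubelet checks the image USER is non-zero
        # before starting the container.
        return "nonroot"
    return "image-default"


def audit_pods(pods_json):
    """Return (namespace, pod, container, verdict) for every container that is
    not guaranteed to run non-root. Init containers are checked as well."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        meta, spec = pod["metadata"], pod["spec"]
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for c in containers:
            verdict = classify_container(spec, c)
            if verdict != "nonroot":
                findings.append((meta["namespace"], meta["name"], c["name"], verdict))
    return findings


if __name__ == "__main__":
    # Real data:  kubectl get pods -A -o json | python3 audit_root.py -
    # With no "-" argument the constructed sample above is audited instead.
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_PODS_JSON
    for ns, pod, container, verdict in audit_pods(data):
        print(f"{ns}/{pod} container={container}: {verdict}")
```

On the sample, `frontend-1` passes (pod-level UID 1000), `legacy-app-1` is reported as `root` because the container-level `runAsUser: 0` overrides the pod-level 1000, and `report-1`’s main container is reported as `image-default` because nothing pins its UID; its init container is fine since `runAsNonRoot: true` makes the kubelet enforce it. `image-default` is the case the 58 percent mostly live in: the spec looks harmless, and only the image’s USER line decides whether it is UID 0.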

Tyler Robinson –

Managing Director of Network Operations at Nisos, Inc