
Paul’s Security Weekly Episode #689 – April 01, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. The Intersection of Cybersecurity & Cryptocurrency – 06:00 PM-06:45 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

With an uptick in malware scams and email compromises, the best thing we can do is educate the cryptocurrency community about risks and security best practices.

https://www.youtube.com/playlist?list=PL1fKlftNZ_xGh8AFVy46suO193IIQ7lnq

https://www.kraken.com/en-us/features/security/kraken-security-labs

https://www.canisecure.com/

https://blog.kraken.com/security-labs/

Guest(s)

Nick Percoco – Chief Security Officer at Kraken

@c7five

Nick Percoco, Chief Security Officer at Kraken, has been an active member of the security industry for over two decades, working as both a security practitioner and advisor. He’s presented research on targeted malware, iOS and Android vulnerabilities, and IoT security at events such as DEF CON, Black Hat, RSA Conference and SXSW. He’s also designed, led and advised in the development of security products and services used by millions of people and businesses while working for Internet Security Systems, VeriSign, Trustwave and Rapid7. Nick founded SpiderLabs and led global teams of hackers that discovered real-world 0-day vulnerabilities to help secure the most targeted businesses such as Las Vegas casinos, global financial institutions, major retail brands and video game companies to ensure their facilities, products, employees and clients were kept safe and secure.

Hosts

Jeff Man

@MrJeffMan

Sr. InfoSec Consultant at Online Business Systems

Larry Pesce

@haxorthematrix

Senior Managing Consultant and Director of Research at InGuardians

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian

@securityweekly

Founder at Security Weekly

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security and Founder & CEO of Dark Element

2. Cybersecurity Journalist – 07:00 PM-07:45 PM

Description

Paul and the rest of the PSW hosts will talk to Robert about how he got his start in InfoSec.

Guest(s)

Robert Lemos – Cybersecurity and Data Journalist at Undisclosed

@roblemos

Writes for DarkReading and TechBeacon. Veteran technology journalist of more than 25 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R.

Hosts

Jeff Man

@MrJeffMan

Sr. InfoSec Consultant at Online Business Systems

Larry Pesce

@haxorthematrix

Senior Managing Consultant and Director of Research at InGuardians

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian

@securityweekly

Founder at Security Weekly

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security and Founder & CEO of Dark Element

3. Ubiquiti Breach, Tesla, PHP, & More Sagas – 08:00 PM-09:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

Description

The npm netmask library has a critical bug, when AI attacks, firmware attacks on the rise, Microsoft HoloLens and Order 66, a real Executive Order 13694, the Ubiquiti breach saga, the FreeBSD and WireGuard saga, is the cloud more secure? Hopefully for PHP it is, a software update limits a muscle car to 3 HP, a brand new Windows 95 easter egg just in time for, well, Easter, and aging wine in space: does it make a difference?

Hosts

Jeff Man

@MrJeffMan

Sr. InfoSec Consultant at Online Business Systems

Larry Pesce

@haxorthematrix

Senior Managing Consultant and Director of Research at InGuardians

  1. Police say they found mafia fugitive on YouTube, posting cooking tutorials
  2. Update on campaign targeting security researchers
  3. Child tweets gibberish from US nuclear-agency account
  4. Buffer overruns, license violations, and bad code: FreeBSD 13’s close call
  5. Activision Forces Online Check DRM Into New Game, Which Gets Cracked In One Day
  6. SpaceX seemingly takes steps to protect telemetry data after leak
  7. Whistleblower: Ubiquiti Breach “Catastrophic” — Krebs on Security
  8. Recovering a full PEM Private Key when half of it is redacted
  9. PHP Compromised: What WordPress Users Need to Know

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. Cars Have Your Location. This Spy Firm Wants to Sell It to the U.S. Military – Charleston, S.C.-based surveillance contractor The Ulysses Group is reportedly looking to sell the U.S. military a new product it asserts is capable of obtaining the real-time locations of specific vehicles anywhere on earth leveraging data collected and sent by car sensors.
  2. China Bans Tesla Cars From Entering Military Locations and Housing Compounds – China has decided that Tesla vehicles pose a threat following concern over the multiple cameras each contains and the sensitive data they are capable of recording. With that in mind, the military has banned Elon Musk’s cars from entering any Chinese military complexes or housing compounds.
  3. PHP’s Git server hacked to add backdoors to PHP source code – Malicious actors pushed two malicious commits to the “php-src” Git repository maintained by the PHP team on its “git.php.net” server Sunday in an attempt to add backdoors to and compromise the PHP code base. PHP maintainers have migrated the official PHP source code repository to GitHub.
  4. Whistleblower claims Ubiquiti Networks data breach was ‘catastrophic’ – The whistleblower said that attackers were able to obtain administrative access to AWS Ubiquiti databases using credentials stored in and stolen from an employee’s LastPass account, which allowed them to access AWS accounts, S3 buckets, app logs, SSO cookie secrets, and all databases, including those containing user credentials.
  5. OpenSSL fixes severe DoS, certificate validation vulnerabilities – OpenSSL has released an advisory about two high-severity vulnerabilities (CVE-2021-3449 and CVE-2021-3450) affecting its products that could be leveraged by attackers to create a denial-of-service (DoS) condition or prevent the Certificate Authority (CA) from issuing certificates.
  6. This Android malware hides as a System Update app to spy on you – A new, “sophisticated” Android spyware app disguising itself as a software update has been discovered by researchers. Once installed on a device, the compromised device is registered with a Firebase C&C server that issues commands while a dedicated C&C server manages data exfiltration. Information collected by the RAT is said to include GPS data, SMS messages, contact lists, call logs, images and video files, and microphone audio.
  7. Tax scammers hack government-run facial recognition system – A group of tax scammers has been identified leveraging manipulated personal information, high-definition photos, and a fake video to hack the government-run facial recognition system used by the State Taxation Administration, which allowed their registered shell company to issue bogus tax returns to clients. The fraud is put at 500 million yuan (about $76.2M USD).
  8. FBI published a flash alert on Mamba Ransomware attacks – “Mamba” ransomware has been identified abusing the “DiskCryptor” (HDDCryptor, HDD Cryptor) open-source tool to encrypt entire hard drives.
  9. Evil Corp switches to Hades ransomware to evade sanctions – The “Evil Corp” cybercrime gang has been spotted using the “Hades” ransomware to evade sanctions levied in December 2019 by the U.S. Department of Treasury’s (Treasury) Office of Foreign Assets Control (OFAC).

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. Critical netmask networking bug impacts thousands of applications – “The root cause of the problem turned out to be Netmask’s incorrect evaluation ‘of individual IPv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on Netmask to filter or evaluate IPv4 block ranges, both inbound and outbound’” (https://portswigger.net/daily-swig/ssrf-vulnerability-in-npm-package-netmask-impacts-up-to-279k-projects). “For example, a remote unauthenticated attacker can request local resources using input data 0177.0.0.1 (127.0.0.1), which netmask evaluates as public IP 177.0.0.1. Contrastingly, a remote authenticated or unauthenticated attacker can input the data 0127.0.0.01 (87.0.0.1) as localhost, yet the input data is a public IP and potentially cause local and remote file inclusion (LFI/RFI)” (https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md)
  2. Will AI Short Circuit Cybersecurity? – Basically, how do we prevent creating Skynet? – “The article describes how engineers discovered a surprising feature relating to the now defunct Google Project Loon, which was intended to make the Internet universally available using balloons rather than satellites. They observed that, on a trip from Puerto Rico to Peru, the balloon began tacking, which is the method used with sailboats for changing direction. Not that that is particularly startling, except that they had never taught the AI how to do that—it did it all by itself! While this was a “gee whiz moment,” it portends what might be one of the greatest dangers of AI (artificial Intelligence) systems, namely, acting autonomously in unanticipated and possibly dangerous ways.”
  3. Alan Turing, WWII Cryptanalyst and Computer Pioneer, on New £50 Note – Security Boulevard – “Turing was selected to appear on the note … in recognition of his groundbreaking work in mathematics and computer science, as well as his role in cracking the Enigma code … in World War II. … [It] incorporates a number of designs linked to Turing’s life and legacy. These include technical drawings for the bombe, a decryption device used during WWII; a string of ticker tape with Turing’s birthday rendered in binary … a green and gold security foil resembling a microchip; and a table and mathematical formulae taken from one of Turing’s most famous papers.” Also: “It’s a way to let the UK honor historic people. But don’t pretend like it’s some big feat or victory for oppressed people. Pardoning and putting him on a note doesn’t undo that.”
  4. The Importance of Cybersecurity to SEO – Recovering from the SEO hits you take from a website compromise could be impactful: “When a business website becomes a victim of hackers, it can have the below-mentioned impacts: website traffic can be redirected to third-party servers; Error 50X (internal server error) can be generated; massive 404 (content not found) errors can be caused across the website; websites can be infected with malicious code, which can spread infections to all visitors; websites can be infected by phishing attacks to trick visitors.”
  5. Serious Vulnerability In Netmask npm Package Risked 270K+ Projects
  6. Two Linux Vulnerabilities Could Allow Bypassing Spectre Attack Mitigations – So many privilege abuses in the Linux Kernel: “Unprivileged BPF programs running on affected systems can bypass the protection and execute speculatively out-of-bounds loads from any location within the kernel memory. This can be abused to extract contents of kernel memory via side-channel.”
  7. Blind XPath Injections: The Path Less Travelled – Awesome article explaining XPath injections, with examples from a CTF.
  8. 83% of Businesses Hit With a Firmware Attack in Past Two Years – “Microsoft last year released a line of ‘Secured-Core’ Windows 10 PCs as part of a partnership with Intel, Qualcomm, and AMD, to help businesses better defend against attacks that attempt to interfere with the boot process. Last June, it added a UEFI scanner to Microsoft Defender Advanced Threat Protection to assess the security posture inside of a firmware file system. However, even though Microsoft is working to expose firmware visibility, ‘I don’t think we yet have the total picture,’ he says, and it’s a challenge to observe attacks taking place below the operating system. What’s more, not all businesses can shift to new hardware in the near term, and many security teams are juggling too many other issues to prioritize firmware.”
  9. President Biden extended Executive Order 13694 regarding cyberattack sanctions
  10. Microsoft Wins $22 Billion Deal Making Headsets for US Army – Interesting to think about hacking these, like in a battle, executing order 66! – “The technology is based on Microsoft’s HoloLens headsets, which were originally intended for the video game and entertainment industries. Pentagon officials have described the futuristic technology — which the Army calls its Integrated Visual Augmentation System — as a way of boosting soldiers’ awareness of their surroundings and their ability to spot targets and dangers.”
  11. Top 5 Attack Techniques May Be Easier to Detect Than You Think
  12. How I “Hacked” a Popular Illicit Website Accidentally. – Interesting story, crime doesn’t pay (though as a criminal you may have to pay): “Hey, it’s been a while, but Sammy just got sent a cease and desist from Chick-Fil-A. He has to pay restitution.”
  13. DD-WRT 45723 Buffer Overflow – Exploitalert
  14. Whistleblower: Ubiquiti Breach “Catastrophic” — Krebs on Security – Holy crap, what a saga…
  15. Buffer overruns, license violations, and bad code: FreeBSD 13’s close call – Holy crap, what another saga!
  16. Universal “netmask” npm package, used by 270,000+ projects, vulnerable to octal input data: server-side request forg
  17. PHP’s Git server hacked to add backdoors to PHP source code – So, moral of the story, the cloud is more secure?
  18. OpenSSL fixes severe DoS, certificate validation vulnerabilities
  19. Dodge Offers Software Update For Chargers And Challengers That Limits Them To 3 HP Of Raw Hemi Power – “The way the engine manages to restrict the power so effectively from 485 HP/475 pound-feet or 707 HP and 650 lb of torque is by limiting the engines to a 675 rpm idle.”
  20. Google’s unusual move to shut down an active counterterrorism operation being conducted by a Western democracy
  21. Windows 95 Easter egg discovered after being hidden for 25 years – “You have to open its About window, select one of the files, and type MORTIMER. Names of the program’s developers will start scrolling”
  22. Tasting experts sample wine aged for a year in space – I feel like this is a hacker thing like someone asked the question: “What would wine taste like if it were aged in zero gravity?”.
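On the netmask items (1, 5 and 16 above): the bug is worth seeing side by side, because the filter and the socket layer read the same string two different ways. The following is an added example written for these notes, not code from the netmask package or from the advisory. It re-implements the two octet readings itself (a "lenient" one that left-strips zeros and reads decimal, which is the behaviour the advisory attributes to netmask, and a "strict" inet_aton-style one where a leading 0 means octal and 0x means hex), then runs the advisory's two inputs plus two extra edge cases through a constructed private-range blocklist. Every function and the blocklist are assumptions of this example; nothing here is netmask's API.

```javascript
// Added example (not from netmask or the advisory): two readings of a
// dotted-quad string, and what an SSRF filter built on each one decides.

function parseOctetLenient(s) {
  // Leading zeros dropped, rest read as decimal: "0177" -> 177, "0127" -> 127.
  if (!/^\d+$/.test(s)) return null;
  const v = parseInt(s, 10);
  return v <= 255 ? v : null;
}

function parseOctetStrict(s) {
  // inet_aton() convention, which is what connect() will actually use.
  let v;
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) v = parseInt(s.slice(2), 16); // "0x7f" -> 127
  else if (/^0[0-7]*$/.test(s)) v = parseInt(s, 8);                // "0177" -> 127
  else if (/^[1-9]\d*$/.test(s)) v = parseInt(s, 10);              // "127"  -> 127
  else return null;                                                // "08": not valid octal
  return v <= 255 ? v : null;
}

function parseIPv4(str, parseOctet) {
  const parts = str.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map(parseOctet);
  return octets.some((o) => o === null) ? null : octets;
}

function toUint32(octets) {
  return ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
}

// Constructed blocklist for the example: RFC 1918 space, loopback, link-local.
const BLOCKED_CIDRS = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["127.0.0.0", 8],
  ["169.254.0.0", 16],
];

function inCidr(octets, baseStr, prefix) {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const base = toUint32(parseIPv4(baseStr, parseOctetStrict));
  return ((toUint32(octets) & mask) >>> 0) === ((base & mask) >>> 0);
}

// "blocked" | "allowed" | "rejected" (string could not be parsed at all)
function classify(str, parseOctet) {
  const o = parseIPv4(str, parseOctet);
  if (o === null) return "rejected";
  return BLOCKED_CIDRS.some(([b, p]) => inCidr(o, b, p)) ? "blocked" : "allowed";
}

// Side by side: what a lenient filter decides, where the socket layer would
// really connect, and what a strict filter would have decided instead.
function ssrfDecision(str) {
  const strict = parseIPv4(str, parseOctetStrict);
  return {
    input: str,
    lenientFilter: classify(str, parseOctetLenient),
    socketConnectsTo: strict === null ? null : strict.join("."),
    strictFilter: classify(str, parseOctetStrict),
  };
}

// The advisory's two inputs, plus a hex octet and an invalid octal octet.
for (const ip of ["0177.0.0.1", "0127.0.0.01", "0x7f.0.0.1", "08.0.0.1", "8.8.8.8"]) {
  console.log(ssrfDecision(ip));
}
```

Run it with node and the first two rows are the advisory's point in one line each: 0177.0.0.1 is "allowed" by the lenient filter but the socket connects to 127.0.0.1, while 0127.0.0.01 is "blocked" as localhost even though the socket would reach 87.0.0.1. The practical check for any IP allow/deny logic is the one the strict parser does: either reject octets with leading zeros or hex prefixes outright, or parse them exactly as inet_aton does, and do the check on the resolved address, never on the raw string.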

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security and Founder & CEO of Dark Element