Paul’s Security Weekly Episode #695 – May 20, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Unplugging the Internet, Bombing Hackers, Cyber NTSB, & Best Practices – 06:00 PM-06:45 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

This week in the Security News: Is the cyber NTSB a good thing?, Russian virtual keyboard for the win, information should be free, hang on while I unplug the Internet, security MUST be taken seriously, poison the water hole to poison the water, bombing hackers, how industry best practices have failed us?, publishing exploits is still a good thing regardless of what the studies say, and more!

Hosts

Doug White

@dougwhitephd

Professor at Roger Williams University

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. Emerson Patches Several Vulnerabilities in X-STREAM Gas Analyzers – Emerson says it has released firmware updates to address six vulnerabilities rated as high or severe affecting its Rosemount X-STREAM gas analyzer. In the case of CVE-2021-27459, arbitrary code execution is possible, but it requires a high privilege level and the code only executes in a limited context.
  2. Knopp Resigns as Wyoming CIO After Major Health Data Leak – A Wyoming Health Department (WHD) employee appeared to have improperly handled the data by uploading it to public and private repositories on GitHub
  3. Recruiter’s Cloud Snafu Exposes 20,000 CVs and ID Documents – An unsecured AWS S3 bucket belonging to Primrose Hill, London-based recruitment firm FastTrack Reflex Recruitment (now TeamBMS) containing some 5GB of data that includes 21,000 files containing CVs and PII
  4. New Zealand’s hospitals battle daily cyber attacks: Ministry of Health – NZ Herald – According to Waikato DHB chief executive Kevin Snee, it appears that attackers managed to breach the health provider’s networks via a malicious email attachment.
  5. Student health insurance carrier Guard.me suffers a data breach – Student health insurance carrier guard.me has taken their website offline after a vulnerability allowed a threat actor to access policyholders’ PII
  6. Herff Jones Credit Card Breach: College Students Across the US Affected – According to reports, the credit card breach affects students attending Purdue, IU, Boston, Towson University, University of Houston, Lehigh, Misericordia, Cornell, Wake Forest, Florida State University, and Sonoma State University.
  7. Irish health service hit by cyber attack – Ireland’s Health Service Executive (HSE) says it was forced to temporarily shut down its IT systems in an effort to protect those systems from further compromise after experiencing a “significant cyber attack” on May 13.
  8. Expert released PoC exploit code for Windows CVE-2021-31166 bug – A security researcher has published working proof-of-concept exploit code for a wormable Windows IIS server vulnerability tracked as CVE-2021-31166.
  9. Two flaws could allow bypassing AMD SEV protection system – AMD has issued guidance to customers for dealing with two new vulnerabilities (CVE-2020-12967 and CVE-2021-26311) affecting its Secure Encrypted Virtualization (SEV) protection technology that could be exploited by attackers to completely bypass SEV and execute arbitrary code on targeted systems.
  10. Eufy security cameras suddenly start showing live feeds to strangers – Owners of security cameras from smart device maker Eufy have reported on Reddit and Twitter that they were able to access video cameras belonging to complete strangers rather than their own video feeds.
  11. Insurer AXA hit by ransomware after dropping support for ransom payments – Branches of insurance giant AXA based in Thailand, Malaysia, Hong Kong, and the Philippines have been struck by a ransomware cyber attack. Avaddon operators stated on their website that they had stolen 3TB of sensitive customer information from AXA branches in Thailand, the Philippines, Hong Kong and Malaysia, and encrypted these entities’ systems with ransomware.
  12. Ransomware’s Dangerous New Trick Is Double-Encrypting Your Data – Researchers say they have identified ransomware operators encrypting victims’ data twice (i.e., double-encrypting) at the same time during ransomware attacks in an effort to get the most money possible from targeted organizations.
  13. Popular Russian hacking forum XSS bans all ransomware topics – According to a forum post from XSS forum owner “Admin” announcing the move, all “Ransomware affiliate programs,” “Ransomware rental,” and the “sale of lockers (ransomware software)” are prohibited, and any existing ransomware topics will be deleted.
  14. Suspected Pakistani spies use catfishing, stealthy hacking tools to target Indian defense sector – CyberScoop – Pakistani government-linked APT group “Transparent Tribe” has spent the past 18 months using its hacking tool in cyber espionage campaigns leveraging catfishing that are designed to steal data from and take screenshots of compromised systems in India as well as to target Indian military personnel, defense contractors, and individuals attending Indian government-sponsored conferences and events.
  15. Rapid7 says source code, credentials accessed as a result of Codecov supply-chain attack – Rapid7 disclosed that an unauthorized third party had access to source code and customer data as a result of the Codecov supply-chain attack.
Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. The Establishment of a Cyber Safety Review Board – Security Boulevard – Yea, except cybersecurity, hacking and cyber crime is nothing like investigating airplane crashes in the sense that everything changes all the time, incidents happen at a far greater rate, and we’re dealing with digital incidents, not physical (for the most part, unless they intersect, which happens).
  2. Try This One Weird Trick Russian Hackers Hate – Krebs on Security – Russian virtual keyboard for the win?
  3. Apple sent my data to the FBI, says boss of controversial research paper trove Sci-Hub – Information should be free (free like free beer and free like running naked through a field)
  4. CISA: Disconnect Internet for 3-5 Days to Evict SolarWinds Hackers From Network – Oh yea, let me just go unplug the Internet for a few days…
  5. Biden calls for $22 billion in cyber security funding – Throwing money at the problem does not fix cybersecurity issues, if it did, the companies who spend the most on cybersecurity would not have breaches, except they do.
  6. New open source scanning tool is built for ethical hackers
  7. The basics of security code review – Help Net Security
  8. Wind River’s enhancements deliver cybersecurity and anti-tamper protection – Help Net Security – “Security must be taken seriously – the only way to do that is to be proactive. With billions of new devices constantly connecting locations around the world, the attack surface is staggering. It will be important for solution builders, both hardware and software, to be thoughtful stewards and strong advocates for cybersecurity in order to deliver trustworthy compute infrastructure.” – I read this as “our customers told us security is important to them now, so now security is important to us.” Also, not necessarily a bad thing…
  9. Scans for Vulnerable Exchange Servers Started 5 Minutes After Disclosure of Flaws
  10. Watering Hole Attack Was Used to Target Florida Water Utilities – “An investigation undertaken in the aftermath of the Oldsmar water plant hack earlier this year has revealed that an infrastructure contractor in the U.S. state of Florida hosted malicious code on its website in what’s known as a watering hole attack. “This malicious code seemingly targeted water utilities, particularly in Florida, and more importantly, was visited by a browser from the city of Oldsmar on the same day of the poisoning event,”” – The irony of poisoning the watering hole to poison the watering hole is not lost…
  11. Israel Says Its Fighter Jets Bombed Buildings Used by Hamas Cyber Unit
  12. Lessons Learned From High-Profile Exploits
  13. Exploit released for wormable Windows HTTP vulnerability
  14. PeterM on Twitter – When availability ranks way higher than confidentiality.
  15. Ransomware’s Dangerous New Trick Is Double-Encrypting Your Data – Just don’t use XOR. However, attackers will double encrypt, maybe not all, but some of your data, so you have to pay twice.
  16. Our cybersecurity ‘industry best practices’ keep allowing breaches – “”Industry best practices,” for instance, dictate that network administrators should be boxed in administratively. They should not be able to see what is happening on workstations, servers or storage resources.” – Actually, we do not dictate this at all. “Implement a “one strike and you are out” hiring policy for information security employees. When they fail, do not let it happen twice.” – This is just wrong on so many levels, such as how do you measure failure? And so we all have to be perfect because no one makes mistakes, in any profession, right? Somehow we are different because we deal with cybersecurity? “Also, never hire an information security employee who has ever worked for a firm that has had a security incident.” – Wow, you have really hit the crack pipe hard by this point in the article. I will let you in on a not-secret: 99% of us in information security have worked at a company that has had a security incident. Maybe we should just all quit? Maybe we should just all turn to the darkside and take over the galaxy? Just how is this a solution? “Embrace “holistic” approaches to information security.” – You took a huge bong rip before you wrote that, then said it out loud when you typed it, and it sounded really good huh? And then you try to cover your ass: ”The author, Professor Gwinn, states that his column included “what is likely to have been the worst wording I have ever used in my life” in the 19th and 20th paragraphs, which suggested that he favored the “willy-nilly firing of a whole staff of people after a security incident. My intent was to hold leadership accountable.” He now states that businesses and industries should “implement a ‘one strike and you are out’ hiring policy for information security leadership whose job it was to secure systems and networks after a major, expensive breach. Rotate leadership and do not let it happen twice. Also, weed out and avoid hiring that former information security leader.”” Guess what? You are still wrong, on basically all points. Also, we will be looking at all of your future publications and I hope you have better suggestions in the future, because this article…sucks.
  17. Samba arbitrary file access vulnerability attack
  18. Why Is There a Lack of Women in Cyber? – This was a great article and did not get into finger-pointing, blaming people, or other such nonsense. For example, the media has continued the notion that the hacker/cybersecurity persona is a male, typically wearing a hoodie, alone, using a computer in the dark: “In general, Cybersecurity in the media typically has a very masculine look. As you can see in the above screenshot, eight of the nine images have the same blue/black color scheme. While this may seem trivial, it’s something that can subconsciously impact perception. Much of these images align with what’s referred to as masculine colors.” This is also a great point: “Second, many of the images in my search showed lines of code, which can lead people to come to the conclusion that coding experience is a requirement for a cybersecurity career, which isn’t true.” – Again the media is reinforcing the notion that not only should you be male, alone, in the dark, but you also better be super technical and able to write code. All just not true!
  19. “Those aren’t my kids!” – Eufy camera owners report video mixups
  20. Expert released PoC exploit code for Windows CVE-2021-31166 bug
  21. Google makes a big security change, but other companies must follow
  22. Dumping Plaintext RDP credentials from svchost.exe – n00py Blog
  23. FIN7 Backdoor Masquerades as Ethical Hacking Tool
  24. Darkside ransomware gang says it lost control of its servers & money a day after Biden threat
  25. Publishing exploits early doesn’t encourage patching or help defense, data shows – I am challenging this one, I don’t believe this is what the data shows: “The report found that network defenders were almost exactly as likely to mitigate a problem when an exploit had been released before the patch. If an exploit was released first, a median of 46.3% of systems were patched in the first three months, a cumulative 57.5% after six months and 67.8% after 12 months. Patches were actually more common when the first exploit was released after the patch, although only marginally so, and remediation followed the same curve (49.1% at three months, 59.3% at six and 70.6% at 12 months).” – There is a HUGE difference between an exploit being released, and an exploit being used in the wild, and this data did not represent that aspect. There is also a huge difference between a PoC and the overall effectiveness of an exploit. Was the exploit a DoS or restricted to RCE? Also, what if an exploit does not have a patch? Or, what if the patch is REALLY hard to apply and roll out, vs. other vulnerabilities that are easier to remediate? Also, what if I didn’t apply a patch but I turned off the service, created a firewall rule or implemented some other compensating control? What if I do that more often when an exploit is released than I do patch a system? What if an exploit being released actually helps me with compensating controls rather than applying a patch? What if exploits are released for software that is not popular or I just don’t have in my environment, therefore I don’t have to patch?
  26. I Mailed an AirTag and Tracked Its Progress; Here’s What Happened – The Mac Security Blog
  27. AirTag Used to Successfully Track a Mailed Package Across the UK
  28. Send My: Arbitrary data transmission via Apple’s Find My network
  29. CVE-2021-1079 – NVIDIA GeForce Experience Command Execution – VoidSec

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

2. Five by Five: Why the Cyber Defense Matrix Gets Great Reception – 07:00 PM-07:45 PM

Announcements

  • Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!

Description

Five years after Sounil Yu originally introduced the Cyber Defense Matrix at the 2016 RSA conference, he just wrapped up the third workshop based on the framework. CDM has its own website, is an official OWASP project and has a forthcoming book. We talk to Sounil today to learn more about where the CDM came from, why people find it so useful and where it might be headed in the future.

Presenter(s)

Adrian Sanabria

Adrian Sanabria – Senior Research Engineer at CyberRisk Alliance

@sawaba

Adrian is an outspoken researcher that doesn’t shy away from uncomfortable truths. He loves to write about the industry, tell stories and still sees the glass as half full.

Sounil Yu

Sounil Yu – CISO & Head of Research at JupiterOne

@sounilyu

Sounil Yu is the CISO and Head of Research at JupiterOne. Previously, he was CISO-in-Residence at YL Ventures and Chief Security Scientist at Bank of America. He created the Cyber Defense Matrix and the DIE Triad, which are reshaping approaches to cybersecurity. He’s a Board Member of the FAIR Institute and SCVX; co-chairs Art into Science: A Conference on Defense; is a visiting fellow at GMU Scalia Law School’s National Security Institute; teaches at Yeshiva University; and advises many startups.

Hosts

Doug White

@dougwhitephd

Professor at Roger Williams University

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

Paul Asadoorian

@securityweekly

Founder at Security Weekly

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

3. 21 Nails: Behind the Scenes Discussion of Qualys Exim Vulnerability Discovery – Wheel – 08:00 PM-08:45 PM

Announcements

  • In our May 27th webcast at 11am ET, we’ll explore the latest attacks against DNS and the latest techniques that make it possible to discover and disrupt attacks. In our June 3 webcast at 11am ET, you will learn about pen testing tools and why every organization should be using them regularly. Then join us June 10 at 11am ET for our webcast on insider risk to learn how to quickly mitigate data exposure risks. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

Join Qualys researcher Wheel for a discussion on the team’s recent discovery and disclosure of multiple critical vulnerabilities in the Exim mail server. This includes discussion of the vulnerabilities that can be chained together to obtain full remote unauthenticated code execution and gain root privileges.

Segment Resources:
https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server

Presenter(s)

Wheel

Wheel – Researcher at Qualys

“Wheel” is a member of the Qualys Research Team responsible for finding zero-days.

Hosts

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

Paul Asadoorian

@securityweekly

Founder at Security Weekly

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security