Paul’s Security Weekly Episode #698 – June 10, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. OpenWRT for Enterprise and Labs – 06:00 PM-06:45 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • Join us June 24 at 11 AM ET to learn how web application firewalls can help mitigate exposure in a complex threat landscape. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

OpenWRT is a mature and well supported project. It is supported on many hardware platforms and available as production-level products. OpenWRT has developed into a platform that is filled with enterprise level features, making it a successful product for enterprise uses. Due to the fact that it will run on many IoT platforms, including home gateways, and has an easy-to-use web interface, it is also a great platform to use to start building a lab.

Segment Resources:
Company Website Link: xcapeinc.com

Topic Link: openwrt.org

Commercial Product for Topic Link: gl-inet.com

Personal CI/CD Projects Link: gitlab.com/fossdevops

Personal GitLab Link: gitlab.com/geneerik

Guest(s)

Gene Erik – Senior Product Officer at Xcape, Inc.

@GeneErik

Gene is an experienced security professional whose work history runs the gamut of IT, from red teaming and tools development, to DevSecOps and working on the blue team, to engineering, development, and automation. He has worked for several Fortune 500 companies, as well as start-ups, from security companies to Fin-tech to medical device manufacturers. Gene is a long time hacker community member and enjoys contributing to the community.

Hosts

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian

@securityweekly

Founder at Security Weekly

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

2. Protecting the Attack Surface – 07:00 PM-07:45 PM

Sponsored By

Visit https://securityweekly.com/cycognito for more information!

Announcements

  • Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!

Description

What does it mean to protect the attack surface? What’s the difference between attack surface protection vs. attack surface management? Rob Gurzeev, CEO and Founder at Cycognito, joins us to discuss why attack surface monitoring needs to run across the entire infrastructure. It’s not just about open ports, but finding the assets that are exposed or exploitable, or abandoned, that create the greatest risk.

This segment is sponsored by CyCognito.

Visit https://securityweekly.com/cycognito to learn more about them!

Guest(s)

Rob Gurzeev – CEO and Co-Founder at CyCognito

@CyCognito

Rob Gurzeev, CEO and Co-Founder of CyCognito, has led the development of offensive security solutions for both the private sector and intelligence agencies. Prior to founding CyCognito, he was Director of Offensive Security and head of R&D at C4 Security (acquired by Elbit Systems) and the CTO of the Product Department of the 8200 Israeli Intelligence Corps. Honors that he received as an Israel Defense Forces Officer included Award for Excellence, the Creative Thinking Award and the Source of Life Award.

Hosts

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

Joff Thyer

@joff_thyer

Security Analyst at Black Hills Information Security

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian

@securityweekly

Founder at Security Weekly

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

3. ANOM Bust, Ransomware Solutions, NAC, & A PCI Deathmatch! – 08:00 PM-09:30 PM

Announcements

  • Security Weekly is ecstatic to announce that Security Weekly Unlocked will be held IN PERSON this December 5-8 at the Hilton Lake Buena Vista! Call for presentations & early registration for Security Weekly listeners is open now! Visit securityweekly.com/unlocked to submit your presentation & register for the early registration price before it expires!

Description

This week in the Security News, Paul & the crew discuss: Microsoft Patches 6 Zero-Days Under Active Attack, US seizes $2.3 million Colonial Pipeline paid to ransomware attackers, the largest password compilation of all time leaked online with 8.4 billion entries, How to pwn a satellite, One Fastly customer triggered internet meltdown, and I got 99 problems, but my NAC ain’t one, and more!

Hosts

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

Joff Thyer

@joff_thyer

Security Analyst at Black Hills Information Security

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

  1. Hackers Steal Wealth of Data from Game Giant EA
  2. Summary of June 8 outage
  3. Getting Ahead of Mandatory Cybersecurity Guidelines for Critical Industries – Security Boulevard
  4. Ransomware Is Not the Problem
  5. Updates to our policies regarding exploits, malware, and vulnerability research

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. Australian cops, FBI created backdoored chat app, told crims it was secure – then snooped on 9,000 users’ plots – The FBI was able to trick criminals into using an FBI-developed app, ANoM, to communicate with each other. The app was distributed on phones configured for the purpose of using the app, and starting in 2018, distributed on black markets.
  2. New Kubernetes malware backdoors clusters via Windows containers – Attackers have been identified leveraging the new “Siloscape” malware for more than a year in attacks designed to compromise Windows containers in order to then compromise Kubernetes nodes and backdoor clusters, which allows them to later abuse the compromised clusters to conduct other malicious attacks.
  3. WAGO Controller Flaws Can Allow Hackers to Disrupt Industrial Processes – Researchers have uncovered two vulnerabilities (CVE-2021-21000 and CVE-2021-21001) affecting WAGO industrial controllers that could be exploited by attackers to disrupt technological processes, which could result in industrial accidents.
  4. RockYou2021: largest password compilation of all time leaked online with 8.4 billion entries – RockYou2021, the largest password compilation of all time, has been leaked on a popular hacker forum; it contains 8.4 billion password entries.
  5. Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang – Krebs on Security – The U.S. Department of Justice said today it has recovered $2.3 million worth of Bitcoin that Colonial Pipeline paid to ransomware extortionists last month: 63.7 of 75 Bitcoins. DarkSide got 15% and the affiliate got 85% of the 75; the recovered amount represents the affiliate’s share.
  6. US to give ransomware attacks similar priority as terrorism, official says – DOJ has announced it will prioritize ransomware attacks similar to the way it prioritizes terrorism.
  7. Researchers Warn of Critical Bugs Affecting Realtek Wi-Fi Module – A new set of critical vulnerabilities has been disclosed in the Realtek RTL8170C Wi-Fi module that an adversary could abuse to gain elevated privileges and hijack wireless communications on vulnerable devices.
  8. UF Health Florida hospitals back to pen and paper after cyberattack – UF Health Central Florida, including UF Health The Villages Hospital, has suffered a reported ransomware attack that forced two hospitals to shut down portions of their IT.
  9. ALERT: Critical RCE Bug in VMware vCenter Server Under Active Attack – Hackers have been spotted actively scanning the Internet in search of VMware vCenter servers that have not been patched against a critical remote code execution (RCE) vulnerability (CVE-2021-21985) that could be exploited to execute commands on the system hosting the targeted vCenter Server.
  10. TikTok just gave itself permission to collect biometric data on U.S. users, including ‘faceprints and voiceprints’ – TechCrunch – A change to TikTok’s U.S. privacy policy on Wednesday introduced a new section that says the social video app “may collect biometric identifiers and biometric information” (faceprints and voiceprints).
  11. India’s Finance Software Powerhouse NSE Blown By EpsilonRed Ransomware – Financial software maker NSE has disclosed it suffered a ransomware attack during which attackers breached its internal networks and encrypted “essential business data.”
  12. Microsoft June 2021 Patch Tuesday fixes 6 exploited zero-days, 50 flaws – With Microsoft’s June 2021 Patch Tuesday come fixes for seven zero-day vulnerabilities, six of which are known to be exploited, and a total of 50 flaws, so Windows admins will be busy.
  13. Feds Say Imprisoned Hacker Ran a Drone Smuggling Ring – A San Francisco hacker already serving a 13-year prison term has been charged with using a smuggled cell phone to loot consumer debit card accounts, then channeling the profits into smuggling which used a remotely-piloted drone to drop contraband into the prison yard.

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. The Workforce Shortage in Cybersecurity Is a Myth – “We don’t have a workforce shortage problem. What we have is an automation-in-the-wrong-place problem. It’s not about training people to do traditional network security. What we need are mathematical models that meaningfully predict risk and provide pathways to reduce it. This lesson is easily seen in vulnerability management, but it’s applicable to other fields. Think of it this way: The typical enterprise network has millions of vulnerabilities. On median, our research found that out of about 500 enterprises, IT teams fix 10% of those vulnerabilities, though some exceptional performers patch 25% on a monthly basis. If companies were to hire enough people to eliminate every vulnerability from their systems, they’d need to at least quadruple their workforce devoted to the task.” – I disagree with Michael Roytman on all points. We do have a workforce shortage problem, as there is not enough talent across the board to fill roles IN ALL aspects of cybersecurity. Cybersecurity needs people in IT, development, policy, HR, legal and more. We need a fundamental structure that defines what roles need to be created and curated, then a system to develop talent in those areas. Yes, we need technical people, but more importantly we need people that understand cybersecurity (and that does not mean that you are a technical wizard per se). Also, the entire narrative that there are so many vulnerabilities and we should only focus on the ones that are weaponized does not represent the entire picture. Attackers don’t always rely on vulnerabilities and exploits; that ship sailed a long time ago. Successful attacks are about targeted weaknesses. These weaknesses could be people, processes, technologies, or even better a combination of all three. Security is not just about patching your shit (but you must patch your shit). Security is not all about educating your employees (though you should do that too). It’s more about building resilient systems and monitoring said resilient systems to ensure they are working properly. Patching, configuration management, event monitoring, data security, etc. are all part of that. You can patch all your shit, okay even patch all your shit that has exploits that are being used, and still get hacked because of authentication, social engineering, the fact that you just installed AD and did nothing else to secure it, configured cloud services and didn’t apply any controls, etc…
  2. Hacking space: How to pwn a satellite – Valid point? – “Speaking of cryptography, it’s not just about using proven technologies, but since your flying metal might be up there for decades, using beginning-of-life cryptography algorithms that are more resistant to quantum cryptographic cracking is a good idea. Large number AES (Advanced Encryption Standard) is quantum resistant, for example, while RSA isn’t.”
  3. Microsoft Patches Six Zero-Day Security Holes – Krebs on Security
  4. Microsoft Patches 6 Zero-Days Under Active Attack
  5. How Can You Prevent Ransomware? – This is actually a good article (based on title alone I was ready to shred it). I love this: “So, what is needed, say CIOs, are three things: Good security operations, Good security policy, Good security engineering and testing”
  6. Hackers can mess with HTTPS connections by sending data to your email server
  7. One Fastly customer triggered internet meltdown
  8. Cisco Smart Install Protocol Still Abused in Attacks, 5 Years After First Warning – “Cisco describes Smart Install as a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. Smart Install can be very useful for organizations, but it can also pose a serious security risk.” – I actually have never seen Smart installs being used by enterprises, other than to allow people to hack your shit.
  9. Ransomware has become a cost of doing business – Help Net Security
  10. GitHub Starts Scanning for Exposed Package Registry Credentials
  11. Meat giant JBS pays $11m in ransom to resolve cyber-attack
  12. With Single Factor Authentication You’re One Step Away from Being the Next Colonial Pipeline – Entrust Blog
  13. Cryptography whizz Phil Zimmermann looks back at 30 years of Pretty Good Privacy – A few thoughts on this: While Phil was not a hardcore mathematician or cryptographer, his application of public-key systems was a notable change in computing history. His first attempt at a cipher suite was called “Bass-o-matic” in PGP 1.0, and it was horrible. The article seems to leave this out! To Phil’s credit, he got with actual crypto people and swapped it out in version 2. The fact that we can all use cryptosystems today is amazing when prior to 2001 the US Government was not keen on allowing everyone to encrypt communications.
  14. Hackers Force Iowa College to Cancel Classes for Four Days
  15. My Favorite Pentest Tools (Top 15) – This is a great list.
  16. How the Military Might Expand Its Cyber Skills
  17. US seizes $2.3 million Colonial Pipeline paid to ransomware attackers
  18. Vulnerabilities in Weapons Systems – Schneier on Security
  19. President Biden: Secure the Software Supply Chain
  20. I got 99 problems but my NAC ain’t one – “Using a transparent bridge. This is the implementation of Skip’s idea, which involves a device that – simply spoken – in a first instance just lets all the traffic traverse it by means of forwarding rules, being totally transparent to the network and all the participants. Next it does some tcpdump magic to sniff traffic like ARP, NetBIOS but also Kerberos, Active Directory, web etc., extracting the needed info to spoof the victim and the networks gateway to stay under the radar. With this info the needed rules in ebtables, iptables etc. are automatically created, and will allow an attacker to interact with the network mimicking the victim.”
  21. Farsight Security DNSDB Transforms for Maltego Enable Threat Hunters to Significantly Expand Cybersecurity Investigations
  22. Colonial Pipeline hacked with single password leaked on dark web
  23. Hacktivist Campaign Spreads Manifesto through Router Configuration Files – Lumen

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security