1. OpenWRT for Enterprise and Labs – 06:00 PM-06:45 PM
Announcements
Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!
Join us June 24 at 11 AM ET to learn how web application firewalls can help mitigate exposure in a complex threat landscape. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand.
Description
OpenWRT is a mature and well-supported project. It runs on many hardware platforms and is available in production-level products. OpenWRT has developed into a platform filled with enterprise-level features, making it a successful product for enterprise use. Because it runs on many IoT platforms, including home gateways, and has an easy-to-use web interface, it is also a great platform on which to start building a lab.
Segment Resources:
Company Website Link: xcapeinc.com
Gene is an experienced security professional whose work history runs the gamut of IT, from red teaming and tools development, to DevSecOps and working on the blue team, to engineering, development, and automation. He has worked for several Fortune 500 companies as well as start-ups, from security companies to fintech to medical device manufacturers. Gene is a long-time hacker community member and enjoys contributing to the community.
Hosts
Adrian Sanabria
@sawaba
Senior Research Engineer at CyberRisk Alliance
Jeff Man
@MrJeffMan
#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems
Larry Pesce
@haxorthematrix
Principal Managing Consultant and Director of Research & Development at InGuardians
Lee Neely
@lelandneely
Senior Cyber Analyst at Lawrence Livermore National Laboratory
Paul Asadoorian
@securityweekly
Founder at Security Weekly
Tyler Robinson
@tyler_robinson
Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security
2. Protecting the Attack Surface – 07:00 PM-07:45 PM
Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!
Description
What does it mean to protect the attack surface? What’s the difference between attack surface protection and attack surface management? Rob Gurzeev, CEO and Founder at CyCognito, joins us to discuss why attack surface monitoring needs to run across the entire infrastructure. It’s not just about open ports, but about finding the assets that are exposed, exploitable, or abandoned and therefore create the greatest risk.
Rob Gurzeev, CEO and Co-Founder of CyCognito, has led the development of offensive security solutions for both the private sector and intelligence agencies. Prior to founding CyCognito, he was Director of Offensive Security and head of R&D at C4 Security (acquired by Elbit Systems) and the CTO of the Product Department of the 8200 Israeli Intelligence Corps. Honors he received as an Israel Defense Forces officer include the Award for Excellence, the Creative Thinking Award and the Source of Life Award.
Hosts
Adrian Sanabria
@sawaba
Senior Research Engineer at CyberRisk Alliance
Jeff Man
@MrJeffMan
#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems
Joff Thyer
@joff_thyer
Security Analyst at Black Hills Information Security
Larry Pesce
@haxorthematrix
Principal Managing Consultant and Director of Research & Development at InGuardians
Lee Neely
@lelandneely
Senior Cyber Analyst at Lawrence Livermore National Laboratory
Paul Asadoorian
@securityweekly
Founder at Security Weekly
Tyler Robinson
@tyler_robinson
Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security
Security Weekly is ecstatic to announce that Security Weekly Unlocked will be held IN PERSON this December 5-8 at the Hilton Lake Buena Vista! Call for presentations & early registration for Security Weekly listeners is open now! Visit securityweekly.com/unlocked to submit your presentation & register for the early registration price before it expires!
Description
This week in the Security News, Paul & the crew discuss: Microsoft Patches 6 Zero-Days Under Active Attack, US seizes $2.3 million Colonial Pipeline paid to ransomware attackers, the largest password compilation of all time leaked online with 8.4 billion entries, How to pwn a satellite, One Fastly customer triggered internet meltdown, I got 99 problems but my NAC ain’t one, and more!
Hosts
Adrian Sanabria
@sawaba
Senior Research Engineer at CyberRisk Alliance
Jeff Man
@MrJeffMan
#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems
Joff Thyer
@joff_thyer
Security Analyst at Black Hills Information Security
Larry Pesce
@haxorthematrix
Principal Managing Consultant and Director of Research & Development at InGuardians
New Kubernetes malware backdoors clusters via Windows containers – Attackers have been identified leveraging the new “Siloscape” malware for more than a year in attacks designed to compromise Windows containers, then compromise Kubernetes nodes and backdoor clusters. The compromised clusters can later be abused to conduct other malicious attacks.
WAGO Controller Flaws Can Allow Hackers to Disrupt Industrial Processes – Researchers have uncovered two vulnerabilities (CVE-2021-21000 and CVE-2021-21001) affecting WAGO industrial controllers that could be exploited by attackers to disrupt technological processes, which could result in industrial accidents.
Researchers Warn of Critical Bugs Affecting Realtek Wi-Fi Module – A new set of critical vulnerabilities has been disclosed in the Realtek RTL8170C Wi-Fi module that an adversary could abuse to gain elevated privileges and hijack wireless communications on vulnerable devices.
ALERT: Critical RCE Bug in VMware vCenter Server Under Active Attack – Hackers have been spotted actively scanning the Internet in search of VMware vCenter servers that have not been patched against a critical remote code execution (RCE) vulnerability (CVE-2021-21985) that could be exploited to execute commands on the system hosting the targeted vCenter Server.
Feds Say Imprisoned Hacker Ran a Drone Smuggling Ring – A San Francisco hacker already serving a 13-year prison term has been charged with using a smuggled cell phone to loot consumer debit card accounts, then channeling the profits into smuggling which used a remotely-piloted drone to drop contraband into the prison yard.
Paul Asadoorian
@securityweekly
Founder at Security Weekly
The Workforce Shortage in Cybersecurity Is a Myth – “We don’t have a workforce shortage problem. What we have is an automation-in-the-wrong-place problem. It’s not about training people to do traditional network security. What we need are mathematical models that meaningfully predict risk and provide pathways to reduce it. This lesson is easily seen in vulnerability management, but it’s applicable to other fields. Think of it this way: The typical enterprise network has millions of vulnerabilities. On median, our research found that out of about 500 enterprises, IT teams fix 10% of those vulnerabilities, though some exceptional performers patch 25% on a monthly basis. If companies were to hire enough people to eliminate every vulnerability from their systems, they’d need to at least quadruple their workforce devoted to the task.” – I disagree with Michael Roytman on all points. We do have a workforce shortage problem, as there is not enough talent across the board to fill roles IN ALL aspects of cybersecurity. Cybersecurity needs people in IT, development, policy, HR, legal and more. We need a fundamental structure that defines what roles need to be created and curated, then a system to develop talent in those areas. Yes, we need technical people, but more importantly we need people that understand cybersecurity (and that does not mean that you are a technical wizard per se). Also, the entire narrative that there are so many vulnerabilities and we should only focus on the ones that are weaponized does not represent the entire picture. Attackers don’t always rely on vulnerabilities and exploits, that ship sailed a long time ago. Successful attacks are about targeted weaknesses. These weaknesses could be people, processes, technologies, or even better a combination of all three. Security is not just about patching your shit (but you must patch your shit). Security is not all about educating your employees (though you should do that too). It’s more about building resilient systems and monitoring said resilient systems to ensure they are working properly. Patching, configuration management, event monitoring, data security, etc. are all part of that. You can patch all your shit, okay even patch all your shit that has exploits that are being used, and still get hacked because of authentication, social engineering, the fact that you just installed AD and did nothing else to secure it, configured cloud services and didn’t apply any controls, etc…
Hacking space: How to pwn a satellite – Valid point? – “Speaking of cryptography, it’s not just about using proven technologies, but since your flying metal might be up there for decades, using beginning-of-life cryptography algorithms that are more resistant to quantum cryptographic cracking is a good idea. Large number AES (Advanced Encryption Standard) is quantum resistant, for example, while RSA isn’t.”
How Can You Prevent Ransomware? – This is actually a good article (based on the title alone I was ready to shred it). I love this: “So, what is needed, say CIOs, are three things: Good security operations, Good security policy, Good security engineering and testing”
Cisco Smart Install Protocol Still Abused in Attacks, 5 Years After First Warning – “Cisco describes Smart Install as a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. Smart Install can be very useful for organizations, but it can also pose a serious security risk.” – I actually have never seen Smart Install being used by enterprises, other than to allow people to hack your shit.
Cryptography whizz Phil Zimmermann looks back at 30 years of Pretty Good Privacy – A few thoughts on this: While Phil was not a hardcore mathematician or cryptographer, his application of public-key systems was a notable change in computing history. His first attempt at a cipher suite was called “Bass-o-matic” in PGP 1.0, and it was horrible. The article seems to leave this out! To Phil’s credit, he got with actual crypto people and swapped it out in version 2. The fact that we can all use cryptosystems today is amazing when prior to 2001 the US Government was not keen on allowing everyone to encrypt communications.
I got 99 problems but my NAC ain’t one – “Using a transparent bridge. This is the implementation of Skip’s idea, which involves a device that – simply spoken – in a first instance just lets all the traffic traverse it by means of forwarding rules, being totally transparent to the network and all the participants. Next it does some tcpdump magic to sniff traffic like ARP, NetBIOS but also Kerberos, Active Directory, web etc., extracting the needed info to spoof the victim and the network’s gateway to stay under the radar. With this info the needed rules in ebtables, iptables etc. are automatically created, and will allow an attacker to interact with the network mimicking the victim.”