psw703

Paul’s Security Weekly Episode #703 – July 22, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Online Safety & Security: Dating Apps & Online Marketplaces – 06:00 PM-06:45 PM

Announcements

Description

Safety in online dating spaces is an issue the dating industry has grappled with for some time; with the surge of dating app usage during the pandemic, the demand for dating apps to take responsibility and ensure safer online interactions is at an all-time high. RealMe is a technology platform that hopes to solve this problem on dating apps (and other online marketplaces) by providing in-app background checks that aggregate publicly available information on criminal records, sex offender status, personal reviews, and more.

Guest(s)

Jeff Tinsley

Jeff Tinsley – CEO at RealMe

Jeff Tinsley is the founder and CEO of RealMe, a turnkey, no-cost technology solution to protect dating app users and other online marketplaces.
For nearly 20 years, Jeff has dedicated his career to building trust and transparency online. A perpetual entrepreneur, Jeff founded several other successful business ventures prior to RealMe. Notable highlights include GreatDomains, an early leader in the field of internet domain transactions that sold to VeriSign for $100 million, RealtyTracker, an online real estate service acquired by Guthy-Renker, and MediaPass, a B2B platform for publishers to attract and retain subscribers.
Today, Jeff is dedicated to cultivating safety and trust online through RealMe. Beyond his work with RealMe, Jeff finds his greatest professional fulfillment in helping shape the successes of the next generation of leaders, through mentorship and thoughtful advice as a veteran of online business for 25+ years.
Jeff Tinsley’s acumen has been recognized by Ernst & Young, who named him Entrepreneur of the Year in 2009. When not managing his businesses, Jeffrey enjoys the outdoors and spending time with his family.

Hosts

JeffMan

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

2. CyberMarket & Democratisation/Globalisation of CyberSecurity Consulting – 07:00 PM-07:45 PM

Announcements

  • Security Weekly Unlocked will be held IN PERSON this December 5-8 at the Hilton Lake Buena Vista! Our Call For Presentations Deadline has been extended through July 23rd at 11:59 pm ET! Visit securityweekly.com/unlocked to submit your presentation!

Description

CyberMarket.com is a marketplace where CyberSecurity Consultancies and clients can find each other. There is a growing trend where CyberSecurity Consultants recognize the gap between what they are worth to a consultancy as being sold out for a daily rate compared to what they get paid. There are a number of consultants who are leaving consultancies to start the next generation of independent / boutique consultancies but they don’t have a sales pipeline and sales staff like their old consultancies do. CyberMarket.com is a place to help facilitate the sales pipeline for cybersecurity consultancies of various sizes.

Segment Resources:
https://www.cybermarket.com

There is a blog at https://www.cybermarket.com/homes/blog where an article to help people to start up their own cybersecurity consultancy can be found.

Guest(s)

Gordon Draper

Gordon Draper – Founder and CEO at CyberMarket.com

Gordon Draper is the Director and CEO of the CyberMarket.com which is a marketplace connecting CyberSecurity Consultancies and clients together. CyberMarket.com has regions covering USA, India and Australia to start with covering all forms of CyberSecurity services from Red Teaming, to Incident Response teams to GRC and CyberSecurity Awareness.

He is also the Director and CEO of the CyberSecurity Consultancy Fortsafe.com which includes clients in the Banking and Finance Industry. He has over 20 years’ experience in the IT Industry and oversees services including Red Teaming, Penetration Testing, Incident Response, Governance Risk and Compliance including Cyber Security Assurance. He has developed Cyber Security Questionnaires based on the NIST 800-53 Controls Framework, ISO 27k and CSA-CCM which assess Vendor’s solutions for clients.

He has presented at International Conference Defcon 27 and in Australia the SecTalks monthly community meetings covering previous research into Bitcoin Hackers trying to steal money from a bitcoin honeypot. In his spare time he hunts for Bug Bounties, is investigating vehicle 2 everything (v2x) and develops training courses for the next generation of Info Sec professionals.

Hosts

JeffMan

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

3. Windows Vulns Galore, Homoglyph Domains, Pegasus, & “Trust No One”! – 08:00 PM-09:30 PM

Announcements

  • CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

Description

This week in the Security News: Trust no one, its all about the information, so many Windows vulnerabilities and exploits, so. many., Saudi Aramco data for sale, Sequoia, a perfectly named Linux vulnerability, is Microsoft a national security threat?, Pegasus and clickless exploits for iOS, homoglyph domain takedowns, when DNS configuration goes wrong and a backdoor in your backdoor!Trust no one, its all about the information, so many Windows vulnerabilities and exploits, so. many., Saudi Aramco data for sale, Sequoia, a perfectly named Linux vulnerability, is Microsoft a national security threat?, Pegasus and clickless exploits for iOS, homoglyph domain takedowns, when DNS configuration goes wrong and a backdoor in your backdoor!

Hosts

JeffMan

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

  1. Senate bill gives contractors, others 24 hours to disclosure breaches – Because breach notification is the most important thing missing from data security programs.
  2. How Data Discovery and Zero Trust Can Help Defend Against a Data Breach – It’s all about the information, Marty.
  3. Risk of Cloud Breaches Rising, Teams Struggling to Address Them, Fugue and Sonatype Survey Finds – But I thought migrating to the cloud solved all your security woes.
  4. Security And Compliance Tools And Strategies For The Cloud – Some of these recommendations might be more readily apparent if the focus was on compliance first rather than security. just sayin’.
  5. China’s GDPR is coming: are you ready? – Wait. Aren’t they the bad guys?
  6. ‘Trust No One’ Should Be Our New Security Motto – Wait, what? New?
JoffThyer

Joff Thyer

@joff_thyer

Security Analyst at Black Hills Information Security

LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. White House: The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China – The United States has long been concerned about the People’s Republic of China’s (PRC) irresponsible and destabilizing behavior in cyberspace. Today, the United States and our allies and partners are exposing further details of the PRC’s pattern of malicious cyber activity and taking further action to counter it, as it poses a major threat to U.S. and allies’ economic and national security.
  2. Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department – This Joint Cybersecurity Advisory was written by the FBI and the CISA to provide information on a Chinese APT group known in open-source reporting as APT40. This advisory provides APT40’s TTPs and IOCs to help cybersecurity practitioners identify and remediate APT40 intrusions and established footholds.
  3. Chinese State-Sponsored Cyber Operations: Observed TTPs – Trends in Chinese State-Sponsored Cyber Operations NSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII).
  4. Apple security updates – Safari 14.1.2 macOS Catalina and macOS Mojave19. iOS and iPadOS 14.7, watchOS 7.6, tvOS 14.7, macOS 11.5 all dropped 7/19 & 7/21.
  5. New Windows 10 vulnerability allows anyone to get admin privileges – Windows 10 and Windows 11 are vulnerable to a local elevation of privilege vulnerability after discovering that users with low privileges can access sensitive Registry database files. SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE databases can be read by anybody.
  6. The US government is offering big bucks to track down foreign hackers – The US State Department has announced that it is offering up to $10 million for information that can help identify or locate state-sponsored threat actors.
  7. Microsoft secured court order to take down domains used in BEC campaign – Microsoft obtained a court order that allowed the company to take down malicious “homoglyph” domains that are being used to conduct fraud. In all, Microsoft took down 17 domains that were crafted to appear legitimate through variations in spelling or the use of characters that are similar in appearance.
  8. Saudi Aramco data breach sees 1 TB stolen data for sale – This month, a threat actor group known as ZeroX is offering 1 TB of proprietary data belonging to Saudi Aramco for sale.
    ZeroX claims the data was stolen by hacking Aramco’s “network and its servers,” sometime in 2020.
    As such, the files in the dump are as recent as 2020, with some dating back to 1993, according to the group.
PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1 – “This blog post is the first in the series and will describe the vulnerability, the initial constraints from an exploit development perspective and finally how WNF can be abused to obtain a number of exploit primitives. The blogs will also cover exploit mitigation challenges encountered along the way, which make writing modern pool exploits more difficult on the most recent versions of Windows.”
  2. Sequoia: A Deep Root In Linux’s Filesystem Layer ? Packet Storm – Neat! “Qualys discovered a size_t-to-int conversion vulnerability in the Linux kernel’s filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string “//deleted” to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer. They successfully exploited this uncontrolled out-of-bounds write, and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation; other Linux distributions are certainly vulnerable, and probably exploitable. A basic proof of concept (a crasher) is attached to this advisory.” Qualys Post: https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909 Note: In a separate post, the Qualys research team also disclosed a DoS vulnerability in systemd: https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/cve-2021-33910-denial-of-service-stack-exhaustion-in-systemd-pid-1
  3. CVE-2021-3438: 16 Years In Hiding – Millions of Printers Worldwide Vulnerable – SentinelLabs – Ya wonder how no one has found this before, given: “Several months ago, while configuring a brand new HP printer, our team came across an old printer driver from 2005 called SSPORT.SYS thanks to an alert by Process Hacker once again. This led to the discovery of a high severity vulnerability in HP, Xerox, and Samsung printer driver software that has remained undisclosed for 16 years. This vulnerability affects a very long list of over 380 different HP and Samsung printer models as well as at least a dozen different Xerox products.”
  4. SonicWall warns of ‘imminent ransomware campaign’ targeting its EOL equipment – The Record by Recorded Future – Don’t want ransomware? Upgrade your devices, and you’ll pay: “If customers can’t update, SonicWall is recommending that they disconnect devices immediately and reset their access passwords, and enable account multi-factor authentication, if supported. “The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk,” it added.” – I mean, or you could just unplug your firewalls and other gear…SMH.
  5. Microsoft: New Unpatched Bug in Windows Print Spooler – “The company released the advisory late Thursday for the latest bug, a Windows Print Spooler elevation-of-privilege vulnerability tracked as CVE-2021-34481. Microsoft credited Dragos vulnerability researcher Jacob Baines for identifying the issue.”
  6. Backdoor.Win32.IRCBot.gen Remote Command Execution – Is this a bug or a feature? “The malware listens on TCP port 6777. Third-party attackers who can reach infected systems can execute commands. Commands must be wrapped in quotes or it will fail.”
  7. Is Microsoft a National Security Threat? – I don’t buy it, regardless of the operating system, you are just as vulnerable: “Because of this, organizations relying on Windows will have a hell of a time migrating away from Windows and the rest of the Microsoft ecosystem which means that they’re naturally going to drag their toes in doing so; the bigger they are, the slower any attempt at a migration will go. In turn, this means that there is plenty of time for those that can easily migrate away from the madness and insecurity of the Microsoft ecosystem as a means of sheltering themselves from a barrage of attacks safely in the shadow of Microsoft for the time being.” – Apple hides their vulnerabilities as best they can. No one wants to take the time to find and disclose a big enough percentage of Linux vulnerabilities to make a difference (Though Qualys is having a go at it.).
  8. “Clickless” exploits from Israeli firm hacked activists’ fully updated iPhones – “Pegasus is frequently installed through “zero-click” exploits, such as those sent by text messages, which require no interaction from victims. After the exploits surreptitiously jailbreak or root a target’s iPhone or Android device, Pegasus immediately trawls through a wealth of the device’s resources. It copies call histories, text messages, calendar entries, and contacts. It is capable of activating the cameras and microphones of compromised phones to eavesdrop on nearby activities. It can also track a target’s movements and steal messages from end-to-end encrypted chat apps.” More info: https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones
  9. Microsoft Cracks Down on Malicious Homoglyph Domains – Brand monitoring tools should catch this, right? If so, then why did Microsoft have to kill 20 attacker-owned domains? – “In one instance, the attackers hijacked legitimate Office 365 e-mail communication to send an impersonation email from a homoglyph domain (that had a single letter changed) and convince the victim that the message came from a known trusted source. They then falsely claimed that the CFO put a hold on the account, asking for a payment to be made as soon as quickly.”
  10. Bug Bounty Bootcamp?—?Ch07: Open Redirects – We talked about open redirects on a previous episode, this is a pretty good tutorial to use as a reference.
  11. Fortinet’s security appliances hit by remote code execution vulnerability – “A Use After Free (CWE-416) vulnerability in [the] FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorised code as root via sending a specifically crafted request to the FGFM port of the targeted device,” the vendor warned customers. Note that the FGFM service is disabled by default in FortiAnalyzer…”
  12. How to Test a Plugin’s Performance and Security – For WordPress, mostly stuff people know about already, but interesting how you can use Chrome’s built-in dev tools to report on unused CSS/JS files. Curious if there are potential attack vectors here…?
  13. How does TLS work?
  14. The elegant maths behind the RSA Encryption
  15. Security implications of misconfigurations – The lost domain that led to: “Talos registered the domain and we immediately noticed a significant majority of the DNS requests were related to internet computers looking for a file called “wpad.dat” on tiburoninc.net’s web server…Abusing the proxy settings communicated to these employees could have allowed a potential attacker to establish their own proxy, inspect all data transmitted from the employees’ computers, and manipulate the data returned in the response.” They also found a typosquat domain that had requests for VPN connections and others that made a typo in the MX server record!
TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security