Paul’s Security Weekly Episode #710 – September 16, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. The State of Network Security in 2021 – 06:00 PM-06:45 PM

Sponsored By

Visit https://securityweekly.com/barracuda for more information!

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

Description

Network breaches, ransomware attacks, and remote-work challenges highlight the need for cloud-native Secure Access Service Edge (SASE) deployments.

This segment is sponsored by Barracuda Networks.

Visit https://securityweekly.com/barracuda to learn more about them!

Guest(s)

Sinan Eren – VP, Zero Trust Access • ZTNA Engineering at Barracuda Networks

@DidymaWorks

Sinan Eren is the VP of Zero Trust Access at Barracuda. Sinan was formerly the Founder & CEO at Fyde, acquired by Barracuda in November of 2020.

Hosts

Patrick Laverty

@plaverty9

Security Consultant at Rapid7

Paul Asadoorian

@securityweekly

Founder at Security Weekly

2. Brakeman – 07:00 PM-07:45 PM

Description

Brakeman is a free static analysis security tool specifically designed for Ruby on Rails applications. It analyzes Rails application code to find security issues at any stage of development.

Justin first released Brakeman in 2010. In 2018, the commercial version, “Brakeman Pro”, was acquired by Synopsys. Brakeman continues to be a very popular security tool for Rails, with tens of thousands of downloads per day.

https://github.com/presidentbeef/brakeman

Guest(s)

Justin Collins – People Empowerer for Product Security Team at Gusto

@presidentbeef

Justin currently empowers the product security team at Gusto. In the past, he has been an application security engineer at SurveyMonkey, Twitter, & AT&T Interactive. Justin is the primary author of Brakeman, a free static analysis security tool for Ruby on Rails. The commercial version of Brakeman was acquired by Synopsys in 2018.

Hosts

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

Patrick Laverty

@plaverty9

Security Consultant at Rapid7

Paul Asadoorian

@securityweekly

Founder at Security Weekly

3. Dubious Drones, NSO Group, Apple’s Bug Bounties, Ghostscript 0-Day, & IBM Server Bugs – 08:00 PM-09:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our YouTube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!

    We are excited to announce our speakers: Lesley Carhart, John Strand, Alyssa Miller, Dave Kennedy, O’Shea Bowens, Marina Ciavatta, Patrick Coble, Chris Eng, Eric Escobar, Nick Leghorn, Michael Schladt, Kevin Johnson, Justin Kohler, Jay Beale, Trenton Ivey & Ryan Cobb!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

Description

This week in the Security News: Anonymous hacks Epik (with a K), Fuzzing Closed-Source JavaScript Engines, ForcedEntry, 8 Websites that can replace computer software, REvil decryptor key released, Microsoft fixes Critical vulnerability in Linux App, Drone accidentally delivers drug paraphernalia to high schoolers, & more!!!

Hosts

Joff Thyer

@joff_thyer

Security Analyst at Black Hills Information Security

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

Patrick Laverty

@plaverty9

Security Consultant at Rapid7

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. Drone accidentally drops off several pounds of weed, tobacco at high school – Oops: “A drone carrying a package filled with marijuana, tobacco and three cell phones landed on school grounds in Brunswick County, Virginia on Monday. Investigators say this package was meant to be dropped off at the Lawrenceville Correctional Center.”
  2. U.S. Company Sold Zero-Click Hacking Tool to UAE Spy Operation – “Baier, Adams, and Gericke are alleged to have violated the International Traffic in Arms Regulations and conspired to commit access device fraud and computer hacking offenses. In another filing, prosecutors added that they will drop the charges if the three men cooperate with U.S. authorities, pay a financial penalty, and agree to a list of unspecified restrictions on their employment” – So, turns out, you can’t just sell exploits to anyone willy-nilly… (or if you do, there are consequences)
  3. There Are Too Many Underemployed Former Spies Running Around Selling Their Services to the Highest Bidder – Agree? “This has been a years-long investigation and, in addition, far from the spotlight, policymakers have been trying to update the laws and regulations regarding how much of their expertise former American intelligence operatives can peddle to foreign countries, which will use that expertise to, oh, let’s just say, ratfck any attempts to reform their oil-sodden repression. This cannot be a space that is beyond the law.”
  4. 8 Useful Websites That Can Replace Computer Software – Is this more or less secure? Or, does it really matter? – My issue is that your data has to be uploaded to a 3rd party, for PDF editor as an example…
  5. Google is backing security reviews of these key open source projects – “OSTIF has identified a total of 25 MAP projects targeted for funding, including the eight that Google has funded to date. Other projects with funding pending support include well-known systems and tools developers use, such as the Drupal and Joomla web content management systems, webpack, reprepro, cephs, Facebook-maintained React Native, salt, Gatsby, Google-maintained Angular, Red Hat’s Ansible, and Google’s Guava Java framework.”
  6. Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects
  7. FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild – The Citizen Lab – “Citizen Lab forwarded the artifacts to Apple on Tuesday, September 7. On Monday, September 13, Apple confirmed that the files included a zero-day exploit against iOS and MacOS. They designated the FORCEDENTRY exploit CVE-2021-30860, and describe it as “processing a maliciously crafted PDF may lead to arbitrary code execution.””
  8. Democracy Now: NSO Group Spies Secretly Seized Control of Apple Devices by Exploiting Flaw in Code – The Citizen Lab
  9. Fuzzing Closed-Source JavaScript Engines with Coverage Feedback
  10. Universal decryptor key for Sodinokibi, REvil ransomware released
  11. Apple Issues Urgent Updates to Fix New Zero-Day Linked to Pegasus Spyware – “The updates arrive weeks after researchers from the University of Toronto’s Citizen Lab revealed details of a zero-day exploit called “FORCEDENTRY” (aka Megalodon) that was weaponized by Israeli surveillance vendor NSO Group and allegedly put to use by the government of Bahrain to install Pegasus spyware on the phones of nine activists in the country since February this year.”
  12. Anonymous Claims to Have Stolen Huge Trove of Data From Epik, the Right-Wing’s Favorite Web Host – “Members of the hacktivist collective Anonymous claim to have hacked web registration company Epik, allegedly stealing “a decade’s worth of data,” including reams of information about its clients and their domains. Epik is controversial, having been known to host a variety of rightwing clients, including ones that other web hosting providers, like GoDaddy, have dropped for various reasons.” – How active is Anonymous these days?
  13. All PrintNightmare Vulnerabilities Fixed
  14. No Patch for High-Severity Bug in Legacy IBM System X Servers – “By sending a specially-crafted request through SSH or Telnet session, an attacker could exploit this vulnerability to execute arbitrary commands on the system.” The fix is easy LOL: “Disable SSH and Telnet (This can be done in the Security and Network Protocol sections of the navigation pane after logging into the IMM web interface)”
  15. Microsoft Fixes Critical OMIGOD Vulnerabilities in Linux App – WOW: “Thanks to the combination of a simple conditional statement coding mistake and an uninitialized auth struct, any request without an Authorization header has its privileges default to uid=0, gid=0”
  16. Security Researchers Unhappy With Apple’s Bug Bounty Program – So get this, researchers say: “Security researchers said that Apple limits feedback on which bugs will receive a bounty, and former and current Apple employees said there’s a “massive backlog” of bugs that have yet to be addressed.” and “In interviews with more than two dozen security researchers, The Washington Post collected a number of complaints. Apple is slow to fix bugs, and doesn’t always pay out what’s owed.” YET, Apple says: “Apple feels the program has been a success, and that Apple has doubled the amount that it paid in bug bounties in 2020 compared to 2019. Apple is, however, still working to scale the program, and will offer new rewards in the future”
  17. Critical vulnerability in HAProxy – “HTTP Request Smuggling is an attack technique that emerged in 2005. It is based on interfering with the processing of HTTP requests between the frontend server (i.e. HAProxy) and the backend server. An adversary typically exploits this technique by sending a specially crafted request that includes an additional request in its body. On a successful attack, the inner request is smuggled through the frontend (that considers it as only the request’s body) but is consumed as a normal request by the backend.”
  18. PoC released for Ghostscript vulnerability that exposed Airbnb, Dropbox – “Hackers have released proof-of-concept code that exploits a recently demonstrated vulnerability in older but still widely used versions of Ghostscript, the popular server-side image conversion software package. Security researcher Emil Lerner demonstrated an unpatched vulnerability for Ghostscript version 9.50 at the ZeroNights X conference in Saint Petersburg, Russia last month.” – PoC: https://github.com/duc-nt/RCE-0-day-for-GhostScript-9.50 and more info: https://therecord.media/ghostscript-zero-day-allows-full-server-compromises/ (Originally From: https://twitter.com/jensvoid/status/1435631308294795264)