InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!
Velociraptor is a multi-platform, open-source, endpoint forensics, monitoring, and response platform that allows security professionals to quickly and easily dig through host artifacts and perform detection and response at scale.
It’s fast, precise, powerful … and free. It also supports Linux, Windows and macOS. Velociraptor is unique in offering a query language, so users can query their endpoints flexibly in response to new threat information.
In this session, we’ll discuss the key components of Velociraptor, and how it can be leveraged to improve endpoint security and visibility and facilitate rapid response to large networks.
Please visit our documentation site where you can learn about Velociraptor https://docs.velociraptor.app/
Mike Cohen – Digital Paleontologist at Rapid7
Mike is a digital forensic researcher and senior software engineer. He has been building cutting-edge open source digital forensic software for over two decades. In 2018 Mike founded the Velociraptor project – an advanced open source endpoint visibility platform. Mike joined Rapid7 in 2021 to continue work on Velociraptor and the wider open source DFIR community.
Wes Lambert – Principal Engineer at Security Onion Solutions
Wes Lambert is a Principal Engineer at Security Onion Solutions, where he helps companies to implement enterprise security monitoring solutions and better understand their computer networks.
Professor at Roger Williams University
Principal Managing Consultant and Director of Research & Development at InGuardians
Senior Cyber Analyst at Lawrence Livermore National Laboratory
Founder at Security Weekly
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element
2. Nzyme – Paul Asadoorian & Larry Pesce – 07:00 PM-07:45 PM
Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!
Keynotes from Alyssa Miller, John Strand, Lesley Carhart, & Dave Kennedy!
In this segment Paul and Larry attempt to confirm or deny that Nzyme performs intelligent device fingerprinting and behavioral analytics to detect rogue actors. Classic signature-based detection methods are just too easy to circumvent in WiFi environments.
Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
This week in the Security News: What to do with your old hardware, renting your phone, “persistently execute system software in the context of Windows”, sensational headline: ransomware could cause a food shortage, could someone please schedule the year of the Linux desktop?, public-key crypto explained?, malware attacks Windows through Linux, Microsoft Exchange AutoDiscover bug leaks 100k creds, and toilets that can identify you, er, from the bottom… & more!
Microsoft Exchange Autodiscover bugs leak 100K Windows credentials – Bugs in the implementation of Microsoft Exchange’s Autodiscover feature have leaked approximately 100,000 login names and passwords for Windows domains.
Researchers say organizations are unknowingly leaking their employees’ email passwords due to a design flaw in the widely used “Autodiscover” feature found in Microsoft Exchange that is designed to allow companies to host their own email servers and set up apps on phones or computers using only an employee’s email address and password. According to researchers, while the majority of apps search for the configuration file on a company’s domain, in instances where apps cannot find the configuration file, they will “fail up” somewhere else on the same domain, leaving users to deal with the problem.
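To make the “fail up” behaviour concrete from the defender’s side, here is an added example (not code from the podcast, the researchers, or Microsoft) that enumerates the Autodiscover hostnames a client is assumed to try for a given email domain, lists the ones that fall outside the organisation’s own domain (the hosts to block or alert on), and flags DNS lookups for them in constructed resolver log lines. The fallback order (dropping one leading label at a time until only the TLD is left) is an assumption made for illustration.

```python
# Added example: model the Autodiscover "fail-up" fallback and derive the
# hostnames a defender should block or alert on. The fallback order (drop one
# leading label at a time until only the TLD remains) is an ASSUMPTION.
import re
from typing import List, Tuple

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"  # well-known Exchange path


def fallback_hosts(email_domain: str) -> List[str]:
    """Hostnames an Autodiscover client is assumed to try, in order."""
    labels = [lbl for lbl in email_domain.lower().split(".") if lbl]
    return ["autodiscover." + ".".join(labels[i:]) for i in range(len(labels))]


def outside_org(email_domain: str, org_domain: str) -> List[str]:
    """Candidates NOT under the organisation's domain, i.e. the hosts a
    'failed-up' client would hand its credentials to."""
    org = org_domain.lower().strip(".")
    return [h for h in fallback_hosts(email_domain)
            if h != org and not h.endswith("." + org)]


DNS_LOG_RE = re.compile(r"client=(?P<src>\S+)\s+query=(?P<qname>\S+)")


def flag_dns_queries(log_lines: List[str], email_domain: str,
                     org_domain: str) -> List[Tuple[str, str]]:
    """Scan resolver log lines and return (client, qname) for every lookup of
    an out-of-org Autodiscover host."""
    watch = set(outside_org(email_domain, org_domain))
    hits = []
    for line in log_lines:
        m = DNS_LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if qname in watch:
            hits.append((m.group("src"), qname))
    return hits


if __name__ == "__main__":
    # Constructed sample log lines, not real traffic.
    sample = [
        "2021-09-24T10:01:02Z client=10.0.0.15 query=autodiscover.corp.example.com",
        "2021-09-24T10:01:03Z client=10.0.0.15 query=autodiscover.example.com",
        "2021-09-24T10:01:04Z client=10.0.0.15 query=autodiscover.com",
        "2021-09-24T10:02:00Z client=10.0.0.22 query=www.example.com",
    ]
    for host in outside_org("corp.example.com", "example.com"):
        print("block/alert:", host + AUTODISCOVER_PATH)
    for src, qname in flag_dns_queries(sample, "corp.example.com", "example.com"):
        print(f"{src} looked up {qname}: possible credential leak via fail-up")
```

Note that a multi-label public suffix such as co.uk yields two out-of-org candidates (autodiscover.co.uk and autodiscover.uk), so the block list should be built per email domain rather than by hand.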
Dark web prices drop for credit cards but soar for PayPal accounts – Overall, average prices for credit cards fell this year by 27% compared with a similar study conducted eight months ago. For 2021, the price of a PayPal account rose by 194% compared with the study from eight months ago. Based on Comparitech’s research, the average price of a PayPal account on the dark web is $196.50, with an average account balance of $2,133.61.
Zero-click RCE vulnerability in Hikvision security cameras could lead to network compromise – A researcher using the moniker “Watchful IP” says that he or she has uncovered an unauthenticated, zero-click remote code execution (RCE) vulnerability (CVE-2021-36260) impacting Hikvision’s popular Internet of Things (IoT) security cameras that could be exploited by unauthenticated attackers to obtain full control over targeted devices and possibly internal networks.
Probe launched into Afghan interpreter data breach – More than 250 people seeking relocation to the UK – many of whom are in hiding – were mistakenly copied into an email from the Ministry of Defence, potentially compromising their email addresses. OPSEC is important.
Scientists Working on Toilet That Identifies You by Your Butthole – Privacy please: “Take the Stanford School of Medicine, where The Wall Street Journal reports that researchers are developing a scanner that can recognize the user’s unique “anal print,” or “distinctive features of their anoderm,” meaning the skin of the anal canal. To pull it off, they installed a camera inside a toilet bowl and used machine learning algorithms to match stool samples to specific, uh, users. The system could even calculate “the flow rate and volume of urine using computer vision as a uroflowmeter,” according to the researchers’ 2020 paper.”
Out with the Old – The Hacker Factor Blog – “Another option is to give the drive a hard tap, but that doesn’t always work. Usually this means opening the box, pulling the hard drive, and tapping the drive gently. Personally, I wasn’t feeling that patient. Instead, I intentionally dropped the 30 lbs desktop computer a few inches onto some cardboard. The cardboard protected the floor, while the drop gave it a sharp tap. Then I turned it on.” – Too funny!
CVE-2021-40847 flaw in Netgear SOHO routers could allow remote code execution – Here we are in 2021 still talking about secure update protocols for IoT devices: “The daemon connects to Circle and Netgear to obtain version information and updates to the circled daemon and its filtering database. Experts noticed that database updates from Netgear are unsigned and downloaded via Hypertext Transfer Protocol (HTTP), allowing the attacker to carry out a MitM attack on the device.”
100M IoT Devices Exposed By Zero-Day Bug – “Researchers at Guardara used their technology to find a zero-day vulnerability in NanoMQ, an open-source platform from EMQ that monitors IoT devices in real time, then acts as a “message broker” to deliver alerts that atypical activity has been detected. EMQ’s products are used to monitor the health of patients leaving a hospital, to detect fires, monitor car systems, in smartwatches, in smart-city applications and more.”
A New Bug in Microsoft Windows Could Let Hackers Easily Install a Rootkit – Yikes: “Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions,” the Windows maker notes in its documentation. “In particular, WPBT solutions must not include malware (i.e., malicious software or unwanted software installed without adequate user consent).” The vulnerability uncovered by the enterprise firmware security company is rooted in the fact that the WPBT mechanism can accept a signed binary with a revoked or an expired certificate to completely bypass the integrity check, thus permitting an attacker to sign a malicious binary with an already available expired certificate and run arbitrary code with kernel privileges when the device boots up.
$5.9 million ransomware attack on farming co-op may cause food shortage – This is a mistake; never negotiate with criminals and expect them to follow rules, even ones they created: “What’s notable about the attack is the company’s insistence that they are critical infrastructure and should therefore be spared as per BlackMatter’s own policy. However, the operators behind BlackMatter disagree with this assessment and are continuing to pursue payment from the victim”.
Windowsfx is the Linux distribution Windows users have been looking for – Okay, also, we don’t need Linux to look like Windows (or macOS for that matter). We’re not seeing Linux on the desktop for many reasons; look and feel is way down on the list, if it even makes the list at all. We’ll see Linux on more desktops when Apple pisses off more of its customer base, Microsoft moves all your apps to the cloud and confuses its user base, the Linux kernel driver developers work more closely with most hardware manufacturers, and we settle on a standard, or a few, for making apps for Linux that cross distribution boundaries (like snap, but actually better than snap).
Malware attacks Windows machines through Windows Subsystem for Linux for the first time – “While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in Virus Total, depending on the sample, as of the time of this writing” and “Since most endpoint agents designed for Windows systems don’t ship with signatures to analyze ELF files, this attack vector could’ve allowed the threat actors to infect a target without any resistance.” If you want to get busy with it: https://linuxhint.com/understanding_elf_file_format/