psw711

Paul’s Security Weekly Episode #711 – September 23, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Velociraptor – Digging Deeper – 06:00 PM-06:45 PM

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

Description

Velociraptor is a multi-platform, open-source, endpoint forensics, monitoring, and response platform that allows security professionals to quickly and easily dig through host artifacts and perform detection and response at scale.

It’s fast, precise, powerful … and free. It also supports Linux, Windows and MacOS. Velociraptor is a unique tool since it offers a query language so that users may query their endpoint flexibly in response to new threat information.

In this session, we’ll discuss the key components of Velociraptor, and how it can be leveraged to improve endpoint security and visibility and facilitate rapid response to large networks.

Segment Resources:
Please visit our documentation site where you can learn about Velociraptor https://docs.velociraptor.app/

Guest(s)

Mike Cohen

Mike Cohen – Digital Paleontologist at Rapid7

@scudette

Mike is a digital forensic researcher and senior software engineer. He has been building cutting edge open source digital forensic software for over 2 decades. In 2018 Mike founded the Velociraptor project – an advanced open source endpoint visibility platform. Mike has joined Rapid 7 in 2021 to continue work on velociraptor and the wider open source DFIR community.

Wes Lambert

Wes Lambert – Principal Engineer at Security Onion Solutions

@therealwlambert

Wes Lambert is a Principal Engineer at Security Onion Solutions, where he helps companies to implement enterprise security monitoring solutions and better understand their computer networks.

Hosts

DougWhite

Doug White

@dougwhitephd

Professor at Roger Williams University

LarryPesce

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. Nzyme – Paul Asadoorian & Larry Pesce – 07:00 PM-07:45 PM

Announcements

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!

    Keynotes from Alyssa Miller, John Strand, Lesley Carhart, & Dave Kennedy!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

Description

In this segment Paul and Larry attempt to confirm or deny that Nzyme performs intelligent device fingerprinting and behavioral analytics to detect rogue actors. Classic signature-based detection methods are just too easy to circumvent in WiFi environments.

Slides: https://securityweekly.com/wp-content/uploads/2021/09/Nzyme-TechSegment-Sept2021.pdf

Hosts

DougWhite

Doug White

@dougwhitephd

Professor at Roger Williams University

LarryPesce

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

3. Renting Your Phone, Public-Key Explained, Toilet Identification, & AutoDiscover Bug – 08:00 PM-09:30 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

This week in the Security News: What to do with your old hardware, renting your phone, “persistently execute system software in the context of Windows”, sensational headline: ransomware could cause a food shortage, could someone please schedule the year of the Linux desktop?, public-key crypto explained?, malware attacks Windows through Linux, Microsoft Exchange AutoDiscover bug leaks 100k creds, and toilets that can identify you, er, from the bottom… & more!

Hosts

DougWhite

Doug White

@dougwhitephd

Professor at Roger Williams University

  1. VMware Warns of Ransomware-Friendly Bug in vCenter Server
  2. Google Report Spotlights Controversial ‘Geofence Warrants’ by Police
  3. iOS 15 launches with 22 documented security patches – including a Face ID bypass using a “3D model”
JoffThyer

Joff Thyer

@joff_thyer

Security Analyst at Black Hills Information Security

LarryPesce

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

  1. ASSET Research Group: BrakTooth
  2. Millions of iPhones, TVs and other devices could go offline next week — here’s why
LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. Microsoft Exchange Autodiscover bugs leak 100K Windows credentials – Bugs in the implementation of Microsoft Exchange’s Autodiscover feature have leaked approximately 100,000 login names and passwords for Windows domains.
    Researchers say organizations are unknowingly leaking their employees’ email passwords due to a design flaw in the widely used “Autodiscover” feature found in Microsoft Exchange that is designed to allow companies to host their own email servers and set up apps on phones or computers using only an employee’s email address and password. According to researchers, while the majority of apps search for the configuration file on a company’s domain, in instances where apps cannot find the configuration file, they will “fail up” somewhere else on the same domain, leaving users to deal with the problem.
  2. Dark web prices drop for credit cards but soar for PayPal accounts – Overall, average prices for credit cards fell this year by 27% compared with a similar study conducted eight months ago. For 2021, the price of a PayPal account rose by 194% compared with the study from eight months ago. Based on Comparitech’s research, the average price of a PayPal account on the dark web is $196.50, with an average account balance of $2,133.61.
  3. Customer Care Giant TTEC Hit By Ransomware – Krebs on Security – TTEC answers customer support calls on behalf of a large number of name-brand companies, like Bank of America, Best Buy, Credit Karma, Dish Network, Kaiser Permanente, USAA and Verizon.
  4. Ransomware gang strikes Iowa agriculture business New Cooperative, the latest hack on food supply chain – CyberScoop – Earlier this year Biden asked Russia to steer clear of 16 critical sectors of the U.S. Economy. Among those is “food and agriculture.” The BlackMatter group, which is behind the Iowa attack, is claiming that the volume of production from their victims doesn’t meet the definition of critical.
  5. Zero-click RCE vulnerability in Hikvision security cameras could lead to network compromise – A researcher using the moniker “Watchful IP” says that he or she has uncovered an unauthenticated, zero-click remote code execution (RCE) vulnerability (CVE-2021-36260) impacting Hikvision’s popular Internet of things (IoT) security camera that could be exploited by unauthenticated attackers to obtain full control over targeted devices and possibly internal networks.
  6. A zero-day flaw allows to run arbitrary commands on macOS systems – Security researchers disclosed a new zero-day flaw in Apple’s macOS Finder that can allow attackers to run arbitrary commands on Macs.
  7. Two-thirds of cloud attacks could be stopped by checking configurations, research finds – Two-thirds of cloud security incidents could have been avoided if the configuration of apps, databases, and security policies were correct.
  8. Chainalysis in Action: OFAC Sanctions Russian Cryptocurrency OTC Suex that Received Over $160 million from Ransomware Attackers, Scammers, Darknet Markets, and Seized Exchange BTC-e – Today, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) announced that Russia-based cryptocurrency Over The Counter (OTC) broker Suex was designated pursuant to Executive Order 13694 and added to the Specially Designated Nationals and Blocked Persons (SDN) List, thereby prohibiting Americans from doing business with the company.
  9. High-tech car theft ring busted; Bronx-based conspiracy forged electronic keys, reprogrammed vehicle computers – A band of high-tech car thieves used the Bronx as a staging area to steal hundreds of vehicles from New Yorkers trapped indoors during the pandemic, using bootleg computer code to spoof car owners’ electronic keys, authorities said.

    State Attorney General Letitia James and the NYPD announced Tuesday they’d dismantled the ring and busted 10 suspects on a 303-count indictment.

  10. Travel Themed Phishing URLs Set to Prey on Eager Travelers – Increase in Travel-Themed Phishing email and URLs. Unit 42 tracked increase which attempts to lure lockdown weary travelers as restrictions are easing.
  11. Probe launched into Afghan interpreter data breach – More than 250 people seeking relocation to the UK – many of whom are in hiding – were mistakenly copied into an email from the Ministry of Defence, potentially compromising their email addresses. OPSEC is important.
  12. BrakTooth: New Bluetooth Vulnerabilities Could Affect Millions of Devices – A group of researchers with the Singapore University of Technology and Design have disclosed a family of 16 new vulnerabilities that affect commercial Bluetooth.
PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. Scientists Working on Toilet That Identifies You by Your Butthole – Privacy please: “Take the Stanford School of Medicine, where The Wall Street Journal reports that researchers are developing a scanner that can recognize the user’s unique “anal print,” or “distinctive features of their anoderm,” meaning the skin of the anal canal. To pull it off, they installed a camera inside a toilet bowl and used machine learning algorithms to match stool samples to specific, uh, users. The system could even calculate “the flow rate and volume of urine using computer vision as a uroflowmeter,” according to the researchers’ 2020 paper.”
  2. Google Chrome 94 arrives with controversial Idle Detection API
  3. Busting the Myths Surrounding Password-Based Security
  4. New Special Forces e-Bikes are Really Just Motorcycles
  5. Out with the Old – The Hacker Factor Blog – “Another option is to give the drive a hard tap, but that doesn’t always work. Usually this means opening the box, pulling the hard drive, and tapping the drive gently. Personally, I wasn’t feeling that patient. Instead, I intentionally dropped the 30 lbs desktop computer a few inches onto some cardboard. The cardboard protected the floor, while the drop gave it a sharp tap. Then I turned it on.” – Too funny!
  6. CVE-2021-40847 flaw in Netgear SOHO routers could allow remote code execution – Here we are in 2021 still talking about secure update protocols for IoT devices: “The daemon connects to Circle and Netgear to obtain version information and updates to the circled daemon and its filtering database. Experts noticed that database updates from Netgear are unsigned and downloaded via Hypertext Transfer Protocol (HTTP), allowing the attacker to carry out a MitM attack on the device.”
  7. FamousSparrow APT Wings in to Spy on Hotels, Governments
  8. Mirai botnet exploiting Azure OMIGOD vulnerabilities
  9. Security failure, 13 ways to avoid one and why security programs often fail
  10. New MacOS Zero-day Vulnerability Was Recently Discovered
  11. This day in history – “15yrsago Rented AT&T home phone cost elderly woman $2,000 over 40 years” – https://usatoday30.usatoday.com/news/offbeat/2006-09-14-phone_x.htm
  12. How the Mafia Is Pivoting to Cybercrime – Turns out they use it just like other cyber criminals, maybe they are just more organized about it?
  13. FBI decryption key decision explained, what to know – CyberTalk
  14. Nagios XI vulnerabilities open enterprise IT infrastructure to attack – Help Net Security
  15. Microsoft Exchange Bug Exposes ~100,000 Windows Domain Credentials
  16. 100M IoT Devices Exposed By Zero-Day Bug – “Researchers at Guardara used their technology to find a zero-day vulnerability in NanoMQ, an open-source platform from EMQ that monitors IoT devices in real time, then acts as a “message broker” to deliver alerts that atypical activity has been detected. EMQ’s products are used to monitor the health of patients leaving a hospital, to detect fires, monitor car systems, in smartwatches, in smart-city applications and more.”
  17. A New Bug in Microsoft Windows Could Let Hackers Easily Install a Rootkit – Yikes: “”Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions,” the Windows maker notes in its documentation. “In particular, WPBT solutions must not include malware (i.e., malicious software or unwanted software installed without adequate user consent).” The vulnerability uncovered by the enterprise firmware security company is rooted in the fact that the WPBT mechanism can accept a signed binary with a revoked or an expired certificate to completely bypass the integrity check, thus permitting an attacker to sign a malicious binary with an already available expired certificate and run arbitrary code with kernel privileges when the device boots up.”
  18. $5.9 million ransomware attack on farming co-op may cause food shortage – This is a mistake, never negotiate with criminals and expect them to follow rules, even ones they created: “What’s notable about the attack is the company’s insistence that they are critical infrastructure and should therefore be spared as per BlackMatter’s own policy. However, the operators behind BlackMatter disagree with this assessment and are continuing to pursue payment from the victim”
  19. Windowsfx is the Linux distribution Windows users have been looking for – Okay, also, we don’t need Linux to look like Windows (or macOS for that matter). We’re not seeing Linux on the desktop for many reasons, the look and feel are way down on the list if it even makes the list at all. We’ll see Linux on more desktops when: Apple pissed off more of its customer base, Microsoft moves all your apps to the cloud and confused their user base, the Linux kernel driver developers work more closely with most hardware manufacturers, and we settle on a standard, or a few, for making apps for Linux that cross distribution boundaries (like snap, but actually better than snap).
  20. How to Explain Public-Key Cryptography and Digital Signatures to Non-Techies – Somehow, I am more confused than ever, which way does the key turn again?
  21. Malware attacks Windows machines through Windows Subsystem for Linux for the first time – “While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in Virus Total, depending on the sample, as of the time of this writing” and “Since most endpoint agents designed for Windows systems don’t ship with signatures to analyze ELF files, this attack vector could’ve allowed the threat actors to infect a target without any resistance.” If you want to get busy with it: https://linuxhint.com/understanding_elf_file_format/
  22. 2021 Is the Year of Linux on the Desktop – Okay, just because ChromeOS is based on Linux, and many schools use it, does not mean this is the year of the Linux desktop.
TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element