Paul’s Security Weekly Episode #715 – October 21, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Evolution & Maturity of the Cybersecurity Industry – 06:00 PM-06:45 PM

Announcements

  • Join us for our next live webcast on November 4th to learn about Pragmatic Steps to Reduce Your Software Supply Chain Risk. Then join us November 11th to learn the key insights and takeaways from the 2021 OWASP Top Ten. Visit https://securityweekly.com/webcasts to save your seat! Don’t forget to check out our library of on-demand webcasts & technical trainings at https://securityweekly.com/ondemand

Description

The business of security is maturing, moving from an obscure corner of IT to a core concern of the C-suite. How is this transformation happening, and what can we learn from the similar trend that IT itself went through over the last decade?

Guest(s)

Maxime Lamothe-Brassard – CEO at LimaCharlie

@_maximelb

As part of the Canadian Intelligence apparatus, Maxime worked in positions ranging from development of cyber defence technologies through Counter Computer Network Exploitation and Counter Intelligence. Maxime led the creation of an advanced cyber security program for the Canadian government and received several Director’s awards for his service.

After leaving the government, Maxime provided direct help to private and public organizations in matters of cyber defence and spent some time working with CrowdStrike. For the past few years Maxime has also been providing analysis and guidance to major Canadian media organizations. Maxime left Google X – where he was a founding member of Chronicle Security – in 2018 to found LimaCharlie.

Hosts

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

Josh Marpet

@quadling

Executive Director at RM-ISAO

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian

@securityweekly

Founder at Security Weekly

2. Scanning For Default Credentials With Python – 07:00 PM-07:45 PM

Announcements

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!

    Keynotes from Alyssa Miller, John Strand, Lesley Carhart, & Dave Kennedy!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

Description

We’ve been working on a Python project that uses the Nmap Python library to scan the local network, enumerate selected systems and devices, try to log in with default or known credentials, and send a Slack message if it finds anything.

The initial release is here: https://github.com/SecurityWeekly/netslackbot

Download the Python script here: https://github.com/SecurityWeekly/netslackbot (Development will continue, pull requests and forks are encouraged!)
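As an added example (not the netslackbot project’s own code), here is the scan, enumerate, try-default-credentials, alert-Slack loop from the description in skeleton form. The scan-result shape is the one python-nmap returns (`nm[host]['tcp'][port]`), but the credential list, the CIDR, the webhook URL and the sample devices are placeholders, and the live login attempt is injected as a callable so the module runs offline against a constructed scan result. Two caveats a practitioner wants here are built in: the HTTP checker first confirms the target actually demands authentication (a 200 on an open page is not a successful login), and the alert reports the username only, because a chat channel is not where a working password belongs. Keep the attempt count low; guessing against real accounts can trigger lockouts, and only run the live scan on a network you are authorized to test.

```python
"""Added example, not the netslackbot project's own code: a skeleton of the
scan -> enumerate -> try default creds -> alert Slack loop described above.
Assumes python-nmap (pip install python-nmap) plus an nmap binary for the live
scan; the credential list, CIDR and webhook URL are placeholders."""
import json
import urllib.error
import urllib.request
from base64 import b64encode

# Placeholder default credentials keyed by nmap's service name (a real run would
# load a vendor list). Keep it short: guessing against real accounts can trigger
# lockouts, which is an outage of your own making.
DEFAULT_CREDS = {
    "http": [("admin", "admin"), ("admin", "password"), ("root", "root")],
    "ssh": [("root", "root"), ("pi", "raspberry")],
    "telnet": [("admin", "admin"), ("root", "")],
}

def run_scan(cidr, ports="22,23,80,443"):
    """Live scan; returns {host: nm[host]} in python-nmap's own shape
    (nm[host]['tcp'][port] -> {'state': ..., 'name': ...}). Imported lazily so
    the rest of the module works without nmap installed."""
    import nmap  # python-nmap
    nm = nmap.PortScanner()
    nm.scan(hosts=cidr, ports=ports, arguments="-sV --open")
    return {h: nm[h] for h in nm.all_hosts()}

def select_targets(scan, services=DEFAULT_CREDS):
    """Reduce the scan to (host, port, service) for open ports we have creds for."""
    targets = []
    for host, data in scan.items():
        for port, info in data.get("tcp", {}).items():
            if info.get("state") == "open" and info.get("name") in services:
                targets.append((host, int(port), info["name"]))
    return targets

def _http_status(req, timeout):
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None

def http_basic_check(host, port, service, user, password, timeout=5.0):
    """Real HTTP Basic checker. It first confirms the target demands auth at all
    (no header -> 401); otherwise a 200 on an open page would look like a hit."""
    url = f"{'https' if port == 443 else 'http'}://{host}:{port}/"
    if _http_status(urllib.request.Request(url), timeout) != 401:
        return False
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    status = _http_status(req, timeout)
    return status is not None and 200 <= status < 300

def try_defaults(targets, checkers, max_attempts=3):
    """checkers maps service -> callable(host, port, service, user, password) -> bool.
    At most max_attempts pairs per target, stopping at the first hit."""
    hits = []
    for host, port, service in targets:
        check = checkers.get(service)
        if check is None:
            continue
        for user, pw in DEFAULT_CREDS[service][:max_attempts]:
            if check(host, port, service, user, pw):
                hits.append((host, port, service, user))
                break
    return hits

def slack_payload(hits):
    """Incoming-webhook body. Reports the username only: a chat channel is not
    the place to park a working password."""
    if not hits:
        return {"text": "netslackbot: no default credentials found"}
    lines = [f"- {h}:{p} ({s}) accepts a default login for user `{u}`" for h, p, s, u in hits]
    return {"text": "netslackbot: default credentials found\n" + "\n".join(lines)}

def post_to_slack(webhook_url, payload, timeout=5.0):
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status

# Constructed sample in python-nmap's result shape, and a stand-in checker on
# which only the made-up device 192.0.2.10 accepts admin/admin.
SAMPLE_SCAN = {
    "192.0.2.10": {"tcp": {80: {"state": "open", "name": "http"}, 22: {"state": "closed", "name": "ssh"}}},
    "192.0.2.11": {"tcp": {23: {"state": "open", "name": "telnet"}, 443: {"state": "open", "name": "https"}}},
}

def fake_checker(host, port, service, user, password):
    return (host, port, user, password) == ("192.0.2.10", 80, "admin", "admin")

if __name__ == "__main__":
    # Offline demo. For a live run (only on a network you are authorized to test):
    # select_targets(run_scan("192.168.1.0/24")), checkers={"http": http_basic_check},
    # then post_to_slack(WEBHOOK_URL, payload).
    found = try_defaults(select_targets(SAMPLE_SCAN), {"http": fake_checker, "telnet": fake_checker})
    print(json.dumps(slack_payload(found), indent=2))
```

The only checker implemented for real is HTTP Basic; SSH and Telnet checkers plug into the same `checkers` dict, and a service without a checker is skipped rather than guessed at.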

Hosts

Jeff Man (@MrJeffMan), Josh Marpet (@quadling), Larry Pesce (@haxorthematrix), Lee Neely (@lelandneely), Paul Asadoorian (@securityweekly)

3. Wild Hippos, Chrome FTP, L0phtCrack Is Open-Source, Win 11 Pentium, & Legacy Systems – 08:00 PM-09:30 PM

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

  • Starting the week of October 25th, we will be live streaming Paul’s Security Weekly on Wednesday nights from 6pm-9pm ET & Enterprise Security Weekly on Thursday afternoons from 3pm-4:30pm ET. You can view our live stream schedule at any time at https://securityweekly.com/live!

Description

This week in the Security News: More security advice for non-profits, faster 0-day exploits, ban all the things, you are still phishable, how to treat security researchers, what the heck is cyber hygiene?, Gummy browsers, the Internet is safe now, a particular kind of crack is open-source, sysmon: Now for Linux, Windows 11 and lies, and cocaine Hippos!

Hosts

Jeff Man (@MrJeffMan)

Joff Thyer

@joff_thyer

Security Analyst at Black Hills Information Security

Josh Marpet (@quadling)

Larry Pesce (@haxorthematrix)

  1. Sinclair Broadcast Group hit by ransomware attack
  2. Ferrara Candy factory gets hacked slowing candy corn production
  3. vscode.dev Visual Studio Code for the Web
  4. CVE – CVE-2021-42340
  5. Dutch forensic lab says it has decoded Tesla’s driving data
Lee Neely (@lelandneely)

  1. VPN Provider’s Misconfiguration Exposes One Million Users – At least one million users of a Chinese-run VPN service have had their personally identifiable information (PII) exposed due to a misconfigured Elasticsearch
  2. 83% of ransomware victims paid ransom: Survey – A new survey of 300 US-based IT decision-makers found that 64% have been victims of a ransomware attack in the last 12 months, and 83% of those attack victims paid the ransom demand.
  3. Zerodium wants zero-day exploits for Windows VPN clients – In a short tweet today, exploit broker Zerodium said that it is looking to acquire zero-day exploits for vulnerabilities in three popular virtual private network (VPN) providers: NordVPN, ExpressVPN, and SurfShark VPN.
Paul Asadoorian (@securityweekly)

  1. Malicious NPM Packages Caught Running Cryptominer On Windows, Linux, macOS Devices – We seem to be getting better at identifying these: “The bad actor’s NPM account has since been deactivated, and all three libraries, which were downloaded 112, 4, and 65 times respectively, have been removed from the repository as of October 15, 2021.”
  2. Microsoft Launches Security Program for Nonprofits – Again, this sounds like more of pointing out the problems, not the hard work of helping them fix the problems: “Nonprofits will also have access to free security assessments to help them understand the flaws in their endpoints, identity access, infrastructure, network, and data. The goal here is to help them create a remediation plan to protect their environments.”
  3. Attackers Weaponizing Zero-Days at Record Pace – “Cybercriminals exploited a new remote code execution (RCE) zero-day, CVE-2021-40444, a week before a patch was released in September—that’s just one of the recent findings in a report by HP Wolf Security. On September 10, researchers discovered scripts on GitHub that automated the creation of the exploit, which ostensibly means that even less-savvy attackers can use it in their malicious actions, according to the company’s Quarterly Threat Insights Report.” (Ref: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444) – Curious how they are doing this.
  4. 5 Reasons the Public Sector Must Move Away From Legacy IT – There is A LOT of legacy IT out there: “The Government Accounting Office (GAO) in the United States analyzed 65 federal legacy systems and revealed the 10 most critical systems were eight to 51 years old. In response, the U.S. government plans to spend over $100 billion this year on IT; most of that will go toward maintaining those older systems.” – How do we tackle this problem?
  5. U.S. Ban on Sales of Cyberattack Tools Is Anemic, Experts Warn – I don’t believe we can regulate our way out of this problem: “Chris Clements, with Cerberus Sentinel, isn’t convinced the efforts will make much of a dent in attacks. “First, some of the biggest purveyors of such software are based outside the U.S. where the regulation may not affect them,” Clements said. “Second, many of the most used tools are open source in nature, and it isn’t clear to me how these rules will impact their distribution.” He added, “Even if common open-source hosting organizations such as GitHub or GitLab were to enact GeoIP restrictions on the download of such designated intrusion software, it would seem trivial for a banned nation to simply VPN through a common VPN provider to bypass such restrictions.””
  6. Why Is the Majority of Our MFA So Phishable? – “Unfortunately, most MFA users can be tricked into revealing their MFA codes or into letting an attacker steal their access control token by simply clicking on the wrong link sent in a phishing email. The link sends the victim to a “proxy” server that then links the victim to the legitimate destination server the victim thought they were going to in the first place. But the proxy server is now capturing everything sent from the legitimate destination server to the victim; and vice-versa. This includes any login information: login name, password and any provided MFA codes. The attacker can even capture the resulting access control token cookie, which allows the attacker to take over the victim’s session.” – I don’t believe MFA really prevents phishing attacks, I see it as helping prevent password brute-forcing and credential stuffing attacks.
  7. Windows Exploitation Tricks: Relaying DCOM Authentication
  8. Congratulations to the Top MSRC 2021 Q3 Security Researchers! – “Congratulations to all the researchers recognized in this quarter’s MSRC Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.” – Did you see this Apple? This is how it’s done, recognition and respect for security researchers go a long way. Good job Microsoft!
  9. Many organizations lack basic cyber hygiene despite high confidence in their cyber defenses – What is basic cyber hygiene? Also, this is interesting and not talked about enough: “Detecting stolen credentials and resetting them before criminals can use them to infiltrate corporate networks is the most direct path to fighting ransomware before criminals can gain a foothold.”
  10. A New Type of Cyberattack Developed by Researchers: Gummy Browsers Attack – Really interesting: “The ‘Gummy Browsers’ attack is the process of capturing a person’s fingerprint by making them visit an attacker-controlled website and then using that fingerprint on a target platform to spoof that person’s identity.” Better reference: https://www.bleepingcomputer.com/news/security/new-gummy-browsers-attack-lets-hackers-spoof-tracking-profiles/
  11. New Linux kernel memory corruption bug causes full system compromise – Extremely technical write-ups linked in this article (you may have to read The Linux Programming Interface book first: https://man7.org/tlpi/) – One highlight I found interesting (and could actually understand): “memory corruption is a big problem because small bugs even outside security-related code can lead to a complete system compromise” (From Haroon’s paper https://thinkst.com/resources/papers/38_Paper.pdf : “Memory corruption exploitation refers to the class of attacks that rely on one’s ability to hijack the execution flow of a program by corrupting the application’s memory space through a number of different possible attack vectors. The two most popular techniques of stack and heap based exploitation are discussed below.”)
  12. How Psychology Can Save Your Cybersecurity Awareness Training Program – So the solution is to do this: “People are clever and like to work things out for themselves. Ensure your awareness program takes this into account and does not patronize employees, nor make things needlessly difficult.” (Make it a game, not too hard, but not too easy) and “Short and more frequent topics can be better than lengthy training sessions which take up several hours.” (Break up the materials and exercises into smaller chunks) and “Part of creating a culture of cybersecurity involves removing the stigma associated with the fear that comes with having to report a mistake.” (Don’t punish your users) – My take: This is the same stuff we’ve been evangelizing and using for years. The fact remains that people still fall for phishing attacks and scams, so it’s really NOT working… Also, love you Jaavid!
  13. Google strips FTP code from Chrome – Whew, we are all saved now and the Internet is secure…
  14. Mudge on Twitter: As of version 7.2 L0phtcrack is now open source. – I was hoping to find swears and interesting stuff in the comments; on a quick glance I could not, but they did create a Hashcat shared library, which is neat.
  15. Pablo Escobar’s Cocaine Hippos Are Legally People, Court Rules – “All was well until the hippos started fucking. Now, there are up to 120 hippos roaming around Colombia, and they are considered one of the top invasive species in the world. Authorities have weighed a plan to kill the hippos off and on since 2009, and it’s recently gained steam.” and then “Last July, Colombian attorney Luis Domingo Gómez Maldonado filed a lawsuit on the hippos’ behalf to save them from being euthanized. Instead, the case recommends sterilization. Colombian officials announced a plan to use a chemical contraceptive developed by the U.S. Agriculture Department to sterilize “the main group” of the hippos, and the region’s environmental agency Cornare began to implement the plan on Friday, darting 24 hippos.” and somehow: ““So we applied for the hippos’ rights to compel their testimony in order to support the Colombian litigation, and now the [U.S. District Court for the Southern District of Ohio] has granted that application, recognizing that the hippos are interested persons.” This may seem like a minor and incremental step in the hippos’ court proceedings. But the implications of this decision could be huge. In granting this application, the district court recognized animals as legal persons for the first time in U.S. history.”
  16. Microsoft launches open source Linux version of system monitoring utility Sysmon
  17. Sinclair TV stations crippled by weekend ransomware attack
  18. WinRAR’s vulnerable trialware: when free software isn’t free
  19. FontOnLake malware infects Linux systems via trojanized utilities
  20. Hackers are disguising their malicious JavaScript code with a hard-to-beat trick
  21. No New PC Needed: Windows 11 Runs on a 15-Year-Old Intel Pentium 4 Chip