Paul’s Security Weekly Episode #718 – November 10, 2021

1. Stalkerware Capabilities in the Real World – 04:00 PM-04:45 PM

Announcements

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista! Keynotes from Alyssa Miller, John Strand, Lesley Carhart, Dave Kennedy, & Maril Vernon! Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

Description

Can using technology put your personal safety at risk? Tracking information can be shared with attackers and facilitate cyberstalking in several ways, including keylogging and screen sharing. This segment explores recent court cases and investigations, and attendees will learn what resources can help individuals experiencing digital abuse at the hands of a technical adversary.

Guest(s)

Lodrina Cherne

Lodrina Cherne – Principal Security Advocate at Cybereason

Lodrina Cherne is a champion for security in the digital forensics and cybersecurity industries. As Principal Security Advocate at Cybereason, she drives innovation and development of best practices related to cybersecurity standards and policy. Cherne is also a Certified Instructor at the SANS Institute where she helps information security professionals advance their foundational understanding of digital forensics. Cherne has earned a bachelor’s degree in Computer Science from Boston University and is an Aspen Tech Policy Hub Fellow.

Martijn Grooten

Martijn Grooten – Coordinator at Coalition Against Stalkerware

@martijn_grooten

Martijn Grooten, a former mathematician, has been working in IT security for 14 years. He was previously the Editor of Virus Bulletin and currently works as a consultant on a number of projects, many of which deal with supporting vulnerable people and groups with digital security. He is head of threat intel research at Silent Push, part of the team that built the Ford Foundation’s Cybersecurity Assessment Tool, a fellow at the Civilsphere Lab and a Coordinator at the Coalition Against Stalkerware.

Hosts

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

Josh Marpet

@quadling

Executive Director at RM-ISAO

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

Paul Asadoorian

@securityweekly

Founder at Security Weekly

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. MAVSH – 05:00 PM-05:45 PM

Description

Over the course of 2020 and 2021, new UAV regulations and restrictions, such as Remote Identification, have threatened UAV hobbyists’ ability to fly freely. These new regulations did leave hobbyists with one loophole: building a sub-250g quad. After this realization, I set out to build a sub-250g quad which can be flown for fun, or as one of the first remotely accessible war-flying devices.

Segment Resources:

http://mav.sh/

https://github.com/0xkayn/Valkyrie

https://www.youtube.com/watch?v=CJZ2gCLopyU

Guest(s)

Sachin Mahajan

Sachin Mahajan – Developer Intern at InGuardians

@0xkayn

Sach is a self-taught developer, an aspiring pentester, and a drone enthusiast. In his spare time he enjoys playing chess, reading sci-fi novels, learning about cryptocurrencies, and flying drones.

Hosts

Paul Asadoorian

@securityweekly

Founder at Security Weekly

3. TIPC Kernel Vulns, SBDCs, Truckloads of GPUs, & Hardcoded SSH Keys – 08:00 PM-09:30 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

This week in the Security News: NPM hijacked again, hardcoding your keys, PAN-0day, more Nmap in your Python or Python in your Nmap, put your Docker API to rest, BusyBox will own your box, Microsoft says it’s a feature not a vulnerability, SBDCs, TIPC Linux kernel vulnerability, patches that don’t fix everything, truckloads of GPUs, and testing if you’re high!

Hosts

Josh Marpet

@quadling

Executive Director at RM-ISAO

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

  1. GHSA-g2q5-5433-rhrf – GitHub Advisory Database
  2. Popular NPM package UA-Parser-JS poisoned with cryptomining, password-stealing malware
  3. Popular ‘coa’ NPM library hijacked to steal user passwords
  4. Full Disclosure: The Knights of NYNEX presents: Song of the siren
  5. 4 Tips on How Small to Midsize Businesses Can Combat Cyberattacks
  6. Hardcoded SSH Key in Cisco Policy Suite Lets Remote Hackers Gain Root Access

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. How THC “breathalyzers” work, and why some experts say they’re flawed – “This new test, called EPOCH (Express Probe for On-site Cannabis Inhalation) instead works by collecting and concentrating your saliva to evaluate it for current levels of THC. It evaluates whether or not THC levels are above one nanogram of THC per milliliter of saliva within a twelve-hour consumption window.” Also, there’s an app for that: “By reacting to different game-like stimuli from DRUID, the app determines if a user has impaired response time, coordination, or balance — signs of impairment that could be deadly when driving or operating heavy machinery.”
  2. Debunking Five Myths About Zero-Trust
  3. Pythonizing Nmap – Interesting usage of subprocess with shlex to run Nmap from within a Python script. Awesome write-up and examples, a must read.
  4. Types of Penetration Testing – Network, web app, red team and social engineering are the types. Really? The rabbit hole goes deeper.
  5. Massive Zero-Day Hole Found in Palo Alto Security Appliances – “The vulnerability chain consists of a method for bypassing validations made by an external web server (HTTP smuggling) and a stack-based buffer overflow. It affects Palo Alto firewalls running the 8.1 series of PAN-OS with GlobalProtect enabled (specifically versions < 8.1.17). Exploitation of the vulnerability chain has been proven and allows for remote code execution on both physical and virtual firewall products. Publicly available exploit code does not exist at this time. Patches are available from the vendor.”
  6. Hacking the Sony Playstation 5 – Schneier on Security
  7. Shadow IT Makes People More Vulnerable to Phishing – Neat phishing trick!
  8. Hackers Target Docker Servers That Are Not Well Configured – “In the beginning, by means of an accessible Docker REST API a container will be created on the susceptible host;” – Really, just don’t do this. NEVER expose the Docker REST API to the Internet, unless you want to run a honeypot.
  9. Unboxing BusyBox – 14 new vulnerabilities uncovered by Claroty and JFrog – “All vulnerabilities were privately disclosed and fixed by BusyBox in version 1.34.0, which was released Aug. 19.” – It will be a long time, and for some never, before these fixes are pushed to firmware projects and products. However, these do not appear to be very impactful: “The DoS vulnerabilities are trivial to exploit, but the impact is usually mitigated by the fact that applets almost always run as a separate forked process. The information leak vulnerability is nontrivial to exploit (see, next section). The use-after-free vulnerabilities may be exploitable for remote code execution, but currently we did not attempt to create a weaponized exploit for them. In addition, it is quite rare (and inherently unsafe) to process an awk pattern from external input.”
  10. Cisco Talos finds 10 vulnerabilities in Azure Sphere’s Linux kernel, Security Monitor and Pluton – hrmmm: “We thank Cisco Talos for sharing their continued research into Azure Sphere, which first started during the Azure Sphere Security Research Challenge in 2020. After reviewing the findings on TALOS-2021-1341 and TALOS-2021-1344, Microsoft believes the approach described is implemented by design and does not present a security risk to customer production environments.”
  11. Organizations believe they are ready for ransomware attacks – Help Net Security
  12. US House Passes Acts to Help SMBs with Cybersecurity – Interesting: “The Small Business Development Center Cyber Training Act would establish a cyber counseling certification program at Small Business Development Centers (SBDCs) so that they can better assist small businesses with their cybersecurity and cyber-strategy needs.”
  13. US bans trade with security firm NSO Group over Pegasus spyware (updated) – “The US Commerce Department has added NSO to its Entity List, effectively banning trade with the firm. The move bars American companies from doing business with NSO unless they receive explicit permission. That’s unlikely, too, when the rule doesn’t allow license exceptions for exports and the US will default to rejecting reviews. NSO and fellow Israeli company Candiru (also on the Entity List) face accusations of enabling hostile spying by authoritarian governments. They’ve allegedly supplied spyware like NSO’s Pegasus to “authoritarian governments” that used the tools to track activists, journalists and other critics in a bid to crush political dissent. This is part of the Biden-Harris administration’s push to make human rights “the center” of American foreign policy, the Commerce Department said.”
  14. Critical RCE Vulnerability Reported in Linux Kernel’s TIPC Module – “While TIPC itself isn’t loaded automatically by the system but by end users, the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation makes this a dangerous vulnerability for those that use it in their networks,”
  15. Two NPM Packages With 22 Million Weekly Downloads Found Backdoored – “The two libraries in question are “coa,” a parser for command-line options, and “rc,” a configuration loader, both of which were tampered by an unidentified threat actor to include “identical” password-stealing malware.”
  16. Yes, a literal truck heist over GPUs did just happen – “The post takes care to warn people about purchasing any of these cards that surface, as EVGA has listings of the serial numbers involved. So trying to register the warranty for any of these cards won’t work and may get you a visit from authorities. If you can register a card warranty, that’s a clear sign that your GPU is clean. It’s a better idea than ever to check the serial number before buying off Craigslist at the moment.” – heh, criminals won’t care if it’s stolen, nor would they ever register for the warranty.
  17. Hardcoded SSH Key in Cisco Policy Suite Lets Remote Hackers Gain Root Access – There is a vulnerability in SSH, but also: “Cisco Policy Suite Releases 21.2.0 and later will also automatically create new SSH keys during installation, while requiring a manual process to change the default SSH keys for devices being upgraded from 21.1.0.” An important step, changing your keys, which should be automated in the first place. Also, if this allows access to the traffic (or not), it’s a great place to hide: “Also addressed by Cisco are multiple critical vulnerabilities affecting web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) that could enable an unauthenticated, remote attacker to log in using an inadvertent debugging account existing in the device and take over control, perform a command injection, and modify the configuration of the device.”
  18. How to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus – Patches didn’t fix everything: “None of the public analysis of this vulnerability mentions a Java class upload. The CISA report also mentions that “Subsequent requests are then made to different API endpoints to further exploit the victim’s system.” which is not the case here. Chances are in-the-wild attackers made use of another exploitation path. Anyway, the patch applied by ManageEngine only fixes the path traversal issue. While actually preventing our exploitation, this leaves opened the file upload and parameter injection issues for future use.”

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element