Paul’s Security Weekly Episode #722 – December 22, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Lock Picking & Physical Security – 06:00 PM-06:45 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

Many of us, myself included, learned lock picking techniques from Deviant. He comes on the show to talk about physical security in a pandemic, how to train for lock picking and physical security assessments, share some war stories and more!

Guest(s)

Deviant Ollam

Deviant Ollam – Physical Penetration Specialist at Red Team Alliance

@deviantollam

While paying the bills as a physical penetration specialist with The CORE Group and the Director of Education for Red Team Alliance, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. His books Practical Lock Picking and Keys to the Kingdom are among Syngress Publishing’s best-selling pen testing titles. In addition to being a lockpicker, Deviant is also a SAVTA certified safe technician and GSA certified safe and vault inspector. At multiple annual security conferences Deviant started Lockpick Village workshop areas, and he has conducted physical security training sessions for Black Hat, the SANS Institute, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, the National Defense University, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point.

In his limited spare time, Deviant enjoys loud moments with lead acceleration and quiet times with podcasts. He arrives at airports too early and shows up at parties too late, but will promptly appear right on time for tacos or whiskey.

Hosts

Doug White

@dougwhitephd

Professor at Roger Williams University

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

Josh Marpet

@quadling

Executive Director at RM-ISAO

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian

@securityweekly

Founder at Security Weekly

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. The State Of Internet Exposed Services – 07:00 PM-07:45 PM

Announcements

  • We had an absolute blast putting together this year’s SW Unlocked virtual event! All presentations are now available on-demand for your viewing pleasure. Please visit https://securityweekly.com/unlocked to register and watch now!

Description

John joins us to talk about what it's like to run scans of the Internet on a regular basis. We’ll talk about some trends, such as what is more exposed, what is less exposed, and how select segments of devices impact the security of the Internet, such as printers, medical devices, SMB, RDP and more!

Guest(s)

John Matherly

John Matherly – Founder at Shodan

@achillean

John Matherly is an Internet cartographer, engineer and founder of Shodan, the world’s first search engine for Internet-connected devices. He has been at the forefront of the Internet of Things for the past 10 years and his research has been covered on CNN, Bloomberg, the Washington Post and many other outlets. Prior to Shodan, John received a bachelor's degree in bioengineering and worked as a software engineer on bioinformatics applications.

Hosts

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

Josh Marpet

@quadling

Executive Director at RM-ISAO

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian

@securityweekly

Founder at Security Weekly

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

3. Zip Tie Pick, Wifi/Bluetooth Bugs, Domain Controllers, & Beetle Behavior – 08:00 PM-09:30 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Join us January 20th to learn how to build your own security lab at home! Don’t forget to check out our library of on-demand webcasts & technical trainings at https://securityweekly.com/ondemand.

Description

The greatest exploit in the world, throw some more logs on the log4j fire, lock picking with a zip tie, hacking metal detectors, please disclose your vulnerabilities here, bugs in Wifi and Bluetooth have an interesting relationship, not-so-secret backdoors, taking over domain controllers, and interesting precopulatory behavior in darkling beetles!

Hosts

Doug White

@dougwhitephd

Professor at Roger Williams University

Joff Thyer

@joff_thyer

Security Analyst at Black Hills Information Security

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. Google Says NSO Pegasus Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen’ – After thoroughly reviewing the “FORCEDENTRY” iPhone exploit, researchers at Google’s Project Zero say they have uncovered a never-before-seen “hacking roadmap” that includes a PDF file that appears to be a GIF image loaded with a custom-coded virtual CPU constructed out of “Boolean pixel operations.” According to Google’s Ian Beer and Samuel Groß, “We assess this to be one of the most technically sophisticated exploits we’ve ever seen.” According to Google, after receiving an exploit sample from Citizen Lab, it collaborated with Apple’s Security Engineering and Architecture (SEAR) group to perform a technical analysis, which revealed a high degree of technical sophistication in an exploit that was sold to governments worldwide.
  2. Bad things come in threes: Apache reveals another Log4J bug – Third major fix in ten days is an infinite recursion flaw.
    CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is version 2.17.0 of Log4j.
  3. Conti ransomware uses Log4j bug to hack VMware vCenter servers – The “Conti” ransomware gang has been spotted exploiting the Log4j vulnerability (CVE-2021-44228) in order to obtain “rapid” access to targeted organizations’ internal VMware vCenter Server instances and encrypt virtual machines.
  4. TellYouThePass ransomware revived in Linux, Windows Log4j attacks – Malicious actors have brought back an old and almost-retired malware family known as TellYouThePass, using it to target Linux and Windows devices vulnerable to the critical remote code execution vulnerability in the Apache Log4j library (CVE-2021-44228)
  5. Log4j vulnerability now used to install Dridex banking malware – Malicious actors have been spotted exploiting the Log4j vulnerability (CVE-2021-44228) in order to infect targeted Linux devices with “Meterpreter” and Windows devices with the “Dridex” banking Trojan.
  6. Clop ransomware gang is leaking confidential data from the UK police – The Clop ransomware gang stole confidential data from the UK police and leaked it on the dark web because the victim refused to pay the ransom.

    Researchers say the “Clop” ransomware gang managed to access, steal, and leak “confidential” information belonging to some 13 million individuals, which included data belonging to the U.K. police taken from its police national computer (PNC) system.

  7. FBI: State hackers exploiting new Zoho zero-day since October – The FBI’s Cyber Division has revealed that state-backed APT actors have been actively exploiting the authentication bypass vulnerability (CVE-2021-44515) affecting Zoho’s ManageEngine Desktop Central since at least October 2021 in order to conduct network reconnaissance and move laterally throughout compromised networks.
  8. Mitigating Log4Shell and Other Log4j-Related Vulnerabilities – CISA, the FBI, the NSA, and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory in response to multiple vulnerabilities in Apache’s Log4j software library. Malicious cyber actors are actively scanning networks to potentially exploit CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.
Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. Precopulatory oral sex found in darkling beetles – This is too funny: “As the researchers note, males giving females oral genital stimulation is rare in invertebrates. So they were surprised when they found male darkling desert beetles contacting and orally manipulating female genitalia multiple times prior to copulation.” – Also note there are people who are researching this and having discussions about this topic, presumably with a straight face, which is more than you can say for us…
  2. The Lock-Picker, the Lockmaker, and the Odyssey to Expose a Major Security Flaw – How a $400 grade 1 lock was bypassed with a zip tie: “At about 6 a.m., two hours after he started working on the lock, he pushed his homemade tool through the drain hole, caught the lever, gave a gentle tug, and the lock sprung open. When he reinserted the zip tie and pulled again, it locked. It worked again, and again, and again.”
  3. Vulnerability Spotlight: Vulnerabilities in DaVinci Resolve video editing software could lead to code execution
  4. Walk-Through Metal Detectors Can Be Hacked, New Research Finds – “The vulnerabilities specifically exist in the Garrett iC module, which provides network connectivity to the Garrett PD 6500i or Garrett MZ 6100 walk-through metal detectors commonly used at security checkpoints. An attacker could manipulate this module to remotely monitor statistics on the metal detector, such as whether the alarm has been triggered or how many visitors have walked through. They could also make configuration changes, such as altering the sensitivity level of a device, which potentially poses a security risk to users who rely on these metal detectors.”
  5. China suspends deal with Alibaba for not sharing Log4j 0-day first with the government – Well, the Chinese Government will only use these for good, right? – “The move also comes months after the Chinese government issued new stricter vulnerability disclosure regulations that mandate software and networking vendors affected with critical flaws to disclose them first-hand to the government authorities mandatorily.”
  6. Bugs in billions of WiFi, Bluetooth chips allow password, data theft – Pretty neat! The ability to exploit other chips via shared memory: “Once the researchers achieved code execution on one chip, they could perform lateral attacks on the device’s other chips using shared memory resources. In their paper, the researchers explain how they could perform OTA (Over-the-Air) denial of service, code execution, extract network passwords, and read sensitive data on chipsets from Broadcom, Cypress, and Silicon Labs.”
  7. A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution – This is amazing: “JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as Javascript, but it’s fundamentally computationally equivalent.”
  8. Windows 10 21H2 adds ransomware protection to security baseline
  9. Secret Backdoors Found in German-made Auerswald VoIP System – “Two backdoor passwords were found in the firmware of the COMpact 5500R PBX,” researchers from RedTeam Pentesting said in a technical analysis published Monday. “One backdoor password is for the secret user ‘Schandelah’, the other can be used for the highest-privileged user ‘admin.’ No way was discovered to disable these backdoors.” – Mr. Potato head, backdoors are not secrets! Well, not any longer…
  10. Exploiting and Mitigating CVE-2021-44228: Log4j Remote Code Execution (RCE) – Sysdig – This is one of the better write-ups, start here if you’ve not done a deep dive into log4j yet.
  11. New Mobile Network Vulnerabilities Affect All Cellular Generations Since 2G
  12. An Analysis of The Log4Shell Alternative Local Trigger – “WebSockets are not restricted by same-origin policies like a normal cross-domain HTTP request and they expect the server itself to validate the Origin of the request. While they are useful, they also introduce a fair amount of risk as they do not include many security controls to limit their utilization.” – Doesn’t this mean that many web app vulnerabilities could be triggered via WebSockets?
  13. Remote Deserialization Bug in Microsoft’s RDP Client through Smart Card Extension (CVE-2021-38666)
  14. Active Directory Bugs Could Let hackers Take Over Windows Domain Controllers – “While CVE-2021-42278 enables an attacker to tamper with the SAM-Account-Name attribute, which is used to log a user into systems in the Active Directory domain, CVE-2021-42287 makes it possible to impersonate the domain controllers. This effectively grants a bad actor with domain user credentials to gain access as a domain admin user.”
Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element