psw726

Paul’s Security Weekly Episode #726 – February 02, 2022

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Covert EDC & Physical Pen Tests – 06:00 PM-06:45 PM

Announcements

  • We have a few webcasts coming up soon. First, join us February 16th to learn about validation techniques within applications. Then join us March 2nd to learn five things you can do to catch more bad guys! Finally, join us March 10th for an intro to KQL queries! Also join us on February 9th for a full live stream day from 1-6pm with Polarity for a chance to win cash prizes and a Samurai Sword Trophy! To register for these webcasts visit https://securityweekly.com/webcasts. Don’t forget to check out our library of on-demand webcasts & technical trainings at https://securityweekly.com/ondemand.

Description

Discussing every-day-carry items that are utilized during covert entry assessments.
Also discussing the concealment of these tools, and which tools we use for various assessment types.

Segment Resources:

  1. Blog website : www.wehackpeople.com
  2. Employer’s website : www.darkwolfsolutions.com
  3. Link for EDC – Covert Entry Wallet : https://wehackpeople.wordpress.com/2019/10/10/lock-pick-concealment-edc-wallet/
  4. Link for other EDC items I use : https://wehackpeople.wordpress.com/2020/09/14/covert-entry-specialist-edc/

Physical Pentest Tools:
https://www.sparrowslockpicks.com/product_p/hp.htm
https://www.redteamtools.com/espkey
https://www.redteamtools.com/under-door-level-lock-tool

Guest(s)

Brent White

Brent White – Principal Security Consultant at Dark Wolf Solutions

@brentwdesign

Brent is a Covert Entry Specialist with Dark Wolf Solutions, specializing in physical, social engineering, and red team security assessments. He is the founder of the Nashville DEF CON group (DC615), and is the Global Coordinator for the official DEF CON conference “Groups” program. He is also a trusted adviser for the TN Dept of Safety and Homeland Security on the topic of physical and cyber security.

Brent has held the role of Web/Project Manager and IT Security Director for a global franchise company as well as Web Manager and information security positions for television personalities on The Travel Channel.

He has also been interviewed on the popular web series, “Hak5” with Darren Kitchen, BBC News, featured with Tim Roberts on the popular series “Profiling Evil” with Mike King and on Microsoft’s “Roadtrip Nation” television series.

Brent has also spoken at numerous private and public security conferences including DEF CON, BlackHat, ISC West, DerbyCon, InfoSec World, various “B-Sides” events, Techno Security Con, TakeDownCon and Appalachian Institute of Digital Evidence conference at Marshall University, and more.

Hosts

Josh Marpet

@quadling

Executive Director at RM-ISAO

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian

@securityweekly

Founder at Security Weekly

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. Linux Post Exploitation – 07:00 PM-07:45 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

In this Technical Segment, Paul walks through Linux Post Exploitation!

Github: https://github.com/SecurityWeekly/vulhub-lab

Hosts

Josh Marpet

@quadling

Executive Director at RM-ISAO

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian

@securityweekly

Founder at Security Weekly

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

3. Securing Olympians, Hiding in UEFI, ‘Fingerprinting GPUs’, & P4x vs. North Korea – 08:00 PM-09:30 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • CRA’s Business Intelligence Unit has launched its next survey on Zero Trust! What are Your Barriers to Zero Trust Implementation? Take our survey and enter to win a $500 Tango card by visiting https://securityweekly.com/zerotrust. Report results will be released at our upcoming Zero Trust E-Summit in March!

Description

This week in the Security News: Temporary phones, webcam hacks that are so much more, bags of cash, patch WordPress plugins and patch them some more, crowd-sourced-government-funded vulnerability scanning, hiding deep in UEFI and bouncing off the moon, even more UEFI vulnerabilities, if Samba were a fruit it would be….well vulnerable for one thing, charming kittens, fingerprinting you right in the GPU, Let’s not Encrypt, your S3 bucket is showing again, and can you hack the latest wearable sex toys intended to delay things?

Hosts

Joff Thyer

@joff_thyer

Security Analyst at Black Hills Information Security

Josh Marpet

@quadling

Executive Director at RM-ISAO

  1. The Biggest NFT Video Game’s Economy Is Collapsing Because NFT Games Don’t Work

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

  1. Charming Kitten Sharpens Its Claws with PowerShell Backdoor
  2. Your Graphics Card Fingerprint Can Be Used to Track Your Activities Across the Web
  3. Shuckworm Continues Cyber-Espionage Attacks Against Ukraine
  4. Cyber Security Career Guide
  5. Let’s Encrypt to revoke about 2 million HTTPS certificates
  6. North Korea Hacked Him. So He Took Down Its Internet

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. Fact Sheet: Biden-Harris Administration Expands Public-Private Cybersecurity Partnership to Water Sector – The Biden-Harris Administration is expanding the Industrial Control System (ICS) Cybersecurity Initiative to the country’s water sector.

    The challenge: there are thousands of water companies, some very small, and it’s not easy explaining to a Board of Directors that security hygiene does NOT mean washing your hands and that visibility into security does NOT mean how much soap has been used to wash hands before board meetings.

  2. US Says National Water Supply ‘Absolutely’ Vulnerable to Hackers – Cyber defenses for US drinking water supplies are “absolutely inadequate” and vulnerable to large-scale disruption by hackers, a senior official said Thursday.
  3. FBI Reportedly Considered Buying NSO Spyware – An investigation by Ronen Bergman and Mark Mazzetti, both journalists at The New York Times Magazine, found that, beginning in 2019, the FBI paid millions to NSO as the bureau considered deploying the Pegasus surveillance tool in the U.S.

    iOS 15.3 has fixed the flaw this exploited. Don’t assume other governments aren’t using the NSO tools. Use loaner/burner devices in high-risk countries, make sure they’re updated with minimal data and strong authentication, and use caution with data transferred from them.

  4. US bans major Chinese telecom over national security risks – The U.S. FTC has revoked China Unicom Americas’ license, essentially banning it from providing domestic and international telecommunication services in the U.S. According to the order, the Chinese telecom company has just 60 days after the order was released to terminate its domestic and international services.

    The order finds they are a subsidiary of a state-owned enterprise, subject to exploitation, influence and control by the Chinese government.

  5. Unsecured AWS server exposed 3TB in airport employee records – An unsecured Securitas AWS S3 bucket has exposed sensitive data belonging to airport employees across Colombia and Peru.
  6. Mandiant: 1 in 7 Ransomware Extortion Attacks Exposes OT Data – Ransomware gangs often up their game by extorting their victims on so-called shaming sites, where they dump the stolen information to pressure the victims to pay the ransom.
    Mandiant researchers say one in seven of those extortion sites also exposed OT information lifted from industrial victims.
  7. FBI Document Cloud: Potential for Malicious Cyber Activities to Disrupt the 2022 Beijing Winter Olympics and Paralympics – The FBI is warning entities associated with the February 2022 Beijing Winter Olympics and March 2022 Paralympics that cyber actors could use a broad range of cyber activities to disrupt these events. These activities include distributed denial of service (DDoS) attacks, ransomware, malware, social engineering, data theft or leaks, phishing campaigns, disinformation campaigns, or insider threats, and when successful, can block or disrupt the live broadcast of the event, steal or leak sensitive data, or impact public or private digital infrastructure supporting the Olympics.
  8. Microsoft fends off record-breaking 3.47 Tbps DDoS attack – Microsoft’s Azure DDoS Protection team said that in November, it fended off what industry experts say is likely the biggest distributed denial-of-service attack ever: a torrent of junk data with a throughput of 3.47 terabits per second. The record DDoS came from more than 10,000 sources located in at least 10 countries around the world.
  9. DDoS attacks on Andorra’s internet linked to Squid Game Minecraft tournament – A high-stakes Minecraft tournament is believed to be the cause of a series of DDoS attacks targeting Andorra’s only internet provider for the last four days in what experts believe has been an attempt to prevent local gamers from participating. Attacks interrupted service for home, business and government users.
  10. Samba – Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution – CVE-2021-44142
    Summary: This vulnerability allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.
  11. Samba bug can let remote attackers execute code as root – Samba has addressed a critical severity out-of-bounds heap read/write vulnerability that can let attackers gain remote code execution with root privileges on servers running the vfs_fruit module.

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. North Korea Hacked Him. So He Took Down Its Internet
  2. Threat actors target Ubiquiti network appliances using Log4Shell exploits
  3. FBI urges temporary phones for Olympic athletes – Meh, the problem with a temporary phone is you’ll want to install all your social media apps anyhow, and oh I need that email so I can get something I need, or for 2FA. Not sound advice.
  4. Apple Pays $100.5K Bug Bounty for Mac Webcam Hack – “My hack successfully gained unauthorized camera access by exploiting a series of issues with iCloud Sharing and Safari 15. While this bug does require the victim to click “open” on a popup from my website, it results in more than just multimedia permission hijacking. This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too.” (Ref: https://www.ryanpickren.com/safari-uxss)
  5. Notorious Spyware Firm Reportedly Offered ‘Bags of Cash’ for Access to U.S. Networks – This is the type of attack that keeps me up at night: “A whistleblower alleges that the scandal-ridden spyware firm NSO Group once offered a telecom security company “bags of cash” to buy access to its cellular networks, ostensibly so its clients could track specific mobile users within the United States.”
  6. Researchers Devise “DrawnApart” – A GPU Fingerprinting Technique – We know who you are based on your GPU: “Specifically, the technique involves logging the speed variations between the GPU Execution Units (EU). Such fingerprinting can even distinguish between two fingerprints apparently sharing similar hardware. Also, it is easy to execute via a simple unprivileged JavaScript.”
  7. Android malware can factory-reset phones after draining bank accounts
  8. Tens of Thousands of Websites Vulnerable to RCE Flaw in WordPress Plug-in – Oh boy: “An independent security researcher recently discovered the flaw in versions 5.0.4 and below of Essential Addons for Elementor and reported the issue to the developer of the plug-in. The developer then released an updated version with a fix for the vulnerability. But researchers at PatchStack, a WordPress plug-in security vendor, tested the patch and found it to be defective. They reported it to the developer, and another version — this one with a fix that worked — was issued on Jan. 28.” ugh: “First, $template_info is filled with user input data taken from $_REQUEST, which is taken from the URL or POST payload. This is then concatenated with some other values into a file path. This file path is passed on to the function include_with_variable as part of the HelperClass class. This function takes the file path and includes it which allows for the local file inclusion vulnerability to exist.” (Ref: https://patchstack.com/articles/critical-vulnerability-fixed-in-essential-addons-for-elementor-plugin/)
  9. UK government plans to release Nmap scripts for finding vulnerabilities – So a crowd-sourced, Government funded, vulnerability scanner? “The NCSC said that the SME project was created to solve this problem by having some of the UK’s leading security experts, from both the government and public sector, either create or review scripts that can be used to scan internal networks. Approved scripts will be made available via the NCSC’s SME GitHub project page, and the agency said it’s also taking submissions from the security community as well.”
  10. Finding a VMware vCenter Kernel 0day using Static Reverse Engineering — Signal Labs
  11. MoonBounce: the dark side of UEFI firmware – This is pretty scary: “Note that at the time of writing we lack sufficient evidence to retrace how the UEFI firmware was infected in the first place. The infection itself, however, is assumed to have occurred remotely. While previous UEFI firmware compromises (i.e. LoJax and MosaicRegressor) manifested as additions of DXE drivers to the overall firmware image on the SPI flash, the current case exhibits a much more subtle and stealthy technique where an existing firmware component is modified to alter its behaviour.” Also, people don’t update UEFI, unless they are trying to solve a non-security problem…
  12. She was a notorious hacker in the ’80s — then she disappeared – Really neat article. I have read about Susan “Thunder” in various works. I found it even more interesting that the journalist spent about a year tracking her down.
  13. Myanmar Junta’s New Cyber Law to Jail Anyone Using VPN – Zero privacy: “The draft law would grant the regime unlimited power to access user data, ban content it dislikes, restrict internet providers and intercept data, and imprison those criticizing the regime online and employees of non-compliant companies.”
  14. Public Exploit Released for Windows 10 Bug
  15. New Wearable Tech Could Stop Premature Ejaculation
  16. Samba bug can let remote attackers execute code as root – More info here: https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin
  17. I Spent a THOUSAND Dollars on HDMI Cables.. for Science
  18. UEFI firmware vulnerabilities affect at least 25 computer vendors – “The root cause of the problem was found in the reference code associated with InsydeH2O firmware framework code. All of the aforementioned vendors were using Insyde-based firmware SDK to develop their pieces of firmware. We had a short discussion with Fujitsu PSIRT and came to the conclusion that we should report all those issues to CERT/CC to lead an industry-wide disclosure. This is how the VU#796611 was created and how Binarly collaboration with CERT/CC began in September 2021.” (Ref: https://www.binarly.io/posts/An_In_Depth_Look_at_the_23_High_Impact_Vulnerabilities/index.html)
  19. Few things to do to improve your Cybersecurity posture
  20. Joy Of Tech® ‘Spotify Has A Joe Rogan Experience’
  21. 8 Security Dinosaurs and What Filled Their Footprints
  22. New Malware Used by SolarWinds Attackers Went Undetected for Years
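
The Essential Addons for Elementor item above quotes PatchStack’s explanation of the local file inclusion: a value from `$_REQUEST` is concatenated into a file path that is then passed to `include`. The block below is an added example, not the plugin’s code or PatchStack’s, that shows that pattern beside a hardened version which only lets the request pick a key from a fixed allowlist and then confirms the resolved path still lives under the template directory. All names in it (`render_template_vulnerable`, `resolve_template`, `setup_demo_templates`, the `template` request parameter and the allowlist entries) are assumptions for the demonstration, and the template files it writes to a temp directory are constructed.

```php
<?php
// Added example (not the plugin's or PatchStack's code): request-controlled
// file inclusion beside an allowlisted, path-checked version.
declare(strict_types=1);

// Assumed allowlist: request value -> file name inside the template directory.
const TEMPLATE_ALLOWLIST = [
    'default' => 'default.php',
    'grid'    => 'grid.php',
    'list'    => 'list.php',
];

// VULNERABLE pattern: user input is concatenated straight into the included
// path, so "../" sequences or an absolute path can pull in any readable PHP
// file on the host. Shown only to contrast with the hardened version below.
function render_template_vulnerable(array $request, string $baseDir): void
{
    $template_info = $request['template'] ?? 'default';   // e.g. from $_REQUEST
    $file_path = $baseDir . '/' . $template_info . '.php';
    include $file_path;
}

// HARDENED: the request only selects an allowlist key; the filesystem path is
// built from the allowlisted file name, never from the raw input, and the
// resolved path is checked to still be inside $baseDir.
function resolve_template(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        return null;                       // unknown key: reject before any I/O
    }
    $real = realpath($baseDir . '/' . TEMPLATE_ALLOWLIST[$requested]);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return null;                       // missing file or directory
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the template dir
    }
    return $real;
}

function render_template_hardened(array $request, string $baseDir): void
{
    $requested = (string) ($request['template'] ?? 'default');
    $path = resolve_template($requested, $baseDir);
    if ($path === null) {
        http_response_code(400);           // loggable signal for detection
        echo "unknown template\n";
        return;
    }
    include $path;
}

// Constructed fixture: writes harmless template files to a temp directory so
// the example runs stand-alone.
function setup_demo_templates(): string
{
    $dir = sys_get_temp_dir() . '/lfi-demo-templates';
    if (!is_dir($dir)) {
        mkdir($dir, 0700);
    }
    foreach (TEMPLATE_ALLOWLIST as $file) {
        file_put_contents($dir . '/' . $file, "<?php echo \"rendered " . $file . "\\n\";\n");
    }
    return $dir;
}

$dir = setup_demo_templates();
render_template_hardened(['template' => 'grid'], $dir);            // rendered grid.php
render_template_hardened(['template' => '../../wp-config'], $dir); // unknown template
var_dump(resolve_template('../../wp-config', $dir) === null);      // bool(true)
```

The allowlist is the real fix; the `realpath` prefix check is a second layer that also catches a misconfigured allowlist entry or a symlink pointing out of the directory. Rejected requests return a 400, which gives web server logs a clean indicator of traversal attempts against the parameter.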

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element