Active Directory, Encryption, DevOps, Bug bounties

PSW #635

January 17, 2020


We discuss the details and impact of the latest flaw in Windows 10, disclosed by the NSA, that allows attackers to pass off malware as signed applications, and so much more. The Citrix NetScaler vulnerability is a rare remote, easy-to-exploit opportunity for attackers. The crew also talks about book recommendations, backdoors in crypto (and why it's bad), conspiracy theories and more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page

CVE-2020-0601, Netscaler RCE, npm

Paul’s Stories

  1. Powerful GPG collision attack spells the end for SHA-1
  2. Artificial Personas and Public Discourse – Schneier on Security
  3. Unpatched Citrix Flaw Now Has PoC Exploits
  4. How Cyber Security Affects SEO
  5. Cisco addressed a high-severity bug in Webex that could allow Remote Code Execution
  6. Security pitfalls to avoid when programming using an API – Help Net Security
  7. Lottery hacker gets 9 months for his 5 cut of the loot
  8. 5G Security – Schneier on Security
  9. Exploit that gives remote access affects ~200 million cable modems
  10. Perfect Sense unveils Gyro to simplify cloud infrastructure management – Help Net Security
  11. Serious back door Vulnerabilities spotted in Tik Tok
  12. Malicious npm package taken down after Microsoft warning
  13. Windows 10: NSA reveals major flaw in Microsoft’s code
  14. Trump Slams Apple for Refusing to Unlock Suspected Shooters iPhones
  15. PussyCash adult webcam data breach exposes highly sensitive data of models
  16. How to Reduce Your Attack Surface with 11 Proven Tips

Larry’s Stories

  1. CableHaunt – RCE in up to 200 million cable modems in Europe
  2. Rumblings ahead of the Tuesday patch. – Oh NSA did you do this out of the goodness of your heart?
  3. Windows 7 support ended January 14th
  4. Honda corporate hacked, leaking details of 978 million customers
  5. Microsoft patches the NSA crypto bug… – and then we are seeing one or more initial PoCs, then a real release of code.
  6. The cost of a breach – and stupidity/lackluster security practices

Jeff’s Stories

  1. Yo, sysadmins! Thought Patch Tuesday was big? Oracle says ‘hold my Java’ with huge 334 security flaw fix bundle
  2. Microsoft’s Chain of Fools
  3. Tom Ptacek Analysis of Windows 10 Vulnerability from Hacker News
  4. Windows 10 Has a Security Flaw So Severe the NSA Disclosed It – Let’s talk the NSA angle
  5. Russia Hacked Ukrainian Company Linked To Trump Impeachment, Security Firm Says – Let’s Get Political?
  6. U.S. Army Hacked By 52 Hackers In Five Weeks
  7. The dark side of IoT, AI and quantum computing: Hacking, data breaches and existential threat

Lee’s Stories

  1. PayPal patches high severity password vulnerability – Security token exposure in CAPTCHA process resolved. No evidence of abuse found.
  2. DOI halting use of DJI drones over concerns of Chinese Tech – DOI has over 800 DJI drones which may have surveillance capabilities. Decision to replace rather than repair.
  3. Maze ransomware operators publish 14GB of Southwire files – Southwire refused to pay the ransom, and obtained an injunction against the first publisher of their data. Maze raises the stakes. REvil similarly inclined.
  4. AA20-014A: Critical Vulnerabilities in Microsoft Windows Operating Systems – CryptoAPI spoofing vulnerability CVE-2020-0601; Windows RDP vulnerabilities CVE-2020-0609, CVE-2020-0610, CVE-2020-0611. Impacts Server 2012 and newer, Windows 7 and newer. Apply January patch bundle.
  5. DHS CISA Emergency Directive 20-02 – MS January Patch bundle: DHS mandates all US Government agencies apply the MS January updates by January 29th, with reporting/accountability.
  6. Russian Hacking group targets Burisma Holdings – APT28 is targeting the Ukrainian gas company at the center of the impeachment debate.
  7. 29 Million records from LimeLeads put up for sale – Records from the B2B lead generation company LimeLeads data breach found up for sale by “Omnichorus.” Data good for supporting identity theft.
  8. P&N Bank discloses data breach, customer account information, balances exposed
  9. Oski Data-Stealing Malware Emerges to Target North America, China
  10. Adobe’s first 2020 security patch update fixes code execution vulnerabilities.

Tyler’s Stories

  1. Oski Data-Stealing Malware Emerges to Target North America, China
  2. The Evil List Which tech companies are really doing the most harm? Here are the 30 most dangerous, ranked by the people who know.
  3. Inside the Feds’ Battle Against Huawei
  4. APT40 is run by the Hainan department of the Chinese Ministry of State Security
  5. Families of deployed paratroopers received ‘menacing’ messages, warned to double-check social media settings
  6. Russian government resigns as Vladimir Putin plans future
  7. Russians hack energy company that played major role in Trump Ukraine scandal
  8. Google to phase out user-agent strings in Chrome
  9. Russian hackers targeted Ukrainian company at center of impeachment storm: cybersecurity firm
  10. DOD needs cyberwarriors so badly it may let skilled recruits skip boot camp
  11. Critical Exposure in Citrix ADC (NetScaler) – Unauthenticated Remote Code Execution
  12. Report: Adult Site Leaks Extremely Sensitive Data of Cam Models

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant

Larry Pesce

Larry Pesce – Senior Managing Consultant and Director of Research

Lee Neely

Lee Neely – Senior Cyber Analyst

Paul Asadoorian

Paul Asadoorian – Founder & CTO

Tyler Robinson

Tyler Robinson – Managing Director of Network Operations

Guests

Announcements

  • Our next webcast is February 13th with Sri Sundaralingam, Vice President, Product and Solutions Marketing at ExtraHop where we will discuss Cloud Native Network Detection and Response! Register for our upcoming webcasts by visiting securityweekly.com, selecting the webcast drop down from the top menu bar and clicking registration.
  • Join us at InfoSecWorld 2020 – March 30 – April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020 and click the register button to register with our discount code!
  • Attend RSA Conference 2020, February 24-28 and join thousands of security professionals, forward-thinking innovators and solution providers for five days of actionable learning, inspiring conversation and breakthrough ideas. Register before January 24 and save $900 on a Full Conference Pass. Save an extra $150 by going to securityweekly.com/rsac2020 and using our code to register!


The world continues to see a proliferation of highly insecure IoT/embedded products. How can companies making embedded products design security in from the start, and why don’t they do it today? Importantly, security needs to be baked in while remaining lean and moving quickly towards an MVP product. Discussions will range from hardware chip selection to cryptographic protocol design and firmware security — both at the design and security pen test phases.


Hacking IoT Devices

We keep seeing the same vulnerabilities in embedded / IoT: hardcoded passwords, outdated open source packages, unnecessary network exposure. While some exploited vulns are complex chains, most remain simple, fixable issues. However, we continue to see thousands of new embedded devices (from consumer IoT to industrial and critical systems) that don’t fix these issues (summary of the landscape from f-prime at https://s3-eu-central-1.amazonaws.com/evermade-fsecure-assets/wp-content/uploads/2019/04/01094545/IoT-Threat-Landscape.pdf). This creates the need to start identifying these issues earlier in development, since patching cycle times in embedded are long.

  1. Shifting security left

– We looked at our past data from 10 years of services work, and found that it’s more expensive for firms to respond to one vulnerability disclosure than it is to do an end-to-end embedded secure design process: https://www.riverloopsecurity.com/blog/2019/08/proactive-reactive/

  • Where security teams/expertise can help

  2. Considerations for embedded

– There’s a special order of operations when it comes to embedded systems: hardware changes can be incredibly expensive (a PCB turn), and there’s always a goal to minimize BOM cost. This manifests itself as issues with chip selection and hardware design that create vulnerabilities from the start and have no easy fix in the field. This makes the initial threat modeling, architecture, and key design decisions (e.g. chip selection) critical to get right.

  3. Using tooling

– We’ve open sourced some things that may be relevant, such as https://www.riverloopsecurity.com/blog/2019/04/secure-embedded-development-banned-h/, to help developers avoid memory safety issues in the first place as much as possible. Firmware security analysis is a quickly growing field: there are tools for firmware evaluation, including some open source ones such as https://github.com/cruise-automation/fwanalyzer and more in-depth commercial ones such as one we launched, https://pilot-security.com. If you want, we could talk about what such types of tools can and can’t do, and how people can use them to find bugs early in development.

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant

Larry Pesce

Larry Pesce – Senior Managing Consultant and Director of Research

Lee Neely

Lee Neely – Senior Cyber Analyst

Paul Asadoorian

Paul Asadoorian – Founder & CTO

Tyler Robinson

Tyler Robinson – Managing Director of Network Operations

Guests

Jeff Spielberg

Jeff Spielberg – Managing Partner

Ryan Speers

Ryan Speers – Security Researcher


This is the Hacker Culture Roundtable discussion from the Security Weekly Christmas podcast marathon and features almost all of our hosts and special guests.

Hacking is a term used to describe the activity of modifying a product or procedure to alter its normal function, or to fix a problem. The term purportedly originated in the 1960s, when it was used to describe the activities of certain MIT model train enthusiasts who modified the operation of their model trains. They discovered ways to change certain functions without re-engineering the entire device. These curious individuals went on to work with early computer systems where they applied their curiosity and resourcefulness to learning and changing the computer code that was used in early programs. To the general public, a “hack” became known as a clever way to fix a problem with a product, or an easy way to improve its function.


What Does It Mean To Be A Hacker?

Hosts

April Wright

April Wright – Preventative Security Specialist

Doug White

Doug White – Professor

Jason Albuquerque

Jason Albuquerque – CIO & CSO

Jeff Man

Jeff Man – Sr. InfoSec Consultant

Joff Thyer

Joff Thyer – Security Analyst

Larry Pesce

Larry Pesce – Senior Managing Consultant and Director of Research

Lee Neely

Lee Neely – Senior Cyber Analyst

Matt Alderman

Matt Alderman – CEO

Patrick Laverty

Patrick Laverty – Security Consultant

Paul Asadoorian

Paul Asadoorian – Founder & CTO

Tyler Robinson

Tyler Robinson – Managing Director of Network Operations

Guests

Bill Swearingen

Bill Swearingen – Cyber Strategist

Trent Lo

Trent Lo – Cyber Security Principal


In this week’s episode of Paul’s Security Weekly, Paul and the guys welcome back Gene Kim to interview him about his newest book “The Unicorn Project”. Gene shares with us his goals and aspirations for The Unicorn Project, describes in detail the Five Ideals, along with his favorite case studies of both ideal and non-ideal, and why he believes more than ever that DevOps will be one of the most potent economic forces for decades to come.


The Unicorn Project and The Five Ideals

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant

Larry Pesce

Larry Pesce – Senior Managing Consultant and Director of Research

Lee Neely

Lee Neely – Senior Cyber Analyst

Matt Alderman

Matt Alderman – CEO

Paul Asadoorian

Paul Asadoorian – Founder & CTO

Guests

Gene Kim

Gene Kim – Author & Researcher

Announcements

  • Our next webcast is February 13th with Sri Sundaralingam, Vice President, Product and Solutions Marketing at ExtraHop where we will discuss Cloud Native Network Detection and Response! Register for our upcoming webcasts by visiting securityweekly.com, selecting the webcast drop down from the top menu bar and clicking registration.
  • Join us at InfoSecWorld 2020 – March 30 – April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
  • Attend RSA Conference 2020, February 24-28 in San Francisco, CA! Visit securityweekly.com/rsac2020 to sponsor an interview with us on-site at the conference or register using our code to save $150!