Security Weekly
Paul's Security WeeklySubscribe
Vulnerability Management, Application security, DevSecOps, Threat Management

Burning Hard Drive – PSW #707

This week, we jump straight Into the Security News for this week: Buffer overflows galore, how not to do Kerberos, no patches, no problem, all your IoTs belong to Kalay, the old pen test vs. vulnerability scan, application security and why you shouldn't do it on a shoe string budget, vulnerability disclosure miscommunication, tractor loads of vulnerabilities, The HolesWarm..malware, T-Mobile breach, and All you need is....Love? No, next-generation identity and access management with zero-trust architecture is what you need!!!! Next up, we have a pre-recorded interview featuring Qualys Researcher “Wheel”, who joined Lee and I to discuss Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer!!! Lastly, a segment from Black Hat 2021 featuring Sonali Shah, Chief Product Officer at Invicti Security, all about Shifting Left, and how YOU can make it right!

Segment Resources:
https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909 Visit https://securityweekly.com/qualys to learn more about them! Visit https://securityweekly.com/netsparker to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

View Show Index

Full Audio

Segments

1. Tractorload of John Deere Vulns, T-Mobile Breach, Kalay IoT Hack, & HolesWarm – PSW #707

In the Security News for this week: Buffer overflows galore, how not to do Kerberos, no patches, no problem, all your IoTs belong to Kalay, the old pen test vs. vulnerability scan, application security and why you shouldn't do it on a shoe string budget, vulnerability disclosure miscommunication, tractor loads of vulnerabilities, The HolesWarm.......malware, T-Mobile breach, and All you need is....Love? No, next-generation identity and access management with zero-trust architecture is what you need!!!

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
  1. 1. How Much Cybersecurity Do You Need?
    "Organizations also need to take a closer look into their cybersecurity investments to maximize ROI. In addition to strengthening the core through network, infrastructure and application security controls, security orchestration and automation with AI- and ML-based solutions and applying techniques like managed detection and response, next-generation identity and access management and zero-trust architecture will help counter modern-day threats, such as ransomware, more effectively and efficiently." - And there you have! All you need is a next-generation identity and access management solution with some zero-trust architecture and just like that, you have all the security you need! We can all retire now...
  2. 2. Discovering CAPTCHA Protected Phishing Campaigns
  3. 3. T-Mobile: Breach Exposed SSN/DOB of 40M+ People – Krebs on Security
  4. 4. Multiple Flaws Affecting Realtek Wi-Fi SDKs Impact Nearly a Million IoT Devices
    "The security issues are said to have remained untouched in Realtek's codebase for more than a decade" - Lots of buffer overflows. Lots. Sloppy coding, strcpy for the win in the "boa" web server, which I've seen on a few different IoT devices.
  5. 5. Critical Valve Bug Lets Gamers Add Unlimited Funds to Steam Wallets
  6. 6. Kerberos Authentication Spoofing: Don’t Bypass the Spec
    "The Kerberos protocol is solid. It was developed at MIT and provides Single Sign On (SSO) for many large companies." - Okay but define "solid", as in like, it has many security flaws that have been uncovered over the years? Oh, and really try to code to the spec: "Then again, these four security vendors didn’t implement the Client/Server exchange at all. So I can just log in with my fake password to all these systems."
  7. 7. Cisco will not patch critical flaw CVE-2021-34730 in EoF routers
    In this case, Cisco's recommendations are something that should be done anyhow, regardless of patch or not: "The IT giant recommends customers using RV110W Wireless-N VPN Firewalls, RV130 VPN Routers, RV130W Wireless-N Multifunction VPN Routers, and RV215W Wireless-N VPN Routers to disable UPnP on both the LAN and WAN interfaces of their devices."
  8. 8. Hacker Says He Found a ‘Tractorload of Vulnerabilities’ at John Deere
    "John Deere claimed in a statement that "none of the claims—including those identified at DEF CON—have enabled access to customer accounts, agronomic data, dealer accounts, or sensitive personal information. Further, contrary to claims made at DEF CON, none of the issues identified by the security researchers would have affected machines in use. John Deere considers the security of our systems and the data within them a top priority and we work tirelessly to identify and address any misconfigurations as quickly as possible. Deere also recognizes the important role our products play in food security and within the global food supply chain." - Yet the researcher proved otherwise....
  9. 9. Friendly hackers save Ford from potential leak of employee, customer data
  10. 10. Millions of IoT devices, baby monitors open to audio, video snooping
    "Over the course of several months, the researchers developed a fully functional implementation of ThroughTek’s Kalay protocol, which enabled the team to perform key actions on the network, including device discovery, device registration, remote client connections, authentication, and most importantly, process audio and video (“AV”) data. Equally as important as processing AV data, the Kalay protocol also implements remote procedure call (“RPC”) functionality. This varies from device to device but typically is used for device telemetry, firmware updates, and device control." - Sounds like you need to be on the same network as the device, so I thought, but this looks like a publically available network that they were able to interface with the protoctol over the Internet: "If an attacker obtains a UID of a victim Kalay device, they can maliciously register a device with the same UID on the network and cause the Kalay servers to overwrite the existing Kalay device. Once an attacker has maliciously registered a UID, any client connection attempts to access the victim UID will be directed to the attacker."
  11. 11. GitGuardian now available on GitHub Marketplace – Help Net Security
  12. 12. The Onion Patch – Best 15 Dark Web Websites You Shouldn’t Miss
    I thought it was neat to listen to streaming music from the Tor network. Not great quality, and a mixed bag of music, but neat.
  13. 13. Fortinet slams Rapid7 for disclosing vulnerability before end of their 90-day window
    Sounds like some miscommunication: "Rapid7 said they contacted Fortinet multiple times to work on the issue but didn't get a response, so they followed their own disclosure policies when releasing the report." - Begs the question, what do you do when you don't receive a response? How hard do you try to get a response? What if emails go to SPAM? Difficult in larger companies as it can get lost in the shuffle. I think the lesson learned here is to closely monitor disclosure communication, and perhaps have multiple routes for disclosing vulnerabilities, or do a bug bounty so a 3rd party can help ensure clean and reliable communications.
  14. 14. Windows EoP Bug Detailed by Google Project Zero
  15. 15. BadAlloc Flaw Affects BlackBerry QNX Used in Millions of Cars and Medical Devices
  16. 16. Hunting for Evidence of DLL Side-Loading With PowerShell and Sysmon
  17. 17. How to Layer Secure Docker Containers with Hardened Images
    "The containerized CIS Hardened Images are built on provider based images via Docker. Docker, a self-contained software bundle, makes it easy for applications to run on multiple computing environments. CIS provides these containerized CIS Hardened Images in Amazon Web Services (AWS) Marketplace."
  18. 18. Secret terrorist watchlist with 2 million records exposed online
  19. 19. Penetration Tests vs Vulnerability Scans?—?Whats the Difference
    Lost me right away: "Penetration testing aka pentesting is the process of finding vulnerabilities in the network and preventing them from seeping into the system." - Nope. And then: "A vulnerability scan is a high-level test that seeks potential vulnerabilities in the system." - Again, not really.
  20. 20. Application Security on a Shoe-String Budget – Beyond Security Blog
    I believe this is really about 1) Create your teams to include devs, ops, and security people 2) Design and threat model with said team for functionality, reliability, performance, and security 3) Use OSS for static analysis, SCA, container scanning 4) Use commercial software for runtime protection.
Doug White
Doug White
Professor at Roger Williams University
  1. 1. HolesWarm Malware Exploits Unpatched Windows, Linux Servers.
  2. 2. Unpatched Fortinet Bug Allows Firewall Takeovers
  3. 3. Hacker grabs 600M in cryptocash from blockchain company Poly Network
  4. 4. Video surveillance network hacked by researchers to hijack footage
  5. 5. More than 47Million affected by T-Mobile Breach
  6. 6. How much Cybersecurity can 1.9 Billion Buy?
Jeff Man
Jeff Man
Sr. InfoSec Consultant – Online Business Systems at Online Business Sytems

2. Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer – . Wheel – PSW #707

The Qualys Research Team discovered a size_t-to-int type conversion vulnerability in the Linux Kernel’s filesystem layer affecting most Linux operating systems. Any unprivileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable.

Segment Resources:
https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909

Announcements

  • CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey

  • In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.

Guest

. Wheel
. Wheel
Researcher at Qualys

“Wheel” is a member of the Qualys Research Team responsible for finding zero-days.

Hosts

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
Lee Neely
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory

3. Shifting Left Probably Left You Vulnerable, Here’s How To Make it Right – Sonali Shah – PSW #707

Shifting security left is good - but it’s an incomplete strategy that often leads to a false sense of security. In this segment, Sonali will discuss how organizations can reduce their risk of breach by embracing the modern AppSec techniques, that will allow development, operations and security teams to work together in order to efficiently and effectively secure all of their applications.

This segment is sponsored by Invicti.

Visit https://securityweekly.com/ to learn more about them! This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!

Sponsored By

Invicti

Guest

Sonali Shah
Sonali Shah
Chief Product Officer at Invicti Security

A seasoned business and product leader, Sonali Shah brings more than 20 years of B2B SaaS and cybersecurity sector experience, having led product management, marketing, and strategy teams at companies such as HUMAN (formerly White Ops), Veracode, BitSight, and VeriSign, among others. Skilled at leading teams with a proven track record in bringing innovative solutions to market, she will be building on Invicti’s long history of innovation, transforming the application security market, with its enterprise Netsparker and mid-market Acunetix solutions.

Host

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly

Related

Incident Response
Making tabletop exercises better! – Ryan Fried – ESW #332

If you've ever played Dungeons & Dragons, you probably know that the quality of the experience depends on how prepared, experienced, and talented the Dungeon Master is. Today, we'll talk to InfoSec DM and practitioner extraordinaire Ryan Fried about some of the key elements that separate a good cybersecurity tabletop exercise from a bad one! T...