PSW #739 – Fatih Karayumak

Announcements

• Security Weekly listeners, save $100 on your RSA Conference 2022 Full Conference Pass! RSA Conference will be live in San Francisco June 6th-9th, 2022. Security Weekly will be there in full force, delivering real-time, live coverage and interviewing some of the event’s top speakers and sponsors. To register using our discount code, please visit https://securityweekly.com/rsac2022 and use the code 52UCYBER. We hope to see you there!

• Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Guest

Fatih Karayumak

Cyber Research Lead

Fatih Karayumak is the Cyber Security Research Lead at a large commercial property insurance company. He is a senior information security professional with over 14 years of experience in Cyber Risk Management, Secure Software Development, Security Engineering, Cryptography, ICS&IOT Security.
He started his IT Security career in academia, then worked for various government and military agencies including NATO. Currently he is working in the private sector helping one third of Fortune 1000 companies improve their cyber security postures.
Fatih had also taught Secure Software Development and Human Computer Interaction on graduate level at various colleges in Germany, Turkey and US.

Hosts

Paul Asadoorian

Founder at Security Weekly

0offset

https://securityweekly.com

Doug White

Professor at Roger Williams University

https://securedigitallife.com/

Josh Marpet

Executive Director at RM-ISAO

Larry Pesce

Product Security Research and Analysis Director at Finite State

https://www.finitestate.io/

Announcements

• Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

• Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Paul Asadoorian

Founder at Security Weekly

0offset

https://securityweekly.com

1. 1. Users complain over Heroku’s incident management comms
   Lots of speculation here: "One customer said they'd invited the Salesforce incident handler to provide a "statement that confirms whether or not config variables and secrets were accessed, or that you're not sure." According to the post, they received the reply: "We currently have no evidence that Heroku customers' secrets stored in config Var were accessed. If we find any evidence of unauthorized access to customer secrets, we will notify affected customers without undue delay.""
2. 2. Lnkbomb- Exploit Insecure File Shares
   Interesting (https://github.com/dievus/lnkbomb) - "Lnkbomb is used for uploading malicious shortcut files to insecure file shares. The vulnerability exists due to Windows looking for an icon file to associate with the shortcut file. This icon file can be directed to a penetration tester's machine running Responder or smbserver to gather NTLMv1 or NTLMv2 hashes (depending on configuration of the victim host machine)."
3. 3. What Stars Wars Teaches Us About Threats
   Looking forward to this one: "That's why I'm really excited to go in depth and take these lessons to the next level with my next book, Threats: What Every Engineer Should Learn from Star Wars, coming this fall. For all the fun, we need engineers to know what threats to consider, and what they mean. If we want people to build more secure systems ... it's our only hope!"
4. 4. KrbRelayUp
5. 5. Russia Is Being Hacked at an Unprecedented Scale
6. 6. DJI insisted drone-tracking AeroScope signals were encrypted — now it admits they aren’t
7. 7. Spanish prime minister’s phone ‘targeted with Pegasus spyware’
   "The Spanish government has said the mobile phones of the prime minister, Pedro Sánchez, and the defence minister, Margarita Robles, were both infected last year with the Pegasus spyware that its manufacturers claim is available only to state agencies."
8. 8. Embed Python scripts in HTML with PyScript
   "The new PyScript project lets you embed Python programs directly in HTML pages and execute them within the browser without any server-based requirements." - This is really cool, we'll see if it catches on though and what the security fallout may be.
9. 9. Compromising Read-Only Containers with Fileless Malware – Sysdig
   This is neat, I have to read up on it: "More recently, Spanish researcher arget13 shared DDexec, their take on code injection, via the commonly available Linux LOLBin (installed by default as part of GNU coreutils) dd" Then they use /dev/shm to create an in-memory filesystem, so the attack works like this: "Deployed our Redis exploit, Written our script and shellcode to two temporary files, Used bash to execute our script, giving the shellcode as input, Evaded multiple defenses and detections (MITRE T1211) – the process listing (ps) and the read-only filesystem" - Neat!
10. 10. Critical flaws in ‘millions of Aruba, Avaya switches’
    Not much in the way of details, however, it looks like there is a captive portal breakdown and a VLAN breakout that is possible using the five vulnerabilities disclosed by Armis being dubbed TLStorm 2.0.
11. 11. Unpatched DNS Related Vulnerability Affects a Wide Range of IoT Devices
    "The vulnerability in uClibc and uClibc-ng is the result of having a predictable transaction ID assigned to each DNS lookup and their static use of source port 53, effectively defeating source port randomization protections." Well yeah: "This vulnerability remains unpatched, however we are working with the maintainer of the library and the broader community in support of finding a solution. Because this vulnerability remains unpatched, for the safety of the community we cannot disclose the specific devices we tested on. We can, however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure." - And basically an uninitialized variable, leading to the transaction ID always being incremented by 1.
12. 12. The Gmail SMTP Relay Service Exploit
13. 13. Every ISP in the US has been ordered to block three pirate streaming services
    Like how? Talk about a game of Whack-A-Mole. More info here: https://torrentfreak.com/us-court-orders-every-isp-in-the-united-states-to-block-illegal-streaming-sites-220502/
14. 14. Kellogg Community College closes after ransomware attack
    "While the investigation continues, the college says all classes will be canceled until the school can safely reopen, hopefully later this week. In addition to canceling classes, the school says that all students, faculty and staff will be forced to reset their passwords." The statement reads: “We want to reassure our faculty and students that we will take any actions necessary for students to complete course work in a timely manner and appreciate your patience and support in the meantime,” - Except classes are currently cancelled and everyone has to reset their password.
15. 15. Pentagon finds hundreds of cyber vulnerabilities among contractors
    Did they expect to find less vulnerabilities? "“[The program] has long since recognized the benefits of utilizing crowdsourced ethical hackers to add defense-in-depth protection to the DoD Information Networks,” Melissa Vice, interim director of the vulnerability disclosure program, said in a statement. Vice added that the pilot was intended to identify whether similar critical and high-severity vulnerabilities existed for small-to-medium-cleared and non-cleared defense-industrial base companies with potential risks for critical infrastructure and the U.S. supply chain."
16. 16. Botnet that hid for 18 months boasted some of the coolest tradecraft ever
    "The threat actor evaded detection by operating from devices in the victim environment’s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes. These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in. The threat actor’s use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools,"
17. 17. PyScript brings Python into the browser, more easily than ever
    https://flip.it/K6aPNn

Doug White

Professor at Roger Williams University

https://securedigitallife.com/

Josh Marpet

Executive Director at RM-ISAO

Larry Pesce

Product Security Research and Analysis Director at Finite State

https://www.finitestate.io/

1. 1. David Walden, Computer Scientist at Dawn of Internet, Dies at 79
2. 2. QR code, app enabled elevator
3. 3. CDC Tracked Millions of Phones to See If Americans Followed COVID Lockdown Orders
4. 4. Wyandotte County cyber attack went on for three days before being reported; officials not ‘laying out’ seriousness of it – The Heartlander
5. 5. RFC 9116: A File Format to Aid in Security Vulnerability Disclosure
6. 6. Cyber War Against Russia: Anonymous hacked 1.23 million emails from Elektrocentromontazh which is the primary power organization in Russia
7. 7. Anonymous hacks into Russian energy companies, exposing over 1 million emails