PSW #760 – Michael Meis, Christopher Crowley
1. EDR, Driver Signing, SBOMS – Do They Work? – PSW #760
This week in the Security News: A Security Maturity Model for Hardware Development, Palo Alto Networks fixed a high-severity auth bypass flaw in PAN-OS, New UEFI rootkit Black Lotus offered for sale at $5,000, What are SBOMS, & Critical Remote Code Execution issue impacts popular post-exploitation toolkit Cobalt Strike
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
- 1. Researchers find 633% increase in cyber-attacks aimed at open source repositories
- 2. AMD, Google, Microsoft & NVIDIA Announce “Caliptra” Open-Source Root of Trust – Phoronix
- 3. Toner Deaf – Printing your next persistence (Hexacon 2022)
- 4. Critical Remote Code Execution issue impacts popular post-exploitation toolkit Cobalt Strike
This is a supply chain issue. Let me clarify: this is a Log4j-style supply chain issue. That makes it a vulnerability management issue, but in software that is used by other software, which then ends up in the software that you (or an attacker) are running. It is interesting how this could be leveraged to attack the attackers (that's a separate issue). The fix is to apply the patch from the vendor who in turn applied the upstream patch, like patching squared.
- 5. Introducing Our 8th Annual State of the Software Supply Chain Report
- 6. A software bill of materials (SBOM): What it is — and why it matters for software supply chain security
"SBOMs are often compared to the infamous black and white nutrition label most Americans are used to, in which all of the food items' ingredients and daily value percentages are listed." - Except they are nothing like this. Food ingredients don't change: once you make a food product from a recipe, it has the same profile once it ships (unless ingredients were tampered with or altered, which is a different threat). When it comes to software or firmware, the recipe changes with each update. Also, an ingredient can be safe one day and a completely toxic ingredient the next, because someone found a vulnerability. SBOMs are only useful if you can update them. The value in an SBOM is also in what you do with it. Using it only to be reactive is not as useful as being proactive: looking at trends, such as the most and least frequently used components across your inventory, can help identify threats well in advance of an attack.
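An added example of the proactive use described above (not code from the show or its guests): a few constructed, minimal CycloneDX-style SBOMs are counted for component frequency and re-checked against a vulnerability feed, so the same inventory can be re-evaluated the day a component turns "toxic". The application names and the feed are constructed; the CVE-2022-42889 entry is the Apache Commons Text issue linked in these notes, with its published affected range.

```python
import re
from collections import Counter

# Constructed sample: three minimal CycloneDX-style SBOMs, one per application,
# reduced to the component fields this analysis needs (name and version).
SBOMS = {
    "billing-api": {"components": [
        {"name": "commons-text", "version": "1.9"},
        {"name": "jackson-databind", "version": "2.13.4"},
    ]},
    "report-gen": {"components": [
        {"name": "commons-text", "version": "1.10.0"},
        {"name": "jackson-databind", "version": "2.13.4"},
    ]},
    "legacy-portal": {"components": [
        {"name": "commons-text", "version": "1.6"},
        {"name": "struts2-core", "version": "2.5.30"},
    ]},
}

# Constructed vulnerability feed. CVE-2022-42889 affects Apache Commons Text
# 1.5 through 1.9 (fixed in 1.10.0). Swapping in an updated feed and re-running
# is what keeps a stored SBOM useful after a component becomes vulnerable.
VULN_FEED = [
    {"id": "CVE-2022-42889", "name": "commons-text", "min": "1.5", "max": "1.9"},
]

def parse_version(v):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def component_frequency(sboms):
    """Count in how many applications each component name appears (trend input)."""
    counts = Counter()
    for sbom in sboms.values():
        counts.update({c["name"] for c in sbom["components"]})
    return counts

def affected_apps(sboms, feed):
    """Map each vulnerability id to the applications shipping an affected version."""
    hits = {}
    for vuln in feed:
        lo, hi = parse_version(vuln["min"]), parse_version(vuln["max"])
        for app, sbom in sboms.items():
            for c in sbom["components"]:
                if c["name"] == vuln["name"] and lo <= parse_version(c["version"]) <= hi:
                    hits.setdefault(vuln["id"], []).append(app)
    return hits
```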
- 7. CVE-2022-42889 Test application
- 8. NVD – CVE-2022-42889
- 9. Banks face their ‘darkest hour’ as crimeware powers up
- 10. In GUID We Trust
- 11. Palo Alto Networks fixed a high-severity auth bypass flaw in PAN-OS
This is a huge problem. An enterprise pays A LOT of money for an enterprise-grade appliance (firewall, VPN, etc.). It comes with a vulnerability that allows an attacker to bypass authentication, which in turn lets the attacker bypass ANY AND ALL security controls the device has to offer, effectively rendering it useless. We deserve better: auth bypass flaws are fairly easy to find and fix before the product ships, and vendors should do that.
- 12. New UEFI rootkit Black Lotus offered for sale at $5,000
"Black Lotus is able to disable security solutions, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender. The rootkit is able to bypass security defenses like UAC and Secure Boot, it is able to load unsigned drivers used to perform a broad range of malicious activities." - Right up until the Secure Boot bypass I was not particularly impressed. If they really have a 0-day against a Windows bootloader, they should be selling it for far more than $5k, which makes me think they don't. Wouldn't it be funny if it were just a re-packaging of this: https://github.com/HackingThings/OneBootloaderToLoadThemAll
- 13. Amazon Out of Control and Inside Your Homes: Every Product a Spy
I think we lack evidence on just how much these devices collect. The toilet is funny: "What it knows: When you flush, or activate a cleansing spray or heated seat. Why that matters: You can't get much more intimate than your bathroom time." Individually none of these details is a big deal, but together they could be problematic. We need tougher legislation that restricts how much data can be collected and, more importantly, whom it is shared with or sold to. I like these devices because they add convenience to my life (and my family's), but don't share my data. Also, is Google any better? I ditched most Amazon devices from my house, I use some Google things, I turn off the assistant on my phone/watch/earbuds, I do have a Ring, and I switched to a non-cloud security camera system (Reolink).
- 14. A Security Maturity Model for Hardware Development
This sounds great, but how do we get developers at the hardware level (microcode and firmware) to care about security? Often the security features are present in the hardware but never implemented by developers because of other pressures, like deadlines.
- 15. conf-presentations/fuzzing_NVIDIA_drivers-tdore.pdf at master · quarkslab/conf-presentations
- 16. Linux Fixes 5 Gaping Holes in Wi-Fi
This is interesting: "Can we please stop running network drivers and network stacks in kernel mode? … It's 2022 and we've got more than enough compute power: … The performance hit for running these in user-land is negligible." There is also talk of Rust coming to save the day. But don't hold your breath: it will be a LONG time before most distros ship a 6.x kernel, and even longer before most drivers are written and tested in Rust.
- 17. FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass Technical Deep Dive (CVE-2022-40684)
Forging a few header values basically gives an attacker full access to the entire web API, allowing them to manage the device. This is bad; you should patch it immediately. It has been added to the CISA KEV catalog, which means attackers are exploiting it in the wild.
2. Shifting to a Victory Mindset – Michael Meis – PSW #760
Michael Meis, associate CISO at the University of Kansas Health System, joins PSW to discuss how the history of warfare has influenced modern-day cybercrime and how cyber leaders can shift to a victory mindset.
This segment is sponsored by Devo.
Visit https://securityweekly.com/devo to learn more about them!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Guest
Michael is an Army veteran with over 13 years’ experience and a passion for architecting security programs, leading people, and developing world-class security teams. During his career, Michael partnered with the USDA CISO to develop one of the largest consolidations of security services in the federal government. Michael also led the H&R Block Information Security team through a transformation of their GRC operations to instill quantitative cyber risk management practices. Michael currently leads The University of Kansas Health System Cybersecurity team as they protect the critical systems, data, and people that provide lifesaving patient care.
The University of Kansas Health System in Kansas City is a world-class academic medical center and destination for complex care and diagnosis. UKHS offers more options for patients with serious conditions because of their in-house expertise and leadership in medical research and education. UKHS physicians are researchers and educators expanding the boundaries of medical knowledge. Their major breakthroughs lead to the life-changing treatments and technologies of the future.
Additionally, Michael regularly donates his time and expertise to inspire the next generation of leaders and cyber professionals. Michael holds an undergraduate degree in Information Technology Service Management, two graduate degrees including an MBA and an M.S. in Cybersecurity and Information Assurance as well as multiple professional certifications.
3. SANS Annual SOC Survey Insights – Christopher Crowley – PSW #760
Chris Crowley, SOC-Class Course Author, SANS Senior Instructor, and Consultant at Montance® LLC, joins PSW to discuss SOC training and development best practices, including insights from the SANS annual SOC survey.
This segment is sponsored by Devo.
Visit https://securityweekly.com/devo to learn more about them!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Guest
Christopher Crowley has more than 20 years of industry experience managing and securing networks; his first job in the field was as an Ultrix and VMS systems administrator at 15 years old. He currently works as an independent consultant in the Washington, DC area focusing on effective computer network defense via Montance® LLC, providing cybersecurity assessment and framework development services that enable clients to create a new SOC or improve existing security operations. He is the course author for SOC-Class, his course on effective cybersecurity operations, and a Senior Instructor at the SANS Institute. He holds a multitude of cyber security industry certifications. He travels globally to teach and present at conferences, and brings this global perspective to efforts such as the SOC Survey, a study of SOCs which he has authored for five years.