PSW #766 – Sinan Eren, Nate Warfield
Segments
1. To The Cloud! (Or Not Yet?) – Sinan Eren – PSW #766
Is there still a network or has it slipped away from us entirely? What about efforts for localization because people do not trust the cloud, its providers or its reliability (ala Twitter vs. the Fediverse?). Do you still need actual hardware firewalls? What about VPNs? How long will these devices still be around as everyone goes to the cloud and SDWAN technologies? And what about identity? If you can nail identity, doesn't that set you up to be a cloud-first organization? Join us for a discussion with Sinan and the security weekly hosts as we tackle these questions!
This segment is sponsored by Barracuda.
Visit https://securityweekly.com/barracuda to learn more about them!
Announcements
Security Weekly listeners, we need to hear your voices! Leave us your feedback on Apple podcasts & submit a screenshot to our giveaway form for a chance to win a $100 gift card from Hacker Warehouse! This giveaway will be open until the end of the year. We appreciate your honest feedback so we can continue to make great content for our audience! Visit securityweekly.com/giveaway to enter!
Guest
Sinan is a veteran in the cybersecurity space and serves as VP of Zero Trust at Barracuda. Sinan is passionate about helping companies with an increasingly distributed workforce mitigate breach risk by enabling secure access to critical enterprise resources for their outsourcers, partners, contractors and telework employees.
2. Severe BMC Vulnerabilities – Nate Warfield – PSW #766
Eclypsium's research team has discovered 3 vulnerabilities in BMCs. Nate Warfield comes on the show to tell the full story! This has garnered much attention in the press:
- Original research post: https://eclypsium.com/2022/12/05/supply-chain-vulnerabilities-put-server-ecosystem-at-risk/
- https://www.securityweek.com/security-flaws-ami-bmc-can-expose-many-data-centers-clouds-attacks
- https://thehackernews.com/2022/12/new-bmc-supply-chain-vulnerabilities.html
- https://therecord.media/three-vulnerabilities-found-in-popular-baseboard-software/
- https://www.bleepingcomputer.com/news/security/severe-ami-megarac-flaws-impact-servers-from-amd-arm-hpe-dell-others/
- https://duo.com/decipher/trio-of-megarac-bmc-flaws-could-have-long-range-effects
- https://www.csoonline.com/article/3682137/flaws-in-megarac-baseband-management-firmware-impact-many-server-brands.html
Announcements
Stay up-to-date with us on X (formerly known as Twitter) for the latest show clips and updates! Find us @SecWeekly and stay connected with our cybersecurity community.
Guest
Nate has 20 years of experience in network security and engineering, including designing networks for Microsoft and other Fortune 100 companies. During his career at Microsoft he transitioned to security research and vulnerability management, managing researcher engagement & patch delivery for high profile Windows vulnerabilities. A prolific conference speaker, he has presented his research on systemic flaws in cloud and network security at numerous security conferences worldwide. In 2020, he was named one of WIRED magazine’s WIRED25 for starting a volunteer group providing threat intelligence to hospitals & healthcare organizations during the COVID-19 pandemic.
3. Ping of Death, 500 Year Old Ciphers, Pwn The Dev, & Chatbot’s Order 66 – PSW #766
In the Security News: ping of death returns, remembering when the Internet disconnected if your Mom picked up the phone, a 500-year-old cipher is cracked, VLC is always up-to-date, SIM swapper goes to prison, Rust is more secure but your supply chain is not, if you pwn the developer you win, you have too many security tools, Chrome zero days are not news, Log4Shell what changed?, Hive social again, ChatGPT, there's a vulnerability in your SDK, and it takes 3 exploits to pwn Linux. All that, and more, on this episode of Paul’s Security Weekly!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
- 1. Ping of death! FreeBSD fixes crashtastic bug in network tool
See the original advisory here: https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc. From the article: "[t]he ping process runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrained in how it can interact with the rest of the system at the point where the bug can occur." Also, keep in mind I believe this happens on a reply, so someone would have to inject a malicious reply or hope that you ping a malicious server.
- 2. Nvidia patches 29 GPU driver bugs
- 3. My secret life as an 11-year-old BBS sysop
If you remember this, it's time to book a colonoscopy: "Online time was precious back then. Since most BBSes only had one phone line, you didn't want to hog the line for too long or the sysop might boot you. And there was extra jeopardy involved. Since we were using our regular house telephone line to connect, the odds that my mom would pick up and try to dial out—thus ruining the transfer process—remained very high." Oh, and this article on how to connect to it has me interested, something I want to try for sure: https://www.howtogeek.com/686600/remember-bbses-heres-how-you-can-visit-one-today/
- 4. It took nearly 500 years for researchers to crack Charles V’s secret code
Interesting story; it turns out they found a letter that had been transcribed and served as the key to unlocking the code. Also, this: "And a few symbols didn't seem to serve any function at all. 'Simply putting it into a computer and telling the computer to work it out would have literally taken longer than the history of the universe.'"
- 5. VLC’s Check For Updates: No Updates?
This is another area I don't trust, software update processes. Here is a good example, the latest version of VLC fixes a security flaw. VLC's servers reported that an older version was the latest; therefore, clients would not update. My imagination runs wild; what if this were put there on purpose? And if I did it on purpose, I would tell you there was an update, except I would continue to install the older and vulnerable version of the software. How about that for a supply chain attack? The Synacktiv team has a write-up of the vulnerability here: VLC : Integer overflow in vnc module <= 3.0.18 CVE-2022-41325
- 6. Law enforcement agencies can extract data from thousands of cars’ infotainment systems
- 7. A new Linux flaw can be chained with other two bugs to gain full root privileges
- 8. https://www.securityweek.com/sim-swapper-who-stole-20-million-sentenced-prison
I remember listening to the "Dirty Coms" Darknet Diaries episode (https://darknetdiaries.com/episode/112/) and really being impressed how attackers were profiting from these coordinated attacks. Why all the effort? Well, Nicholas Truglia was convicted of stealing $20 million in cryptocurrency. Diving into how cyber criminals make money is really interesting, and reminds me of why law enforcement is famous for just following the money. The Hacked podcast just ran an episode that details how a Microsoft employee figured out how to "print" gift cards. He also got caught. Is it greed? Is it something like a drug, the more you steal the better the "high"? Then I think about all the ones that got away with it because they are not being greedy and are flying under the radar.
- 9. Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable
We should use Rust because it's more memory-safe. While true, it does not mean there will not be a supply chain attack, in this case against Rust, that stems from GitHub Actions: "The “download artifacts” API (and various custom actions encapsulating it) doesn’t differentiate between artifacts that were uploaded by forked repositories and base repositories, which could lead privileged workflows to download artifacts that were created by forked repositories and that are potentially poisoned. To put it simply: in a vulnerable workflow, any GitHub user can create a fork that builds an artifact. Then inject this artifact into the original repository build process and modify its output. This is another form of a software supply chain attack, where the build output is modified by an attacker."
- 10. Aqua Nautilus Discovers Redigo — New Redis Backdoor Malware
Interesting vulnerability: an attacker accesses the Redis server and tells it to replicate from an attacker-controlled server that holds a backdoored shared object; the servers replicate, the target server executes the shared object, and then replication is terminated. The malware is interesting too, being described as: "Our investigation revealed new undetected malware written in Golang designed to target Redis servers to allow the attacking server to dominate the compromised machine."
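An added defender-side example, not code from the Aqua Nautilus write-up and not Redigo itself: a small Python scanner over constructed, redis-server-style log lines that flags the replicate, load, disconnect sequence the item above describes. The known-master allowlist and the trusted module directory are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample, loosely modelled on redis-server log lines; not a real capture.
SAMPLE_LOG = """\
1234:M 05 Dec 2022 10:00:00.000 * Ready to accept connections
1234:S 05 Dec 2022 10:00:01.000 * Connecting to MASTER 203.0.113.5:6379
1234:S 05 Dec 2022 10:00:01.500 * MASTER <-> REPLICA sync started
1234:S 05 Dec 2022 10:00:02.000 * Module 'system' loaded from /tmp/exp.so
1234:M 05 Dec 2022 10:00:03.000 # Connection with master lost.
1234:M 05 Dec 2022 10:00:04.000 * MASTER MODE enabled (user request from 'id=7 addr=203.0.113.5:4444')
"""

# Assumptions for this example: the operator knows the only legitimate master,
# and modules are only ever loaded from one root-owned directory.
KNOWN_MASTERS = {"10.0.0.2"}
TRUSTED_MODULE_DIR = "/opt/redis/modules/"

MASTER_RE = re.compile(r"Connecting to MASTER (?P<host>[^:\s]+):(?P<port>\d+)")
MODULE_RE = re.compile(r"Module '(?P<name>[^']+)' loaded from (?P<path>\S+)")


@dataclass
class Finding:
    line_no: int
    reason: str


def scan_redis_log(text: str) -> list:
    """Flag: pointed at an unknown master, then a module loaded from an
    untrusted path, then replication torn down again."""
    findings, unexpected_master = [], None
    for n, line in enumerate(text.splitlines(), 1):
        m = MASTER_RE.search(line)
        if m:
            if m["host"] not in KNOWN_MASTERS:
                unexpected_master = m["host"]
                findings.append(Finding(n, f"replication from unknown master {m['host']}:{m['port']}"))
            continue
        m = MODULE_RE.search(line)
        if m:
            if not m["path"].startswith(TRUSTED_MODULE_DIR):
                reason = f"module {m['name']!r} loaded from untrusted path {m['path']}"
                if unexpected_master:
                    reason += f" after syncing from {unexpected_master}"
                findings.append(Finding(n, reason))
            continue
        if "MASTER MODE enabled" in line and unexpected_master:
            findings.append(Finding(n, f"replication to {unexpected_master} ended: cleanup step"))
            unexpected_master = None
    return findings
```

The same three events are what a Redis hardening baseline tries to prevent in the first place (authentication, protected mode, and renaming or disabling the replication and module-loading commands where they are not needed).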
- 11. Visual Studio Code: Remote Code Execution
So you compromise the editor of the programmer who is writing the compiler that compiles the compiler to install a backdoor?
- 12. oss-sec: Race condition in snap-confine’s must_mkdir_and_open_with_perms() (CVE-2022-3328)
This was really great work by the Qualys team; they combined some previous research (with multipathd) with this: "snap-confine created the temporary directory /tmp/snap.$SNAP_NAME or reused it if it already existed, even if it did not belong to root; a local attacker could race against snap-confine, retain control over /tmp/snap.$SNAP_NAME, and eventually obtain full root privileges."
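As an added example, not snap-confine's own code: the create-or-reuse check that the quoted bug calls for, in Python. It creates the directory if absent and otherwise validates the object it actually opened (via the fd, with O_NOFOLLOW and O_DIRECTORY) as a real directory with the expected owner and mode, instead of trusting whatever sits at the name; `owner_uid` is a parameter so the check can be exercised without root.

```python
import os
import stat
import tempfile


def open_private_dir(path: str, owner_uid: int, mode: int = 0o700) -> int:
    """Create `path` if needed and return a directory fd for it, refusing to reuse
    anything that is not a real directory owned by `owner_uid` with exactly `mode`."""
    try:
        os.mkdir(path, mode)  # 0o700 survives any umask, so no fchmod is needed
    except FileExistsError:
        pass  # something is already there; decide on the fd below, never on the name
    # O_NOFOLLOW: a symlink planted at `path` fails instead of being followed.
    # O_DIRECTORY: a regular file planted at `path` fails too.
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)  # inspect the object we hold, not the path a second time
        if st.st_uid != owner_uid:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
        if stat.S_IMODE(st.st_mode) != mode:
            raise PermissionError(f"{path}: mode {stat.S_IMODE(st.st_mode):o}, expected {mode:o}")
    except BaseException:
        os.close(fd)
        raise
    return fd


def demo() -> dict:
    """Exercise the check in a scratch directory (constructed cases; a directory
    owned by another uid cannot be staged without root, so it is not shown)."""
    base, me, out = tempfile.mkdtemp(), os.getuid(), {}
    path = os.path.join(base, "snap.example")
    os.close(open_private_dir(path, me))
    out["fresh"] = "ok"
    os.close(open_private_dir(path, me))  # safe reuse of our own directory
    out["reused"] = "ok"
    os.chmod(path, 0o755)  # pre-existing directory with the wrong mode
    try:
        os.close(open_private_dir(path, me))
        out["wrong_mode"] = "accepted"
    except PermissionError:
        out["wrong_mode"] = "refused"
    link = os.path.join(base, "snap.link")
    os.symlink(base, link)  # a symlink sitting at the expected name
    try:
        os.close(open_private_dir(link, me))
        out["symlink"] = "accepted"
    except OSError:  # ELOOP from O_NOFOLLOW
        out["symlink"] = "refused"
    return out
```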
- 13. Xiongmai IoT Exploitation – Blog – VulnCheck
- 14. Samsung, LG, Mediatek certificates compromised to sign Android malware
- 15. A Security Tools Crash Is Coming
Wow, the examples: "I know one security team that hired three people to chase down alerts from a CASB about open S3 buckets. Those buckets almost always contained nothing of value and were usually empty. I know another security team that recently showed us their Wiz instance and it had 884 alerts for Log4J issues. Despite the potential for that vulnerability to do serious damage, they just ignored it. They decided that the alerts were more expensive to triage than the potential risk to the" Okay, yeah, I'm sold on this point in the article: "If you want to sell to a security team, then you have to reduce the amount of tools they have (the best option), or replace existing tools by being a better mousetrap (the next best option). If you are adding a new tool, then good luck because you are going to need it."
- 16. LastPass says it was breached — again
- 17. Warning: do not use Hive Social
I could not find the original article or episode where I think we talked about this. Is it the same one we covered a few weeks ago? Certainly sounds like it: "Of course, we were interested and took a look at Hive from a security standpoint. We found a number of critical vulnerabilities, which we confidentially reported to the company. After multiple attempts to contact the company we finally reached them by phone and they acknowledged the report. After multiple days and multiple reminders by us, they claimed to fix them within the next two days. However after those two days, multiple vulnerabilities we reported were not fixed and still existed at the time of writing." The response? They shut down their servers...
- 18. The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend
I believe we've reached a point where this isn't really news. Chrome is going to have vulnerabilities. Google's team will fix them. People will still continue to find them. Then Google will fix them. If you're not updating Chrome daily, you may get pwned. I do, perhaps, see a day where there are some protections against this, whether that's in the OS (sandboxing), outside the OS sandboxing (sorta like Bromium, but there are others), or just straight up exploit prevention running in the app (like Vicarious and some others).
- 19. Log4Shell Anniversary: One Year Later, What Has Changed? – Rezilion
Look, not much has changed here. People still have not patched. Software supply chain security is still a mess. There continue to be supply chain threats that weaken your overall security. One way to combat this is within the SDLC of the upstream provider, and if you are making your own software, within your own SDLC. Third-party software, software that you use but do not write yourself, is still a huge issue...
- 1. ChatGPT: Optimizing Language Models for Dialogue
- 2. Arduino Brings PLC Features To Their IDE
- 3. DEF CON 30 RF Talks: Biohacking, Designing Antennas, Tracking Military Ghost Helicopters and More
- 4. Stalkers’ “chilling” use of AirTags spurs class-action suit against Apple
- 5. Ouch! Ransomware gang says it won’t attack AirAsia again due to the “chaotic organisation” and sloppy security of hacked airline’s network
- 6. Anker’s Eufy lied to us about the security of its security cameras
- 7. Vulnerable SDK components lead to supply chain risks in IoT and OT environments – Microsoft Security Blog
- 1. Hackers linked to Chinese government stole millions in Covid benefits, Secret Service says
The Chengdu-based hacking group known as APT41 stole at least $20 million in U.S. Covid relief benefits. “I’ve never seen them target government money before,” said John Hultquist, the head of intelligence analysis at the cybersecurity firm Mandiant. “That would be an escalation.” 20-40% of pandemic benefits were paid improperly.
- 2. Apple Expands End-to-End Encryption to iCloud Backups
Expanded end-to-end encryption would protect a user’s data even if Apple itself were breached. The company will also soon support the use of physical authentication keys with Apple ID, and is adding contact verification for iMessage in 2023.
- 3. Restaurants hacked, targeting Facebook
The thieves hacked into their Facebook site. Once there, they were able to tap into bank accounts associated with Arnold's Facebook. The thieves bought ads, turning money from bank accounts into Facebook advertising currency to be used in other countries. To ensure Arnold's couldn’t get back into their social media accounts, the hackers posted severely inappropriate material that got Arnold’s account banned for life.
- 4. Grandmother sues cop who wrongly targeted her home using “Find My” app
Colorado police used a "Find My" app as evidence to obtain a search warrant, without disclosing its limitations. They then sent a SWAT team to raid a 77-year-old grandmother, looking for a stolen truck which was not there.