PSW #768 – Robert Martin
Full Audio
View Show IndexSegments
1. Software Supply Chain Security & MITRE’s System of Trust – Robert Martin – PSW #768
This session explores software supply chain security and the details of System of Trust, a community effort to develop and validate a process for integrating evidence of the organizational, technical, and transactional trustworthiness of supply chain elements for decision makers dealing with supply chain security. This framework is defining, aligning, and addressing the specific concerns and risks that stand in the way of organizations’ trusting suppliers, supplies, and service offerings. More importantly, the framework offers a comprehensive, consistent, and repeatable methodology – for evaluating suppliers, supplies, and service offerings alike – that is based on decades of supply chain security experience, deep insights into the complex challenges facing the procurement and operations communities, and broad knowledge of the relevant standards and community best practices.
Segment Resources: - https://sot.mitre.org/overview/about.html - https://shiftleft.grammatech.com/automating-supply-chain-integrity - https://www.reversinglabs.com/conversinglabs/robertmartinmitresoftwaresupplychainsystemoftrust - https://www.mitre.org/sites/default/files/2022-11/PR-22-01488-20-cybersecurity-benefits-of-sbom-september-2022.pdf - https://www.mitre.org/sites/default/files/2021-11/prs-21-0278-deliver-uncompromised-securing-critical-software-supply-chain.pdf
Announcements
Dive deeper into the world of cybersecurity with Security Weekly on Instagram! Follow us @SecWeekly to find exclusive clips, hilarious memes, behind-the-scenes sneak peeks, and more! Stay connected, stay informed, and join our growing community!
Guest
Robert Martin, a Senior Principal Software and Supply Chain Assurance Engineer at the MITRE Corporation, has dedicated his career to solving some of the world’s most difficult problems in systems and software engineering. His work focuses on the interplay of risk management, cyber security, and quality assessment and assurance. For 23 years, Robert has applied his expertise to international cybersecurity initiatives such as CVE, CAPEC, and CWE, which host large active vendor and research communities, and is now working on standardizing the Software Bill of Materials (SBoM) and the supply chain security System of Trust™.
Robert is frequently invited to speak on security and quality issues pertaining to software-based technology systems and the work of the IIC and has published numerous articles and presentation. He also contributed to or authored over 60 standards within ITU-T, ETSI, OMG, The Open Group, UL, and ISO, including the new ISO/IEC 5055 code quality measurement standard. Prior to joining MITRE, Robert designed and installed manufacturing control systems in Area 2 of Kodak Park and performed software integration and porting projects for both RPI and General Electric. Robert holds degrees in electrical engineering from RPI and an MBA from Babson.
Hosts
2. Roblox Prison, 3DS RCE, Puckungfu, Google Home Wiretaps, & Lastpass Hack – PSW #768
In the Security News: The Roblox prison yard, password manager problems, PyTorch gets torched with a supply chain attack, Oppenheimer cleared, Puckungfu, spice up your persistence with PHP, turning Google home into a wiretap device, Nintendo 3DS remote code execution, Linux kernel remove code execution, steaking cards in 2022 - The API way, and there is no software supply chain... and more!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Hosts
- 1. Inside Roblox’s Criminal Underworld, Where Kids Are Scamming Kids – IGN
Crazy insights: "Roblox, to reiterate, is one of the largest sources of children's entertainment in the world. Forty-three million players log into it everyday, and countless kids rely on the servers to keep them connected with their friends during the dog days of the pandemic. So it's strange to hear a parent compare the game to a prison yard. After talking to the flippers, gamblers, and hustlers of the Roblox underworld, I do wonder if Roblox Corporation understands the responsibility that comes when your player base is composed of innocents."
- 2. Password Managers. (From Tavis Ormandy)
Very interesting: "If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions. I use Chrome, but the other major browsers like Edge or Firefox are fine too. They can isolate their trusted UI from websites, they don’t break the sandbox security model, they have world-class security teams, and they couldn’t be easier to use. No doubt there will be many people reading this who don’t like this advice. All I can say is I’ve heard all the arguments, and stand by my conclusions." - Should we ditch all the fancy password managers and just use the one built into Chrome?
- 3. PyTorch compromised to demonstrate dependency confusion attack on Python environments
I feel like this is a solvable problem. - "At around 4:40pm GMT on December 30 (Friday), we learned about a malicious dependency package (torchtriton) that was uploaded to the Python Package Index (PyPI) code repository with the same package name as the one we ship on the PyTorch nightly package index. Since the PyPI index takes precedence, this malicious package was being installed instead of the version from our official repository. This design enables somebody to register a package by the same name as one that exists in a third party index, and pip will install their version by default."
- 4. J. Robert Oppenheimer cleared of “black mark” against his name after 68 years
"Nearly 70 years after having his security clearance revoked by the Atomic Energy Commission (AEC) due to suspicion of being a Soviet spy, Manhattan Project physicist J. Robert Oppenheimer has finally received some form of justice just in time for Christmas, according to a December 16 article in the New York Times. US Secretary of Energy Jennifer M. Granholm released a statement nullifying the controversial decision that badly tarnished the late physicist's reputation, declaring it to be the result of a "flawed process" that violated the AEC's own regulations."
- 5. Puckungfu: A NETGEAR WAN Command Injection
It looks like the automated update process has a command injection vulnerability, the irony is not lost here. Also, this was interesting: "We initially did this research to use it for Pwn2Own 2022 Toronto but Netgear released firmware version 1.0.9.90 one day prior to the competition and therefore this vulnerability was no longer eligible. However, we managed to find an alternative Netgear WAN vulnerability after the patch in time as seen on Twitter."
- 6. Spice up your persistence: loading PHP extensions from memory
There is a lot of reading to do on this one: "Using backdoored plugins/addins/extensions as persistence method is one of my favorite techniques to keep a door open after compromising a web server (indeed I wrote about this topic in multiple times in last years: Backdoors in XAMPP stack (part I): PHP extensions, Backdoors in XAMP stack (part II): UDF in MySQL, Backdoors in XAMP stack (part III): Apache Modules and Improving PHP extensions as a persistence method. Today’s article is a direct continuation of the PHP extensions saga, serving as the end of the trilogy. It is therefore MANDATORY to read the two previous articles"
- 7. Turning Google smart speakers into wiretaps for $100k
Great post, amazing research, boils down this: "Putting it all together, I had a Python script that takes your Google credentials and an IP address as input and uses them to link your account to the Google Home device at the provided IP." And this: "Rather than making a local API request to control the device, you instead make a local API request to retrieve innocuous-looking device info, and use that info along with cloud APIs to control the device."
- 8. ENLBufferPwn (CVE-2022-47949)
"ENLBufferPwn is a vulnerability in the common network code of several first party Nintendo games since the Nintendo 3DS that allows an attacker to execute code remotely in the victim's console by just having an online game with them (remote code execution). It was dicovered by multiple people independently during 2021 and reported to Nintendo during 2021 and 2022. Since the initial report, Nintendo has patched the vulnerability in many vulnerable games." Classic: "The ENLBufferPwn vulnerability exploits a buffer overflow in the C++ class NetworkBuffer present in the network library enl (Net in Mario Kart 7) used by many first party Nintendo games. This class contains two methods Add and Set which fill a network buffer with data coming from other players. However, none of those methods check that the input data actually fits in the network buffer. "
- 9. Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
Lots of hacking, lots of vulnerabilities!
- 10. There is no secure software supply-chain.
This is the nuclear option: "In the end, the maintainers of the Gorilla framework did the right thing: they decommissioned a widely used project that was at risk of rotting from the inside out. And instead of let it live in disarray or potentially fall into the hands of bad actors, it is simply gone. Its link on the chain of software has been purposefully broken to force anyone using it to choose a better, and hopefully, more secure option."
- 11. Linux Kernel ksmbd Use-After-Free Remote Code Execution Vulnerability
"The SMB2 TREE DISCONNECT command processing is where the specific flaw is found. The problem arises from failing to validate an object’s existence before performing operations. Using this flaw, an attacker might run code within the kernel." - Ref: All You Need to Know About the Linux Kernel ksmbd Remote Code Execution (ZDI-22-1690) Vulnerability
- 12. LastPass users: Your info and password vault data are now in hackers’ hands
General advice: Move away from LastPass...
- 13. Fedora 38 Plots Path To Unified Kernel Support – Phoronix
We talked about this in a previous episode, Fedora is making it happen, neat!
- 14. Vulnerability Prioritisation – PwnDefend
- 15. NETGEAR Router Network Misconfiguration
- 16. Antivirus and EDR solutions tricked into acting as data wipers
Hence, by implementing the following five-step process, Yair could delete files in a directory he didn't have modification privileges.
Create a special path with the malicious file at C:tempWindowsSystem32driversndis.sys Hold its handle and force the EDR or AV to postpone the deletion until after the next reboot Delete the C:temp directory Create a junction C:temp → C: Reboot when prompted.
- 17. Are home video surveillance systems safe?
"Moore’s video gives a detailed demonstration of the problem, which he detected quite easily. Having installed a Eufy video doorbell, Paul logged in to the device’s web interface, where he analyzed the source code in the browser and showed that the camera sends a picture to the vendor’s server every time someone appears in the frame. This means that at least one of Eufy’s guarantees (“no clouds”) isn’t true."
- 1. Southwest Airlines flight cancellations continue to snowball
US Transportation Secretary Pete Buttigieg says his agency will investigate what caused the unusually large number of flight cancellations over the holiday weekend. The company’s pilot and flight attendant unions said that Southwest ignored the need to upgrade its outdated computer systems, which contributed to the airline’s troubles in the face of winter storms.
Southwest has historically under staffed IT positions and not kept IT systems current. Will this change?
- 2. Linux Kernel 5.15 Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable. The bug affects the in-kernel SMB server designed to augment Samba, on systems running the Linux 5.15 kernel, such as Ubuntu 22.04.
- 3. New York governor signs modified right-to-repair bill at the last minute
New York state governor Kathy Hochul has signed the Digital Fair Repair Act into law , months after it had passed both chambers of the state's legislature. The law will require companies to provide the same diagnostic tools, repair manuals, and parts to the public that they provide to their own repair technicians.
The bill as signed contains even more conditions and exceptions, ostensibly added to address the governor's concerns about "technical issues that could put safety and security at risk, as well as heighten the risk of injury from physical repair projects."
- 4. PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild
A critical arbitrary file upload vulnerability in the YITH WooCommerce Gift Cards Premium WordPress plug-in is being actively exploited. The exploit leverages a flaw in the importactionsfromsettingsfrompanel which runs admininit hook meaning the flaw is running as admin, without authentication, so you can pretty much impact anything in the /wp-admin/ directory. The function was lacking a CSRF and capacity/type check.
- 5. New Linux malware uses 30 plugin exploits to backdoor WordPress sites
There are two exploits, the first: Linux.BackDoor.WordPressExploit.1 has remote C&C, targets 32 bit Linux, but will run on 64 bit variants as well; the second: Linux.BackDoor.WordPressExploit.2 appears to be an updated version, with different C&C servers, and has exploits for additional plugins. The Doctor Web blog lists the plugins each targets and has links to IOCs you can ingest. https://news.drweb.com/show/?i=14646&lng=en&c=23
- 6. CISA Says Two Old JasperReports Vulnerabilities Exploited in Attacks
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two JasperReports flaws to its Known Exploited Vulnerabilities Catalog. CVE-2018-5430 and CVE-2018-18809 have patches from TIBCO, also released in 2018.
- 7. Ransomware gang apologizes, gives SickKids hospital free decryptor
The LockBit ransomware gang has released a free decryptor for the Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking a hospital. The attack violated LockBit's code of ethics, and they removed the affiliate who executed the attack from their network. But they still took long enough to release the decryptor that the hospital was able to restore over 50% of systems to operational status.
- 8. Okta GitHub Repositories Breached
Okta Workforce Identity Cloud service source code stolen. The question: do you believe Okta claim that they are not dependent on the source code for service?