PSW #782 – Kaitlyn Handelman
1. Hack All The Things With Flipper Zero – Kaitlyn Handelman – PSW #782
STM32 boards, soldering, decapping chips, RTOS development, lasers, multiple flippers and for what you ask? So I can be alerted about a device I already know is there. The Flipper Zero attracted the attention of news outlets and hackers alike as people have used it to gain access to restricted resources. Is the Flipper Zero that powerful that it needs to be banned? This is a journey of recursion and not taking “no” for an answer. Kaitlyn Handelman joins the PSW crew to discuss the Flipper Zero and using it to hack all the things.
Flipper resources:
- Changing Boot Screen Image on ThinkPad's UEFI
- A collection of Awesome resources for the Flipper Zero device.
- Flipper Zero Unleashed Firmware - This is what Paul is using currently.
- A maintained collective of different IR files for the Flipper! - Paul uses these as well.
- Alternative Infrared Remote for Flipperzero
Guest
Kaitlyn is an offensive security engineer at Amazon. Her focus is cybersecurity in space. In addition to traditional penetration testing, Kaitlyn works on physical devices and RF signals. In her free time, she enjoys ham radio, astronomy, and her cat, Astrocat.
2. SSD AI/ML, Salsa for your Software, Hacking Smart TVs with IR, & Getting Papercuts – PSW #782
In the Security News: SSDs use AI/ML to prevent ransomware (and more buzzword bingo), zombie servers that just won't die, spectral chickens, side-channel attacks, malware-free cyberattacks!, your secret key should be a secret, hacking smart TVs with IR, getting papercuts, people still have AIX, ghosttokens, build back better SBOMs, Salsa for your software, Intel let Google hack things (and they found vulnerabilities), and false positives on your drug test. All that and more on this episode of Paul’s Security Weekly.
- 1. SSD Uses AI to Protect Your Data From Ransomware Attacks
I believe this could be a good measure to stop ransomware. Thoughts?
- 2. Apple Slices Bitcoin Manifesto Out of Latest macOS Beta
I don't know why this is news, but it's fun to follow.
- 3. The Hidden Cost of Zombie Servers in Data Centers
Feed them some brains? This should be a pretty easy thing to detect, look for low-bandwidth across the servers and a few packets sent/received, low CPU consumption, and turn those bad boys off. Though, it's hard to turn things off, when you do there is a chance someone will complain (sorry Lee, love you man). Do as I say, not as I do, and communicate when turning off servers and services! The benefit is a reduction in attack surface and cost, so it's time well spent.
- 4. Debian Fixes Secure Boot For 64-bit ARM After Being Broken For Two Years – Phoronix
I think this means the version of grub2 on Debian is either not in the DB or in the DBX. It was tough to follow, but it's been fixed in any case.
- 5. Linux Kernel Drama: AMD’s Spectral Chicken – Phoronix
Wow, harsh: "This gets to be the spectral chicken forever more as punishment. Next time AMD can try again, and if they manage to get their act together and publish something before I get to write the code and invent a name for a magical bit, they get to name it how they like." - The former AMD engineer, who is now again an AMD engineer, proposed a change made by an Intel engineer, but gets denied by said Intel engineer and Linux kernel maintainer. And that's how Spectral Chicken will live on forever, or at least for now.
- 6. New Type of Side-Channel Attack Impacts Intel CPUs and Allows Data Leakage
Still unpacking this: "Instead of relying on the cache system like many other side-channel attacks, this new attack leverages a flaw in transient execution that makes it possible to extract secret data from user memory space through timing analysis."
- 7. Malware-Free Cyberattacks Are On the Rise; Here’s How to Detect Them
"When it comes to defending the enterprise, endpoint detection and response (EDR) and other malware detection tools aren't terribly useful against malware-free cyberattacks. There's simply no malicious code to detect."
- 8. CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution
Changing the SECRET_KEY in Flask is important: *"When a user logs in, the web application sends a session cookie that includes a user identifier back to the end user’s browser. The web application signs the cookie with a SECRET_KEY, a value that is supposed to be randomly generated and typically stored in a local configuration file. With every web request, the browser sends the signed session cookie back to the application. The application then validates the signature on the cookie to re-authenticate the user prior to processing the request."*
- 9. HOMESPY: The Invisible Sniffer of Infrared Remote Control of Smart TVs
"Our research re-examines the general belief that clicking an IR remote control is a homely and safe thing to do. We have developed a HOMESPY attack and evaluate its performance using test data of received signal and our offline IR code database. Our studies show that IR signals at home can be easily sniffed by an IoT device sitting in the same room, and attackers can uniquely reproduce the key pressed by the victim and derive sensitive information via semantic extraction techniques. In the era of IoT, many smart devices are connected to the Internet and support IR for compatibility with universal IR controllers. This means the invisible IR vulnerability presented in this paper will continue to cause significant threats to smart home security."
- 10. The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders
- 11. PaperCut CVE-2023-27350 Deep Dive and Indicators of Compromise
Whoops: "This function is normally called throughout the software only after a user has had their password validated through a login flow. However, here in the SetupCompleted flow, the logic accidentally validates the session of the anonymous user. This type of web application vulnerability is called Session Puzzling." - Logic flaws are hard. This isn't they forgot to authenticate the user, it's they authenticated the anonymous user. Another reference here: https://arstechnica.com/information-technology/2023/04/exploit-released-for-9-8-severity-papercut-flaw-already-under-attack/
- 12. Intel Trust Domain Extensions (TDX) Security Review
Google did an audit of Intel TDX; there were vulnerabilities. However, this audit was done before the code was shipped, so it was fixed before it ever landed on any computer. Bravo! Google has a vested interest in this, as do all cloud providers.
- 13. gh-action-pip-audit
"A GitHub Action that uses pip-audit to scan Python dependencies for known vulnerabilities."
- 14. Vulnerability Spotlight: Vulnerabilities in IBM AIX could lead to command injection with elevated privileges
Sounds like it could be a sneaky attack: "The same configurable mechanism by which errdaemon handles events written to /dev/error, could also be used by adversaries to construct a persistence mechanism, with errdaemon being configured to perform malicious activities when an appropriately constructed message is logged by a user." - Also, I wonder just how much AIX is out there? Apparently, not much: https://www.osnews.com/story/135756/in-case-you-thought-aix-had-a-future/
- 15. Ghosttoken – A Zero-Day Bug Let Hackers Create Invisible Google Accounts
Really glad they fixed this, it could have gotten out of control: "By exploiting the GhostToken vulnerability, attackers can hide their malicious application from the victim’s Google account application management page. Since this is the only place Google users can see their applications and revoke their access, the exploit makes the malicious app unremovable from the Google account." - Also, a good reminder to clean up your Google account app permissions.
- 16. Hackers Abuse Outdated Eval PHP WordPress Plugin To Deploy Backdoors
I put a backdoor in your death star, check the thermal exhaust port: "Briefly, the researchers noticed that the threat actors are using the Eval PHP plugin to infect websites with backdoors. For this, they first sneakily install the vulnerable plugin on a target website. This step remains easy given the plugin’s availability on the official WordPress plugin repository."
- 1. mjg59
- 2. Data-leak flaw in Qualcomm, HiSilicon-based Wi-Fi AP chips
- 3. CISA Releases Software Bill of Materials (SBOM) Sharing Lifecycle Report
- 4. QueueJumper: Critical Unauthorized RCE Vulnerability in MSMQ Service
- 5. APT28 Exploits Known Vulnerability To Carry Out Reconnaissance and Deploy Malware on Cisco Routers
- 6. Popular Fitness Apps Leak Location Data Even When Users Set Privacy Zones
- 7. US gov’t stopped Iranian hackers who ‘gained access’ to 2020 election infrastructure
- 8. Google Finds Flaws in Intel TDX After Nine-Month Audit
- 9. Iranian Hackers
- 10. Building a Better SBOM
- 11. Google Cloud Introduces Security AI Workbench for Faster Threat Detection and Analysis
- 12. YD1RUH on Twitter
- 13. Where the SLSA 1.0 Release Shines (and Its Limitations)
- 14. Google’s Open Source Security Upstream Team: One Year Later
- 1. Hackers can breach networks using data on resold corporate routers
ESET security researchers have revealed that various enterprise-level, corporate-grade routers being sold on the secondary market could be used by hackers to breach corporate environments or to steal customer information. According to ESET, it bought 18 used core routers and discovered that the full configuration data was still accessible on more than half the routers that still worked properly.
- 2. MIT and Stanford researchers develop operating systems with one major promise: Resisting ransomware
Imagine an OS which changes from everything is a file to everything is a table. A database which has transaction logs for changes, making roll-back quick and easy, and also logs for forensicating.
- 3. Massive Abuse of Abandoned Eval PHP WordPress Plugin
Hackers are exploiting a vulnerability in an unsupported WordPress plugin to inject malicious PHP code into web pages. Eval PHP has not been updated for a decade, yet researchers noted a sudden surge in Eval PHP downloads over the past months. The attackers are installing the plugin on compromised sites to establish backdoors.
- 4. GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts – Astrix Security
Google has fixed a flaw in its Cloud Platform (GCP) that could be exploited to backdoor accounts using malicious OAuth applications. The issue was reported to Google in June 2022; the fix was released in a patch earlier this month.
- 5. Schneider Electric issues patches for three vulnerabilities in APC UPS units
Three vulnerabilities — two of them critical — were reported last week in the Easy UPS Online Monitoring Software from Schneider Electric’s American Power Conversion (APC).
- 6. 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
Researchers from Mandiant investigating the recently disclosed 3CX supply chain attack say that attack was made possible by an earlier attack against a different supply chain. The earlier attack targeted Trading Technologies’ X-TRADER installer, adding a backdoor. In their blog, Mandiant writes, “The identified software supply chain compromise is the first we are aware of which has led to a cascading software supply chain compromise.”
- 7. X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe
Symantec’s Threat Hunter Team says that the X_Trader supply chain attack that affected 3CX also affected at least four other organizations – two in the energy sector and two in the financial sector. A trojanized version of the X_Trader installer was used to compromise 3CX systems, which allowed that company’s software to become compromised as well.
- 1. WINDOWS SECRETS EXTRACTION: A SUMMARY
After compromising a Windows host and having obtained local administrator privileges, the following type of secrets can be retrieved: Secrets in LSASS process, Secrets in registry such as LSA secrets, and DPAPI (Data Protection API) secrets. This article describes them and lists tools to extract them. The secrets include hashes, cleartext credentials, Kerberos tickets, and more. The tools use memory dumps and known vulnerable kernel drivers.
- 2. Intel Let Google Cloud Hack Its New Secure Chips and Found 10 Bugs
After years of scrambling to remediate the security fallout from design flaws in the processor feature known as “speculative execution,” chipmakers have invested more in advanced security testing. Google Cloud and Intel released results today from a nine-month audit of Intel's new hardware security product: Trust Domain Extensions (TDX). The analysis revealed 10 confirmed vulnerabilities, including two that researchers at both companies flagged as significant. One related to loose ends from a cryptographic integrity feature that had been dropped from the product. The other was in Intel's Authenticated Code Modules, which are cryptographically signed chunks of code that are built to run in the processor at a particular time. The vulnerability involved a small window in which an attacker could have hijacked the mechanism to execute malicious code.
- 3. Intel® Trust Domain Extensions (Intel® TDX)
Intel® Trust Domain Extensions (Intel® TDX) is introducing new, architectural elements to help deploy hardware-isolated, virtual machines (VMs) called trust domains (TDs). Intel TDX is designed to isolate VMs from the virtual-machine manager (VMM)/hypervisor and any other non-TD software on the platform to protect TDs from a broad range of software. These hardware-isolated TDs include: Secure-Arbitration Mode (SEAM), Intel® Total Memory Encryption-Multi Key (Intel TME-MK) engine, and Remote attestation designed to provide evidence of TD executing on a genuine, Intel TDX system and its TCB version.
- 4. Smartphones With Popular Qualcomm Chip Secretly Share Private Information With US Chip-Maker
Qualcomm chipsets are backdoored. "During our security research we found that smart phones with Qualcomm chip secretly send personal data to Qualcomm. This data is sent without user consent, unencrypted, and even when using a Google-free Android distribution. This is possible because the Qualcomm chipset itself sends the data, circumventing any potential Android operating system setting and protection mechanisms."
- 5. Microsoft reportedly working on its own AI chips that may rival Nvidia’s
Microsoft is reportedly working on its own AI chips that can be used to train large language models and avoid a costly reliance on Nvidia. The Information reports that Microsoft has been developing the chips in secret since 2019, and some Microsoft and OpenAI employees already have access to them to test how well they perform for the latest large language models like GPT-4.
- 6. DSA enforcement: Commission launches European Centre for Algorithmic Transparency
The Digital Services Act imposes risk management requirements for companies designated by the European Commission as Very Large Online Platforms and Very Large Online Search Engines. They will have to identify, analyse and mitigate a wide array of risks on their platforms. The risk mitigation plans of designated platforms and search engines will be subject to an independent audit and oversight by the European Commission.
- 7. China building cyber weapons to hijack enemy satellites, says US leak
China is building sophisticated cyber weapons to “seize control” of enemy satellites, rendering them useless for data signals or surveillance during wartime, according to a leaked US intelligence report.
- 8. As Japan’s population drops, one city is turning to ChatGPT to help run the government
Yokosuka City will begin using ChatGPT to help with administrative tasks. Employees could use the chatbot to “summarize sentences, check spelling errors, and create ideas.” With ChatGPT handling rote administrative tasks, “staff can focus on work that can only be done by people, pushing forward an approach that brings happiness for our citizens,” said the news release.
- 9. Stability AI launches StableLM, an open source ChatGPT alternative
Stability AI released a new family of open source AI language models called StableLM.
With refinement, StableLM could be used to build an open source alternative to ChatGPT. StableLM is currently available in alpha form on GitHub in 3 billion and 7 billion parameter model sizes, with 15 billion and 65 billion parameter models to follow. Like other recent "small" LLMs like Meta's LLaMA, Stanford Alpaca, Cerebras-GPT, and Dolly 2.0, StableLM purports to achieve similar performance to OpenAI's benchmark GPT-3 model while using far fewer parameters—7 billion for StableLM versus 175 billion for GPT-3.
- 10. Capturing the Flag with GPT-4
At the BSides SF 2023 CTF, GPT-4 straight up solved some challenges for me. For challenges that GPT-4 didn't solve on its own, it provided incredibly helpful tips, or quickly wrote scripts that would have been tedious or time consuming for me to write myself.
- 11. Let’s take a closer look at these claims of anti-ransomware SSDs
The Cigent Secure SSD+ has an on-board processor that uses machine learning algorithms to constantly monitor disk accesses and will step in to block access if it detects ransomware activity.
- 12. Courts Are Beginning to Prevent the Use of Roadside Drug Tests
Inmates are suing Sirchie Acquisition Co., manufacturer of the NARK II kits, and Premier Biotech, a retailer that sells them, in federal court for negligence. The NIK Public Safety brand field tests used in California’s prisons are unreliable. A judge ruled in 2018 that the test kit “does not meet a scientific admissibility standard.” The tests are small plastic pouches holding vials of chemicals. They’re cheap, roughly $2 apiece, and easy to use. Officers open the pouch and add the substance to be tested. The tests are designed to produce specific colors when mixed with drugs like heroin, cocaine or methamphetamine. But dozens of items, including foods and household cleaners, trigger similar reactions.
- 13. ESA satellite ethical hacking exercise at CYSAT
For the third edition of CYSAT, the European event entirely dedicated to cybersecurity for the space industry, taking place on 26-27 April 2023 at Station F in Paris, the European Space Agency (ESA) set up a satellite test bench to simulate attempts to seize control of OPS-SAT, a nanosatellite operated by the agency for demonstration purposes.
- 14. Timing the Transient Execution: A New Side-Channel Attack on Intel CPUs
In this work, we discover a vulnerability that the change of the EFLAGS register in transient execution may have a side effect on the Jcc (jump on condition code) instruction after it in Intel CPUs. Based on our discovery, we propose a new side-channel attack that leverages the timing of both transient execution and Jcc instructions to deliver data. This attack doesn't rely on the cache system and doesn't need to reset the EFLAGS register manually to its initial state before the attack, which may make it more difficult to detect or mitigate. We implemented this side-channel on machines with Intel Core i7-6700, i7-7700, and i9-10980XE CPUs. In the first two processors, we combined it as the side-channel of the Meltdown attack, which could achieve 100% success leaking rate.