Building AI BOMs – Helen Oakley – PSW #841
Full Audio
View Show IndexSegments
1. Building AI BOMs – Helen Oakley – PSW #841
Larry and Helen walk us through the AI supply chain landscape. Learn what goes into building and using AI models and the dangers that could lurk within.
Segment Resources:
- Community efforts on AIBOM topic: https://github.com/aibom-squad
Guest
Helen Oakley, CISSP, GPCS, GSTRT, is a leading figure in technology and cybersecurity, serving as Director of Secure Software Supply Chain and Secure Development at SAP’s Global Security and Cloud Compliance. She drives security-by-design principles across SAP’s engineering teams and leads AI software supply chain security efforts, including the development of the AI Bill of Materials (AIBOM) and co-leading the CISA SBOM Tiger Team for AIBOM. Recognized among the Top 20 Canadian Women in Cybersecurity, Helen co-founded LeadingCyberLadies.com, a network empowering women in cybersecurity, advises tech startups, and speaks frequently at industry events.
Hosts
2. I want ALL The Firmware – PSW #841
This week: I want all the firmware, its not just TP-Link, CVEs for malware, BLE and your health, faking your own death, serial ports, stealthy Linux malware, call this number, finding all the Wordpress plugin vulnerabilities!
Announcements
To ensure that you don’t lose access to the Security Weekly content you know and love, please make sure that you subscribe to your favorite podcasts feeds on an alternative platform such as Spotify, YouTube Music, Amazon Music, Apple Podcasts, Overcast, Podcast Addict, PocketCasts, or anywhere else you listen to podcasts! Visit securityweekly.com/subscribe to find the buttons to subscribe to each show now!
Hosts
- 1. Intel SGX Security Compromised: Root Provisioning Key Extracted
- 2. Overcoming Challenges in Defensive Cybersecurity Teams with an Offensive Mindset
- 3. CVE Hunting Made Easy
- 4. Back to School – Exploiting a Remote Code Execution Vulnerability in Moodle
- 5. TotalCloud Insights: When Multi-Factor Authentication Turns Into Single-Factor Authentication
- 6. “YOLO” is not a valid hash construction
- 7. How to root an Android device for analysis and vulnerability assessment
- 8. SLUBStick risk assessment for embedded systems
- 9. Vulnerabilities in Homepage Dashboard – Anvil Secure
- 10. Zero Day Initiative — From Pwn2Own Automotive: Taking Over the Autel Maxicharger
- 11. NGate Android malware relays NFC traffic to steal cash
- 12. Kaspersky found multiple memory corruptions in Suricata and FreeRDP
- 13. What the *bleep* is an SBAT and why does everyone suddenly care
MJG does an excellent job of explaining the issues that MS caused when updating the SBAT. Worth a read.
- 14. Your Firmware Has Arrived: A Study of Firmware Update Vulnerabilities
This is a really fun research paper and project. Check this out: "We implemented ChkUp and conducted a comprehensive analysis on 12,000 firmware images. Then, we validated the alerts in 150 firmware images from 33 device families, leading to the discovery of both zero-day and n-day vulnerabilities. Our findings were disclosed responsibly, resulting in the assignment of 25 CVE IDs and one PSV ID at the time of writing." - They created a tool that checks how firmware updates are happening and determines if there are vulnerabilities associated with the update process. Make sure you visit the Github repo as they published scripts for downloading 19TB of firmware images, some charts and graphs on the architecture, and more.
- 15. Moolenaar, Krishnamoorthi Call for Investigation into Chinese Wi-Fi Routers in U.S. Vulnerable to CCP Hacking & Data Harvesting
"TP-Link is a company established in the People’s Republic of China (PRC) and is the world’s largest provider of Wi-Fi products, selling over 160 million products annually to more than 170 countries. TP-Link and its affiliates are also a leading Wi-Fi router provider in the United States. Because TP-Link routers are made in the PRC with Chinese technology, there are concerns that state-sponsored hackers may be able to more easily compromise the routers and infiltrate U.S. systems. Moreover, TP-Link is subject to draconian ‘national security’ laws in the PRC and can be forced to hand over sensitive U.S. information by Chinese intelligence officials. Alarmingly, just last year, security researchers found that PRC cyber military forces used TP-Link routers as part of a hacking campaign that targeted government officials in European countries." - Valid points, however, TP-Link is only part of the picture. There are millions more devices from several other manufacturers that have the same problems outlined above. In fact, most of the components in your PCs, laptops, and servers contain hardware and firmware that comes from China. We need to do a better job at protecting embedded systems and components from impacting the security of our organizations and our nation.
- 16. CVE-2024–45163: Remote DoS Exploit in Mirai Botnet
How often do we issue CVEs for malicious software such as botnets or malware? I think this is pretty awesome as first, it could help defenders take down botnets. It also feels weird because some commercial and open-source software vulnerabilities don't get CVEs, yet here we are issuing them for Mirai. I then wonder what the disclosure policy should be for this, and if there is someone responsible for fixing it. Then again, this is not something we want to get fixed, so why publish a CVE? It begs so many questions on how to handle vulnerabilities in software used by malicious actors. Will they have a bug bounty program?
- 17. GreyNoise Labs – BLUUID: Firewallas, Diabetics, And… Bluetooth
So much to unpack here: "From insulin pumps to firewalls, the best-case scenario of BTLE security and privacy is abysmal. It is imperative that we educate ourselves and strive to do better as an industry. Problems that are introduced in BTLE devices are likely to be permanent and impossible to resolve after the fact. Until that changes, we must do better from the start." - The technical details are awesome, and I haven't digested them yet. There are many aspects to this article that tackle the challenges we face at a high level with the use of Bluetooth technology, specifically in medical devices. We don't test for Bluetooth in the enterprise, and I don't believe this type of testing is included in many standards. This quote speaks volumes: "“The conclusion is: Bluetooth vulnerability assessment is not even a thing. For those of you that work enterprise security, I’m happy to tell you: Don’t worry, there’s nothing you have to do, because there’s nothing you could do even if you wanted to. I hope that makes you feel better.” - Xeno Kovah"
- 18. Man sentenced for hacking state registry to fake his own death
This reminds me of Hackers (1999), however, in this case, the person was convicted, Jesse Kipf, for bad things: "A press release from the U.S. Department of Justice (DoJ) informs that Jesse Kipf used stolen credentials to access the Hawaii Death Registry System to register himself as a deceased person." and that's just the beginning: "Kipf also accessed private corporate networks and government systems using stolen account credentials and then offered to sell access to the networks on darkweb markets." Kipf has been sentenced to 69 months (over 5.5 years) of prison time and will be placed under supervision for three years after release.
- 19. A Journey Into Unexpected Serial Ports
Serial is not always serial: "If you search online these are the two types of serial you’ll see described again and again. You might find the occasional reference to a third type that was popular in the early 1990s. This serial type operates between 0-5V like “TTL serial”, but with inverted data lines like RS-232, allowing it to be connected directly to a PC’s serial port." From: https://terinstock.com/post/2024/08/When-Serial-Isnt-RS-232-and-Geocaching-with-the-Garmin-GPS-95/
- 20. US Marshals Service disputes ransomware gang’s breach claims
"The U.S. Marshals Service (USMS) denies its systems were breached by the Hunters International ransomware gang after being listed as a new victim on the cybercrime group's leak site on Monday." - Basically they are an old victim, not a new one. Interesting.
- 21. This Badge is My Badge – LRQA Nettitude Labs
Why not just install fake RFID badge readers instead of backdooring (through hardware) existing ones, or trying to clone a badge from an employee? Pros and cons are discussed in the article, including: "One of the primary drawbacks of this tool is that (by design) it is visible once it is placed, but more to the point, it is easier to notice than its ESPKey alternative. Arguably the biggest drawback is the fact that the malicious reader will not actually open anything, as the reader is not attached to any other wires, which might cause confusion, or worse, questions. There are a few potential workarounds to lessen the likelihood that a malicious reader is caught, although this can be quite situational. Placing the reader next to a door that is always unlocked seems like one of the most logical options. This however either requires a successful tailgate or other method of entry, as the vast majority of unlocked doors will not be external building doors. This highlights another risk worth considering – exposure to the elements, i.e. rain, wind, etc. – in the event it is placed on an exterior wall, as these pose the potential of damaging the device."
- 22. Exploiting the Windows Kernel via Malicious IPv6 Packets (CVE-2024-38063) – MalwareTech
Basically, the RCE in Windows in the IPv6 stack is really hard to exploit. So far, we have not seen a reliable exploit. The danger of this assumption is what happens if/when someone figures this out. If you slacked on applying the patch, especially for a network RCE, you could end up in a bad situation. My advice, as usual, is to apply the patch and not get hung up on how the exploit writers are doing.
- 23. Weaponized Vulnerabilities Deserve a Seat at The Prioritization Table
Patrick has taken a stab at defining what "weaponized" means in the context of a vulnerability: "Weaponized vulnerabilities are those with explicit malicious intent, historic malware usage, prior reports of exploitation, or inclusion in point-and-click exploitation frameworks or kits. Projects facilitating point-and-click exploitation could include malicious exploit kits, such as those previously tracked by Contagio, or open source or commercial offerings like Metasploit, VulnCheck Initial Access Intelligence, CANVAS, or Core Impact. Additionally, weaponized exploits often have secondary payloads, droppers, or implants. In our State of Exploitation Report published in May, we observed 2% of vulnerabilities over the past decade that have been weaponized." - Thoughts? For me, weaponized means there is a working exploit that can carry a payload that will have some impact on a system. I do believe we need a way to indicate if an exploit can cause a system crash reliably. Perhaps it is not considered fully weaponized but gets some sort of tag that tells us attackers could crash software and/or systems reliably.
- 24. Stealthy Linux Malware ‘Sedexp’ Having Zero-detections Since 2022
And udev rules are now being checked (At least on my systems). I need to back and check to see if tools such as Lynis check for this TTP (quick Google search doesn't reveal much).
- 1. Call this number (212) 203-4978!
The Hacked Existence team is happy to host the PhreakMe CTF. Dial (212) 203-4978 to begin. Follow the white rabbit.
- 2. Keep Pavel Durov LOCKED UP
The CEO of Telegram was arrested in France. The hacker group THC stated "He was arrested because he facilitates a wide range of crimes, including drug trafficking and ransomware groups."
- 3. Stealthy ‘sedexp’ Linux malware evaded detection for two years
A stealthy Linux malware named 'sedexp' has been evading detection since 2022 by using a persistence technique not yet included in the MITRE ATT&CK framework. "At the time of this writing, the persistence technique used (udev rules) is not documented by MITRE ATT&CK," the researchers note, highlighting that sedexp is an advanced threat that hides in plain sight. MALWARE ON LINUX!? CLUTCHES PEARLS
- 4. Windows Downdate
yeah yeah yeah I know we talked about this before. But now you can "down"load and use it.
- 5. macOS Red Teaming
Macs cannot be hacked, right? Here are some tips and commands if you are ever going on a MacOS engagement.
- 6. Installing The Sonic Drive-In Operating System
The Sonic "Operating System" has been dumped to Archive.org, and it seems like there is a pretty active community attempting to get it running on standard hardware. If you have 30mins to spare and want to watch somebody attempt to get it running on a MICROS POS here is a YT link (https://www.youtube.com/watch?v=MmJ8NVLji84)
- 1. NGate Android malware relays NFC traffic to steal cash
- 2. Automated Bug Hunting With Semgrep — Somerset Recon
- 3. Exploring Russian and International Analog TV From Leaky Cable TV Networks via the Airspy Server Network
- 4. WUSTL-CSPL/Firmware-Dataset
- 5. GreyNoise Labs – BLUUID: Firewallas, Diabetics, And… Bluetooth
- 6. mjg59
- 7. Seattle airport ‘possible cyberattack’ snarls travel again
- 8. Your Firmware Has Arrived: A Study of Firmware Update Vulnerabilities
- 9. NGate Android malware relays NFC traffic to steal cash
- 10. The gigantic and unregulated power plants in the cloud – Bert Hubert’s writings
- 11. Automated Bug Hunting With Semgrep — Somerset Recon
- 12. Taking the Crossroads: The Versa Director Zero-Day Exploitation – Lumen
- 13. Exploring Russian and International Analog TV From Leaky Cable TV Networks via the Airspy Server Network
- 14. Group Offers CAPTCHA-Solving Services to Cybercriminals
- 15. NGate Android malware relays NFC traffic to steal cash
- 16. WUSTL-CSPL/Firmware-Dataset
- 17. Automated Bug Hunting With Semgrep — Somerset Recon
- 18. GreyNoise Labs – BLUUID: Firewallas, Diabetics, And… Bluetooth
- 19. mjg59
- 20. Exploring Russian and International Analog TV From Leaky Cable TV Networks via the Airspy Server Network
- 21. Seattle airport ‘possible cyberattack’ snarls travel again
- 22. WUSTL-CSPL/Firmware-Dataset
- 23. Your Firmware Has Arrived: A Study of Firmware Update Vulnerabilities
- 24. GreyNoise Labs – BLUUID: Firewallas, Diabetics, And… Bluetooth
- 25. The gigantic and unregulated power plants in the cloud – Bert Hubert’s writings
- 26. mjg59
- 27. Taking the Crossroads: The Versa Director Zero-Day Exploitation – Lumen
- 28. Seattle airport ‘possible cyberattack’ snarls travel again
- 29. Group Offers CAPTCHA-Solving Services to Cybercriminals
- 30. Your Firmware Has Arrived: A Study of Firmware Update Vulnerabilities
- 31. The gigantic and unregulated power plants in the cloud – Bert Hubert’s writings
- 32. Taking the Crossroads: The Versa Director Zero-Day Exploitation – Lumen
- 33. Group Offers CAPTCHA-Solving Services to Cybercriminals