ASW #197 – Brian Glas

Announcements

• Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

• Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Guest

Brian Glas

Assistant Professor of Computer Science at Union University

Brian has over 20 years of experience in various roles in IT and over a decade and a half of that in application development and security. His day job is serving as an Assistant Professor teaching a full load of Computer Science and Cybersecurity classes at Union University. He helped build FedEx’s AppSec team, worked on the Trustworthy Computing team at Microsoft, consulted on software security for years, and served as a project lead and active contributor for SAMM v1.1-2.0+ and OWASP Top 10 2017 and 2021. Brian is a contributor to the RABET-V Pilot Program for election related technology. He holds several Cybersecurity and IT certifications and is currently working on his Doctor of Computer Science in Cybersecurity and Information Assurance.

Hosts

Mike Shema

Security Partner at Square

John Kinsella

Co-founder & CTO at Cysense

Announcements

• Security Weekly listeners, save $100 on your RSA Conference 2022 Full Conference Pass! RSA Conference will be live in San Francisco June 6th-9th, 2022. Security Weekly will be there in full force, delivering real-time, live coverage and interviewing some of the event’s top speakers and sponsors. To register using our discount code, please visit https://securityweekly.com/rsac2022 and use the code 52UCYBER. We hope to see you there!

• Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Hosts

Mike Shema

Security Partner at Square

1. 1. Security advisory: malicious crate rustdecimal
   There's surely a maturity model somewhere for software projects that receive their first vuln report, first cryptographic implementation mistake, and first attack against their package management system. This typosquatting attack against Rust had little impact and on its own is mostly a curiosity. But it does point to the larger problem of managing dependencies and how attestation of packages is a problem that's agnostic to programming languages.
2. 2. Serious Security: Learning from curl’s latest bug update
   Two of the flaws reported to curl are fun examples of simple syntax gone wrong. One involves mishandling %2f in hostnames and the other involves mishandling cookie scopes in domains with a trailing dot. They're the kinds of bugs that look obvious in hindsight, yet understandably creep into code due to the nuances and complexity of normalizing data before operating on it. Curl is also an interesting project that has been a C implementation for decades and likely will remain that way for decades to come. The project's owner, Daniel Stenberg, has created not only one of the most useful web utilities, but also created a model for curating an open source project. Even though we're using some security flaws to talk about curl, it's not a project that's consistently plagued by flaws. Yet it could always use assistance and sponsorship to add new features and maintain the code. Find more details at https://curl.se/sponsors.html Read more about reporting security bugs in curl at https://curl.se/dev/secprocess.html
3. 3. Linux, OpenSSF Champion Plan to Improve Open Source Security
   This 10 point plan, backed by financial investment to make it happen, is welcome news to the open source community. The points would also be great references for any appsec team looking to build or improve an internal secure SDLC program. Read more details at https://openssf.org/oss-security-mobilization-plan/, which also links to a PDF of the plan.
4. 4. A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit ARM & 64-bit ARM architectures.
   Returning to the topic of home labs and learning new security domains, here's a resource of information on reverse engineering.
5. 5. CISO Shares Top Strategies to Communicate Security’s Value to the Biz
   We're always on the lookout for recommendations on how to build a narrative within security, whether it's pitching DevOps teams on what taking more responsibility for security means or gaining support and investment from leadership to grow security programs. Here's a summary of one of the keynotes from Black Hat Asia. We'll revisit this once the recording is available for everyone. But we also wanted to use this as a chance to ask our listeners what recent conference presentations have you seen that changed your mind on a subject? Or that inspired you to approach a problem differently and that led to success? Or even just a presentation you found insightful and entertaining?
6. 6. Known macOS Vulnerabilities Led Researcher to Root Out New Flaws
   Another summary of a presentation from Black Hat Asia. This one is about taking an attacker mindset -- a topic we like to highlight -- to previous vulns within a system in order to look for patterns or architecture weaknesses where new vulns might be found. The presentation whitepaper and slides are already available at - https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Fitzl-macOS-vulnerabilities-hiding-in-plain-sight-wp.pdf - https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Fitzl-macOS-vulnerabilities-hiding-in-plain-sight.pdf
7. 7. Vulnerability Analysis – CVE-2022-1388 – Randori
   This authentication bypass in F5 came out a few weeks ago. It's a flaw that falls into the "dead simple" category -- use a Basic Authentication header with a request that causes F5's state machine for handling user vs. admin authentication to be confused. The underlying flaw seems surprising in modern app design. Of course, this particular software stack may not be modern, but that leads to additional questions about how to migrate software architectures over time.

John Kinsella

Co-founder & CTO at Cysense

1. 1. Don’t try this at home: Sometimes you can be too realistic in your testing
   First responders recently were head scratching about a malicious package distributed via npm. After several days, it was discovered to be part of a penetration test a security company was doing, and that in order to be "as realistic as possible," an intern at the company uploaded the package with hopes that the pentest customer would download it. Realism is great, but how can we do this in a manner that doesn't send people into panic-response mode?
2. 2. Researchers figure out path to misuse low-power mode iphone features
   Modern iPhones continue to power bluetooth NFC, and ultra-wideband radios when the phone is turned "off," to enable "find my phone" and some payment capabilities. But...it turns out the bluetooth firmware is not signed, and there's an ability to use these radios for purposes other than intended.