Security Weekly
Paul's Security WeeklySubscribe
Careers, Security awareness, Threat intelligence, Vulnerability management

Funny Stories – PSW #717

This week, we kick off the show with an interview featuring Doug Burks, CEO of Security Onion Solutions, who joins to discuss Peel Back the Layers of Your Enterprise with Security Onion 2! Then, I'm going to continue guiding you through Scanning For Default Creds With Python!! In the Security News: LOLbins that make you LOL, over exposing your medical records, Shrootless gets past SIP, 73.6% of statistics are made up and other such lies, we love Signal, if an 0day drops on the Internet how many people have it?, fake Harvard students, uses for an Apple cleaning cloth, Bidi override characters, who owns my house?, who owns your printer?, and the return of Clippy!

Segment Resources:

https://securityonion.net

https://github.com/Security-Onion-Solutions/securityonion

https://securityonion.net/discuss

Visit https://www.securityweekly.com/psw for all the latest episodes!

Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

View Show Index

Full Audio

Segments

1. Peel Back the Layers of Your Enterprise with Security Onion 2 – Doug Burks – PSW #717

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. We've got a new container-based platform that is more flexible, more powerful, and more scalable than ever before. Join us to see how you can peel back the layers of your enterprise and make your adversaries cry!

Segment Resources:

https://securityonion.net

https://github.com/Security-Onion-Solutions/securityonion

https://securityonion.net/discuss

Announcements

  • In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.

Guest

Doug Burks
Doug Burks
CEO at Security Onion Solutions

Doug Burks started Security Onion in 2008 to provide a comprehensive platform to help folks peel back the layers of their enterprise and make their adversaries cry. Today, Security Onion has over 1,000,000 downloads and is being used by organizations around the world for threat hunting, enterprise security monitoring, and log management. In 2014, Doug started Security Onion Solutions LLC to help those organizations by providing training, professional services, and hardware appliances. Doug is a CEO, public speaker, teacher, former president of the Greater Augusta ISSA, and co-founder of BSides Augusta, but what he really likes the most is catching bad guys.

Hosts

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
Josh Marpet
Josh Marpet
Executive Director at RM-ISAO
Larry Pesce
Larry Pesce
Product Security Research and Analysis Director at Finite State
Lee Neely
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
Tyler Robinson
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. Part 2: Scanning For Default Creds With Python – PSW #717

We've updated our script with all sorts of new features. The latest version uses the TOML configuration file format to store the vendor information and the credentials to test with. We'll focus on how to implement that as it's handy for all sorts of projects. We'll also cover some of the other updates, including testing protocols on different ports and better reporting.

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

Hosts

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
Josh Marpet
Josh Marpet
Executive Director at RM-ISAO
Larry Pesce
Larry Pesce
Product Security Research and Analysis Director at Finite State
Lee Neely
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
Tyler Robinson
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

3. Shrootless Bug, Statistic Stats, Trojan Source, Fake Students, & Clippy Returns – PSW #717

This week in the Security News: LOLbins that make you LOL, over exposing your medical records, Shrootless gets past SIP, 73.6% of statistics are made up and other such lies, we love Signal, if an 0day drops on the Internet how many people have it?, fake Harvard students, uses for an Apple cleaning cloth, Bidi override characters, who owns my house?, who owns your printer?, and the return of Clippy!

Announcements

  • In case you missed it: Paul's Security Weekly's new streaming time is Wednesday nights from 6pm-9pm ET & Enterprise Security Weekly's new streaming time is Thursday afternoons from 3pm-4:30pm ET. You can view our live stream schedule at any time at https://securityweekly.com/live!

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
  1. 1. How Hackers Cause Physical Damage
  2. 2. Signal Working on Improving Anti-Spam Capabilities
    Interesting: "Unlike Signal’s underlying code, which is open-source, the code for fighting spam is kept secret, to prevent bad actors from finding bypasses."
  3. 3. Google just tripled its bounty for Linux kernel bugs. Here’s why
    Linux security is important: "We are constantly investing in the security of the Linux Kernel because much of the internet, and Google – from the devices in our pockets, to the services running on Kubernetes in the cloud – depend on the security of it "
  4. 4. 10 Free and Best OSINT Tools 2021
    Which is your favorite?
  5. 5. Signal unveils how far US law enforcement will go to get information about people
    You can't provide what you don't collect: "In the search warrant, Santa Clara Police sought to get the name, street address, telephone number, and email address of a specific Signal user. It also wanted billing records, the dates of when the account was opened and registered, inbound and outbound call detail records, voicemails, video calls, emails, text messages, IP addresses along with dates and times for each login, and even all dates and times the user connected to Signal."
  6. 6. 8 funny cyber security quotes and why they matter to you – CyberTalk
    At the time, these were relavent: "Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.” -- Clifford Stoll" - This one is like the "passwords are like underwear" horrible analolgy. Rotating passwords is no longer recommended the way it used to be. Sharing is still bad, but we have so many other ways to grant access (password/secret vaults, oAuth, etc...) that this advice is now dated. Then there is this on "The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it. -- Robert Morris" - I do not dispute the claim, its just less and less feasible as time goes on. Sure, we could not use any computers today, however many carry one in their pocket and for certain types of services it requires that you have some sort of computing device. I dig this one: "When you secure things right, people won’t be sure you’ve done anything at all - unknown".
  7. 7. Google fixes two high-severity zero-day flaws in Chrome
    "The two zero-day flaws -- which are being exploited by attackers now -- are being tracked with the identifiers CVE-2021-38000 and CVE-2021-38003. Both were found by Google's Threat Analysis Group (TAG), which tracks state-sponsored and cyber-criminal exploit activity. The second of the two zero-days was also reported by Samuel Groß from Google Project Zero on 26 October, indicating how fast Google is responding to zero-day discoveries." - I find it interesting that two different research groups, in this case, both within Google, found the same bug. Just when you think something has not been discovered by someone else or some other group, think again. I don't believe we can call it "safe" if it's not being exploited in the wild, maybe it is?
  8. 8. Scammers Injected Fake Students Into Harvard.edu and Used Them to Post SEO Spam
    This happens all the time, and has been happening for a long time: "As it turns out, there is no Harvard student by the name of Mikao John. Instead, a scammer invented that persona — and, alarmingly, managed to obtain the credentials to insert him into Harvard’s web system — in order to sell SEO-friendly backlinks, and the prestige of being hyped up by someone at one of the world’s most distinguished universities, to marketing firms with publicity-hungry clients." The scammers advertised for all sorts of things, including, synthetic urine. WTF? (Reference from actual post on Harvard site: https://archive.md/hgCU2). Companies that place ads were in on it or not? "One of the companies featured in a blog post by Mikao John, for instance, told Futurism that the mention had been secured through a marketing firm called T1 Advertising, which conceded in response to questions that it sometimes pays “media consultants” to plant blog posts on Harvard’s site."
  9. 9. 2021 MacBook Pro Teardown: A Glimpse at a Better Timeline
    They also tore apart the $19 Apple cleaning cloth...
  10. 10. Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection – Microsoft Security Blog
    "SIP is a security technology in macOS that restricts a root user from performing operations that may compromise system integrity. We discovered the vulnerability while assessing processes entitled to bypass SIP protections. We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process. After bypassing SIP’s restrictions, the attacker could then install a malicious kernel driver (rootkit), overwrite system files, or install persistent, undetectable malware, among others." and right here is your problem: "when installing an Apple-signed package (.pkg file), the said package invokes system_installd, which then takes charge of installing the former. If the package contains any post-install scripts, system_installd runs them by invoking a default shell, which is zsh on macOS. Interestingly, when zsh starts, it looks for the file /etc/zshenv, and—if found—runs commands from that file automatically, even in non-interactive mode"
  11. 11. ‘Trojan Source’ Bug Threatens the Security of All Code – Krebs on Security
    So neat: "Therefore, by placing Bidi override characters exclusively within comments and strings, we can smuggle them into source code in a manner that most compilers will accept. Our key insight is that we can reorder source code characters in such a way that the resulting display order also represents syntactically valid source code.” “Bringing all this together, we arrive at a novel supply-chain attack on source code. By injecting Unicode Bidi override characters into comments and strings, an adversary can produce syntactically-valid source code in most modern languages for which the display order of characters presents logic that diverges from the real logic."
  12. 12. Luton man left shocked as his house is ‘stolen’
    Someone stole his identity and sold his house! Legally, this can be tricky to rectify.
  13. 13. IT risk consultant says New World devs “should be ashamed of themselves” for code injection vulnerability
    Turns out this is not run on the client, but on the server-side: "For those who missed it, New World players Josh Strife Hayes and Callum Upton discovered on Friday that the text boxes in the game are HTML, and that the text is not sanitized, which in short means you can run client-side code in any text box in the game."
  14. 14. What Small Businesses Can Do to Thwart the Top 5 Cybersecurity Threats – StartupNation
    This is like cookie cutter, very bland, tired old advice. How do we change the narritive? "Educate your managers and employees, Keep your software and system up to date, Ensure endpoint protection, Install a firewall, Back up your data."
  15. 15. CVE-2021-25219: Lame cache can be abused to severely degrade resolver performance – Security Advisories
    "The purpose of a resolver's lame cache is to ensure that if an authoritative server responds to a resolver's query in a specific broken way, subsequent client queries for the same tuple do not trigger further queries to the same server for a configurable amount of time." - You can turn off lame cache: lame-ttl 0;
  16. 16. Protect your home for under $100 with 2 blockchain-powered home security cameras
  17. 17. Is Sandboxing Dead?
    Holy ads batman, also, I did not get a whole lot out of this article...
  18. 18. MITRE Releases a List of Most Dangerous Hardware Vulnerabilities in 2021
  19. 19. Printers Hacked for First Time at Pwn2Own
    I'm really interested in seeing the research as printers are weird devices. In HP's case, the firmware was very specific and used PJL to perform the updates. There was not great documentation or other research several years ago (that I could find easily), however, a quick search turned up this: https://www.jsof-tech.com/unpacking-hp-firmware-updates-part-1/. Happy reading!
  20. 20. Clippy is back to troll your friends in Microsoft Teams
    Clippy is back! Not really, but, you know, rage...
Josh Marpet
Josh Marpet
Executive Director at RM-ISAO
Larry Pesce
Larry Pesce
Product Security Research and Analysis Director at Finite State
  1. 1. Viewing website HTML code is not illegal or “hacking,” prof. tells Missouri gov.
  2. 2. Elliot on Twitter
  3. 3. Tiny Open Hardware Linux SBC Hides In Plain Sight
Lee Neely
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
  1. 1. Over 800 million medical records exposed in data breach – Sacut Cyber Security
    an American medical artificial intelligence platform, containing 886,521,320 records. The total size of the dataset was 68.53 GB and contained U.S.-based medical-related data. The type of data collected was divided into the following sections: Date, document type, physician note, encounter IDs (An interaction between a patient and healthcare provider(s) to provide healthcare service(s)), patient ID, note, UUID, patient type, doctor notes, date of service, note type (example Nursing/other), and detailed note text.
  2. 2. FBI director asks US businesses to work with it to foil Chinese espionage
    The head of the FBI urged US companies on Thursday to develop closer ties with it to counter a “multi-avenue” effort by Beijing to amass enough intellectual property to “become the world’s only superpower”. Suggests establishing partnerships with the agency’s local offices – before breaches occur like the Microsoft Exchange email server hack discovered earlier this year.
  3. 3. Iranian hackers take down servers of Israeli internet hosting company Cyberserve
    Black Shadow hacking group, which hit Shirbit insurance firm last year, takes public transport companies, children’s museum and other sites offline; warns of data leak. Retaliation for gas pump hack or are they just continuing the cyber jousting?
  4. 4. New ‘Shrootless’ Bug Could Let Attackers Install Rootkit on macOS Systems
    Last week, Microsoft disclosed details about a new vulnerability (CVE-2021-30892) dubbed "Shrootless" that could be exploited by attackers to bypass macOS security restrictions and assume complete control over targeted devices to perform arbitrary operations on compromised devices without being flagged by security solutions.
  5. 5. APTs, Teleworking, and Advanced VPN Exploits: The Perfect Storm
    VPNs which have become essential for many organizations since the pandemic's onset, are a popular target for cyberattacks. Incident response teams say these attacks on VPNs aren't new, but attackers are finding new and sophisticated ways to compromise enterprise VPNs.
  6. 6. TA575 criminal group using ‘Squid Game’ lures for Dridex malware – The Cyber Post
    Cybersecurity firm Proofpoint has found evidence of a prolific cybercrime group using the popularity of Netflix hit “Squid Game” to spread the Dridex malware.
  7. 7. ‘Trojan Source’ Hides Invisible Bugs in Source Code – Sacut Cyber Security
    Researchers say they have uncovered a new attack method they have dubbed "Trojan Source attacks" in which attackers could exploit how Unicode handles script ordering to encode potentially malicious source code in such a way that human reviewers will only see the harmless version of the code while compilers see the nefarious version. The Trojan Source attack method exploits the difference between how text renderers display information versus how a compiler processes it.
  8. 8. Ransomware cybercriminals linked to Norsk Hydro attack fall prey to Europol swoop
    Europol says it has successfully disrupted operations of the high-profile, "professional, highly organized" ransomware group responsible for thousands of "devastating" attacks, including the one that hit Norsk Hydro, after successfully targeting 12 group members.
  9. 9. FBI warns of fake govt sites used to steal financial, personal data
    The FBI warned the US public that threat actors actively use fake and spoofed unemployment benefit websites to harvest sensitive financial and personal information from unsuspecting victims.
  10. 10. War-Driving – Still an Easy Bet for Household Wi-Fi attacks
    The old-time war-driving technique is still proving an efficient way to crack WiFi passwords. Recently, a researcher in Israel was able to crack 70% of WiFi network passwords after collecting network hashes via war-driving.
  11. 11. 40% of organizations suffered a cloud-based data breach in the past 12 months – Help Net Security
    Despite increasing cyberattacks targeting data in the cloud, 83% of businesses are still failing to encrypt half of the sensitive data they store in the cloud, raising even greater concerns as to the impact cyber criminals can have. 40% of organizations have experienced a cloud-based data breach in the past 12 months, according to a study conducted by 451 Research.
  12. 12. FBI: HelloKitty ransomware adds DDoS attacks to extortion tactics
    The FBI has sent out a flash alert warning private industry partners that the HelloKitty ransomware gang (aka FiveHands) has added DDoS attacks to their arsenal of extortion tactics.
  13. 13. FBI: Ransomware targets companies during mergers and acquisitions
    The Federal Bureau of Investigation (FBI) warns that ransomware gangs are targeting companies involved in "time-sensitive financial events" such as corporate mergers and acquisitions to make it easier to extort their victims.
  14. 14. Researchers Uncover ‘Pink’ Botnet Malware That Infected Over 1.6 Million Devices
    Cybersecurity researchers disclosed details of what they say is the "largest botnet" observed in the wild in the last six years, infecting over 1.6 million evices primarily located in China, with the goal of launching distributed denial-of-service (DDoS) attacks and inserting advertisements into HTTP websites visited by unsuspecting users. Mainly targeting MIPS-based fiber routers, the botnet leverages a combination of third-party services such as GitHub, peer-to-peer (P2P) networks, and central command-and-control (C2) servers for its bots to controller communications, not to mention completely encrypting the transmission channels to prevent the victimized devices from being taken over.
  15. 15. Yahoo is the third major US tech platform to exit China in the past month
    Yahoo announced today (Nov. 2) that it will no longer operate in China as the country tightens data and privacy regulations that are making it increasingly difficult for US companies to operate there.
Tyler Robinson
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

Related

Careers
The Reasons Why CISOs Should Report to CEOs – Jeff Pollard – BSW #298

When CISOs report into CEOs it gives them more autonomy, empowers them with more decision making authority, and eliminates the inherent conflict of interest present when CISOs report into IT leaders like the CIO. Segment Resources: https://www.forrester.com/blogs/five-reasons-why-cisos-should-report-to-ceos
Careers
The Rise of the Chief Product Security Officer – Jason Christman – CSP #113

Cybersecurity is becoming a #1 business risk for many organizations. For CISOs to effectively manage this risk, proper strategy, adequate resourcing, and leadership support are all essential, but not enough. CISOs need a trusted partner on the supplier side, a product CISO, known within industry as a Chief Product Security Officer, who understand...
prestitial ad