Hackers Be Hackin’ – PSW #719
This week, we kick off the show with a technical segment where we walk through creating vulnerable Docker Containers – On Purpose! Then, Derek Rook from Senior Director Purple Team atTeradata, & SANS Certified Instructor joins to discuss technologies to build CTFs as well as what types of things to consider while doing so!! In the Security News: The FBI is spamming you, hacking exists in the mind, Beg Bounties, nasty top-level domains, MosesStaff, why own one npm package when you can own them all, how much is your 0day worth, upnp strikes again, when patches break exploits in weird ways, records exposed in stripchat leak, can we just block ICMP?, trojans in your IDA, suing Satoshi Nakamoto, paying to be in the mile high club, it was cilantro, and sexy VR furniture!
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
I needed to create some vulnerable targets for testing exploits and my default password finder I wrote in Python (featured in previous episodes). I found a few useful projects, including Vulhub, that made the task of building an insecure lab environment pretty easy. I've made several additions and improvements to the available code, which I will run through in this segment.
CyHub Armenia in cooperation with Security Weekly is happy to announce its next batch of Incubation program, which aims to supercharge the growth of early stage cyber security startups. We’re looking for founders from anywhere in the world to join us for a three-month, mentor-driven, 100% virtual program. The best teams will have the opportunity to get up to $50,000 funding and then we'll do everything we possibly can to make them successful.
Visit https://securityweekly.com/acceleration to apply now!
Derek and the hosts will discuss technologies to build CTFs as well as what types of things to consider while doing so. They will also talk about the computer fundamentals that are often undervalued when entering security.
Throughout 2022, CRA's Business Intelligence Unit will be releasing research reports on the top topics across the security industry. Our first report will be on Third-Party Risk and the Supply Chain. To participate in the survey, please visit https://securityweekly.com/thirdpartyrisk. The results will be shared at our Third-Party Risk eSummit in January.
Derek is an industry veteran with over 20 years of experience spanning IT, security, and senior leadership. He currently serves as Senior Director of Purple Team at Teradata, driving a holistic security posture by aligning offensive security with security engineering and operations. A passionate educator, he is constantly working on new community education and outreach projects, including an offensive security focused YouTube channel, a few CTFs, and a variety of community talks. Derek holds several security certifications and a NolaCon Black Badge.
This week in the Security News: The FBI is spamming you, hacking exists in the mind, Beg Bounties, nasty top-level domains, MosesStaff, why own one npm package when you can own them all, how much is your 0day worth, upnp strikes again, when patches break exploits in weird ways, records exposed in stripchat leak, can we just block ICMP?, trojans in your IDA, suing Satoshi Nakamoto, paying to be in the mile high club, it was cilantro, and sexy VR furniture!
In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
- 1. Hoax Email Blast Abused Poor Coding in FBI Website - Heh: "Basically, when you requested the confirmation code [it] was generated client-side, then sent to you via a POST Request,” Pompompurin said. “This post request includes the parameters for the email subject and body content."
- 2. Some Thoughts on Teaching Hacking - I love this: "However, for whatever reason, many students don't seem to view their role as investigators, they see their role as, well, attackers. They aren't approaching their targets with the notepad and pipe of a detective, but rather with the bow and quiver of a hunter. If your student seems to be too eager to fire off exploits and then gets frustrated when they don't work, help them realize that their attack can only fail if their model of the machine is wrong. By helping a student "take off their hacker hat", you can give them the space they need to step back and assess the situation more clearly." Also, this is great "Hacking exists in the mind, not in the machine." And when troubleshooting, this question is so important: "Why do you think that your beliefs about the machine are the right beliefs to have?" - I go through this all the time with students and interns. You have beliefs, and you tend to follow them. The beliefs that will always get you in trouble when you are trying to fix something or make something work are: "Nothing changed." and "But this should just work". Just because you believe it, doesn't mean it's true, you need proof. When troubleshooting you will find that 1) Something has changed but you have not observed it (yet) and 2) It doesn't work because you, or another person, has done something incorrectly.
- 3. Running a WiFi-less Home Network: Security Paranoid Edition - A bit extreme. I do like the recommendations for monitoring and tools, and for small networks these are great (maybe even for larger networks too).
- 4. Beg Bounties - "This is why my email above says "beg bounty" and it's exactly what it sounds like - someone begging for a bounty. Sophos wrote up a bunch of good examples earlier this year and they typically amount to easily discoverable configurations that are publicly observable and minor in nature. DMARC records. A missing CSP. Anything that as Sophos puts it, is "scaremongering for profit". And just to be crystal clear, these are "reports" submitted to website operators who do not have a published bug bounty." - Yep, we get these, best to have a policy for bounties, begs and bugs.
- 5. A Peek into Top-Level Domains and Cybercrime - "One of the most fascinating stories in the domain name world is how .tk, the ccTLD of a small Pacific island called Tokelau, became one of the most populous TLDs in the world. Domain registrations contributed at one point one-sixth of Tokelau’s income. Their TLD became popular by providing free domain registrations, where the source of income for the TLD operator is through advertisement rather than domain registration fees. Unfortunately, their domain registration policy also invites abuse, spam and a large amount of sensitive content," - A good case for some quality blocking.
- 6. MosesStaff Locks Up Targets, with No Ransom Demand, No Decryption - Oh, just patch: "MosesStaff has a specific modus operandi of exploiting vulnerabilities in public-facing servers, then using a combination of unique tools and living-off-the-land maneuvers to leave the targeted network encrypted, with encryption used solely for destruction purposes,” said CPR researchers. “The vulnerabilities exploited in the group’s attacks are not zero days, and therefore all potential victims can protect themselves by immediately patching all publicly-facing systems." - But also, curious about the motive of this group, just to watch stuff crash and burn?
- 7. Intel CPU flaw could enable hackers to attack PCs, cars, and medical devices - "Using this vulnerability, an attacker can extract the encryption key and gain access to information within the laptop. The bug can also be exploited in targeted attacks across the supply chain. For example, an employee of an Intel processor-based device supplier could, in theory, extract the Intel CSME firmware key and deploy spyware that security software would not detect" (https://www.ptsecurity.com/ww-en/about/news/positive-technologies-discovers-vulnerability-in-intel-processors-used-in-laptops-cars-and-other-devices/)
- 8. GitHub’s commitment to npm ecosystem security - Wow, so scary: "Second, on November 2 we received a report to our security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization. We quickly validated the report, began our incident response processes, and patched the vulnerability within six hours of receiving the report. We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry. In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file. This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package."
- 9. The rise of millionaire zero-day exploit markets - Whew, how do we compete? "This is probably why zero-day sellers have moved their auctions to cybercriminal forums: to fish in this large and wealthy pool. Zero-day exploits are incredibly pricey and we’ve observed threat actors claiming that they could go away for up to $10,000,000 during our investigations. These prices can appear enormous but there‘s a key aspect to keep in mind.” reads the paper published by Digital Shadows experts. “Whatever legitimate bug bounty programs offer (and we’ve often seen them offering multi-million dollar bounties before), cybercriminals must offer more in order to compete with them, given the risks (jail time) and additional requirements needed during illicit activity (i.e. money laundering)." And just who has this kind of dough? Well: "An interesting consideration that emerged from the report is that not only nation-state hackers are able to pay so high prices, cybercriminal organizations have also the same expense capabilities, especially ransomware gangs."
- 10. Netgear Patches Code Execution Vulnerability Affecting Many Products - Exploit and full details available here: https://github.com/grimm-co/NotQuite0DayFriday/tree/trunk/2021.11.16-netgear-upnp Also, super interesting that there is a bug in the code that breaks UPnP, and in-turn also fixes the vulnerability: "As a result, all UPnP SUBSCRIBE and UNSUBSCRIBE requests are broken in the R7000 in version 220.127.116.11 and later. Thus, the vulnerable UUID handling code within upnpd cannot be reached and these firmware images are not vulnerable to the UUID stack overflow vulnerability. However, once this functionality is fixed, the vulnerable code will once again be reachable, and the devices will be exploitable again." - So patch your router to be vulnerable?
- 11. 200M Adult Cam Model, User Records Exposed in Stripchat Breach - Too much leaking and exposure...
- 13. Linux has a serious security problem that once again enables DNS cache poisoning - Interesting: "We find that the handling of ICMP messages (a network diagnostic protocol) in Linux uses shared resources in a predictable manner such that it can be leveraged as a side channel,” researcher Qian wrote in an email. “This allows the attacker to infer the ephemeral port number of a DNS query, and ultimately lead to DNS cache poisoning attacks. It is a serious flaw as Linux is most widely used to host DNS resolvers."
- 14. This mysterious malware could threaten millions of routers and IoT devices - https://flip.it/u9rKCK
- 15. The Microprocessor Is 50: Celebrating the Intel 4004 - Comparing the 4004 with the i9 12900k is really funny: 4004 = 0.074 GHz (740 kHz) and i9 12900k = 5.20 GHz (5,200,000 kHz)
- 16. NanoDump
- 17. North Korean Hackers Target Cybersecurity Researchers with Trojanized IDA Pro - So now we need to run IDA on our own copy of IDA? ""Attackers bundled the original IDA Pro 7.5 software developed by [Hex-Rays] with two malicious components," the Slovak cybersecurity firm said, one of which is an internal module called "win_fw.dll" that's executed during installation of the application. This tampered version is then orchestrated to load a second component named "idahelper.dll" from the IDA plugins folder on the system."
- 18. Bitcoin creator Satoshi Nakamoto could be unmasked at Florida trial - "That is what a Florida jury will try to tackle. The family of David Kleiman is suing his former business partner, a 51-year-old Australian programmer living in London named Craig Wright. Mr. Wright has been arguing since 2016 that he created bitcoin, a claim dismissed by most in the bitcoin community. Mr. Kleiman’s family argues that the two worked on and mined bitcoin together, entitling Mr. Kleiman’s family to half a million bitcoins. "We believe the evidence will show there was a partnership to create and mine over one million bitcoin," said Vel Freedman, a lawyer for the Kleiman family."
- 19. You can now pay US$995 to have sex in an airplane flying over Las Vegas - WTH? "Sometimes, Blake has even been invited to join in the fun, but has declined such invitations every single time – not for any reason other than to ensure everyone ends up safe. "It's a one-pilot plane and I can't leave the cockpit," he said. "I love sex, but I love flying even more."
- 20. ‘Smell it, I promise you’: Churchgoers mistake woman’s cilantro for marijuana, kick her out in viral TikTok - It was cilantro, I swear! In this case, probably so.
- 21. The Brave New World of Erotic VR Body-Swapping - You really have to have tried A LOT of things to come to "Hey, let's go into VR worlds and have sex as furniture and home appliances". WTAF? "but one day, they decided to explore what it would be like to have sex as objects instead. In their respective bedrooms on different corners of the globe, they strapped on their VR headsets, and embodied two non-human avatars; Smoos chose a chest of drawers, her partner a TV."