Jerry the Hedgehog – PSW #695
This week, we kick off the show with the Security News: Is the cyber NTSB a good thing?, Russian virtual keyboard for the win, information should be free, hang on while I unplug the Internet, security MUST be taken seriously, poison the water hole to poison the water, bombing hackers, how industry best practices have failed us?, publishing exploits is still a good thing regardless of what the studies say, & more! Then, we have a Technical Segment featuring our own Adrian Sanabria, & Sounil Yu from JupiterOne! Then we wrap up the show with a pre-recorded interview with ‘Wheel’ on the “21 Nails” Exim Mail Server Vulns!
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week in the Security News: Is the cyber NTSB a good thing?, Russian virtual keyboard for the win, information should be free, hang on while I unplug the Internet, security MUST be taken seriously, poison the water hole to poison the water, bombing hackers, how industry best practices have failed us?, publishing exploits is still a good thing regardless of what the studies say, and more!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
- 1. The Establishment of a Cyber Safety Review Board – Security Boulevard - Yea, except cybersecurity, hacking and cyber crime are nothing like investigating airplane crashes, in the sense that everything changes all the time, incidents happen at a far greater rate, and we're dealing with digital incidents, not physical (for the most part, unless they intersect, which happens).
- 2. Try This One Weird Trick Russian Hackers Hate – Krebs on Security - Russian virtual keyboard for the win?
- 3. Apple sent my data to the FBI, says boss of controversial research paper trove Sci-Hub - Information should be free (free like free beer and free like running naked through a field)
- 4. CISA: Disconnect Internet for 3-5 Days to Evict SolarWinds Hackers From Network - Oh yea, let me just go unplug the Internet for a few days...
- 5. Biden calls for $22 billion in cyber security funding - Throwing money at the problem does not fix cybersecurity issues. If it did, the companies who spend the most on cybersecurity would not have breaches, except they do.
- 6. New open source scanning tool is built for ethical hackers
- 7. The basics of security code review – Help Net Security
- 8. Wind River’s enhancements deliver cybersecurity and anti-tamper protection – Help Net Security - “Security must be taken seriously – the only way to do that is to be proactive. With billions of new devices constantly connecting locations around the world, the attack surface is staggering. It will be important for solution builders, both hardware and software, to be thoughtful stewards and strong advocates for cybersecurity in order to deliver trustworthy compute infrastructure.” - I read this as "our customers told us security is important to them now, so now security is important to us." Also, not necessarily a bad thing...
- 9. Scans for Vulnerable Exchange Servers Started 5 Minutes After Disclosure of Flaws
- 10. Watering Hole Attack Was Used to Target Florida Water Utilities - "An investigation undertaken in the aftermath of the Oldsmar water plant hack earlier this year has revealed that an infrastructure contractor in the U.S. state of Florida hosted malicious code on its website in what's known as a watering hole attack. 'This malicious code seemingly targeted water utilities, particularly in Florida, and more importantly, was visited by a browser from the city of Oldsmar on the same day of the poisoning event,'" - The irony of poisoning the watering hole to poison the watering hole is not lost...
- 11. Israel Says Its Fighter Jets Bombed Buildings Used by Hamas Cyber Unit
- 12. Lessons Learned From High-Profile Exploits
- 13. Exploit released for wormable Windows HTTP vulnerability
- 14. PeterM on Twitter - When availability ranks way higher than confidentiality.
- 15. Ransomware’s Dangerous New Trick Is Double-Encrypting Your Data - Just don't use XOR. However, attackers will double encrypt, maybe not all, but some of your data, so you have to pay twice.
- 16. Our cybersecurity ‘industry best practices’ keep allowing breaches - "'Industry best practices,' for instance, dictate that network administrators should be boxed in administratively. They should not be able to see what is happening on workstations, servers or storage resources." - Actually, we do not dictate this at all. "Implement a 'one strike and you are out' hiring policy for information security employees. When they fail, do not let it happen twice." - This is just wrong on so many levels, such as: how do you measure failure? And so we all have to be perfect because no one makes mistakes, in any profession, right? Somehow we are different because we deal with cybersecurity? "Also, never hire an information security employee who has ever worked for a firm that has had a security incident." - Wow, you have really hit the crack pipe hard by this point in the article. I will let you in on a not-secret: 99% of us in information security have worked at a company that has had a security incident. Maybe we should just all quit? Maybe we should just all turn to the dark side and take over the galaxy? Just how is this a solution? "Embrace 'holistic' approaches to information security." - You took a huge bong rip before you wrote that, then said it out loud when you typed it, and it sounded really good, huh? And then you try to cover your ass: "The author, Professor Gwinn, states that his column included 'what is likely to have been the worst wording I have ever used in my life' in the 19th and 20th paragraphs, which suggested that he favored the 'willy-nilly firing of a whole staff of people after a security incident. My intent was to hold leadership accountable.' He now states that businesses and industries should 'implement a "one strike and you are out" hiring policy for information security leadership whose job it was to secure systems and networks after a major, expensive breach. Rotate leadership and do not let it happen twice. Also, weed out and avoid hiring that former information security leader.'" Guess what? You are still wrong, on basically all points. Also, we will be looking at all of your future publications and I hope you have better suggestions in the future, because this article...sucks.
- 17. Samba arbitrary file access vulnerability attack
- 18. Why Is There a Lack of Women in Cyber? - This was a great article and did not get into finger-pointing, blaming people, or other such nonsense. For example, the media has continued the notion that the hacker/cybersecurity persona is a male, typically wearing a hoodie, alone, using a computer in the dark: "In general, Cybersecurity in the media typically has a very masculine look. As you can see in the above screenshot, eight of the nine images have the same blue/black color scheme. While this may seem trivial, it’s something that can subconsciously impact perception. Much of these images align with what’s referred to as masculine colors." This is also a great point: "Second, many of the images in my search showed lines of code, which can lead people to come to the conclusion that coding experience is a requirement for a cybersecurity career, which isn’t true." - Again the media is reinforcing the notion that not only should you be male, alone, in the dark, but you also better be super technical and able to write code. All just not true!
- 19. “Those aren’t my kids!” – Eufy camera owners report video mixups
- 20. Expert released PoC exploit code for Windows CVE-2021-31166 bug
- 21. Google makes a big security change, but other companies must follow
- 22. Dumping Plaintext RDP credentials from svchost.exe – n00py Blog
- 23. FIN7 Backdoor Masquerades as Ethical Hacking Tool
- 24. Darkside ransomware gang says it lost control of its servers & money a day after Biden threat
- 25. Publishing exploits early doesn’t encourage patching or help defense, data shows - I am challenging this one, I don't believe this is what the data shows: "The report found that network defenders were almost exactly as likely to mitigate a problem when an exploit had been released before the patch. If an exploit was released first, a median of 46.3% of systems were patched in the first three months, a cumulative 57.5% after six months and 67.8% after 12 months. Patches were actually more common when the first exploit was released after the patch, although only marginally so, and remediation followed the same curve (49.1% at three months, 59.3% at six and 70.6% at 12 months)." - There is a HUGE difference between an exploit being released and an exploit being used in the wild, and this data did not represent that aspect. There is also a huge difference between a PoC and the overall effectiveness of an exploit. Was the exploit a DoS or restricted to RCE? Also, what if an exploit does not have a patch? Or, what if the patch is REALLY hard to apply and roll out, vs. other vulnerabilities that are easier to remediate? Also, what if I didn't apply a patch but I turned off the service, created a firewall rule or implemented some other compensating control? What if I do that more often when an exploit is released than I do patch a system? What if an exploit being released actually helps me with compensating controls rather than applying a patch? What if exploits are released for software that is not popular or I just don't have in my environment, therefore I don't have to patch?
- 26. I Mailed an AirTag and Tracked Its Progress; Here’s What Happened – The Mac Security Blog
- 27. AirTag Used to Successfully Track a Mailed Package Across the UK
- 28. Send My: Arbitrary data transmission via Apple’s Find My network
- 29. CVE-2021-1079 – NVIDIA GeForce Experience Command Execution – VoidSec
- 1. Emerson Patches Several Vulnerabilities in X-STREAM Gas Analyzers - Emerson says it has released firmware updates to address six vulnerabilities rated as high or severe affecting its Rosemount X-STREAM gas analyzer. In the case of CVE-2021-27459, arbitrary code execution is possible, but it requires a high privilege level and the code only executes in a limited context.
- 2. Knopp Resigns as Wyoming CIO After Major Health Data Leak - A Wyoming Health Department (WHD) employee appeared to have improperly handled the data by uploading it to public and private repositories on GitHub
- 3. Recruiter’s Cloud Snafu Exposes 20,000 CVs and ID Documents - An unsecured AWS S3 bucket belonging to Primrose Hill, London-based recruitment firm FastTrack Reflex Recruitment (now TeamBMS) exposed some 5GB of data, including 21,000 files containing CVs and PII.
- 4. New Zealand’s hospitals battle daily cyber attacks: Ministry of Health – NZ Herald - According to Waikato DHB chief executive Kevin Snee, it appears that attackers managed to breach the health provider's networks via a malicious email attachment.
- 5. Student health insurance carrier Guard.me suffers a data breach - Student health insurance carrier guard.me has taken their website offline after a vulnerability allowed a threat actor to access policyholders' PII
- 6. Herff Jones Credit Card Breach: College Students Across the US Affected - According to reports, the credit card breach affects students attending Purdue, IU, Boston, Towson University, University of Houston, Lehigh, Misericordia, Cornell, Wake Forest, Florida State University, and Sonoma State University.
- 7. Irish health service hit by cyber attack - Ireland's Health Service Executive (HSE) says it was forced to temporarily shut down its IT systems in an effort to protect those systems from further compromise after experiencing a "significant cyber attack" on May 13.
- 8. Expert released PoC exploit code for Windows CVE-2021-31166 bug - A security researcher has published a working proof-of-concept exploit code for a wormable Windows IIS server vulnerability tracked as CVE-2021-31166.
- 9. Two flaws could allow bypassing AMD SEV protection system - AMD has issued guidance to customers for dealing with two new vulnerabilities (CVE-2020-12967 and CVE-2021-26311) affecting its Secure Encrypted Virtualization (SEV) protection technology that could be exploited by attackers to completely bypass SEV and execute arbitrary code on targeted systems.
- 10. Eufy security cameras suddenly start showing live feeds to strangers - Owners of security cameras from smart device maker Eufy have reported on Reddit and Twitter that they were able to access video cameras belonging to complete strangers rather than their own video feeds.
- 11. Insurer AXA hit by ransomware after dropping support for ransom payments - Branches of insurance giant AXA based in Thailand, Malaysia, Hong Kong, and the Philippines have been struck by a ransomware cyber attack. Avaddon operators stated on their website that they had stolen 3TB of sensitive customer information from AXA branches in Thailand, the Philippines, Hong Kong and Malaysia, and encrypted these entities' systems with ransomware.
- 12. Ransomware’s Dangerous New Trick Is Double-Encrypting Your Data - Researchers say they have identified ransomware operators encrypting victims' data twice (i.e., double-encrypting) at the same time during ransomware attacks in an effort to get the most money possible from targeted organizations.
- 13. Popular Russian hacking forum XSS bans all ransomware topics - According to a forum post from XSS forum owner "Admin" announcing the move, all "Ransomware affiliate programs," "Ransomware rental," and the "sale of lockers (ransomware software)" are prohibited, and any existing ransomware topics will be deleted.
- 14. Suspected Pakistani spies use catfishing, stealthy hacking tools to target Indian defense sector – CyberScoop - Pakistani government-linked APT group "Transparent Tribe" has spent the past 18 months using its hacking tool in cyber espionage campaigns leveraging catfishing that are designed to steal data from and take screenshots of compromised systems in India as well as to target Indian military personnel, defense contractors, and individuals attending Indian government-sponsored conferences and events.
- 15. Rapid7 says source code, credentials accessed as a result of Codecov supply-chain attack - Rapid7 disclosed that an unauthorized third party had access to source code and customer data as a result of the Codecov supply chain attack.
Five years after Sounil Yu originally introduced the Cyber Defense Matrix at the 2016 RSA conference, he just wrapped up the third workshop based on the framework. CDM has its own website, is an official OWASP project and has a forthcoming book. We talk to Sounil today to learn more about where the CDM came from, why people find it so useful and where it might be headed in the future.
Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!
Sounil Yu is the CISO and Head of Research at JupiterOne. Previously, he was CISO-in-Residence at YL Ventures and Chief Security Scientist at Bank of America. He created the Cyber Defense Matrix and the DIE Triad, which are reshaping approaches to cybersecurity. He’s a Board Member of the FAIR Institute and SCVX; co-chairs Art into Science: A Conference on Defense; is a visiting fellow at GMU Scalia Law School’s National Security Institute; teaches at Yeshiva University; and advises many startups.
Join Qualys researcher Wheel for a discussion on the team's recent discovery and disclosure of multiple critical vulnerabilities in the Exim mail server. This includes discussion of the vulnerabilities that can be chained together to obtain full remote unauthenticated code execution and gain root privileges.
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
“Wheel” is a member of the Qualys Research Team responsible for finding zero-days.