Security Weekly
Paul's Security WeeklySubscribe
Remote access, Security awareness, Social engineering, Vulnerability management, Zero trust

Party Time! – PSW #683

This week, we welcome Peter Smith from ZScaler, to talk about What Does Zero Trust Mean To You?! Next, We dive straight Into the Security News, discussing Police Playing copyrighted music to stop video of them being posted online, Border agents can search phones freely under new circuit court ruling Microsoft warns enterprises of new 'dependency confusion' attack, Old security vulnerability left millions of IoT devices, A Simple And Yet Robust Hand Cipher,Zero Trust in the Real World , Clubhouse And Its Privacy & Security Risks,Google launches Open Source Vulnerabilities database, Hacker Tries to Poison Water Supply , Cyberpunk 2077 makers CD Projekt hit by ransomware hack, Multiple Security Updates Affecting TCP/IP, Microsoft’s Remote Desktop Web Access Vulnerability! Lastly, we close out the show with a special pre-recorded interview with 'Wheel' a Qualys researcher who helped discover the infamous Baron Samedi SUDO Vuln!

Visit https://securityweekly.com/zscaler to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

View Show Index

Full Audio

Segments

1. What Does Zero Trust Mean To You? – Peter Smith – PSW #683

In this segment we'll unpack "Zero Trust", what does it mean and how can it be applied as a concept to information security today? It certainly begs the question what and who do you trust? Often without too much thought, we trust software, machines, and people. Each time you run an "apt upgrade" (using sudo!), you are implying trust. When you deploy that enterprise monitoring software (*cough* Solarwinds *cough*), you have to trust it, but to what degree? Tune in to find out more!

This segment is sponsored by Zscaler.

Visit https://securityweekly.com/zscaler to learn more about them!

Sponsored By

Zscaler

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Guest

Peter Smith
Peter Smith
VP, Secure Workload Communications at Zscaler

Peter Smith is Vice President of Secure Workload Communications at Zscaler. Previously, Peter was the Founder and CEO of Edgewise which was acquired by Zscaler. Peter brings a security practitioner’s perspective to segmentation, workload protection and zero trust security with over ten years of expertise as an infrastructure and security architect of data centers and customer-hosting environments for Harvard University, Endeca Technologies (Oracle), American Express, Fidelity UK, Bank of America, and Nike.

Hosts

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
Jeff Man
Jeff Man
Sr. InfoSec Consultant – Online Business Systems at Online Business Sytems
Larry Pesce
Larry Pesce
Product Security Research and Analysis Director at Finite State
Lee Neely
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
Tyler Robinson
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. CD Projekt Ransomwared, Ciphers, Water Supply Hacked, & Clubhouse Security Risks – PSW #683

This week in the Security News, Police Playing copyrighted music to stop video of them being posted online, Border agents can search phones freely under new circuit court ruling, Microsoft warns enterprises of new 'dependency confusion' attack, Old security vulnerability left in millions of IoT devices, A 'Simple And Yet Robust' Hand Cipher, Zero Trust in the Real World , Clubhouse And Its Privacy & Security Risks, Google launches Open Source Vulnerabilities database, Hacker Tries to Poison Water Supply , Cyberpunk 2077 makers CD Projekt hit by ransomware hack, Multiple Security Updates Affecting TCP/IP, Microsoft’s Remote Desktop Web Access Vulnerability, & more!

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Hosts

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
  1. 1. Cops playing copyrighted music to stop video of them being posted online
    Interesting hack, police officers will play popular music in the hopes what when the video is uploaded to a major site it's taken down due to a copyright violation.
  2. 2. Border agents can search phones freely under new circuit court ruling
    This is bad news: "A US appeals court has ruled that Customs and Border Protection agents can conduct in-depth searches of phones and laptops, overturning an earlier legal victory for civil liberties groups. First Circuit Judge Sandra Lynch declared that both basic and “advanced” searches, which include reviewing and copying data without a warrant, fall within “permissible constitutional grounds” at the American border."
  3. 3. Microsoft warns enterprises of new ‘dependency confusion’ attack technique
    "Researchers showed that if an attacker learns the names of private libraries used inside a company's app-building process, they could register these names on public package repositories and upload public libraries that contain malicious code. The "dependency confusion" attack takes place when developers build their apps inside enterprise environments, and their package manager prioritizes the (malicious) library hosted on the public repository instead of the internal library with the same name."
  4. 4. This old security vulnerability left millions of Internet of Things devices vulnerable to attacks
    Forescout is leading this research, from their paper: "In the second study of Project Memoria, Forescout Research Labs discloses NUMBER:JACK, a set of 9 new vulnerabilities affecting embedded TCP/IP stacks. The vulnerabilities are all related to the same problem: weak Initial Sequence Number (ISN) generation, which can be used to hijack or spoof TCP connections. Ultimately, attackers may be able to leverage those vulnerabilities to close ongoing connections, causing limited denials of service, to inject malicious data on a device or to bypass authentication" (Paper: https://www.forescout.com/company/resources/numberjack-weak-isn-generation-in-embedded-tcpip-stacks/)
  5. 5. A Simple And Yet Robust Hand Cipher
    I like that they are showing kids how neat cypto is: "KeypadCrypt is a so-called hand cipher, i.e. a simple manual method for encryption, without a computer. It is a substitution cipher that replaces each letter by a number. The numbers are chosen from a phone keypad, where letters have been shuffled according to an effortless memorizable secret code agreed between parties on forehand."
  6. 6. Zero Trust in the Real World
    But don't call it Zero Trust: "And organizations will need to implement a zero-trust framework without calling it zero trust (it's definitely a morale killer if you tell all your employees you don't trust them). Internal communications teams should come up with creative campaigns, so employees rally behind and adopt zero-trust concepts (talking about "protecting each other," for example, is a nice way to flip things around)."
  7. 7. A Silicon Chip Shortage Is Causing Big Issues for Automakers
    And it means getting a hold of new AMD processors, Nvidia RTX 30 series, Xbox series X/S and PS5.
  8. 8. Clubhouse And Its Privacy & Security Risk
    "The in-app audio chats are believably deleted once everyone has left the room. But the Alpha Exploration’s privacy policy says the conversations are only deleted automatically if nobody reported a “Trust and Safety violation” throughout the chat. In other words, if there is an incident, Clubhouse retains the audio until “the investigation is complete.” Although they added that the temporary audio recordings are encrypted, they reserve the right to share them with law enforcement if necessary."
  9. 9. Google launches Open Source Vulnerabilities (OSV) database
    “We are excited to launch OSV (Open Source Vulnerabilities), our first step towards improving vulnerability triage for developers and consumers of open source software.” reads the post published by Google. “The goal of OSV is to provide precise data on where a vulnerability was introduced and where it got fixed, thereby helping consumers of open source software accurately identify if they are impacted and then make security fixes as quickly as possible.”
  10. 10. Hacker Tries to Poison Water Supply of Florida Town
    Teamviewer for the loss.
  11. 11. Cyberpunk 2077 makers CD Projekt hit by ransomware hack
    Maybe the general public can find more bugs now: "If we will not come to an agreement, then your source codes will be sold or leaked online and your documents will be sent to our contacts in gaming journalism"
  12. 12. Multiple Security Updates Affecting TCP/IP:? CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086 – Microsoft Security Response Center
    "The DoS exploits for these CVEs would allow a remote attacker to cause a stop error. Customers might receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic."
  13. 13. Google Chrome Zero-Day Afflicts Windows, Mac Users
  14. 14. Microsoft’s Remote Desktop Web Access Vulnerability — Raxis
    "Recently, I discovered that RD Web Access is susceptible to an anonymous authentication timing attack that can validate usernames within an Active Directory domain. Furthermore, RD Web Access exposes the connected domain name if the Remote Procedure Call (RPC) endpoint is accessible on the target server. An anonymous attacker can exploit this behavior to gather intelligence about an organization’s Active Directory environment and build a list of valid domain users for use in secondary attacks."
Jeff Man
Jeff Man
Sr. InfoSec Consultant – Online Business Systems at Online Business Sytems
Larry Pesce
Larry Pesce
Product Security Research and Analysis Director at Finite State
  1. 1. Proofpoint sues Facebook to get permission to use lookalike domains for phishing tests
  2. 2. New phishing attack uses Morse code to hide malicious URLs
  3. 3. Web hosting provider shuts down after cyberattack
  4. 4. Bloor on Twitter
  5. 5. Browser ‘Favicons’ Can Be Used as Undeletable ‘Supercookies’ to Track You Online
  6. 6. Henry Ford cardiologists find iPhone 12 magnet deactivates implantable cardiac devices
Lee Neely
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
  1. 1. Web developers SitePoint discloses a data breach
    Melbourne, Australia-based book, course, and article publisher SitePoint has disclosed it suffered a data breach after an unknown attacker compromised a third-party tool it uses to monitor its GitHub account, breached its infrastructure, and then stole approximately one million records containing "non-sensitive" customer data.
  2. 2. Patch Windows to avoid denial of service attacks: Microsoft
    Microsoft has issued an alert urging customers to immediately patch two remote code execution (RCE) vulnerabilities and another flaw (CVE-2021-24086) that can be easily exploited to conduct denial-of-service (DoS) attacks. According to Microsoft, while all three vulnerabilities affect the Windows transmission control/internet protocol (TCP/IP) networking stack, CVE-2021-24086 is easy to exploit and can result in a "STOP" error accompanied by the Blue Screen of Death.
  3. 3. Two Iranian hacking groups appear to be actively snooping on critics around the globe – CyberScoop
    Iranian hacking groups "Domestic Kitten" (APT-C-50) and "Infy" (Prince of Persia), which are believed to be sponsored by the Iranian government, have been spotted conducting eavesdropping campaigns around the world in order to collect sensitive information. According to Check Point, Domestic Kitten was identified targeting victims in Afghanistan, Iran, Pakistan, Turkey, the U.K., the U.S., and Uzbekistan, while Infy was found targeting dissidents in 12 different countries.
  4. 4. Ukrainian Police Arrest Author of World’s Largest Phishing Service U-Admin
    In coordination with U.S. authorities, the Ukrainian attorney generals' office announced last week that, along with the National Police, it had shut down the "U-Admin" phishing service; seized computer equipment, hard drives, and cell phones; and arrested the 39-year-old man responsible for developing the phishing package and a special admin panel for the service.
  5. 5. New BendyBear APT malware gets linked to Chinese hacking group
    Palo Alto Unit 42 researchers have disclosed the existence of "BendyBear," a new poly-morphic and "highly sophisticated" piece of malware that was initially discovered in August 2020 and includes capabilities similar to those found in the "WaterBear" malware family, which has been connected to the Chinese government-linked "BlackTech" cyber espionage group.
  6. 6. CD PROJEKT RED gaming studio hit by ransomware attack
    CD PROJEKT RED, the video game development studio behind Cyberpunk 2077 and The Witcher trilogy, has disclosed a ransomware attack that impacted its network.
  7. 7. Conti ransomware gang tied to latest attacks on hospitals in Florida and Texas
    A security researcher on Monday said the recent ransomware attacks on hospital chains in Florida and Texas are tied to the Conti ransomware gang.
  8. 8. Hackers try to contaminate Florida town’s water supply through computer breach
    Hackers broke into the computer system of a facility that treats water for about 15,000 people near Tampa, Florida and sought to add a dangerous level sodium hydroxide to the water supply. Remote access to OT what can go wrong?
  9. 9. CISA Alert AA21-042A Compromise of U.S. Water Treatment Facility
    US-CERT alert on the compromise of the Florida Water Treatment Facility - including technical details. Mentions of teamview and Windows 7 concerns. What could go wrong?
  10. 10. 20 ingenious uses for WD-40
    Use No. 16: It keeps snow from sticking to shovels. (Thanks to Chelle for this)
Tyler Robinson
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

3. Unearthing a 10-Year Old SUDO Vulnerability – . Wheel – PSW #683

“Wheel” was part of the team that discovered the heap overflow vulnerability in SUDO, Baron Samedit (CVE-2021-3156), that impacted major Unix-like operating systems included Linux, macOS, AIX and Solaris. He’ll provide an overview of the vulnerability and then dive into a technical discussion of the research.

Announcements

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Guest

. Wheel
. Wheel
Researcher at Qualys

“Wheel” is a member of the Qualys Research Team responsible for finding zero-days.

Hosts

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
Lee Neely
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
Tyler Robinson
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

Related

Managed services
Work-from-Anywhere: Securing the Blurry Edges of Your Network – CFH #19

In the last few years, many companies have found that their home offices and their internal on-prem networks are no longer always the central core around which their business operations revolve. Even with more employees returning to the office now, remote and hybrid workforce models are here to stay, thanks to an exponentially increased reliance on...
prestitial ad