Paul’s Security Weekly #705
1. RF Village at DefCon – Rick Farina, Rick Mellendick – PSW #705
The RF Hackers Sanctuary is a group of experts in the areas of Information, Wifi, and Radio Frequency Security with the common purpose to teach the exploration of these technologies with a focus on security. We focus on teaching classes on Wifi and Software Defined Radio, presenting guest speakers and panels, and providing the very best in Wireless Capture the Flag games to promote learning.
https://rfhackers.com/ [email protected]
SC Media debuts its all-new SC digital experience, fully integrated with Security Weekly podcast content and more. The new site increases the scope and scale of original content resources from editorial staff, contributors, and the far-reaching CyberRisk Alliance network. Visit www.scmagazine.com to check out the new look!
After an unsuccessful adult film career under the pseudonym “Chubby Cox”, Zero has settled comfortably into his backup career of Wireless Security. Specializing in Wifi security, he has also branched out into bluetooth, radio, and sdr. Currently, he is working on the best Linux distro to ever grace the face of the earth, Pentoo. This bio is entirely unbiased.
Rick is the Chief Security Officer for PI Achievers by day, a process improvement and security firm, and an RF Hacker by night. Rick specializes in designing and assessing networks using offensive techniques to assist in securing client networks. He is a subject matter expert in computer network operations, Radio Frequency (RF) offense and defense, and building large scale security programs. Rick has completed over 500 vulnerability assessments and penetrations tests, specializing in the radio frequency spectrum.
2. The Stakes Are Raised When Protecting the Foundation of Computing – Scott Scheferman – PSW #705
With Eclypsium researchers' discovery of BIOSDisconnect and their upcoming talk and demo at DefCon 29 upon us, the stakes have never been higher when it comes to protecting the foundation of computing at the firmware level. A feature meant to make updating and protecting the firmware easier for users (BIOSConnect) ends up exposing the BIOS to being bricked or implanted with malicious code operating at the highest privilege. Yet another example of the significant vulnerabilities that exist at the firmware level that attackers have been eyeing of late.
https://defcon.org/html/defcon-29/dc-29-speakers.html#shkatov https://eclypsium.com/2021/06/24/biosdisconnect/ https://eclypsium.com/2021/04/14/boothole-how-it-started-how-its-going/ https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/
This segment is sponsored by Eclypsium.
Visit https://securityweekly.com/eclypsium to learn more about them!
In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.
Scott, aka “Shagghie” in the community, is a public speaker, thought leader and cyber strategist. With decades of cyber consulting in both Federal and Commercial domains, he brings strong opinions and insight into any topic covering cyber, privacy, AI/ML, or the intersections of these. Winner of the first defcon badge-hacking contest and a defcon music artist, he currently works to bring urgent awareness to the device and firmware attack surface now being readily exploited.
3. ‘Master Faces’, Ship Hijacked, Windows Container Escape, & DNS Loopholes – PSW #705
This week in the Security News: PwnedPiper and vulnerabilities that suck, assless chaps, how non-techy people use ARP, how to and how not to explain the history of crypto, they are still calling about your car warranty, master faces, things that will always be true with IoT vulnerabilities, DNS loopholes, and a toilet that turns human feces into cryptocurrency!
CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
- 1. July Firmware Threat Report – Eclypsium
- 2. Why Would Someone Hack My Website?Basically: Because it's there...
- 3. A NSA Guidance Explains How to Secure Your Wireless Devices?Actually some pretty decent tips
- 4. The hostel WiFi vigilanteThis is like the easy button for ARP poisoning: http://arcai.com/what-is-netcut/. The solution? perhaps: "So, wrote a script to scrape ARP table repeatedly, found duplicate entries for IP addresses, New duplicate ARP entries in subsequent scrapes are attackers, since original entry is the victim device’s ARP entry. Found original MAC addresses for attackers from the duplicate ARP entries, ARP poisoned the attackers themselves."
- 5. Let’s understand CryptographyThis is a much better article on crypto.
- 6. Research Shows How a Remote Print Server Leads to Windows Admin Privileges
- 7. Productivity tools for [email protected]Some neat tips, in fact I am testing out this one: https://github.com/laurent22/joplin as it allows for note taking, copy/paste images and even has a vim mode. I also thought it was a neat trick to switch your caps lock key for the escape key.
- 8. ‘I’m Calling About Your Car Warranty’, aka PII HijinxThis is a really interesting concept, and glad to see the research will be continued: "Researchers created 300 fake identities, signing them up on 185 legitimate websites ranging from Target to Fox News, with each identity used on a single website. Then they tracked how many email messages, phone calls, text messages and other responses were received based on the personally identifiable information (PII) used to register."
- 9. A brief history of cryptographyThis article was not what it claimed to be. I suggest that the author, and anyone else looking to write articles such as this, to confide in someone in the community as a reviewer/editor first. We are happy to help.
- 10. How I Monitor Active SSH Sessions With Prometheus And GrafanaI need to look into this one more. So Prometheus is a time-series DB for monitoring (https://prometheus.io/) and Grafana (https://grafana.com/) allows you to "Query, visualize, alert on, and understand your data no matter where it’s stored.".
- 11. Nothing is UnhackableAgree or Disagree? "Nothing is unhackable. It is extremely important for everyone to understand that nothing is unhackable. The more complicated the device, and the more complicated the software, or the more open it is to interaction with other applications, or research by security researchers or hackers, the more likely it is that you have created an additional attack surface. Playing offense is easy, because all you need to do is find a vulnerability. And playing defense is hard, because you need to defend yourself on all fronts, all the time."
- 12. Microsoft Patched the Issue That Enabled a Windows Container Escape"...users should follow Microsoft’s guidance recommending not to use Windows containers as a security feature. Microsoft recommends using strictly Hyper-V containers for anything that relies on containerization as a security boundary. Any process running in Windows Server containers should be assumed to have the same privileges as admin on the host, which in this case is the Kubernetes node. " - So can you run a container inside Kubernetes and then run Kubernetes inside Hyper-V?
- 13. Cisco Patches Critical Vulnerability in Small Business VPN Routers1) Its often the web interface 2) Its never supposed to be exposed to the Internet 3) scans always show that people have exposed it to the Internet 4) its always specially crafted requests that lead to RCE or DoS, hence this: "To exploit the bug, a remote, unauthenticated attacker has to send specially crafted HTTP requests to an affected device, which could allow them to execute arbitrary code or cause a denial of service (DoS) condition. “[T]he web management interface is locally accessible by default and cannot be disabled, but is not enabled for remote management by default. However, based on queries via BinaryEdge, we’ve confirmed there are at least 8,850 remotely accessible devices,” "
- 14. Cobalt Strike Bugs Found in the Latest Versions of the Cobalt Strike’s Server.Handy, so a good tool used by bad people has a vulnerability that good people can use against the bad people using the good tool: "They discovered that a user is able to register fake beacons with the server of a particular Cobalt Strike installation and that by sending fake tasks to the server, can crash it by exhausting the available memory."
- 15. Black Hat 2021: DNS loophole makes nation-state level spying as easy as registering a domain"What we found was that registering certain "special" domains, specifically the name of the name server itself, has unexpected consequences on all other customers using the name server. It breaks the isolation between tenants. We successfully registered one type of special domain, but we suspect there are many others."
- 16. Scientist Invents Toilet That Turns Human Feces Into CryptocurrencyJust for the LOLs
- 1. New Android Malware Uses VNC to Spy and Steal Passwords from VictimsA previously undocumented Android-based RAT has been found to use VNC screen and keystroke recording features to steal sensitive information on the device.
- 2. Chipotle’s Email Marketing Account Hacked to Spread MalwareA new phishing campaign exploiting a compromised Chipolte Mailgun mailing service account was discovered in mid-July. In Of the 121 phishing emails detected, two were vishing attacks (fake voicemail notifications with malware attachments), 14 impersonated the USAA Bank, and 105 impersonated Microsoft.
- 3. PwnedPiper critical bug set impacts major hospitals in North AmericaPneumatic tube system (PTS) stations used in thousands of hospitals worldwide are vulnerable to a set of nine critical security issues collectively dubbed "PwnedPiper," that could be exploited by unauthenticated attackers to take complete control over some Internet-connected TransLogic PTS stations and ultimately take control over a targeted hospital's entire PTS network.
- 4. LockBit 2.0, the first ransomware that uses group policies to encrypt Windows domainsA new variant of the LockBit 2.0 ransomware is now able to encrypt Windows domains by using Active Directory group policies.
- 5. SafeWA – Application AuditAn audit report regarding Western Australia’s SafeWA COVID-19 contact tracing app reveals that police accessed the app’s data and that the app itself contained security flaws. In the report, the Auditor-General of Western Australia expressed concern that the personal data the app collected were used for purposes other than contact tracing. Western Australia released the SafeWA app in November 2020.
- 6. The Lazio Region vaccine portal is held hostage by hackersLazio Italy's regional government was forced to take down its COVID-19 shot-booking system after it was hit by a possible ransomware attack during which attackers targeted its database
- 7. Over 100 warship locations have been faked in one yearAbuses of location technology might just result in hot political disputes. According to Wired, SkyWatch and Global Fishing Watch theyound the fakes by comparing uses of the automatic identification system (AIS, a GPS-based system to help prevent collisions) with verifiable position data by using an identifying pattern.
- 8. Vulnerabilities in NicheStack TCP/IP Stack Affect Many OT Device VendorsResearchers have identified more than a dozen vulnerabilities in the NicheStack TCP/IP stack, which appears to be used by many operational technology (OT) vendors. The issues could be exploited by attackers to perform remote code execution; conduct denial-of-service attacks, TCP spoofing, DNS cache poisoning; and to leak information.
- 9. Stop ignoring this iPhone warningHave you seen the prompt on your iPhone to update to iOS 14.7.1, but you've been putting it off? After all, it doesn't seem like there's much to it... Hint -it's a big deal.
- 10. Reindeer leaked the sensitive data of more than 300,000 peopleWizCase’s ethical cyber researchers discovered a misconfigured Amazon S3 bucket belonging to Reindeer containing over 50,000 files and totaling 32GB of data. The Reindeer Company is a defunct American advertising company.