Security Weekly
Paul's Security WeeklySubscribe
Vulnerability Management, Malware

PSW #757 – Ev Kontsevoy, Casey Ellis

Full Audio

View Show Index

Segments

1. The Role of Human Behavior in Security & the Future – Ev Kontsevoy – PSW #757

Hackers rarely break through crypto or exploit fancy zero days. Most of the time they simply login using stolen credentials. Managing passwords, keys and other forms of secrets does not work at scale. In this segment we’ll look into a more radical approach to infrastructure security: getting rid of secrets entirely and moving to access control based on physical properties of humans and machines.

This segment is sponsored by Teleport. Visit https://securityweekly.com/teleport to learn more about them!

Sponsored By

Teleport

Announcements

  • We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!

Guest

Ev Kontsevoy
Co-Founder and CEO at Teleport

An engineer by trade, Ev Kontsevoy founded Teleport in 2015 in order to help engineers quickly, effectively and securely access all computing infrastructure. Teleport eliminates passwords, static credentials and VPNs to improve security and meet compliance requirements without sacrificing developer experience and productivity.

Ev graduated from Siberian Federal University before holding a series of engineering roles at companies including National Instruments and GE. Prior to launching Teleport, Ev was co-founder and CEO of Mailgun, an API-based email delivery service which was later acquired by Rackspace. Under Ev’s leadership, Teleport has grown from 25 employees in 2020 to over 200 employees just two years later. His work is driven by a mission to maintain simplicity, clarity and security in increasingly complex computing environments.

Hosts

Principal Security Evangelist at Eclypsium
Principal Researcher at The Defenders Initiative
Founder at Guardedrisk
Product Security Research and Analysis Director at Finite State

2. Voltron, Karakurt Extortion, 1 Click Workaround, Snowden Citizenship, & Casey Ellis – PSW #757

This week, we're joined by Casey Ellis to discuss a Telco breach from a land down under, UK government sits out bug bounty boom but welcomes vulnerability disclosure, Karakurt Data Extortion Group, Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack, being caught with your pants down, & more!

Announcements

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Guest

Casey Ellis
Founder & Chief Strategy Officer at Bugcrowd

Casey is the Founder and Chief Strategy Officer of Bugcrowd, as well as the co-founder of The disclose.io Project. He is a 20+ year veteran of information security who entered the space from a youth spent inventing things and generally getting technology to misbehave. Prior to Bugcrowd, Casey entered information security as a penetration tester and security researcher, before wearing a variety of hats ranging from solutions architecture and sales to CSO, and finally landing as a career cybersecurity entrepreneur.

Casey pioneered Crowdsourced Security as-a-Service, launching Bugcrowd and its first bug bounty programs in 2012, and co-founded the disclose.io vulnerability disclosure standardization and adoption project in 2014.

Hosts

Principal Security Evangelist at Eclypsium
  1. 1. SSRF vulnerabilities and where to find them – Detectify Labs
  2. 2. Fingerprintx Tool: An Internship Project for the Real World – Praetorian
  3. 3. Breaking Bitbucket: Pre Auth Remote Command Execution (CVE-2022-36804)
  4. 4. Russia gives citizenship to ex-NSA contractor Edward Snowden
    "A decree signed Monday by Russian President Vladimir Putin listed Snowden as one of 75 foreign citizens listed as being granted Russian citizenship. After fleeing the U.S. in 2013, Snowden was granted permanent Russian residency in 2020 and said at the time that he planned to apply for Russian citizenship without renouncing his U.S. citizenship." - Could he be called for military services for Russia? Has he disclosed secrets to Russia? Also, curious how he is making a living these days...
  5. 5. How 3 hours of inaction from Amazon cost cryptocurrency holders $235,000
    "On August 17, the attackers used the hijacking to first obtain a TLS certificate for cbridge-prod2.celer.network, since they were able to demonstrate to certificate authority GoGetSSL in Latvia that they had control over the subdomain. With possession of the certificate, the hijackers then hosted their own smart contract on the same domain and waited for visits from people trying to access the real Celer Bridge cbridge-prod2.celer.network page."
  6. 6. SIM Swapper Abducted, Beaten, Held for $200k Ransom – Krebs on Security
    "A Florida teenager who served as a lackey for a cybercriminal group that specializes in cryptocurrency thefts was beaten and kidnapped last week by a rival cybercrime gang. The teen’s captives held guns to his head while forcing him to record a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life." - SIM swapping gets real. Why is it typically younger kids who are "holders"?
  7. 7. Negotiating a golden parachute clause in a CISO contract
  8. 8. Mythic Case Study: Assessing Common Offensive Security Tools
  9. 9. Introducing Hintfo – The Hacker Factor Blog
    "After chatting with Jeffrey last July, I decided to create my own "just metadata viewer". Since metadata contains helpful hints and internal information about files, I named my new service Hintfo (it's online at https://hintfo.com/). It works as easily as Jeffrey's: You upload a file to Hintfo and it shows you the metadata."
  10. 10. Shift F10 bypass and Autopilot privilge escalation
  11. 11. $35M fine for Morgan Stanley after unencrypted, unwiped hard drives are auctioned
    It can be costly to properly destroy data on older equipment (we interviewed someone a while back on this subject). However, I think its still cheaper than paying fines of $35 million.
  12. 12. What’s behind the different names for hacker groups
    "Microsoft picks names from the periodic table. CrowdStrike gives Chinese state groups a name with "Panda" in it, Russian state groups get a "Bear" name, Iranian groups have "Kitten" names, and North Korean group are "Chollima." Broadcom's Symantec uses names of insects. Palo Alto Networks names groups after constellations." - Not gonna lie, I kinda like how CrowdStrike does it. But why can't we all agree on a standard? I mean, we agree on so many other stand...oh nevermind...
  13. 13. Vultron: A Protocol for Coordinated Vulnerability Disclosure
  14. 14. New hacking group ‘Metador’ lurking in ISP networks for months
  15. 15. Linux System Call Monitoring – Black Hills Information Security
  16. 16. Tarfile: Exploiting the World With a 15-Year-Old Vulnerability
  17. 17. 350,000 open source projects at risk from Python vulnerability
  18. 18. Hunting for Unsigned DLLs to Find APTs
  19. 19. When Ransomware Meets IoT: What’s Next?
    "Trojan ZuoRAT was found to target initially routers to then enumerate and move laterally to workstations in the victim’s network. Beyond that, we spoke directly with security leaders at financial organizations, who confirmed that IP cameras are among their riskiest devices according to their own internal security assessments." - I'm concerned with the bricking of devices being tied to ransomeware. Its so easy to brick a device remotely today, just keep dropping devices until a ransom is paid, not that I want to give anyone ideas. However, recovery from a firmware wipe is hard.
  20. 20. Attackers abuse web security flaw in Sophos Firewall
    This must be trivial to exploit: "This is a code injection vulnerability in the User Portal and Webadmin components of the Sophos firewall that could be abused by remote attackers to execute arbitrary code on the vulnerable versions of Sophos firewalls." Ref: https://thesecmaster.com/how-to-fix-cve-2022-3236-a-critical-rce-vulnerability-in-sophos-firewall/
  21. 21. Attackers impersonate CircleCI platform to compromise GitHub accounts
  22. 22. ISC fixed high-severity flaws in the BIND DNS software
  23. 23. CISA Warns of Zoho ManageEngine RCE Vulnerability Exploitation
    Hot mess: "This vulnerability happens due to a vulnerable version of ApacheOfBiz (CVE-2020-9496) that exposes an XML-RPC endpoint at /webtools/control/xmlrpc in case of Manage Engine products this endpoint is /xmlrpc. This endpoint can deserealizes java objects, as part of this processing, any serialized arguments for the remote invocation are deserialized, therefore if the classpath contains any classes that can be used as gadgets to achieve remote code execution, an attacker will be able to run arbitrary system commands." References: https://www.bigous.me/2022/09/06/CVE-2022-35405.html and https://github.com/viniciuspereiras/CVE-2022-35405/
  24. 24. New Firmware Vulnerabilities Affecting Millions of Devices Allow Persistent Access
    This is the dangerous part: "In terms of supply chain impact, it will take 6-9 months based on our data for the vulnerabilities to be patched by device manufacturers at least on all the enterprise devices"
Principal Researcher at The Defenders Initiative
  1. 1. FBI Helping Australian Authorities Investigate Massive Optus Data Breach: Reports
    Allegedly young attacker, got in over their head; initially tried asking for a $1M ransom to not release the data; then madly backpedaled, apologized, said they deleted the data Some very interesting talking points here: 1. Optus is Australia's 2nd largest mobile telecom. It is a subsidiary of Singtel, a Singaporean government-owned telecom conglomerate that happens to be a huge cybersecurity investor (they bought Trustwave back in 2015 and rumors of them selling it have been swirling for the past few years) 2. The attack vector was apparently an unauthenticated API that gave access to the entire live customer database. It was allegedly part of a test network that wasn't supposed to be exposed to the Internet (whoopsie!) 3. The attacker alleges they would have reported the security issue, but couldn't find any way to do so (no bug bounty, VDP, security contact, Security.txt, DNS security record) 4. They released a 10,200 record sample as proof they had the data, but allegedly "nearly 10 million records" were exfiltrated, making it potentially Australia's biggest breach in terms of impact to individual citizens 5. Was texting individuals, trying to ransom each record individually for $1300 per record. Bold enough to be requesting bank transfer to a domestic (CBA) bank!!
  2. 2. Tenchi Security’s new newsletter, Alice in Supply Chains
Founder at Guardedrisk
Product Security Research and Analysis Director at Finite State
  1. 1. Digital natives more likely to fall for phishing attacks at work than their Gen X and Boomer colleagues
  2. 2. Getting Started with the undocumented Tesla BLE API
  3. 3. Someone is pretending to be me.
  4. 4. “Girls Who Code” books banned in some US classrooms • The Register
  5. 5. Say Hello to Crazy Thin ‘Deep Insert’ ATM Skimmers – Krebs on Security

Related

5G Hackathons – Casey Ellis – BTS #28

Casey recently was involved in an event that brought hackers and 5G technology together, tune-in to learn about the results and how we can use bug bounty programs to improve the security of "things". This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!