Playing Hanky Panky – PSW #710

Sponsored By

Announcements

• InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

Guest

Sinan Eren

VP, Zero Trust at Barracuda Networks

Sinan is a veteran in the cybersecurity space and serves as VP of Zero Trust at Barracuda. Sinan is passionate about helping companies with an increasingly distributed workforce mitigate breach risk by enabling secure access to critical enterprise resources for their outsourcers, partners, contractors and telework employees.

Hosts

Paul Asadoorian

Founder at Security Weekly

0offset

https://securityweekly.com

Patrick Laverty

Security Consultant at Rapid 7

http://patricklaverty.com/

Announcements

• Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Guest

Justin Collins

People Empowerer for Product Security Team at Gusto

Justin currently empowers the product security team at Gusto. In the past, he has been an application security engineer at SurveyMonkey, Twitter, & AT&T Interactive. Justin is the primary author of Brakeman, a free static analysis security tool for Ruby on Rails. The commercial version of Brakeman was acquired by Synopsys in 2018.

Hosts

Paul Asadoorian

Founder at Security Weekly

0offset

https://securityweekly.com

John Kinsella

Co-founder & CTO at Cysense

Patrick Laverty

Security Consultant at Rapid 7

http://patricklaverty.com/

Announcements

• Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

• In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.

Hosts

Paul Asadoorian

Founder at Security Weekly

0offset

https://securityweekly.com

1. 1. Drone accidentally drops off several pounds of weed, tobacco at high school
   Oops: "A drone carrying a package filled with marijuana, tobacco and three cell phones landed on school grounds in Brunswick County, Virginia on Monday. Investigators say this package was meant to be dropped off at the Lawrenceville Correctional Center."
2. 2. U.S. Company Sold Zero-Click Hacking Tool to UAE Spy Operation
   "Baier, Adams, and Gericke are alleged to have violated the International Traffic in Arms Regulations and conspired to commit access device fraud and computer hacking offenses. In another filing, prosecutors added that they will drop the charges if the three men cooperate with U.S. authorities, pay a financial penalty, and agree to a list of unspecified restrictions on their employment" - So, turns out, you can't just sell exploits to anyone willy niilly...(or if you do, there are consequences)
3. 3. There Are Too Many Underemployed Former Spies Running Around Selling Their Services to the Highest Bidder
   Agree? "This has been a years-long investigation and, in addition, far from the spotlight, policymakers have been trying to update the laws and regulations regarding how much of their expertise former American intelligence operatives can peddle to foreign countries, which will use that expertise to, oh, let’s just say, ratfck any attempts to reform their oil-sodden repression. This cannot be a space that is beyond the law."
4. 4. 8 Useful Websites That Can Replace Computer Software
   Is this more or less secure? Or, does it really matter? - My issue is that your data has to be uploaded to a 3rd party, for PDF editor as an example...
5. 5. Google is backing security reviews of these key open source projects
   "OSTIF has identified a total of 25 MAP projects targeted for funding, including the eight that Google has funded to date. Other projects with funding pending support include well-known systems and tools developers use, such as the Drupal and Joomla web content management systems, webpack, reprepro, cephs, Facebook-maintained React Native, salt, Gatsby, Google-maintained Angular, Red Hat's Ansible, and Google's Guava Java framework. "
6. 6. Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects
7. 7. FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild – The Citizen Lab
   "Citizen Lab forwarded the artifacts to Apple on Tuesday, September 7. On Monday, September 13, Apple confirmed that the files included a zero-day exploit against iOS and MacOS. They designated the FORCEDENTRY exploit CVE-2021-30860, and describe it as “processing a maliciously crafted PDF may lead to arbitrary code execution.”"
8. 8. Democracy Now: NSO Group Spies Secretly Seized Control of Apple Devices by Exploiting Flaw in Code – The Citizen Lab
9. 9. Fuzzing Closed-Source JavaScript Engines with Coverage Feedback
10. 10. Universal decryptor key for Sodinokibi, REvil ransomware released
11. 11. Apple Issues Urgent Updates to Fix New Zero-Day Linked to Pegasus Spyware
    "The updates arrive weeks after researchers from the University of Toronto's Citizen Lab revealed details of a zero-day exploit called "FORCEDENTRY" (aka Megalodon) that was weaponized by Israeli surveillance vendor NSO Group and allegedly put to use by the government of Bahrain to install Pegasus spyware on the phones of nine activists in the country since February this year."
12. 12. Anonymous Claims to Have Stolen Huge Trove of Data From Epik, the Right-Wing’s Favorite Web Host
    "Members of the hacktivist collective Anonymous claim to have hacked web registration company Epik, allegedly stealing “a decade’s worth of data,” including reams of information about its clients and their domains. Epik is controversial, having been known to host a variety of rightwing clients, including ones that other web hosting providers, like GoDaddy, have dropped for various reasons." - How active is Anonymous these days?
13. 13. All PrintNightmare Vulnerabilities Fixed
14. 14. No Patch for High-Severity Bug in Legacy IBM System X Servers
    "By sending a specially-crafted request through SSH or Telnet session, an attacker could exploit this vulnerability to execute arbitrary commands on the system." The fix is easy LOL: "Disable SSH and Telnet (This can be done in the Security and Network Protocol sections of the navigation pane after logging into the IMM web interface)"
15. 15. Microsoft Fixes Critical OMIGOD Vulnerabilities in Linux App
    WOW: "Thanks to the combination of a simple conditional statement coding mistake and an uninitialized auth struct, any request without an Authorization header has its privileges default to uid=0, gid=0"
16. 16. Security Researchers Unhappy With Apple’s Bug Bounty Program
    So get this, researchers say: "Security researchers said that Apple limits feedback on which bugs will receive a bounty, and former and current Apple employees said there's a "massive backlog" of bugs that have yet to be addressed." and "In interviews with more than two dozen security researchers, The Washington Post collected a number of complaints. Apple is slow to fix bugs, and doesn't always pay out what's owed.". YET, Apple says: "Apple feels the program has been a success, and that Apple has doubled the amount that it paid in bug bounties in 2020 compared to 2019. Apple is, however, still working to scale the program, and will offer new rewards in the future"
17. 17. Critical vulnerability in HAProxy
    "HTTP Request Smuggling is an attack technique that emerged in 2005. It is based on interfering with the processing of HTTP requests between the frontend server (i.e. HAProxy) and the backend server. An adversary typically exploits this technique by sending a specially crafted request that includes an additional request in its body. On a successful attack, the inner request is smuggled through the frontend (that considers it as only the request’s body) but is consumed as a normal request by the backend."
18. 18. PoC released for Ghostscript vulnerability that exposed Airbnb, Dropbox
    "Hackers have released proof-of-concept code that exploits a recently demonstrated vulnerability in older but still widely used versions of Ghostscript, the popular server-side image conversion software package. Security researcher Emil Lerner demonstrated an unpatched vulnerability for Ghostscript version 9.50 at the ZeroNights X conference in Saint Petersburg, Russia last month." - PoC: https://github.com/duc-nt/RCE-0-day-for-GhostScript-9.50 and more info: https://therecord.media/ghostscript-zero-day-allows-full-server-compromises/ (Originally From: https://twitter.com/jensvoid/status/1435631308294795264)

Joff Thyer

Security Analyst at Black Hills Information Security

https://www.blackhillsinfosec.com/team/joff-thyer/

John Kinsella

Co-founder & CTO at Cysense

Patrick Laverty

Security Consultant at Rapid 7

http://patricklaverty.com/