PSW #731 – Daniel Trauner, Antranig Vartanian, & David Marble
This week, we start the show off with an interview featuring Daniel Trauner, Senior Director of Security at Axonius, to discuss why Technology Changes, but Security (Often) Stays the Same! Next up, we welcome Antranig Vartanian, the CEO of Illuria Security, Inc., to discuss The State of Security of Current UNIX(-like) Systems! Lastly, the Security News for this week: HP UEFI Flaws, Strange Social Engineering Tactics, Samsung Galaxy Source Code Stolen, Malware with NVIDIA Code-Signing Certs, and Amazon Echos hack... themselves!?
Visit https://www.securityweekly.com/psw for all the latest episodes!
1. Technology Changes, but Security (Often) Stays the Same – Daniel Trauner – PSW #731
In a world with rapidly changing technology, it can be tempting to constantly reach for the newest, shiniest security tools and techniques at both the program management and engineering levels. But even given unusual circumstances like startup hypergrowth or Web3 applications, sometimes we should focus on more basic issues. We can learn a lot about where to start with some of these basics by looking at recent events, especially widely reported vulnerabilities or specific security incidents.
Daniel Trauner is the Senior Director of Security at Axonius, a cybersecurity asset management company, where he leads the implementation of security practices for a distributed and rapidly growing team. Previously, he was the Director of Platform Security at Bugcrowd, where he worked with (and was sometimes a part of) the thousands of security researchers worldwide who collectively attempt to understand, break, and fix anything that companies will let them. Growing up, he was always the kid who had more fun knocking down Lego towers than actually building them. Outside of security, Trauner enjoys reading, writing, collecting art, and trying to solve problems that others consider to be Kobayashi Maru scenarios.
2. The State of Security of Current UNIX(-Like) Systems – Antranig Vartanian – PSW #731
Unix-like systems are growing rapidly. Sometimes we forget to learn from the past and sometimes the past haunts us. We talk about how the rapid change in Unix-like systems has affected their security state.
Antranig started his career 10 years ago as a system administrator and part-time OS developer. After spending a couple of years in operations, he started working as the only security engineer at Armenia’s National Computer Emergency Response Team (CERT-AM), with responsibilities including, but not limited to, detecting active bots, botnets, and vulnerable servers and informing the public and the private sector about the security posture. Through his experience in security and operations, Antranig worked as a system engineer and later as CTO for multiple start-ups. Antranig currently serves as the CEO of illuria Security, a Cyber Deception company aiming to make deception the next standard in InfoSec. He uses, loves and contributes to FreeBSD, the Operating System made by Unix people, for Unix people.
3. Dirty Pipes Vuln, OSHEAN, Samsung Source Code, Root Through Azure, & Article 45.2 – PSW #731
This Security News segment will include a discussion with OSHEAN CEO David Marble about the upcoming Security Conference to be held at Bryant University on March 15th.
This week in the Security News: Dirty pipes, UEFI firmware flaws, strange social engineering, commanding Amazon devices to hack themselves, TLStorm, Article 45.2 and why it's a bad idea, misconfiguration leads to compromise, 10 signs of a poor leader, when power supplies attack, attacking SATCOMs, and the campus master key.
David Marble is the President and CEO of OSHEAN Inc. in North Kingstown, Rhode Island. David brings over 35 years of experience in technology companies. He is experienced in operations planning, budget development and management as well as technical planning and project management. David is also Secretary of the Board of Directors for the Northeast Research and Education Network (NEREN) and former Chair of the CEO Roundtable for The Quilt, the national Research and Education coalition. David also is on the steering committee for the Eastern Regional Network (ERN) dedicated to collaboration and resource sharing in research infrastructure.
Prior to joining OSHEAN in 2012, David was an executive and serial entrepreneur in a number of technology companies working in telecommunications, internet and software applications. He is committed to growing OSHEAN’s role as a strategic asset for the research, education and economic future of the region and works closely with members, the RI state leadership and national organizations in support of this mission.
- 1. Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities
  "Unit 42 researchers disclosed several vulnerabilities and attack techniques in GKE Autopilot to Google. Users able to create a pod could have abused these to (1) escape their pod and compromise the underlying node, (2) escalate privileges and become full cluster administrators, and (3) covertly persist administrative access through backdoors that are completely invisible to cluster operators."
- 2. Linux has been bitten by its most high-severity vulnerability in years
  More Linux exploit fun: "Tracked as CVE-2022-0847, the vulnerability came to light when a researcher for website builder CM4all was troubleshooting a series of corrupted files that kept appearing on a customer's Linux machine. After months of analysis, the researcher finally found that the customer's corrupted files were the result of a bug in the Linux kernel." All the details here: https://dirtypipe.cm4all.com/ and neat exploit here: https://haxx.in/files/dirtypipez.c
- 3. HP addressed 16 UEFI firmware flaws impacting laptops, desktops, PoS systems
  "“By exploiting the vulnerabilities disclosed, attackers can leverage them to perform privileged code execution in firmware, below the operating system, and potentially deliver persistent malicious code that survives operating system re-installations and allows the bypass of endpoint security solutions (EDR/AV), Secure Boot and Virtualization-Based Security isolation.” reads the analysis published by Binarly."
- 4. 2 New Mozilla Firefox 0-Day Bugs Under Active Attack — Patch Your Browser ASAP!
- 5. Microsoft Azure flaw allowed unauthorized account access
- 6. 5 Strangest Social Engineering Tactics of 2021
  This is a leap: "The email was sent to soccer clubs with legitimate video files and YouTube links showing training and match highlights. Victims who were intrigued by the video footage were instructed to download and enable a Microsoft Excel document infected with malware." In this case, better to pretext that you can see everyone who was promoted or fired, that'll get 'em to click: "some recipients received a message informing them that their employment was terminated, while others got news of a promotion or that they received a holiday bonus. By downloading the Excel file and clicking “enable content,” resulted in a Trojan being dropped on the victims’ computer." And this is just too classic: "A fraudster attempted to weave an email like this last year, posing as a Chief Justice of Canada, also adding in the email that the recipient had won additional lottery winnings, and the Bank of Canada has come to collect the money. The attacker claimed all of it could be resolved for the modest sum of just $100 and once the payment was received, the winnings would be available in the form of an ATM visa card."
- 7. Attackers can force Amazon Echos to hack themselves with self-issued commands
  "Because the hack uses Alexa functionality to force devices to make self-issued commands, the researchers have dubbed it "AvA," short for Alexa vs. Alexa. It requires only a few seconds of proximity to a vulnerable device while it’s turned on so an attacker can utter a voice command instructing it to pair with an attacker’s Bluetooth-enabled device. As long as the device remains within radio range of the Echo, the attacker will be able to issue commands."
- 8. TLStorm
  The breakdown: "CVE-2022-22806 – TLS authentication bypass: A state confusion in the TLS handshake leads to authentication bypass, leading to remote code execution (RCE) using a network firmware upgrade. CVE-2022-22805 – TLS buffer overflow: A memory corruption bug in packet reassembly (RCE). These vulnerabilities can be triggered via unauthenticated network packets without any user interaction (ZeroClick attack). The third vulnerability is a design flaw in which the firmware updates on affected devices are not cryptographically signed in a secure manner."
- 9. Access:7 vulnerabilities impact medical and IoT devices
- 10. Samsung Galaxy Source Code Stolen in Data Breach
- 11. Mozilla and the EFF publish letter about the danger of Article 45.2
  Clipper chip anyone? This is the new version of it: "Proposed EU legislation threatens to disrupt this balance. Article 45.2 of the eIDAS Regulation mandates support for a new kind of certificate called a Qualified Website Authentication Certificate (QWAC). Under this regulation, QWACs would be issued by Trust Service Providers (another name for CAs), with those TSPs being approved not by the browsers but rather by the governments of individual EU member states. Browsers would be required to trust certificates issued by those TSPs regardless of whether they would meet Root Program security requirements, and without any way to remove misbehaving CAs."
- 12. The Cyberspace Solarium Commission pushed some major policies into law. So what now?
  "With some of its key recommendations now law — such as the creation of the Office of the National Cyber Director in the White House — the remnant of the congressionally created panel is turning its attention to tracking how those ideas are implemented, while studying some of the issues it didn’t get to fully examine before releasing its final report. Those areas of study include protecting the water, maritime transport and health care sectors, as well as strengthening the federal and private sector workforce and ensuring plans to avert disruptions to the economy caused by cyberattacks."
- 13. Most ServiceNow Instances Misconfigured, Exposed
  No details that I could find, however, I believe there is an API that was looked at very closely: "Earlier this year, as part of my ongoing security research into the ServiceNow platform, I discovered external interfaces exposed to the public that may be utilized by a malicious actor to extract data from records. AppOmni’s analysis of ServiceNow instances, similar to our earlier analysis of other SaaS providers like Salesforce, showed that nearly 70% of tested ServiceNow instances were vulnerable to this misconfiguration, which could allow an unauthenticated user to extract data. Further investigation into these findings highlight that the root causes for data exposure are a combination of misconfigured Access Control Lists (ACL) and overprovisioning of permissions to guest users."
- 14. The threat is coming from inside the power supply
  "Schneider Electric has issued patches while the researchers advised changing default network management card passwords where applicable and installing publicly-signed SSL certificates. Access control lists are also said to help."
- 15. 10 Signs of a Poor Security Leader
  These are 10 signs of poor leadership in general...
- 1. Insecure Comms for Russians in Ukraine
  The Russian army in Ukraine has knocked down the 3G towers that it needs for its secure phones to work and are now using insecure comms, which get intercepted.
- 2. Secure comms, redux.
  Russia lost a Major General outside of Kharkiv. The FSB officer who reported this had to do it on a phone with a local SIM card because the Russian secure comms system has completely broken down.
- 3. SATCOM terminals under attack in Europe: a plausible analysis.
- 4. How a simple security bug became a university campus ‘master key’ – TechCrunch
- 5. Attackers can force Amazon Echos to hack themselves with self-issued commands
- 6. AutoWarp Microsoft Azure Automation Vulnerability – Orca Security
- 1. TikTok stops new content being uploaded in Russia
  While it assesses new, tough laws designed to crack down on Russian "fake news" about Russian armed forces following the invasion of Ukraine, Chinese-owned TikTok says it has suspended live streaming and new content on the platform as of March 4. The Russian government objects to the conflict in Ukraine being called a "war" rather than a "special military operation."
- 2. Ukraine says local govt sites hacked to push fake capitulation news
  The Security Service of Ukraine (SSU) revealed yesterday that "enemy" hackers are now leveraging compromised local government and regional authorities' websites to push disinformation claiming the Ukraine government has surrendered and signed a peace agreement with Russia.
- 3. Treasury Department sanctions alleged Russian cyber-espionage, disinformation sources – CyberScoop
  U.S. Department of Treasury levied sanctions against Russian organizations and oligarchs for actively spreading disinformation and supporting Putin's war in Ukraine.
- 4. Malware now using stolen NVIDIA code signing certificates
  Hackers are now leveraging two stolen NVIDIA code-signing certificates to sign malware in order to make it appear trustworthy and load malicious drivers in Windows.
- 5. CVE-2022-0492 flaw in Linux Kernel cgroups feature allows container escape
  A Linux kernel flaw, tracked as CVE-2022-0492, can allow an attacker to escape a container to execute arbitrary commands on the container host. A vulnerability was found in the Linux kernel's cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
- 6. Cisco Patches Critical Vulnerabilities in Expressway, TelePresence VCS Products
  Cisco this week announced patches that address a couple of critical vulnerabilities in its Expressway Series and TelePresence Video Communication Server (VCS) unified communications products that could be exploited by remote, authenticated attackers to write files or launch code with root privileges on the underlying operating system.
- 1. NETSPI: Escalating from Logic App Contributor to Root Owner in Azure
  The short explanation is that having Contributor access to an Azure Resource Manager (ARM) API Connection would allow you to create arbitrary role assignments as the connected user. Per the author: "In October 2021, I was performing an Azure penetration test. By the end of the test, I had gained Owner access at the Root level of the tenant."