Security Weekly
Paul's Security WeeklySubscribe
Security Staff Acquisition & Development, Threat Management, Malware

PSW #742 – John Pescatore

Full Audio

View Show Index

Segments

1. Building Career Links to Secure the Real Supply Chain – John Pescatore – PSW #742

John will go through his mostly random career choices that led to a long and fun career in information/cybersecurity - and how that ties into today's demand to secure the increase complex supply web of chains.

Segment Resources: SANS Cyberstart initiative - https://www.cyberstartamerica.org/

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!

Guest

John Pescatore
Director, Emerging Security Trends at SANS

Mr. Pescatore joined SANS in January 2013 with 35 years’ experience in computer, network and information security. He was Gartner’s lead security analyst for 13 years, working with global 5000 corporations and major technology and service providers. Prior to joining Gartner Inc. in 1999, Mr. Pescatore was Senior Consultant for Entrust Technologies and Trusted Information Systems, where he started, grew and managed security consulting groups focusing on firewalls, network security, encryption and Public Key Infrastructures. Prior to that, Mr. Pescatore spent 11 years with GTE developing secure computing and telecommunications systems.

Mr. Pescatore began his career at the National Security Agency, where he designed secure voice systems, and the United States Secret Service, where he developed secure communications and surveillance systems. He holds a Bachelor’s degree in Electrical Engineering from the University of Connecticut and is a NSA Certified Cryptologic Engineer. He is an Extra class amateur radio operator, callsign K3TN.

Hosts

Principal Security Evangelist at Eclypsium
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. Prank Calls, Lazarus APT, WordPress Critical Vulns, CISA Adds 41 Flaws, & Zoom Bugs – PSW #742

This week in the Security News: Chaining Zoom bugs is possible to hack users in a chat by sending them a message, Microsoft vulnerabilities down for 2021, CISA adds 41 flaws to its Known Exploited Vulnerabilities Catalog, Using NMAP to Assess Hosts in Load Balanced Clusters, Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover, & more!

Announcements

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Principal Security Evangelist at Eclypsium
  1. 1. Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover
    "One of the flaws—tracked as CVE-2022-1654 and rated as 9.9, or critical on the CVSS–allows for “any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin,” he wrote. The plugin is required to run the JupiterX theme." - Not sure how we got to 9.9 when it still requires some level of authenticated user...
  2. 2. Downloading Pwned Passwords Hashes with the HIBP Downloader
    "The idea of taking 16^5 hash ranges, bundling them all up into a single monolithic archive then making it all downloadable seemed a non-trivial task."
  3. 3. Using NMAP to Assess Hosts in Load Balanced Clusters
    Good tip: "So, how do we work through this problem of "my DNS target is now multiple different hosts, each with their own IP", and add to that, now dozens or hundreds of other hosts (from other organizations) now reside on those same IP addresses? By default, nmap will only assess the first IP returned for the DNS query against your hostname. "
  4. 4. CISA adds 41 flaws to its Known Exploited Vulnerabilities Catalog
    738 if you're counting at home (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), given there are 176k+ CVEs (https://www.cvedetails.com/), I believe this is good guidance. I'd flag these in my VM and make sure they get patched at the highest priority.
  5. 5. Microsoft vulnerabilities down for 2021
    Counting CVEs is just silly. Multiple CVEs could be assigned for the same vulnerability, and multiple vulnerabilities can be addressed in a single advisory. Stop counting and comparing, it's just silly.
  6. 6. Chaining Zoom bugs is possible to hack users in a chat by sending them a message
    "Chaining the above vulnerabilities, an attacker can trick a vulnerable client into connecting to a rogue server, potentially leading to arbitrary code execution due to an update package downgrade in Zoom Client for Windows that could allow the installation of a less secure version."
  7. 7. Lumos System Can Find Hidden Cameras and IoT Devices in Your Airbnb or Hotel Room
    "At its core, the platform works by snuffing and collecting encrypted wireless packets over the air to detect and identify concealed devices. Subsequently, it estimates the location of each identified device with respect to the user as they walk around the perimeter of the space. The localization module, for its part, combines signal strength measurements that are available in 802.11 packets (aka Received Signal Strength Indicator or RSSI) with relative user position determined by visual inertial odometry (VIO) information on mobile phones." - Snuffing? Okay, we typically say sniffing. Which, by the looks of it, you could do the same thing with Kismet...
  8. 8. r/InfoSecNews – U.S. DOJ will no longer prosecute ethical hackers under CFAA
    Well, let's get hacking people! - "With this policy update, the DOJ is separating cases of good-faith security research from ill-intended hacking, which were previously distinguished by a blurred line that frequently placed ethical security research in a problematic, gray legal area. Under these new policies, software testing, investigation, security flaw analysis, and network breaches intended to promote the security and safety of the target devices or services are not to be prosecuted by federal prosecutors."
  9. 9. 380K Kubernetes API Servers Exposed to Public Internet
    "White [Kubernetes] provides massive benefits to enterprises for agile app delivery, there are a few characteristics that make it an ideal attack target for exploitation,” he said. “For instance, as a result of having many containers, Kubernetes has a large attack surface that could be exploited if not pre-emptively secured." - Complexity breeds vulnerability.
  10. 10. Announcing PSP Security Protocol is now open source
    Interesting: "To address these challenges, we developed PSP (a recursive acronym for PSP Security Protocol,) a TLS-like protocol that is transport-independent, enables per-connection security, and is offload-friendly. At Google, we employ all of these protocols depending on the use case. For example, we use TLS for our user-facing connections, we use IPsec for site-to-site encryption where we need interoperability with 3rd party appliances, and we use PSP for intra- and inter- data center traffic." - Don't invent your own protocol, especially for encryption, I mean unless you're Google.
  11. 11. National bank hit by ransomware trolls hackers with dick pics
    Wow: "However, instead of paying the ransom, the bank representatives responded to the ransom negotiation by making fun of the hacker's '14m3-sk1llz.' They then proceeded to post a link to a dick pic while stating, "suck this dick and stop locking bank networks thinking that you will monetize something, learn to monetize."" - That's some balls right there...
  12. 12. Fake Windows exploits target infosec community with Cobalt Strike
    I hate binary exploits for just this reason: "However, it soon became apparent that these proof-of-concept exploits were fake and installed Cobalt Strike beacons on people's devices. Cobalt Strike is a legitimate pentesting tool that threat actors commonly use to breach and spread laterally through an organization. In a subsequent report by cybersecurity firm Cyble, threat analysts analyzed the PoC and found that it was a .NET application pretending to exploit an IP address that actually infected users with the backdoor."
  13. 13. Popular Python and PHP libraries hijacked to steal AWS keys
    "'ctx' is a minimal Python module that lets developers manipulate their dictionary ('dict') objects in a variety of ways. The package, although popular, had not been touched since 2014 by its developer, as seen by BleepingComputer. However, newer versions emerged starting May 15th into this week and contained malicious code:"
  14. 14. Outlets tricked by 7-zip CVE-2022-29072 hoax
    Not sure if we covered this last month, if we did, we apologize for not vetting the source. We believe this to be a hoax now...
Principal Researcher at The Defenders Initiative
Senior Cyber Advisor at Lawrence Livermore National Laboratory
  1. 1. WIRED: This Hacktivist Site Lets You Prank Call Russian Officials · Techukraine
    A group of international hacktivists calling itself the "Obfuscated Dreams of Scheherazade" has reportedly launched the WasteRussiaTime.today website, which was created to protest the war in Ukraine by placing automated robocalls and prank calls to officials working in various Russian government entities, the military, and intelligence agencies.
  2. 2. North Korea-linked Lazarus APT uses Log4J to target VMware servers
    North Korea-linked Lazarus APT group has been leveraging the Log4J remote code execution (RCE) vulnerability (CVE-2021-44228) since at least January 2021 in attacks designed to infect internet-exposed VMware Horizon servers with a PowerShell command that ultimately installs the "NukeSped" backdoor.
  3. 3. Clearview AI fined £7.5 million and told to delete all UK facial recognition data
    Clearview AI has been fined £7.55 million ($9.5 million) by the UK's privacy watchdog for illegally scraping the facial images of UK citizens from the internet and social media platforms.
  4. 4. Fake Windows exploits target infosec community with Cobalt Strike
    An unknown threat actor has been identified sending infosec security researchers bogus Windows proof-of-concept (PoC) exploits that are designed to infect targeted devices with the legitimate "Cobalt Strike" penetration testing tool.
  5. 5. Cisco Warns of Exploitation Attempts Targeting New IOS XR Vulnerability
    Cisco notified customers that it had identified "in-the-wild" attempts to exploit the new, medium-severity open-port vulnerability (CVE-2022-20821) impacting its RPM and IOS XR software, which can be exploited by unauthenticated attackers to gain access to a Redis instance running within the "NOSi" container.
  6. 6. Popular Python and PHP libraries hijacked to steal AWS keys
    A threat actor has reportedly compromised the "ctx" PyPI module as part of a supply chain attack and distributed malicious versions of the module that are designed to steal developers' environment variables.

Related