Network security, Emerging technology, Identity and access, Malware, Vulnerability management

PSW #753 – Davi Ottenheimer, Daniel Niefeld, Zachary Stashis

There's a lot of worry about "fakes" especially in a world rapidly adopting AI/ML, so it's time for solutions. "Solid" is the W3C open standard, extending HTTPS, to upgrade the Web with security paradigms that solve for data integrity. Distributed systems naturally break through digital moats, free control through proper ownership, thus helping expand and achieve the best of the Internet.

Segment Resources:

https://solidproject.org/

https://github.com/inrupt

https://www.flyingpenguin.com/?p=29523

https://alltechishuman.org/davi-ottenheimer

https://www.schneier.com/blog/archives/2020/02/inrupt_tim_bern.html

https://events.inrupt.com/dublin

This week in the Security News: Crypto Miners Using Tox P2P Messenger as Command and Control Server, 8-year-old Linux Kernel flaw DirtyCred is nasty as Dirty Pipe, & Janet Jackson music video given CVE for crashing laptops, & more!

Segment Resources:

Use code "securityweekly" to save 10% off Hack Red Con tickets at https://www.hackredcon.com/


Segments

1. Data Integrity Lights the Way: Security With the Decentralized Web – Davi Ottenheimer – PSW #753


Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Security Weekly listeners save 20% on InfoSec World 2022 passes! InfoSec World will be held September 27th through the 29th at Disney's Coronado Springs Resort in Lake Buena Vista, Florida. Visit securityweekly.com/isw and use the code ISW22-SECWEEK20 to secure your spot now!

Guest

Davi Ottenheimer
VP Trust and Digital Ethics at Inrupt

Davi strives to ensure that engineering and business practices are grounded in scientific principles, with full cognizance of design, measuring the economics of intended functions and operating them with regard to human safety. His career of over three decades leading security and trust for global organizations (high-availability and confidentiality missions) has been guided by his expertise in making technology more effective and used for good. His current role involves developing and implementing real-world decentralization technology with ethics (integrity) at its core, to help the Web be as beneficent and trustworthy as possible.

Hosts

Paul Asadoorian
Founder at Security Weekly
Jason Albuquerque
Chief Operating Officer at Envision Technologies
Josh Marpet
Executive Director at RM-ISAO
Larry Pesce
Principal Managing Consultant and Director of Research & Development at InGuardians
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
Tyler Robinson
Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

2. Mudge, Tox P2P Messenger, 8 Year Old Linux Flaws, Dirty Pipe, & Unix Legends – PSW #753


Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Guests

Daniel Niefeld
CFO & Co-Founder at Hack Red Con
Zachary Stashis
CEO at Hack Red Con

Founder of Hack Red Con and Red Seer Security, Red Teamer, Bug Hunter, and Mentor.

Hosts

Paul Asadoorian
Founder at Security Weekly
  1. Microsoft warns that KB5012170 update may cause 0x800f0922 error
  2. Microsoft Pluton: Security chip doesn’t let Linux on the Lenovo Z13 and Z16 - "this means that given the default firmware configuration, nothing other than windows will boot. it also means that you won't be able to boot from any third-party external peripherals that are plugged in via thunderbolt. there's no security benefit to this."
  3. Vulnerability wholesaler cuts disclosure times over poor-quality patches - "For failed patches, ZDI will give vendors 30 days to address the flaw if it's critical, the patch is easily circumvented, and if exploitation is expected. Vendors will have 60 days to address critical and high severity issues if the patch provides some defence and exploitation is possible. They will get 90 days for all other vulnerabilities below these severity ratings and there's no imminent threat of exploitation."
  4. Janet Jackson music video given CVE for crashing laptops - "It turns out that the song contained one of the natural resonant frequencies for the model of 5400 RPM laptop hard drives that they and other manufacturers used"
  5. Intel SA-00086 vulnerability and CPU firmware security: what
  6. 8-year-old Linux Kernel flaw DirtyCred is nasty as Dirty Pipe - “DirtyCred is a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege. Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged. Although the concept is simple, it is effective.”
  7. Researchers Find Counterfeit Phones with Backdoor to Hack WhatsApp Accounts
  8. Uncovering a ChromeOS remote memory corruption vulnerability – Microsoft Security Blog - "As with other modern browsers, exploiting ChromeOS usually requires chaining vulnerabilities together. Due to hardening measures in ChromeOS, discovering vulnerabilities became a specific niche and, therefore, the number of public vulnerabilities is quite low compared to other operating systems." interesting: "The impact of heap-based buffer overflow ranges from simple DoS to full-fledged RCE. Although it’s possible to allocate and free chunks through media metadata manipulation, performing the precise heap-grooming is not trivial in this case and attackers would need to chain the exploit with other vulnerabilities to successfully execute any arbitrary code."
  9. Zoom patches root exploit, patches patch due to root exploit - Moar patching: "The two holes could be exploited together to, simply put, feed a malicious update to Zoom to install and run, which shouldn't normally be allowed to happen. Wardle gave Zoom credit for issuing quick patches for the flaws, which the biz published individually on August 9 and 13. But look at Zoom's recent security bulletins, and it becomes quickly clear that something went wrong: five days later a third patch was released for the same problem."
  10. An encrypted ZIP file can have two correct passwords — here’s why
  11. Vulnerability in Linux containers – investigation and mitigation
  12. New Air-Gap Attack Uses MEMS Gyroscope Ultrasonic Covert Channel to Leak Data
  13. Privilege Escalation Flaw Haunts VMware Tools
  14. Last port of call – The Hacker Factor Blog
Josh Marpet
Executive Director at RM-ISAO
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
Tyler Robinson
Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security
  1. Hack Red Con - Announcing a new conference called Hack Red Con this September in Louisville, KY. With the mission of educating, mentoring, and workforce development for the future of the cyber security industry. Conference dates are September 7th-11th 2022. We hope to see you there! Security Weekly listeners get a 10% discount on tickets!