PSW #768 – Robert Martin
1. Software Supply Chain Security & MITRE’s System of Trust – Robert Martin – PSW #768
This session explores software supply chain security and the details of System of Trust, a community effort to develop and validate a process for integrating evidence of the organizational, technical, and transactional trustworthiness of supply chain elements for decision makers dealing with supply chain security. This framework is defining, aligning, and addressing the specific concerns and risks that stand in the way of organizations’ trusting suppliers, supplies, and service offerings. More importantly, the framework offers a comprehensive, consistent, and repeatable methodology – for evaluating suppliers, supplies, and service offerings alike – that is based on decades of supply chain security experience, deep insights into the complex challenges facing the procurement and operations communities, and broad knowledge of the relevant standards and community best practices.
Segment Resources:
- https://sot.mitre.org/overview/about.html
- https://shiftleft.grammatech.com/automating-supply-chain-integrity
- https://www.reversinglabs.com/conversinglabs/robertmartinmitresoftwaresupplychainsystemoftrust
- https://www.mitre.org/sites/default/files/2022-11/PR-22-01488-20-cybersecurity-benefits-of-sbom-september-2022.pdf
- https://www.mitre.org/sites/default/files/2021-11/prs-21-0278-deliver-uncompromised-securing-critical-software-supply-chain.pdf
Announcements
Dive deeper into the world of cybersecurity with Security Weekly on Instagram! Follow us @SecWeekly to find exclusive clips, hilarious memes, behind-the-scenes sneak peeks, and more! Stay connected, stay informed, and join our growing community!
Guest
Robert Martin, a Senior Principal Software and Supply Chain Assurance Engineer at the MITRE Corporation, has dedicated his career to solving some of the world’s most difficult problems in systems and software engineering. His work focuses on the interplay of risk management, cyber security, and quality assessment and assurance. For 23 years, Robert has applied his expertise to international cybersecurity initiatives such as CVE, CAPEC, and CWE, which host large active vendor and research communities, and is now working on standardizing the Software Bill of Materials (SBoM) and the supply chain security System of Trust™.
Robert is frequently invited to speak on security and quality issues pertaining to software-based technology systems and the work of the IIC, and has published numerous articles and presentations. He has also contributed to or authored over 60 standards within ITU-T, ETSI, OMG, The Open Group, UL, and ISO, including the new ISO/IEC 5055 code quality measurement standard. Prior to joining MITRE, Robert designed and installed manufacturing control systems in Area 2 of Kodak Park and performed software integration and porting projects for both RPI and General Electric. Robert holds degrees in electrical engineering from RPI and an MBA from Babson.
2. Roblox Prison, 3DS RCE, Puckungfu, Google Home Wiretaps, & Lastpass Hack – PSW #768
In the Security News: The Roblox prison yard, password manager problems, PyTorch gets torched with a supply chain attack, Oppenheimer cleared, Puckungfu, spice up your persistence with PHP, turning Google Home into a wiretap device, Nintendo 3DS remote code execution, Linux kernel remote code execution, stealing cards in 2022 - the API way, and there is no software supply chain... and more!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
- 1. Southwest Airlines flight cancellations continue to snowball
US Transportation Secretary Pete Buttigieg says his agency will investigate what caused the unusually large number of flight cancellations over the holiday weekend. The company’s pilot and flight attendant unions said that Southwest ignored the need to upgrade its outdated computer systems, which contributed to the airline’s troubles in the face of winter storms.
Southwest has historically understaffed IT positions and not kept its IT systems current. Will this change?
- 2. Linux Kernel 5.15 Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable. The bug affects the in-kernel SMB server designed to augment Samba, on systems running the Linux 5.15 kernel, such as Ubuntu 22.04.
- 3. New York governor signs modified right-to-repair bill at the last minute
New York state governor Kathy Hochul has signed the Digital Fair Repair Act into law, months after it had passed both chambers of the state's legislature. The law will require companies to provide the same diagnostic tools, repair manuals, and parts to the public that they provide to their own repair technicians.
The bill as signed contains even more conditions and exceptions, ostensibly added to address the governor's concerns about "technical issues that could put safety and security at risk, as well as heighten the risk of injury from physical repair projects."
- 4. PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild
A critical arbitrary file upload vulnerability in the YITH WooCommerce Gift Cards Premium WordPress plug-in is being actively exploited. The exploit leverages a flaw in the importactionsfromsettingsfrompanel function, which runs on the admin_init hook. That hook fires for any request to /wp-admin/, so the flawed code runs in the admin context without authentication, and an attacker can affect pretty much anything reachable through the /wp-admin/ directory. The function was lacking a CSRF check and a capability/type check.
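As an added illustration (not the plugin's own code), here is a hypothetical WordPress admin_init handler that performs a settings import with the three checks the write-up says were missing: a capability check, a nonce-based CSRF check, and a server-side file type check. All names (example_guarded_import, example_import_action, example_import_nonce, example_plugin_settings) are assumed.

```php
<?php
// Added illustration, not the YITH plugin's code. admin_init fires for
// any request to /wp-admin/ (including admin-ajax.php hit by a logged-out
// visitor), so a handler on this hook must establish who is asking and
// whether they intended the action before touching uploaded data.

// Weak pattern (what the write-up describes): act on request data directly.
//   add_action('admin_init', function () {
//       if (isset($_FILES['import_file'])) { do_import($_FILES['import_file']); }
//   });

add_action('admin_init', 'example_guarded_import');

function example_guarded_import() {
    // Only react to an explicit request for this action.
    if (empty($_POST['example_import_action'])) {
        return;
    }
    // Capability check: the caller must actually be an administrator.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', array('response' => 403));
    }
    // CSRF check: the request must carry a nonce issued by our own form.
    check_admin_referer('example_import_action', 'example_import_nonce');

    if (empty($_FILES['import_file']['tmp_name'])
        || !is_uploaded_file($_FILES['import_file']['tmp_name'])) {
        wp_die('No file uploaded');
    }
    // Type check: accept only the format we expect, decided server-side
    // against an allow-list rather than trusting the client's MIME type.
    $check = wp_check_filetype($_FILES['import_file']['name'],
                               array('json' => 'application/json'));
    if ($check['ext'] !== 'json') {
        wp_die('Unsupported file type');
    }
    $data = json_decode(file_get_contents($_FILES['import_file']['tmp_name']), true);
    if (!is_array($data)) {
        wp_die('Malformed import file');
    }
    // Store parsed settings; the raw file is never written to the web root.
    update_option('example_plugin_settings', $data);
}
```

The form that submits to this handler would emit its nonce with wp_nonce_field('example_import_action', 'example_import_nonce') so that check_admin_referer() can verify it.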
- 5. New Linux malware uses 30 plugin exploits to backdoor WordPress sites
There are two variants. The first, Linux.BackDoor.WordPressExploit.1, has remote C&C, targets 32-bit Linux, but will run on 64-bit variants as well; the second, Linux.BackDoor.WordPressExploit.2, appears to be an updated version with different C&C servers and exploits for additional plugins. The Doctor Web blog lists the plugins each targets and has links to IOCs you can ingest. https://news.drweb.com/show/?i=14646&lng=en&c=23
- 6. CISA Says Two Old JasperReports Vulnerabilities Exploited in Attacks
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two JasperReports flaws to its Known Exploited Vulnerabilities Catalog. CVE-2018-5430 and CVE-2018-18809 have patches from TIBCO, also released in 2018.
- 7. Ransomware gang apologizes, gives SickKids hospital free decryptor
The LockBit ransomware gang has released a free decryptor for the Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking a hospital. The attack violated LockBit's code of ethics, and they removed the affiliate who executed the attack from their network. But they still took long enough to release the decryptor that the hospital was able to restore over 50% of systems to operational status.
- 8. Okta GitHub Repositories Breached
Okta Workforce Identity Cloud service source code was stolen. The question: do you believe Okta's claim that the security of the service does not depend on the confidentiality of its source code?