Security Weekly
Paul's Security WeeklySubscribe
Email security, Leadership, Security Staff Acquisition & Development

Short Term Memory Issues – PSW #689

View Show Index

Segments

1. The Intersection of Cybersecurity & Cryptocurrency – Nick Percoco – PSW #689

With an uptick in malware scams and email compromises, the best thing we can do is educate the cryptocurrency community about risks and security best practices.

https://www.youtube.com/playlist?list=PL1fKlftNZ_xGh8AFVy46suO193IIQ7lnq

https://www.kraken.com/en-us/features/security/kraken-security-labs

https://www.canisecure.com/ https://blog.kraken.com/security-labs/

Announcements

  • We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!

Guest

Nick Percoco
Chief Security Officer at Kraken

Nick Percoco, Chief Security Officer at Kraken, has been an active member of the security industry for over two decades, working as both a security practitioner and advisor. He’s presented research on targeted malware, iOS and Android vulnerabilities, and IoT security at events such as DEF CON, Black Hat, RSA Conference and SXSW. He’s also designed, led and advised in the development of security products and services used by millions of people and businesses while working for Internet Security Systems, VeriSign, Trustwave and Rapid7. Nick founded SpiderLabs and led global teams of hackers that discovered real-world 0-day vulnerabilities to help secure the most targeted businesses such as Las Vegas casinos, global financial institutions, major retail brands and video game companies to ensure their facilities, products, employees and clients were kept safe and secure.

Hosts

Principal Security Evangelist at Eclypsium
Sr. InfoSec Consultant at Online Business Sytems
Product Security Research and Analysis Director at Finite State
Senior Cyber Advisor at Lawrence Livermore National Laboratory
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. Cybersecurity Journalist – Robert Lemos – PSW #689

Paul, and the rest of the PSW Hosts, will talk to Robert about how he got his start in InfoSec.

Announcements

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Guest

Robert Lemos
Cybersecurity and Data Journalist at Undisclosed

Writes for DarkReading and TechBeacon. Veteran technology journalist of more than 25 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R.

Hosts

Principal Security Evangelist at Eclypsium
Sr. InfoSec Consultant at Online Business Sytems
Product Security Research and Analysis Director at Finite State
Senior Cyber Advisor at Lawrence Livermore National Laboratory
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

3. Ubiquiti Breach, Tesla, PHP, & More Sagas – PSW #689

npm netmask library has a critical bug, when AI attacks, firmware attacks on the rise, Microsoft Hololens and order 66, a real executive order 13694, The Ubiquity breach saga, the FreeBSD and wireguard saga, is the cloud more secure? Hopefully for PHP it is, software updates limit muscle car to 3 HP, a brand new Windows 95 easter egg just in time for, well, easter, and aging wine in space, does it make a difference?

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Hosts

Principal Security Evangelist at Eclypsium
  1. 1. Critical netmask networking bug impacts thousands of applications
    "The root cause of the problem turned out to be Netmask’s incorrect evaluation “of individual IPv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on Netmask to filter or evaluate IPv4 block ranges, both inbound and outbound" (https://portswigger.net/daily-swig/ssrf-vulnerability-in-npm-package-netmask-impacts-up-to-279k-projects), "For example, a remote unauthenticated attacker can request local resources using input data 0177.0.0.1 (127.0.0.1), which netmask evaluates as public IP 177.0.0.1. Contrastingly, a remote authenticated or unauthenticated attacker can input the data 0127.0.0.01 (87.0.0.1) as localhost, yet the input data is a public IP and potentially cause local and remote file inclusion (LFI/RFI)" (https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md)
  2. 2. Will AI Short Circuit Cybersecurity?
    Basically, how do we prevent creating Skynet? - "The article describes how engineers discovered a surprising feature relating to the now defunct Google Project Loon, which was intended to make the Internet universally available using balloons rather than satellites. They observed that, on a trip from Puerto Rico to Peru, the balloon began tacking, which is the method used with sailboats for changing direction. Not that that is particularly startling, except that they had never taught the AI how to do that—it did it all by itself! While this was a “gee whiz moment,” it portends what might be one of the greatest dangers of AI (artificial Intelligence) systems, namely, acting autonomously in unanticipated and possibly dangerous ways."
  3. 3. Alan Turing, WWII Cryptanalyst and Computer Pioneer, on New £50 Note – Security Boulevard
    "Turing was selected to appear on the note?…?in recognition of his groundbreaking work in mathematics and computer science, as well as his role in cracking the Enigma code?…?in World War II. … [It] incorporates a number of designs linked to Turing’s life and legacy. These include technical drawings for the bombe, a decryption device used during WWII; a string of ticker tape with Turing’s birthday rendered in binary?…?a green and gold security foil resembling a microchip; and a table and mathematical formulae taken from one of Turing’s most famous papers." Also: "It’s a way to let the UK honor historic people. But don’t pretend like it’s some big feat or victory for oppressed people. Pardoning and putting a him on a note doesn’t undo that."
  4. 4. The Importance of Cybersecurity to SEO
    Recovering from the SEO hits you take from a website compromise could be impactful: "When a business website become a victim of hackers, it can have below mentioned impacts, Website traffic can be redirected to third party servers., Error 50X, internal server error can be generated., Massive 404 errors, content not found can be caused across the website.,Websites can be infected with malicious code, which can spread infections to all visitors., Websites can be infected by phishing attacks to trick visitors."
  5. 5. Serious Vulnerability In Netmask npm Package Risked 270K+ Projects
  6. 6. Two Linux Vulnerabilities Could Allow Bypassing Spectre Attack Mitigations
    So many privilege abuses in the Linux Kernel: "Unprivileged BPF programs running on affected systems can bypass the protection and execute speculatively out-of-bounds loads from any location within the kernel memory. This can be abused to extract contents of kernel memory via side-channel."
  7. 7. Blind XPath Injections: The Path Less Travelled
    Awesome article explaining XPath injections, with examples from a CTF.
  8. 8. 83% of Businesses Hit With a Firmware Attack in Past Two Years
    "Microsoft last year released a line of "Secured-Core" Windows 10 PCs as part of a partnership with Intel, Qualcomm, and AMD, to help businesses better defend against attacks that attempt to interfere with the boot process. Last June, it added a UEFI scanner to Microsoft Defender Advanced Threat Protection to assess the security posture inside of a firmware file system. However, even though Microsoft working to expose firmware visibility, "I don't think we yet have the total picture," he says, and it's a challenge to observe attacks taking place below the operating system. What's more, not all businesses can shift to new hardware in the near term, and many security teams are juggling too many other issues to prioritize firmware."
  9. 9. President Biden extended Executive Order 13694 regarding cyberattack sanctions
  10. 10. Microsoft Wins $22 Billion Deal Making Headsets for US Army
    Interesting to think about hacking these, like in a battle, executing order 66! - "The technology is based on Microsoft’s HoloLens headsets, which were originally intended for the video game and entertainment industries. Pentagon officials have described the futuristic technology — which the Army calls its Integrated Visual Augmentation System — as a way of boosting soldiers’ awareness of their surroundings and their ability to spot targets and dangers."
  11. 11. Top 5 Attack Techniques May Be Easier to Detect Than You Think
  12. 12. How I “Hacked” a Popular Illicit Website Accidentally.
    Interesting story, crime doesn't pay (though as a criminal you may have to pay): "Hey, it’s been a while, but Sammy just got sent a cease and desist from Chick-Fil-A. He has to pay restitution."
  13. 13. DD-WRT 45723 Buffer Overflow – Exploitalert
  14. 14. Whistleblower: Ubiquiti Breach “Catastrophic” — Krebs on Security
    Holy crap, what a saga...
  15. 15. Buffer overruns, license violations, and bad code: FreeBSD 13’s close call
    Holy crap, what another saga!
  16. 16. Universal “netmask” npm package, used by 270,000+ projects, vulnerable to octal input data: server-side request forg
  17. 17. PHP’s Git server hacked to add backdoors to PHP source code
    So, moral of the story, the cloud is more security?
  18. 18. OpenSSL fixes severe DoS, certificate validation vulnerabilities
  19. 19. Dodge Offers Software Update For Chargers And Challengers That Limits Them To 3 HP Of Raw Hemi Power
    "The way the engine manages to restrict the power so effectively from 485 HP/475 pound-feet or 707 HP and 650 lb of torque is by limiting the engines to a 675 rpm idle."
  20. 20. Google’s unusual move to shut down an active counterterrorism operation being conducted by a Western democracy
  21. 21. Windows 95 Easter egg discovered after being hidden for 25 years
    "You have to open its About window, select one of the files, and type MORTIMER. Names of the program's developers will start scrolling"
  22. 22. Tasting experts sample wine aged for a year in space
    I feel like this is a hacker thing like someone asked the question: "What would wine taste like if it were aged in zero gravity?".
Sr. InfoSec Consultant at Online Business Sytems
Product Security Research and Analysis Director at Finite State
  1. 1. Police say they found mafia fugitive on YouTube, posting cooking tutorials
  2. 2. Update on campaign targeting security researchers
  3. 3. Child tweets gibberish from US nuclear-agency account
  4. 4. Buffer overruns, license violations, and bad code: FreeBSD 13’s close call
  5. 5. Activision Forces Online Check DRM Into New Game, Which Gets Cracked In One Day
  6. 6. SpaceX seemingly takes steps to protect telemetry data after leak
  7. 7. Whistleblower: Ubiquiti Breach “Catastrophic” — Krebs on Security
  8. 8. Recovering a full PEM Private Key when half of it is redacted
  9. 9. PHP Compromised: What WordPress Users Need to Know
Senior Cyber Advisor at Lawrence Livermore National Laboratory
  1. 1. Cars Have Your Location. This Spy Firm Wants to Sell It to the U.S. Military
    Charleston, S.C.-based surveillance contractor The Ulysses Group is reportedly looking to sell the U.S. military a new product it asserts is capable of obtaining the real-time locations of specific vehicles anywhere on earth leveraging data collected and sent by car sensors.
  2. 2. China Bans Tesla Cars From Entering Military Locations and Housing Compounds
    China has decided that Tesla vehicles pose a threat following concern over the multiple cameras each contains and the sensitive data they are capable of recording. With that in mind, the military has banned Elon Musk's cars from entering any Chinese military complexes or housing compounds.
  3. 3. PHP’s Git server hacked to add backdoors to PHP source code
    Malicious actors pushed two malicious commits to the "php-src" Git repository maintained by the PHP team on its "git.php.net" server Sunday in an attempt to add backdoors to and compromise the PHP code base. PHP maintainers have migrated the official PHP source code repository to GitHub.
  4. 4. Whistleblower claims Ubiquiti Networks data breach was ‘catastrophic’
    The whistleblower said that attackers were able to obtain administrative access to AWS Ubiquiti databases using credentials stored in and stolen from an employee's LastPass account, which allowed them to access AWS accounts, S3 buckets, app logs, SSO cookie secrets, and all databases, including those containing user credentials.
  5. 5. OpenSSL fixes severe DoS, certificate validation vulnerabilities
    OpenSSL has released an advisory about two high-severity vulnerabilities (CVE-2021-3449 and CVE-2021-3450) affecting its products that could be leveraged by attackers to create a denial-of-service (DoS) condition or prevent the Certificate Authority (CA) from issuing certificates.
  6. 6. This Android malware hides as a System Update app to spy on you
    A new, "sophisticated" Android spyware app disguising itself as a software update has been discovered by researchers. Once installed on a device, the compromised device is registered with a Firebase C&C server that issues commands while a dedicated C&C server manages data exfiltration. Information collected by the RAT is said to include GPS data, SMS messages, contact lists, call logs, images and video files, and microphone audio.
  7. 7. Tax scammers hack government-run facial recognition system
    A group of tax scammers has been identified leveraging manipulated personal information, high-definition photos, and a fake video to hack the government-run facial recognition system used by the State Taxation Administration, which allowed their registered shell company to issue bogus tax returns to clients. $500M Yuan ($76.2M USD)
  8. 8. FBI published a flash alert on Mamba Ransomware attacks
    "Mamba" ransomware has been identified abusing the "DiskCryptor" (HDDCryptor, HDD Cryptor) open-source tool to encrypt entire hard drives.
  9. 9. Evil Corp switches to Hades ransomware to evade sanctions
    The "Evil Corp" cybercrime gang has been spotted using the "Hades" ransomware to evade sanctions levied in December 2019 by the U.S. Department of Treasury's (Treasury) Office of Foreign Assets Control (OFAC).
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

Related