Snowed In – PSW #718
This week, we kick off the show with an interview featuring Lodrina Cherne and Martijn Grooten, who join us to discuss the real-world capabilities of stalkerware! Then, Sachin Mahajan from InGuardians joins to delve into MAVSH! In the Security News: NPM hijacked again, hardcoding your keys, PAN-ODay, more Nmap in your Python or Python in your Nmap, put your Docker API to rest, BusyBox will own your box, Microsoft says it's a feature not a vulnerability, SBDCs, TIPC Linux kernel vulnerability, patches that don't fix everything, truckloads of GPUs and "are you high?"
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
1. Stalkerware Capabilities in the Real World – Lodrina Cherne, Martijn Grooten – PSW #718
Can using technology risk your personal safety? Tracking information can be shared with attackers and facilitate cyberstalking in multiple ways including key logging and screen sharing. Exploration of recent court cases and investigations will be shared and attendees will learn what resources can help individuals experiencing digital abuse at the hands of a technical adversary.
In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.
Lodrina Cherne is a champion for security in the digital forensics and cybersecurity industries. As Principal Security Advocate at Cybereason, she drives innovation and development of best practices related to cybersecurity standards and policy. Cherne is also a Certified Instructor at the SANS Institute where she helps information security professionals advance their foundational understanding of digital forensics. Cherne has earned a bachelor’s degree in Computer Science from Boston University and is an Aspen Tech Policy Hub Fellow.
Martijn Grooten, a former mathematician, has been working in IT security for 14 years. He was previously the Editor of Virus Bulletin and currently works as a consultant on a number of projects, many of which deal with supporting vulnerable people and groups with digital security. He is head of threat intel research at Silent Push, part of the team that built the Ford Foundation’s Cybersecurity Assessment Tool, a fellow at the Civilsphere Lab and a Coordinator at the Coalition Against Stalkerware.
2. MAVSH – Sachin Mahajan – PSW #718
Over the course of 2020 and 2021, new UAV regulations and restrictions, such as Remote Identification, have threatened UAV hobbyists' ability to fly freely. These new regulations did leave hobbyists with one loophole: building a sub-250g quad. After this realization, I set out to build a sub-250g quad which can be flown for fun, or as one of the first remotely accessible war-flying devices.
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
3. TIPC Kernel Vulns, SBDCs, Truckloads of GPUs, & Hardcoded SSH Keys – PSW #718
This week in the Security News: NPM hijacked again, hardcoding your keys, PAN-ODay, more Nmap in your Python or Python in your Nmap, put your Docker API to rest, BusyBox will own your box, Microsoft says it's a feature not a vulnerability, SBDCs, TIPC Linux kernel vulnerability, patches that don't fix everything, truckloads of GPUs and testing if you're high!
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
- 1. How THC “breathalyzers” work, and why some experts say they’re flawed: "This new test, called EPOCH (Express Probe for On-site Cannabis Inhalation) instead works by collecting and concentrating your saliva to evaluate it for current levels of THC. It evaluates whether or not THC levels are above one nanogram of THC per milliliter of saliva within a twelve-hour consumption window." Also, there's an app for that: "By reacting to different game-like stimuli from DRUID, the app determines if a user has impaired response time, coordination, or balance — signs of impairment that could be deadly when driving or operating heavy machinery."
- 2. Debunking Five Myths About Zero-Trust
- 3. Pythonizing Nmap: Interesting usage of subprocess with shlex to run Nmap from within a Python script. Awesome write-up and examples, a must read.
- 4. Types of Penetration Testing: Network, web app, red team and social engineering are the types. Really? The rabbit hole goes deeper.
- 5. Massive Zero-Day Hole Found in Palo Alto Security Appliances: "The vulnerability chain consists of a method for bypassing validations made by an external web server (HTTP smuggling) and a stack-based buffer overflow. It affects Palo Alto firewalls running the 8.1 series of PAN-OS with GlobalProtect enabled (specifically versions < 8.1.17). Exploitation of the vulnerability chain has been proven and allows for remote code execution on both physical and virtual firewall products. Publicly available exploit code does not exist at this time. Patches are available from the vendor."
- 6. Hacking the Sony Playstation 5 – Schneier on Security
- 7. Shadow IT Makes People More Vulnerable to Phishing: Neat phishing trick!
- 8. Hackers Target Docker Servers That Are Not Well Configured: "In the beginning, by means of an accessible Docker REST API a container will be created on the susceptible host;" - Really, just don't do this. NEVER expose the Docker REST API to the Internet, unless you want to run a honeypot.
- 9. Unboxing BusyBox – 14 new vulnerabilities uncovered by Claroty and JFrog: "All vulnerabilities were privately disclosed and fixed by BusyBox in version 1.34.0, which was released Aug. 19." - It will be a long time, and for some never, before these fixes are pushed to firmware projects and products. However, these do not appear to be very impactful: "The DoS vulnerabilities are trivial to exploit, but the impact is usually mitigated by the fact that applets almost always run as a separate forked process. The information leak vulnerability is nontrivial to exploit (see, next section). The use-after-free vulnerabilities may be exploitable for remote code execution, but currently we did not attempt to create a weaponized exploit for them. In addition, it is quite rare (and inherently unsafe) to process an awk pattern from external input."
- 10. Cisco Talos finds 10 vulnerabilities in Azure Sphere’s Linux kernel, Security Monitor and Pluton. Hrmmm: "We thank Cisco Talos for sharing their continued research into Azure Sphere, which first started during the Azure Sphere Security Research Challenge in 2020. After reviewing the findings on TALOS-2021-1341 and TALOS-2021-1344, Microsoft believes the approach described is implemented by design and does not present a security risk to customer production environments."
- 11. Organizations believe they are ready for ransomware attacks – Help Net Security
- 12. US House Passes Acts to Help SMBs with Cybersecurity. Interesting: "The Small Business Development Center Cyber Training Act would establish a cyber counseling certification program at Small Business Development Centers (SBDCs) so that they can better assist small businesses with their cybersecurity and cyber-strategy needs."
- 13. US bans trade with security firm NSO Group over Pegasus spyware (updated): "The US Commerce Department has added NSO to its Entity List, effectively banning trade with the firm. The move bars American companies from doing business with NSO unless they receive explicit permission. That's unlikely, too, when the rule doesn't allow license exceptions for exports and the US will default to rejecting reviews. NSO and fellow Israeli company Candiru (also on the Entity List) face accusations of enabling hostile spying by authoritarian governments. They've allegedly supplied spyware like NSO's Pegasus to "authoritarian governments" that used the tools to track activists, journalists and other critics in a bid to crush political dissent. This is part of the Biden-Harris administration's push to make human rights "the center" of American foreign policy, the Commerce Department said."
- 14. Critical RCE Vulnerability Reported in Linux Kernel’s TIPC Module: "While TIPC itself isn't loaded automatically by the system but by end users, the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation makes this a dangerous vulnerability for those that use it in their networks."
- 15. Two NPM Packages With 22 Million Weekly Downloads Found Backdoored: "The two libraries in question are "coa," a parser for command-line options, and "rc," a configuration loader, both of which were tampered by an unidentified threat actor to include "identical" password-stealing malware."
- 16. Yes, a literal truck heist over GPUs did just happen: "The post takes care to warn people about purchasing any of these cards that surface, as EVGA has listings of the serial numbers involved. So trying to register the warranty for any of these cards won’t work and may get you a visit from authorities. If you can register a card warranty, that’s a clear sign that your GPU is clean. It’s a better idea than ever to check the serial number before buying off Craigslist at the moment." - heh, criminals won't care if it's stolen, nor would they ever register for the warranty.
- 17. Hardcoded SSH Key in Cisco Policy Suite Lets Remote Hackers Gain Root Access: There is a vulnerability in SSH, but also: "Cisco Policy Suite Releases 21.2.0 and later will also automatically create new SSH keys during installation, while requiring a manual process to change the default SSH keys for devices being upgraded from 21.1.0." An important step, changing your keys, which should be automated in the first place. Also, if this allows access to the traffic (or not), it's a great place to hide: "Also addressed by Cisco are multiple critical vulnerabilities affecting web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) that could enable an unauthenticated, remote attacker to log in using an inadvertent debugging account existing in the device and take over control, perform a command injection, and modify the configuration of the device."
- 18. How to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus: Patches didn't fix everything: "None of the public analysis of this vulnerability mentions a Java class upload. The CISA report also mentions that "Subsequent requests are then made to different API endpoints to further exploit the victim's system." which is not the case here. Chances are in-the-wild attackers made use of another exploitation path. Anyway, the patch applied by ManageEngine only fixes the path traversal issue. While actually preventing our exploitation, this leaves opened the file upload and parameter injection issues for future use."
- 1. GHSA-g2q5-5433-rhrf – GitHub Advisory Database
- 2. Popular NPM package UA-Parser-JS poisoned with cryptomining, password-stealing malware
- 3. Popular ‘coa’ NPM library hijacked to steal user passwords
- 4. Full Disclosure: The Knights of NYNEX presents: Song of the siren
- 5. 4 Tips on How Small to Midsize Businesses Can Combat Cyberattacks
- 6. Hardcoded SSH Key in Cisco Policy Suite Lets Remote Hackers Gain Root Access