Careers, Leadership, Social engineering, Compliance, Data security, Security awareness

Snowed In – PSW #718

This week, we kick off the show with an interview featuring Lodrina Cherne, and Martijn Grooten join to discuss the Realworld capabilities of Stalkerware! Then, Sachin Mahajan from Inguardians joins to delve MAVSH!! In the Security News: NPM hijacked again, hardcoding your keys, PAN-ODay, more Nmap in your python or python in your nmap, put your Docker API to rest, Busybox will own your box, Microsoft says its a feature not a vulnerability, SBDCs, TIPC Linux kernel vulnerability, patches that don't fix everything, truckloads of GPUs and “are you high”?

Segment Resources:

http://mav.sh/

https://github.com/0xkayn/Valkyrie

https://www.youtube.com/watch?v=CJZ2gCLopyU

Visit https://www.securityweekly.com/psw for all the latest episodes!

Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

View Show Index

Full Audio

Segments

1. Stalkerware Capabilities in the Real World – Lodrina Cherne, Martijn Grooten – PSW #718

Can using technology risk your personal safety? Tracking information can be shared with attackers and facilitate cyberstalking in multiple ways including key logging and screen sharing. Exploration of recent court cases and investigations will be shared and attendees will learn what resources can help individuals experiencing digital abuse at the hands of a technical adversary.

Announcements

  • In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.

Guests

Lodrina Cherne
Lodrina Cherne
Principal Security Advocate at Cybereason

Lodrina Cherne is a champion for security in the digital forensics and cybersecurity industries. As Principal Security Advocate at Cybereason, she drives innovation and development of best practices related to cybersecurity standards and policy. Cherne is also a Certified Instructor at the SANS Institute where she helps information security professionals advance their foundational understanding of digital forensics. Cherne has earned a bachelor’s degree in Computer Science from Boston University and is an Aspen Tech Policy Hub Fellow.

Martijn Grooten
Martijn Grooten
Coordinator at Coalition Against Stalkerware

Martijn Grooten, a former mathematician, has been working in IT security for 14 years. He was previously the Editor of Virus Bulletin and currently works as a consultant on a number of projects, many of which deal with supporting vulnerable people and groups with digital security. He is head of threat intel research at Silent Push, part of the team that built the Ford Foundation’s Cybersecurity Assessment Tool, a fellow at the Civilsphere Lab and a Coordinator at the Coalition Against Stalkerware.

Hosts

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
Jeff Man
Jeff Man
Information Security Evangelist at Online Business Systems
Josh Marpet
Josh Marpet
Executive Director at RM-ISAO
Larry Pesce
Larry Pesce
Principal Managing Consultant and Director of Research & Development at InGuardians
Tyler Robinson
Tyler Robinson
Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

2. MAVSH – Sachin Mahajan – PSW #718

Over the course of 2020 and 2021 new UAV regulations and restrictions, such as Remote Identification, have threatened UAV hobbyist's ability to fly freely. These new regulations did leave hobbyists with one loophole: building a sub 250g quad. After this realization, I set out to build a sub250g quad which can be flown for fun, or as one of the first remotely accessible war-flying devices.

Segment Resources:

http://mav.sh/

https://github.com/0xkayn/Valkyrie

https://www.youtube.com/watch?v=CJZ2gCLopyU

Announcements

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Guest

Sachin Mahajan
Sachin Mahajan
Developer Intern at InGuardians

Sach is a self taught developer, an aspiring pentester, and a drone enthusiast. In his spare time he enjoys playing chess, reading Sci-Fi novels, learning about cryptocurrencies, and flying drones.

Host

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly

3. TIPC Kernel Vulns, SBDCs, Truckloads of GPUs, & Hardcoded SSH Keys – PSW #718

This week in the Security News: NPM hijacked again, hardcoding your keys, PAN-ODay, more Nmap in your python or python in your nmap, put your Docker API to rest, Busybox will own your box, Microsoft says its a feature not a vulnerability, SBDCs, TIPC Linux kernel vulnerability, patches that don't fix everything, truckloads of GPUs and testing if your high!

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Hosts

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
  1. 1. How THC “breathalyzers” work, and why some experts say they’re flawed - "This new test, called EPOCH (Express Probe for On-site Cannabis Inhalation) instead works by collecting and concentrating your saliva to evaluate it for current levels of THC. It evaluates whether or not THC levels are above one nanogram of THC per milliliter of saliva within a twelve-hour consumption window." Also, there's an app for that: "By reacting to different game-like stimuli from DRUID, the app determines if a user has impaired response time, coordination, or balance — signs of impairment that could be deadly when driving or operating heavy machinery."
  2. 2. Debunking Five Myths About Zero-Trust
  3. 3. Pythonizing Nmap - Interesting usage of subprocess with shlex to run Nmap from within a Python script. Awesome write-up and examples, a must read.
  4. 4. Types of Penetration Testing - Network, web app, red team and social engineering are the types. Really? The rabbit hole goes deeper.
  5. 5. Massive Zero-Day Hole Found in Palo Alto Security Appliances - "The vulnerability chain consists of a method for bypassing validations made by an external web server (HTTP smuggling) and a stack-based buffer overflow. It affects Palo Alto firewalls running the 8.1 series of PAN-OS with GlobalProtect enabled (specifically versions < 8.1.17). Exploitation of the vulnerability chain has been proven and allows for remote code execution on both physical and virtual firewall products. Publicly available exploit code does not exist at this time. Patches are available from the vendor."
  6. 6. Hacking the Sony Playstation 5 – Schneier on Security
  7. 7. Shadow IT Makes People More Vulnerable to Phishing - Neat phishing trick!
  8. 8. Hackers Target Docker Servers That Are Not Well Configured - "In the beginning, by means of an accessible Docker REST API a container will be created on the susceptible host;" - Really, just don't do this. NEVER expose the Docker REST API to the Internet, unless you want to run a honeypot.
  9. 9. Unboxing BusyBox – 14 new vulnerabilities uncovered by Claroty and JFrog - "All vulnerabilities were privately disclosed and fixed by BusyBox in version 1.34.0, which was released Aug. 19." - It will be a long time, and for some never, before these fixed are pushed to firmware projects and products. However, these do not appear to be very impactful: "The DoS vulnerabilities are trivial to exploit, but the impact is usually mitigated by the fact that applets almost always run as a separate forked process. The information leak vulnerability is nontrivial to exploit (see, next section). The use-after-free vulnerabilities may be exploitable for remote code execution, but currently we did not attempt to create a weaponized exploit for them. In addition, it is quite rare (and inherently unsafe) to process an awk pattern from external input."
  10. 10. Cisco Talos finds 10 vulnerabilities in Azure Sphere’s Linux kernel, Security Monitor and Pluton - hrmmm: "We thank Cisco Talos for sharing their continued research into Azure Sphere, which first started during the Azure Sphere Security Research Challenge in 2020. After reviewing the findings on TALOS-2021-1341 and TALOS-2021-1344, Microsoft believes the approach described is implemented by design and does not present a security risk to customer production environments."
  11. 11. Organizations believe they are ready for ransomware attacks – Help Net Security
  12. 12. US House Passes Acts to Help SMBs with Cybersecurity - Interesting: "The Small Business Development Center Cyber Training Act would establish a cyber counseling certification program at Small Business Development Centers (SBDCs) so that they can better assist small businesses with their cybersecurity and cyber-strategy needs."
  13. 13. US bans trade with security firm NSO Group over Pegasus spyware (updated) - "The US Commerce Department has added NSO to its Entity List, effectively banning trade with the firm. The move bars American companies from doing business with NSO unless they receive explicit permission. That's unlikely, too, when the rule doesn't allow license exceptions for exports and the US will default to rejecting reviews. NSO and fellow Israeli company Candiru (also on the Entity List) face accusations of enabling hostile spying by authoritarian governments. They've allegedly supplied spyware like NSO's Pegasus to "authoritarian governments" that used the tools to track activists, journalists and other critics in a bid to crush political dissent. This is part of the Biden-Harris administration's push to make human rights "the center" of American foreign policy, the Commerce Department said."
  14. 14. Critical RCE Vulnerability Reported in Linux Kernel’s TIPC Module - "While TIPC itself isn't loaded automatically by the system but by end users, the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation makes this a dangerous vulnerability for those that use it in their networks,"
  15. 15. Two NPM Packages With 22 Million Weekly Downloads Found Backdoored - "The two libraries in question are "coa," a parser for command-line options, and "rc," a configuration loader, both of which were tampered by an unidentified threat actor to include "identical" password-stealing malware."
  16. 16. Yes, a literal truck heist over GPUs did just happen - "The post takes care to warn people about purchasing any of these cards that surface, as EVGA has listings of the serial numbers involved. So trying to register the warranty for any of these cards won’t work and may get you a visit from authorities. If you can register a card warranty, that’s a clear sign that your GPU is clean. It’s a better idea than ever to check the serial number before buying off Craigslist at the moment." - heh, criminals won't care if it's stolen, nor would they ever register for the warranty.
  17. 17. Hardcoded SSH Key in Cisco Policy Suite Lets Remote Hackers Gain Root Access - There is a vulnerability in SSH, but also: "Cisco Policy Suite Releases 21.2.0 and later will also automatically create new SSH keys during installation, while requiring a manual process to change the default SSH keys for devices being upgraded from 21.1.0." An important step, changing your keys, which should be automated in the first place. Also, if this allows access to the traffic (or not) its a great place to hide: "Also addressed by Cisco are multiple critical vulnerabilities affecting web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) that could enable an unauthenticated, remote attacker to log in using an inadvertent debugging account existing in the device and take over control, perform a command injection, and modify the configuration of the device."
  18. 18. How to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus - Patches didn't fix everything: "None of the public analysis of this vulnerability mentions a Java class upload. The CISA report also mentions that "Subsequent requests are then made to different API endpoints to further exploit the victim's system." which is not the case here. Chances are in-the-wild attackers made use of another exploitation path. Anyway, the patch applied by ManageEngine only fixes the path traversal issue. While actually preventing our exploitation, this leaves opened the file upload and parameter injection issues for future use."
Josh Marpet
Josh Marpet
Executive Director at RM-ISAO
Tyler Robinson
Tyler Robinson
Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security
prestitial ad