Software Flea Market – PSW #725
This week, we start the show off with an interview with Jimmy Sanders, CISO at Netflix, to talk about Cracks in the Castle! Next up, we have a technical segment where I walk through Securing Ubiquiti WiFi Systems!
In the Final Segment, it’s the Security News: More QR codes you shouldn't trust, race conditions in Rust, encrypting railways, Pwnkit - the latest Linux exploit, tricking researchers into crashing, cybersecurity is broken?, the best cybersecurity research paper, evil Favicons, escaping Kubernetes, pimping your cubicle and someone who actually recovered their crypto wallet!
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Enterprises today have an ever-expanding attack surface. Jimmy Sanders, Head of Security for DVD.com, joins to discuss how organizations are constantly trying to stay ahead of the latest known and unknown risks!
CRA's Business Intelligence Unit has launched its next survey on Zero Trust! What are Your Barriers to Zero Trust Implementation? Take our survey and enter to win a $500 Tango card by visiting https://securityweekly.com/zerotrust. Report results will be released at our upcoming Zero Trust E-Summit in March!
Jimmy Sanders, Head of Information Security at Netflix DVD. Jimmy has spent his career creating holistic and innovative security programs as well as learning security ideas from some of the industry's brightest minds. In addition to his duties at DVD.com, Jimmy has served as the San Francisco Bay Area chapter president of the Information Systems Security Association (ISSA) since 2014. He is also on the ISSA International Board of Directors, a Board Member for the ISSA Education Foundation, a Board Member of the Information Security Leaders Foundation (ISLF), and a member of the Office of the CIO. Furthermore, he has been a keynote speaker at BlackHat, RSA, SecureWorld, and InfoSec World as well as other notable events. Prior to DVD.com, Jimmy Sanders has also held key roles at organizations that include Samsung, Fiserv, and SAP. He is a Cyber Security Committee advisor for Merritt College and Ohlone College, and serves on the advisory boards of other colleges and non-profits.
Ubiquiti has become a crowd favorite for WiFi (and many other solutions). Learn how to do some basic security hardening, update the software, change passwords and more!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
This week in the Security News: More QR codes you shouldn't trust, race conditions in Rust, encrypting railways, Pwnkit - the latest Linux exploit, tricking researchers into crashing, cybersecurity is broken?, the best cybersecurity research paper, evil Favicons, escaping Kubernetes, pimping your cubicle and someone who actually recovered their crypto wallet!
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
Join us June 29th for a webcast with Tyler Robinson and Beau Bullock to learn how to pivot into the world of Crypto security. Visit https://securityweekly.com/webcasts to register with only your name and email! Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
- 1. PwnKit
- 2. TrickBot malware now crashes researchers’ devices to evade analysis - "The third line of defense is the most interesting one as malware operators have added an anti-debugging script that triggers a memory overload when a security researcher performs a Code Beautifying technique."
- 3. A bug lurking for 12 years gives attackers root on most major Linux distros - "The Qualys researchers aren't the only ones to stumble upon this vulnerability, or at least a very similar bug. In 2013, researcher Ryan Mallon publicly reported much the same bug and even wrote a patch, although he ultimately could find no way to exploit the vulnerability. And last June, Github security researcher Kevin Backhouse also reported a privilege escalation vulnerability. It received the tracking designation of CVE-2021-3560 and a patch from major Linux distributors." - FYI, K. Backhouse's bug looks totally different. R. Mallon's discovery analyzed the same code block, but he did not publish an exploit. Are we now compelled, given the success of Pwn2Own and Dragos's recent comments, to make sure we weaponize all exploits?
- 4. Cybersecurity Is Broken: How We Got Here & How to Start Fixing It - "By the end of the third quarter, the number of data breaches was 17% higher in 2021 than the previous year. The manufacturing and utilities sector was affected the most, followed by healthcare, which saw more than 40 million patient records breached. Ransomware attacks are also seeing a precipitous rise, having earned an estimated $590 million in the first half of 2021, which already surpasses 2020's total estimated earnings of $416 million." - Could it be that we've gotten better at detecting breaches, and/or that you know you're breached because the attackers are using extortion more than before? Are more patient records breached because our records are, more than ever before, being stored digitally? Have ransomware payouts increased due to cyber insurance and breach reporting laws? Not everything, especially statistics, is due to failures in defending networks...perhaps?
- 5. Is Google tracking your location even when you think you’ve turned it off? US states sue over “deception”
- 6. Open-source code: How to stay secure while moving fast – Help Net Security
- 7. Best Cybersecurity Research Paper Revealed - "Titled On One-way Functions and Kolmogorov Complexity, the winning paper was published at the 2020 IEEE (Institute of Electrical and Electronics Engineers) Symposium on Foundations of Computer Science." - Wow, from the paper: "A one-way function (OWF) is a function f that can be efficiently computed (in polynomial time), yet no probabilistic polynomial-time (PPT) algorithm can invert f with inverse polynomial probability for infinitely many input lengths n."
- 8. An Armful of CHERIs – Microsoft Security Response Center
- 9. Apple paid me $100k bounty for Safari UXSS super-bug
- 10. McAfee Bug Can Be Exploited to Gain Windows SYSTEM Privileges
- 11. 10 Years Later, What Did LulzSec Mean for Cybersecurity? - "Because there is no predictability — perhaps that's a part of their point — there is the idea that they can hit anyone at any time for whatever reason," Coroneos said. "That seems to be what they are actually trying to show: that they are not restricted to one ideology or cause."
- 12. Segway Hit by Magecart Attack Hiding in a Favicon - "Also of interest is the fact that the threat actors are embedding the skimmer inside a favicon.ico file. Favicons are small icon images that link to other websites. 'If you were to look at it, you'd not notice anything because the image is meant to be preserved.'"
- 13. How I Got Pwned by My Cloud Costs
- 14. PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)
- 15. Linux kernel bug can let hackers escape Kubernetes containers - Oh, you would be surprised: "However, for the exploit process to work, the attacker needs to leverage an unprivileged namespace or use 'unshare' to enter a namespace with the CAP_SYS_ADMIN permission. This capability isn't the default setting on Docker, and using the '--privileged' flag when starting the container isn't common practice."
- 16. Webcam Hacking (again) – Safari UXSS
- 17. ‘Cyberpartisans’ hack Belarusian railway to disrupt Russian buildup
- 18. Apple’s AirTag uncovers a secret German intelligence agency
- 19. A hacker recovered a crypto wallet worth $2 million for the owner who forgot the password: report
- 20. We talked to the guy who turned his cubicle into a cabin
- 21. argv silliness
- 1. Apple Releases iOS 15.3 and iPadOS 15.3 - Apple updated iOS/iPadOS/watchOS/tvOS and macOS to resolve kernel and WebKit vulnerabilities. 10 CVEs were addressed in iOS and iPadOS. Code reuse means the updates hit many of the product lines.
- 2. Security advisory for the standard library (CVE-2022-21658) - An update for the Rust programming language fixes a bug that could be exploited to delete files and directories from unpatched systems. This is a TOCTOU (time of check/time of use) race condition. Updating to version 1.58.1 is the only fix: adding code to check the path before calling "remove_dir_all" will not mitigate the problem, as those checks are subject to the same race condition.
- 3. FBI warns of malicious QR codes used to steal your money - The FBI warned Americans this week that cybercriminals are using maliciously crafted Quick Response (QR) codes in attacks that redirect victims to malicious websites designed to steal their financial information and login credentials.
- 4. CISA adds 17 vulnerabilities to list of bugs exploited in attacks - This week, CISA added 17 actively exploited vulnerabilities to its "Known Exploited Vulnerabilities" catalog. The catalog was established under "Binding Operational Directive (BOD) 22-01" and lists vulnerabilities that have been successfully exploited by attackers and that Federal Civilian Executive Branch (FCEB) agencies are required to patch.
- 5. OpenSubtitles data breach impacted 7 million subscribers - OpenSubtitles suffered a data breach that affected 6,783,158 subscribers. Exposed data include email and IP addresses, usernames, the user's country, and passwords stored as unsalted MD5 hashes.
- 6. Attackers are actively targeting critical RCE bug in SonicWall Secure Mobile Access - Threat actors are actively exploiting a critical flaw (CVE-2021-20038) in SonicWall's Secure Mobile Access (SMA) series 100 gateways that was addressed in December. Remember that the SMA 100 series of appliances includes the SMA 200, 210, 400 and 500v products. This is a high-risk vulnerability as it allows for remote code execution. SonicWall advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
- 7. Prolific Chinese APT Caught Using 'MoonBounce' UEFI Firmware Implant - Threat hunters at Kaspersky have spotted the well-known Chinese government-linked "APT41" (Winnti) group leveraging a UEFI implant dubbed "MoonBounce" in order to persist across system reboots and evade detection while its operators conduct state-sponsored cyber espionage activity.
- 8. Hackers say they encrypted Belarusian Railway servers in protest - The Belarusian Cyber-Partisans say they successfully breached and encrypted servers belonging to the state-owned Belarusian Railway after learning that Russia was using the rail transport network to move military personnel and equipment into Belarus.