Security Weekly
Paul's Security WeeklySubscribe
Email security, Vulnerability Management, Cloud Security, Security Staff Acquisition & Development, Distributed Workforce

There Was Definitely Harm Done – PSW #680

Full Audio

View Show Index

Segments

1. Beyond Phishing Blockers – Ryan Noon – PSW #680

Ryan Noon joins Paul, and the rest of the PSW team, this week to chat through the importance of resilience in everything companies do to protect cloud-stored data and IP, unpack growing enterprise demand for a "digital seatbelt," and explain why Material takes a fresh approach to email security: building products with the assumption that bad actors will successfully hack inboxes.

This segment is sponsored by Material Security.

Visit https://securityweekly.com/materialsecurity to learn more about them!

Sponsored By

Material Security

Announcements

  • We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!

Guest

Ryan Noon
Co-Founder and CEO at Material Security

Ryan Noon is a serial entrepreneur and an expert on cloud security. He is the founder and CEO of Material Security, a company that protects the email of high-risk VIPs and top global organizations. Previously he ran infrastructure teams at Dropbox after it acquired his last company, Parastructure. Before that he helped build a company spun out of Stanford by the Department of Defense. He holds bachelors and masters degrees from Stanford in Computer Science and Computer Security.

Hosts

Principal Security Evangelist at Eclypsium
Sr. InfoSec Consultant at Online Business Sytems
Security Analyst at Black Hills Information Security
Product Security Research and Analysis Director at Finite State
Senior Cyber Advisor at Lawrence Livermore National Laboratory
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. Hacking Ubiquiti Devices – Jon Gorenflo – PSW #680

Ubiquiti network gear has become a favorite among tech enthusiasts, but various Ubiquiti products have had some serious vulnerabilities in recent history. Listen in as we discuss hack, secure, and learn with Ubiquiti gear. We'll also discuss Ubiquiti's data breach announced Jan. 11and what that could mean to the security of your network.

Announcements

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Guest

Jon Gorenflo
Founder, Principal Consultant at Fundamental Security, LLC

Jon is the Founder and Principle Consultant of Fundamental Security, a small consulting firm focused on penetration testing, incident response, and strategic security consulting. He started working with technology in High School as a student of the Cisco Networking Academy, and has focused on Information Security since 2006. In addition to his role as a security consultant, he also travels the world as an instructor for the SANS Institute. Currently, he teaches two of SANS’s seminal courses, SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling and SEC560: Network Penetration Testing and Ethical Hacking. He is proud to have served in the Army Reserve for 11 years, where he became a Warrant Officer and served one tour in Afghanistan. He currently maintains the GCIH, GPEN, GAWN, GMOB, CISSP, and Security+ certifications.

Hosts

Principal Security Evangelist at Eclypsium
Sr. InfoSec Consultant at Online Business Sytems
Security Analyst at Black Hills Information Security
Product Security Research and Analysis Director at Finite State
Senior Cyber Advisor at Lawrence Livermore National Laboratory
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

3. WRT54G Hacking History, 70 Unpatched Cisco Vulns, & Bypassing MFA – PSW #680

In the Security News, How two authors became part of WRT54G hacking history, European police and German law enforcement have taken down the illegal "DarkMarket" online marketplace, 70 unpatched Cisco vulnerabilities and why these are not a big deal, Adobe is blocking Flash content, most containers still run as root, watching private videos on YouTube is more like silent films, and get a free bag of weed when you get your vaccine!

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Hosts

Principal Security Evangelist at Eclypsium
  1. 1. Hackers used 4 zero-days to infect Windows and Android devices
    One of the bugs was described as the following (which I found interesting): "One of the features that make JavaScript code especially difficult to optimize is the dynamic type system. Even for a trivial expression like a + b the engine has to support a multitude of cases depending on whether the parameters are numbers, strings, booleans, objects, etc. JIT compilation wouldn’t make much sense if the compiler always had to emit machine code that could handle every possible type combination for every JS operation. Chrome’s JavaScript engine, V8, tries to overcome this limitation through type speculation. "
  2. 2. Over 70 Vulnerabilities Will Remain Unpatched in EOL Cisco Routers
    This sounds bad, except: "The security bugs exist because user-supplied input to the web-based management interface of the affected router series is not properly validated, thus allowing an attacker to send crafted HTTP requests to exploit these issues. An attacker able to successfully exploit these vulnerabilities would be able to execute arbitrary code with root privileges on the underlying operating system. A mitigating factor, however, is that valid administrator credentials are required for exploitation." Uhm, if I have administrator credentials already, why would I need an exploit?
  3. 3. Most containers are running as root, which increases runtime security risk
    "Among its findings, the report states that while 74 percent of customers are scanning before deployment, still 58 percent of containers are running as root. There are some containers that should run as root—security and system daemons for example—but this is a small portion of total containers." Report here: https://sysdig.com/blog/sysdig-2021-container-security-usage-report/ and it looks like it was a report based on Sysdig customers, who have implemented a container security platform, yet still, run containers as root? WTH?
  4. 4. Google reveals high-profile attack targeting Android, Windows users
  5. 5. Understanding TCP/IP Stack Vulnerabilities in the IoT
    If it were only that easy: "Experts point to three foundational steps for dealing with TCP/IP stack vulnerabilities: identifying all devices on a network to understand which are vulnerable; assessing the risks introduced by these devices, which include their business context, criticality, and Internet exposure; and mitigating the assessed risks."
  6. 6. Larger CyberBunker investigation yields shutdown of DarkMarket – CyberScoop
    "German police raided the CyberBunker’s headquarters in September 2019 in Traben-Trarbach, a small town close to the Luxembourg border. Eight defendants — four Dutchmen, three Germans and one Bulgarian — stood trial beginning in October for allegedly aiding and abetting 249,000 transactions involving drugs, money laundering, stolen information and pornographic images of children."
  7. 7. Adobe Fixes 7 Critical Flaws, Blocks Flash Player Content
    But, if its not updating Flash, how will Flash Player block content? "“Since Adobe will no longer be supporting Flash Player after December 31, 2020 and Adobe will block Flash content from running in Flash Player beginning January 12, 2021, Adobe strongly recommends all users immediately uninstall Flash Player to help protect their systems,” according to Adobe."
  8. 8. How I found a bug in YouTube that let me watch private videos I wasn’t allowed to, says compsci student
  9. 9. RCE Vulnerability Affecting Microsoft Defender
  10. 10. Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender – Microsoft Security
    See my story number 9 above...
  11. 11. Minimizing cyberattacks by managing the lifecycle of non-human workers
    It's important to manage the lifecycle of alien workers (from outer space), not just humans...
  12. 12. Criminals are Bypassing MFA to Access Organisation’s Cloud Services
  13. 13. Get A Free Bag Of Marijuana With Your Covid-19 Vaccine
    Literally called "Joints For Jabs". They gave out joints in 2016 at the presidential inauguration, but this year thought it was a bad idea because 1. They licked all the joints and 2. People lit them up immediately...
  14. 14. User successfully runs Ubuntu on a jailbroken iPhone 7 – 9to5Mac
    https://flip.it/.FZloD
Sr. InfoSec Consultant at Online Business Sytems
Security Analyst at Black Hills Information Security
Product Security Research and Analysis Director at Finite State
  1. 1. Investigating Transit – Part 1 :: xerbo.net
  2. 2. Email security firm Mimecast says hackers hijacked its products to spy on customers
  3. 3. WRT54G History: The Router That Accidentally Went Open Source
  4. 4. Credential harvesting campaign targets government, military, and private sector organisations ? Cyjax
  5. 5. Man arrested for counterfeiting 25 popsicle sticks to claim prize
Senior Cyber Advisor at Lawrence Livermore National Laboratory
  1. 1. Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments
    CISA has become aware of cyber-attacks leveraging weaknesses in cloud security services. Threat actors are leveraging phishing and other techniques to exploit poor cyber hygiene practices in cloud services. CISA released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services.
  2. 2. Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services
    The analysis report has a great summary of attack vectors and solutions/mitigations. Make sure that you’re adequately securing cloud environments, at a minimum make sure you’re following the service’s security guidance. Review that guidance annually for improvements and needed changes. Make sure that direct access requires MFA. Verify that conditional access is both enabled and operates as planned. Evaluate the risks of enabling SSO from corporate desktops. Be sure that cloud service logs are being reviewed regularly, ideally forwarded automatically to your centralized logging and SIEM.
  3. 3. Networking giant Ubiquiti alerts customers of potential data breach
    Ubiquiti has announced a security incident that may have exposed its customers' data. Ubiquiti is asking users to enable MFA and change passwords.
  4. 4. Illegal marketplace “DarkMarket” taken offline
    European police and German law enforcement have taken down the illegal "DarkMarket" online marketplace, seized some 20 servers hosting the site in Moldova and Ukraine, and arrested an Australian man who is believed to be the site's operator. DarkMarket underground community was one of the more prominent and largest underground marketplaces that threat actors used to trade malicious tools and illegal goods on the dark web.
  5. 5. SolarLeaks site claims to sell data stolen in SolarWinds attacks
    A website named 'SolarLeaks' is selling data they claim was stolen from companies confirmed to have been breached in the SolarWinds attack. The solarleaks.net domain containing the data was registered with "NJALLA," which is used by Russian hacking groups "Fancy Bear" and "Cozy Bear."
  6. 6. Hackers Compromise Mimecast Certificate For Microsoft Authentication
    A sophisticated threat actor compromised a Mimecast certificate used to authenticate several of the company’s products to Microsoft 365 Exchange Web Services, tenants using Mimecast need to delete and re-add the connection using the new certificate.
  7. 7. Accellion hack behind Reserve Bank of NZ data breach
    The Reserve Bank of New Zealand, which yesterday disclosed it had suffered a data breach, now says it was caught up in a hack targeting an unpatched Accellion file transfer appliance (FTA). The replacement is Kiteworks.
  8. 8. This Android malware claims to give hackers full control of your smartphone
    Attackers have combined the "Cosmos" and "Hawkshaw" Android remote access Trojans (RAT) to create the "Rogue RAT." Which also monitors victims' GPS locations, takes screenshots, uses the camera to snap photos, and secretly records audio all while remaining hidden.
  9. 9. Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks
    Fortinet identified four serious vulnerabilities (CVE-2020-29015, CVE-2020-29016, CVE-2020-29018, and CVE-2020-29019) affecting the FortiWeb administration interface that Fortinet describes as a "SQL injection issue and two buffer overflows" - Likely low to medium risk due to limited impacts of exploitation.
  10. 10. US Announces Controversial State Department Cyber-Bureau
    The US government has announced the creation of a new cybersecurity agency to align with the country’s diplomatic efforts. The Bureau of Cyberspace Security and Emerging Technologies (CSET) will lead U.S. government diplomatic efforts on a wide range of international cyberspace security and emerging technology policy issues that affect U.S. foreign policy and national security, including securing cyberspace and critical technologies, reducing the likelihood of cyber-conflict, and prevailing in strategic cyber-competition.
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

Related