
Vulcan Mind Meld – PSW #692

This week, Fleming Shi, CTO of Barracuda Networks, joins us for an interview to talk about Protecting the Hybrid Workforce! Then, Fred Gordy, Director of Cybersecurity at Intelligent Buildings, joins us for a discussion on Smart Building Control System Cybersecurity - The Real World! In the Security News, Penetration testing leaving organizations with too many blind spots, A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks, Apple AirDrop Vulnerability Exposes Users’ Personal Information, Darkside Ransomware gang aims at influencing the stock price of their victims, Security firm Kaspersky believes it found new CIA malware, and a Hacker leaks 20 million alleged BigBasket user records for free! All that and more on this episode of Paul's Security Weekly!

Segment Resources:

Visit https://securityweekly.com/barracuda to learn more about them!

Intelligent Buildings - https://www.intelligentbuildings.com/

Visit https://www.securityweekly.com/psw for all the latest episodes!

Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly


Segments

1. Protecting the Hybrid Workforce – Fleming Shi – PSW #692

Fleming will cover the vulnerabilities of a hybrid workforce and how employees are now working from anywhere, not just their homes. Zero trust will play a large part in securing workforces in the future as well as password managers for corporate and personal use. He will expand his point of view on the topics in the prep call next week.

This segment is sponsored by Barracuda Networks.

Visit https://securityweekly.com/barracuda to learn more about them!

Sponsored By

Barracuda Networks

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Join us June 29th for a webcast with Tyler Robinson and Beau Bullock to learn how to pivot into the world of Crypto security. Visit https://securityweekly.com/webcasts to register with only your name and email! Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Guest

Fleming Shi
CTO at Barracuda Networks

Fleming joined Barracuda in 2004 as the founding engineer for the company’s web security product offerings, helping to create the first version of Barracuda’s message archiving product and paving the way for expansion into new content security product areas. As Chief Technology Officer, Fleming leads the company’s threat research and innovation engineering teams in building future technology platforms to deliver continued success in our security and data protection products. He has more than 20 patents granted or pending in network and content security.

Hosts

Paul Asadoorian
Founder at Security Weekly
Larry Pesce
Principal Managing Consultant and Director of Research & Development at InGuardians
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. Smart Building Control System Cybersecurity – The Real World – Fred Gordy – PSW #692

Currently, in the United States, there are over 87 billion square feet of commercial real estate. Smart Building control systems are pervasive throughout these buildings and have helped increase efficiency, profitability, and the occupant experience. The spread of this technology has exponentially increased the attack surface of companies. In this episode, Fred Gordy will discuss findings, attacks, and IT-induced events that he and his team have seen from the thousands of assessments they have performed in the US, Canada, and overseas. He will also provide low-cost basic practices to decrease exposure to these events.

Segment Resources:

Intelligent Buildings - https://www.intelligentbuildings.com/

Announcements

  • Security Weekly listeners save $100 on their RSA Conference 2021 All Access Pass! RSA Conference will be a fully virtual experience from May 17th-20th, 2021. Security Weekly will be live streaming Monday-Thursday in the virtual broadcast alley, interviewing some of the top sponsors and speakers for the event. To register using our discount code, please visit https://securityweekly.com/rsac2021 and use the code 5U1CYBER! We hope to "see" you there!

Guest

Fred Gordy
Director of Cybersecurity at Intelligent Buildings

Fred is an industry expert within building intelligence data analysis for building control and power monitoring systems with an emphasis on cybersecurity. His control systems knowledge gives him insight into the challenges of interlacing traditional IT environments with control systems for a cohesive and secure operational technology (OT) platform. With over 20 years in the BAS space, over seven years of BAS cybersecurity, and 20 years in the IT space, Fred is nationally recognized as an OT cybersecurity thought leader. Fred was Chairperson of the Cybersecurity Committee for the InsideIQ 55 international member companies, Security Steering Committee Member for the Sports & Entertainment Alliance in Technology, and a founding member of the Cyber Security for Control Systems Association International (CS2AI), as well as the past president and current president emeritus of the Atlanta CS2AI Chapter.

Hosts

Paul Asadoorian
Founder at Security Weekly
Joff Thyer
Security Analyst at Black Hills Information Security
Larry Pesce
Principal Managing Consultant and Director of Research & Development at InGuardians
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

3. AirDrop Vulns, Linux Hypocrite Commits, Wi-Fi Code Execution, & We’ll Miss You Dan – PSW #692

This week in the Security News, Penetration testing leaving organizations with too many blind spots, A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks, Apple AirDrop Vulnerability Exposes Users’ Personal Information, Darkside Ransomware gang aims at influencing the stock price of their victims, Security firm Kaspersky believes it found new CIA malware, and a Hacker leaks 20 million alleged BigBasket user records for free!

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Hosts

Paul Asadoorian
Founder at Security Weekly
  1. Jailbreak or Jail – Is Hacking for the Government A Crime? - Did they violate the CFAA, copyright laws, or both? - "Maybe. In fact, the U.S. Supreme Court is currently considering a case that will help clarify whether accessing a database you are allowed to access, but for a purpose for which you are not authorized, constitutes a violation of the statute. When Azimuth “cracked” the iPhone, they probably violated something in the license agreement. I have no earthly clue, because, frankly, the license agreement is unreadable. In fact, that’s kind of the point."
  2. Penetration testing leaving organizations with too many blind spots - Pen tests don't test everything, do you still need them? - "surveyed enterprises with 3,000 or more employees and found that 70 percent of organizations perform penetration tests as a way to measure their security posture and 69 percent to prevent breaches, yet only 38 percent test more than half of their attack surface annually. Many organizations are conducting penetration tests to detect and mitigate threats yet remain dangerously vulnerable. The research shows that when using penetration testing as a security practice organizations lack visibility over their internet-exposed assets, resulting in blind spots that are vulnerable to exploits and compromise."
  3. MythBusters: What pentesting is (and what it is not) – Help Net Security - Same source, different take: "During pentests, highly technical and skilled individuals manually vet results to identify risks via exploitation attempts and vulnerability chaining. Scanning for vulnerabilities and penetration testing are both necessary components of a comprehensive security strategy. One does not replace the other."
  4. How to Conduct Vulnerability Assessments: An Essential Guide for 2021 - "A vulnerability scan provides a point-in-time snapshot of the vulnerabilities present in an organization's digital infrastructure. However, new deployments, configuration changes, newly discovered vulnerabilities, and other factors can quickly make the organization vulnerable again. For this reason, you must make vulnerability management a continuous process rather than a one-time exercise."
  5. Identifying People Through Lack of Cell Phone Use – Schneier on Security
  6. Zero-Knowledge Proofs (ZKPs) for vulnerability disclosure
  7. A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks - "Composer is billed as a tool for dependency management in PHP, enabling easy installation of packages relevant to a project. It also allows users to install PHP applications that are available on Packagist, a repository that aggregates all public PHP packages installable with Composer. According to SonarSource, the vulnerability stems from the way package source download URLs are handled, potentially leading to a scenario where an adversary could trigger remote command injection. As proof of this behavior, the researchers exploited the argument injection flaw to craft a malicious Mercurial repository URL that takes advantage of its "alias" option to execute a shell command of the attacker's choice."
  8. ISC Releases Security Advisory for BIND - "GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network. SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG. The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack."
  9. Apple AirDrop Vulnerability Exposes Users’ Personal Information - Vuln 1 - "After collecting the (hashed) contact identifiers, the attacker can recover phone numbers and email addresses offline. As shown in prior work, recovering phone numbers is possible in the order of milliseconds. Recovering email addresses is less trivial but possible via dictionary attacks that check common email formats such as [email protected]{gmail.com,yahoo.com,…}." and vuln 2 - "Importantly, the malicious sender does not have to know the receiver: A popular person within a certain context (e.g., the manager of a company) can exploit this design flaw to learn all (private) contact identifiers of other people who have the popular person in their address book (e.g., employees of the company)."
  10. CISA Releases ICS Advisory on Real-Time Operating System Vulnerabilities - Quite the list of RTOSes! Samsung TVs, ICS gear with VxWorks, wow... Bob may have to go find these exploits (There are many).
  11. An issue in the Linux Kernel could allow the hack of your system - “TALOS-2020-1211 (CVE-2020-28588) is an information disclosure vulnerability that could allow an attacker to view kernel stack memory. We first discovered this issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel.”
  12. Google Chrome V8 Bug Allows Remote Code-Execution
  13. Opinion: The FBI just got permission to break into private computers without consent so it can fight hackers
  14. Experian API Exposed Credit Scores of Most Americans – Krebs on Security
  15. New stealthy Linux malware used to backdoor systems for years
  16. HashiCorp reveals exposure of private code-signing key after Codecov compromise
  17. Adobe releases open source ‘one-stop shop’ for security threat, data anomaly detection
  18. When Windows bug fixes go bad, IT can now roll back individual changes
  19. Researchers Secretly Tried To Add Vulnerabilities To Linux Kernel, Ended Up Getting Banned
  20. A ransomware gang made $260,000 in 5 days using the 7zip utility
  21. All Your Macs Are Belong To Us
  22. Signal Blog: Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective
  23. Sound Engineer Descends Into 9-Hour Trip After Fixing ’60s Radio Equipment Covered In LSD - This story is amazing.
Joff Thyer
Security Analyst at Black Hills Information Security
Larry Pesce
Principal Managing Consultant and Director of Research & Development at InGuardians
  1. ATT&CK® for Containers now available!
  2. A novel way to deliver XSS…. - Tweet thread (@xssfox): "soooooo a few APRS sites might have XSS problems.... This was sent over radio btw"
  3. Security firm Kaspersky believes it found new CIA malware
  4. Apple’s AirDrop leaks users’ PII, and there’s not much they can do about it
  5. Bluetooth to Wi-Fi Code Execution & Wi-Fi Debugging
  6. Experian API Exposed Credit Scores of Most Americans – Krebs on Security
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
  1. 250 Million Americans' Sensitive Data Leaked Online by Pompompurin - The Pompompurin hacking group has reportedly dropped a 263GB database containing the personally identifiable information (PII) of more than 250 million U.S. citizens on a popular hacking forum. Information reportedly includes victims' full names, telephone numbers, mailing addresses, dates of birth, marital status, zip codes, genders, house rentals, home addresses, credit limits, political affiliations, number of proprietary cars, wages and tax information, number of pets, and number of children.
  2. Threat Actors Impersonate Chase Bank - A new phishing campaign has been spotted leveraging phishing emails impersonating JP Morgan Chase Bank in order to steal customers' login credentials. One of the phishing emails appeared to include a credit card statement while the other impersonated a locked account workflow.
  3. CISA, NIST Provide New Resource on Software Supply Chain Attacks - CISA and NIST have released a joint report titled "Defending Against Software Supply Chain Attacks" that details software supply chain attacks, the risks associated with those attacks, and how firms can successfully mitigate those attacks. https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508.pdf
  4. CISA/NIST Defending Against Software Supply Chain Attacks Joint Report
  5. NTLM Relay Attack Abuses Windows RPC Protocol Vulnerability - A newly identified NTLM relay attack abuses an RPC vulnerability to enable elevation of privilege from "User" to "Domain Admin." Requires MITM, and POC code is available. Microsoft will not be releasing a patch.
  6. Actively exploited Mac 0-day neutered core OS security defenses - Version 11.3 of macOS addresses a zero-day vulnerability (CVE-2021-30657) that was being actively exploited by hackers in order to infect targeted devices with "Shlayer" malware without triggering Mac security mechanisms that have been in place for more than 10 years.
  7. Passwordstate Password Manager Update Hijacked to Install Backdoor on Thousands of PCs - Click Studios, the Australian software company behind the Passwordstate password management application, has notified customers to reset their passwords and is publishing information on how to check and fix compromised systems.
  8. Hacker leaks 20 million alleged BigBasket user records for free - A threat actor has leaked approximately 20 million BigBasket user records containing personal information and hashed passwords on a popular hacking forum. Includes victims' email addresses, SHA1 hashed passwords, addresses, phone numbers, and other sensitive information.
  9. University of Minnesota security researchers apologize for deliberately buggy Linux patches - University of Minnesota researchers have apologized for intentionally submitting a "buggy" patch into the Linux kernel to test the integrity of the update process without permission.
  10. Darkside Ransomware gang aims at influencing the stock price of their victims - "Darkside" ransomware operators have been spotted threatening targeted organizations listed on the NASDAQ and other stock markets with leaking stolen data that could adversely impact their stock prices in order to intimidate them into paying the ransom.
  11. Logins for 1.3 million Windows RDP servers collected from hacker market - About 1.3 million current and historic login credentials from compromised Windows RDP servers have been leaked on the "Ultimate Anonymity Services" (UAS) criminal underground forum.
  12. AV Under Attack: Trend Micro Confirms Apex One Exploitation - Trend Micro is warning customers that hackers are now trying to exploit a previously patched, high-severity vulnerability (CVE-2020-24557) affecting its Apex One, Apex One as a Service, and OfficeScan products that could be exploited by attackers to elevate privileges on vulnerable systems.
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element