‘Master Faces’, Ship Hijacked, Windows Container Escape, & DNS Loopholes – PSW #705
This week in the Security News: PwnedPiper and vulnerabilities that suck, assless chaps, how non-techy people use ARP, how to and how not to explain the history of crypto, they are still calling about your car warranty, master faces, things that will always be true with IoT vulnerabilities, DNS loopholes, and a toilet that turns human feces into cryptocurrency!
Announcements
CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey.
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Hosts

Paul Asadoorian
Founder at Security Weekly
- 1. July Firmware Threat Report – Eclypsium
- 2. Why Would Someone Hack My Website? – Basically: because it's there...
- 3. NSA Guidance Explains How to Secure Your Wireless Devices? – Actually some pretty decent tips.
- 4. The hostel WiFi vigilante – This is like the easy button for ARP poisoning: http://arcai.com/what-is-netcut/. The solution? Perhaps: "So, wrote a script to scrape ARP table repeatedly, found duplicate entries for IP addresses, New duplicate ARP entries in subsequent scrapes are attackers, since original entry is the victim device’s ARP entry. Found original MAC addresses for attackers from the duplicate ARP entries, ARP poisoned the attackers themselves."
- 5. Let’s understand Cryptography – This is a much better article on crypto.
- 6. Research Shows How a Remote Print Server Leads to Windows Admin Privileges
- 7. Productivity tools for [email protected] – Some neat tips; in fact I am testing out this one: https://github.com/laurent22/joplin, as it allows for note taking, copy/paste of images, and even has a vim mode. I also thought it was a neat trick to swap your caps lock key for the escape key.
- 8. ‘I’m Calling About Your Car Warranty’, aka PII Hijinx – This is a really interesting concept, and I'm glad to see the research will be continued: "Researchers created 300 fake identities, signing them up on 185 legitimate websites ranging from Target to Fox News, with each identity used on a single website. Then they tracked how many email messages, phone calls, text messages and other responses were received based on the personally identifiable information (PII) used to register."
- 9. A brief history of cryptography – This article was not what it claimed to be. I suggest that the author, and anyone else looking to write articles such as this, confide in someone in the community as a reviewer/editor first. We are happy to help.
- 10. How I Monitor Active SSH Sessions With Prometheus And Grafana – I need to look into this one more. Prometheus is a time-series DB for monitoring (https://prometheus.io/), and Grafana (https://grafana.com/) allows you to "Query, visualize, alert on, and understand your data no matter where it’s stored."
- 11. Nothing is Unhackable – Agree or disagree? "Nothing is unhackable. It is extremely important for everyone to understand that nothing is unhackable. The more complicated the device, and the more complicated the software, or the more open it is to interaction with other applications, or research by security researchers or hackers, the more likely it is that you have created an additional attack surface. Playing offense is easy, because all you need to do is find a vulnerability. And playing defense is hard, because you need to defend yourself on all fronts, all the time."
- 12. Microsoft Patched the Issue That Enabled a Windows Container Escape – "...users should follow Microsoft’s guidance recommending not to use Windows containers as a security feature. Microsoft recommends using strictly Hyper-V containers for anything that relies on containerization as a security boundary. Any process running in Windows Server containers should be assumed to have the same privileges as admin on the host, which in this case is the Kubernetes node." – So can you run a container inside Kubernetes and then run Kubernetes inside Hyper-V?
- 13. Cisco Patches Critical Vulnerability in Small Business VPN Routers – 1) It's often the web interface; 2) it's never supposed to be exposed to the Internet; 3) scans always show that people have exposed it to the Internet; 4) it's always specially crafted requests that lead to RCE or DoS, hence this: "To exploit the bug, a remote, unauthenticated attacker has to send specially crafted HTTP requests to an affected device, which could allow them to execute arbitrary code or cause a denial of service (DoS) condition. “[T]he web management interface is locally accessible by default and cannot be disabled, but is not enabled for remote management by default. However, based on queries via BinaryEdge, we’ve confirmed there are at least 8,850 remotely accessible devices,”"
- 14. Cobalt Strike Bugs Found in the Latest Versions of the Cobalt Strike’s Server – Handy, so a good tool used by bad people has a vulnerability that good people can use against the bad people using the good tool: "They discovered that a user is able to register fake beacons with the server of a particular Cobalt Strike installation and that by sending fake tasks to the server, can crash it by exhausting the available memory."
- 15. Black Hat 2021: DNS loophole makes nation-state level spying as easy as registering a domain – "What we found was that registering certain "special" domains, specifically the name of the name server itself, has unexpected consequences on all other customers using the name server. It breaks the isolation between tenants. We successfully registered one type of special domain, but we suspect there are many others."
- 16. Scientist Invents Toilet That Turns Human Feces Into Cryptocurrency – Just for the LOLs.
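The detection half of the ARP-table scraping quoted in item 4, written out as an added example (not code from the page or from the quoted post): it parses two successive `arp -a`/`ip neigh`-style scrapes (constructed sample lines) and flags any IP that is now claimed by a MAC absent from the baseline, reporting the baseline owner as the likely victim. The address formats and sample MACs are assumptions for illustration.

```python
import re
from collections import OrderedDict

# Tool-agnostic pattern: pull an IPv4 address and a MAC (colon or hyphen form) out of
# each line, so `arp -a` output from Linux, macOS or Windows and `ip neigh` all parse.
ENTRY_RE = re.compile(
    r"(?P<ip>\b(?:\d{1,3}\.){3}\d{1,3}\b).*?"
    r"(?P<mac>\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b)", re.I)

def parse_arp(text):
    """Map each IP to the ordered list of distinct MACs claiming it in one scrape."""
    table = OrderedDict()
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue  # header lines, blank lines, incomplete entries without a MAC
        mac = m.group("mac").lower().replace("-", ":")
        macs = table.setdefault(m.group("ip"), [])
        if mac not in macs:
            macs.append(mac)
    return table

def find_spoofers(baseline, current):
    """Return {ip: {"victim": mac, "suspects": [mac, ...]}} for every IP that is now
    claimed by a MAC absent from the baseline; the baseline owner is the likely victim."""
    base, cur = parse_arp(baseline), parse_arp(current)
    alerts = {}
    for ip, macs in cur.items():
        known = base.get(ip)
        if not known:
            continue  # host first seen in this scrape: nothing to compare against yet
        suspects = [m for m in macs if m not in known]
        if suspects:
            alerts[ip] = {"victim": known[0], "suspects": suspects}
    return alerts

# Constructed sample scrapes in Linux `arp -a` style. In LATER the gateway IP is also
# answered by a second MAC, one host's MAC was silently replaced, and one host is new.
BASELINE = """\
? (10.0.0.1) at aa:bb:cc:00:00:01 [ether] on wlan0
? (10.0.0.42) at aa:bb:cc:00:00:42 [ether] on wlan0
"""
LATER = """\
? (10.0.0.1) at aa:bb:cc:00:00:01 [ether] on wlan0
? (10.0.0.1) at de:ad:be:ef:00:99 [ether] on wlan0
? (10.0.0.42) at de:ad:be:ef:00:99 [ether] on wlan0
? (10.0.0.77) at aa:bb:cc:00:00:77 [ether] on wlan0
"""
```

Run `find_spoofers(BASELINE, LATER)` periodically against fresh scrapes; a single MAC showing up as the suspect for several IPs at once is the usual signature of one poisoning host on the segment.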

Bill Brenner
VP, Content Strategy at CyberRisk Alliance

Joff Thyer
Security Analyst at Black Hills Information Security

Larry Pesce
Product Security Research and Analysis Director at Finite State

Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
- 1. New Android Malware Uses VNC to Spy and Steal Passwords from Victims – A previously undocumented Android-based RAT has been found to use VNC screen and keystroke recording features to steal sensitive information on the device.
- 2. Chipotle’s Email Marketing Account Hacked to Spread Malware – A new phishing campaign exploiting a compromised Chipotle Mailgun mailing service account was discovered in mid-July. Of the 121 phishing emails detected, two were vishing attacks (fake voicemail notifications with malware attachments), 14 impersonated USAA Bank, and 105 impersonated Microsoft.
- 3. PwnedPiper critical bug set impacts major hospitals in North America – Pneumatic tube system (PTS) stations used in thousands of hospitals worldwide are vulnerable to a set of nine critical security issues, collectively dubbed "PwnedPiper," that could be exploited by unauthenticated attackers to take complete control over some Internet-connected TransLogic PTS stations and ultimately take control over a targeted hospital's entire PTS network.
- 4. LockBit 2.0, the first ransomware that uses group policies to encrypt Windows domains – A new variant of the LockBit 2.0 ransomware is now able to encrypt Windows domains by using Active Directory group policies.
- 5. SafeWA – Application Audit – An audit report regarding Western Australia’s SafeWA COVID-19 contact tracing app reveals that police accessed the app’s data and that the app itself contained security flaws. In the report, the Auditor-General of Western Australia expressed concern that the personal data the app collected were used for purposes other than contact tracing. Western Australia released the SafeWA app in November 2020.
- 6. The Lazio Region vaccine portal is held hostage by hackers – Lazio, Italy's regional government was forced to take down its COVID-19 shot-booking system after it was hit by a possible ransomware attack during which attackers targeted its database.
- 7. Over 100 warship locations have been faked in one year – Abuses of location technology might just result in hot political disputes. According to Wired, SkyWatch and Global Fishing Watch found the fakes by comparing uses of the automatic identification system (AIS, a GPS-based system to help prevent collisions) with verifiable position data by using an identifying pattern.
- 8. Vulnerabilities in NicheStack TCP/IP Stack Affect Many OT Device Vendors – Researchers have identified more than a dozen vulnerabilities in the NicheStack TCP/IP stack, which appears to be used by many operational technology (OT) vendors. The issues could be exploited by attackers to perform remote code execution; conduct denial-of-service attacks, TCP spoofing, and DNS cache poisoning; and to leak information.
- 9. Stop ignoring this iPhone warning – Have you seen the prompt on your iPhone to update to iOS 14.7.1, but you've been putting it off? After all, it doesn't seem like there's much to it... Hint: it's a big deal.
- 10. Reindeer leaked the sensitive data of more than 300,000 people – WizCase’s ethical cyber researchers discovered a misconfigured Amazon S3 bucket belonging to Reindeer containing over 50,000 files and totaling 32GB of data. The Reindeer Company is a defunct American advertising company.

Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element