PSW #715
1. Evolution & Maturity of the Cybersecurity Industry – Maxime Lamothe-Brassard – PSW #715
The business of security is maturing, from an obscure corner of IT to a core concern of the C-suite. How is this transformation happening, and what can we learn from the similar trend that played out in IT over the last decade?
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Guest
Maxime began his career in cybersecurity at the Communications Security Establishment (CSE), Canada's national cryptologic agency, which provides the Government of Canada with information technology security and foreign signals intelligence. Within the Canadian intelligence apparatus he held positions ranging from the development of cyber defense technologies to counter computer network exploitation and counterintelligence.
After leaving government, Maxime worked directly with private and public organizations on cyber defense. He was an early employee at CrowdStrike, then worked for Google, where he eventually landed in Google X. He left Google X, where he was a founding member of Chronicle Security, in 2018 to found LimaCharlie.
2. Scanning For Default Credentials With Python – PSW #715
We've been working on this Python project that will use the Nmap Python library to scan the local network, enumerate select systems and devices, try to log in with default or known credentials, and send a Slack message if it finds anything.
The initial release is here: https://github.com/SecurityWeekly/netslackbot
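The pipeline described above (scan, enumerate, try defaults, notify Slack), as an added stand-alone example that is not the netslackbot code from the repository. It differs from the project in two assumed ways: it parses nmap's own `-oX -` XML with the standard library instead of the python-nmap package, and the actual login attempt is a callable passed in (a real run would plug in an SSH, Telnet or HTTP client; the `fake_login` stand-in, the `DEFAULT_CREDS` table, the sample XML and the webhook URL are all constructed for the demo).

```python
import json
import subprocess
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple

# Constructed default-credential table, keyed by the service name nmap -sV reports.
DEFAULT_CREDS: Dict[str, List[Tuple[str, str]]] = {
    "ssh": [("admin", "admin"), ("root", "root"), ("pi", "raspberry")],
    "telnet": [("admin", "admin"), ("root", "")],
    "http": [("admin", "admin"), ("admin", "password")],
}

Service = Tuple[str, int, str]  # (ip, port, service name)


def parse_nmap_xml(xml_text: str) -> List[Service]:
    """Extract open TCP ports from `nmap -oX -` output (the same XML python-nmap parses)."""
    found: List[Service] = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr", "")
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            found.append((ip, int(port.get("portid", "0")), name))
    return found


def run_scan(target: str, ports: str = "22,23,80") -> List[Service]:
    """Live scan: needs the nmap binary and permission to scan the target network."""
    proc = subprocess.run(["nmap", "-sV", "-p", ports, "-oX", "-", target],
                          capture_output=True, text=True, check=True)
    return parse_nmap_xml(proc.stdout)


def find_default_credentials(services: List[Service],
                             try_login: Callable[[str, int, str, str, str], bool]) -> List[Dict[str, object]]:
    """try_login(ip, port, service, user, password) -> bool is injected so the loop
    can be driven by real clients or by an offline stand-in."""
    hits: List[Dict[str, object]] = []
    for ip, port, service in services:
        for user, password in DEFAULT_CREDS.get(service, []):
            if try_login(ip, port, service, user, password):
                hits.append({"host": ip, "port": port, "service": service, "user": user})
                break  # one working default is enough; stop hammering the device
    return hits


def format_slack_message(hits: List[Dict[str, object]]) -> Optional[Dict[str, str]]:
    """Incoming-webhook payload. The password is deliberately left out of the channel."""
    if not hits:
        return None
    lines = [f"*{len(hits)} host(s) accepting default credentials:*"]
    lines += [f"- {h['host']}:{h['port']} ({h['service']}) user `{h['user']}`" for h in hits]
    return {"text": "\n".join(lines)}


def post_to_slack(webhook_url: str, payload: Dict[str, str]) -> int:
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed nmap XML standing in for a scan of two lab devices (port 80 is closed on purpose).
SAMPLE_NMAP_XML = """<nmaprun>
 <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
 </ports></host>
</nmaprun>"""


def fake_login(ip: str, port: int, service: str, user: str, password: str) -> bool:
    """Constructed stand-in for a real client: only the telnet box still has admin/admin."""
    return (ip, service, user, password) == ("192.168.1.20", "telnet", "admin", "admin")


def demo():
    services = parse_nmap_xml(SAMPLE_NMAP_XML)
    hits = find_default_credentials(services, fake_login)
    return services, hits, format_slack_message(hits)


if __name__ == "__main__":
    _, _, message = demo()
    print(json.dumps(message, indent=2))
    # Live use (assumed webhook URL):
    # post_to_slack("https://hooks.slack.com/services/...", format_slack_message(
    #     find_default_credentials(run_scan("192.168.1.0/24"), real_login)))
```

Stopping at the first working credential per service keeps the bot from locking accounts or tripping brute-force protection on the device it is supposed to be helping you inventory.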
Announcements
In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.
3. Wild Hippos, Chrome FTP, L0phtCrack Is Open-Source, Win 11 Pentium, & Legacy Systems – PSW #715
This week in the Security News: More security advice for non-profits, faster 0-day exploits, ban all the things, you are still phishable, how to treat security researchers, what the heck is cyber hygiene?, Gummy browsers, the Internet is safe now, a particular kind of crack is open-source, sysmon: Now for Linux, Windows 11 and lies, and cocaine Hippos!
Announcements
InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!
In case you missed it: Paul's Security Weekly's new streaming time is Wednesday nights from 6pm-9pm ET & Enterprise Security Weekly's new streaming time is Thursday afternoons from 3pm-4:30pm ET. You can view our live stream schedule at any time at https://securityweekly.com/live!
- 1. Malicious NPM Packages Caught Running Cryptominer On Windows, Linux, macOS Devices - We seem to be getting better at identifying these: "The bad actor's NPM account has since been deactivated, and all the three libraries, each of which were downloaded 112, 4, and 65 times respectively, have been removed from the repository as of October 15, 2021."
- 2. Microsoft Launches Security Program for Nonprofits - Again, this sounds like more of pointing out the problems, not the hard work of helping them fix the problems: "Nonprofits will also have access to free security assessments to help them understand the flaws in their endpoints, identity access, infrastructure, network, and data. The goal here is to help them create a remediation plan to protect their environments."
- 3. Attackers Weaponizing Zero-Days at Record Pace - "Cybercriminals exploited a new remote code execution (RCE) zero-day, CVE-2021-40444, a week before a patch was released in September—that’s just one of the recent findings in a report by HP Wolf Security. On September 10, researchers discovered scripts on GitHub that automated the creation of the exploit, which ostensibly means that even less-savvy attackers can use it in their malicious actions, according to the company’s Quarterly Threat Insights Report." (Ref: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444) - Curious how they are doing this.
- 4. 5 Reasons the Public Sector Must Move Away From Legacy IT - There is A LOT of legacy IT out there: "The Government Accounting Office (GAO) in the United States analyzed 65 federal legacy systems and revealed the 10 most critical systems were eight to 51 years old. In response, the U.S. government plans to spend over $100 billion this year on IT; most of that will go toward maintaining those older systems." - How do we tackle this problem?
- 5. U.S. Ban on Sales of Cyberattack Tools Is Anemic, Experts Warn - I don't believe we can regulate our way out of this problem: "Chris Clements, with Cerberus Sentinel, isn’t convinced the efforts will make much of a dent in attacks. “First, some of the biggest purveyors of such software are based outside the U.S. where the regulation may not affect them,” Clements said. “Second, many of the most used tools are open source in nature, and it isn’t clear to me how these rules will impact their distribution.” He added, “Even if common open-source hosting organizations such as GitHub or GitLab were to enact GeoIP restrictions on the download of such designated intrusion software, it would seem trivial for a banned nation to simply VPN through a common VPN provider to bypass such restrictions.”"
- 6. Why Is the Majority of Our MFA So Phishable? - "Unfortunately, most MFA users can be tricked into revealing their MFA codes or into letting an attacker steal their access control token by simply clicking on the wrong link sent in a phishing email. The link sends the victim to a “proxy” server that then links the victim to the legitimate destination server the victim thought they were going to in the first place. But the proxy server is now capturing everything sent from the legitimate destination server to the victim; and vice-versa. This includes any login information: login name, password and any provided MFA codes. The attacker can even capture the resulting access control token cookie, which allows the attacker to take over the victim’s session." - I don't believe MFA really prevents phishing attacks, I see it as helping prevent password brute-forcing and credential stuffing attacks.
- 7. Windows Exploitation Tricks: Relaying DCOM Authentication
- 8. Congratulations to the Top MSRC 2021 Q3 Security Researchers! - "Congratulations to all the researchers recognized in this quarter’s MSRC Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers." - Did you see this Apple? This is how it's done, recognition and respect for security researchers go a long way. Good job Microsoft!
- 9. Many organizations lack basic cyber hygiene despite high confidence in their cyber defenses - What is basic cyber hygiene? Also, this is interesting and not talked about enough: "Detecting stolen credentials and resetting them before criminals can use them to infiltrate corporate networks is the most direct path to fighting ransomware before criminals can gain a foothold."
- 10. A New Type of Cyberattack Developed by Researchers: Gummy Browsers Attack - Really interesting: "The 'Gummy Browsers' attack is the process of capturing a person's fingerprint by making them visit an attacker-controlled website and then using that fingerprint on a target platform to spoof that person's identity." Better reference: https://www.bleepingcomputer.com/news/security/new-gummy-browsers-attack-lets-hackers-spoof-tracking-profiles/
- 11. New Linux kernel memory corruption bug causes full system compromise - Extremely technical write-ups linked in this article (you may have to read The Linux Programming Interface book first: https://man7.org/tlpi/) - One highlight I found interesting (and could actually understand): "memory corruption is a big problem because small bugs even outside security-related code can lead to a complete system compromise" (From Haroon's paper https://thinkst.com/resources/papers/38_Paper.pdf : "Memory corruption exploitation refers to the class of attacks that rely on ones ability to hijack the execution flow of a program by corrupting the applications memory space through a number of different possible attack vectors. The two most popular techniques of Stack and heap based exploitation are discussed below.")
- 12. How Psychology Can Save Your Cybersecurity Awareness Training Program - So the solution is to do this: "People are clever and like to work things out for themselves. Ensure your awareness program takes this into account and does not patronize employees, nor make things needlessly difficult." (Make it a game, not too hard, but not too easy) and "Short and more frequent topics can be better than lengthy training sessions which take up several hours." (Break up the materials and exercises into smaller chunks) and "Part of creating a culture of cybersecurity involves removing the stigma associated with the fear that comes with having to report a mistake." (Don't punish your users) - My take: This is the same stuff we've been evangelizing and using for years. The fact remains that people still fall for phishing attacks and scams, so it's really NOT working... Also, love you Jaavid!
- 13. Google strips FTP code from Chrome - Whew, we are all saved now and the Internet is secure...
- 14. Mudge on Twitter: As of version 7.2 L0phtcrack is now open source. - I was hoping to find swears and interesting stuff in the comments; at a quick glance, I could not, but they did create a Hashcat shared library which is neat.
- 15. Pablo Escobar’s Cocaine Hippos Are Legally People, Court Rules - "All was well until the hippos started fucking. Now, there are up to 120 hippos roaming around Colombia, and they are considered one of the top invasive species in the world. Authorities have weighed a plan to kill the hippos off and on since 2009, and it's recently gained steam." and then "Last July, Colombian attorney Luis Domingo Gómez Maldonado filed a lawsuit on the hippos’ behalf to save them from being euthanized. Instead, the case recommends sterilization. Colombian officials announced a plan to use a chemical contraceptive developed by the U.S. Agriculture Department to sterilize “the main group” of the hippos, and the region’s environmental agency Cornare began to implement the plan on Friday, darting 24 hippos." and somehow: "“So we applied for the hippos’ rights to compel their testimony in order to support the Colombian litigation, and now the [U.S. District Court for the Southern District of Ohio] has granted that application, recognizing that the hippos are interested persons.” This may seem like a minor and incremental step in the hippos’ court proceedings. But the implications of this decision could be huge. In granting this application, the district court recognized animals as legal persons for the first time in U.S. history."
- 16. Microsoft launches open source Linux version of system monitoring utility Sysmon
- 17. Sinclair TV stations crippled by weekend ransomware attack
- 18. WinRAR’s vulnerable trialware: when free software isn’t free
- 19. FontOnLake malware infects Linux systems via trojanized utilities
- 20. Hackers are disguising their malicious JavaScript code with a hard-to-beat trick - https://flip.it/Ndxhia
- 21. No New PC Needed: Windows 11 Runs on a 15-Year-Old Intel Pentium 4 Chip - https://flip.it/bLhSxb
- 1. VPN Provider’s Misconfiguration Exposes One Million Users - At least one million users of a Chinese-run VPN service have had their personally identifiable information (PII) exposed due to a misconfigured Elasticsearch
- 2. 83% of ransomware victims paid ransom: Survey - A new survey of 300 US-based IT decision-makers found that 64% have been victims of a ransomware attack in the last 12 months, and 83% of those attack victims paid the ransom demand.
- 3. Zerodium wants zero-day exploits for Windows VPN clients - In a short tweet today, exploit broker Zerodium said that it is looking to acquire zero-day exploits for vulnerabilities in three popular virtual private network (VPN) providers: NordVPN, ExpressVPN, and SurfShark VPN.
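On item 6 above, an added simulation that is not from the quoted article or the show: the relay the quote describes, with a victim's browser on an attacker proxy forwarding password, TOTP code and the resulting session token to the real site, set beside a WebAuthn-style factor that the same relay cannot forward because the browser signs the origin it is actually on. Python, runs stand-alone. The origins, user, password and TOTP seed are constructed (the seed is the RFC 6238 test secret), and an HMAC over clientDataJSON with a key the server and authenticator share stands in for the real public-key signature; the origin and challenge checks are the ones a relying party performs.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time
from typing import Dict, Optional

RP_ORIGIN = "https://bank.example"          # assumed legitimate site
PHISH_ORIGIN = "https://bank-example.com"   # assumed attacker proxy on a lookalike domain


def totp(secret: bytes, counter: Optional[int] = None, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over RFC 4226 HOTP (HMAC-SHA1, dynamic truncation)."""
    if counter is None:
        counter = int(time.time()) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Server:
    """The legitimate site. Only the WebAuthn path checks which origin the user was on."""

    def __init__(self) -> None:
        self.password = "correct horse battery staple"   # constructed
        self.totp_secret = b"12345678901234567890"        # RFC 6238 test secret
        self.cred_key = secrets.token_bytes(32)            # stands in for the credential's public key
        self.challenges: set = set()
        self.sessions: Dict[str, str] = {}

    def _issue_session(self) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = "alice"
        return token

    def login_totp(self, user: str, password: str, code: str, counter: Optional[int] = None) -> Optional[str]:
        if user != "alice" or password != self.password:
            return None
        if not hmac.compare_digest(code, totp(self.totp_secret, counter)):
            return None
        return self._issue_session()  # nothing here knows which site the code was typed into

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_webauthn(self, user: str, assertion: Dict[str, str]) -> Optional[str]:
        client_data = json.loads(assertion["clientDataJSON"])
        if user != "alice" or client_data.get("type") != "webauthn.get":
            return None
        if client_data.get("origin") != RP_ORIGIN:          # the check a relay cannot satisfy
            return None
        if client_data.get("challenge") not in self.challenges:
            return None
        self.challenges.discard(client_data["challenge"])    # challenges are single use
        expected = hmac.new(self.cred_key, assertion["clientDataJSON"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        return self._issue_session()


class Browser:
    """Victim's browser plus authenticator. It signs the origin it is really on, not the one it was told."""

    def __init__(self, current_origin: str, cred_key: bytes) -> None:
        self.origin = current_origin
        self.cred_key = cred_key

    def webauthn_get(self, challenge: str) -> Dict[str, str]:
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": self.origin}, sort_keys=True)
        signature = hmac.new(self.cred_key, client_data.encode(), hashlib.sha256).hexdigest()
        return {"clientDataJSON": client_data, "signature": signature}


class PhishingProxy:
    """Attacker-in-the-middle: forwards what the victim submits to the real site and keeps a copy."""

    def __init__(self, server: Server) -> None:
        self.server = server
        self.captured: Dict[str, object] = {}

    def relay_totp(self, user: str, password: str, code: str, counter: Optional[int]) -> Optional[str]:
        self.captured.update(user=user, password=password, code=code)
        token = self.server.login_totp(user, password, code, counter)
        self.captured["session"] = token   # the session cookie the quote mentions, now attacker-held
        return token

    def relay_webauthn(self, user: str, assertion: Dict[str, str]) -> Optional[str]:
        self.captured["assertion"] = assertion
        return self.server.login_webauthn(user, assertion)


def run_demo() -> Dict[str, bool]:
    server, now = Server(), int(time.time()) // 30
    proxy = PhishingProxy(server)
    victim = Browser(PHISH_ORIGIN, server.cred_key)       # victim is on the lookalike page
    # 1. Password + TOTP relayed: accepted, and the proxy now holds a valid session.
    token = proxy.relay_totp("alice", server.password, totp(server.totp_secret, now), now)
    totp_phished = token is not None and server.sessions.get(token) == "alice"
    # 2. WebAuthn relayed: the signed clientData says origin=PHISH_ORIGIN, so the server refuses.
    assertion = victim.webauthn_get(server.new_challenge())   # proxy fetched a real challenge
    webauthn_phished = proxy.relay_webauthn("alice", assertion) is not None
    # 3. The same authenticator used directly on the real origin still works.
    honest = Browser(RP_ORIGIN, server.cred_key)
    direct_ok = server.login_webauthn("alice", honest.webauthn_get(server.new_challenge())) is not None
    return {"totp_phished": totp_phished, "webauthn_phished": webauthn_phished, "webauthn_direct_ok": direct_ok}


if __name__ == "__main__":
    print(run_demo())
```

The point the simulation makes is structural, not about code strength: a TOTP code carries no information about where it was entered, so the real site has no way to tell the relayed login from a direct one, whereas the origin is inside the signed data of the WebAuthn assertion and the attacker cannot rewrite it without the key.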