View More ASW Episodes

ASW #230 – Lina Lau

Join us for this segment with Lina Lau to learn lessons from real incident response engagements covering types of attacks leveraged against the cloud, war stories from supply chain breaches seen in the last 1-2 years, and how defenders and enterprises can better protect and proactively defend against these attacks. Segment Resources: Attacking and Defending the Cloud (Training) https://training.xintra.org/ Blackhat Singapore 2023 Training ADVANCED APT THREAT HUNTING & INCIDENT RESPONSE (VIRTUAL) https://www.blackhat.com/asia-23/training/schedule/index.html#advanced-apt-threat-hunting–incident-response-virtual-29792 Blackhat USA 2023 Training ADVANCED APT THREAT HUNTING & INCIDENT RES...

Full Show Notes
Segment One

Supply Chain Breaches and Hacking the Cloud: Lessons Learned from IR – Lina Lau – ASW #230

Join us for this segment with Lina Lau to learn lessons from real incident response engagements covering types of attacks leveraged against the cloud, war stories from supply chain breaches seen in the last 1-2 years, and how defenders and enterprises can better protect and proactively defend against these attacks.

Segment Resources: Attacking and Defending the Cloud (Training) https://training.xintra.org/

Blackhat Singapore 2023 Training ADVANCED APT THREAT HUNTING & INCIDENT RESPONSE (VIRTUAL) https://www.blackhat.com/asia-23/training/schedule/index.html#advanced-apt-threat-hunting--incident-response-virtual-29792

Blackhat USA 2023 Training ADVANCED APT THREAT HUNTING & INCIDENT RESPONSE (IN-PERSON) https://www.blackhat.com/us-23/training/schedule/#advanced-apt-threat-hunting--incident-response-30558

Guest

Lina is the Founder of XINTRA, an advanced cybersecurity training focused on APT techniques and detections. She has an extensive background in leading complex incident response engagements, where she was formerly the Principal IR Consultant at Secureworks APJ and the AAPAC Incident Response lead for Accenture ANZ where she built and set up the IR capability for the ANZ region. She has worked multiple international cases covering sectors such as national defence, banking, energy, and manufacturing. Lina is also a Black Hat trainer, SANS advisory board member and has presented at several international conferences and authored a book on cybersecurity. She currently holds the following certifications: GXPN, GASF, GREM, GCFA and OSCP.

Announcements

  • Security Weekly listeners save $100 on their RSA Conference 2023 Full Conference Pass! RSA Conference will take place April 24-27 in San Francisco and on demand. To register using our discount code, please visit https://securityweekly.com/rsac2023 and use the code 53UCYBER! We hope to see you there!

Segment Two

Twitter 2FA, Server-Side Prototype Pollution, AI Security & Privacy, Smarter Testing – ASW #230

Twitter 2FA goes away, safe testing for server-side prototype pollution, OWASP's guide on AI security & privacy, Adobe's approach to smarter security testing, a fast web fuzzer

Announcements

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

List of Articles

Mike Shema

  1. Analysts Slam Twitter’s Decision to Disable SMS-Based 2FA

    It's a bad step to tie security to premium features. Plus, SMS-based 2FA is the weakest of the available options. Phone numbers are easier to manage and more portable than authenticator apps, but authenticator apps are almost always better in the long run as long as they can be backed up and recovered in case of a lost device.

    This is also a lesson in communications. Even if this is just motivated by reducing costs for text messages, it would have been helpful to launch a campaign that encourages everyone to shift to authenticator apps or at least be clear that users have that alternative to 2FA.

    The bigger picture is that, as of December 2020, only about 2.3% of users enabled 2FA in the first place, and 80% of those relied on SMS. Looking at this from an appsec perspective, focusing on SMS ignores the problem that almost every user doesn't even use 2FA in the first place.

    Another article walks through how to setup for 2FA. All apps should support 2FA without additional cost to the user.

  2. Server-side prototype pollution: Black-box detection without the DoS | PortSwigger Research

    Really cool, detailed research on identifying flaws in server-side JavaScript apps. It's a good review of prototype pollution and an even better review of crafting safe, reliable payloads. It's possible to DoS a site with this kind of testing. That, of course, means there's a bug to fix. But it's more useful to be able to probe for this kind of vuln without taking down the site for everyone else.

    Every pentester likely has one story about a test gone wrong -- a payload shutdown a service or erased data. This article shows how to be deliberate and careful with security testing in order to keep those stories rare.

  3. OWASP Kubernetes Top 10 – Sysdig

    This is a nice overview of the Top 10 K8s issues from OWASP. It highlights three themes: misconfigurations, lack of visibility, and vulnerability management.

    The OWASP cheatsheet has more details. There's also another checklist and a checklist from k8s itself. Eventually, we'll have better default security and less need for long checklists.

  4. OWASP AI Security and Privacy Guide

    OWASP has a new project on AI security and privacy. Right now it has an overview of common attacks against ML models along with pitfalls of training data.

  5. Black Hat to Launch Official Certification Program

    We haven't talked about certifications on the show, but we should! Now Black Hat is getting into the certification business. Their current syllabus for it is half web hacking and half infrastructure hacking. The web hacking basically looks like items from the OWASP Top 10 and Portswigger articles (shout out to directory traversal vulns!). The infrastructure side seems heavy on corp IT, with Active Directory and lateral movement techniques.

    It's interesting to see where this kind of cert focuses attention. For example, there's mention of S3 buckets and Docker escapes, along with "common security weaknesses" in the cloud.

    More details at https://secops.group/blackhat-certified-pentester-bcpen/

  6. TOOL: ffuf: Fast web fuzzer written in Go

    Fuzz Faster U Fool (ffuf) is a Go-based web fuzzer that turns wordlists and patterns into HTTP requests to find directories, virtual hosts, usernames, and otherwise fuzz parameter names and values. While its pronunciation may be mysterious, its utility in discovering resources makes it a top choice for bug bounty researchers. The fuzzer might find unprotected pages, bypasses against weak security checks and poor regexes, misconfigurations, and exploitable flaws.

    Additional resources:

    p.s. here at ASW we pronounce it to rhyme with tough, just like Billy Ocean

  7. npm flooded with 15k spam packages with phishing links

    It feels like a time of reckoning is coming for npm.

Akira Brand

  1. Cyber attacks work because CISOs don’t do basic security: Microsoft

    This somewhat controversial article argues that CISOs aren't doing the basics right, resulting in breach after breach. The author gives several points as to what CISOs could be doing better and makes some...strongly worded arguments in the process.

  2. Dole Experiences Cybersecurity Incident

    Dole recently experienced a cyber incident that was identified as ransomware. While it is unclear based on their statement how much this incident has impacted their operations, other sources say that Dole had to shut down one of their plants for a day, impacting the availability of their salad products in grocery stores.

John Kinsella

  1. Adobe targeted appsec testing

    Adobe's pivoting to a model where they try to focus their security testing on types of attacks that are being seen. That sounds simple, but to do it with intention across a line of products like Adobe has is impressive.

    Moreso, though - is the also mentioned Adobe Trust Center. They're providing access to customers who sign an NDA to be able to review the pentest results and security whitepapers for various products.

  2. npm flooded with 15k spam packages with phishing links
  3. Fish shell plans to “port” to Rust

    This will be interesting to watch: The maintainer of the Fish shell is planning on a "port" (not a rewrite - definitely not a rewrite) of fish from C++ to Rust, pointing to things such as memory safety and...c++ header files?

    Anyways - the reason this will be interesting is it's being well planned (https://github.com/fish-shell/fish-shell/blob/master/doc_internal/fish-riir-plan.md), is happening in public, and they're already cognizant of a few issues - not everyone on the existing team knows Rust (or perhaps wants to learn), bugs may be introduced, and it will probably require pausing feature development while the port is worked on.

  4. Crypto Wallet Firm claims magic links have critical vulnerability
  5. Salesforce web3 guy: “the wallet is the new cookie”

    To me, browser cookies don't have a positive connotation?

Show More

Stay in the Know, No Smoke and Mirrors – Join Our Newsletter

Get expert insights and technical breakdowns straight to your inbox.
Join Now

Related Episodes

Related Content

You can skip this ad in 5 seconds