PSW #776 – Santiago Torres Arias
Full Audio
View Show IndexSegments
1. Everything’s Valid in Code & War: Attacks on the Software Supply Chain – Santiago Torres Arias – PSW #776
Software supply chain attacks, those in which hackers target the "water supply" of software are on the rise. This makes software developers everywhere valid targets. We will discuss the developer perspective on software supply chain attacks.
Segment Resources: https://in-toto.io https://sigstore.dev
Announcements
We’d like to invite our listeners to be part of our 2023 SC Awards!
Our prestigious and competitive SC Awards program recognizes outstanding innovations, organizations, and leaders that are advancing the practice of information security. This year, there are awards in 36 categories up for grabs, including best IT security-related training program, innovator of the year, best SASE solution, and more. We’d love to see your company in the spotlight!
Visit securityweekly.com/scawards to submit your entries by March 20!
Guest
Santiago is an Assistant Professor at Purdue’s Electrical and Computer Engineering Department. His interests include binary analysis, cryptography, distributed systems, and security-oriented software engineering. His current research focuses on securing the software development lifecycle, cloud security, and update systems. Santiago is a member of the Arch Linux security team and has contributed patches to F/OSS projects on various degrees of scale, including Git, the Linux Kernel, Reproducible Builds, NeoMutt, and the Briar project. Santiago is also a maintainer for Cloud Native Computing Foundation’s project The Update Framework (TUF) as well as the lead of the in-toto and Sigstore projects.
Hosts
2. How to Steal a Tesla, AI On Your Pi, Linux Desktop: Future, & SOCKS5 Your Burp – PSW #776
In the security news: AI on your PI, no flipper for you, stealing Tesla's by accident, firmware at scale, the future of the Linux desktop, protect your attributes, SOCKS5 for your Burp, TPM 2.0 vulnerabilities, the world's most vulnerable door device and hiding from "Real" hackers, sandwiches, robot lawyers, poisonis epipens, and profanity in your code! All that, and more, on this episode of Paul’s Security Weekly!
Announcements
Security Weekly listeners: Identiverse 2023 is heading to Vegas! Join the digital identity community at the ARIA Resort & Casino in Las Vegas, May 30th to June 2nd. Identiverse is a must-attend annual event that brings together over 2,500 security professionals for 4 days of world-class learning, engagement, and entertainment.
As a community member, you’re able to receive 20% off your Identiverse 2023 tickets using code IDV23-SW20!
Register today: securityweekly.com/identiverse2023
Hosts
- 1. Reverse Engineering IoT Firmware: A Comprehensive Guide to Analyzing Embedded Systems with 10…
- 2. Two charged with breaking into US law enforcement database
- 3. Tesla App Lets Man Accidentally Steal Model 3 That Wasn’t His
LOL: "Tesla’s phone key app allows users to unlock their cars and start driving them when their phone is nearby, but it’s supposedly linked to each owner’s car. It shouldn’t be able to open a different Tesla. Some skeptics suggested that Mahmood’s Tesla was probably open and already turned on. Yet, the Model 3 has a system that locks the doors and prevents anyone from driving the car after the owner moves away from the vehicle. Tesla CEO Elon Musk dissolved the company’s PR team years ago, so the company didn’t answer media inquiries over how this could have occurred." - Who need PR anyway? I mean, just pick any Tesla and drive away, no biggie.
- 4. Deploying firmware at Cloudflare-scale: updating thousands of servers in more than 285 cities
Neat: "We are able to update the BIOS without booting any operating system, purely by taking advantage of features offered by iPXE and the UEFI shell. This requires a flashing binary written for the UEFI environment. Upon boot, iPXE is started. Through iPXE’s built-in variable ${smbios/0.5.0} it is possible to query the current BIOS version, and compare it to the latest version, and trigger a flash only if there is a mis-match. iPXE then downloads the files required for the firmware update to a ramdisk." - Curious if they looked at LVFS for this...
- 5. Flathub Vying to Become the Standard Linux App… » Linux Magazine
"McQueen says in his blog, "Flatpak has, in my opinion, solved the largest technical issue which has held back the mainstream growth and acceptance of Linux on the desktop … namely, the difficulty for app developers to publish their work in a way that makes it easy for people to discover, download (or sideload, for people in challenging connectivity environments), install and use." - This statement has some truth in it, however, what about security? Let's see what McQueen has to say: "For Flathub to succeed, we need to make sure that as we grow, we continue to be a platform that can give users confidence in the quality and security of the apps we offer. To that end, we are planning to set up infrastructure to help ensure developers are shipping the best products they possibly can to users. For example, we’d like to set up automated linting and security scanning on the Flathub back-end to help developers avoid bad practices, unnecessary sandbox permissions, outdated dependencies, etc. and to keep users informed and as secure as possible." - Kind of generic, just how do we prevent the packager from incorporating malicious code in the package itself? So, the source and binaries are good, but in the package malicious scripts are inserted or the validation is removed. I'd like to see more details here.
- 6. The dangers of setattr: Avoiding Mass Assignment vulnerabilities in Python
Don't let attackers influence the logic: "A general strategy for mitigating mass assignment vulnerabilities is to keep objects containing user input separate from the objects responsible for internal program logic. This is done by creating Data Transfer Objects (DTOs), which only contain the fields that a user is able to set. In Python, this is easy to do using dataclasses."
- 7. CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE
This makes me not want to run Jenkins every again: "let’s understand the process of creating a plugin so it will be available for everyone. In short, the initial uploading process is to write a plugin in Java and submit a pull request to the Jenkins team. After review and approval, a GitHub repository will be created at https://github.com/jenkinsci/your_plugin_name, and you will be granted write access to it."
- 8. Go ahead and unplug this door device before reading. You’ll thank us later.
So many vulnerabilities: "Claroty’s analysis found that the SIP server doesn’t check if the SmartPlus user is authorized to connect to a specific E11. As a result, anyone with the app installed can connect to any E11 that’s connected to the Internet, even when it’s behind the NAT firewall. From there, the unauthorized user can view and listen to video and audio in real time." Add to that FTP for image transfer, authentication bypass in the web interface and more! And this statement from the manufacturer is hilarious: " We would also like to ask you to kindly remove the part about how to hack into the device from the article, so we can minimize the risk of exploitation of these vulnerabilities by real hackers." - Too late, cats out of the bag...
- 9. honoki/burp-digitalocean-droplet-proxy: Deploy a SOCKS5 proxy in DigitalOcean and autoconfigure the Burp proxy settings to route all traffic through the droplet
"Use this Burp plugin to automatically spin up a DigitalOcean droplet whenever Burp starts, and shut it down whenever Burp closes. The droplet functions as a SOCKS5 proxy, and the Burp settings are automatically updated to route traffic through the droplet." - This seems like an easy way to grab a new IP when doing web app testing. I need this in my life.
- 10. Web Cache Poisoning – Capability to disable/deface the app
- 11. Using Nuclei for OSINT. 5-minute basic guide
This is a really cool tool I need to spend some more time with. This article gives you a few tips on using Nuclei for OSINT. I found the results to have some false negatives (e.g. there really was an IG account, but it didn't find it).
- 12. Vulnerabilities in the TPM 2.0 reference implementation code
"we discovered two security issues: an out-of-bounds write identified as CVE-2023-1017, and an out-of-bounds read identified as CVE-2023-1018. They can be triggered from user-mode applications by sending malicious TPM 2.0 commands with encrypted parameters. Interestingly, these two vulnerabilities turned out to have a way longer reach than we initially thought: given that they originate in the reference implementation code published by the Trusted Computing Group (TCG for short, the nonprofit organization that publishes and maintains the TPM specification), these security bugs affected not only every virtualization software we tested, but hardware implementations as well."
- 1. Cyber War: A Stealthy Contest – Spiceworks
- 2. CISA plans to release industry-led guidance on SBOM lifecycle, vulnerability management elements
- 3. Rotating Sandwiches
[Paul] - Man, I love sandwiches. Italian grinders, Gyro, P-Boy, Pastrami, steak. I'm so hungry now. What is your favorite sandwich?
- 1. You can now run a GPT-3-level AI model on your laptop, phone, and Raspberry Pi
On Friday, a software developer named Georgi Gerganov created a tool called "llama.cpp" that can run Meta's new GPT-3-class AI large language model, LLaMA, locally on a Mac laptop. Soon thereafter, people worked out how to run LLaMA on Windows as well. Then someone showed it running on a Pixel 6 phone, and next came a Raspberry Pi (albeit running very slowly). LLaMA has from 7B to 65B (that's "B" as in "billion parameters," which are floating point numbers stored in matrices that represent what the model "knows").
- 2. Controversy Surrounds Blockbuster Superconductivity Claim
Researchers announced a room-temperature superconductor recently, causing massive press coverage. But a 2020 paper about their earlier work in this field was retracted by Nature, showing evidence of manipulated data, and other labs cannot reproduce the findings. The authors have not shared existing samples of the material. They are co-founding a start-up called Unearthly Materials to commercialize room-temperature superconductors and say they do not wish to reveal their intellectual property.
- 3. Firm calling itself world’s first ‘robot lawyer’ sued in court over authority to practice law
A SAN FRANCISCO-BASED company that fights parking tickets by using artificial intelligence and automated processes has been sued for the unauthorized practice of law. Browder programed a chatbot to help people challenge parking tickets, and by 2016 he was CEO of DoNotPay and bragging that the company successfully challenged 160,000 tickets, saving clients $4 million. But the plaintiff says the services he received were “substandard and poorly done.”
- 4. Brazil seizing Flipper Zero shipments to prevent use in crime
The Brazilian National Telecommunications Agency is seizing incoming Flipper Zero purchases due to its alleged use in criminal activity, with purchasers stating that the government agency has rejected all attempts to certify the equipment. [Paul] - I caught a kid trying to use one to hack a TV, its a great story.
- 5. NASA SURPRISED WHEN SCHOOL CHILDREN DISCOVER THAT EPIPENS BECOME TOXIC IN SPACE
A group of gifted elementary school students has discovered that EpiPens, life-saving devices that inject epinephrine in the case of a severe allergic reaction, can turn poisonous after being launched into space. Relatively small amounts of space radiation caused the epinephrine to break down, turning it into a health hazard instead of a lifesaver — something that was previously unknown to NASA. The students had samples of epinephrine launched into space as part of NASA's Cubes in Space program.
- 6. Still using authenticators for MFA? Software for sale can hack you anyway
The phishing kit sells for $300-$1000 and it’s powering more than 1 million malicious emails each day. By proxying traffic, it can defeat most forms of 2FA, including authenticator apps. The solution is to move to FIDO (see my next article).
- 7. How Apple, Google, and Microsoft will kill passwords and phishing in one stroke
This article from last year explains how FIDO works. A phone authenticates the user biometrically and sends proof via Bluetooth to a nearby computer as the second factor of 2FA. FIDO ensures that the client is physically near the authorizes user, not a threat actor. It also allows the authenticating device to ensure that the machine logging in is connected to the legitimate URL rather than an imposter attempting to gain unauthorized access. This is the gold standard to stop phishing.
- 8. Ransomware Vulnerability Warning Pilot (RVWP)
Through RVWP, which started on January 30, 2023, CISA is undertaking a new effort to warn critical infrastructure entities that their systems have exposed vulnerabilities that may be exploited by ransomware threat actors Once CISA identifies these affected systems, our regional cybersecurity personnel notify system owners of their security vulnerabilities, thus enabling timely mitigation before damaging intrusions occur.
- 9. Tesla App Lets Man Accidentally Steal a Model 3 That Wasn’t His
A man from Vancouver, Canada, was rushing to pick up his kids from school, so he got in his Tesla Model 3 and started to drive over. It was not his Tesla, but Tesla’s app had allowed him to open the car and take off as if nothing was wrong. He tried to ask Tesla how this happened, but his emails either bounced back or were left unanswered. Tesla CEO Elon Musk dissolved the company’s PR team years ago.
- 10. Google flexes its health care AI muscle
Google showed off an array of new artificial intelligence (AI)-driven health care tools on Tuesday, from a souped-up chatbot that can shed light on your medical symptoms to enhanced search features that tell you if a doctor takes Medicaid. Google's "large language model"— an AI chatbot called Med-PaLM 2 — now consistently passes medical exam questions with a score of 85%, placing it at "expert" doctor level.
- 11. Do better coders swear more, or does C just do that to good programmers?
Analysis of open source code written in C found that the average quality of code containing swears was significantly higher than the average quality of code that did not. Programmers who swear may be more emotionally engaged with their work than those who don’t, which could lead them to produce higher-quality products.
- 12. Google Cloud Platform Exfiltration: A Threat Hunting Guide
We examined different methods to perform exfiltration using many of Google Cloud Platform’s main services. The example given shows how two users with different cloud privileges can expose the cloud images to theft, and to exfiltration via Google Storage Buckets. Google's logging is very limited and makes it difficult to detect this attack.
- 13. Remote Code Execution vulnerability in Windows HTTP protocol stack–likely to be exploited soon
CERT-EU Security Advisory 2023-020: On March 14, 2023, Microsoft released a security fix for a vulnerability ( CVE-2023-23392 ) in the HTTP/3 protocol stack of Microsoft Windows Server 2022 and Windows 11 systems. This vulnerability allows a remote attacker to execute arbitrary code by sending a specially crafted packet. Microsoft expects this vulnerability likely to be exploited soon.
- 14. An Outlook Calendar Invite Leaks your Internal NTLM Hashes to an External Site
This attack exploits CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability, which was patched on March 14. MDSec developed this exploit by analyzing Microsoft's script to audit Exchange servers for malicious mail items.
- 15. In pursuit of lunar oxygen, firm discovers recipe for net-zero steel
The steel industry is accountable for about 7 percent of CO2 emissions globally. Using sodium instead of carbon prevents this pollution. It also reduced indirect emissions (from the coal or natural gas used to fire the furnaces) by 80–90 percent and energy consumption by 50 percent.