PSW #781 – Ivan Arce
1. Supply Chain Security – Ivan Arce – PSW #781
We will talk about supply chain security, the TPM 2.0 vulnerabilities recently discovered by a Quarkslab researcher, bugs in reference implementations, vulnerability disclosure, and perhaps various other topics.
Segment Resources:
Vulnerabilities in the TPM2.0 reference implementation https://blog.quarkslab.com/vulnerabilities-in-the-tpm-20-reference-implementation-code.html
Vulnerabilities in High Assurance Boot of NXP i.MX microprocessors https://blog.quarkslab.com/vulnerabilities-in-high-assurance-boot-of-nxp-imx-microprocessors.html
Heap memory corruption in ASN.1 parsing code generated by Objective Systems Inc. ASN1C compiler for C/C++ https://github.com/programa-stic/security-advisories/blob/master/ObjSys/CVE-2016-5080/README.md
Announcements
Security Weekly listeners save $100 on their RSA Conference 2023 Full Conference Pass! RSA Conference will take place April 24-27 in San Francisco and on demand. To register using our discount code, please visit https://securityweekly.com/rsac2023 and use the code 53UCYBER! We hope to see you there!
Guest
Ivan is Chief Research Officer at Quarkslab, a French infosec company specializing in services and products that require in-depth technical expertise, where he leads a cross-functional team that coordinates all of the company's security research.
He is an industry veteran with over 30 years in the infosec (now known as cybersecurity) community. He co-founded Core Security Inc., an Argentinian cybersecurity company, in the mid 1990s, and was a very early guest of PSW.
He lives in Buenos Aires, Argentina.
Hosts
2. Under the Weather (Taxonomy?), Beating Roulette, Monitoring Macs, & XBMC Glory Days – PSW #781
In the security news: Blizzards, Sleet, Typhoons, Sandstorms and Tsunamis, masking your car stealing tech in a Nokia phone, kill -64, Google doesn't want to fix an RCE, hijacking packages, monitoring macs, beating Roulette, lame advice from Microsoft, are post-authentication vulnerabilities even vulnerabilities?, Ghosts, burpgpt, and do you trust Google? All that and more on this episode of Paul’s Security Weekly.
Announcements
Join us at an upcoming Official Cyber Security Summit in a city near you! This series of one-day, invitation-only, executive-level conferences is designed to educate senior cyber professionals on the latest threat landscape. We are pleased to offer our listeners $100 off admission when you use code SecWeek23 to register. Visit securityweekly.com/cybersecuritysummit to learn more and register today!
Hosts
- 1. Memory corruption in JCRE: An unpatchable HSM may swallow your private key
- 2. Microsoft shifts to a new threat actor naming taxonomy – Microsoft Security Blog
"We are shifting to a new threat actor naming taxonomy aligned to the theme of weather. The complexity, scale, and volume of threats is increasing, driving the need to reimagine not only how Microsoft talks about threats but also how we enable customers to understand those threats quickly and with clarity. With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data. It will offer a more organized, memorable, and easy way to reference adversary groups so that organizations can better prioritize threats and protect themselves. Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name." - I think each one should have a theme song, pulled from popular culture, e.g. Storm should be Thunderstruck, Blizzard is Led Zeppelin's "Immigrant Song", etc.
- 3. The Car Thieves Using Tech Disguised Inside Old Nokia Phones and Bluetooth Speakers
"Despite the devices' high prices, the one Tabor bought contained just $10 worth of components, the write-up says. These include a chip with CAN hardware and firmware, and another CAN-related chip." - So $2k for some fancy packaging LOL. I think we all predicted this would happen, that thieves would become more technical and use that expertise to steal cars, then create a market for the tech where even non-tech people could easily steal vehicles.
- 4. Linux Rootkits Part 3: A Backdoor to Root :: TheXcellerator
Very well-written blog series, neat stuff: "Taking a look at signal.h, we see that these SIG names for the signals are really just numbers (as you’ll see, this is the case for many things in the kernel). Here you’ll see for instance that SIGKILL is defined as 9, which is the reason we type kill -9 $PID when we really want a process to die. Notice also that these numbers only go up to 32 (on x86). We are going to implement our own signal handler for number 64 - no one would notice that, right?" - I am still working through the entire series.
- 5. Finding Something New About CVE-2022-1388 – Blog – VulnCheck
- 6. burpgpt
- 7. Remote Code Execution Vulnerability in Google They Are Not Willing To Fix
This is a pretty amazing story, I blame pip and not Google: "I scanned GitHub repositories for lists of dependencies in common formats and looked for dependencies that were part of a dependency list, but there was no matching package in the public package repository. For example, for Python, I looked at lists matching the output of pip freeze command and for packages that were not present in PyPi. The search space was constrained to repositories that were owned by an organization related to major technology companies, such as Google or Microsoft, and to repositories that were owned by employees of these companies. I considered a GitHub user an employee if they had set their company in GitHub to a large tech company, e.g., they had the @google tag on their profile." - This was also an interesting read: https://github.com/pypa/pip/issues/8606
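An added example, written from the defender's side rather than the researcher's (it is not the researcher's scanner or pip's code): it parses pip freeze style output, normalizes names per PEP 503, and flags dependencies that have no matching public package, which is exactly the list a team should reconcile against its private index before someone else does. The sample freeze output and the public-index name set are constructed stand-ins; a real check would query PyPI.

```python
import re

# Constructed sample of "pip freeze" output for a hypothetical internal project.
SAMPLE_FREEZE = """\
# generated with pip freeze
requests==2.28.2
Django==4.2
acme_internal_auth==1.4.0
-e git+https://example.invalid/acme/tools.git@abc123#egg=acme-tools
Pillow @ https://files.example.invalid/Pillow-9.5.0.whl
PyYAML[extras]==6.0
"""

# Constructed stand-in for a public-index lookup (a real check queries PyPI).
# Names are stored in PEP 503 normalized form so comparisons are exact.
PUBLIC_INDEX = {"requests", "django", "pillow", "pyyaml"}

# Project name is the leading token; extras, specifiers and URLs follow it.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_freeze(text: str) -> list[str]:
    """Extract normalized project names from pip freeze style lines."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-e"):
            # Editable VCS install: the name lives in the #egg= fragment, if any.
            m = re.search(r"#egg=([A-Za-z0-9._-]+)", line)
            if m:
                names.append(normalize(m.group(1)))
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def unclaimed_dependencies(text: str, index: set[str]) -> list[str]:
    """Dependency names with no public package: typos or unregistered internal names."""
    return sorted({n for n in parse_freeze(text) if n not in index})
```

Anything this returns is either a typo or an internal package that must be pinned to a private index (or have its name claimed) so a public upload cannot shadow it.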
- 8. Hijacking Arch Linux Packages by Repo Jacking GitHub Repositories
Interesting research, especially where they cross-referenced different vulnerable conditions in Git with the most popular packages. This is fixable, though, as I believe the vulnerabilities stem from poorly configured GitHub accounts and repos. Seems like we just need to roll out this fix: "GitHub deployed mitigation against repo jacking attacks: the popular repository namespace retirement. We did not discuss this mitigation in this blog post as it only applies to popular GitHub repositories."
- 9. Introducing: Red Canary Mac Monitor
"Red Canary Mac Monitor is a feature-rich dynamic analysis tool for macOS that leverages our extensive understanding of the platform and Apple’s latest APIs to collect and present relevant security events. Mac Monitor is practically the macOS version of the Microsoft Sysinternals tool Procmon. Mac Monitor collects a wide variety of telemetry classes, including processes, interprocess, files, file metadata, logins, XProtect detections, and more—enabling defenders to quickly and effectively analyze enriched, high-fidelity macOS security events in a native, modern, and customizable user interface."
- 10. Shell in the Ghost: Ghostscript CVE-2023-28879 writeup – Almond Offensive Security Blog
- 11. Pretalx Vulnerabilities: How to get accepted at every conference
- 12. Proxyjacking has Entered the Chat – Sysdig
- 13. The Gambler Who Beat Roulette
Crazy story.
- 14. Google delivers secure open source software packages – Help Net Security
Do you trust Google?
- 15. Patch Tuesday: Microsoft fixes a zero-day, and two curious bugs that take the Secure out of Secure Boot
- 16. Microsoft shares guidance to detect BlackLotus UEFI bootkit attacks
"Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of remote access trojans (RATs) and other unwanted applications." - Microsoft. I believe what Microsoft isn't stating is just how many privilege escalation vulnerabilities and methods are available to attackers. While the advice is good security advice, there are many other vectors to consider and monitor for. This is a good start: PayloadsAllTheThings/Methodology and Resources/Windows - Privilege Escalation.md
- 17. Archer MR500 Router TP-Link Resolves WPS Pixie-Dust Vulnerability with Firmware Update
- 18. StarkeBlog – CVE Wednesday – CVE-2023-145{6,7,8}
This stance is from Ubiquiti on the post-authentication command injection vulnerabilities reported: "NOTE: The vendor position is that post-authentication issues are not accepted as vulnerabilities." - Do you agree or disagree?
- 19. Ghosts and podcasts
"Ghost types will allow for no-harm source augmentation to have more verification-ready language conditions, as opposed to going to some intermediate or non-standard verification-friendly language like Dafny or F. The important part of adding software assurance is to avoid taxing the developer as much as possible." - Also, this is interesting: "Verus is a tool for verifying the correctness of code written in Rust. Developers write specifications of what their code should do, and Verus statically checks that the executable Rust code will always satisfy the specifications for all possible executions of the code. Rather than adding run-time checks, Verus instead relies on powerful solvers to prove the code is correct. Verus currently supports a subset of Rust (which we are working to expand), and in some cases, it allows developers to go beyond the standard Rust type system and statically check the correctness of code that, for example, manipulates raw pointers." (https://github.com/verus-lang/verus)
- 1. wireproxy
Use WireGuard without root privs!
- 2. debugHunter – Chrome Extension
"Discover hidden debugging parameters and uncover web application secrets"
- 3. Living Off The Land Drivers
"Today, we are excited to announce the release of the Living Off The Land Drivers project. This project aims to consolidate as many vulnerable and malicious drivers as possible into a single location, making it accessible for everyone to find and learn from."
- 4. CryptoClippy Speaks Portuguese
Real-time clipboard monitoring and shenanigans. Scary!
- 5. Technical analysis of the Genesis Market
Some interesting analysis of the Genesis market software and related malware, Chrome extensions, etc.
- 6. GreyNoise – Introducing IP Similarity
GreyNoise is starting to introduce some REALLY cool features on their platform, using large scale data analysis and ML models. IP Similarity is exactly what it sounds like: "show me other IPs exhibiting the same behavior as this"
- 7. Harnessing the Power of AI in AWS Pentesting.pdf
A bit disappointed in the limited imagination here, but it's a very practical set of examples. Mostly focusing on the fact that ChatGPT enables a pen tester to 'just-in-time' learn any tool's CLI or generate code they need during a pen test. Just-in-time cheatsheets for most anything (as long as it existed before September 2021, that is).
- 8. 64 Methods For Execute Mimikatz(RTC0003)
Wondering why mimikatz is still an issue for defenders and a core attacker tool? Check this out.
- 9. APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers
Do these show notes support facepalm emoji? 1. it has been a best practice for 20+ years not to expose administrative services to the public Internet 2. the vuln being exploited is nearly SIX YEARS OLD 3. come on people