PSW #783 – Rob Fuller
1. Pen Testing Techniques and Jurassic Malware – Rob Fuller – PSW #783
Rob "Mubix" Fuller comes on the show to talk about penetration testing, what's changed over the years? He'll also discuss "Jurassic Malware" and creating games in your BIOS.
Announcements
Our teams from Security Weekly and SC Media were onsite at RSA Conference 2023 delivering in-depth reporting, analysis and interviews from the conference. If you were unable to join us in person, or didn't manage to catch our video livestream from Broadcast Alley, you can access all of our RSAC 2023 coverage at https://securityweekly.com/rsac.
Guest
Rob has over 17 years of experience covering all facets of information security. He has been behind the lines helping to design, build, and defend the US Marine Corps, US Senate, and Pentagon networks – as well as performing penetration tests and Red Team engagements against those same networks. More recently, Rob has built and led numerous Red Teams in successful engagements against many of the Fortune 50 companies, representing some of the best defensive teams in the industry.
Rob’s experience and expertise ranges from embedded and wireless devices in ICS/OT networks to standard IT infrastructures. He is a frequent speaker and trainer at a number of well-known security conferences. He has also served as a senior technical advisor for HBO’s show Silicon Valley. Rob has acquired a number of certifications and awards over the years, but the ones he holds above the rest are father, husband, and United States Marine.
2. No Pr0nHub 4 U, HTTP Lock Status, Selling Hacking Tools, & Chrome Drops HTTP Lock – PSW #783
This week in the Security News: 5-year old vulnerabilities, hijacking packages, EV charging apps that could steal stuff, do we even need software packages, selling hacking tools and ethics, I hate it when vendors fix stuff, HTTPS lock status, no pornhub for you!
Announcements
Join us at an upcoming Official Cyber Security Summit in a city near you! This series of one-day, invitation-only, executive level conferences are designed to educate senior cyber professionals on the latest threat landscape.
We are pleased to offer our listeners $100 off admission when you use code SecWeek23 to register.
Visit securityweekly.com/cybersecuritysummit to learn more and register today!
- 1. Sensitive data is being leaked from servers running Salesforce software
- 2. Evilflare: Circumventing Cloudflare’s Protection
- 3. Hackers exploit 5-year-old unpatched flaw in TBK DVR devices
"The exploit uses a maliciously crafted HTTP cookie, to which vulnerable TBK DVR devices respond with admin credentials in the form of JSON data." - A very convenient exploit! Also, looking like no one is patching this.
- 4. PornHub blocked in Utah over SB287 age-verification law
It's how the law was written that's the issue: "Under this bill, pornographic sites are required to verify that a visitor is at least 18 years old using uploaded government IDs or a third-party age verification service." - MindGeek (parent company of PornHub and several other brands) displays a message for Utah visitors: "While safety and compliance are at the forefront of our mission, giving your ID card every time you want to visit an adult platform is not the most effective solution for protecting our users, and in fact, will put children and your privacy at risk." They then recommend that you instead "demand device-based verification solutions". I'm not sure what that means, but there must be a trade-off here. Also, this could just drive folks to 1) use a proxy and 2) visit sites that are not-so-good at monitoring the content posted to their site...
- 5. Researcher hijacks popular Packagist PHP packages to get a job
"A developer, as opposed to uploading binaries or software releases directly to Packagist.org, simply creates a Packagist.org account, and "submits" a link to their GitHub repo for a particular package. Packagist's crawler then visits the provided repo and aggregates all the data to display on the Packagist page for that package" - Okay, this is pretty terrible, and I would never think it's a good thing to use Composer in production if you care about security at all. However, the attacker hijacked packages to get a job, which is probably not the best way to do so. Also, I believe the attacker just hijacked accounts with credential stuffing. I'm not impressed.
- 6. Fuzz testing for connected and autonomous vehicles
- 7. EV Charging Station Applications – a Growing Cyber Security Risk
I started looking at one of these apps, kind of scary. The apps want all sorts of information to give you better routes, and payment information. This article covers several different attack vectors. Now I don't want to install any of these apps, but I do want better routes than what Tesla provides. The one I tested also just asked me to provide my Tesla login to "provide live data from your car". Uhm, that's a big fat no! (A bank account is tied to your Tesla account!)
- 8. Software Packages, Do We Even Need Them?
"Switching to immutable binary packages addresses these risks. Since they can’t be changed, they can be cached in a local repository manager for fast, repeatable builds that let developers work quickly. Teams are insulated from disruptions in the supply chain of dependencies because whatever versions in use can be readily sourced from private caches or the centralized repository. When every package is uniquely identified, reliable software composition analysis becomes possible. Teams can easily comply with requirements for a software bill of materials, and when advisories or recalls are necessary, identifying which application versions are affected is a simple process. Finally, malicious open source attacks on developers and development infrastructure can be stopped at the repository, before they even enter the software development life cycle." - Interesting points, distribute binaries that are signed rather than source and make them immutable. You just need gatekeepers throughout the development process and at the distribution source.
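The two points above (a package index that merely re-points to a repo someone else controls, versus immutable, uniquely identified binaries served from a local cache) can be shown in a few lines. This is an added example, not code from Packagist, Composer or the quoted article; the package name, lockfile layout and artifact bytes are all constructed for illustration.

```python
import hashlib

# Constructed lockfile: each dependency is pinned to the sha256 of the exact
# artifact that was reviewed, not just to a name, version or repo URL.
LOCKFILE = {
    "acme/http-client": {"version": "2.1.0", "sha256": None},  # filled in below
}

# Constructed bytes standing in for a released package tarball.
ORIGINAL_ARTIFACT = b"acme/http-client 2.1.0: reviewed release contents"
# Same name and version, different bytes: what a hijacked or re-pointed
# upstream repo could serve for the "same" release.
TAMPERED_ARTIFACT = b"acme/http-client 2.1.0: contents replaced upstream"


def artifact_id(data: bytes) -> str:
    """The unique identity of a package is the digest of its bytes."""
    return hashlib.sha256(data).hexdigest()


LOCKFILE["acme/http-client"]["sha256"] = artifact_id(ORIGINAL_ARTIFACT)


class ImmutableCache:
    """Content-addressed store: artifacts are keyed by digest and never
    overwritten, so a cached build input cannot silently change."""

    def __init__(self):
        self._store = {}

    def put(self, data: bytes) -> str:
        digest = artifact_id(data)
        self._store.setdefault(digest, data)  # first write wins
        return digest

    def get(self, digest: str):
        return self._store.get(digest)


def resolve(name: str, fetched: bytes, lock: dict, cache: ImmutableCache):
    """Serve the pinned artifact from cache if present; otherwise accept the
    fetched bytes only when their digest matches the lockfile."""
    pinned = lock[name]["sha256"]
    if cache.get(pinned) is not None:
        return True, "served from local immutable cache"
    if artifact_id(fetched) != pinned:
        return False, "digest mismatch: upstream content differs from the pinned release"
    cache.put(fetched)
    return True, "verified against lockfile and cached"


def demo() -> dict:
    cache = ImmutableCache()
    return {
        "first_fetch": resolve("acme/http-client", ORIGINAL_ARTIFACT, LOCKFILE, cache)[1],
        # Upstream later changes, but the build keeps using the cached digest.
        "cache_hit": resolve("acme/http-client", TAMPERED_ARTIFACT, LOCKFILE, cache)[1],
        # A fresh environment with no cache rejects the changed bytes outright.
        "tampered_fresh": resolve("acme/http-client", TAMPERED_ARTIFACT, LOCKFILE, ImmutableCache())[1],
    }
```

The gatekeeping step the commentary asks for is the moment `LOCKFILE` is updated: that is where a human or signing policy decides which digest becomes the pinned release.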
- 9. How to operationalize SBOMs for incident response
- 10. The Ethics of Selling Hacker Tools
"The sale of hacking tools also raises several legal issues. While the NSO Group argued that it only sells its products to legitimate governments, the definition of "legitimate" is subjective and may vary depending on the country or organization." - Laws should dictate who you sell weapons to; in fact, there are some US laws that cover this. However, if your policy is to sell to "legit" folks, who defines that term? Also, who is responsible? Again, I go back to my hammer analogy: it can be used to build houses or beat people to death, so should we get the ban hammer out to ban the hammers? Probably not. It's what you do with a tool, not the tool itself, that should be restricted, regulated and monitored. This is a slippery slope as we get into things such as weapons, especially "cyber" weapons.
- 11. First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters
- 13. Zero Day Initiative — TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal
" the bug was also used by the Tenable team in their unsuccessful Pwn2Own attempt against the device. They, too, disclosed the bug to TP-Link, but their public report did not show that the bug could be exploited on the WAN interface. TP-Link released a firmware update in March that “Fixed some security issues” – including this and other CVEs. It was after this fix was made public that exploit attempts using this CVE were detected in the wild." - I hate it when we get confused, or there is hand waving, about the exploit path. WAN or LAN? Big difference. I also hate it when vendors fix stuff, but don't tell us exactly what they've fixed, like a CVE for a remotely exploitable bug. I also hate it, or love it, when developers use "popen" and don't sanitize the input.
- 14. New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP)
"SLP was not intended to be made available to the public Internet. According to RFC 2165, "Service Location provides a dynamic configuration mechanism for applications in local area networks. It is not a global resolution system for the entire Internet; rather, it is intended to serve enterprise networks with shared services." However, the protocol has been found in a variety of instances connected to the Internet. A recent internet-wide scan revealed more than 54,000 SLP-speaking instances online, belonging to organizations across many sectors and geographies." - Oops. If you design something like this, it will end up on the Internet.
- 1. Chrome to drop lock icon showing HTTPS status
- 2. Pornhub, the largest porn site in the U.S., blocks Utahns ahead of new age verification law
- 3. Man Inserts magnets in Fingertips to Cheat at Dice Game
- 4. T-Mobile discloses 2nd data breach of 2023, this one leaking account PINs and more
- 5. A GNU Radio DCF77 Time Signal Decoder
- 6. Smartphones With Popular Qualcomm Chip Secretly Share Private Information With US Chip-Maker
- 7. The Untold Story of the Boldest Supply-Chain Hack Ever
- 8. Game of Protocols: How To Pick a Network Protocol for Your IoT Project – Part 1 – RTInsights
- 9. Google Ads Abused to Lure Corporate Workers to LOBSHOT Backdoor
- 10. Exploitation of 5-Year-Old TBK DVR Vulnerability Spikes
- 1. A team of US scientists is turning dead birds into drones to study flight techniques that may help the aviation industry
The birds aren't real, but their bodies are.
A research team in New Mexico is converting taxidermic birds into drones in order to study flight patterns, Reuters reported.
From Popular Mechanics article https://www.popularmechanics.com/technology/robots/a42940200/scientists-turning-dead-birds-into-drones/: While a realistic bird drone could be great for keeping an eye on reclusive wildlife, it could also turn its gaze on humans as a spy tool. The CIA designed a nuclear-powered bird drone during the Cold War to spy on the Soviet Union and a real-life bird drone could fulfill a similar function.
- 2. List of Equipment and Services Covered By Section 2 of The Secure Networks Act
Section 1.50002 of the Commission’s rules directs the Public Safety and Homeland Security Bureau to publish a list of communications equipment and services (Covered List) that are deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons, based exclusively on any of four sources for such a determination and that such equipment or services possess certain capabilities as enumerated in section 2(a) of the Secure and Trusted Communications Networks Act of 2019, Pub. L. No. 116-124, 133 Stat. 158 (2020) (codified as amended at 47 U.S.C. §§ 1601–1609).
Some expected: ZTE devices, Huawei devices, China Telecom
From covered list: Information security products, solutions, and services supplied, directly or indirectly, by AO Kaspersky Lab or any of its predecessors, successors, parents, subsidiaries, or affiliates. Date of inclusion 3.25.22
In practice, is this widely known? Rated as Never Use by FCC? Is this used in assessments in general practice?
- 1. ‘The Godfather of A.I.’ Leaves Google and Warns of Danger Ahead
Geoffrey Hinton was an artificial intelligence pioneer. Last year, as Google and OpenAI built systems using much larger amounts of data, his view changed. He still believed the systems were inferior to the human brain in some ways but he thought they were eclipsing human intelligence in others. “Maybe what is going on in these systems,” he said, “is actually a lot better than what is going on in the brain.” His immediate concern is that the internet will be flooded with false photos, videos and text, and the average person will “not be able to know what is true anymore.” He is also worried that A.I. technologies will in time upend the job market. And he fears a day when truly autonomous weapons — those killer robots — become reality.
- 2. Palantir Demos AI to Fight Wars But Says It Will Be Totally Ethical Don’t Worry About It
Palantir, the company of billionaire Peter Thiel, is launching Palantir Artificial Intelligence Platform (AIP), software meant to run large language models like GPT-4 and alternatives on private networks. In a demonstration video, the operator uses a ChatGPT-style chatbot to order drone reconnaissance, generate several plans of attack, and organize the jamming of enemy communications. The operator uses AIP to generate three possible courses of action to target enemy equipment. The options include attacking the tank with an F-16, long range artillery, or Javelin missiles.
- 3. A decoder that uses brain scans to know what you mean — mostly
Scientists have found a way to decode a stream of words in the brain using MRI scans and artificial intelligence. The system reconstructs the gist of what a person hears or imagines, rather than trying to replicate each word. This technology can't read minds, though. It only works when a participant is actively cooperating with scientists.
- 4. The Untold Story of the Boldest Supply-Chain Hack Ever
Behind the scenes of the SolarWinds investigation. In 2019, Volexity performed IR on a SolarWinds server. The attackers kept returning through June 2020, despite it having no vulnerability they could identify. It wasn't identified until November 2020, when Mandiant found that they had been hacked, owned for up to eight months. SolarWinds said they were publishing everything it could about the incident, but both it and Mandiant withheld some answers on the advice of legal counsel or per government request--Mandiant more so than SolarWinds.
- 5. Missouri trans ‘snitch form’ down after people spammed it with the ‘Bee Movie’ script
The Missouri Attorney General’s office launched an online form for “Transgender Center Concerns” in late March, inviting those who’ve witnessed “troubling practices” at clinics that provide gender-affirming care to submit tips. But after days of TikTok and Twitter users spamming the site with gibberish, the tip line has been removed from the Missouri government site entirely.
- 6. Microsoft makes its AI-powered Designer tool available in preview
Designer is a web app that can generate designs for presentations, posters, and more to share on social media and other channels. It leverages user-created content and DALL-E 2, OpenAI’s text-to-image AI.
- 7. Biden Administration to Investigate Worker Surveillance Software
Is your employer monitoring your mouse clicks, keystrokes, or webcam? What about your location or pace of work? If so, the White House wants to hear from you.
- 8. Microsoft is busy rewriting core Windows code in memory-safe Rust
Microsoft showed interest in Rust several years ago as a way to catch and squash memory safety bugs, which were at the heart of about 70 percent of the CVE-listed security vulnerabilities patched by the Windows maker in its own products since 2006. You will actually have Windows booting with Rust in the kernel in probably the next several weeks or months. The basic goal here was to convert some of these internal C++ data types into their Rust equivalents.
- 9. Apple and Google lead initiative for an industry specification to address unwanted tracking
Location-tracking devices help users find personal items like their keys, purse, luggage, and more through crowdsourced finding networks. However, they can also be misused for unwanted tracking of individuals. Today Apple and Google jointly submitted a proposed industry specification to help combat the misuse of Bluetooth location-tracking devices for unwanted tracking. There are no technical details in this article--for those, see the next article.
- 10. Detecting Unwanted Location Trackers
This document lists a set of best practices and protocols for accessory manufacturers whose products have built-in location-tracking capabilities. The devices should only emit location information when not near the owner. They should also provide a way for a user to physically locate unknown accessories traveling with them, such as emitting sounds when moved.
- 11. New York Police Department asks car owners to place an AirTag in their cars
The 21st century calls for 21st century policing. AirTags in your car will help us recover your vehicle if it’s stolen. We’ll use our drones, our StarChase technology & good old fashion police work to safely recover your stolen car. Help us help you, get an AirTag.
- 12. About Rapid Security Responses for iOS, iPadOS, and macOS
Rapid Security Responses are a new type of software release for iPhone, iPad, and Mac. They deliver important security improvements between software updates — for example, improvements to the Safari web browser, the WebKit framework stack, or other critical system libraries. New Rapid Security Responses are delivered only for the latest version of iOS, iPadOS and macOS — beginning with iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1.
- 13. Fakespot Joins Mozilla, Enhancing Trustworthy Shopping on Firefox
Fakespot uses a machine learning (ML) system to detect patterns and similarities between reviews in order to flag those that are most likely to be deceptive. Using Fakespot, a buyer is able to quickly see where deceptive reviews may be artificially inflating a product’s ranking in search engines. Fakespot will continue to work across all major web browsers and mobile devices, and the Mozilla team will be investing in continuing to enhance the Fakespot experience for its many, dedicated users. There will also be future Fakespot integrations that are unique to Firefox.
- 14. Why it’s time to ditch your one password for passphrases
The Australian Cyber Security Centre is recommending that users and companies move away from passwords and start using passphrases. Passphrases use 4 or more random words, with the strongest passphrases being more than 14 characters. This makes them harder for cybercriminals to hack, but easy for you to remember.
- 15. A list of public attacks on BitLocker
Three hardware and four software attacks are described, all rather esoteric and limited. Strangely, the Stanford Cold Boot attack and dissolving the TPM with chemicals did not make the list. I added links to them following this article.
- 16. New Kids On The Block: Understanding Cold Boot Attacks (from 2011)
Cold Boot attacks can steal encryption keys from nearly any laptop, by cooling the RAM, removing it, and reading it on a different system. This attack requires physical access, and generally requires the target machine to be in a suspended state, not powered off. The risk is low for most users.
- 17. Supergeek pulls off ‘near impossible’ crypto chip hack (from 2010)
Christopher Tarnovsky soaked TPM chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle. The Trusted Computing Group, which sets standards on TPM chips, called the attack "exceedingly difficult to replicate in a real-world environment."