Managing Bug Bounty Programs At Scale – Dr. Jared DeMott – PSW #796
Jared has a long, and outstanding, history in cybersecurity. Today, he works for Microsoft helping them run and respond to bug bounty reports. The scale is massive and I think we can all learn a thing or two about vulnerability management and bug bounties!
Segment Resources:
https://www.microsoft.com/en-us/msrc/bounty?rtc=1 https://www.microsoft.com/en-us/msrc https://msrc.microsoft.com/report/vulnerability/new https://www.microsoft.com/en-us/msrc/bounty https://msrc.microsoft.com/blog/ https://jobs.careers.microsoft.com/global/en/search?q=msrc&l=en_us&pg=1&pgSz=20&o=Relevance&flt=true https://www.microsoft.com/bluehat/
Background: I cut my cyber teeth at the NSA, gaining important vulnerability research skills. I then shared my AppSec knowledge by teaching at various conferences and universities. I was a leader in successful malware, monitoring, and pentest startups.
Industry Passion: I manage a team in Microsoft, protecting products and customers by turning bug bounty reports into fixes for cloud services. I love the field and I’m thankful for the opportunities to make the world a little safer.
Personal Passion: Outside of work, you might find me doing all kinds of random and fun things with my family — traveling, swimming, biking, you name it.
Program Improvements: I bring an entrepreneurial spirit to build fun and inclusive teams that achieve outsized impacts.
Security Weekly listeners: Now is your chance to join the infosec community as they come together at InfoSec World 2023, September 23 – 28, 2023 at Disney's Coronado Spring Resort in Lake Buena Vista, FL. Hear keynotes from Scott Shapiro, Founding Director at Yale CyberSecurity Lab’s and Rachel Wilson, Managing Director and Head of Cybersecurity at Morgan Stanley.
As a Security Weekly community member, you’re able to receive 20% off your InfoSec World 2023 tickets using code ISW23-SECWEEK20! Register today: securityweekly.com/infosecworld2023
Lora Projects, WinRAR, Kali Mobile, Benchmarks Vs. IRL, & VPN HYPE! – PSW #796
In the Security News: Lora projects are popular, simple checksums are not enough, WinRAR: shareware or native OS?, ATM software is vulnerable, attackers could learn from security researchers (but lets hope they don’t), NoFilter and behavior by design, Apple vs. A security researcher: there are no winners, sneaky npm packages, faster Nmap scans, kali on more phones, more LOl drivers, comparing security benchmarks to the real world, tunnelcrack and why VPNs are over-hyped, Ubuntu has lost its mind, and there’s a Python in the sheets! All that and more on this episode of Paul’s Security Weekly!
Join us at an upcoming Official Cyber Security Summit in a city near you! This series of one-day, invitation-only, executive level conferences are designed to educate senior cyber professionals on the latest threat landscape. We are pleased to offer our listeners $100 off admission when you use code SecWeek23 to register. Visit securityweekly.com/cybersecuritysummit to learn more and register today!
Paul Asadoorian
- Speeding up nmap service scanning 16x
Basically comes down to this: "Instead of editing every NSE file to implicitly set a low timeout or nselib/comm.lua, we can edit the l_set_timeout function in nse_nsock.cc to set a maximum of a 500ms timeout." - Your welcome (And thank you to Joshua Rogers for this great post)
- Critical Security Flaws Affect Ivanti Avalanche, Threatening 30,000 Organizations
This is something you need to patch ASAP.
- Nearly 2,000 Citrix NetScaler Instances Hacked via Critical Vulnerability
"An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing webshells on vulnerable NetScalers to gain persistent access. The adversary can execute arbitrary commands with this webshell, even when a NetScaler is patched and/or rebooted. At the time of writing, more than 1900 NetScalers remain backdoored." I think they stole this from our playbook: https://eclypsium.com/research/pwned-balancers-commandeering-f5-and-citrix-for-persistent-access-c2/ - Nate's research shows how you can hide in backup files for the devices and persist upgrades.
- Exploits Explained: Finding Flaws in an ATM Software Tool
"ScrutisWeb is accessible from any browser and helps organizations worldwide monitor ATMs and reduce response time if there are problems, according to its developer, Iagona. ATM fleets can include sensitive equipment like check deposit machines as well as payment terminals in a restaurant chain." - Turns out the server responsible for management implements a web site that is full of easily exploitable holes. They've all been fixed, but concerning that such easily exploitable features existed in the first place.
- #NoFilter – Abusing Windows Filtering Platform for Privilege Escalation
It is touted as the latest privilege escalation in Windows. Also of note: "This research was reported to Microsoft Security Response Center. According to Microsoft this behavior is by design." Github: https://github.com/deepinstinct/NoFilter
- Over a Dozen Malicious npm Packages Target Roblox Game Developers
Sneaky: "The only difference between a legitimate package and a malicious one was that a malicious payload was put inside a separate file, postinstall.js, that is called after installation of the main npm package is complete. This was a clever move on the malicious actors' part. That's because the original noblox.js package also contains a postinstall.js script that displays a thank-you and some useful information to the users who installed it."
- WinRAR vuln could allow code to run when files are opened
"Microsoft announced back in May that it was adding support for RAR files into Windows, along with support for other archive formats, including tar, 7-zip, gz and others, thanks to the addition of the libarchive open-source library, but presumably only for Windows 11. Redmond has had native support for zip files since the last century, when Windows 98 debuted." - Are we better off, security-wise, having this natively in the OS or relying on a 3rd party vendor to supply secure software?
- Fedora 37: linux-firmware 2023-eabbf4ca4d
This is a reminder for me to note that if you are staying up-to-date with Linux you likely got a patch for Zenbleed. I tested this and Zenbleed no longer works on my system.
- Kali Linux 2023.3 released with 9 new tools, internal changes
New updates are neat, and I have on my list to get Kali Nethunter on one of my Pixel devices I have laying around. This is not new, however, there are some new models supported with the latest update.
- Windows Driver Exploit Development — irec.sys
Interesting LOLDriver: "If this driver is truly an integral part of this product, we’re going to have a really powerful tool for Bring Your Own Vulnerable Driver attacks. While the driver is in the LOLDrivers project, it is not in the Microsoft driver blocklist (at the time of writing)."
- macOS 0day: App Management
Dropping 0-day: "Today I will discuss the details of the bypass, not because it's been fixed in macOS—in fact it hasn't been fixed yet—but rather because I've lost all confidence in Apple to address the issue in a timely manner. In other words, I'm dropping a 0day. We're at ten months and counting, with no end in sight, and I feel that's absurd. It should be noted that by disclosing the issue publicly, I'm sacrificing the opportunity to receive an Apple Security Bounty."
- Smart Bulbs can be Hacked to Steal Wi-Fi Passwords
Interesting, but maybe not as earth-shattering as described in the cybersecurity news: "Using the acquired credentials, the attacker can launch a man-in-the-middle attack to intercept the session keys during bulb setup and escalate the malicious potential with exposed Wi-Fi credentials."
- Carderbee Hacking Group Uses Legitimate Software in Supply Chain Attack
- Obfuscating Shellcode Using Jargon
- NVD – CVE-2023-39950
- StarkeBlog – CVE Wednesday – CVE-2021-39297
- Windows feature that resets system clocks based on random data is wreaking havoc
- Comparison of security benchmarks
This is a must-read: "I conducted a thorough analysis of some of the prominent security benchmarks/guidelines for my GitHub repository and I discovered some fascinating insights. By analysis, I mean that I examined every single recommendation in them and compared them with my own suggestions and Microsoft Security Baselines. The majority of the recommendations in the security benchmarks align with the Microsoft Security Baselines, which are a set of best practices for securing various products and services. Only a small fraction of the recommendations deviate from the baselines, and they are either additional enhancements (rarely), redundant suggestions or erroneous advice that undermine security!"
- AudioCodes VoIP Phones Insufficient Firmware Validation
Complete takeover of VoIP devices, complete with backdoored firmware to eavesdrop: "An external attacker who leverages the vulnerabilities discovered in AudioCodes Ltd.’s desk phones and Zoom’s Zero Touch Provisioning feature can gain full remote control of the devices, potentially allowing the attacker e.g. to: eavesdrop on rooms or phone calls, pivot through the devices and attack corporate networks, build a bot net of compromised devices In addition, we were able to analyze and reconstruct cryptographic routines of AudioCodes devices, and to decrypt sensitive information such as passwords and configuration files. Due to improper authentication, a remote attacker is able to access such files and data."
Larry Pesce
- (26) Will the European Cyber Resilience Act kill Open Source Software?
- gr-lora_sdr – A GNU Radio SDR implementation of a LoRa transceiver – CNX Software
reverse-engineer the LoRa standard for years with projects such as GR-LoRa
- Ubuntu 23.10’s App Store Will Block DEB Files When a Snap Is Available
- TP-Link smart bulbs can let hackers steal your WiFi password
- Introducing Python in Excel: The Best of Both Worlds for Data Analysis and Visualization
- This $70 device can spoof an Apple device and trick you into sharing your password
This is a carry over from last week. I'm hoping some discussion can help lure more info about it into the wild.
- TunnelCrack: Widespread design flaws in VPN clients
Another carry over from last week, that deserves some lip service, especially when we consider the implications to WiFi network security.
Lee Neely
- CISA adds Citrix ShareFile flaw to the KEV catalog
Tracked as CVE-2023-24489, the critical Citrix vulnerability has a 9.8 CVSS score and, if exploited, could let an unauthenticated attacker remotely compromise the customer-managed ShareFile storage zones controller. ShareFile told SC Media that the fix for the CVE was released one month prior to public disclosure and that ShareFile worked with its customers to get them upgraded during that month.
- Bringing Safety check to the chrome://extensions page – Chrome Developers
Starting in Chrome 117, Chrome will proactively highlight to users when an extension they have installed is no longer in the Chrome Web Store. This is limited to three specific cases:
- The extension has been unpublished by the developer.
- The extension has been taken down for violating Chrome Web Store policy.
- The item was marked as malware.
Under Settings, Privacy & Security
- Cyber Incident Notification Requirements
Beginning on September 1, 2023, all federally insured credit unions must notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.
- RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the processing of recovery volumes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. RARLAB has issued an update to correct this vulnerability. More details can be found at: https://www.win-rar.com/singlenewsview.html?&L=0&txttnews%5Bttnews%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa
- Hotmail email delivery fails after Microsoft misconfigures DNS
A misconfigured Hotmail DNS Sender Policy Framework (SPF) record prevented recipient services from determining that the messages came from a trusted source. Hotmail users noticed last Thursday evening that messages were being returned with errors related to SPF. Now that we've implemented SPF, DKIM and DMARC, it's important to keep those updated and configured properly so legitimate email flows, as well as bogus messages are rejected.
- LinkedIn Accounts Under Attack
LinkedIn users are reporting account takeovers. In some cases, the hackers are demanding payment to return control of the accounts and threatening to permanently delete them if payment is not made. Researchers from Cyberint say that the attacks are affecting people around the world and that analysis of Google Trends data indicates “a significant surge [in account takeovers] in the past 90 days.”
Enable 2FA on your LinkedIn account, use strong password, eliminate old email/phone numbers for validation.
- Almost 2,000 Citrix NetScaler servers backdoored in hacking campaign
A threat actor has compromised close to 2,000 thousand Citrix NetScaler servers in a massive campaign exploiting the critical-severity remote code execution tracked as CVE-2023-3519.
More than 1,200 servers were backdoored before administrators installed the patch for the vulnerability and continue to be compromised because they have not been checked for signs of successful exploitation, the researchers say.
