Digging Into Supply Chain Security – James McMurry – PSW #824
Full Audio
View Show IndexSegments
1. Digging Into Supply Chain Security – James McMurry – PSW #824
Jim joins the Security Weekly crew to discuss all things supply chain! Given the recent events with XZ we still have many topics to explore, especially when it comes to practical advice surrounding supply chain threats.
Announcements
On the evening of Monday, May 6, 2024, W2 Communications and CyberRisk Alliance are bringing CYBERTACOS back to San Francisco! If eating FREE tacos, sipping on margaritas and mingling with cyber professionals from all over the world sounds good to you, make sure to register to secure your spot! Visit securityweekly.com/cybertacos to RSVP today!
We’d like to invite our listeners to be part of our prestigious 2024 SC Awards! Entries are officially open.
The SC Awards continue to serve as a beacon of excellence, recognizing the industry’s best solutions, organizations, and people that are advancing information security. This year, there are 34 categories, many updated to reflect trends in artificial intelligence, cloud security and continuous threat exposure management. This is your chance to shine among the brightest in the cybersecurity world.
Take advantage of the early bird rate by April 12! Visit securityweekly.com/scawards to submit your entries by May 31st!
Guest
James McMurry is a leader and innovator in the cybersecurity industry, recognized for founding ThreatHunter.ai, a forefront company in developing advanced AI and machine learning-based solutions for threat detection and response. His leadership has propelled ThreatHunter.ai to notable success, emphasizing not just technological innovation but also a keen focus on cybersecurity’s evolving challenges. McMurry’s establishment of VETCON highlights his dedication to the veteran community, creating a platform for veterans in cybersecurity to connect, support, and learn from each other. This initiative, alongside his ongoing support for active-duty service members, particularly those from his alma mater, the U.S. Coast Guard, illustrates his deep commitment to giving back to the military community. McMurry’s contributions to both cybersecurity and veteran support reflect his broad impact, blending professional excellence with a heartfelt commitment to service.
Hosts
2. Why Is Your TV & NAS On The Internet? – PSW #824
Ahoi new VM attacks ahead! HTTP/2 floods, USB Hid and run, forwarded email tricks, attackers be scanning, a bunch of nerds write software and give it away for free, your TV is on the Internet, Rust library issue, D-Link strikes again, EV charging station vulnerabilities, and rendering all cybersecurity useless.
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
Google has announced that they will be shutting down the Google Podcasts platform in mid-2024. To ensure that you don't lose access to the Security Weekly content you know and love, please make sure that you subscribe to your favorite podcasts feeds on an alternative platform such as Spotify, YouTube Music, Amazon Music, Apple Podcasts, Overcast, Podcast Addict, PocketCasts, or anywhere else you listen to podcasts! Visit securityweekly.com/subscribe to find the buttons to subscribe to each show now!
Guest
James McMurry is a leader and innovator in the cybersecurity industry, recognized for founding ThreatHunter.ai, a forefront company in developing advanced AI and machine learning-based solutions for threat detection and response. His leadership has propelled ThreatHunter.ai to notable success, emphasizing not just technological innovation but also a keen focus on cybersecurity’s evolving challenges. McMurry’s establishment of VETCON highlights his dedication to the veteran community, creating a platform for veterans in cybersecurity to connect, support, and learn from each other. This initiative, alongside his ongoing support for active-duty service members, particularly those from his alma mater, the U.S. Coast Guard, illustrates his deep commitment to giving back to the military community. McMurry’s contributions to both cybersecurity and veteran support reflect his broad impact, blending professional excellence with a heartfelt commitment to service.
Hosts
- 1. Command Injection and Backdoor Account in D-Link NAS Devices
This reminds me of Joel's backdoor. Joel's backdoor and this recent vulnerability seem to share the same design mistake, at least that's my guess. Judging by the username "messagebus" it would seem that backend processes need to access the web interface or API, therefore the developers just build in a backdoor, complete with the ability to run commands. I'm not even sure how to fix this ongoing problem, lessons are not learned and vendors just keep cranking out firmware that is vulnerable to the same things. We are losing the battle.
- 2. EV Charging Stations Still Riddled With Cybersecurity Vulnerabilities
EV charging stations represent even more vulnerable devices (IoT?) that contain vulnerabilities. The attack surface, and impact, is interesting: "Charging stations face significant cybersecurity risks. "Issues include unprotected Internet connectivity, insufficient authentication and encryption, absence of network segmentation, unmanaged energy assets, and more," wrote researchers from Check Point Software and SaiFlow, the latter a cybersecurity specialist in distributed energy solutions. Compromised stations could damage the power grid, for example, or result in stolen customer data. “Chargers have personal and payment information and run a variety of protocols that aren't typically recognized by traditional firewalls," says Check Point Software's Aaron Rose, who works in the office of the CTO." - Despite all of the issues and MANY myths, charging stations are becoming critical infrastructure and should be treated as such, with minimum standards for security and integrity.
- 3. Vulnerabilities Identified in LG WebOS
The authentication bypass is interesting: "We can request the creation of an account with no permissions, which will be automatically granted. Then we request another account with elevated permissions, but we specify the companion-client-key variable to match the key we got when we created the first account. The server will confirm that this key exists but will not verify if it belongs to the correct account. Thus, the skipPrompt variable will be true and the account will be created without requesting a PIN confirmation on the TV." And then two command injection vulnerabilities (authenticated) are present as well. Why are there so many of these TVs exposed to the Internet? Also, now I want to look at the firmware, some quick poking around, I found this: https://github.com/openlgtv/epk2extract - Adding to my long list of projects!
- 4. Security advisory for the standard library (CVE-2024-24576)
Let's move to Rust! Except, like all software, it has flaws too: "The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping." - While this has been fixed, applications could still be vulnerable if not updated. More supply chain fun!
- 5. Thousands of LG TVs exposed to the world. Here’s how to ensure yours isn’t one.
Also, I really want a dumb TV. The problem is TV manufacturers make money on advertising and including apps such as YouTube and Netflix on the TVs OS. This means smart TVs are cheaper, as they are taking a loss on the hardware and making it back in other ways. This article has more details and links to purchase dumb TVs: https://www.tomsguide.com/features/dumb-tvs-heres-why-you-cant-find-them-anymore
- 6. How I discovered a 9.8 critical security vulnerability in ZeroMQ with mostly pure luck and my two cents about xz backdoor
Great article, and I love this quote: "Do you mean a bunch of nerds who don’t really know each other in real life but work like clocks to build the most sophisticated software in the world through the internet and make it free for people to use?"
- 7. It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise
I am failing to see how this is new: "Typically, once a device gets compromised by malware, this malware beacons to attacker-controlled C2 domains for instructions. Threat actors can instruct the malware to perform scanning attacks. Then, the malware on the compromised device initiates scanning requests to various target domains." - This is something we can easily detect. Have we lost site of basic network monitoring that can detect activity such as port scanning and vulnerability scanning? I used to detect this behavior all the time when monitoring the network, in fact, I remember one case where a host was compromised and port scanning. My detections at the time flagged this behavior right away. Why? Because it's not "normal". You can monitor host logs and network traffic and pickup on this pretty easily. Are attackers doing more of it now because we've slacked on monitoring network traffic?
- 8. What are the top Active Directory Security vulnerabilities I care about? – PwnDefend
- 9. Kobold letters – Lutra Security
Interesting scenario: "The email your manager received and forwarded to you was something completely innocent, such as a potential customer asking a few questions. All that email was supposed to achieve was being forwarded to you. However, the moment the email appeared in your inbox, it changed. The innocent pretext disappeared and the real phishing email became visible. A phishing email you had to trust because you knew the sender and they even confirmed that they had forwarded it to you." Made possible because an attacker can control the CSS in HTML emails, meaning, the forwarded message will display something different than the original email. Neat trick!
- 10. Confidential VMs Hacked via New Ahoi Attacks
- 11. Company Offering $30 Million for Android, iOS, Browser Zero-Day Exploits
- 12. +92,000 Internet-facing D-Link NAS devices can be easily hacked
- 13. U.S. Department of Health warns of attacks against IT help desks
- 14. umair9747/Genzai: The IoT security toolkit to help identify IoT related dashboards and scan them for default passwords and vulnerabilities.
Interesting project, I did a similar one. I still believe that looking for default creds is something that is not done thoroughly enough in most organizations.
- 15. piraija/usb-hid-and-run
This is pretty hot: "In early 2023 an awesome colleague (Andreas) spoke about an incident response case featuring thugs plugging a media keyboard into an ATM, and breaking out of its ATM kiosk software to install malware causing it to dispense $$$. This prompted me to spend some time during spring and summer of 2023 looking into Consumer Control, a subset of USB functionality, which is what allows media keyboards to launch and control various applications over USB with the press of single buttons; so called Consumer Control Buttons (CCBs)."
- 16. Hackers Claiming of Working Windows 0-Day LPE Exploit
- 17. CERT/CC Vulnerability Note VU#421644
- 1. Cryptographers Who Solved Zodiac Killer Cipher Publish Paper About How They Did It
Worth a read if you are interested in cryptography and how cryptanalysis is actually done.
- 2. NSA “Red Team” Hacker | Jeff Man | Ep. 269 – The Team House Podcast
I met one of the hosts of "The Team House", David Parke, at Shmoocon earlier this year. After chatting a bit he invited me to be interviewed on his podcast at some point in the future. That happened last week, and this is the result.
(I took the lead from Paul and spoke for over 3 hours!)
- 3. Home Depot confirms data breach via third-party vendor
It's like déjà vu all over again!
But not really. Technically this was not a breach but an invadvertent disclosure attributed to a third party SaaS provider.
If you recall, Home Depot suffered a payment card breach ten years ago that was caused by a breach of a third-party HVAC provider. Which only makes this recent breach that much more embarassing.
- 4. Omni Hotels confirms cyberattack behind ongoing IT outage
Speaking of déjà vu, Omni Hotels suffered an outage this past week that they attributed to a cyberattack (reportedly a ransomware attack) that impacted operations including credit card payments. Omni also was victim to an attack in 2016 that targeted Point-of-Sale (POS) systems.
- 5. Panera Bread week-long IT outage caused by ransomware attack
Panera Bread's recent week-long outage was caused by a ransomware attack, according to people familiar with the matter.
- 6. AT&T Data Leak: 73 Million Account Passcodes From Prior to 2020 Exposed, Including 7 Million Current Account Holders
Not a new breach disclosure, but rather a report on how 7 million current customers are still impacted - I'm guessing because they never changed their passwors/authentication data.
- 7. Hundreds of people bypassed parts of airport security in last year
Reading this article a week after having my toothpasted confiscated (ironically at TF Green Airport in Providence) I'm even more flummoxed by airport security. PRV has the newer baggage check machines that take about 250 times longer to get your bags through and a really cool automated system that moves questionable bags to a separate queue for inspection. This is what happened to me, and after about 8 minutes of waiting for someone to inpsect my bag they finally took a very detailed look and ulitmately held up my toothpast and said "this is too big!" All I could think at the time was, "thank you for making air travel more secure". Of course, I could have successfully carried on 10 tubes of regulation sized toothpaste that easily exceed the volume of my offending tube, but that wasn't the point. The machine worked and the TSA agents did their job! Of course, I'd been carrying the same tube of toothpaste on probably a dozen other flights over the previous six months...I'll stop now.
- 8. US government blames 2023 Exchange breach on ‘preventable’ security failures by Microsoft
Aren't all security failures preventable????
- 1. I HACKED A CAR IN JAVASCRIPT!!! ????????
- 2. A Fun Exploit For Canon Printers Brings GDB Gifts
- 3. USB HID And Run Exposes Yet Another BadUSB Surface
- 4. netsecfish/dlink
- 5. IRC Client On Bare Metal
- 6. Notepad++ wants your help in “parasite website” shutdown
- 7. X automatically changed ‘Twitter’ to ‘X’ in users’ posts, breaking legit URLs
- 8. Thousands of LG TVs are vulnerable to takeover—here’s how to ensure yours isn’t one
- 1. Former Hospital Administrator Pleads Guilty in Identity Theft Scheme That Spanned Three Decades
The offender and his identity theft victim worked together at a hotdog cart in Albuquerque, New Mexico, in the late 1980s. He assumed the victim’s identity and, for the next three decades, used that identity in every aspect of his life.
- 2. The great rewiring: is social media really behind an epidemic of teenage mental illness?
Jonathan Haidt is telling a scary story about children’s development: that children are being harmed by smartphones and social media. The evidence is unconvincing. This reviewer recommends hiring more school psychologists to help troubled children rather than seeking a single magic-pill solution like age-gating social media.
- 3. Amazon just walked out on its self-checkout technology
Amazon is removing Just Walk Out tech from all of its Fresh grocery stores in the US. The system uses a host of cameras, and over 1,000 real people in India scanning the camera feeds to ensure accurate checkouts.
- 4. A Vigilante Hacker Took Down North Korea’s Internet. Now He’s Taking Off His Mask
As “P4x,” Alejandro Caceres single-handedly disrupted the internet of an entire country. Then he tried to show the US military how it can—and should—adopt his methods.
- 5. HTTP/2 CONTINUATION Flood: Technical Details
HTTP/2 accounts for around 60% of all human HTTP traffic. The protocol has a design flaw: a HEADERS frame can be sent without the END_HEADERS bit set, followed by an endless stream of CONTINUATION frames, consuming resources on the server, creating a DoS condition.
- 6. XI’S ENIGMA MACHINE Fears China has created terrifying password-busting quantum supercomputer that renders ALL Western cybersecurity useless
This is total nonsense. The hack of government email on Microsoft servers last year used a stolen signing key, and Microsoft proposed dozens of theories about how it was stolen. Apparently one theory is the China has a super quantum computer and the US Sun ran with that idea as if it were supported by any evidence.
- 7. Change Healthcare faces second ransomware dilemma weeks after ALPHV attack
Change Healthcare is allegedly being extorted by a second ransomware gang, mere weeks after recovering from an ALPHV attack. The details are murky, but it may be the affiliate gang who performed the original attack, but never got paid.
- 8. Confidential VMs Hacked via New Ahoi Attacks
The attack targets hardware-based trusted execution environments, which isolate servers running in the cloud. By using malicious hypervisors and interrupts, the researchers could bypass authentication and gain root access to the targeted Confidential VM. Azure is not affected, but Amazon Linux is.
- 9. Biden administration preparing to prevent Americans from using Russian-made software over national security concern
The Biden administration is preparing to take the unusual step of issuing an order that would prevent US companies and citizens from using Kaspersky software. The move, which is being finalized and could happen as soon as this month, would use relatively new Commerce Department authorities built on executive orders signed by Presidents Joe Biden and Donald Trump to prohibit Kaspersky Lab from providing certain products and services in the US, the sources said.