The Impacts Of Cryptocurrency – Nicholas Weaver – PSW #829
Full Audio
View Show IndexSegments
1. The Impacts Of Cryptocurrency – Nicholas Weaver – PSW #829
Has cryptocurrency done more harm than good? Our guest for this segment has some interesting views on its impacts!
Announcements
Dive into cybersecurity with CyberRisk Alliance for exclusive insights from RSA Conference 2024. Explore executive interviews with industry leaders, uncovering visionary perspectives on threats and strategies. Delve into curated articles on trends and innovations, equipping yourself with essential knowledge for today's cyber landscape. Visit securityweekly.com/RSAC for expert guidance and inspiration in navigating cybersecurity challenges confidently.
Guest
Nick Weaver is a lecturer at UC Davis, a researcher at the International Computer Science Institute, and the Chief Mad Scientist of his one-man drone startup, Skerry Technologies. He likes to think of himself as a “bang on it widda stick” system and security person, taking an interest in everything as long as the systems are digital (no noise), explainable (no AI), and commonly adversarial, because that is where the fun, interesting, and possibly (for him) solvable problems lie.
Hosts
2. Vulnrichment, Hardware Hacking, VPNs – PSW #829
Vulnrichment (I just like saying that word), Trustworthy Computing Memo V2, SSID confusion, the Flipper Zero accessory for Dads, the state of exploitation, Hackbat, Raspberry PI Connect, leaking VPNs, exploiting faster?, a new Outlook 0-Day?, updating Linux, and a 16-year-old vulnerability.
Announcements
Get ready for an electrifying experience at the 15th annual Identiverse! Join 3,000+ identity professionals at the ARIA Resort & Casino in Vegas on May 28-31, 2024, for 4 days packed with dynamic learning & collaboration. Don't miss out on keynote speakers including Denee Defiore, CSIO of United Airlines; Tucker Bryant, Entrepreneur and Former Googler; George Roberts, Director of Identity and Access Engineering at McDonald's and many more!
As a community member, receive 25% off your Identiverse 2024 tickets using code IDV24-SW25!
Register today: securityweekly.com/idv2024
Hosts
- 1. DIY Keyboard Can Handle Up To Three Host Devices
Really neat DIY project, then Tyler told me you can buy keyboards and mice that will pair to up to 3 devices from Logitech. Still a really cool project though!
- 2. Linux Kernel 6.9 Released with Critical Fixes & Upgrades
I've updated my 3 main machines to the latest Manjaro stable, which also makes 6.9 available. There are some performance and security enhancements in the latest kernel, and all seems to be well so far as my machines are now on 6.9. Before you update Manjaro, read the docs! Python has been updated and there are some extra steps involved to keep your AUR packages up-to-date. If you run KDE, make sure you read the forum for user experiences as some people reported losing customizations (so backups are important, e.g. timeshift). I was also able to get my Framework 16 back in operation, repairing the damaged power button (user error) and the heat shrink that was hitting the fan (LOL moment).
- 3. Beware! Threat Actor Selling Outlook RCE 0-Day on Hacking Forums
I have no idea if this is legit or not: "A threat actor has reportedly put up for sale a Remote Code Execution (RCE) 0-day exploit targeting various versions of Microsoft Outlook, with a staggering asking price of $1.8 million."
- 4. SSD Advisory – D-Link DIR-X4860 Security Vulnerabilities
Consumer routers will just become part of botnets forever: "The vendor has been reached out three times in the past 30 days and have not responded to any of our attempts." - Also, there is a PoC here as well.
- 5. 16 years of CVE-2008-0166 – Debian OpenSSL Bug
In May of 2008 there was a bug in Debian's openssl that led to keys being created with predictable not-so-random numbers. Many people created keys using the vulnerable openssl from 2008, and still have not replaced the keys for things like DKIM. This results in the following: " This trivially allowed sending emails with forged DKIM signatures for those hosts and thereby also passing DMARC checks." The author has a tool to check for bad keys. Key issues such as this have a long tail for sure!
- 6. Hackers Exploiting Vulnerabilities 50% Faster, Within 4.76 Days
"A new report from Fortinet found that in the second half of 2023, the average time between a vulnerability being disclosed and actively exploited in the wild shrunk to just 4.76 days – a staggering 43% decrease compared to the first half of the year." - This is a relatively short timeframe to measure this. It could mean so many things, and more likely that in this 6-month timeframe there just happened to be a series of vulnerabilities that were easily exploitable, the exploits were known and published. To more accurately measure this you'd need data from a longer timeframe to prove that vulnerabilities are being exploited more quickly.
- 7. Passwordless Authentication Standard FIDO2 Flaw Let Attackers Launch MITM Attacks
- 8. Side-by-Side with HelloJackHunter: Unveiling the Mysteries of WinSxS
- 9. TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak
Summary: DHCP option 121 can be used to push more specific routes and override the routes for the VPN tunnel, essentially decloaking VPN tunnels. My opinion is the best way to prevent this is to ignore DHCP option 121 (as with Android). Attackers have to be on the same network and set up a malicious DHCP server. Lastly, you can configure namespaces with Wireguard to avoid this vulnerability (Ref: https://www.wireguard.com/netns/#the-new-namespace-solution).
- 10. ax/apk.sh: apk.sh makes reverse engineering Android apps easier, automating some repetitive tasks like pulling, decoding, rebuilding and patching an APK.
- 11. Offensive IoT for Red Team Implants – Part 1 – Black Hills Information Security
Great stuff here, on my project list now!
- 12. Security advisory: QStringConverter
- 13. CISA Announced Vulnrichment : Project to Enrich CVE Records
Great comment: "CISA’s ‘Vulnrichment’ initiative is a pivotal step in the right direction,” said Immanuel Chavoya, CEO of RiskHorizon.ai. “However, true resilience lies in preemptive enrichment of all CVEs before exploitation occurs. Waiting for indicators of exploitation to populate CVEs still introduces delays downstream." - Also, I like the idea of having ONE source for vulnerability tracking, categorizing, and scoring. "Vulnirichment" seems to be yet another data source I have to pull from.
- 14. Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor
- 15. Meet Raspberry Pi Connect, a New Tool to Access Your Raspberry Pi Remotely – 9to5Linux
"Under the hood, the tool uses the WebRTC protocol to establish a secure peer-to-peer connection between the web browser and your Raspberry Pi device. At the moment, the remote service uses a single relay (TURN) server located in the UK, which may lead to high latency." - While I don't believe this will lead to a security disaster, it could provide a more secure remote access method than most RPI users are able/willing to create. Experienced users will opt for SSH/VNC in a secure configuration (although articles do reference some of the challenges with this, specifically Wayland messing things up, and I experienced issued with certain VNC clients and servers not being able to negotiate the security protocols correctly). You do need to create an Raspberry PI ID, and make sure you enable and configure MFA for this account if you plan to use RPI connect.
- 16. The Raspberry Pi RP2040 Hackbat is an open source swiss army knife pen testing tool
This looks like a really cool project, keep in mind it's still 2.4Ghz Wifi only and it looks like you are on your own for the code that actually makes the hardware do useful things (at least a quick look at the Github repo only reveals the schematics to create the hardware platform, not the actual code to make menus and such).
- 17. Multiple vulnerabilities in RIOT OS – hn security
- 18. JTAG Hacking with a Raspberry Pi – Introducing the PiFex
I'm curious how this compares to the Bus Pirate 5... (Other than JTAG support)
- 19. State of Exploitation – A Peek into the Last Decade of Vulnerability Exploitation
This is really interesting: "Expanding our analysis to encompass weaponized vulnerabilities uncovers that between 2014 and 2023, 2% of all disclosed vulnerabilities have been weaponized. Given their heightened risk, weaponized vulnerabilities naturally warrant prioritized attention for remediation, as they possess a high likelihood of being exploited in the wild, if not already. What defines a weaponized vulnerability? It's one that has either been exploited in the wild or has an available exploit capable of delivering a significant payload." - Given this research, are we making a big deal about the increase in the number of vulnerabilities? Can't we just focus on the 2%?
- 20. Tinyproxy HTTP Connection Headers use-after-free vulnerability
- 21. CVE-2024-20356: Jailbreaking a Cisco appliance to run DOOM – LRQA Nettitude Labs
- 22. Breaking down Microsoft’s pivot to placing cybersecurity as a top priority
- 23. Here’s your chance to own a decommissioned US government supercomputer
The current bid is now up to $480,085.00 - What a bargain!
- 24. Flipper Zero Holster Case (silicone sock version) by Brandywine MFG on Tindie
This one should come with cargo shorts, New Balance sneakers, and a Dad joke book. Perfect father's day gift!
- 1. Supercon 2023: Alex Lynd Explores MCUs In Infosec
- 2. ArcaneDoor – New espionage-focused campaign found targeting perimeter network devices
- 3. Millions of IPs remain infected by USB worm years after its creators left it for dead
- 4. Threat actor says he scraped 49M Dell customer addresses before the company found out
- 5. Russia-Linked CopyCop Uses LLMs to Weaponize Influence Content at Scale
- 6. New WiFi Vulnerability: The SSID Confusion Attack
- 7. Apple and Google Launch Cross-Platform Feature to Detect Unwanted Bluetooth Tracking Devices
- 1. Malicious Go Binary Delivered via Steganography in PyPI
Researchers at Phylum have detected a malicious Python package masquerading as a fork of the “requests” package. The package, “requests-darwin-lite,” contained a backdoor hidden in a PNG file. The package was downloaded more than 400 times before it was taken down. his exploit targets Macs. The exploit is a Golang library hidden in a 13Mb logo file (originally 300Kb. All versions of "requests-darwin-lite" were immediately removed after being reported by the Phylum team. If you're using the requests PyPy package, make sure that you don't have copies of the bogus package, irrespective of the platform.
- 2. Europol Investigating Breach After Hacker Offers to Sell Classified Data
Europol is investigating a threat actor’s claims that they stole data from the Europol Platform for Experts (EPE), a collaborative platform for law enforcement for sharing best practices and other information. EPE has been offline since Friday, May 10. A Europol spokesperson has told multiple news sites that they are “aware of the incident and [are] assessing the situation.”
The attacker seems to have accessed a test environment using their Zscalar proxy to access production data. With efforts tied to ZTA such as Zscalar facilitating access to internal systems, it's more important than ever to make sure that you have the same bar on access control, particularly authentication, to your non-production environments. While we could argue that dummy data should be used outside production, there are valid use cases for real data for acceptance testing or other activities, it makes sense to implement the same security on all platforms for such use cases.
- 3. A Global View of the CISA KEV Catalog: Prevalence and Remediation
A report from Bitsight examines the effect the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known exploited Vulnerabilities (KEV) catalog has had on the speed of vulnerability remediation, both at Federal Civilian Executive Branch (FCEB) agencies and at private sector organizations. The report says that KEV-listed vulnerabilities are patched within an average of 175 days (around six months), while vulnerabilities not in the catalog are patched within an average of 621 days (one year, eight months).
While agencies struggle to meet the KEV timelines, on average only 40% are able to do so, the overall health of agency networks is improved as a result of the KEV, which is what is intended. It also provides insight into vulnerabilties being actively exploited, making it a valuable metric when assessing risk/prioritizing updates/fixes. Note that to be listed in the KEV, there has to be a remediation, evidence of exploitation and CVE number. The 175 day average, even caveated that more severe issues are resolved more quickly, still is an opportunity to improve.
- 4. Google Fixes Another Chrome Zero-day
Google has updated their Chrome browser to address a high-severity use-after-free vulnerability. The browser’s Stable channel has been updated to 124.0.6367.201/.202 for Mac and Windows and 124.0.6367.201 for Linux. Google is aware that there is an exploit for the flaw available in the wild. This is the fifth zero-day vulnerability Google has patched in Chrome so far this calendar year.
As my boss Matt would say, "We've seen this movie before." You already have processes to make sure the end-users have the update, and have set limits on how long they can ignore the restart prompt, just verify that it's done, hopefully you don't have to force/kill too many running browsers.
- 5. FBCS Updates Number of Individuals Affected by February Breach
Financial Business and Consumer Solutions (FBCS), a Pennsylvania-based debt collection agency, has updated the breach report they submitted to the Maine Attorney General’s office (AGO). DFBCS has identified an additional 724,000 individuals affected by the breach that occurred earlier this year, bringing the total of affected individuals to 2.68 million. The notification letters FBCS sent to affected people says that the compromised data include Social Security numbers and account information. FBCS informed the Maine AGO that driver’s license and identification card numbers may also have been compromised.
FBCS consinues to notify affected users, even so, don't wait to see if you're in scope. You should already be getting notifications from your credit monitoring/ID protection service about breaches such as this, make sure you're following up to see if you are included. This is an area we all need to be proactive for both ourselves and family members not as well versed in what's at stake.
- 6. Kaspersky identifies significant security risks in widely-used Cinterion modems
Researchers at Kaspersky ICS CERT are warning of multiple vulnerabilities in Telit Cinterion cellular modems. Exploitation of the flaws could lead to information leaks, privilege elevation , sandbox escape, arbitrary code execution, and unauthorized access to files and directories. Kaspersky initially detected the vulnerabilities more than a year ago, notified Cinterion in February 2023, and published advisories in November 2023. IJN this month’s report, Evgeny Goncharov, head of Kaspersky ICS CERT, notes that “since the modems are typically integrated in a matryoshka-style within other solutions, with products from one vendor stacked atop those from another, compiling a list of affected end products is challenging.”
- 1. Why Your VPN May Not Be As Secure As It Claims
A malicious DHCP server can add routes to the routing table that redirect traffic outside the VPN. The targeted user will have no way to detect this attack. It's not a bug, it's DHCP operating as designed. The only mitigations are to use Android, work in a virtual machine, or stay off shared wireless networks.
- 2. Security above all else—expanding Microsoft’s Secure Future Initiative
Microsoft's cloud security has been exposed as inadequate by recent hacks, so they are making a big push to improve security. This move is intended to reassure government and other customers, and it looks pretty good, although it's just general principles at this point.
- 3. Read Satya Nadella’s Microsoft memo on putting security first
This is the new version of Bill Gates' 2002 Trustworthy Computing memo, which really did lead to a major improvement in Microsoft's security.
- 4. Announcing Zero Trust DNS Private Preview
WIndows 11 machines with this feature activated will be forced to use only a "Protective DNS" server which will limit resolutions to only an allow-list of sites. The feature is in development and not publicly available yet.
- 5. Qualcomm’s Snapdragon X chips in Dell XPS 13 Plus laptops will nearly double battery life over Intel, cost half as much
Windows 11 laptops with ARM processors! This should be great, like the Apple ARM laptops.
- 6. Microsoft Zscaler
Zscaler seems to be a viable commercial zero-trust solution. Instead of connecting nearby devices to a switch or router, every device connects only to a central cloud service. Each device is individually evaluated and granted access only to resources matching the security policy. I don't have experience using this, but perhaps other hosts do.
- 7. CISA Announces CVE Enrichment Project ‘Vulnrichment’
Its goal is the enrichment of public CVE records with Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), Common Weakness Enumeration (CWE), and Known Exploited Vulnerabilities (KEV) data. CISA says it has already enriched 1,300 CVEs — particularly new and recent CVEs — and is asking all CVE numbering authorities (CNAs) to provide complete information when submitting vulnerability information to CVE.org.
- 8. The Dangerous Rise of GPS Attacks
Thousands of planes and ships are facing GPS jamming and spoofing. Experts warn these attacks could potentially impact critical infrastructure, communication networks, and more. It mainly affects areas near Russia now, but there's no reason to expect it to stay contained. Aircraft navigation systems using atom interferometry are being developed, which work without GPS, but they are not yet commercially available.