Software Flea Market – PSW #725
1. Cracks in the Castle – Jimmy Sanders – PSW #725
Enterprises today have an ever-expanding attack surface. Jimmy Sanders, Head of Security for DVD.com, joins us to discuss how organizations are constantly trying to stay ahead of the latest known and unknown risks!
Announcements
CRA's Business Intelligence Unit has launched its next survey on Zero Trust! What are Your Barriers to Zero Trust Implementation? Take our survey and enter to win a $500 Tango card by visiting https://securityweekly.com/zerotrust. Report results will be released at our upcoming Zero Trust E-Summit in March!
Guest
Jimmy Sanders, Head of Information Security at Netflix DVD. Jimmy has spent his career creating holistic and innovative security programs as well as learning security ideas from some of the industry's brightest minds. In addition to his duties at DVD.com, Jimmy has served as the San Francisco Bay Area chapter president of the Information Systems Security Association (ISSA) since 2014. He is also on the ISSA International Board of Directors, a Board Member for the ISSA Education Foundation, a Board Member of the Information Security Leaders Foundation (ISLF), and a member of the Office of the CIO. Furthermore, he has been a keynote speaker at Black Hat, RSA, SecureWorld, and InfoSec World, as well as other notable events. Prior to DVD.com, Jimmy Sanders held key roles at organizations including Samsung, Fiserv, and SAP. He is a Cyber Security Committee advisor for Merritt College and Ohlone College, and sits on the advisory boards of other colleges and non-profits.
2. Securing Ubiquiti WiFi Systems – PSW #725
Ubiquiti has become a crowd favorite for WiFi (and many other solutions). Learn how to do some basic security hardening, update the software, change passwords, and more!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
3. 12 Year Linux Bug, Recovering Bitcoin, Lulzsec’s Impact, & Pimp My Cubicle – PSW #725
This week in the Security News: More QR codes you shouldn't trust, race conditions in Rust, encrypting railways, Pwnkit - the latest Linux exploit, tricking researchers into crashing, cybersecurity is broken?, the best cybersecurity research paper, evil Favicons, escaping Kubernetes, pimping your cubicle and someone who actually recovered their crypto wallet!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
- 1. PwnKit
- 2. TrickBot malware now crashes researchers’ devices to evade analysis: "The third line of defense is the most interesting one as malware operators have added an anti-debugging script that triggers a memory overload when a security researcher performs a Code Beautifying technique."
- 3. A bug lurking for 12 years gives attackers root on most major Linux distros: "The Qualys researchers aren't the only ones to stumble upon this vulnerability, or at least a very similar bug. In 2013, researcher Ryan Mallon publicly reported much the same bug and even wrote a patch, although he ultimately could find no way to exploit the vulnerability. And last June, GitHub security researcher Kevin Backhouse also reported a privilege escalation vulnerability. It received the tracking designation of CVE-2021-3560 and a patch from major Linux distributors." - FYI, K. Backhouse's bug looks totally different. R. Mallon's discovery analyzed the same code block, but he did not publish an exploit. Are we now compelled, given the success of Pwn2Own and Dragos's recent comments, to make sure we weaponize all exploits?
- 4. Cybersecurity Is Broken: How We Got Here & How to Start Fixing It: "By the end of the third quarter, the number of data breaches was 17% higher in 2021 than the previous year. The manufacturing and utilities sector was affected the most, followed by healthcare, which saw more than 40 million patient records breached. Ransomware attacks are also seeing a precipitous rise, having earned an estimated $590 million in the first half of 2021, which already surpasses 2020's total estimated earnings of $416 million." - Could it be that we've gotten better at detecting breaches, and/or you know you're breached because the attackers are using extortion more than before? Are more patient records breached because our records are, more than ever before, being stored digitally? Have ransomware payouts increased due to cyber insurance and breach reporting laws? Not everything, especially statistics, is due to failures in defending networks...perhaps?
- 5. Is Google tracking your location even when you think you’ve turned it off? US states sue over “deception”
- 6. Open-source code: How to stay secure while moving fast – Help Net Security
- 7. Best Cybersecurity Research Paper Revealed: "Titled On One-way Functions and Kolmogorov Complexity, the winning paper was published at the 2020 IEEE (Institute of Electrical and Electronics Engineers) Symposium on Foundations of Computer Science." - Wow, from the paper: "A one-way function [13] (OWF) is a function f that can be efficiently computed (in polynomial time), yet no probabilistic polynomial-time (PPT) algorithm can invert f with inverse polynomial probability for infinitely many input lengths n."
- 8. An Armful of CHERIs – Microsoft Security Response Center
- 9. Apple paid me $100k bounty for Safari UXSS super-bug
- 10. McAfee Bug Can Be Exploited to Gain Windows SYSTEM Privileges
- 11. 10 Years Later, What Did LulzSec Mean for Cybersecurity?: "Because there is no predictability — perhaps that’s a part of their point — there is the idea that they can hit anyone at any time for whatever reason," Coroneos said. "That seems to be what they are actually trying to show: that they are not restricted to one ideology or cause."
- 12. Segway Hit by Magecart Attack Hiding in a Favicon: "Also of interest is the fact that the threat actors are embedding the skimmer inside a favicon.ico file. Favicons are small icon images that link to other websites. 'If you were to look at it, you’d not notice anything because the image is meant to be preserved.'"
- 13. How I Got Pwned by My Cloud Costs
- 14. PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)
- 15. Linux kernel bug can let hackers escape Kubernetes containers: Oh, you would be surprised: "However, for the exploit process to work, the attacker needs to leverage an unprivileged namespace or use 'unshare' to enter a namespace with the CAP_SYS_ADMIN permission. This capability isn't the default setting on Docker, and using the '--privileged' flag when starting the container isn't common practice."
- 16. Webcam Hacking (again) – Safari UXSS
- 17. ‘Cyberpartisans’ hack Belarusian railway to disrupt Russian buildup
- 18. Apple’s AirTag uncovers a secret German intelligence agency
- 19. A hacker recovered a crypto wallet worth $2 million for the owner who forgot the password: report
- 20. We talked to the guy who turned his cubicle into a cabin
- 21. argv silliness
- 1. Apple Releases iOS 15.3 and iPadOS 15.3: Apple updated iOS, iPadOS, watchOS, tvOS, and macOS to resolve kernel and WebKit vulnerabilities. 10 CVEs were addressed in iOS and iPadOS. Code reuse means the updates hit many of the product lines.
- 2. Security advisory for the standard library (CVE-2022-21658): An update for the Rust programming language fixes a bug that could be exploited to delete files and directories from unpatched systems. This is a TOCTOU (time of check/time of use) race condition. Updating to version 1.58.1 is the only fix; adding code to check before calling the “remove_dir_all” function will not mitigate the problem, as those checks are subject to the same race condition.
- 3. FBI warns of malicious QR codes used to steal your money: The FBI warned Americans this week that cybercriminals are using maliciously crafted Quick Response (QR) codes in attacks designed to redirect victims to malicious websites that steal the targeted victims' financial information and login credentials.
- 4. CISA adds 17 vulnerabilities to list of bugs exploited in attacks: This week, CISA added 17 actively exploited vulnerabilities to its "Known Exploited Vulnerabilities" catalog. The catalog was established under "Binding Operational Directive (BOD) 22-01" and lists vulnerabilities that have been successfully exploited by attackers and that Federal Civilian Executive Branch (FCEB) agencies are required to patch.
- 5. OpenSubtitles data breach impacted 7 million subscribers: OpenSubtitles suffered a data breach that affected 6,783,158 subscribers. Exposed data included email and IP addresses, usernames, the country of the user, and passwords stored as unsalted MD5 hashes.
- 6. Attackers are actively targeting critical RCE bug in SonicWall Secure Mobile Access: Threat actors are actively exploiting a critical flaw (CVE-2021-20038) in SonicWall’s Secure Mobile Access (SMA) 100 series gateways, addressed in December. Remember that the SMA 100 series of appliances includes the SMA 200, 210, 400, and 500v products. This is a high-risk vulnerability as it allows remote code execution. SonicWall advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
- 7. Prolific Chinese APT Caught Using ‘MoonBounce’ UEFI Firmware Implant: Threat hunters at Kaspersky have spotted the well-known Chinese government-linked "APT41" (Winnti) APT group leveraging a UEFI implant dubbed "MoonBounce" in order to evade detection across system reboots while its operators conduct state-sponsored cyber espionage activity.
- 8. Hackers say they encrypted Belarusian Railway servers in protest: The Belarusian Cyber-Partisans say they successfully breached and encrypted servers belonging to the state-owned Belarusian Railway after learning that Russia was using the rail transport network to move military personnel and equipment into Belarus.