PSW #746 – Joseph Menn
1. Cult of the Dead Cow & the Best Cybersecurity Journalism – Joseph Menn – PSW #746
Veteran cybersecurity journalist and author Joseph Menn, now at the Washington Post, talks about his books and the best reporting on hacking and defense today. Since he began writing on the subject in 1999, Menn has broken some of the biggest stories in the industry and written two of the most widely read books in the Cybersecurity Canon.
Segment Resources: https://www.amazon.com/Joseph-Menn/e/B001HD1MF6%3Fref=dbsamngrwtscns_share
https://www.washingtonpost.com/technology/2022/05/01/russia-cyber-attacks-hacking/
https://www.reuters.com/investigates/special-report/usa-politics-beto-orourke/
https://www.reuters.com/article/us-usa-security-rsa/exclusive-secret-contract-tied-nsa-and-security-industry-pioneer-idUSBRE9BJ1C220131220
https://www.reuters.com/article/microsoft-china/insight-microsoft-failed-to-warn-victims-of-chinese-email-hack-former-employees-idUKL1N14I1LU20151231
https://www.wired.com/story/cult-of-the-dead-cow-at-stake-hackers-excerpt/
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Guest
A security journalist for more than two decades, Joseph Menn is the author of the bestseller “Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World,” published in 2019. It revealed that then-presidential candidate Beto O’Rourke had belonged to the oldest surviving and most influential group of U.S. hackers and explained the origins of hacktivism and ethical security work. The New York Times Book Review called it “a hugely important piece of the puzzle for anyone who wants to understand the forces shaping the internet age.” It was named one of the 10 best nonfiction works of the year by Hudson Booksellers as well as one of the five cybersecurity books everyone should read by the Wall Street Journal, and it was inducted into the Cybersecurity Canon project’s Hall of Fame.
Menn now covers digital threats for the Washington Post, having joined in early 2022 after working at Reuters, the Financial Times and the Los Angeles Times, where he began writing about cybersecurity in 1999. Menn also wrote the 2010 bestseller “Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet,” a real-life thriller that brought the modern face of cybercrime to a mainstream audience. Fatal System Error revealed collaboration between major governments and organized crime. It was placed on the official reading list of the US Strategic Command, while the New Yorker magazine compared it to the “Dragon Tattoo” novels of Stieg Larsson. Before that, he wrote the definitive inside account “All the Rave: The Rise and Fall of Shawn Fanning’s Napster,” named one of the best three books of the year by Investigative Reporters & Editors Inc.
2. Destructive Firmware, Keys to the Kingdom, the Device Level, & 5 CyberSec Myths – PSW #746
In the Security News for this week: ICS training bill, 5 myths, VoIP devices and ransomware, miracle exploits, UnRAR and Zimbra, guess what the most common weakness is, security at the device level is NOT simple, keys to the kingdom, and HP says destructive firmware attacks pose a significant threat to businesses!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
- 1. House Passes ICS Cybersecurity Training Act – "CISA must ensure its efforts include: Virtual and in-person training and courses provided at no cost to participants; Training and courses available for different skill levels, including introductory-level courses; Training and courses that cover cybersecurity defense strategies for industrial control systems, including an understanding of the unique cybersecurity threats facing industrial control systems and the mitigation of security vulnerabilities in industrial control systems technology..."
- 2. Top 5 Myths Of Cyber Security Debunked – "I have a firewall, so I’m safe from attacks."
- 3. CrowdStrike: Ransomware Actor Caught Exploiting Mitel VOIP Zero-Day – "According to CrowdStrike researcher Patrick Bennett, the ransomware actor performed a novel remote code execution exploit on the Mitel MiVoice Connect appliance and went to lengths to perform anti-forensic techniques on the VOIP appliance to cover their tracks. The vulnerability, patched by Mitel without acknowledgement of the zero-day exploitation, is rated “critical” and affects a component of Mitel’s MiVoice Connect."
- 4. Mitel VoIP Bug Exploited in Ransomware Attacks
- 5. Oracle patches ‘miracle exploit’ impacting Middleware Fusion, cloud services – "Oracle has patched a remote code execution (RCE) vulnerability impacting Oracle Fusion Middleware and various other Oracle systems. Security researchers ‘Peterjson’ and ‘Jang’ reported a pair of severe flaws to Oracle that can be chained to achieve RCE, which they dubbed the ‘Miracle Exploit’."
- 6. New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers – "This also includes Zimbra collaboration suite, wherein the vulnerability could lead to pre-authenticated remote code execution on a vulnerable instance, giving the attacker complete access to an email server and even abuse it to access or overwrite other internal resources within the organization's network. The vulnerability, at its heart, relates to a symbolic link attack in which a RAR archive is crafted such that it contains a symlink that's a mix of both forward slashes and backslashes (e.g., '......tmp/shell') so as to bypass current checks and extract it outside of the expected directory."
- 7. New ‘FabricScape’ Bug in Microsoft Azure Service Fabric Impacts Linux Workloads
- 8. Cyberattack halted the production at the Iranian state-owned Khuzestan Steel company
- 9. The curious tale of a fake Carrier.app
- 10. NSA, CISA say: Don’t block PowerShell, here’s what to do instead
- 11. Hidden Anti-Cryptography Provisions in Internet Anti-Trust Bills – Schneier on Security
- 12. SEC Proposes New Cybersecurity Rules for Public Companies
- 13. 7-Zip Now Includes Mark-of-the-Web Security Feature Support
- 14. A wide range of routers are under attack by new, unusually sophisticated malware
- 15. FCC commissioner wants Apple, Google to remove TikTok from App Stores
- 16. Firefox 102 fixes address bar spoofing security hole (and helps with Follina!)
- 17. Cybersecurity Researchers Launch New Malware Hunting Tool YARAify
- 18. LockBit 3.0 Ransomware Launches ‘Bug Bounty Program’
- 19. Mitre shared 2022 CWE Top 25 most dangerous software weaknesses – And the winner is, still, and you guessed it: Out-of-Bounds Write (e.g. memory corruption, buffer overflow): https://cwe.mitre.org/data/definitions/787.html
- 20. Implementing Zero-Trust? Don’t Forget About Printers – Yea no, this is like advice from 20+ years ago, and it's not complete zero trust: "Unlike other IT systems, zero-trust for printing primarily involves putting printers into a separate, controlled environment (network) and closely regulating and monitoring who has access to those printers." Fight me.
- 21. How APTs Are Achieving Persistence Through IoT, OT, and Network Devices – "The good news is that security at the device level is simple to achieve. While new vulnerabilities will constantly emerge, most of these security issues can be addressed through password, credential, and firmware management, as well as through basic device hardening." Except when you can't do any or all of those things because you can't change the password (esp. if it's a backdoor in the firmware), the device does not have authentication at all, there is a web application vulnerability (or 10), and you can't update the firmware because it's no longer supported by the vendor and they stopped making updates.
- 22. The Keys to the Kingdom – "The signature check was performed only on the code region specified in the header. As long as the original header, code, and signature were unmodified, the bootloader would boot the image. A quick test proved this to be the case. An image with extra data appended booted successfully, with the extra data being ignored. Since all flash memory on this device is executable, I could simply jump to extra code appended to a valid update image." and then: "My payload was simple: Erase the original public key from flash and write the new key in its place. On subsequent reboots, the bootloader would accept new firmware images signed with the new key—one the client now keeps in a couple of safe places." - nice hack!
- 23. Destructive firmware attacks pose a significant threat to businesses – Help Net Security – According to an HP survey: "(83%) IT leaders say firmware attacks against laptops and PCs now pose a significant threat, while 76% of ITDMs said firmware attacks against printers pose a significant threat." and "More than two-thirds (67%) of IT leaders say protecting against, detecting, and recovering from firmware attacks has become more difficult and time-consuming due to the increase in home working, with 64% saying the same of analyzing the security of firmware configuration." and "Despite the clear risks that destructive firmware attacks pose to organizations, device security is not always a major consideration in the hardware procurement process, with many organizations continuing to use technologies that are not built with security in mind." - Like my MSI laptop, which has not seen a firmware update in years, because well, they haven't made one. Talk to me about updating the DBX...
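The UnRAR item (6) describes a check that was defeated by mixing forward slashes and backslashes in an archive path. The following is an added example, not code from UnRAR, Zimbra or the article, showing how an extractor should vet entry names (and symlink targets) before touching the filesystem: fold both separator styles first, then normalize, then reject anything absolute or escaping the extraction root. The entry names are constructed for the example.

```python
import posixpath
from typing import Dict, Optional

# Constructed sample entry names (file names or symlink targets), not taken
# from any real archive or advisory.
SAMPLE_ENTRIES = [
    "inbox/message.eml",          # ordinary relative path
    "docs/./attachments/a.pdf",   # harmless '.' component
    "../../tmp/shell",            # plain traversal
    "..\\..\\tmp/shell",          # traversal written with backslashes
    "..\\../..\\tmp/shell",       # mixed separators, the class the advisory describes
    "/etc/passwd",                # absolute path
    "C:\\Windows\\evil.dll",      # drive-letter path
]


def normalize_entry(name: str) -> str:
    """Unify separators BEFORE normalizing, so '..\\' is seen as '../'."""
    unified = name.replace("\\", "/")
    return posixpath.normpath(unified)


def is_safe_entry(name: str) -> bool:
    """True only if the entry stays inside the extraction root."""
    norm = normalize_entry(name)
    if norm.startswith("/"):            # absolute path
        return False
    parts = norm.split("/")
    if ".." in parts:                   # any surviving parent reference escapes the root
        return False
    first = parts[0]
    if len(first) == 2 and first[1] == ":":   # Windows drive letter such as C:
        return False
    return True


def destination(extract_root: str, name: str) -> Optional[str]:
    """Final on-disk path for a vetted entry, or None if it must be skipped."""
    if not is_safe_entry(name):
        return None
    return posixpath.join(extract_root, normalize_entry(name))


def audit(entries) -> Dict[str, bool]:
    """Map each entry name to its verdict; handy for logging rejected entries."""
    return {name: is_safe_entry(name) for name in entries}
```

The same check must be applied to symlink targets, since the advisory's bypass lived in the link target rather than the entry name.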
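The Keys to the Kingdom item (22) comes down to one verifier mistake: the signature covered only the header-specified code region, so bytes appended after the signature were never checked yet still landed in executable flash. This added example (not the bootloader's code or the article's) models that with a constructed image format and a stand-in HMAC signature: `verify_weak` mirrors the flaw, `verify_strict` additionally requires that the header-declared region plus signature account for every byte of the image.

```python
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                      # constructed image format for this example
HEADER_FMT = "<4sI"                  # magic, little-endian code length
HEADER_LEN = struct.calcsize(HEADER_FMT)
SIG_LEN = hashlib.sha256().digest_size
# Stand-in symmetric key; a real bootloader verifies an asymmetric signature
# against a public key kept in flash (the key the article's payload replaced).
KEY = b"example-signing-key-not-for-production"


def build_image(code: bytes) -> bytes:
    """Header + code + signature over (header + code), as a valid update would be."""
    header = struct.pack(HEADER_FMT, MAGIC, len(code))
    sig = hmac.new(KEY, header + code, hashlib.sha256).digest()
    return header + code + sig


def _signed_region_ok(image: bytes) -> bool:
    """Check only the region the header points at, exactly as the flawed check did."""
    if len(image) < HEADER_LEN + SIG_LEN:
        return False
    magic, code_len = struct.unpack_from(HEADER_FMT, image)
    if magic != MAGIC:
        return False
    end = HEADER_LEN + code_len
    if end + SIG_LEN > len(image):
        return False
    expected = hmac.new(KEY, image[:end], hashlib.sha256).digest()
    return hmac.compare_digest(expected, image[end:end + SIG_LEN])


def verify_weak(image: bytes) -> bool:
    # Anything after the signature is ignored, yet it will be written to flash.
    return _signed_region_ok(image)


def verify_strict(image: bytes) -> bool:
    if not _signed_region_ok(image):
        return False
    _, code_len = struct.unpack_from(HEADER_FMT, image)
    # Every byte that will be written must be covered by the signature: the image
    # must be exactly header + declared code + signature, nothing more.
    return len(image) == HEADER_LEN + code_len + SIG_LEN
```

A verifier that also rejects images shorter than the header claims, as `_signed_region_ok` does, avoids the mirror-image bug of reading a signature from beyond the buffer.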