PSW #761 – Charles Shirer
Full Audio
View Show IndexSegments
1. Linux Rust & Retro – Charles Shirer – PSW #761
In this segment, we are going to discuss linux security and using the Rust programming language with an Offensive MindSet, and our guest Charles Shirer!
Announcements
Join our cybersecurity community on Discord! Connect directly with our expert hosts, join discussions with fellow audience members, and customize your notifications to receive alerts every time an episode of your favorite show publishes. Get your invite at securityweekly.com/discord!
Guest
Charles is a Penetration Tester/RedTeamer/Security Researcher with security certifications. He has 20 years of overall IT experience with the last 8 years in Information Security performing web application, network, and wireless penetration Test. Is a maintainer of the SecBsd Penetration Testing Security Operating System and has appeared on many different podcasts and Security Conferences.
Charles has a podcast called positively Blue team. In his spare time Charles enjoys retro gaming, hanging out with family and friends, and helping other people get into the IT industry.
Hosts
2. Exploiting Hacker Tools, Microsoft “Fixes” Driver Problem, Moles, & Deconflictions – PSW #761
This week in the Security News: rethinking vulnerability severity, exploiting the hacker tools, Microsoft "fixes" the vulnerable driver problem, its what you do with the data that matters, what is comprehensive security, deconflictions, moles are always a problem, checking the certs, oh and there is a vulnerability in OpenSSL, well at least one that we know of, currently!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Guest
Charles is a Penetration Tester/RedTeamer/Security Researcher with security certifications. He has 20 years of overall IT experience with the last 8 years in Information Security performing web application, network, and wireless penetration Test. Is a maintainer of the SecBsd Penetration Testing Security Operating System and has appeared on many different podcasts and Security Conferences.
Charles has a podcast called positively Blue team. In his spare time Charles enjoys retro gaming, hanging out with family and friends, and helping other people get into the IT industry.
Hosts
- 1. What is an Individual Validation Code Signing Certificate?
- 2. Stranger Strings: An exploitable flaw in SQLite
- 3. Log4Shell, Spring4Shell, and Now Text4Shell? – Rezilion
- 4. InfoSec Handlers Diary Blog – SANS Internet Storm Center
" I typically rate privilege escalation, like flaws, as important and code execution flaws as critical. Let me know if you disagree with the rating." - Okay yea, I disagree. I think that a reliable remotely exploitable vulnerability in a major operating system on a service that is exposed to the Internet, in today's landscape, is a Unicorn, that speaks, well, Unicorn. These things are rare. So rare, it's why 15 years ago (or more) we moved to client-side attacks, that is email phishing and exploiting browsers. I think we need to adjust our critical ratings is my point. On a scale of 1 through 10, an RCE in a major OS service exposed to the Internet is an 11. It's not even on the scale. So, sort of like grading on a curve, let's take that out of the equation. This means privilege escalation carries a higher weight because attackers will get in, period.
- 5. Software update for Potential security vulnerabilities in GIGABYTE software
- 6. Exploiting a Flipper Zero
This wasn't earth-shattering research (I don't believe they even got code execution). However, it serves as a warning that we trust our tools way too much. When we run a debugger, a fuzzer, or a SPI programmer, we TRUST that this tool works as it should. Trust but verify. Who is verifying? Who is looking at the code to determine that flashrom hasn't been backdoored and each time I run it the software is now programmed to brick my device? I know I'm talking with the evil bit enabled, but all too often we just implicitly trust that the software we use will operate the way we expect. Unless, of course, it's Linux and you are dealing with audio drivers. Then expectations are really low, like really low...
- 7. CNAME Cloaking: Disguising Third Parties Through the DNS
- 8. Scientists Test “Intelligent” Robot Lasers To Kill Cockroaches
I still don't trust computers to determine if it's a cockroach or it's my foot or my eyeball. I mean, I'm a human and I can't tell if that's a fire hydrant or not to prove I am a human and not a bot...
- 9. Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals
This is a great tutorial (though I am not a browser architecture expert, so could be inaccurate but I hope it's not).
- 10. Exploited Windows zero-day lets JavaScript files bypass security warnings
- 11. How an Attacker Can Achieve Persistence in Google Cloud Platform (GCP) with Cloud Shell
- 12. [CVE-2022-1786] A Journey To The Dawn
"Technically, this bug (CVE-2022-1786) is the first bug that I found, analyzed, exploited, and reported alone. This blog is written to commemorate this moment. Thus, this blog will not be in the style of “what is the correct way to exploit the bug”. Instead, it will document all the frustration and excitment in the crazy 7 days that I spent developing the exploit. I hope you will enjoy the ride!" - Great post, I strive to understand all of the technical details.
- 13. Dozen High-Severity Vulnerabilities Patched in F5 Products
- 14. Microsoft fixes driver blocklist placing users at risk from BYOVD attacks
To me, this is still far from fixed. This is more of a promise to streamline the updates: "This has been done, and the “gap in synchronisation across OS versions” has been closed. According to Tech Radar, issues related to blocklist updating will be tackled in “upcoming and future Windows updates”."
- 15. Google announces GUAC open source project on software supply chains
"Google shared a proof of concept of the project, which allows users to search data sets of software metadata. The three explained that GUAC effectively aggregates software security metadata into a database and makes it searchable. " - A good first step! Now what queries do we run against this data?
- 16. 4 Ways To Achieve Comprehensive Security
"Commit to a Zero-Trust Strategy, Manage Compliance, Risk, and Privacy, Use a Combination of XDR + SIEM Tools, Using MFA Whenever and Wherever Possible" - Huh, really?
- 17. Hardware Makers Standardize Server Chip Security With Caliptra
- 18. Battle with Bots Prompts Mass Purge of Amazon, Apple Employee Accounts on LinkedIn – Krebs on Security
- 19. Reverse Engineering the Apple MultiPeer Connectivity Framework
- 20. HTTP/3 connection contamination: an upcoming threat?
- 21. Ghostwriter v3.1 Now Available
Interesting: "When performing any offensive assessment work, you are likely to trigger an alert or generate anomalous logs that will get someone’s attention. If the system owner cannot identify you as the source, they will likely reach out to you to deconflict the event. You can now record deconfliction events under a project’s Deconflictions tab."
- 22. Microsoft Office Online Server Remote Code Execution – MDSec
- 23. BlueBleed: Microsoft confirmed data leak exposing customers’ info
- 24. Researchers Warn about PowerShell Backdoor Exploited by Hackers
- 25. Fantastic Rootkits: And Where to Find Them (Part 1)
I'm not bashing Cyberark here, they did an amazing job with this article and have a talented research team and I have worked with them in the past and having nothing but nice things to say. One things that gets me is the Windows-centric view of the security world. The title says "Fantastic Rootkits", when it means "Fantastic Windows Rootkits". There are other operating systems, such as Linux, macOS, and many embedded OSes. They run on different hardware too. Most articles seem to focus on Windows on x86. I do see this changing, especially as we use less desktop software (really just a browser for so many). It opens the door for more OSes and different hardware (like ARM), perhaps with better security features and protections against rootkits?
- 26. This is a ransomware hacker’s biggest weakness – CyberTalk
"A REvil insider sent an email – revealing sensitive information about the group’s operations – to a group of security researchers. The researchers then shared this information with law enforcement, which helped lead to the arrests of REvil-affiliated hackers." - This is every criminal's biggest weakness. From the mafia to drug lords, insiders leaking information is often their downfall. Remember the line "Fredo, I know it was you...". Now I can spare you from having to read this article.
- 27. Announcing Jetstack Paranoia: A New Open Source Tool for Container Image Security
This is a great tool! Perhaps, an example of one of the most useful security tools out there. I've been ranting about trust, how we just blindly trust things. One of those things is the CA certificate list that comes with our OS or container. Who checks that to make sure there are no expired or revoked certs? In theory, you are supposed to check that, and update it. This is where paranoia comes in (literally and figuratively). It checks the certs in containers and gives us data that we can use to determine if we still trust that cert or CA certificate. Grinds my gears that we have the capabilities that enable us to verify integrity and trust, but we don't complete the loop.
- 1. Daixin Team Ransomware Group Actively Targeting Healthcare Sector
Daixin actors gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server [T1190],” the advisory stated.
“In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server [T1078] that did not have multifactor authentication (MFA) enabled. The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment.”
Once they have obtained access, Daixin actors can move laterally via Secure Shell (SSH) and Remote Desktop Protocol (RDP). The Daixin Team’s software is likely based on Babuk Locker source code, the advisory explained. The advisory contained detailed indicators of compromise (IOCs) and pictures of common Daixin ransom notes.
CISA, FBI, and HHS urged the healthcare sector to take action to protect against Daixin Team activity. Healthcare organizations should install updates and prioritize patching VPN servers, remote access software, known vulnerabilities, and virtual machine software.
- 2. USPS Forever Stamp Women Cryptologists of WWII
During World War II, some 11,000 women helped to process and decipher an endless stream of enemy military messages. Both frustrating and exhilarating, their work was one of the conflict’s best-kept secrets.
- 1. Passkeys—Microsoft, Apple, and Google’s password killer—are finally here
Microsoft, Apple, Google, and a consortium of other companies have unified around a single passkey standard shepherded by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks.