PSW #777 – Nico Waisman
1. Vulnerability Research (& Other “Things”) – Nico Waisman – PSW #777
We sit down with Nico Waisman to discuss vulnerability research and other security-related topics!
Announcements
Security Weekly listeners: Identiverse 2023 is heading to Vegas! Join the digital identity community at the ARIA Resort & Casino in Las Vegas, May 30th to June 2nd. Identiverse is a must-attend annual event that brings together over 2,500 security professionals for 4 days of world-class learning, engagement, and entertainment.
As a community member, you’re able to receive 20% off your Identiverse 2023 tickets using code IDV23-SW20!
Register today: securityweekly.com/identiverse2023
Guest
Nicolas Waisman is currently the Chief Information Security Officer at Lyft. In this role, Waisman leads the information security and privacy program responsible for the company's cybersecurity efforts to secure and protect personal and customer information.
Nico has more than 20 years in the security industry and previously held security leadership roles at GitHub, Semmle, Cyxtera, and Immunity. Nico is a recognized security expert who has taught government and commercial-sector students from all over the world in both private and public classroom settings, presenting some of his research at conferences such as Black Hat, PacSec, SyScan, Ekoparty, and many others.
He has been involved in all aspects of his past successful businesses, from recruiting and team building to product conception, design, and engineering, along with running and managing a successful consulting team. Nicolas was one of the driving forces behind the acquisition of Immunity by Cyxtera Technologies in 2018.
2. 7″ Laptop, Trojans in Chips, Samsung’s Faux Moon, & The 4 C’s – PSW #777
In the Security News: Windows MSI tomfoolery, curl turns 8...point owe, who doesn't need a 7" laptop, glitching the ESP, your image really isn't redacted or cropped, brute forcing pins, SSRF and Lightsail, reversing D-Link firmware for the win, ICMP RCE OMG (but not really), update your Pixel and Samsung, hacking ATMs in 2023, breaking down Fortinet vulnerabilities, Jamming with an Arduino, it 315 Mega hurts, analyzing trojans in your chips, and the 4, er 1, er 3, okay well how to suck at math and the 4 Cs of Cybersecurity! All that, and more, on this episode of Paul’s Security Weekly!
Announcements
Security Weekly listeners save $100 on their RSA Conference 2023 Full Conference Pass! RSA Conference will take place April 24-27 in San Francisco and on demand. To register using our discount code, please visit https://securityweekly.com/rsac2023 and use the code 53UCYBER! We hope to see you there!
- 1. Windows Installer EOP (CVE-2023-21800) · Doyensec’s Blog
- 2. CVE-2023–26604
"On one of the pentest projects, an unprivileged account was accessed on RHEL 8. It was spelled out in sudoers that the command /usr/bin/systemctl status *random_service could be run from my user. Coincidentally, the size of my terminal turned out to be small. There is a feature in systemctl which outputs information to the pager less instead of cat if the size of the terminal is less than the length of any line of output. The pager less has the ability to execute commands; for example, you can trigger a new shell with the command !sh." - Note this did not work on Manjaro; it told me, "Command not available".
- 3. Espressif ESP32: Glitching The OTP Data Transfer
"In this blog post, we describe how we were able to successfully execute an EMFI attack on the OTP transfer process of the ESP32 using commercially available tooling. We presented this work at hardwear.io USA 2022."
- 4. Producing a POC for CVE-2022-42475 (Fortinet RCE) – Sec Team Blog
- 5. How to Build the Perfect Red Team Hardware Implant
I learned a lot from these slides, now I want to build one just for fun!
- 6. Google Pixel flaw allowed recovery of redacted, cropped images
"The problem is believed to stem from how the image file was opened for editing, causing truncated data to be left behind in a saved image and allowing roughly 80% of the original version to be recoverable."
- 7. Bitwarden PINs can be brute-forced – ambiso’s blog
"A proof of concept exploit for Linux only can be found here. It uses the fact that the encryption is authenticated and checks whether the MAC verifies using the key derived from the guessed PIN. It only tests the PINs 0000 through 9999, so you will have to use one of those if you want it to succeed. Make sure to uncheck the "Lock with master password on restart" option (otherwise the required information would need to be read from the Bitwarden application's memory (quite a different attack scenario)). It finds any 4 digit PIN in less than 4 seconds"
- 8. Microsoft fixes Outlook zero-day used by Russian hackers since April 2022
- 9. Harvesting Active Directory credentials via HTTP Request Smuggling
I don't know if this is old or new, but it's really cool: "Are you starting to get excited yet? If an Exchange server is configured to use ActiveSync with Basic Auth, users are sending usernames and passwords in every single HTTP request. As we are able to perform HRS, we might be able to intercept these credentials!" - Not gonna lie, I was excited :)
- 10. Finding Hundreds of SSRF Vulnerabilities on AWS
Why I was skeptical of AWS Lightsail...
- 11. Reconnaissance 103: Host and Port Discovery
Tools just keep evolving here, largely from bug bounty hunters.
- 12. CVE-2023-23415 – Security Update Guide – Microsoft – Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
OMG! The sky is not falling (from: https://doublepulsar.com/a-look-at-cve-2023-23415-a-windows-icmp-vulnerability-mitigations-which-is-not-a-cyber-meltdown-78a9f7e3e538 ): "You need an app listening on raw sockets to be vulnerable — think a port sniffer (app processing all network traffic) or similar. To be clear, this will exist in enterprises (hi people running Wireshark etc)… but it shouldn’t be every Windows PC on earth as a scope. For an app to be listening on raw sockets, it needs admin rights. You need to allow ICMP inbound to be vuln, and the packets to trigger are quite unusual."
- 13. NIST 800-53 vs ISO 27002 vs NIST CSF
I flagged this for later so I could come up to speed on some compliance frameworks.
- 14. Debugging D-Link: Emulating firmware and hacking hardware
Blog post of the week for sure! This is a fantastic tutorial, I'm still picking it apart and adding it to my reversing techniques and such.
- 15. Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
"The attackers, the company says, exploited a vulnerability in the master service interface that Bitcoin ATMs use to upload videos, which allowed them to upload a JavaScript script and execute it with batm user privileges." - Hacking ATMs is so different now.
- 16. MNT Pocket Reform is a tiny laptop that is modular, upgradable, recyclable, reusable, and ships with Debian Linux.
This is neat...Who doesn't need a tiny Linux laptop for "things" and "stuff"?
- 17. curl 8.0 Released To Celebrate Project’s 25th Birthday – Phoronix
FYI, curl has around 250 command line switches. I would not want to be responsible for this code, let alone anything to do with security. I give the team a ton of credit!
- 18. Project Zero: Samsung Mobile Chipsets Vulnerable to Baseband Code Execution Exploits
"Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number." - Yeah, I updated my phone recently LOL. (Google Project Zero post: https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html )
- 1. Debugging D-Link: Emulating firmware and hacking hardware
- 2. Cyberattackers Continue Assault Against Fortinet Devices
- 3. Building a 315 MHz Jammer with an Arduino
- 4. Ferrari discloses data breach after receiving ransom demand
- 5. Oops! ChatGPT Shares AI Chat Histories with the Wrong Crowd
- 6. What are the 4 C’s of Cyber Security?
- 7. Researchers Spot Silicon-Level Hardware Trojans in Chips, Release Their Algorithm for All to Try
- 8. Federal agency hacked by 2 groups thanks to flaw that went unpatched for 4 years
- 9. Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems
- 10. CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes
- 11. Google Pixel flaw allowed recovery of redacted, cropped images
- 12. Attackers are starting to target .NET developers with malicious-code NuGet packages
- 13. Beloved hacking veteran Kelly ‘Aloria’ Lum passes away at 41
- 1. Flaw in Pixel’s Markup tool allows hackers to un-redact edited screenshots
A security flaw in Pixel's Markup utility allows hackers to un-redact and uncrop edited screenshots. Google has fixed this and released an update to AOSP 13.
- 2. Best and worst data breach responses highlight the do’s and don’ts of IR
- 3. Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace
Mandiant tracked 55 zero-day vulnerabilities that we judge were exploited in 2022. Although this count is lower than the record-breaking 81 zero-days exploited in 2021, it still represents almost triple the number from 2020.
- 4. UT Southwestern scientists discover agent that reverses effects of intoxication
Hormone called FGF21 (undrunk.io) speeds recovery from alcohol poisoning in mice, has potential to save countless lives, researchers say
- 1. Dark Reading: Zero-Day Bug Allows Crypto Hackers to Drain $1.6M From Bitcoin ATMs
In what the ATM owner called a security incident of the highest severity, threat actors were able to exploit a zero-day flaw by uploading "his own java application remotely via the master service interface used by terminals to upload videos, and run it using batm user privileges," the advisory released by General Bytes stated.