Getting Control Of Your Security Data Pipeline – JP Bourget – PSW #790
1. Getting Control Of Your Security Data Pipeline – JP Bourget – PSW #790
Getting the correct data in the right place for incident response is challenging. JP comes on the show to talk about how he is helping companies with these challenges, getting control of the security data pipeline while helping save costs!
Guest
JP is a recovering SOAR founder, Security Data Pipeline junkie, EIR at Lytical Ventures, and President of Blue Cycle, a boutique consulting firm focusing on SecOps maturity and on modernizing MSSPs and SOCs for the era of DevOps, Config as Code, and other current and nascent approaches to getting more done with fewer resources. JP is also a cyclist (he was on PaulDotCom 10 years ago) and still runs the Defcon bike ride, which you can sign up for at cycleoverride.org.
2. It’s Alive!, Slow Migrations, Hiding on the Net, BlackLotus Source, & Gaslighting – PSW #790
In the security news: Someone is going to get hurt, slow migrations, hiding on the Internet is hard, more Fortinet vulnerabilities, BlackLotus source code, the difficulties with roots of trust, stealthy rootkits, patching made easy?, rowhammer and gaslighting, signing with time machines, memory is complicated, and it’s alive!!! It's alive!!!
- 1. Fortinet Patches Critical FortiOS Vulnerability Leading to Remote Code Execution
This really grinds my gears: "Fortinet noted that the bug was addressed in a previous release, without an advisory." - Unless they fixed it without knowing it was a security issue.
- 2. ESET Research Podcast: Finding the mythical BlackLotus bootkit
Haven't listened yet. In other news, the BlackLotus source code is now available on GitHub: https://github.com/ldpreload/BlackLotus (or at least something that is very similar, as the debate continues: https://twitter.com/vxunderground/status/1679197452522356738?s=20)
- 3. StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability
"As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger. However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging." and "The complete exploit code and a comprehensive write-up will be made publicly available no later than the end of July."
- 4. Roots of Trust are difficult
This: "A straightforward implementation of a verified boot implementation has the firmware verify the signature on the bootloader or kernel before executing it. In this scenario, the firmware is the root of trust - it's the first thing that makes a determination about whether something should be allowed to run or not. As long as the firmware behaves correctly, and as long as there aren't any vulnerabilities in our boot chain, we know that we booted an OS that was signed with a key we trust. But what guarantees that the firmware behaves correctly? What if someone replaces our firmware with firmware that trusts different keys, or hot-patches the OS as it's booting it? We can't just ask the firmware whether it's trustworthy - trustworthy firmware will say yes, but the thing about malicious firmware is that it can just lie to us (either directly, or by modifying the OS components it boots to lie instead). This is probably not sufficiently trustworthy!" - Awesome insights in the rest of the article too.
- 5. Hunting for A New Stealthy Universal Rootkit Loader
This: "Malicious actors who are actively seeking high-privilege access to Windows operating systems use techniques that attempt to combat the increased protection that endpoint protection platform (EPP) and endpoint detection and response (EDR) technologies provide users and processes. Because of these added layers of protection, attackers tend to opt for the path of least resistance to get their malicious code running via the kernel layer or even lower levels. This is why we believe that such threats will not disappear from threat actors’ toolkits anytime soon."
- 6. An In-Depth Look at the Latest Vulnerability Threat Landscape (Part 1)
"The prioritization of vulnerabilities should be a multifaceted approach. The focus should be given to those known to be exploited in the wild (CISA KEV), those with a high likelihood of exploitation (indicated by a high EPSS score), and those with weaponized exploit code available." - Turns out this is a pretty small number of vulnerabilities in comparison to the 200k documented in NVD.
- 7. Exploiting XSS in hidden inputs and meta tags
- 8. Serious Security: Rowhammer returns to gaslight your computer
Amazing article: "Simply put, merely by reading from the same block of DRAM memory over and over in a tight loop, you automatically cause it to be rewritten at the same rate, thus greatly increasing the chance that you’ll deliberately, if unpredictably, induce one or more bit flips in nearby memory cells. Using this sort of treachery to provoke memory errors on purpose is what’s known in the jargon by the self-descriptive name rowhammering."
- 9. Old certificate, new signature: open-source tools forge signature timestamps on Windows drivers
"The third exception creates a loophole that allows a newly compiled driver to be signed with non-revoked certificates issued prior to or expired before July 29, 2015, provided that the certificate chains to a supported cross-signed certificate authority. If a driver is successfully signed this way, it will not be prevented from being installed and started as a service. As a result, multiple open source tools have been developed to exploit this loophole." and in case you're wondering: "Microsoft, in response to our notification, has blocked all certificates discussed in this blog post. Please refer to the advisory published by Microsoft for further information on their response."
- 10. Supercon 2022: Joe Grand And The Thinnest Boombox
So cool
- 11. The ThinkPad You All Wish You Had, With A Brain That’s Not Ancient
It's alive!!!!!! - "so far, he’s taken the display panel from an iPad and made it work with the Framework board, and designed an entirely new lower case for the Thinkpad. This will hold the Framework board with its USB-C ports at the edge, so in the place of its USB-based expansion modules, he’s made a custom external port replicator. Meanwhile, a Teensy handles that unique keyboard. We’re told that the design files will all eventually be put online should anyone else want to try."
- 12. Raspberry Pi Pico Intelligently Warms Your Butt
Because we all need a butt warmer built from a pico :)
- 13. Smuggler Nabbed with 306 CPUs Stuffed in Girdle
"Chinese customs have apprehended a man attempting the biggest on-the-person CPU smuggling feat we have seen reported. The perp was stopped at Qingmao Port as he sought to cross from Macau to mainland China with 306 CPUs fashioned into a girdle around his waist." Apparently he was caught because he was walking funny, LOL.
- 14. Unveiling the secrets: Exploring whitespace steganography for secure communication
- 15. CVE-2023-26258 – Remote Code Execution in ArcServe UDP Backup – MDSec
- 16. Overview of Modern Memory Security Concerns
"Almost all modern memory devices themselves contain computing elements, microcontrollers, and firmware to tame the complexities of modern interfaces and the complicated physics of the memory technology itself. Link training, wear leveling, caching, sleep and power management, manufacturing-related test functionality, are just some examples of these complexities. This functionality is backed by deeply-embedded firmware within the memory controller. This firmware is frequently written in the C language, where memory safety concerns pose a significant risk. These concerns increase as the firmware complexity increases, driven by modern memory protocols (such as NVMe) becoming increasingly complicated."
- 17. Connected Medical Devices – The Next Target for Ransomware Attacks
"It is not hard to imagine the magnitude of impact if malicious actors obtain control over medical systems and remove them from operation at a hospital with hundreds of beds." - I think this is the problem: we have to imagine these scenarios. While I would never wish that someone gets hurt, someone will get hurt, and then we'd see a huge increase in the security of medical devices from all parties (manufacturers, hospitals, software developers, IT departments, etc.).
- 18. RecycledInjector
- 19. AIDE 0.18.5 ≈ Packet Storm
- 20. No-NOC Networking Part 2 – The Hacker Factor Blog
I don't think just disabling ICMP will help with discoverability. I think what we are talking about here is Attack Surface Management and reducing your footprint.
- 21. No-NOC Networking Part 1 – The Hacker Factor Blog
"Attackers identify an exploit and come up with some kind of delivery mechanism (weaponize). They do reconnaissance to find out where to apply the exploit. Then they apply the exploit, compromise the system, and repeat the cycle. My solution focuses on the reconnaissance step, since that's the first time the attacker sends a packet to the server." - These are some interesting thoughts and research into how we can combat threats.
- 22. SSD Advisory – EdgeRouters and AirCube miniupnpd Heap Overflow – SSD Secure Disclosure
- 23. PROTECTING LINUX AT KERNEL LEVEL WHY AND HOW
- 24. Mitigate Top 5 Common Cybersecurity Vulnerabilities
I actually really like this article (which is not typical based on the title). However, the author did a nice job, agree?
- 25. JumpCloud resets customer API keys citing ‘ongoing incident’
- 26. Multiple Vulnerabilities Patched In Siemens Automation Device
- 27. Ghostscript bug could allow rogue documents to run system commands
- 28. Cisco urges stop using weak crypto algorithms with OSPF
This will be a slow migration: "‘In order to continue to use such weak cryptographic encryption algorithms, explicit configuration is required,’ Cisco stated in a field notice. ‘Otherwise, OSPF neighborship will fail to establish and cause service disruption as a result.’"
- 29. Experts released PoC exploit for Ubiquiti EdgeRouter flaw
- 30. Critical Vulnerability Can Allow Takeover of Mastodon Servers
- 31. Actively Exploited Industrial Control Systems Hardware – SolarView Series – Blog – VulnCheck
- 32. Introducing Slinky Cat – Living off the AD Land