Defending Public Infrastructure While At War – Antranig Vartanian – PSW #795
View Show IndexSegments
1. Defending Public Infrastructure While At War – Antranig Vartanian – PSW #795
The 2020 Armenian war with Azerbaijan called into action over 100 volunteer incident responders from across the country (and the globe) into action. Our guest for this segment was one of the leads during the 40-day conflict and helped organize teams that responded to everything from websites being attacked and country-wide Internet outages.
Announcements
Security Weekly listeners: Now is your chance to join the infosec community as they come together at InfoSec World 2023, September 23 – 28, 2023 at Disney's Coronado Spring Resort in Lake Buena Vista, FL. Hear keynotes from Scott Shapiro, Founding Director at Yale CyberSecurity Lab’s and Rachel Wilson, Managing Director and Head of Cybersecurity at Morgan Stanley.
As a Security Weekly community member, you’re able to receive 20% off your InfoSec World 2023 tickets using code ISW23-SECWEEK20! Register today: securityweekly.com/infosecworld2023
Guest
Antranig started his career 10 years ago as a system administrator and part-time OS developer. After spending a couple of years in operations he started working as the only security engineer at Armenia’s National Computer Emergency Response Team (CERT-AM), having responsibilities, including and not limited to, detecting active bots, botnets, vulnerable servers and to inform the public and the private sector about the security posture. Through his experience in security and operations, Antranig worked as a system engineer and later as CTO for multiple start-ups. Antranig currently serves as the CEO of illuria Security, a Cyber Deception company aiming to make deception the next standard in InfoSec. He uses, loves and contributes to FreeBSD, the Operating System made by Unix people, for Unix people
Hosts
2. NIST CSF, JTAG vs (OG) Xbox, Tricked Ya, Intel’s Security, & Josh Debates Jeff – PSW #795
In the Security News: You should read the NIST CSF, JTAG hacking the original Xbox, tricked into sharing your password, attacking power management software, the vulnerability is in the SDK, tearing apart printers to find vulnerabilities, a pain in the NAS, urllib.parse is vulnerable, hacking the subway, again, how not to implement encryption from OSDP, Intel does a good job with security, and hacking card shuffling machines! All that and more on this episode of Paul’s Security Weekly!
Announcements
Join us at an upcoming Official Cyber Security Summit in a city near you! This series of one-day, invitation-only, executive level conferences are designed to educate senior cyber professionals on the latest threat landscape. We are pleased to offer our listeners $100 off admission when you use code SecWeek23 to register. Visit securityweekly.com/cybersecuritysummit to learn more and register today!
Hosts
- 1. Raspberry Pi Used To Hijack Casino Card Shuffler
"Moreover, you don't even to be a card-playing genius to make sense of the Deckmate 2's data, it even has a built-in camera, for deck verification purposes. IOActive found that the camera feed could be accessed to learn the entire order of the deck in real time. An obvious cheating method which could stem from this is that visual data could be sent to a nearby smartphone via Bluetooth, which the IOActive team also tested. The second person could work in cahoots with the player at the table, to signal a decision or strategy. "
- 2. Intel’s Arc Alchemist GPUs Have Hidden Security Flaws
"It certainly hasn't been a good week for Intel. After a year-long embargo, the chipmaker had finally lifted the curtains Downfall, a vulnerability with costly performance penalties that impacts multiple generations of Intel processors. And now, Intel's internal team has discovered vulnerabilities with Arc A770 and Arc A750 graphics cards sold between October and December 2022. The advisory seemingly indicates that the flaw isn't widespread but only affects batches sold during the mentioned timeframe." - Grossly overstated. Intel has done an outstanding job ensuring the security of their platforms. Lets not forget AMD has also suffered from speculative execution-style vulnerabilities recently as well. Also, the graphics card vulnerabilities are not a huge deal and are in the DoS category.
- 3. AMD Zen 1 Vulnerability Not Properly Fixed, Second Pass Issued
- 4. JTAG ‘Hacking’ the Original Xbox in 2023
Really amazing article: "This blogpost revisited an old idea that the original Microsoft Xbox could have been hacked through Intel’s x86 CPU JTAG interface. A custom CPU interposer PCB was created to breakout the JTAG signals to a CodeTAP hardware debugger. The secret Xbox bootrom was successfully dumped via Intel JTAG, with real debug capabilities from the very first instruction of execution - closing the chapter on a 20 year old theory."
- 5. Next-gen OSDP was supposed to make it harder to break in to secure facilities. It failed.
Awesome research, and a huge failure in the implementation of crypto: "Unfortunately, the fix OSDP developers devised does nothing to solve that problem. When transmitting an SCBK to a new device, the standard encrypts it with a default key, known as an SCBK-D. Since the SCBK-D is known to all devices—including the researchers’ covert listening device—it’s trivial for the attackers to obtain a valid SCBK. From there, the attackers can view all messages transmitted on the network, including secret credentials stored on badges presented at security checkpoints."
- 6. Mac malware can easily bypass Apple’s Background Task Manager
- 7. Teens Hacked Boston Subway Cards to Get Infinite Free Rides—and This Time, Nobody Got Sued
This is a pretty crazy story.
- 8. Python Parsing Error Enabling Bypass CVE-2023-24329
"Due to this issue, attackers can bypass any domain or protocol filtering method implemented with a blocklist. Protocol filtering failures can lead to arbitrary file reads, arbitrary command execution, SSRF, and other problems. Failure of domain name filtering may lead to re-access of blocked bad or dangerous websites or to failure of CSRF referer type defense, etc."
- 9. A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: WD PR4100 Edition
This is a must read article on this research. Really well done. I like this part: "However, when we took a closer look, we noticed that something did happen: a new connection to our device was created. This meant that we did not get blocked by Western Digital cloud, instead we reached the device and did not have permissions. This was actually a pretty big deal, because we actually reached the device which was sitting in an internal network and was not network exposed. This meant that by only knowing a device GUID, we could interact with it. While this did not give us immediate control over the device, just gaining access was a good point to start." - And how they used the CTL to enumerate the GUID of all NAS devices!
- 10. Lexmark Command Injection Vulnerability ZDI-CAN-19470 Pwn2Own Toronto 2022
"We sacrificed our first printer to desolder the flash chip and dump the firmware and used the second one to test against. Unfortunately, both of our printers had toner issues which disabled large parts of the functionality of the printer including PJL."
- 11. GitHub – hardenedvault/ved-ebpf: VED-eBPF: Kernel Exploit and Rootkit Detection using eBPF
- 12. Microsoft finds vulnerabilities it says could be used to shut down power plants
"The vulnerabilities affect the CODESYS V3 software development kit. Developers inside companies such as Schneider Electric and WAGO use the platform-independent tools to develop programmable logic controllers, the toaster-sized devices that open and close valves, turn rotors, and control various other physical devices in industrial facilities worldwide." - Similar to vulnerabilities in reference code, I think this is a bigger deal than people realize. Again, the supply chain comes into play in order to get a fix rolled out.
- 13. Data centers at risk due to flaws in power management software
"Using multiple vulnerabilities found in the software, the researchers bypassed authentication allowing them to see and configure devices on that network. With initial access to the software, hackers could then to pivot to power distribution unit’s that are essentially glorified smart power strips that monitors energy usage"
- 14. Reflecting on supply chain attacks halfway through 2023
"For me, in reading the Year in Review so far and reflecting on it on the podcast, I had completely forgotten about supply chain attacks. I personally think the MOVEit file transfer breach, and follow-on breaches and compromises, has been placed on the back burner because it’s almost too big for us to even conceive of. At this point, nearly every Fortune 500 company has been affected by this in some way." - Let's not forget the hardware supply chain. Recent vulnerabilities in CPUs I would dub as supply chain-related vulnerabilities as you have to navigate the complex supply chain to get a fix.
- 1. What’s New in the NIST Cybersecurity Framework 2.0
I can't believe NIST CSF is almost 10 years old! The draft v2.0 is now available for review. This article highlights some of the changes, but heck - go find the draft and take a look for yourself.
- 2. The NIST Cybersecurity Framework 2.0
Here - I made it easy for you. Enjoy!
- 3. DARPA, White House launch $20M AI, cybersecurity challenge
Note the connection to DEF CON: "DARPA will host an open competition for AIxCC where up to 20 teams will advance to the semifinals next August at the DEF CON 2024 conference, followed by up to five teams advancing to the finals, according to the agency’s website. In August 2025, three winners will be chosen at DEF CON 2025."
- 4. Fresh Blow to PSNI Security as Second Data Breach Disclosed
Remember the other week we were talking about the legal term, "data breach"? This is an example, and it wasn't even a cyber attack.
- 5. Did the NSA create Bitcoin?
"There’s a small sect of Bitcoiners that believes Satoshi Nakamoto — the creator of Bitcoin — is, in fact, the United States National Security Agency in disguise."
- 6. Bomb threat causes mass evacuation at DEF CON hacking convention
I wasn't actually around for the evacuation, but thanks for the diligence of DEF CON organizers and local authorities.
- 7. Strength in Numbers: NVIDIA and Generative Red Team Challenge Unleash Thousands to Vet Security at DEF CON
Lots of cool stuff at DEF CON this year. Seems like there were a dozen new villages, too.
- 8. For the first time, U.S. government lets hackers break into satellite in space
This was probably the coolest thing that happened at DEF CON last week. Aside from the huge, free pen test that was targeted at the "Sphere".
- 9. Health Data of Millions Impacted by MOVEit Exploit at IBM
Et tu, IBM?
- 1. Is this the next NextGenHacker101?
- 2. This $70 device can spoof an Apple device and trick you into sharing your password
- 3. Android 14 introduces first-of-its-kind cellular connectivity security features
- 4. TunnelCrack: Widespread design flaws in VPN clients
- 5. JTAG ‘Hacking’ the Original Xbox in 2023
- 6. What’s New in the NIST Cybersecurity Framework 2.0
- 7. Discord.io suffers massive data breach, announces closure