Memory Safety, Re-Writing Software, and OSS Supply Chains – Omkhar Arasaratnam – PSW #820
1. Memory Safety, Re-Writing Software, and OSS Supply Chains – Omkhar Arasaratnam – PSW #820
Omkhar Arasaratnam is the General Manager of the Open Source Software Foundation (OpenSSF) and appears on the show to discuss memory safety, why re-writing software isn't always the best option, open-source software supply chains, and more!
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
Guest
Omkhar Arasaratnam is the General Manager of the Open Source Software Foundation (OpenSSF). He is an experienced cybersecurity and technical risk management executive with over 20 years of experience leading global cybersecurity projects. Omkhar leads organizations to realize their business goals while effectively managing cybersecurity risk and compliance requirements. Previously, he was the Director of Engineering for Regulated Cloud at Google. He has also previously led security organizations at financial and technology institutions, such as JPMorgan Chase, Credit Suisse, Deutsche Bank, TD Bank Group, and IBM. As a seasoned technology leader, he has revolutionized the effectiveness of secure software engineering, compliance, and cybersecurity controls. He is an accomplished author with several granted patents and has led contributions to many international standards. Omkhar is also a member of the NYU Cyber Fellow Advisory Council and a Senior Fellow with the NYU Center for Cybersecurity.
2. Printers Are “Not Nice” – PSW #820
In the security news: end-of-life routers and exploits, SCCM misconfigurations lead to compromise, apparently you can hack anything with a Flipper Zero, do source code leaks matter?, visibility is important, printer vulnerabilities that no one cares about, friendship gets you firmware, lock hacking continues, VM escapes and risk, and multiple really cool Bluetooth hacking stories.
Announcements
Dive deeper into the world of cybersecurity with Security Weekly on Instagram! Follow us @SecWeekly to find exclusive clips, hilarious memes, behind-the-scenes sneak peeks, and more! Stay connected, stay informed, and join our growing community!
- 1. Chipmaker Patch Tuesday: Intel, AMD Address New Microarchitectural Vulnerabilities
- 2. Major CPU, Software Vendors Impacted by New GhostRace Attack
- 3. GhostRace – vusec
- 4. No More Patches: D-Link DIR-822 Vulnerable to Remote Takeovers (CVE-2024-25331)
I've noticed a couple of these vulnerabilities (and exploits) for unsupported D-Link routers. D-Link won't update them and I bet many are not replacing them with newer models. More fuel for Mirai-inspired botnets?
- 5. ICS Patch Tuesday: Siemens Ruggedcom Devices Impacted by 45 Fortinet Vulnerabilities
- 6. Exploited Building Access System Vulnerability Patched 5 Years After Disclosure
- 7. Researchers expose Microsoft SCCM misconfigs usable in cyberattacks
I think this project is really cool because not only are they highlighting problems, but they created a database to help people fix misconfigured SCCM implementations. I really like this one: https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-1/cred-1_description.md - It deals with PXE and attackers that can basically pull an image and dump the creds (e.g. "Attackers may recover domain credentials from this process, the difficulty of which is a direct function of the complexity of the password set on the PXE media file. If a weak password is set, cracking the password is relatively computationally "easy," depending on the hardware.")
- 8. Security Researchers Use a Flipper Zero to “Steal” a Tesla Model 3, Fanning the Flames of Ban Plans
OMG, just stop. We know, the Flipper Zero can hack everything (according to the charlatans), but so can a laptop, phone, microcontrollers, Raspberry Pis, etc...
- 9. oss-sec: 5 CVEs fixed in Go 1.22.1 and Go 1.21.8, 1 CVE fixed in google.golang.org/protobuf
- 10. Multiple vulnerabilities in RT-Thread RTOS – hn security
- 11. Motherboard Revived With Simplest 1.8V SPI Shifter Ever
- 12. Out of the kernel, into the tokens
- 13. Does Confluence Dream of Shells? – Blog – VulnCheck
- 14. Microsoft confirms Russian spies stole source code
Does it matter if the Windows source code is leaked? The Linux kernel is open-source. What exactly does an attacker gain? This Daily Dave post touches on it: https://seclists.org/dailydave/2024/q1/6
- 15. Vulnerabilities in Popular Fonts Allow XXE & Arbitrary Command Attacks
- 16. Badgerboard: A PLC backplane network visibility module
Amazing technical write-up; if nothing else, save this, as it could be a reference that will help you with a project in the future. One interesting note came in on the last sentence: "PLC vendors have both the capability and the product expertise to create products that accomplish what Badgerboard set out to do; they just need to be pushed by their customers." - So much yes. We want visibility, not magic boxes where we have to 100% trust the vendor, because we don't (or at least we shouldn't).
- 17. Canon Printers: Critical CVE-2024-2184 (CVSS 9.8) Flaw Requires Immediate Firmware Update
There is a vulnerability in a printer, it's critical, and no one cares. Moving along.
- 18. GreyNoise Labs – Hunting for Fortinet CVE-2024-21762: Vulnerability Research for Detection Engineering
"Knowing both the affected and patched versions is going to mean a patch diff, but with Fortinet being proprietary software, finding these versions and decrypting them is going to be the first battle… which I was lucky enough to bypass via the power of friendship. However, when friendship is lacking one may also be able to get lucky and find the files they need on Grayhat Warfare (less luck needed with a subscription), and then get a nice start on decrypting them with this Bishop Fox writeup." - I've been down this road; it's fun (and frustrating).
- 19. Trapper trapped! A CSV injection twist in Canarytokens.org
Pretty neat attack: "This payload executes the calculator application (calc) on a Windows system through command injection, while also performing a simple arithmetic operation (10+20). When the canary token owner downloads the logs as a CSV file and opens it on a Windows machine, it results in the execution of the payload (opening the calculator app in this case)." Of course, the Thinkst team fixed it!
- 20. Say Friend and Enter: Digitally lockpicking an advanced smart lock (Part 1: functional analysis)
More digital locks are under attack. Tons of details here. It's neat to see researchers going after locks. I don't believe we as a society will greatly benefit from this research; however, there are some amazing tips and tricks that we can apply to other devices.
- 21. Living off the land with native SSH and split tunnelling
This is valid: "Starting with Windows 10 version 1809 (released in October 2018), Microsoft introduced a native SSH client to Windows, which allows users to connect to SSH servers directly from the Windows command prompt or PowerShell. This SSH client is a port of OpenSSH. Ever since we’ve seen that many of our clients have this optional feature enabled by default." - Also, I believe an attacker could easily install SSH (provided they have admin rights) on Windows and use it for all sorts of LOL activities.
- 22. VMware sandbox escape bugs are so critical, patches are released for end-of-life products
We also have one from Microsoft: https://duo.com/decipher/microsoft-fixes-critical-windows-hyper-v-flaws. The vulnerabilities are similar in that an attacker has to compromise a guest, and then escape to the host. The thing I keep hearing is just that: somehow downplaying the risk because an attacker needs to be on a guest. Look, it's not the '90s or 2000s any longer; unauthenticated remote code execution vulnerabilities are not as common. The threats we have to look out for occur once an attacker gains control of something in our environments. We have to build our security programs with this in mind: there is already an attacker in our network.
- 1. SBOMing a Substation
- 2. National Vulnerability Database: Opaque changes and unanswered questions
- 3. QNAP fixed 3 flaws in its NAS devices, including an auth bypass
- 4. Docker containers under attack — ShadowStackRE
- 5. Further Adventures in Fortinet Decryption
- 6. GreyNoise Labs – RattaGATTa: Scalable Bluetooth Low-Energy Survey
- 7. Kali NetHunter now supports Bad Bluetooth HID attacks to inject keystrokes wirelessly
- 8. ronibandini/reggaetonBeGone: Detects reggaeton genre with Machine Learning and sends packets to disable BT speakers (hopefully)
- 1. Under New Management
Checks your installed Chrome extensions to see if the developer information listed on the Chrome Web Store has changed. If anything is different, the extension icon will display a red badge, alerting you to the change.
- 2. VMware sandbox escape bugs are so critical, patches are released for end-of-life products
VMware is urging customers to patch critical vulnerabilities that make it possible for hackers to break out of sandbox and hypervisor protections in all versions, including out-of-support ones, of VMware ESXi, Workstation, Fusion, and Cloud Foundation products.
- 3. Cyber Pros Turn to Cybercrime as Salaries Stagnate
Researchers enlisted the help of a former police officer and covert operative to analyze dark web forum job adverts from June to December 2023. "Our analysis shows that highly skilled individuals are turning to cybercrime. And given the number of people projected to leave the industry, many of those will be desperate enough to seek work in an area that promises large rewards for their already-existing skills and knowledge."
- 4. OpenAI Hits Back at Elon Musk’s Lawsuit by Publishing His Emails
It turns out that Elon was not motivated by a high-minded desire to save humanity from an AI apocalypse. Instead, he demanded control of OpenAI and pulled his funding to pressure them into handing control to him. But other investors provided money and his scheme failed.
- 5. Infographic shows who publicly discloses exploited vulnerabilities first
Shadowserver and CISA are the top two, followed by Google, Microsoft, and Palo Alto.
- 6. How Microsoft’s Bing Helps Maintain Beijing’s Great Firewall
The company’s search engine does good business in China, a market Google and Facebook abandoned years ago. Bill Gates has long advocated working closely with China to encourage innovation in health and science—and has dismissed concerns about censorship and the country’s influence on technology.
- 7. Automakers Are Sharing Consumers’ Driving Behavior With Insurance Companies
LexisNexis, which generates consumer risk profiles for the insurers, knew about every trip G.M. drivers had taken in their cars, including when they sped, braked too hard or accelerated rapidly. Drivers feel betrayed. “They’re taking information that I didn’t realize was going to be shared and screwing with our insurance.”
- 8. Secret Backdoor Codes in Safe Locks
Two of the biggest manufacturers of locks used in commercial safes have been accused of essentially putting backdoors in at least some of their products in a new letter by Senator Ron Wyden.