Pen Testing As A Service – Seemant Sehgal – PSW #830
Full Audio
View Show IndexSegments
1. Pen Testing As A Service – Seemant Sehgal – PSW #830
The Security Weekly crew and special guest Seemant Sehgal explore what PTaaS involves, how it differs from traditional penetration testing, and why it's becoming a crucial service for companies of all sizes to protect their digital assets. We'll discuss the how PTaaS is using the latest technologies (e.g machine learning), the benefits of having a third-party service, and real-world scenarios where PTaaS has successfully thwarted potential security breaches. PTaaS can be a game-changer in enhancing your organization’s security posture!
This segment is sponsored by Breachlock. Visit https://securityweekly.com/breachlock to learn more about them!
Announcements
Dive into cybersecurity with CyberRisk Alliance for exclusive insights from RSA Conference 2024. Explore executive interviews with industry leaders, uncovering visionary perspectives on threats and strategies. Delve into curated articles on trends and innovations, equipping yourself with essential knowledge for today's cyber landscape. Visit securityweekly.com/RSAC for expert guidance and inspiration in navigating cybersecurity challenges confidently.
Guest
Seemant Sehgal founded BreachLock with two things: 18+ years of experience in the cybersecurity industry and a dream to create a solution that would make cyberspace safer. As the former Head of Cybersecurity at ING Bank who held a multi-million-dollar cybersecurity budget, he dealt with the pain of traditional pentesting approaches falling short of what modern businesses today need for a strong security posture. A go-getter by nature, Seemant was motivated to solve these pain-points for people walking the same shoes, and he went on to create the world’s first, full-stack Penetration Testing solution with a strong company culture that has helped BreachLock gain momentum and scale rapidly.
Hosts
2. Exploits Make You More Secure – PSW #830
An exploit that makes you more secure, pardon the interruption, water heater company in hot water, IoT devices are vulnerable, Squeege and RDP scraping, free laundry for everyone!, Wifi routers and Apple Air tags, North Koreans fill US IT positions, taking out drones, the NVD backlog, IBM is no longer a security company?, and DNSBombs!
Announcements
Get ready for an electrifying experience at the 15th annual Identiverse! Join 3,000+ identity professionals at the ARIA Resort & Casino in Vegas on May 28-31, 2024, for 4 days packed with dynamic learning & collaboration. Don't miss out on keynote speakers including Denee Defiore, CSIO of United Airlines; Tucker Bryant, Entrepreneur and Former Googler; George Roberts, Director of Identity and Access Engineering at McDonald's and many more!
As a community member, receive 25% off your Identiverse 2024 tickets using code IDV24-SW25!
Register today: securityweekly.com/idv2024
Hosts
- 1. GitHub – aliask/dinkleberry: Patch your D-Link device affected by CVE-2024-3272
This is one of my favorite things I've found on the Internet in quite some time. I just love everything about this:
- It uses an exploit to patch a vulnerability that has no patch from the vendor
- The name is amazing
- The description and disclaimer is on point and funny
- References to code that is so insecure it needs to be re-written
- I have not dug in to see if both vulnerabilities are remediated, or just the system() call (also has hardcoded creds)
- 2. Pardon the Interruption… A Brief History of Interrupts
This is a great nerdy read!
- 3. How I upgraded my water heater and discovered how bad smart home security can be
Great read, and I wish I had smart controls for my own water heater at home (but also kind of glad that I don't given the vulnerabilities that were present). Also, I believe its code where I live that a hardware-based temp regulator be installed that prevents water hotter than 120 F from coming out, at least that's how my system is setup.
- 4. Millions of IoT Devices Vulnerable After Researchers Uncover Flaws in ThroughTek Kalay Platform
This is a supply chain security nightmare example.
- 5. Introducing Squeegee: The Microsoft Windows RDP Scraping Utility – Black Hills Information Security
This is a great technique (and I see many tools and techniques each week, this one is a home run): "Bloodhound session data isn’t as reliable as it used to be, and, in modern Windows environments, session enumeration tends to get caught. What about cataloging users with active RDP sessions? Squeegee can help in both of these situations. The first step is to collect RDP screen captures using a tool like NCC Group’s scrying. Once you have the RDP screen captures, you can process the entire group of results using Squeegee by just pointing the tool at the correct folder."
- 6. QNAP QTS – QNAPping At The Wheel (CVE-2024-27130 and friends)
- 7. Ripple Issues Urgent Warning on Quantum Computing’s Threat to Blockchain Security and Encryption
- 8. Two students uncovered a flaw that allows to use laundry machines for free
Free laundry for all: "CSC quietly wiped out the researchers’ account balance of several million dollars after they reported their findings, but the researchers said the bug remains unfixed and it’s still possible for users to “freely” give themselves any amount of money." - The researchers added $1 million dollars to their account, and the company's response was to just wipe out their funds. That's not all, you don't need funds in your account to activate the washer (or dryer for that matter) as the API has vulnerabilities, which are not fixed despite going through US CERT.
- 9. You Can Now Jailbreak A PS4 With An LG TV
Creative: "Once installed, you just need to hook up your PS4 to the TV via the Ethernet port. Then, with the exploit running on the TV, telling the PS4 to set up the LAN via PPPoE will be enough to complete the jailbreak."
- 10. Patch Diffing CVE-2024-3400 from a Palo Alto NGFW Marketplace AMI
- 11. Offensive IoT for Red Team Implants (Part 2) – Black Hills Information Security
- 12. Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach
- 13. Ebury is alive but unseen
- 1. Multiple vulnerabilities in RIOT OS – hn security
- 2. Are you being tracked? What new privacy features from Apple and Google can (and can’t) tell you
- 3. New Windows 11 features strengthen security to address evolving cyberthreat landscape
- 4. Why Your Wi-Fi Router Doubles as an Apple AirTag – Krebs on Security
- 5. How I upgraded my water heater and discovered how bad smart home security can be
- 6. Severe Vulnerabilities in Cinterion Cellular Modems Pose Risks to Various Industries
- 1. 2.4 Million Impacted by WebTPA Data Breach
Texas-based WebTPA Employer Services says that a cybersecurity incident has compromised personal information of more than 2.4 million individuals. WebTPA is a third-party administrator for health insurance and benefits plans. WebTPA discovered the incident in late December. The compromised data include contact information, dates of birth, insurance information and Social Security numbers.
The investigation showed the data was exfiltrated in April 2023, but the attack was not discovered until December, and customer notifications just started this April. While healthcare breaches continue to be a challenge, indications are that there will be numerous lawsuits designed to force the industry to raise the bar on protecting healthcare data. Don’t wait for the lawsuit to make sure your house is in order, leverage your ISAC or CISA resources to make sure that you’re on top of things, don’t wait for that demand to report to the board or comment to the media on your incident.
- 2. 2 D-Link router bugs added to CISA’s exploited vulnerabilities catalog
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a pair of vulnerabilities affecting end-of-life D-Link routers to their Known Exploited Vulnerabilities (KEV) catalog. One of the flaws (CVE-2014-100005) is a cross-site request forgery issue affecting D-Link DIR-600 routers; the other (CVE-2021-40655) in an information disclosure issue affecting D-Link DIR-605 routers. The vulnerabilities have been exploited in the wild. CISA advises that the vulnerable equipment be retired or replaced.
The KEV lists a remediation date of 6/10/24, whereby agencies are expected to either discontinue use of or secure the affected products. In this case these are EOL devices, the right move is to replace them. Even if you’re not bound by the KEV, you still need to replace these if you have any.
Alternately consider Paul's Dinkleberry story above.
- 3. Linguistic Lumberjack: Attacking Cloud Services via Logging Endpoints (Fluent Bit – CVE-2024-4323)
A memory corruption vulnerability in the Fluent Bit logging utility could be exploited to create denial-of-service conditions, allow information disclosure, and possibly allow remote code execution according to a report from Tenable. Fluent Bity has been downloaded billions of times. The vulnerability affects versions 2.0.7 through 3.0.3, and has been fixed in Fluent Bit version 3.0.4.
If you’re using Fluent Bit, make sure you’ve updated to 3.0.4. The harder question will be asking your cloud providers if they are and which version is in place. If you’re referencing a provided SBOM, make sure that it is both current and that you’re checking the Vulnerability-Exploitability eXchange (VEX) data for applicability of vulnerabilities.
- 4. MediSecure Data Breach Impacts Patient and Healthcare Provider Information
Australian digital prescription services company MediSecure has disclosed a ransomware attack that compromised patient data through November 2023. Once MediSecure became aware of the incident, they took their website offline. The incident appears to have originated through a third-party vendor. MediSecure was one of two companies that provided digital prescription services through Australia’s public digital health network until last November.
Of note here is that MediSecure’s contract with Australia’s health network was awarded to another provider last May, and the transition completed in November. It appears customer data was still available in their systems.
- 5. More than 70% of surveyed water systems failed to meet EPA cyber standards
A US Environmental Protection Agency (EPA) Enforcement Alert provides information for community water systems (CWSs) to help them comply with Safe Drinking Water Act (SDWA) Section 1433, which requires most CWSs to conduct Risk and Resilience Assessments (RRAs), develop Emergency Response Plans (ERPs) and certify their completion to EPA. According to the Enforcement Alert, 70 percent of CWSs EPA has inspected since September 2023 did not meet all of the SDWA Section 1433 requirements.
While the 1433 section only applies to systems with over 3300 users, it’s still a good idea to have your arms around where your risks are and what you can do to keep from being a victim. Regardless of size, leverage the Water ISAC resources. - https://waqterisac.org. Membership is based on customer base, starting at $105/year, and even has a 60 day trial so you can see if it is a fit. Given that critical infrastructure like this is a constant target, opting out or ignoring your security posture really isn’t an option.
- 6. Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal
Researchers at Check Point have detected a design flaw in the Foxit PDF Reader that can be exploited to deliver malware. The flaw is being actively exploited by multiple threat actors to deliver a range of malware including Agent Tesla, AsyncRAT, DCRat, and XWorm. The issue does not affect Adobe Acrobat Reader.
Foxit positions themselves as more affordable drop-in replacement for Acrobat. This attack relies on social engineering, prompting the user to enable/allow behavior which may seem innocuous, but in totality allows for the malware to be installed and executed. The root cause is in how Foxit is designed rather than a coding error. Even so, educating users on how to handle the unexpected prompts for privilege or command execution, similar to your existing social engineering preventative training, are your current best mitigations.
- 7. When Online Content Disappears
According to a report from the Pew Research Center, 25 percent of web pages that existed between 2013 and 2023 were not accessible as of October 2023. Most of the instances of what Pew researchers are calling digital decay, are due to pages being removed from websites that are still functioning. The study looked at government and news websites and social media posts. Local government websites had the highest inci9dence of broken links.
This is an interesting observation. If you own a site, you control the lifecycle and have the say on what is left vs archived/deleted. The question is what is the obligation to sites referencing that content? How far should sites go to maintain continuity/pointers to the most current versions? This is something you should discuss and document at your shop. Having a consistent approach which is written down is more important than the decision you make. Give consideration to publishing that on your site.
- 8. ARRL Systems Service Disruption
The American Radio Relay League (ARRL) has disclosed a cybersecurity incident that affected some of their services, including the Logbook of The World® and the ARRL Learning Center. (ARRL is the National Association for Amateur Radio.) The organization does not store payment card information and does not collect Social Security numbers. Their membership database contains publicly available information, including names, addresses, call signs, and email preferences.
ARRL is saying they don’t believe the member database is affected. And while the information is public, much is available from the FCC, that database represents an authoritative connection of that information to the member. If you’re an ARRL member, be on the watch for phishing emails leveraging your information.
- 9. Financial institutions have 30 days to disclose breaches under new rules
On May 15, 2024, the US Securities and Exchange Commission (SEC) has adopted changes to their Regulation S-P, which requires financial organizations “to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” The amendments require certain financial institutions to report breaches within 30 days of detection.
Expeditious reporting may not be on your radar when you’re focused on detection and reducing dwell times. Make sure that you’re partnering with folks like your CFO who are tracking SEC requirements so you can work together to meet them.
- 1. Congratulations to the Top MSRC 2024 Q1 Security Researchers!
- 2. New Attack Against Self-Driving Car AI – Schneier on Security
- 3. Black Basta ransomware group is imperiling critical infrastructure, groups warn
- 4. Raspberry Pi Launches the M.2 HAT+, Improves NVMe Boot Support in the Raspberry Pi 5 Firmware
- 5. CVE-2024-1661 – OpenCVE
- 6. New capabilities to help you secure your AI transformation
- 7. Kaspersky Anti-Ransomware Day report 2024
- 8. AI raises CIO cyber anxieties
- 9. The Windows Registry Adventure #2: A brief history of the feature
- 10. apple-releases-ios-175-macos-145-and-other-updates-new-ipads-launch
- 11. Cybersecurity Expert Jailed For Hacking 400K Smart Homes, Selling Videos
- 12. CVE-2023-50718 – GitHub Advisory Database
- 13. Citrix warns customers to update PuTTY version installed on their XenCenter system manually
- 14. Cinterion Modem Vulnerabilities Leave IoT and Industrial Networks Exposed
- 15. Verizon’s 2024 DBIR Report – Mapping Mitre Att&CK tactics and techniques to Incident Classification Patterns
- 1. Arizona woman accused of helping North Koreans get remote IT jobs at 300 companies
She compromised the identities of more than 60 people living in the US and used their personal information to get North Koreans IT jobs across more than 300 US companies. She operated a "laptop farm"; the laptops were issued by the employers. By using proxies and VPNs, the overseas workers appeared to be connecting from US-based IP addresses.
- 2. Hives For U.S. Drone Swarms Ready To Deploy This Year
The Hive Expedition weighs 400 pounds and can operate twelve or more drones depending on their size. The Hive XL is a 13,000-pound trailer which can house and deploy up to 80 drones. Both types of Hive allow a single operator to control the entire fleet via a simple tablet interface, and they remove the need for any physical drone handling. According to Sentien, an operator can drive a Hive to a location and have a pop-up security system running in five minutes.
- 3. China Builds World’s First Dedicated Drone Carrier
The design is smaller than regular aircraft carriers, with a flight deck approximately one third the length and half the width of a super carrier. The flight deck is wide enough to comfortably operate aircraft or drones with a wingspan of around 20 meters (65 feet) such as Chinese equivalents of the Predator drone.
- 4. Britain says it is developing a radio-wave weapon that can take out a swarm of drones for just $0.12 a shot
The Radio Frequency Directed Energy Weapon, or RFDEW, uses radio waves to detect, track, and disable electronic components at a range of up to 1000 meters. "The war in Ukraine has shown us the importance of deploying uncrewed systems, but we must be able to defend against them too"
- 5. Last summer was the hottest in 2,000 years. Here’s how we know.
Researchers rely on tree rings, glaciers, and fossil records to put our current climate in context.
- 6. I’ve been testing OpenAI’s new ChatGPT-4o Mac app — this is a game changer
I gave it a screenshot of a game of Pong and asked it to help me find a way to play the game. Within about 30 seconds it generated all the necessary code for a fully functional game of Pong and instructions on how to run that code. It worked perfectly so I tried it with Breakout, the block-breaking game, and it created a perfect replica of that classic as well. It even created a version of Space Invaders and so I’ve put all three on GitHub. It struggled with Asteroids but got it right after I shared the error code.
- 7. ChatGPT 4o vs Gemini 1.5 Pro: It’s Not Even Close
ChatGPT 4o performs much better than Gemini 1.5 Pro in a variety of tasks including reasoning, code generation, multimodal understanding, and more. In one of my tests, ChatGPT 4o created a Python game within seconds, but Gemini 1.5 Pro failed to generate the correct code.
- 8. Backlogs at National Vulnerability Database prompt action from NIST and CISA
Backlogs at the NVD have reached crisis proportions, prompting federal agencies to seek help from the private sector. It appears that the NVD has completely given up on adding CPE-matches to CVEs since sometime around February 15. A big contributor to the NVD backlog is the flood of vulnerabilities reported to the repository — more than 100 per day in 2024. There were more than 4,000 critical severity vulnerabilities reported in 2022, up more than 59% over the previous year.
- 9. CISOs Grapple With IBM’s Unexpected Cybersecurity Software Exit
BM has agreed to sell the QRadar SaaS portfolio to Palo Alto Networks. IBM's QRadar is the third largest next-generation SIEM provider based on revenue, behind Microsoft and Splunk. "For IBM to then turn around and sell QRadar to Palo Alto Networks, seemingly with little to no warning for customers, is shocking and frankly not in line with the customer-centric ethos IBM is known for. I would imagine there are many confused and frustrated QRadar customers [now] looking for answers."
- 10. Nikesh Arora on Why Palo Alto Networks Is Buying IBM QRadar
QRadar SaaS SIEM Customers Will Be Migrated to XSIAM. The "much larger prize" is QRadar's on premise customer base, and IBM has incentive to encourage those customers to migrate to Palo Alto Networks' cloud-based offering.
- 11. Linguistic Lumberjack: Attacking Cloud Services via Logging Endpoints (Fluent Bit – CVE-2024-4323)
Fluent Bit is a logging utility heavily used by all major cloud providers. This heap buffer overflow allows DoS attacks and possibly RCE under some circumstances. A patched version is available.
- 12. New Windows 11 features strengthen security to address evolving cyberthreat landscape
Secured-core PCs provide advanced firmware safeguards and dynamic root-of-trust measurement to help protect from chip to cloud, using a Microsoft Pluton security processor. Pluton is a chip-to-cloud security technology. NTLM will be deprecated in the second half of 2024. Smart App Control uses AI to decide whether an app is safe.
- 13. New Windows AI feature records everything you’ve done on your PC
Recall uses AI features "to take images of your active screen every few seconds." Someone with access to your Windows account could potentially use Recall to see everything you've been doing recently on your PC, which might extend beyond the embarrassing implications of pornography viewing and actually threaten the lives of journalists or perceived enemies of the state.
- 14. Copilot+ Recall has been enabled by default globally in Microsoft Intune managed users, for businesses.
You need to enable DisableAIDataAnalysis to switch it off. Why is this a feature at all, and why is it enabled by default? Every security expert is saying Microsoft has lost its mind.
- 15. Windows 11 UAC Bypass in Modern Malware
Modern techniques used by malware: Exploitation of COM interfaces with the Auto-Elevate property Modification of the ms-settings registry branch Infinite UAC Prompt Loop (social engineering)
- 16. Advanced AI evaluations at AISI: May update
Four unidentified LLMs were tested, finding that they can solve high-school level CTF problems, but not college-level ones, and that they are all still vulnerable to prompt injection jailbreaks. Several very good charts present the results.
- 17. DNSBomb
DNSBomb is a new practical and powerful pulsing DoS attack. It exploits multiple widely-implemented DNS mechanisms to accumulate DNS queries that are sent at a low rate, amplify queries into large-sized responses, and concentrate all DNS responses into a short, high-volume periodic pulsing burst to simultaneously overwhelm target systems. Through an extensive evaluation on 10 mainstream DNS software, 46 public DNS services, and around 1.8M open DNS resolvers, we demonstrate all DNS resolvers could be exploited.
- 18. On self-driving, Waymo is playing chess while Tesla plays checkers
Tesla's cars are fully autonomous, but make errors, requiring a human driver. But Google's Waymo cars have remote human operators to handle situations too complex for the onboard AI systems, which seems to be working out far better than the Tesla system.
- 19. Research finds electric cars are silent but violent for pedestrians
Pedestrians are three times as likely to be injured by an electric or hybrid (E-HE) car than by one with an internal combustion engine (ICE) in cities and towns.
- 20. Why Your Wi-Fi Router Doubles as an Apple AirTag
Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates. But Apple’s API will return the geolocations of up to 400 more BSSIDs that are nearby the one requested. Researchers spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random. They found that by geofencing active conflict zones in Ukraine, they were able to determine the location and movement of Starlink devices used by both Ukrainian and Russian forces.
- 21. Securing Git: Addressing 5 new vulnerabilities
A "git clone" operation on Windows can execute arbitrary code included in a malicious Git repository. Patches are now available.