PK Fail – John Loucaides – PSW #837
Full Audio
View Show IndexSegments
1. PK Fail – John Loucaides – PSW #837
John is one of the foremost experts in UEFI and joins us to talk about PK Fail! What happens when a vendor in the supply chain accidentally loses a key? It's one of the things that keeps me up at night. Well, now my nightmare scenario has come true as a key has been leaked. Learn how and why and what you can do about it in this segment!
Announcements
You're invited to InfoSec World 2024 at Disney’s Coronado Springs Resort in Lake Buena Vista, FL, from September 23-25. Join top cybersecurity experts for this premier event! Save 25% on your pass by using code ISW24-SW25 when you register at securityweekly.com/infosecworld2024. Don’t miss out on this exclusive opportunity!
Guest
John has extensive history in hardware and firmware threats from experience at Intel and the United States government. At Intel he served as the Director of Advanced Threat Research, Platform Armoring and Resiliency, PSIRT, and was a CHIPSEC maintainer. Prior to this, he was Technical Team Lead for Specialized Platforms for the US government.
Hosts
2. It’s Always DNS – PSW #837
Hacking traffic lights (for real this time), the Docker API strikes again, access Github deleted data, using EDR to elevate privileges on Windows, computers I need in my life, failed experiments and Raspberry PI access points, sitting ducks and TuDoor - its always DNS times 2, null sessions and a blast from the past, chaining UEFI vulnerabilities, pirates exposed, revoking SSL certificates, and using AI to analyze your brain: Multimodal Automated Interpretability Agent!
Guest
John has extensive history in hardware and firmware threats from experience at Intel and the United States government. At Intel he served as the Director of Advanced Threat Research, Platform Armoring and Resiliency, PSIRT, and was a CHIPSEC maintainer. Prior to this, he was Technical Team Lead for Specialized Platforms for the US government.
Hosts
- 1. Critical Vulnerability in VoWiFi Implementations Exposes Millions to Eavesdropping and Fraud
- 2. Give Me the Green Light Part 2: Dirty Little Secrets — Red Threat
This is fascinating: "In this series of blog posts I’ll be discussing my finding dealing with traffic controllers and other traffic systems. I had hoped to present the information at DefCon but my CFP wasn’t accepted. This multi-part series will start with my attempt at responsible disclosure, finding vulnerabilities in traffic controllers, sourcing hardware and getting it running in a lab, and just how broken and behind the technology curve the traffic industry is. " - We covered this a while back, this is the same researcher that got a nasty letter from the legal department. Now we know he was hacking traffic controllers. And now he is publishing a blog post series with all the gory details (like Telnet, SNMP, etc...). I think this would have been a great Defcon talk!
- 3. Critical Docker vuln lays undetected for 5 years
Just when you think you've fixed it, it comes back: "Now tracked as CVE-2024-41110, the privilege escalation bug was originally discovered in 2018 and patched in January 2019's version 18.09.1. However, the fix wasn't carried over in the following updates, meaning versions from 19.03 and newer remained vulnerable." - Also, so many exploits, or just simple bypasses, exist for the Docker native API. Just disable it if you are not using it as it opens up more attack surface, and is very dangerous as it gives attackers access to all the containers.
- 4. Anyone can Access Deleted and Private Repository Data on GitHub
Super interesting, so many things could be archived on Git (such as the private key that corresponds to the PK from AMI. In case you were wondering, no I could not find it, but yet I did look for a bit LOL).
- 5. Fwupd Linux Firmware Updater Adds Unofficial Support for Raspberry Pi 5 – 9to5Linux
Support for two things in my life: Framework SD and Raspberry Pi 5 (unofficial).
- 6. Zero Day Initiative — Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 2
This is testing that must be done: "Due to paywalls and other obstacles, several vendors and products on the market remain untested and may be vulnerable to the weaknesses we are about to share. We strongly recommend that defenders evaluate their products for these potential issues. Additionally, we encourage vendors who do not currently offer free trials to consider making them available, enabling researchers to conduct this type of research." - Bypasses and LPEs exist for EDR and AV, if they didn't, everyone would just run one and be completely immune to malware and ransomware, which, we are not.
- 7. Radxa X4 Is a Raspberry Pi Sized SBC with Intel N100 Processor and 2.5GbE Ethernet – Electronics-Lab.com
I need this in my life, great price too!
- 8. CVE-2024-41637
/lib/systemd/system/restapi.service has the wrong permssions, allowing the www-data user to modify it and put in commands that allow you to become root. This is an LPE, but only for those who run RaspAP. I did some testing of RaspAP, was not impressed with the stability. I did get it running, finally, but even with a good supported USB dongle with antennas, after a while my connection just dropped. I think there is a reason I use Ubiquiti.
- 9. Ducks Now Sitting (DNS): Internet Infrastructure Insecurity
This is interesting: "A registered domain, or subdomain of a registered domain, uses the authoritative DNS services of a different provider than the domain registrar; this is called name server delegation. A domain is registered with one authoritative DNS provider, and either the domain or a subdomain is configured to use a different DNS provider for authoritative name service. The name server delegation is lame, meaning that the authoritative name server does not have information about the domain and therefore can not resolve queries or subdomains. The DNS provider is exploitable, meaning that the attacker can claim ownership of the domain at the delegated authoritative DNS provider while not having access to the valid owner’s account at the domain registrar." Also a good summary: "Sitting Ducks combines a lame delegation with a vulnerable DNS provider that fails to properly validate that the account holder who claims a domain actually controls it. If you point DNS for your domain to a service, you need to be sure that your account on that service (and only accounts you authorized) claims the domain."
- 10. Malware Exploiting IoT Devices on the Rise, SonicWall Warns
"In the first half of 2024, attacks on IoT devices increased by 107%. On average, these devices were under attack for 52.8 hours. The primary reason for this vulnerability is the low level of security in IoT devices, making them easy targets for cybercriminals."
- 11. How to Make Adversaries Cry: Part 1
" In this blog post series, we’ll delve into high-level security controls within Active Directory that can make an adversary cry tears of frustration when attempting to establish their initial foothold. The areas covered in this blog post are SMB null sessions, username enumeration, password spraying, and abusing NTLM authentication." Funny, I wrote an article on Null Sessions in 2002: https://web.archive.org/web/20080515182640/http://www.brown.edu/Facilities/CIS/CIRT/help/netbiosnull.html - And yet here we are... However, I believe there are reasons why this is still enabled on DCs today for backward compatibility. This fix seems easy though, from the Guidepoint article: "To remediate this misconfiguration, remove the “Everyone” and/or “Anonymous Logon” special identity groups from the Pre-Windows 2000 Compatible Access group."
- 12. Insyde Security Advisory 2023040
" A vulnerability in the module that could allow an attacker to modify UEFI variables." - Curious if this could bypass the UEFI variable permissions, allowing an attacker to modify variables from the OS (rather than through the BIOS screen when physically present at the machine). When coupled with this: https://eclypsium.com/blog/ueficanhazbufferoverflow-widespread-impact-from-vulnerability-in-popular-pc-and-server-firmware/ - Could allow attackers to chain exploits together to compromise UEFI.
- 1. Data breach exposes US spyware maker behind Windows, Mac, Android and Chromebook malware
The Minnesota-based Spytech snooped on thousands of devices before it was hacked. The data shows that Spytech’s spyware — Realtime-Spy and SpyAgent, among others — has been used to compromise more than 10,000 devices since the earliest-dated leaked records from 2013, including Android devices, Chromebooks, Macs, and Windows PCs worldwide.
- 2. Biggest-ever leak of digital pirates: 10 million exposed by Z-Library copycat
Ten million people thought they were accessing an e-book piracy site called Z-Library. Instead, scammers collected their personal information, passwords, crypto addresses, and, possibly, payments. What’s worse, they leaked all their information, exposing users to other cybercriminals and authorities.
- 3. New DNS attack impacts a quarter of all open DNS resolvers
Named TuDoor, the attack uses malformed DNS packets to trigger logic errors inside DNS software. The attack specifically targets the part of the DNS resolver that prepares DNS responses for user queries.
Academics say they can use a quick succession of malformed packets to poison a DNS resolver's cache, cause a denial of service, or increase a server's resource consumption.
So far, patches have been released by Google, Microsoft, Cloudflare, BIND, Knot, AdGuard, and others.
- 4. Non-Google search engines blocked from showing recent Reddit results
Updated robots.txt file hits Bing and others without a Reddit deal.
- 5. Goodbye? Attackers Can Bypass ‘Windows Hello’ Strong Authentication
Evilginx adversary-in-the-middle (AitM) reverse-proxy attack framework performs downgrade attacks, allowing threat actors to crack into even biometrically protected PCs and laptops.
- 6. Intent to End OCSP Service–Let’s Encrypt
Today we are announcing our intent to end Online Certificate Status Protocol (OCSP) support in favor of Certificate Revocation Lists (CRLs) as soon as possible. We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet.
- 7. PKfail Secure Boot bypass lets attackers install UEFI malware
Hundreds of UEFI products from 10 vendors are susceptible to compromise due to a critical firmware supply-chain issue known as PKfail, which allows attackers to bypass Secure Boot and install malware.
As the Binarly Research Team found, affected devices use a test Secure Boot "master key"—also known as Platform Key (PK)—generated by American Megatrends International (AMI), which was tagged as "DO NOT TRUST" and that upstream vendors should've replaced with their own securely generated keys.
- 8. FYI: Data from deleted GitHub repos may not actually be deleted
Data from deleted GitHub repositories (public or private) and from deleted copies (forks) of repositories isn't necessarily deleted. This vulnerability is named Cross Fork Object Reference (CFOR). Clearly this is a problem. But it's not so much of a problem that GitHub considers CFOR a legitimate vulnerability. In fact, the Microsoft-owned code-hosting giant considers it a feature, not a bug.
- 9. Apple Intelligence beta lands in iOS 18.1, macOS 15.1 previews
Brave customers with recent Apple hardware can use AI now. The version of Apple Intelligence in the beta doesn't include all of the service's promised features. At launch, Apple detailed ML-based capabilities such as generating, proofreading, rewriting, and summarizing text, text-to-image and text-to-emoji services, and an upgrade for the Siri digital assistant.
- 10. DigiCert mass-revoking TLS certificates due to domain validation bug
One of the methods used to validate domain ownership is to add a string with a random value in the DNS CNAME record on the certificate and then perform a DNS lookup for the domain to ensure the random values match. Per the CABF baseline requirements, a random value should be separated by the domain name with an underscore. This underscore was omitted for 0.4% of domain validations since 2019, so those customers must generate new Certificate Signing Requests (CSR) for their domains.
- 11. MIT researchers advance automated interpretability in AI models
Imagine if we could directly investigate the human brain by manipulating each of its individual neurons to examine their roles in perceiving a particular object. “MAIA” (Multimodal Automated Interpretability Agent) automates a variety of neural network interpretability tasks on AI systems. The automated agent is demonstrated to tackle three key tasks: It labels individual components inside vision models and describes the visual concepts that activate them, it cleans up image classifiers by removing irrelevant features to make them more robust to new situations, and it hunts for hidden biases in AI systems to help uncover potential fairness issues in their outputs.
- 12. How to Build a Quantum Artificial Intelligence Model – With Python Code Examples
Quantum computing can make Machine Learning faster. This hands-on tutorial shows how to use a Variational Quantum Eigensolver (VQE) in Python on a simulated quantum computer to solve a quantum chemistry problem: finding the ground state energy of the Hydrogen molecule H2. This is amazing and wonderful, and solves a problem I wrote my PhD thesis about 40 years ago. The exact solution was way out of sight then.
- 13. From sci-fi to state law: California’s plan to prevent AI catastrophe
Critics say SB-1047, proposed by "AI doomers," could slow innovation and stifle open source AI. Hopefullly his bill won't become law. If it does, all open-source AI models may become impossible to share, because the creators will be liable for all products derived from them.
- 14. Meta’s AI safety system defeated by the space bar
Prompt injection attacks, the machine learning version of command injection, are a serious risk to all Large Language Models, and there is no known way to completely prevent them. Meta's defense is called Prompt-Guard-86M. However, it can be trivially bypassed by adding spaces between the letters of a prompt.
- 15. People are overdosing on off-brand weight-loss drugs, FDA warns
There is enormous demand for the weight-loss drugs Wegovy and Ozempic. But, given the drugs' daunting prices and supply shortages, many patients are turning to imitations—and those don't always come with the same safety guardrails. However, some of these imitations come with unclear instructions so patients take up to 20 times the recommended dose, risking serious health consequences.
- 16. French internet cables cut in act of sabotage that caused outages across country
Fiber optic internet cables across France have been cut in an apparent act of sabotage, resulting in outages across the country. This attack comes just days after arsonists targeted France's national rail network.
- 17. How Infostealers Pillaged the World’s Passwords
Infostealer malware is swiping millions of passwords, cookies, and search histories. It’s a gold mine for hackers—and a disaster for anyone who becomes a target. The malware often finds its way onto people’s machines through downloads of pirated software.
- 18. “EchoSpoofing” — A Massive Phishing Campaign Exploiting Proofpoint’s Email Protection to Dispatch Millions of Perfectly Spoofed Emails
“EchoSpoofing” is a critical in-the-wild exploit of Proofpoint’s email protection service, responsible for securing 87 of the Fortune 100 companies. The critical flaw is that email relays accept emails that claim to come from Microsoft's Office365 without verifying ownership of the originating domain. Proofpoint has updated their systems to stop this attack.