Super Admins, Ancient Language Codes, Great Leakage, & Mirai Vs. Tomcat – PSW #793
In the Security News: Canon shoots out your Wifi password, I want to be Super Admin, you don’t need fancy hacks to bypass air gaps, U.S. Senator attacks Microsoft, Tenable CEO attacks Microsoft, we should all be hopeful despite the challenges in infosec, SEC requires reporting Cyberattacks within 4 days, Mirai attacks Tomcat, scanning a car before stealing it, a little offensive appliance, no Internet access for you and that will solve the problem, Ubuntu blunders, it’s so secure no one can actually use it, and yet another CPU data leak! All that and more on this episode of Paul’s Security Weekly!
Announcements
Join our cybersecurity community on Discord! Connect directly with our expert hosts, join discussions with fellow audience members, and customize your notifications to receive alerts every time an episode of your favorite show publishes. Get your invite at securityweekly.com/discord!
Hosts
- 1. Jenny’s Daily Drivers: FreeBSD 13.2
The daily driver debate continues. It's a balance.
- 2. Canon warns of Wi-Fi security risks when discarding inkjet printers
Okay so your Canon printer may store your Wifi network details (and credentials). I am just failing to see why this is such a big deal. You can change your password. Also, the likelihood of someone using this attack against you is pretty low. Sure they could pretty easily map the SSID back to your location (Wigle?), but then they have to be in physical proximity. Also, you can just change the password too.
- 3. CVE-2023-35078 Exploit POC
- 4. Prefetch: The Little Snitch That Tells on You – TrustedSec
- 5. Another CPU data-leak flaw found. Luckily, it’s impractical
"Unlike similar side-channel attacks like PLATYPUS and Hertzbleed, which require specific knowledge of the cryptographic algorithms running on the victim's machine, Collide+Power is claimed to be a generic attack that works on any modern CPU which allows co-location of attacker and victim data in the same memory cache space." - While slow, some estimates a month to capture a 40-bit key, we could still see this in the wild, though unlikely. I would not be up in arms about it.
- 6. Air-Gapped ICS Systems Targeted by Sophisticated Malware
"The exfiltration of data from air-gapped networks is a common routine for many APTs and targeted cyberespionage campaigns. And, despite the existence of a broad variety of exfiltration methods, in most cases threat actors choose TTPs based on infecting removable media." - No super-fancy exfil such as audio pulses from system fans or flashing HDD LED lights, nope. Just removable media. Because it works.
- 7. Super Admin elevation bug puts 900,000 MikroTik devices at risk
I want to be Super Admin, always: "While exploiting this vulnerability requires an existing admin account, it elevates you to a higher privilege level called "Super Admin." Unlike the admin account, which offers restricted elevated privileges, Super Admin gives full access to the RouteOS operating system. "By escalating to super admin, the attacker can reach a code path that allows them to control the address of a function call," - Then you could, potentially, pull off attacks that persist through reboots, OS upgrades, or even full re-installs of the OS.
- 8. WDAC policy for BYOVD Kernel mode only protection
- 9. Windows RDP Session Hijacking
- 10. Every company has its own version of ChatGPT now
- 11. Tomcat Under Attack: Exploring Mirai Malware and Beyond
- 12. Second Ivanti EPMM Zero-Day Vulnerability Exploited in Targeted Attacks
- 13. The man who won the lottery 14 times
Interesting story (and not new).
- 14. New SEC rule requires public companies to disclose cybersecurity breaches in 4 days
"Technically, the clock doesn’t start ticking on the four-day window for reporting until companies have determined a breach is material." - Yea, the meaning of "material" is a hot topic now, great thoughts here: "But these measures don’t fit every situation. “We have all seen instances where an organization missing forecasts, positively or negatively, impacts earnings per share by pennies, and their stock soars or sinks almost immediately,” he writes. “Calculation of the materiality can be a complex task and requires the use of professional judgment." (Source: https://www.extrahop.com/company/blog/2023/what-constitutes-a-material-security-breach/)
- 15. Exploring Security Commits in Python
"The hidden security fixes pose a threat to the security and privacy of users, since attackers may exploit the undisclosed vulnerabilities to comprise the unpatched software systems." - I believe it is super important for users to know when a fix is security related (or not). The above links to the paper, here is a description of said paper: https://www.theregister.com/2023/07/26/pythonsilentsecurity_fixes/
- 16. Introduction: A Secure Arch Linux Install
Keep in mind there is a lot of maintenance with this method. Also, several techniques for keeping Linux more secure and private means you will have extra work and maintenance to keep things updated. Also, keep in mind when you do more work on your own it may not be that much more secure or private than trusting someone else. Its a balance.
- 17. Multiple Flaws Found in Ninja Forms Plugin Leave 800,000 Sites Vulnerable
- 18. IoT Security: Device and firmware encryption options
- 19. Two New Vulnerabilities Could Affect 40% of Ubuntu Cloud Workloads
Yep, this is the problem: "“Subtle changes in the Linux kernel introduced by Ubuntu many years ago have unforeseen implications,” explains Ami Luttwak, co-founder and CTO at Wiz. “We found two privilege escalation vulnerabilities caused by these changes and who knows how many other vulnerabilities are still lurking in the shadows of the Linux kernel spaghetti?" - And I hate this problem. Everyone thinks they are an expert. Problems get fixed upstream, but then are reversed when downstream maintainers make changes without regression testing. You don't just trust Linux, you trust everyone and anyone who has had a hand in the creation and packaging of the software. The more hands, the more likely issues will crop up.
- 20. Dragon863 – Rooting the Amazon Echo Dot
- 21. The Complete List Of Hacker Video Games
- 22. Google’s new security pilot program will ban employee Internet access
I don't think this works.
- 23. Microsoft…The Truth Is Even Worse Than You Think
Amit takes the gloves off when confronting MS: "What you hear from Microsoft is “just trust us,” but what you get back is very little transparency and a culture of toxic obfuscation. How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors? Microsoft’s track record puts us all at risk. And it’s even worse than we thought." - Do you agree? Also, read this article as well: https://cyberscoop.com/tenable-microsoft-negligence-security-flaw/
- 24. P4wnP1-LTE – “A Little Offensive Appliance”
"I’ve written a couple of blog posts in the past in which I explain how to use Marcus Mengs’ truly excellent P4wnP1. The most common deployment scenario involves a Raspberry Pi Zero W, or possibly a FriendlyArm NanoPi R1S. The downside of these platforms is that you need to be in fairly close physical proximity in order to access the WiFi interface, or even closer to access Bluetooth. The NanoPi R1S can support an LTE modem, to give you much bigger range, but the downside to that is that it looks pretty clunky."
- 1. Statement on the Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
There's no such thing as final.
- 2. US Chamber of Commerce opposes new SEC cybersecurity reporting rule
The U.S. Chamber of Commerce announced its opposition to a new Securities and Exchange Commission rule requiring public companies to annually disclose "material information regarding their cybersecurity risk management, strategy, and governance."
- 3. White House unveils ‘whole of society’ push to expand cybersecurity workforce
A sweeping partnership comprising nine government agencies and more than 200 nonprofits, corporations, colleges and universities will together build an organized “whole of society” approach to expanding the cybersecurity workforce, the Office of the National Cyber Director (ONCD) announced Monday.
- 4. Wyden Requests Federal Agencies Investigate Lax Cybersecurity Practices by Microsoft That Reportedly Enabled Chinese Espionage
U.S. Senator Ron Wyden, D-Ore., today requested the Justice Department, Federal Trade Commission and Cybersecurity and Cyber Safety Review Board investigate whether lax security practices by Microsoft enabled the recent Chinese government hack of multiple U.S. government agencies and high-ranking federal officials.
- 5. Rethinking culture in healthcare cybersecurity strategy
It's not just about "matching wits" with external attackers, but also establishing trust among patients, employees and families....
- 6. Average Healthcare Data Breach Cost Reaches Nearly $11M
The average cost of a healthcare data breach is now $10.93 million, up from $10.10 million in 2022, according to a new report. Healthcare has the highest data breach costs of all industries — breaches are second costliest in the financial sector, where the average cost is $5.9 million.
- 7. Medicare beneficiaries alerted to contractor data breach
A May data breach involving MOVEit Transfer software on Medicare contractor Maximus Federal Services’ corporate network may have exposed an estimated 612,000 Medicare beneficiaries’ personally identifiable information and/or protected health information, the Centers for Medicare & Medicaid Services announced July 28.
- 8. AI reduces data breach lifecycles and costs
Do you think AI wrote this article?
- 9. Strategies for ensuring compliance and security in outdated healthcare IT systems
According to the Cybersecurity and Infrastructure Security Agency (CISA), using improperly maintained legacy software is one of the most dangerous practices for organizations. Hmmmm...
- 10. Top 5 Risk and Compliance Trends for 2023
Cybersecurity remains a critical focus for organizations worldwide. With an ever- evolving threat landscape and increasing sophistication behind cyber attacks, adherence to security regulations and standards is now more important than ever.
- 11. Drata Selected as KnowBe4’s Exclusive GRC Partner and Preferred Compliance Automation Platform for KnowBe4 customers
Drata, a continuous security and compliance automation platform, today announced it has been selected by KnowBe4 as the company's exclusive GRC partner. KnowBe4 is transitioning its KnowBe4 Compliance Manager (KCM) offering to a support-only model and endorses Drata as the preferred offering for migration. Note: I've just started using Drata in the past week. Ask me what I think about it.
- 12. 10 Reasons for Optimism in Cybersecurity
"Another data breach, a new virulent variant of ransomware, burnt out employees, too little money, and too many threats -- the world of cybersecurity can seem grim. While there is no denying the prevalence of these challenges, there is reason to be hopeful." Is there now...
- 1. U.S. Hunts Chinese Malware That Could Disrupt American Military Operations
- 2. Why the California Delete Act Matters
- 3. Retail chain Hot Topic discloses wave of credential-stuffing attacks
- 4. Voyager 2: Nasa picks up ‘heartbeat’ signal after sending wrong command
- 5. SEC requires reporting cyberattacks within 4 days, but not everyone may like it.
- 6. OWASP Top 10 for Large Language Model Applications
- 7. Thieves use tech devices to scan cars before breaking into them
- 8. Canon warns printer users to manually wipe Wi-Fi settings before discarding
- 9. Unpacking the Threats Within: The Hidden Dangers of .zip Domains – Avast Threat Labs
- 10. Best Practices for Enterprise Private 5G Security
- 11. Unpatched Apache Tomcat servers spread Mirai botnet malware
- 12. UK Military Embraces Security by Design