Paul's Security Weekly

Black Hats & White Collars: We know criminal hacking is big business because we've spied on them! Ken comes on the show to talk about chasing and stalking criminals, even if it means sacrificing some of your own personal safety.

Fast cars kill people, Apple 0-Days, memory safety, poisoning the well, babble babble and malware that tries really hard to be stealthy, Palto Alto and Fortinet have some serious new vulnerabilities, open-source isn't free, but neither is commercial software, get on the TPM bus, find URLs with stealth, stealing credentials with more Palto Alto and Fortinet, the first zoom call, and one person's trash is another person's gaming PC!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Alright, so we dove deep into some pretty wild stuff this week. We started off talking about zip files inside zip files. This is a variation of old-school zip file tricks, and the latest method described here is still causing headaches for antivirus software. Then we geeked out about infrared signals and the Flipper Zero, which brought back memories of the TV-B-Gone. But the real kicker was our discussion on end-of-life software and the whole CVE numbering authority mess. Avanti's refusal to issue a CVE for their end-of-life product sparked a heated debate about cybersecurity accountability and conflicts of interest.

Ed Skoudis joins us to announce this year's Holiday Hack Challenge!

Segment Resources:

• https://sans.org/holidayhack

Visit https://www.securityweekly.com/psw for all the latest episodes!

We chatted with Kayne about education systems security, funding for cyber tools and services, and what the future of education might look like to fill more cyber roles.

In the news: Pacific Rim, Linux on Windows for attackers, one of the worst cases of a former employee's retaliation, Zery-Day FOMO, we predicted that, hacking for fun, working hard for no PoC, an LLM that discovers software vulnerabilities, absurd fines, long usernames and Okta, and paying a ransom with dough!

Visit https://www.securityweekly.com/psw for all the latest episodes!

We had the pleasure of finally having Dave Lewis on the show to discuss shadow IT and security debt. Dave shared some fascinating insights from his long career in cybersecurity, emphasizing the importance of addressing fundamental security issues and the human aspect of security. We delved into the challenges of managing shadow IT, the complexities of security debt, and the need for organizations to prioritize security practices. Overall, it was a great conversation that highlighted the ongoing struggles in our industry and the importance of learning from past mistakes to build a more secure future.

Google's cookie encryption drama, Microsoft accusing Google of shady antitrust tactics, AI shenanigans, the rejected Defcon talk and hacking traffic lights, vulnerabilities in Realtek SD card readers, the never-ending debate on quantum computing vs. cryptography, backdoors are not secrets and where we are pushing attackers, firmware leakage, more on Windows Downgrade (and UEFI locks), super nerdy Linux things, EDR is dead, well not really but more on how to make it not phone home, bypassing memory scanners, couple of Bluetooth hacking things, and a really awesome article about an IoT 0-Day that is no longer on the Internet.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Andy drops some Microsoft Windows and 365 knowledge as we discuss the details on how we get to secure by default in our Windows and cloud environments.

This week: The USB Army Knife that won't break the budget, I don't want to say EDR is useless (but there I said it), Paul's list of excellent hacking tips, FortiJump - an RCE that took a while to become public, do malware care if it's on a hypervisor?, MicroPython for fun and not for hacking?, an unspecified vulnerability, can you exploit speculative execution bugs?, scanning the Internet and creating a botnet by accident.

Visit https://www.securityweekly.com/psw for all the latest episodes!

New security and vulnerability research is published every day. How can security teams get ahead of the curve and build architecture to combat modern threats and threat actors? Tune-in to a lively discussion about the threat landscape and tips on how to stay ahead of the curve.

Segment Resources: https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

Air gaps are still not air gapped, making old exploits new again, chaining exploits for full compromise, patching is overrated, SBOMs are overrated, VPNs are overrated, getting root with a cigarette lighter, you can be any user you want to be, in-memory Linux malware, the Internet Archive is back, we still don't know who created Bitcoin, unhackable phones, and There's No Security Backdoor That's Only For The "Good Guys" !

Visit https://www.securityweekly.com/psw for all the latest episodes!

"Code of Honor: Embracing Ethics in Cybersecurity" by Ed Skoudis is a book that explores the ethical challenges faced by cybersecurity professionals in today's digital landscape. The book delves into the complex moral dilemmas that arise in the field of cybersecurity, offering guidance on how to navigate these issues while maintaining integrity. The authors provide practical advice and real-world examples to help readers develop a strong ethical framework for decision-making in their cybersecurity careers.

Segment Resources:

• Code of Honor: https://www.montreat.edu/cybersecurity-code/
• Purchase Ed's book here: https://a.co/d/gb3yRxU

Get ready for a wild ride in this week's podcast episode, where we dive into the latest security shenanigans!

• Default Credentials Gone Wild: We’ll kick things off with a look at how default credential scanners are like that friend who shows up to the party but never brings snacks. They're everywhere, but good luck finding one that actually works!
• Critical Vulnerabilities in Tank Gauges: Next, we’ll discuss how automated tank gauges are now the new playground for hackers. With vulnerabilities that could lead to environmental disasters, it’s like giving a toddler a box of matches—what could possibly go wrong?
• Cisco Routers: The Forgotten Gear: Cisco's small business routers are like that old car in your driveway—still running but definitely not roadworthy. We’ll explore why you should check your network before it becomes a digital junkyard.
• Firmware Updates: A Love Story: Richard Hughes has dropped some juicy updates on fwupd 2.0.0, making firmware updates as easy as ordering takeout. But let’s be real, how many of us actually do it?
• Stealthy Linux Malware: We’ll also uncover Perfctl, the stealthy malware that’s been creeping around Linux systems since 2021. It’s like that one relative who overstays their welcome—hard to get rid of and always looking to borrow money!
• PrintNightmare Continues: And yes, the PrintNightmare saga is still haunting Windows users. It’s like a horror movie that just won’t end—grab your popcorn!
• Cyber Shenanigans at Comcast and Truist: We'll wrap up with a juicy breach involving Comcast and Truist Bank that compromised data for millions. Spoiler alert: they didn’t have a great plan for cleaning up the mess.

Tune in for all this and more as we navigate the wild world of security news with a wink and a nudge!

Visit https://www.securityweekly.com/psw for all the latest episodes!

This episode of Paul Security Weekly features John Hammond, a senior security researcher from Huntress, discussing malware analysis. Hammond dives into the analysis of Ocean Lotus attacks, highlighting the use of stealthy techniques like alternate data streams and DLL side-loading. The conversation also touches on the challenges of combating attackers who leverage ‘bring your own vulnerable driver’ techniques to gain kernel-level privileges. The hosts discuss the need for secure-by-default configurations and the ongoing struggle to combat attackers who exploit vulnerabilities. The episode concludes with a discussion on how to improve the security of the industry.

Segment Resources:

• https://www.huntress.com/blog/the-hackers-in-the-arena-the-huntress-ctf-retrospective
• https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software

Automated tank gauges are leaking more than just fuel, while CUPS is serving up a steaming hot brew of vulnerabilities. Meanwhile, Supermicro's BMC firmware is giving away root access like it's going out of style. If you thought your Kia was safe, think again - all it takes is a license plate and 30 seconds to turn your car into a hacker's joyride. China's been busy building a massive IoT botnet called Raptor Train. It's been chugging along undetected for four years. NIST has decided that your password doesn't need to be a cryptographic masterpiece anymore. No more special characters or arbitrary changes - just make it long and don't use "password123". A Texas hospital is playing a game of "hot potato" with ambulances thanks to a ransomware attack. More thoughts on known exploited vulnerabilities, firmware unpacking tools lowdown, Aruba, Bahama, come-on command injection, and kids changing the name of their school!

Visit https://www.securityweekly.com/psw for all the latest episodes!

This week in the security news, Dr. Doug and Larry explore various technological advancements and their implications with a healthy dose of nostalgia, particularly focusing on health monitoring through Wi-Fi signals, the misconceptions surrounding 5G connectivity, the importance of understanding internet speed needs, and the cybersecurity threats facing water systems. They also discuss the potential chaos that could arise from infrastructure failures and the vulnerabilities present in automated tank gauges, emphasizing the need for better asset management and security measures.

Kayla Williams, Chief Security Information Officer at Devo, discussed the role of AI in cybersecurity and the ongoing issue of burnout for SOC analysts. Working with Wakefield Research, Devo discovered that 83% of IT professionals feel burnt out due to stress, lack of sleep, and anxiety. Many also report that their burnout leads to breaches.

This segment is sponsored by Devo . Visit https://securityweekly.com/devo to learn more about them!

Segment Resources: SOC Analyst Appreciation Day: https://www.socanalystday.com/ Kayla's LinkedIn: https://www.linkedin.com/in/kaylamwilliams1/

Visit https://www.securityweekly.com/psw for all the latest episodes!

Apple drops a lawsuit to avoid exposing secrets, what does it mean for the security industry if MS locks down the kernel?, exploding pagers, more things from the past: Adobe Flash exploits, robots get rid of your data, PKFail is still a thing, Android TV malware is back: now with conspiracy theories, DMA attacks, gamers are not nation-state attackers, the story of a .MOBI Whois server, a better bettercap, and when not to trust video baby monitors.

Gain insights into the CISA KEV straight from one of the folks at CISA, Tod Beardsley, in this episode of Below the Surface. Learn how KEV was created, where the data comes from, and how you should use it in your environment.

This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!