Paul's Security Weekly #528 - DDos Campaign for Memes

Public information about exploits and vulnerabilities alone is not enough to inform prioritization, especially with the growing rate and variety of CVEs. Dan DeCloss, founder and CTO of PlexTrac, joins the show to discuss solving the challenges of risk prioritization to drive faster, more strategic assessment cycles. Spoiler: The key is adding context and prioritization to risk-scoring equations.  

Segment Resources:
https://plextrac.com/get-ready-to-prioritize-risk-with-our-new-contextual-scoring-engine/?utm_medium=tech_ptr&utm_source=security_weekly 

https://plextrac.com/video/priorities/?utm_medium=tech_ptr&utm_source=security_weekly 

This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them!

BiaSciLab from DEF CON joins us to discuss DCNextGen! In the security News: MouseJacking still works, CISA recommends a complete rebuild, memory safety and re-writing code, not all doorbells are created equal, putting a firewall in front of your LLM, rugged gear and vulnerabilities, PLCs are not safe, neither are Windows kernels..

Segment Resources:
https://www.defcon.kids 
https://www.BiaSciLab.com 
https://www.GirlsWhoHack.com 
https://www.SecureOpenVote.com 

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-819

Jayson joins us to discuss how he is using, and social engineering, AI to help with his security engagements. We also talk about the low-tech tools he employs to get the job done, some tech tools that are in play, and the most important part of any security testing: Talking to people, creating awareness, and great reporting.

The latest attacks against WiFi, its illegal to break encryption, BLE Padlocks are as secure as you think, when command not found attacks, how did your vibrator get infected...with malware, the OT jackpot, the backdoor in a random CSRF library, it’s a vulnerability but there is no CVE, car theft and Canada, Glubteba, and settings things on fire!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-818

Join us in this illuminating podcast episode as we sit down with Wendy Nather, a distinguished thought leader and cybersecurity strategist, who has left an indelible mark on the ever-evolving landscape of digital security.

Wendy's journey in cybersecurity is a narrative woven with expertise, innovation, and a deep understanding of the intersection between technology and risk. With a career that spans strategic roles in both the public and private sectors, Wendy has become a trusted voice in the industry, offering insights that resonate with cybersecurity professionals and enthusiasts alike.

As the Head of Advisory CISOs at Cisco, Wendy Nather brings a unique perspective to our conversation. Explore with us as she shares her experiences navigating the complex cybersecurity challenges faced by organizations today. Wendy's strategic vision has helped shape cybersecurity policies, risk management frameworks, and resilient strategies for a myriad of enterprises.

Dive into Wendy's wealth of knowledge as she discusses the dynamic nature of cyber threats, the importance of proactive cybersecurity measures, and the evolving role of technology in safeguarding our digital future. Her commitment to demystifying complex security concepts and fostering a culture of resilience makes this podcast episode a must-listen for anyone passionate about cybersecurity.

Beyond her corporate role, Wendy is a prolific writer, speaker, and educator, contributing to the collective cybersecurity knowledge base. Join us as we explore her insights on emerging trends, best practices, and the human element in cybersecurity—a facet often overlooked but crucial in building robust defense strategies.

Don't miss this opportunity to gain valuable perspectives from one of the industry's leading minds. Tune in to our podcast and discover the wisdom and foresight that Wendy Nather brings to the world of cybersecurity.

Show Notes: https://securityweekly.com/vault-psw-8

In this segment, we discuss topics related to physical security and social engineering. We also touch on the challenges and strategies for implementing effective security measures. The discussion highlights the importance of understanding the relationship between physical security and social engineering. The panel emphasizes the need for a comprehensive approach to security, acknowledging that social engineering and physical security often go hand in hand. We stress the significance of testing physical security measures and conducting threat assessments to ensure robust protection against potential threats. The conversation touches on the concept of usability versus security, acknowledging that security measures should provide a balance between effective protection and practical usability. We explore the vulnerabilities of certain security technologies, such as biometrics, and underscore the need for continuous evaluation and adaptation of security measures to mitigate emerging threats.

Welcome to a riveting episode of Hacker Heroes, where we sit down with Toby Miller, a distinguished figure in the realm of cybersecurity. Toby brings a wealth of experience and a passion for fortifying digital landscapes against ever-evolving threats.

Armed with a profound understanding of cybersecurity intricacies, Toby has spent years honing his skills in the field. As a seasoned professional, he has not only weathered the storms of the digital frontier but has emerged as a beacon of knowledge and resilience in the face of cyber challenges.

Join us as we delve into Toby's journey, from the early days of his career to his current role as a cybersecurity expert. Gain valuable insights into the dynamic nature of cyber threats, the evolving tactics employed by malicious actors, and the strategies Toby employs to stay one step ahead in the ever-changing cybersecurity landscape.

Toby's expertise extends across a spectrum of cybersecurity domains, including risk management, threat intelligence, and incident response. Discover the mindset that propels him forward in the pursuit of securing digital infrastructures and safeguarding sensitive information.

In this podcast episode, Toby Miller shares anecdotes from the front lines of cybersecurity, offering our listeners a firsthand account of the challenges faced by professionals in the industry. Whether you're a cybersecurity enthusiast, a fellow professional, or someone navigating the digital landscape, Toby's insights are sure to enlighten and inspire.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-817

As a computer-smitten middle-schooler in the former Soviet Union in the 1970s, to his current and prominent role in the cybersecurity research community, Bratus aims to render the increasingly prevalent and perilous software, hardware, and networks in our lives much safer to use. His fascination with computer security started for real in the 1990s as a mathematics graduate student when a computer he was programming and responsible for at Northeastern University in Boston was taken over by a hacker. That experience set him on his life’s mission to learn as much as he can about the vulnerabilities of software and hardware with the goal of learning how to best minimize or eliminate those vulnerabilities. Noting his embrace of the hacker community for its deep and innovative expertise in this context, Bratus’s portfolio at DARPA could help reduce or entirely remove even some of the most stealthy and unexpected vulnerabilities that reside in software and its logical, computational, and mathematical foundations.

Segment Resources:

• Overall Portfolio: https://www.darpa.mil/staff/dr-sergey-bratus

• Safe Documents: https://www.darpa.mil/news-events/2023-06-14

• Enhanced SBOM for Optimized Software Sustainment: https://sam.gov/opp/d0af3e325a594a8191b94e3f80b6bdcd/view

• V-SPELLS program:  https://www.theregister.com/2023/08/18/darpalegacybinary_patching/

• Digital Corpora Project:  https://www.jpl.nasa.gov/news/jpl-creates-worlds-largest-pdf-archive-to-aid-malware-research

• SocialCyber:  https://www.technologyreview.com/2022/07/14/1055894/us-military-sofware-linux-kernel-open-source/

• Weird Machines:  https://www.darpa.mil/program/hardening-development-toolchains-against-emergent-execution-engines

• Safe Docs: https://www.darpa.mil/news-events/2023-06-14

• Exploit programming:  https://www.usenix.org/publications/login/december-2011-volume-36-number-6/exploit-programming-buffer-ove

 

In the Security News: - Shim Shady, Up Shims Creek, whatever you want to call it, there’s a vulnerability affecting pretty much all Linux distributions (and other operating systems as well), when your toothbrush attacks the Internet, or some claim, glibc has some vulnerabilities, not all got a CVE, and one is for the algorithm lovers, Google shows some love for Rust, beating Bitlocker in 43 seconds, DEF CON was canceled, then uncancelled, and I’m not even joking this time, and the Government is here to "unhack" your router,

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-816

When an RCE really isn’t, your kernel is vulnerable, calling all Windows 3.11 experts, back to Ebay, Turkish websites and credentials, 10 public exploits for the same vulnerability, hacking Bitcoin ATMs, another vulnerability disclosure timeline gone wrong, Flipper Zero tips and how you should not use it to change traffic lights, Windows 11 S mode, and you’re dead (but like in the movie Hackers dead), and more!

Danny Jenkins, CEO & Co-Founder of ThreatLocker, a cybersecurity firm providing Zero Trust endpoint security, is a leading cybersecurity expert with over two decades of experience building and securing corporate networks, including roles on red and blue teams. He is dedicated to educating industry professionals about the latest cyber threats and frequently speaks on the topics of ransomware and Zero Trust.

This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-815

Matt Coose is the founder and CEO of cybersecurity compliance firm Qmulos, previously the director of Federal Network Security for the National Cyber Security Division of the (DHS).

CISOs carry the ultimate burden and weight of compliance and reporting and are often the last buck. Says Coose, best-of-breed is better described as best-to-bleed-the-budget: it’s a bottom-up, tech-first, reactive approach for acquiring technology as opposed to managing risk. Coose shares his top considerations below for how CISOs can navigate the crowded market of cybersecurity tools when cost is highly scrutinized, but regulations keep growing.

Platforms are what every vendor dreams of being called, but no platform does it all, says Coose.

Coose shares what smart CISOs and mature organizations understand, that others don’t:

• There’s no “buying their way out of security issues or into a better risk posture.” They understand the need to evolve to a top-down, risk-driven, inherently business-aligned, dynamically adaptable, and evidence-based security management strategy.

• That looking at technology choices through the lens of risk controls (and the related data provided by technology that implements those controls) enables credible and transparent strategic tech portfolio management decisions that are immune to vendor preferences or the latest market(ing) fads.

• The need for meaningful security and risk measurement and the difference between leading and lagging indicators.

• The original intent of security and regulatory compliance as a model for proactive and consistent risk management (leading indicator), not just a historical reporting and audit function (lagging indicator).

• That managing risk, compliance, and security as distinct and separate functions is not only wasteful and inefficient, but denies the enterprise the ability to cross-leverage significant people, process, and technology investments

In the Security News: Don’t expose your supercomputer, auth bypass and command injection FTW, just patch it, using OSQuery against you, massive credential stuffing, backdoors in Harmony, looking at Android, so basically I am licensing my printer, hacking Tesla, injecting keystrokes over Bluetooth, and remembering the work of David L. Mills.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-814

With a recent increase in government attention on K–12 cybersecurity, there is a pressing need to shed light on the challenges school districts face in implementing necessary security measures. Why? Budgeting constraints pose significant obstacles in meeting recommended cybersecurity standards. Brian Stephens of Funds For Learning will discuss:

• The financial constraints K–12 schools face and the critical role of funding from federal and state governments in addressing cybersecurity concerns.
• Efforts by Funds For Learning to petition the FCC to expand E-rate funding to support next-generation firewalls and other cybersecurity services.
• By expanding the technologies and solutions eligible for E-rate funding, schools can obtain the necessary resources to protect against the growing threat of third-party data breaches.

Here are links to the most current blog posts about Cybersecurity Notice of Proposed Rulemaking  https://www.fundsforlearning.com/news/2023/11/dont-miss-your-chance-to-impact-e-rate-cybersecurity/, Wi-Fi hotspots https://www.fundsforlearning.com/news/2023/11/wi-fi-hotspots-proposed-for-e-rate-program/ and school bus Wi-Fi https://www.k12dive.com/news/fcc-approves-school-bus-wifi-e-rate/697337/. Funds For Learning also facilitated an informational webinar on the Cyberserucrity Notice for Proposed Rulemaking https://fundsforlearning.app.box.com/s/5gp9qr938qtgs0ug92nkgfvrjvtil4sf. Funds For Learning also conducts an annual survey for E-rate applicants to provide their feedback on the E-rate program. The responses are shared with the FCC through the Funds For Learnings annual E-rate Trends Report. https://www.fundsforlearning.com/e-rate-data/trendsreport/. Lastly, here is an article from Brian about cybersecurity and why it should be funded through E-rate https://www.eschoolnews.com/it-leadership/2023/09/29/will-cybersecurity-receive-e-rate-funding/

In the Security News: Bricked Xmas, If you can hack a wrench, PixieFail and disclosure woes, exposing Bigpanzi (more Android supply chain issues, 20 years of OpenWRT, Jamming, traffic lights, and batteries don’t work that well in the extreme cold. All that and more on this episode of Paul’s Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-813

Jared would like to discuss the evolution of purple teaming. Put bluntly, he believes traditional purple team approaches don’t test enough variations of attack techniques, delivering a false sense of detection coverage. He would like to talk about: The shortcomings of red team assessments and why most purple team assessments are too limited. How the testing landscape and requirements have changed (especially as organizations now look to validate vendor tools defense claims). How purple team assessments are evolving with the use of new frameworks like Atomic Testing. And the importance of building and selecting good test cases that cover the many ways attack techniques can be modified.

The Exploit Prediction Scoring System is Awesome, or so some say, Reflections on InfoSec, Why some people don’t trust science, SSH-Snake, Back in the Driver’s seat, I Hacked My Internet Service Provider, States & Congress wrestle with cybersecurity, Combining AI with human brain cells, analyzing linux-firmware, detecting BLE SPAM, and The I in LLM.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-812

Unleashing the Power of Crowdsourced Cybersecurity: A Conversation with Casey Ellis, Founder of Bugcrowd

️Meet Casey Ellis, the visionary entrepreneur who has redefined the landscape of cybersecurity through the groundbreaking platform he built – Bugcrowd. As the Founder and Chief Technology Officer of Bugcrowd, Casey Ellis has not only revolutionized the way organizations approach cybersecurity but has also championed the concept of crowdsourced security testing.

With an innate passion for hacking and a deep understanding of the evolving threat landscape, Casey embarked on a mission to democratize cybersecurity. In our upcoming podcast interview, delve into the dynamic journey of a self-proclaimed hacker turned cybersecurity pioneer.

Casey's brainchild, Bugcrowd, serves as a global community of ethical hackers and security professionals who collaborate to uncover and address vulnerabilities in digital systems. Learn how this innovative approach has empowered organizations across industries to proactively secure their digital assets, embracing the power of the collective in the fight against cyber threats.

A trailblazer in the cybersecurity space, Casey Ellis brings a unique perspective to the podcast as he shares insights on the challenges and triumphs of building Bugcrowd from the ground up. Explore the intersections of technology, security, and community-driven solutions with a leader who has not only disrupted the status quo but has also fostered a culture of continuous improvement and collaboration.

Join us for a riveting conversation as we uncover the secrets behind Bugcrowd's success, the evolving role of ethical hacking in today's digital landscape, and Casey's vision for a more secure and interconnected future. Whether you're a cybersecurity enthusiast, a tech aficionado, or simply curious about the forces shaping our digital world, this podcast episode with Casey Ellis is a must-listen.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Show Notes: https://securityweekly.com/vault-psw-7