Amanda Berlin, co-author of 'Defensive Security Handbook: Best Practices for Securing Infrastructure', discusses incident response, SMB challenges, cloud event logging, multifactor authentication, configuring SMB systems, transitioning to the cloud, Linux vs Windows security, fixing a vulnerability in CPI, compression algorithms, Signal app vulnerability, concerns about Chinese hardware, a book club, assessors and auditors for PCI compliance, and automotive safety evolution.
Cloud adoption can be challenging for SMBs due to hidden costs and psychological shift in control.
Securing open-source software becomes difficult when stakeholders cannot be reached or do not respond to vulnerability reports.
Inconsistent vulnerability scoring and reporting raises questions about the effectiveness of the process.
Exploiting vulnerabilities in software, like WinRAR, highlights the ease with which attackers can target unsuspecting users.
Deep dives
SMBs still have limited cloud adoption
Despite the push for cloud adoption, many SMBs are still running on-premises infrastructure, including Exchange servers. Cloud technologies are expensive, and the hidden costs of storage can deter smaller businesses. Moving to the cloud also brings a psychological shift in control that some SMBs find uncomfortable. API security is becoming an important focus as more companies write their own APIs. Mental Health Hackers recently held a successful Blue Team Con in Chicago and will be hosting remote painting sessions. Their ambassadors will also be participating in conferences such as GeauxRicon and SpiceWorld, among others.
Busybox CPI vulnerability highlights challenges in reaching developers and package maintainers
A directory traversal vulnerability has been discovered in Busybox's CPI utility, but neither the developer nor the package maintainer can be reached to fix it. The vulnerability allows arbitrary files to be written to arbitrary locations, which poses a potential remote code execution risk. It highlights how hard it is to secure open-source software when the necessary stakeholders cannot be reached or do not respond to vulnerability reports.
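The guard an extractor needs against this bug class, as an added example that is not Busybox code: every archive entry name is resolved against the extraction directory and refused if it would land outside it. The destination path and the entry names are constructed for illustration.

```python
"""Archive-entry path containment check (added example, not Busybox code).

A directory-traversal bug in an archive extractor lets an entry named
"../../etc/cron.d/job" write outside the directory the user chose.
The guard below resolves each entry name against the destination and
rejects absolute names and anything that escapes after '..' collapsing.
"""
import os
from typing import Dict, Iterable, Optional

# Constructed destination; it need not exist for realpath() to normalise it.
DEST_DIR = "/tmp/extract-demo"

# Constructed entry names of the kind an archive might carry.
SAMPLE_ENTRIES = [
    "etc/motd.txt",           # plain relative name: fine
    "sub/../sibling.txt",     # '..' that stays inside the destination: fine
    "../../etc/cron.d/job",   # classic traversal out of the destination
    "/etc/passwd",            # absolute name: never acceptable
    "sub/../../escape",       # '..' that walks out after a real subdir
]


def contained_target(dest_dir: str, entry_name: str) -> Optional[str]:
    """Return the on-disk path for entry_name inside dest_dir, or None if it escapes."""
    dest_real = os.path.realpath(dest_dir)
    # Archive formats use '/' separators; normalise backslashes before joining.
    name = entry_name.replace("\\", "/")
    if not name or name.startswith("/"):
        return None
    candidate = os.path.realpath(os.path.join(dest_real, name))
    # realpath() collapses '..' (and follows symlinks already extracted), so the
    # result must be dest_real itself or a path strictly beneath it.
    if candidate != dest_real and not candidate.startswith(dest_real + os.sep):
        return None
    return candidate


def scan_entries(dest_dir: str, entries: Iterable[str]) -> Dict[str, str]:
    """Classify each entry as 'ok' or 'rejected' without touching the filesystem."""
    return {
        name: "ok" if contained_target(dest_dir, name) is not None else "rejected"
        for name in entries
    }


if __name__ == "__main__":
    for entry, verdict in scan_entries(DEST_DIR, SAMPLE_ENTRIES).items():
        print(f"{verdict:8} {entry}")
```

Checking entries in extraction order matters: a symlink written by an earlier entry is followed by realpath(), so a later entry that tries to write through it is caught too.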
Curl maintainer faces challenges with undetected CVE and disputed severity rating
The maintainer of Curl, a widely used command-line tool, faced challenges when a CVE was filed against the software without his knowledge. The maintainer was unaware of it because the report had never been communicated to the project. He also disputed the severity rating assigned to the CVE, arguing that the issue was a bug rather than a security problem. The CVE is currently undergoing reanalysis, which raises questions about the effectiveness and consistency of vulnerability scoring and reporting.
WinRAR vulnerability exploited through file spoofing technique
A vulnerability in WinRAR allowed attackers to exploit the software using a file spoofing technique. By creating a ZIP archive that contained both malicious and non-malicious files, attackers could trick users into executing a script disguised as an image file. The vulnerability showed how easily attackers could take advantage of the software and posed a significant threat to unsuspecting users.
Misunderstanding of PCI in the Phoenix Project
The book, The Phoenix Project, inaccurately portrays the requirements of PCI and the role of auditors. It refers to PCI auditors, when in fact they are called qualified security assessors (QSAs). Additionally, the book presents incorrect information about the distinction between level one and other merchant levels, as well as the significance of the PCI requirements.
Penetration Testing in PCI Compliance
Penetration testing is a key component of PCI compliance, particularly for larger merchants and service providers. It must be conducted at least once a year, both internally and externally. The pen test should aim to exploit vulnerabilities, and the merchant or service provider must remediate any vulnerability that was successfully exploited or is considered exploitable.
Controversy over Rapid7's request to remove YouTube video on Ford's bug bounty
A YouTube video by TheHamsack demonstrates the use of an AI tool to generate endpoint URLs that could reveal information. Rapid7, acting as a legal representative of Ford Motor Company, flagged the video as aiding criminals in fraudulent activity. TheHamsack argued that the techniques shown were within the scope of Ford's public bug bounty and that they did not disclose any additional proprietary information. Casey Ellis from Bugcrowd chimed in, questioning the situation. This controversy highlights potential false positives and the need for manual review of automated detection systems.
Trademark defense and intellectual property enforcement on YouTube
A creator received a legal notice from Rapid7, representing Ford Motor Company, requesting removal of a YouTube video. TheHamsack defended the video, claiming it was within the scope of Ford's public bug bounty program and did not disclose any unauthorized information. Rapid7 is likely using automated detection systems to flag potential infringement. This incident raises questions about defending trademarks and copyrights, the accuracy of automated detection, and the need for human review in legal disputes.
Amanda joins us to discuss aspects of incident response, including how to get the right data to support findings related to an incident, SMB challenges, cloud event logging, and more! Amanda works for Blumira and is the co-author of "Defensive Security Handbook: Best Practices for Securing Infrastructure." In the Security News: How not to send all your browser data to Google, apparently Microsoft needs pressure to apply certain fixes, the multi-hundred-billion-dollar-a-year industry that tries to secure everything above the firmware, security through obscurity doesn't work, should you hire cybersecurity consultants, pen testing is key for compliance, defense contractor leaks, inside a McFlurry machine, Barracuda is still chasing hackers, why Linux is more secure than Windows, more details on WinRAR and middle-out compression, a Wi-Fi worm?, CVE-2020-19909 is almost everything that is wrong with CVE, Tacos, and hacking through a Fire Stick!
All that and more on this episode of Paul’s Security Weekly!