So this is my lumberjack outfit. I'm a lumberjack and I'm okay. We just call that fashion in Oregon. Yeah, this is considered to be dressing up in Oregon. Yeah, yeah. I saw you got some runs in last week, Corey? Like, oh, yeah, bike trails still not good? Or like, oh no, bike trails are ready? El Niño has given us a gift of February mountain biking. That's nice. Anywhere on the west coast? We... I don't know, it's still like a little bit of snow and it's muddy and it's kind of... but I did get a Wahoo Kickr for the office, so I've been doing that, and I don't know, it's better than nothing. It is much, much better than nothing, actually. So yeah. I actually... our power was out here for a little bit and I was looking into, should I just get a bike to power my house? Is that a thing? Turns out you can, but they're really expensive, and also, obviously I can't generate a kilowatt of power. Yeah. That sounds like something the power company would give you money back on, right? Like, could you generate enough power to push back into the grid? No, the amount you could generate would be charge-your-phone levels, not anything beyond that. I mean, think about it, I can put out what, maybe 200 to 300 watts for a sustained period. That's nothing. If you bought a cat wheel that also generates... put Corey in the cat wheel. It's got to be big enough for Corey. And a cat. Maybe it has adjustable wheels, like you can extend it. That would be cool. Have you considered involving child labor of some kind, like opening a daycare? A crawl wheel. I'm going to need one of those right now. Like a seesaw that can generate some power, right? Scale out, go wide. True, go wide. That's how it is now. I'll get an Ansible script going for setting that up. All right, are we ready to kick this
off, y'all? Yeah. Always. Do it, let's do it. We're always ready.

Hello and welcome to another edition of Black Hills Information Security Talking About News. My name is John Strand and I am back from training week, back-to-back pay-what-you-can classes. I think we trained over 2,000 people, or right around 2,000 people. It was crazy. Super excited to be back, and we've got, of course, a great show with news stories involving US insurance companies getting hacked; the Verizon data breach (not the report, the Verizon data breach; are they going to do a report on the report? are they going to do a report on that?); IT suppliers being compromised; bootloader shims and Linux systems; hack exploits for job boards stealing millions of résumés and personal data; and I think we're going to get around to still talking about Ivanti devices being hit by a wave of exploits and security holes. It's just like they're coming on strong as one of the most hated companies in computer security right now whenever it comes to breaches, so hats off to them. And also something a little bit different: if you're the audience and you're chatting, if there's a news story you would like us to just blindly click on in the form of a link, and you'd like to phish us, we click links. Our pre-production team's job for us... if there's something that's just burning in your soul and you're like, they really need to talk about this. Also, this particular edition of Talking About News is brought to you by Black Hills Information Security and Antisyphon Security Training. We do stuff like... I don't know. Yes, I don't know, I suck at this, so go ahead, Corey.

I have a question. When are we going to get our own Super Bowl ad? They're only $7 million for 60 seconds. Now, on the content community team, or was it in the business meeting, I had an idea for this, and the idea was a 30-second spot, right, a very sad Sarah McLachlan song. What's your favorite, like, what's the saddest? "In the Arms of the Angel." "In the Arms of the Angel," right. And it's nothing but the content community team's pictures, fading in and fading out and fading in and fading out, and then at the end it says, "Black Hills Information Security: please do business with us so we can hire our content community team back." That's heartbreaking. Just wait, they get paid $3 million. I don't think it's quite that much. I think sometimes they spend that much. They're like, is it okay if we do a comic book? It's like, yeah. Do you want me to submit an approval that just says "I need $7 million for a quick Super Bowl ad"? That sounds like a ransomware note at that point. But no, we're a long ways from CrowdStrike levels of stupidity whenever it comes to spending. I just... let's talk about that
a little bit. How do we feel? Does that feel like we used to be the cool kids and now we're not cool, because now we're being advertised in the Super Bowl along with toilet paper? John, we're not CrowdStrike. We're not CrowdStrike, but I mean the industry. I was going to say, as the infosec industry... well, it's certainly not... like, I remember the days when no one had heard of information security and we were the people who didn't get invited to meetings, so I'd say it's definitely come a long way in the last, you know... Yeah, it's gotten a lot worse, I'd say. I feel like an infosec hipster, like I hear about that mgin and it's just hair... oh yeah, facial hair in particular. I'd be like, I was in computer security before it was in the Super Bowl. No, I don't know, I don't know. I feel like it's a play right out of their book, dude. If you've got a Formula 1 car, like, what's next? Like, Super Bowl, that's it. I don't know. The other thing, the bigger thing for me, is if you're going to do layoffs, maybe you shouldn't do a Super Bowl ad, you know. Did they do layoffs? Did they announce that? No way. I think they had some layoffs a little while back. Oh, I've got to find that, got to see that. Yeah. So there was a question: why are they marketing to the common man? I don't think they are, right? I mean, the Super Bowl was quite expensive to go to. Did you see all those celebrities at the Super Bowl? Like, agreed, Jack Dorsey was there, right, right next to... they're like, it's Beyoncé and Jay-Z, don't even talk about him, like he's just right there. So I guess the reason I say it's not the common man is, you know, I had it on for most of the day and I noticed there was a Red Hat Ansible commercial coming through. Like, Red Hat? Yeah, like that's not for the common man, Red Hat and Ansible. So I don't know, it's definitely... I mean, that might be localized, that might be only for you. It could be some of it gets localized; some of it is they understand how many execs are watching the Super Bowl. They do, but they should know the only way to advertise to execs is to only have them listen to their neighbors. That's the only people execs listen to. They'll be mowing the lawn: "Oh, have you heard of CrowdStrike?" And then the next day: "Hey, we need to be buying CrowdStrike." That's exactly how it goes. The neighbor gets a new Porsche, he's like, oh wow, that's weird. Like Barracuda in the airports, do you remember the old... oh my God, they had advertising everywhere, and then Cylance. I went through, was it the Phoenix airport maybe, one time, was an airport in Arizona I think, and Cylance was everywhere in that airport, 2018. I love the Cylance ads though. It's like, Cylance, silence as attackers. I'm like, oh, that's crafty. That's like... that is so bad from a marketing perspective. Like, somebody's like, I don't know if you guys noticed but Cylance and silence kind of rhyme and we should play on that, and then they did it. It's like the Farmers commercial. There's a comedian, I can't remember, he's like, you know, coming up with tunes, like the guy drinks the entire night and they're like, okay, okay, you need to come up with a song right now for Farmers, and they're like, brilliant, let's go with that. That was really bad. And then the other thing with the Cylance posters: they had all of their executives, like they had a whole bunch of guys in suits, and they're like, you know, McClure, the CEO of Cylance, and he believes in Cylance. Well, of course he does, he's the effing CEO. Well, he quit like a year later, I'm pretty sure he didn't believe that much, you know, after the sweet BlackBerry money rolled in. So we should talk about the new... Blackest, hold on, Blackest just said Cylance, because nothing BlackBerry owned ever... How's your roller skating game? Me? It's so... if you saw the halftime show, yeah, Usher, he was amazing, but they had it on roller skates, like the old four-wheel roller skates, that was pretty legit, and they were pretty good. I was like, all right, I'll give you this, Usher on roller skates, that's next level Usher dancing. It was, I think, like Solarbabies and Usher. I don't know if that's too weird of an 80s movie reference, but... yeah, it is.

All right, let's do the news. Let's do it. All right, now that we're done, who wants to pick the first article? I mean, we already said Ivanti, let's just pile on.
Let's do that one, go to it fast. Basically, for those that don't know, Ivanti Connect Secure, our favorite VPN, now has another vulnerability that's being chained with the previous ones. Ivanti recently, I think, took a lot of press, because we talked about it last week, but CISA said unplug your Ivanti devices. They did not say patch them; they just said either patch them or turn them off. Holy [ __ ], I actually agree with CISA on something. Wow. Well, we talked about it last week and we didn't have any of the people who actually knew what they were talking about, which I guess is somewhat... yeah. But I guess, John and Kelly, one of the things that was brought up is, does CISA even have the ability to say that? We kind of went down a rabbit hole. Apparently they do have executive authority to do that somehow. But yeah, they're just like, unplug it, basically. You know, exploited in the wild, the standard thing. I think it's all pretty standard. We talk about this all the time, but when one vulnerability happens in a product it's so common to see a chain of vulnerabilities come after that, like it happened with the Print Spooler and Windows, and now here we are, it's happening with Ivanti. So that's why CISA is like, cut it. And that's really, really typical, right? We talked about this in Java, we talked about this in Flash, we talk about this in Fortinet, we talk about this with almost any of these different vendors, and as soon as you start seeing these classes of vulnerabilities come out it's like a dinner bell for every hacker that's out there, because they know that there's a strong possibility that those poor coding practices are going to persist, and not just that one thing. And that's truly consistent in the industry. Now the question I ask, and maybe you talked about this last week: are we just going to go with "Ivanti sucks," or is it just that they're the ones that are getting analyzed right now? The ones getting... I think a little of both. I don't think they suck. We've seen this happen over and over again: once they get a vulnerability, the Eye of Sauron turns on them and just goes, all right, show us all your weaknesses, and bam, they get popped. It's a tale as old as time, as we've seen in cybersecurity. Yeah, I'm surprised there isn't a framework about it, like once you get popped, there's this level of vulnerability where you have to completely re-evaluate your code and go do something. There probably is and I just don't know about it because that's not my thing. But I don't think they're that bad. I haven't heard of anything gnarly with Pulse Secure or Ivanti anytime before this, like I can't remember one. But so, okay, Shadow Ninja 85 brought
up, so is Fortinet actually less secure? Are they more diligent on internal red teaming? I don't know. There were a lot of vulnerabilities in Fortinet appliances for a while, and I think that one of the problems, especially whenever you're looking at Fortinet as a company, is they have a tremendous number of different products that are out there. And, like wiso just said, this is one product of several, and whenever you have development shops in most organizations, security organizations included, you have this big push to get new technologies out, and they really don't backfill and try to secure those things as well as they possibly should, because you just get this huge product line footprint that becomes incredibly unmanageable. I mean, we saw it with FireEye years ago, before they got bought up by Mandiant, or I don't know who bought who in that situation, but FireEye underneath the hood was QEMU as a virtualization hypervisor, and we were seeing vulnerabilities showing up in QEMU, and then shortly thereafter you would see the same types of vulnerabilities show up in FireEye. This is a long time ago, but it once again goes to that technology footprint and how many products they're actually trying to maintain with those things. And you know, Andrew, I kind of want to throw this your way. I think the thing I want to get... I have this vision in my head that anytime these vendors start getting these vulnerabilities, be it Java, be it Flash, be it Fortinet, be it Ivanti, be it whoever, I always have this vision of cloud providers laughing nervously, like, you know, what's-his-name in the sub, um, Danger... because they just keep rolling this stuff out so quickly.

Yeah, this one is particularly interesting and concerning, I think, because the write-up actually says that they were able to execute arbitrary code via a SAML bypass. That chain of things, for me, is very, very concerning in so many ways. It's like, what the heck third-party library is that client running that allows a command injection via a SAML flow? It's definitely Java, calling it. What's going on in there? And also, that's just not a very common set of... you see all the time certificate verification problems, you see all these other things with SAML where they're just not doing the right things from a protocol perspective, but what the heck thing is allowing you to escape an actual SAML flow into an unprivileged user and then get to other arbitrary things on the same system? That tells me they didn't purchase any, or they didn't use any, development kits for SAML, right? They literally were like, hey, let's just write this thing from scratch, how bad could that be? And, you know, we've been seeing that for years. Speaking of people that have seen that for years longer than I have: Jay, you want to talk a little bit about companies trying to homegrow? Because seriously, if Ivanti could blame a different third-party vendor for their SAML implementation, they would; they would absolutely be doing that. They decided that they were going to roll it homegrown. And Jay, I was wondering if you had any stories or any background on companies trying to roll their own code whenever they really should just be using a library that's available to them.
Oh yeah, definitely. I mean, I think anybody here who's been testing web apps would say that you constantly find vulns when they wrote something that they just should have used a library for. Cross-site scripting, you know, cross-site scripting and SQL injection used to be a lot more popular, and cross-site scripting is still out there, but they used to be a lot more popular before finally most companies, most developers, started using libraries that took care of output encoding for you, and stopped trying to roll their own. But everybody's going to roll their own crypto forever, everyone's going to roll their own XML parsing, everyone's going to roll their own JSON parsing. I mean, I do want to say for this specific vuln, like, how is it that I got from one context to another? The issue is, this is an XXE in XML, and the hard part... you know, it's one of those wonderful features you could have in your parsing where you can say, I'm going to have an external entity definition, but instead of putting in this text, I'm just going to make things easy for myself and say, go pull it from the internet. And so instead of pulling code from the internet and running it, in this case you're saying go pull this from the internet, and what you should pull, similar to an image tag, what you should pull is this other link on the same device. So they call it a confused deputy. It's where, as an attacker, you're telling this thing, hey, I'm going to give you some XML, and when you go to parse it, that'll cause you to hit links, and if one of those links turns out to be an action, then now I've gotten you to take that action that I'm not allowed to take. Yep.

I'm actually gonna... my hot take on this is that I think part of the problem with these types of devices is that they haven't done a good enough job of putting them in the hands of bug hunters. So bug bounties are great, right, because I can just publicly search for bugs and find them and get them fixed. This is what all the big tech companies use and rely on, in addition to other security things. But with these paid products, I think it's in the manufacturer's best interest to be able to get licenses to these people, because I genuinely do think part of what happens here is you have an exploit in a device that opens up access to lots of people who previously never had access to this device. So, as the fake APT that I am now, I have access to Pulse Secure for the first time because I just rooted one of them. I'm going to start looking around: is there a persistence mechanism I can take advantage of, is there a privilege elevation, what can I get out of it? This might be my first time, or my threat group's first time, ever digging into this, and that's going to lead to more and more vulnerabilities. So I think that's part of it, that's another reason we see these follow-on vulnerabilities: a bunch of people who are good at finding bugs are now getting access to this via illicit means, and they're finding more stuff, in addition to the security researchers who are focusing on it, and the company themselves focusing on it. So I think that's part of it. I don't know what exactly the licensing would look like, but you need to give people access to your stuff so they can find bugs, because if I have to pay, I don't know how much it costs, I'm assuming thousands of dollars, to access the VPN to look for bugs in it, I'm not going to do it. I'm just going to be like, okay, I'll just go look at OpenVPN instead.

So I want to ask a question to everybody, though. You know, one of the things we hear a lot of organizations
talk about, specifically at the C-level, is they attend all these talks about supply chain and all this garbage, and they're like, I need a bill of materials. Like, whenever you're going through and you're saying, we have a product, what are all the open source licenses, what are all the different libraries that you're using? And many organizations look at that as though it is a problem to have lots of open-source software as part of the commercial product that you're selling. Is it? Or is it more terrifying when a company's like, no, no, no, we rolled that all on our own? By the way, Jay just put in Discord a really cool link with VPN issues, so be sure to check that out, with Ivanti's VPN. So be sure to click on that link, because you can totally trust links from anyone on this show. I do. So I don't know, what do you guys think? Like, an infosec bill of materials, would that have helped this or would that have not? Because I really, personally, think that they're of limited utility, but yeah, I'd like to hear what you all think of that.

I honestly don't think that would have helped in this instance. I think the bill of materials helps a lot more from the standpoint of, are we vulnerable to XYZ vulnerability that has just been announced out there? For instance, Log4j: how many people didn't know that Log4j was going to be part of what they've got sitting there? Oh, we've got this and this, and didn't realize that library, that system, was set up inside of there. That's where the SBOM comes a little bit more into play, I believe, as opposed to, we're going to get this, we're not going to get this, because I think almost every company out there is using some open-source software in some fashion, or some open-source library in some fashion. Okay, cool. And Tire Fire, whose name I absolutely love, I want to party with that guy, said SBOM solves a different problem. It may solve a different problem, I would definitely agree with that, but I think that a lot of executives think that it would have solved this problem, which I don't... I agree, I don't think it would have. But does anybody else have a take on that too?

I mean, I don't want to be too outspoken on this issue, I just... this is the one I did my homework on, so I'm kind of... I think SBOM might actually be a little helpful here. Not, I don't think, for all of us, for all the companies out there that are running Ivanti necessarily, but for anybody doing research. I know that... so there are five, you know, this is the fifth vulnerability in Ivanti, and for all of these you kind of have to chain two of them together to get anywhere. But this is the fifth one, and in reading about the five, one of them, there was kind of a whole brouhaha because it turned out that for that vulnerability there were complaints like, hey, you're giving this CVE a new one, but actually it's being caused by this component, and that component already has a CVE for this one. And so I gotta think, you know, maybe when the first vulnerability comes out in the Ivanti VPN or in the Fortinet VPN or whatever, SBOM's not as useful, but once the vulnerabilities come out and the attackers have started to turn the Eye of Sauron over to Ivanti now, or over to a given piece of software, I think if there's an SBOM it's actually useful. I mean, it's useful for the attackers, it's useful for all the researchers, for all the people, for all of us, whether we're on attack or defense. You know, we're all out here on Twitter or what have you, trying to catch up to where the zero day, to where the creators of the exploits, are already at, and in our catch-up we're learning all this stuff about, oh well, that's... And I think that in that catch-up we can actually start to get a little ahead of them if we can look at an SBOM and say, oh, first, it's using these libraries; is there anything that's been found in those libraries already? Are there... you know, heck, let's get ahead of them, find the vulnerabilities before they get started exploiting a zero day, and publish. So that's my take.

So I also feel... oh, I've got one more question I want to roll on that, Corey, and then I'm going to kick it over to you. All right, you're now the CISO of Ivanti. What the hell do you do? Uh oh, you're asking Corey? Asking... it's just an open question to... oh good, good. You: what the hell do you do? Start networking on LinkedIn. You have a golden parachute; put your head between your legs and kiss your butt goodbye. Well, so, I mean, a better red team, that's where I was going to go with this. Okay, so this has got to be the worst acquisition in Ivanti history. Yeah. I mean, the joke I was going to make is, do you think the executives that signed off on it still got their bonuses, right? But I think this is a question of due diligence, and we have pentesting customers come to us a lot and say we're doing M&A, or we're going to acquire this product or whatever, we want you to test it and make sure it's not full of holes. So I guess my question is, from Ivanti's perspective, when they bought this product, do you think they did any due diligence testing? Did they know these holes were there and say, oh, these are accepted risks? Or did they just say, uh, no, it's moved under our product brand and we're not going to touch it anymore? I can't imagine that there would be any kind of actual paper trail that would say that they were having an RCE as an accepted risk. That would be amazing; that'd be a story in itself.

Just to go back for a minute to John's question about, does open source make this better or worse? I think the answer is it doesn't necessarily make it better or worse, because I've audited projects where the open-source implementation of SAML or OIDC just doesn't verify a cipher, or if you have this specific implementation of this Python library it will just fail open. So in many cases, on both sides, implementing it on your own or using open source, we don't really have inside-out testing today for identity stuff that's applied consistently that you could use even for a report like that, and that is the part
that's lacking. And Andrew, this is predominantly for Andrew and Jay: what about a code analysis tool, like DAST or SAST? Would it have helped deal with these particular vulnerabilities? I've gone through the ones that have been released, and a lot of people are like, how would a company actually deal with this on the ground? So if you would have had the right plugins in your development libraries, or the right audit tools, to be able to audit the source code of your products, would it have helped with these vulnerabilities? It's not even a SAST or DAST question, I think. At a primitive level it's even just an outside-in testing issue. Like, go back to primitive synthetic test type stuff: does it work, does it fail when we expect it to fail, does it secure when we expect it to secure? And we can throw all the other stuff out the window on, like, the crypto verification side. Curious to hear what other folks think. Jay, yeah, I mean, you've dug around in these exploits and you've written auditing tools, so what are your thoughts? Do you think... because like I said, I'm trying to look at this from a CISO's perspective, and one of the things I would do as a CISO is, full stop, we're going to go through, we're going to audit all of our code. We're just going to do static analysis, starting there. We're going to simultaneously ramp up a bunch of red teams, give them full access to all of our source code, and get them live-action production access to our servers, to do this as fast as they possibly can. But we're going to be doing these two things in parallel, if I was CISO. If you're a CISO and you're listening to this and something like this happens, if you're from Ivanti: hi, I'm a random person on the internet that you should probably listen to, or not, honestly I don't care, but you should be hiring a red team, a damn good red team. You should be doing a code audit all the way from the beginning all the way through the end, with them reporting all the way back up to you, but you need to be doing simultaneous red teaming with the red team getting full access to all effing source code right now. And your internal shop does it, but I go back to the question for Jay: for these vulnerabilities, you've looked at them, you've got the GitHub repository, do you think a static analysis or dynamic analysis tool would have helped with any of these vulnerabilities? Because like you said, many of them, I think Andrew said, you have to chain two of them together to gain access. Do you think it would have helped?

Yeah, I mean, I think honestly I do think it would have, and I think that's the question, you know, the question for Ivanti right now is, as we said, they bought this tool, they've bought a whole bunch of other things. We have a client right now who actually just hired us on a security architecture review to help give advice on a different Ivanti tool that isn't a VPN, and so in my mind, I do exactly that. So first, yes, I think SAST and DAST would help. Can you guarantee that SAST and DAST catch everything? No, but that's why that was a great example of, get a red team, get a red team going immediately, get a red team in, and also get your SAST and DAST work going. And of course the hard part, and I'm sure that someone over there is thinking about this, because it's been more than a month of finding these vulnerabilities, and Ivanti sounds stretched a little thin, to be honest, because when I was reading up on each of the vulnerabilities as they were found, initially Ivanti said, we're working on patches, here's some mitigations and workarounds; by the way, expect the patches to take a little bit, but we're going to try to create the patches for the appliance versions that have the greatest number of users first. So it's really taking them a while to create all these patches. They really don't seem to have the resources. Well, I have
A transcript here from the Super Bowl ad for Avanti next year uh they’re saying the first organization to ever make siza turn off the entire product that’s awesome pushing new ground we’re breaking as far as I know I don’t I don’t I’ve never that’s unprecedented
That I am aware of, I've never heard of CISA being like "turn it off now." I do know, not CISA, this predates CISA, but I know a long time ago there were Cisco networking devices, this would have been 2004 or 2005 I think, and there were specific serial numbers we had to go through. When I was working in the classified realm we had to go through and find those serial numbers because they believed that they had already been backdoored, and they were like, "shut these things down, even if they're in ops, even if they're in production, they need to be shut down immediately." That wasn't CISA, that was like a DoD thing. Was that public though, John? I can try to hunt it down. CJ might know because he was there at the same time, but that might have been a DISA directive at that point. I also know that DISA and the NSA have the approved low-risk software list, which is one thing, but they also have high-risk. There's certain software, like you're not going to get Kaspersky in. So there are situations where software does end up on the naughty list and has to get ripped out relatively quickly, or you need some type of plan of action and milestones for transitioning it out of your environment. Yeah, but this is an emergency directive. I don't think, at least since we've been doing the news, we've ever talked about this level. No, I agree.

The last thing I want to say on this: Rizza, we've got to highlight his job posting for the CISO at Ivanti. As is tradition on the show, we have a job posting for a Chief Information Security Officer: able to do minimal due diligence testing, five plus years of experience in accepting things as they are, and one day of experience with code analysis. $500k a year, that's pretty low, plus bonuses, plus like 1.5 in stock and whatever else. Yeah, this goes back to whoever took that role, especially whenever they bought the companies without doing due diligence on those companies. There wasn't due diligence. If you're acquiring a company you should demand a code audit, you should demand network threat hunting to see if that intellectual property is already being kicked out. But a lot of the companies that we work with that are trying to do mergers and acquisitions due diligence, they're like, "ah, but all that seems to take time, and that seems like it's going to cost us money, and we want their product right now, and we want our stock to go up, we need a new yacht." So it's like Veruca Salt in Willy Wonka and the Chocolate Factory, and then she gets sucked up into a tube and they're like, "how did this happen? The suspense is killing me, I hope..." "Shut down the Chocolate Factory right now, shut down the Chocolate Factory."

Well, do we want to pick on another... does anybody have any final point, or can we pick on another company? And once again, nothing but love for the people that are in the trenches at Ivanti, nothing but love for the CISO that's probably having to deal with not enough resources and getting blamed for all of this. If you were laid off from Ivanti and this is why, and you complained about this, please come on the show, we'd love to talk to you. We will use a voice changer and the Snapchat filter so no one can see you or hear you, but it'll be fine.
All right, all right, what's the next story we want to talk about here, folks? Pick one. Do we want to talk about the job board thing? If you want. Okay, go for it. So essentially, the way I see it, it's kind of a sea change, or I don't know what you want to call it. It's basically a new sort of information gathering technique specifically targeting job boards, and this actually crossed my radar in the data breach space. Someone a couple months ago posted a bunch of job boards, specifically targeting Israeli job boards, and you can imagine why that was. So this is kind of something I've seen before but never seen publicly talked about. This news article specifically is talking about them exploiting vulnerabilities, SQL injections and other attacks, against job posting websites and stealing people's resumés and other things and then posting them in Telegram channels. And the thing is, I guess this is an open question for the group: how much PII do you put in your resumé? Because I don't put... I mean, some people put their address. That's it, email, and that's it, that's what I tell everybody, only email. The resumés I see, it's emails, it's addresses, it's phone numbers. I mean, is an address PII? I'm pretty sure you can find my address. Yeah, I would put it in there.

For me, I looked at this in a completely different way. Last week I was doing the intro to SOC Core Skills and we were doing this job posting thing, and Jason does this amazing thing where you go to LinkedIn, you find the job you want, you find the skills that job requires and the technologies, and then you try to build your resumé to match that as much as you possibly can, ethically. I took it a step further in class, and I can't remember the name of the company, maybe someone that was in my class is on the news, but I basically did some basic Google hacking where it was like site:nameofcompany.com and then -www -investors minus this minus that, and after about four minutes we had found out that they used F5, we found out that they were a Fortinet shop because we saw the VPNs, we saw all these different things, all the way down to the login page for their F5 appliance that we were able to find hadn't been updated since 2017. And it was very interesting to me how we kind of walked through going to job postings on Monster.com and things like that, where you don't just look at the job posting for security, look at the other tech jobs. Stars, there we go, it was Stars. And look at these other job postings to learn the technology profile. All of that is straight out of Recon 101. Yeah, but these are candidates. These are candidates, yeah. The resumés for those candidates will say "I have previously worked at X company with F5." I see, you're saying I go, I download this data, I look for references to my target and see what they did in their previous job. I kind of want to do that now. I had never thought of that. That was my first thought. My other thought was using this to build resumés for fake individuals, to then... what does everybody have experience in, what do the best resumés look like, right? When I apply I want to be clearly better than everybody else so that they hire me, and now it's like an insider threat type deal. The best resumés have mustaches. Nice.

Well, and I think one of the other things to expand on is that it seems like it's not just that they stole resumés, they compromised a resumé hosting site, so in some instances they were able to get admin access on some of the compromised sites. So while we had that question of how much PII do you put on your resumé, that might be a small subset, but the data that you're giving in the job board... okay, so if somebody does want to contact you after you apply, and we have this middleman, we're the middleman here, what email does that go to? And that might be information that is okay, but now you have internal phone numbers of hiring companies, or you have the "look, I'm not sharing my email or phone number with anybody looking to hire me, but hey, this website can be a middle negotiator." You're right, it's so much worse than we outlined with the resumé. Some jobs when you apply, they require you to give an SSN, or they require you to do a credit check. I will say this article specifically talks about more resources in the Asia Pacific area, but we've personally seen, looking through data breaches for our customers, almost all of our customers have job posting websites. They use third party providers usually, and they will not enforce MFA for these things. They don't care, they're just random candidates, but you sign in as the candidate and you have access to their previous application, and then it has all the information they submitted with their application. So it's another level of "well, job hunting sucks," well, now it sucks even more.

But kind of in a different angle, at Black Hills we have customers all the time that are like "we're going to need a background check investigation for the testers that are going to be doing the assessment," right? And one of the things that we've been doing lately that works is, whenever these companies are like "yeah, we're going to need social security number, date of birth, local address for all of your testers that are going to be working this engagement," CJ started doing this crazy thing, because we're SOC 2 Type 2 compliant, and he's like, "that's great. Before I send that information to you, I need to make sure that I'm transmitting it securely, how are we going to do that? Number two, I need to know who's handling that data. Number three, I need to make sure that those people have had a background check investigation. And number four, I need to see your policies and procedures for handling that PII for our testers, and PHI in some situations, in your internal organization." And I would say over half the time the customers are like "no, we're good." It's like never answer a lawyer without a question, or always answer a lawyer with another question. Just keep them going. It's like "say I don't remember." Great. Well, if we're going to be giving you our sensitive information for our testers, I want you to have... And we do have customers, by the way, that have all of that stuff locked down. They've got great procedures, and we'll happily do that. But we've had some customers that literally go through, customers be like "BHIS is so hard to work with," that literally are just like, "yeah, I can kind of see the hypocrisy of this, like we want you to do all of this but we're not doing any of those things to protect this data." So it's getting better, but there are just so many organizations that just do not care about the people that they're interviewing and the information that they give.

I mean, just imagine, God forbid, that this recruit data includes recruiter notes on the initial screen. We outsource a lot of these initial screenings. I don't mean "we" as in the company I work for or anything, but as an industry a lot of us outsource initial screening, and recruiters do put in notes on why candidates pass, fail, etc. If that is part of the data set, that is insane to have leaked. Yeah, there's now more privacy stuff that's going to get out if somebody told the recruiter something that they wouldn't have put in writing, and also for the company using the screening recruiters that have the recruiter notes, the liability for anybody they didn't hire just went up. Heck, maybe the liability for the people they did hire. John, I love your approach there. I love the "oh, you want to background check us? We're going to need to background check you too."

Jay, we were talking, I think we talked briefly, you, me and Mike, about CREST certification and all these certifications in the industry, and there's a ton of them. Like I said, SOC 2 Type 2. I think Rainer just said, just to ensure, a SOC 2 Type 2 report includes hiring practice background checks, which means that a SOC 2 Type 2 report without exceptions is effectively third party validation that all staff passed a background check and all of that. So this gets into this weird thing where you want us to have this level of security as a company, and I agree, I think that we should have that, we need that, but it's got to be fair, right? You can't ask me to be SOC 2 Type 2 as a pentesting firm and then have me immediately violate my SOC 2 Type 2 for a third party. You can't have your cake and eat it too. And I would say, I said 98% of the time the customers totally get that, they're like "legit questions, good points," and then I love it when they come to us like "do you have any policy templates that we can use on this?" It's like, oh God, and we totally do, we totally will share it with them. SOC 2 Type 2 generic? It sounds like it, right? It sounds like some type of disease, which it totally is. It's basically the accounting industry imposing security standards on the industry, and it got picked up. And I do want to create, Kelly, I'm talking to you, I do want to create a security policy framework for accounting firms. Since they were so nice to us with SOC 2 Type 2, we should do the same to them and say these are the security requirements for accounting firms everywhere. I like it, John.

I do wonder, and this is a question maybe for the folks that are more on the compliance and legal side, is there a governance framework beyond just CCPA and GDPR that governs the deletion or automatic expiration of data inside of these candidate systems? Holy hell, Kelly, there are a ton of governance frameworks that a lot of people just don't talk about. There's specific data governance frameworks, there's governance frameworks for IT, there's governance frameworks for security, there's governance frameworks for organizations as a whole, but they've become very industry specific or they're siloed. There's an organization called ARMA that does a lot with records retention, and they've got their own data governance framework, but the American Association of CPAs, they've also come out with a data protection framework. So honestly, Andrew, you probably don't want to ask that question. But legally, as a candidate, if I'm job shopping, let's say hypothetically, and I apply through one of these clearing houses for jobs, how long can I expect that my information lives in that system if I do nothing? I just got hit up by CrowdStrike. I got hit up by CrowdStrike and I applied like seven years ago. I don't know, they had that information still. I'm sorry, you're saying you applied for a job seven years ago and they just called you back? It was because he saw the Super Bowl ad and they knew. And the job was like a bottom level job too, which was also kind of terrifying. That is so terrifying, the concept of this company just kept your resumé on file for seven years and someone actually read it. Like, what? That had to be a glitch. Let's just say it was a phish and move on.

Let's talk about Linux. Let's talk about Linux. Linux is secure, it's open source, God, nothing's bad, everything's fine.
I've got to find this article. Is this the one? Okay. This is my take on this. So basically, for the people that don't know what we're talking about, there's a shim vulnerability that impacts almost all Linuxes, and the best part is this is Linux's Microsoft moment, and the best, best part is that it was revealed, or disclosed, by Microsoft security researchers. Yeah. And why I say it's their Microsoft moment is because essentially it's a feature that no one asked for, which is adding HTTP into the bootloader. Does anyone know why this is a thing? It has to be in the bootloader because the bootloader has to be able to grab preseed files for various things and then pass those on to second stage. So any automation that's ever worked, ever, has to be able to have HTTP as a protocol inside of stage one. Okay, fine, maybe it's not so Microsoft, because it is a feature that sounds somewhat legitimate that people would use, but it's been in old GRUB2 forever and ever, and in LILO. Yeah. So there are patches out for this, so TL;DR, patch your Linux stuff. The exploit conditions are pretty specific, is that right? Like you need either man-in-the-middle or local access to write EFI, is that correct? I have no idea, I haven't read this one at all. Anyone else? I was mainly asking Andrew because it sounded like he read it. Yeah, it sounds like he knows. I love that WhiteCyberDuck says "Andrew is so smart," but I'm actually not smart, I've just written lots of automations that build Linux systems for training classes I make, and that is the entirety of my understanding here. Well, congratulations, that makes you an expert. Yeah, if you're not smart, I'm screwed.

So I do want to call out, this is being addressed directly by the big vendors: Debian and Red Hat, SUSE and Ubuntu. It's going to be picked up and fixed very, very quickly. I love the CVSS score, it was 9.8. John, did you just say it's going to be fixed very quickly? I think it will by the vendors that are out there, but then you get into the embedded... hold on, because I'm still on Ubuntu 12.04. Dude. Oh dear God. I'm just kidding, no, I'm just kidding. But seriously, okay, so I guess this is a question for the group, but is it just me, or is patching Linux, because Linux is typically used as workhorses, right, these are the compute servers, so from my perspective there's one of two extremes: one, your Linux is deployed and then burned down and then deployed and then burned down like five times a day, or it's the same box that hasn't been touched since like 1993, and if you touch it... you know, the guy retired that used to maintain it, so you can't touch it. I don't know.

So what I want to know is, in a stage one exploit, if you're retrieving something via HTTP, how do you initialize networking? Because generally in stage one you don't have IP stuff yet. I think it's like... yeah, I mean, stage one of a boot is usually really tiny. Yeah, it's a shim, a teeny, teeny tiny shim. So are they actually putting a patch in there that's initializing a full network stack and getting an IP address? It looks to me like HTTP boot is in that stage one though. So I used to manage a bunch of Linux machines that were in a cluster and we used TFTP to boot the system, so it reads kind of like that, right, all the nodes. So if you're booting off of HTTP then the attacker would have to man-in-the-middle that traffic to theoretically send the payloads in, and so it seems like that even though it has a high score, the use cases for this are kind of, I wouldn't say limited, but it's not like it's remote code over the internet and you break in, right? Correct, yeah, it's local or MITM.

So here's what Eclypsium went through, and by the way, shout out to Eclypsium and Paul Asadoorian. Who's that? Eclypsium: "In a hypothetical attack scenario, the threat actor on the same network could leverage the flaw to load a vulnerable shim bootloader, or a local adversary with adequate privileges could manipulate the data on the EFI partition." Which, if you're manipulating data on the EFI partition, you're effed anyway, you're done. "An attacker could perform a man-in-the-middle attack and intercept the HTTP traffic between the victim and the HTTP server used to serve the files to support HTTP boot. The attacker could be located on any network segment between the victim and the legitimate server." But I'm willing to bet the more useful scenario would be layer two. So I don't know, I mean, this is not something that's remotely exploitable, yet. You definitely have to be on the exact same network, layer two, or somewhere in between the HTTP boot server. This is neat, but I'm not going to freak out over it. I'm going through this once again: if the attacker is sitting on that local network with you, right, if they're on the same network, something catastrophically bad has happened. Now I'm not saying don't panic, I'm saying let's be very calm, let's be very collected, let's get our stuff patched, we're going to do that, but I don't think we should look at this and be like "oh my God, Linux is complete garbage, they have this critical vulnerability and we shouldn't be running Linux," because we can go over link-local multicast name resolution, NetBIOS name services, mDNS, there's tons of things that you can do at layer 2, Yersinia, Loki style attacks, just tons of tools out there. This is just going to be another type of attack vector once you're on that network segment for Linux systems that reboot, or hell, if you get access to a Linux system with root level privileges to write to the EFI partition, I guess the world's your oyster.

Oh, you don't PXE boot on the internet, John? No, I try not to. I tried to give that up last week. So okay, and there's a little bit of confusion, I don't know if anyone knows, we might just be making things up, but PXE doesn't use HTTP, does it? No, no, no, this sounds like it uses TFTP, doesn't it? It's in the same... PXE uses TFTP, but I think this in particular is a good Rubber Ducky or Flipper Zero kind of attack: if you can trick something into rebooting and then you can control the arguments to the bootloader. And a lot of people, believe it or not, to this day still don't protect their bootloaders, not encrypted, right? You do full disk encryption, but the bootloader is unprotected. Yeah, so you can still bypass it. But I mean, if you're doing full disk encryption on the boot volume, all you've done is you've given over potential control of that endpoint to an attacker, right? But that PXE boot attack, if network boot is enabled on devices, you can run that PXE boot attack and you can basically push your own image via TFTP and push Kali instances to those systems, gain access to the hard drive. This has been an attack methodology that's been out there for a long time. It's very rarely, if ever, used. Like, I know of zero actual attacks in the wild that were using it, and I could be wrong, I mean, I don't see the millions of attacks that are out there on the internet, but even pentesting, how often do we take advantage of PXE boot? And there's some very good reasons why we don't. Yeah, that goes in the list of the webcasts we were going to do of things we're not allowed to do during a pentest. Don't do this. Most definitely.

So okay, what you're saying, John, is that it's not the year of the Linux desktop, because it seems like the main way to exploit this would be if you were actually running this, like Andrew said, on a client device. If your laptop got stolen, if you're running Linux on your laptop or whatever and it got stolen, then someone now can fully compromise the system. So that's the scary part of it, but they can't if it's actually encrypted, hard drive encryption. You can still PXE boot, but you're not going to get access to that encrypted hard drive. And once again, I think one of the main reasons why we don't do this, and this is kind of what you were getting at too, Corey, is we don't do this because there's a very strong possibility that you will smoke a network device or something on that same network in a way that you don't want to bring that down. It's kind of like a type of attack that has uncontrolled consequences. It's like with Responder: whenever you fire up Responder, WPAD is off by default for web proxy auto-detection attacks, not because it's a crappy attack or it doesn't work, it's off by default because it's so effective that it'll bring entire enterprises to their knees. So it's off by default for very good reason. So this type of attack, well, I agree, it's absolutely... we've got to patch it, we've got to fix it, agreed 110%, but you shouldn't be up until 2 o'clock in the morning trying to patch your crap tonight. Like, John, if I can write a malicious bootkit, I can get your full disk encryption password. 100%, yes. Just keep that in mind, because if I can deploy... whatever type of encryption that you're using and how that key is implemented on the data, no, I'll just deploy a bootkit that harvests your key. That's my thing. Full disk encryption aside, I think about this much more as a kiosk attack. If I walk up to a cool display, like the Promenade in Las Vegas, and it happens to be running Linux and it happens to have a USB port I could gain access to, plug in a Rubber Ducky or something, I could take over that kiosk relatively effectively with a totally controlled boot through stage one. As long as we're in Vegas looking at these kiosks, I hope you'll give me odds here, but I think eight times out of ten it's not going to be set up with Secure Boot in the first place. Probably, you could just... well sure, we could all acknowledge that if it's a kiosk it's probably not even UEFI. Probably not, yeah. I mean, if it's an airport it's Windows. There's a bunch of different scenarios for this, but shst just said "does this kiosk look like a giant Flo? Can't wait." News, right? Yeah, no, I think I want to go to DEF CON and Black Hat this year. Like, if I was running that globe, I don't think it's going to get compromised, but I can totally see it. It was up last year, and the joke... yeah, it was there last year, of death. Everyone kept joking that oh, it's not working 'cause hackers, but as far as I know that was all just rumor, I don't think... Holy hell.

Do we want to talk about the Flipper Zero since we're talking about this stuff? Yeah, we should talk about it. Wait, I thought we had a great link in for defeating BitLocker encryption, or for that matter probably Linux encryption, to pull this encryption where the decryption key's on the TPM.
Yeah, can we pop the link up? There we go. This is the link for Flipper Zero, man. Okay, oh, Jay, we kind of pivoted to the Flippers. Pivot, okay, yeah. We'll come back to it. So yeah, basically, for the Canadians that aren't in the room, yeah, Canada is banning, I think it's... did ban, like I think it's done, as far as I know it is banned, supposedly because of car theft. I guess car theft is really bad and there's some issues with the penal code in Canada where car theft isn't really seen as a very severe crime, so people are able to just do it again and again without any kind of repercussions. But I guess, is this the way to address it? It doesn't feel like it is. But it absolutely is, I think this is the right way to do it. Sarcasm. Banning... I love the quote: "Today I announced that we are banning the importation, sale of consumer hacking devices like Flipper used to commit these crimes." It's like, so there go Raspberry Pis, there goes everything from Hak5, there go notebook computers. We should stop. Wait, you can steal a car with a Pwnagotchi? Does it get a really big smile on its face? A USB drive, you can steal a car with a USB drive. We're good. You can steal a car with a screwdriver, are they going to ban that? Are they going to ban the Steam Deck? HackRF One, HackRF One has got to be... you've got to ban Ettus boards, you've got to ban Ettus, you've got to ban HackRF, Michael Ossmann's going to be crying.

Okay, devil's advocate, devil's advocate. Here's a question I have: are the people using Flippers to steal cars smart enough to build their own with a Raspberry Pi? Like, is it like you find anything on eBay? I think that people that are stealing cars are smart enough to work with a group that can replicate that functionality that a Flipper Zero has. You ban the Flipper Zero, somebody's going to develop another device that's called "Totally Not a Flipper Zero," and then they're going to go... it's just, you know, Canadian... not Canadian, the German cyber crime law, I think it's like 302 or 202c, that was basically banning the import, creation, yielding or distribution of tools used in cyber crimes, right? That was the law, and then it got pushed all the way up to the German federal constitutional high court, and they basically said, well, it's tools created with malicious intent. It's like, what the hell is this, Medin's doll? What, Tim... is this Medin's... Tim Medin's doll example? I don't know, maybe. Does he have a doll that's got a Flipper Zero shoved up its ass or something? Which, by the way, we need to get that on the... That's called a puppet. That's called a puppet, yeah. So a couple years ago Tim Medin had an animated doll, and the doll was actually banned in Germany under that same law you're talking about. So one of Tim's favorite tricks is he would put the doll in the middle of a hallway at a big conference center and he would make the doll talk and say really scary, naughty things, and he was... like you'd walk by it and it would normally say like "I like you, give me..." and instead it would say "teach your children to worship Satan," like different MP3 audio files. I remember this. I thought Josh Wright was involved in this too. Yeah, it sounds like it could be, yeah. I was trying to... I have an ESP32, a couple people mentioned the ESP32s, I've got one of those in a box next door. Those are awesome, yeah.

Are you based in Canada? Because if so, you're committing a crime right now. I'm just kidding. I'm not in Canada. I will say, conspicuous watch, Jay, like I go... I know, it's very "Inc. the hacker" here. Yeah, yeah. So I go to CanSecWest every year, and this last year I had to decide whether to leave my Flipper behind, and I was like, yeah, I'm not going to go through customs with the Flipper Zero, because law enforcement keeps making all kinds of noises about deciding that Flipper Zero is the equivalent of lock picks. Now that's an interesting thing, because aren't there some states, I'm not 100% certain, but aren't there some states that have laws that if you have lock picks you have to have some type of certification or something to justify it? You have to have a license in Virginia to carry lock picks, as an example. Yeah, and one of the fun things is that, at least in Wisconsin, you have to be recognized as a locksmith, but there is no statewide governing body for locksmiths, and in some cases it can be like, I just have a card that says I'm a locksmith and they're like, good enough. It's like the Ron Swanson authorization note: I can do what I want.

Years and years ago, I think it was DerbyCon 2 I was flying out to, and I was in JFK in New York City and I had a full lock pick set and a Kwikset and Schlage lock, and I had all this stuff because I was trying to learn lock picking and it was something I could do on the airplane that wasn't just watching TV. So I go through customs, or not customs, I go through the TSA, and someone's like, "excuse me, you have a bunch of lock picks," and I'm like, they're all under the size, they aren't an edged device, they are legal. And he said, "do you have any type of license that proves that you need this for your job?" I still had my CISSP business card. Back in the day ISC² would give you this little credit card sized thing that was your CISSP certification with your name and your certification number on it, and I kept that in my wallet. I totally pulled that out, handed it to him, and I said, "hey, I'm a Certified Information Systems Security Professional," and he was basically like, "you're good to go, thank you very much, sir," and that was it. That was a good enough certification for him at that time. So we actually had this happen at Deadwood. Right after Deadwood I was flying through the airport with Jeff McJunkin and he had the bag with 40 lbs of locks and picks in it because he was going to Germany, and TSA opened the bag and they said "why do you need this many locks and lock picks?" and he just said "because I'm a teacher," and they just looked at him and they were like, okay, good enough for us. That was it. I was just going to mention Jeff, because he sent, I remember on one of his flights, he sent a picture of sitting at his seat on the plane with a big pile of Master locks, just tons of them, and a set of lock picks. He's like, "this is what I'm doing on the plane." I'm going to tell you, if you just heard Jay say that, don't be like Jeff McJunkin. It's cool that Jeff does that, right, but if you think you'll get away with it, you won't, because if somebody comes up to Jeff McJunkin and they're like "excuse me, sir," Jeff will just look at them and immediately they melt. They're like, there's no way this guy is a bad person. He's one of the nicest people you will ever meet in your entire life, and Jeff McJunkin has Jeff McJunkin magical powers you do not have. I know this because I've had pilots literally confiscate my locks mid-flight and hand them back to me when I got off the airplane. So I think we call it JME nowadays: JME, Jeff McJunkin Energy. Jeff McJun... there we go, JME. Oh, we need a shirt.

Okay, back to the Flipper thing. I mean, where is this going to go? Is it going to get struck down? Is there going to be like a Second Amendment, like whatever the National Flipper Association is going to start lobbying the Canadian government? Is this going to get a lot of kickback, or are Canadians just going to be like, this is fine, everything's fine? What is going to be... is there a lot of backlash? I don't mean social media... I've seen some clever ridicule of this with the... it's like, okay, so you can attach a module to it to do something, and somebody literally attached a module that had a bike key on it and they go "oh look everybody, you can now use a Flipper Zero to steal a bike." And oh, they just taped it on or something? Yeah, they just taped it on, like "look at this module that allows it to do something." And I think they were making that argument that adding on non-standard features to the Flipper Zero, because it's like even with the Apple BLE spam, that was something that you needed that custom firmware and that dev mode to do in order to be able to broadcast on those frequencies. The same for the car replay attacks, it's locked by default on the Flipper Zero, you need to unlock that, you need to do some additional modifications. So I think there was that argument of, what amount of modifications now puts the onus on... the device is bad, it goes right back to you. You can use GNU Radio, you can use HackRF One, you can use an Ettus board. Ban the radio waves, and the replay of radio waves, that's what they're going to do. That's what they're going to do, that's where we're headed. They have rolling codes. This goes back to, this is a whole other conversation, probably a webcast: I really give props to Europe and CREST for creating their own pentesting certification, that's great. We do need some type of pentesting group that can lobby against this type of stupidity. But Canadian... yeah, maybe we need to do another road trip, y'all. Like we went to Adele, we did Security Awareness Con, I can't remember what the... but we went to... we should go to Ontario. I think we need to go right to Canada and we need to talk about what the Flipper is, how security professionals use the Flipper, and really try to do an awareness thing, and not trying to be like [ __ ] about it, but honestly doing it from an awareness and education perspective. Yeah, that actually works. Hit us up, Talkin' About the News, go to Canada, I love it. Z, let's make it happen, folks. Do first... what's that? March 15, Vancouver. If only I knew somebody who knew somebody at CanSecWest that could get us an evening thing. What are the odds that they would jail a bunch of Americans and detain us with Flipper Zeros? Pretty high. I'm not worried about them, I'm worried about coming back into the States, to where they're like "so tell us about this talk that you gave on Flippers." We're just permanently Canadian citizens then, if the US doesn't let us back in. Head over to Windsor, pop on in, pop back out. What? I thought... I live in Wisconsin, Wisconsin's close enough. All right, we're Flipper Zeros though. Thank you all for coming. We're spiraling into trying to figure out how to get into Canada with a bunch of Flipper Zeros. Thank you so much, and we'll talk to you all next week.