Brakeing Down Security Podcast Blog: April 2019

“According to new research by Simon Scannell, a researcher for PHP Security firm RIPS Tech, when WooCommerce is installed it will create a Shop Manager role that has the "edit_users" WordPress capability/permission. This capability allows users to edit ANY WordPress user, including the Administrator account.”

“https://blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce/”

You (Kevin) discovered the admin accounts, but could not remove them. Was that when you considered this an ‘incident’?

Timeline:
“[2019-03-22 09:03 EST] Kevin assigns members of the Secure Ideas team with reconnaissance and mapping of the AoM system. Kevin reminds these members that Secure Ideas doesn’t have permission to test AoM. They are advised not to do anything that could harm the AoM’s production environment.”

What is the line they should not cross in this case?

You did not have access to logs, you asked that an audit plugin be installed to be able to view logs. Is that permanent, and why did they not allow access to logs prior to?

[2019-03-22 13:11 EST] AoM Support fixes the audit log plugin access. AoM Support has found that a purchase of a course through a Woocommerce plugin resulted in users being granted admin access. AoM Support provides specific order numbers. They have also done an analysis of the database backups from the last 60 days and believe that the attackers did not do anything after they got access. AoM Support announces that the Secure Ideas training site will be set up on a separate server and Secure Ideas will be granted a new level of access.

Seems like working with AoM wasn’t difficult. Was giving you access to your own instance, and allowing you to administer it a big deal for them?

Lessons Learned? Anything you’d do differently next time?

Update IR plan?

Did they reach out for additional testing?

Did the people who got admin get removed?

Consult with AoM on better security implementation? Your env wasn’t damaged, but did they suffer issues with other customers? *answered*

https://www.wordfence.com/

https://en.wikipedia.org/wiki/Gremlins

Gas Station skimmer video - https://www.facebook.com/michellepedraza.journalist/videos/2135141863465247/

https://www.helpnetsecurity.com/2019/04/12/cybersecurity-incident-response-plan/

https://www.guardicore.com/2018/11/security-incident-response-plan/

https://www.zdnet.com/article/security-risks-of-multi-tenancy/

Upcoming SI events

IANS forum (Wash DC)

ShowmeCon

Webcasts

ISC2 security Congress (Wash DC)

Patreon

Slack

Twitter handles

iTunes

Google

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel: http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site: https://brakesec.com/bdswebsite

#iHeartRadio App: https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Here is a new episode of Brakeing Down Security Podcast!

Sunday, April 14, 2019

2019-014-Tesla fails encryption, Albany and Sammamish ransomware attacks.

Announcements:
WorkshopCon Training with SpecterOps and Tim Tomes

www.workshopcon.com

redteam operations with SpecterOps

PWAPT with Tim Tomes

Source Boston: [Boston, MA 2019 (April 29 – May 3, 2019) (https://sourceconference.com/events/boston19/)Trainings: April 29 - April 30, 2019 | Conference: May 1 - 3, 2019

Cybernauts CTF meetup in Austin Texas at Indeed offices, 23 April at 5pm Central time.

https://nakedsecurity.sophos.com/2019/04/02/wrecked-teslas-hang-onto-your-unencrypted-data/

My last car sync’ed the contact list.

Video is a different story, but safety for the vehicle and owner, they’ll probably continue to store it.

Telemetry data is for changing road conditions, navigation, etc

Enable encryption at rest… or pop a fuse to scram the data when/if an accident is detected

Level of difficulty, no fuse, requires hardware upgrade

Encryption at rest, ensuring HTTPS on all incoming/outgoing.

https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/

Annoying “do you want notifications from this site?”

Like an annoying RSS feed… ‘Hey, we added a new banner ad!’

https://www.phoronix.com/scan.php?page=news_item&px=Linux-Improve-CPU-Spec-Switches

Why add the switches to allow vulnerabilities?

Slippery slope --disable-dirtycow?

https://www.bleepingcomputer.com/ransomware/decryptor/planetary-ransomware-decryptor-gets-your-files-back-for-free/

https://www.wamc.org/post/details-still-few-city-albany-s-ransomware-attack

Threat intelligence and software detections…

Got an email… *Story Time from Mr. Boettcher*

Twitter: why do companies not allow copy/paste in password fields? Tesla

Here is a new episode of Brakeing Down Security Podcast!

Sunday, April 7, 2019

2019-013-ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 2

Announcements:

SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com

Rob Cheyne Source Boston - https://sourceconference.com/events/boston19/

Austin Cybernauts meetup - https://www.eventbrite.com/e/cybernauts-ctf-meetup-indeed-tickets-58816141663

SHOW NOTES:

Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.

https://github.com/OWASP/ASVS

“is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. “

#ASVS team:

Daniel Cuthbert @dcuthbert
Andrew van der Stock
Jim Manico @manicode
Mark Burnett
Josh C Grossman

https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf

https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx

https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing

https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf - old version

http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3 - Older BrakeSec Episode

ASVS Page 14 - “If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture.”

What are the biggest differences between V3 and V4?

Why was a change needed?

https://xkcd.com/936/ - famous XKCD password comic

David Cybuck: Appendix C: IoT

Why was this added?

These controls are in addition to all the other ASVS controls?

How do they see section 1 architecture and section 14, configuration --- in the context of rapid deployment, infrastructure as code, containerization.

You added IoT, but not ICS or SCADA?

https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project

BrakeSec IoT Top 10 discussion:

http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3

http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3

Seems incomplete… (Section 1.13 “API”)

Will this be added later?

What is needed to fill that in? (manpower, SME’s, etc?)

3 levels of protection… why have levels at all?

Why shouldn’t everyone be at Level 3?

I just don’t like the term ‘bare minimum’ (level 1)--brbr

Threat modeling blog (leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling