Black Hills Information Security show

Black Hills Information Security

Summary: Download and listen to our weekly infosec podcast where we discuss the latest attacks, breaches, and how they happened and why. We’re a team of penetration testers (ethical hackers) and friends that love how new technology can be broken and made to do things it was never intended to do.


Podcasts:

 Talkin’ About Infosec News – 3/4/2022 | File Type: audio/mpeg | Duration: 56:26

ORIGINALLY AIRED ON FEBRUARY 28, 2022
Articles discussed in this episode:
00:00 – PreShow Banter™ — Off-Brand Trickx
00:43 – BHIS – Talkin’ Bout [infosec] News 2022-02-28
02:40 – BHIS Anti-Vigilante PSA
04:17 – Biden has been presented with options for massive cyberattacks against Russia – https://www.nbcnews.com/politics/national-security/biden-presented-options-massive-cyberattacks-russia-rcna17558?mc_cid=e57638ad42
09:46 – Russia has been preparing to have its internet cut off – https://qz.com/2133643/russia-has-been-preparing-to-have-its-internet-sanctioned/
12:45 – Conti ransomware gang chats leaked by pro-Ukraine member – https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/
14:43 – ‘Hundreds of computers’ in Ukraine hit with wiper malware as conflict continues – https://www.theregister.com/2022/02/23/ukraine_wiper_malware/
18:04 – NVIDIA Hit By Major Cyberattack That May Have ‘Completely Compromised’ Parts of Its Business – https://wccftech.com/nvidia-hit-by-major-cyberattack-that-may-have-completely-compromised-parts-of-its-business/
22:28 – A SWIFT discussion (no article)
28:59 – Russia started blocking Tor – https://ooni.org/post/2021-russia-blocks-tor
32:28 – Elon Musk pledges to send Starlink terminals to Ukraine – https://finance.yahoo.com/news/elon-musk-starlink-ukraine-174449866.html
36:10 – Insurance giant AON hit by a cyberattack over the weekend – https://www.bleepingcomputer.com/news/security/insurance-giant-aon-hit-by-a-cyberattack-over-the-weekend/
46:02 – People & orgs providing FREE cyber services to Ukrainians – https://twitter.com/chrisculling/status/1497023038323404803?s=21
52:39 – Threatbutt Internet Hacking Attack Attribution Map – https://threatbutt.com/map/
We are self-publishing free Infosec Zines called PROMPT#.

 Talkin’ About Infosec News – 2/11/2022 | File Type: audio/mpeg | Duration: 51:37

ORIGINALLY AIRED ON FEBRUARY 7, 2022
Articles discussed in this episode:
00:00 – PreShow Banter™ — I’m a Rocket Mail
01:21 – BHIS – Talkin’ Bout [infosec] News 2022-02-07
02:18 – Story # 1: Be Careful When Sharing Data in Photos – https://twitter.com/amateuradam/status/1490394034900197388
03:44 – Story # 2: China-Linked Group Attacked Taiwanese Financial Firms for 18 Months – https://www.darkreading.com/threat-intelligence/china-linked-group-attacked-taiwanese-financial-firms-for-18-months
20:56 – Story # 3: Microsoft to block internet macros by default in five Office applications – https://therecord.media/microsoft-blocks-internet-macros-by-default-in-five-office-applications/
28:11 – Story # 4: Apple’s Privacy Measures to Cost Facebook $10 Billion in 2022 – https://www.macrumors.com/2022/02/03/facebook-10-billion-in-2022-apple-measures/
47:27 – Noisy browser plugin – https://noiszy.com
51:15 – Cool Leather Jackets
We are self-publishing free Infosec Zines called PROMPT#. PROMPT# will contain:
Infosec articles
Challenging puzzles
Comic book based on real-life hacking adventures
Coloring contests
Bonus Backdoors & Breaches Consultant Cards (print version only)
Other stuffs
You can check out current and upcoming issues here: https://www.blackhillsinfosec.com/prompt-zine/

 Talkin’ About Infosec News – 2/4/2022 | File Type: audio/mpeg | Duration: 1:01:42

ORIGINALLY AIRED ON JANUARY 31, 2022
Articles discussed in this episode:
00:00 – PreShow Banter™ — Legions of the Undead
01:26 – BHIS – Talkin’ Bout [infosec] News 2022-01-31
04:06 – Story # 1: Hacktivists say they hacked Belarus rail system to stop Russian military buildup – https://arstechnica.com/information-technology/2022/01/hactivists-say-they-hacked-belarus-rail-system-to-stop-russian-military-buildup/
08:46 – Story # 2: Ukrainian government calls out false flag operation in recent data wiping attack – https://therecord.media/ukrainian-government-calls-out-false-flag-operation-in-recent-data-wiping-attack/
11:18 – Story # 3: Ukrainian cyber defense in need of upgrades as tensions rise – https://therecord.media/ukrainian-cyberdefense-in-need-of-upgrades-as-tensions-rise/
17:32 – Story # 4: DoD weapons testers to assess cybersecurity of GPS satellites, ground system, and user equipment – https://spacenews.com/dod-weapons-testers-to-assess-cybersecurity-of-gps-satellites-ground-system-and-user-equipment/
24:50 – Story # 5: FBI Reportedly Considered Buying NSO Spyware – https://www.govinfosecurity.com/fbi-reportedly-considered-buying-nso-spyware-a-18407
28:02 – Story # 6: Hacking the Apple Webcam (again) – https://www.ryanpickren.com/safari-uxss
30:36 – Story # 7: Microsoft Teams users can now chat with any Teams user outside their organization – https://techcommunity.microsoft.com/t5/microsoft-teams-blog/microsoft-teams-users-can-now-chat-with-any-teams-user-outside/ba-p/3070832
34:11 – Story # 7b: https://twitter.com/rucam365/status/1487861808081915906
38:15 – Story # 8: Lazarus hackers use Windows Update to deploy malware – https://www.bleepingcomputer.com/news/security/lazarus-hackers-use-windows-update-to-deploy-malware/
41:38 – Story # 9: Elon Musk Tried To Pay A Teen Thousands Of Dollars To Stop Tracking His Plane –

 Talkin’ About Infosec News – 1/27/2022 | File Type: audio/mpeg | Duration: 51:22

ORIGINALLY AIRED ON JANUARY 24, 2022
Articles discussed in this episode:
00:00 – PreShow Banter™ — The Monkey Dance
00:25 – BHIS – Talkin’ Bout [infosec] News 2022-01-24
01:49 – Story # 1: New Log4j attacks target SolarWinds, ZyXEL devices – https://therecord.media/new-log4j-attacks-target-solarwinds-zyxel-devices/
08:18 – Story # 2: New MoonBounce UEFI bootkit can’t be removed by replacing the hard drive – https://therecord.media/new-moonbounce-uefi-bootkit-cant-be-removed-by-replacing-the-hard-drive/
13:18 – Story # 3: Crypto.com finally confirms major hack, says it lost $34 million – https://therecord.media/crypto-com-finally-confirms-major-hack-says-it-lost-34-million/
15:53 – Story # 3b: Coinbase Hack – https://www.bleepingcomputer.com/news/security/hackers-rob-thousands-of-coinbase-customers-using-mfa-flaw/
21:47 – Story # 4: Hackers From North Korea Stole Millions Of Dollars From Cryptocurrency Startups All Across The World. – https://cyberworkx.in/2022/01/17/hackers-from-north-korea-stole-millions-of-dollars-from-cryptocurrency-startups-all-across-the-world/
26:42 – Story # 5: Mixed Messages: Busting Box’s MFA Methods – https://www.varonis.com/blog/box-mfa-bypass-sms
35:06 – Story # 6: School District reports a 334% hike in cybersecurity insurance costs – https://www.bleepingcomputer.com/news/security/school-district-reports-a-334-percent-hike-in-cybersecurity-insurance-costs/
38:42 – Story # 7: Europol takes down VPNLab, a service used by ransomware gangs – https://therecord.media/europol-takes-down-vpnlab-a-service-used-by-ransomware-gangs/
42:12 – Story # 8: Why this threat intelligence expert believes cyberattacks aren’t Ukraine’s biggest concern – https://therecord.media/why-this-threat-intelligence-expert-believes-cyberattacks-arent-ukraines-biggest-concern/
Check out the CoinSecPodcast.com

 Talkin’ About Infosec News – 1/21/2022 | File Type: audio/mpeg | Duration: 1:04:55

ORIGINALLY AIRED ON JANUARY 17, 2022
Articles discussed in this episode:
0:00:00 – PreShow Banter™ — Whose Ears Are Burning?
0:01:06 – BHIS – Talkin’ Bout [infosec] News 2022-01-17
0:02:27 – Story # 1: Russia takes down REvil hacking group at U.S. request – https://www.reuters.com/technology/russia-arrests-dismantles-revil-hacking-group-us-request-report-2022-01-14/
0:07:00 – Story # 2: White House: Arrested Russian hacker was behind Colonial Pipeline attack – https://www.reuters.com/technology/russia-arrests-dismantles-revil-hacking-group-us-request-report-2022-01-14/
0:09:29 – Story # 3: Hotel chain switches to Chrome OS to recover from ransomware attack – https://therecord.media/hotel-chain-switches-to-chrome-os-to-recover-from-ransomware-attack/
0:15:22 – Story # 4: QNAP issues ransomware warning to users – https://www.techspot.com/news/92909-qnap-issues-warning-users-secure-or-disconnect-unprotected.html
0:19:56 – Story # 5: Backdoor RAT for Windows, macOS, and Linux went undetected until now – https://arstechnica.com/information-technology/2022/01/backdoor-for-windows-macos-and-linux-went-undetected-until-now/
0:24:50 – Story # 6: Safari Bug Allows Websites to Track Your Recent Browsing Activity in Real Time – https://www.macrumors.com/2022/01/16/safari-15-webkit-indexeddb-bug/
0:30:02 – Story # 7: New macOS vulnerability, “powerdir,” could lead to unauthorized user data access – https://www.microsoft.com/security/blog/2022/01/10/new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access/
0:35:26 – Story # 8: Revealed: UK Gov’t Plans Publicity Blitz to Undermine Privacy of Your Chats – https://www.rollingstone.com/culture/culture-news/revealed-uk-government-publicity-blitz-to-undermine-privacy-encryption-1285453/
0:36:52 – Story # 9: Apple under fire for iPhone encryption technology – Telegraph.co.uk – https://oltnews.com/apple-under-fire-for-iphone-encryption-technology-telegrap...

 Talkin’ About Infosec News – 1/14/2022 | File Type: audio/mpeg | Duration: 57:01

ORIGINALLY AIRED ON JANUARY 10, 2022
Articles discussed in this episode:
01:58 – Story # 1: WordPress Core Vulnerabilities – https://www.searchenginejournal.com/wordpress-core-vulnerabilities/432042/#close
11:32 – Story # 2: Card-stealing code on over 100 Sotheby’s luxury real estate sites – https://therecord.media/card-stealing-code-found-on-more-than-100-sothebys-luxury-real-estate-sites/
14:55 – Story # 3: France hits Facebook & Google with $210 million in fines – https://www.bleepingcomputer.com/news/legal/france-hits-facebook-and-google-with-210-million-in-fines/
22:14 – Story # 4: Pwn2Own, ShmooCon security conferences postponed due to COVID-19 surge – https://therecord.media/pwn2own-shmoocon-security-conferences-postponed-due-to-covid-19-surge/
24:48 – Story # 5: BREAKING! Cyber Threat Map – https://www.fireeye.com/cyber-map/threat-map.html
27:21 – Story # 6: Open source developer corrupts widely-used libraries – https://www.theverge.com/2022/1/9/22874949/developer-corrupts-open-source-libraries-projects-affected
34:38 – Story # 7: FTC warns companies to remediate Log4j security vulnerability – https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability
39:58 – Story # 8: Trojanized dnSpy app drops malware cocktail – https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/
45:33 – Story # 9: Norton 360 Cryptominer – https://krebsonsecurity.com/2022/01/norton-360-now-comes-with-a-cryptominer/
55:56 – Hot Takes and Sadness
Ready to learn more? Level up your skills with affordable classes from Antisyphon! Pay-What-You-Can Training

 Talkin’ About Infosec News – 1/7/2022 | File Type: audio/mpeg | Duration: 50:17

ORIGINALLY AIRED ON JANUARY 4, 2022
Articles discussed in this episode:
00:00 – PreShow Banter™ — Who’s Job Is It Anyway?
00:20 – BHIS – Talkin’ Bout [infosec] News 2022-01-04
01:58 – Story # 1: iLOBleed Rootkit – https://thehackernews.com/2021/12/new-ilobleed-rootkit-targeting-hp.html
08:39 – Story # 2: Firmware attack can drop persistent malware in hidden SSD area – https://www.bleepingcomputer.com/news/security/firmware-attack-can-drop-persistent-malware-in-hidden-ssd-area/
17:35 – Story # 3: OverWatch Exposes AQUATIC PANDA – https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
21:38 – Story # 4: Experts warn against storing passwords in Chrome – https://nypost.com/2022/01/02/experts-warn-against-storing-passwords-in-chrome/
42:16 – Official Report: Not Responsible for the Information Super Highway
Ready to learn more? Level up your skills with affordable classes from Antisyphon! Pay-What-You-Can Training Available live/virtual and on-demand

 Webcast: New Wave of Ransomware Attacks: How did this happen? | File Type: audio/mpeg | Duration: 1:46:54

This is a special joint webcast from the teams of Black Hills Information Security, Wild West Hackin’ Fest, and Active Countermeasures, presented by John Strand.

In this webcast, we cover the recent wave of attacks we are seeing, and we cover some of the history that got us to where we are. Consider this to be part 2 of the previous webcast I did on the topic. Available now on YouTube: https://youtu.be/wKAQB4Yp-k4?t=1669

Yep, we are going to talk about management and how to change their attitude on security. Yes, we will be talking about compliance. Of course, we will be talking about some simple actions companies can take to be better prepared.

I think it is important for us to talk through the history and see how we got to where we are in the industry. We have done a lot of tests over the years. We have seen technical and political patterns in “hard” and “easy” targets. We will talk about those as well. We may even talk about threat intelligence, just a little…

Want to level up your skills and learn more straight from John himself? You can check out his classes below!
SOC Core Skills
Active Defense & Cyber Deception
Getting Started in Security with BHIS and MITRE ATT&CK
Introduction to Pentesting
Available live/virtual and on-demand

 Talkin’ About Infosec News – 12/22/2021 | File Type: audio/mpeg | Duration: 57:09

ORIGINALLY AIRED ON DECEMBER 20, 2021
Articles discussed in this episode:
00:00 – PreShow Banter™ — Getting Nerdy With It
04:18 – BHIS – Talkin’ Bout [infosec] News 2021-12-20 – The Final Broadcast … of 2021
05:34 – Story # 1: Apple releases Android app to find rogue AirTags – https://therecord.media/apple-releases-android-app-to-find-malicious-airtags/
18:24 – Story # 2: A Summary of Sorts – The Tale of 2021
21:40 – Story # 3: Kronos hit with ransomware – https://www.zdnet.com/article/hr-platform-kronos-brought-down-by-ransomware-attack-ukg-warns-of-data-breach/
22:19 – Story # 4: 300,000 MikroTik Devices Found Vulnerable – https://thehackernews.com/2021/12/over-300000-mikrotik-devices-found.html
26:51 – Story # 5: WordPress Sites Under Cyberattack – https://thehackernews.com/2021/12/16-million-wordpress-sites-under.html
28:45 – Story # 6: Firefox password leak via Windows Cloud Clipboard – https://therecord.media/firefox-fixes-password-leak-via-windows-cloud-clipboard-feature/
36:33 – Story # 7: Android Application Testing Using Windows 11 – https://sensepost.com/blog/2021/android-application-testing-using-windows-11-and-windows-subsystem-for-android/
37:43 – Story # 8: Verizon overrides users’ opt-out – https://arstechnica.com/information-technology/2021/12/verizon-ignored-users-previous-opt-outs-in-latest-push-to-scan-web-browsing/
43:15 – Story # 9: Volvo cyber security breach – https://www.media.volvocars.com/global/en-gb/media/pressreleases/292817/notice-of-cyber-security-breach-by-third-party-1
Ready to learn more? Level up your skills with affordable classes from Antisyphon! Pay-What-You-Can Training Available live/virtual and on-demand

 Webcast: Intro to Ransomware and Industrial Control Systems (ICS) | File Type: audio/mpeg | Duration: 1:42:36

Ransomware attacks have been growing in popularity, especially in critical infrastructure. Due to the importance of critical infrastructure, the need to secure the environments is an impending issue. The technology used in ICS environments is sensitive and often based on older protocols. The desire for connectivity has created an opportune target for malicious actors.

Join Ashley in this adventure to learn about our critical infrastructure, the threats, and how to secure them. At the end of this BHIS webcast, you will have a better understanding of ICS infrastructure, how ransomware affects ICS, and how to protect against threats to ICS.

00:00:00 – PreShow Banter™
00:37:38 – FEATURE PRESENTATION
01:32:04 – Closing Q&A
Ready to learn more? Level up your skills with affordable classes from Antisyphon! Pay-What-You-Can Training Available live/virtual and on-demand

 Webcast: Hack for Show, Report For Dough: Part 2 | File Type: audio/mpeg | Duration: 1:59:10

Slides

At Black Hills Information Security (BHIS), we make our living doing pentesting, but we’ve never once been paid for a pentest. Penetration Testers get paid for their reports. For their explanations. For their story of the environment as it appears to an attacker. The scanning and testing and exploiting (and failing at those things) is nothing more than input for the report. So if the job of pentesting is all about creating a good report, why is it so common to hear how much testers hate reporting? Is there any way to make it all less difficult, or more attractive? Yes, there is.

Come see a better way to think about your report. See examples of common mistakes and missed opportunities in reporting and how you can do better. Consider how a small change in how you think about your report can make it easier to write. We’ll wrap up with a demonstration of how a little time exploring MS Word features can pay you back immediately in saved time, reduced frustration, and improved consistency. If you want to better understand what makes a pentest valuable and how you can make your own work more sought-after, come join us for this webcast.

Join us on the BLACK HILLS INFOSEC Discord server for live interaction with Jason and your fellow attendees: https://discord.gg/bhis
Part 1 at BSides Cleveland: https://youtu.be/NUueNT1svb8

00:00:00 – PreShow Banter™
00:48:07 – FEATURE PRESENTATION
01:44:37 – Closing, Questions & Answers
We think BB is pretty cool …but we might be biased. Why not find out for yourself and take a class with him? Modern WebApp Pentesting Available live/virtual and on-demand

 Talkin’ About Infosec News – The Floor is Java – 12/15/2021 | File Type: audio/mpeg | Duration: 1:03:42

ORIGINALLY AIRED ON DECEMBER 13, 2021
00:00 – PreShow Banter™
09:41 – FEATURE PRESENTATION: The Floor is Java – Log4Shell / Log4J
10:26 – Lets Jump In
11:31 – Oh No…
12:28 – None of This is New
15:36 – How Does This Work?
19:48 – Mitigations
21:48 – Find it on Hosts
23:54 – Hal Translator
25:25 – Find it on the Network
26:53 – Miners Beacon
28:24 – Great Write-Ups!
31:47 – Conversation with Q & A
Ready to learn more? Level up your skills with affordable classes from Antisyphon! Pay-What-You-Can Training Available live/virtual and on-demand

 Talkin’ About Infosec News – 12/09/2021 | File Type: audio/mpeg | Duration: 58:56

ORIGINALLY AIRED ON DECEMBER 6, 2021
Articles discussed in this episode:
00:18 – BHIS – Talkin’ Bout [infosec] News 2021-12-06
02:57 – Story # 1: Apple AirTag Car Thefts – https://www.macrumors.com/2021/12/03/airtag-linked-to-car-thefts/
11:04 – Story # 2: Ubiquiti dev charged for extortion – https://www.bleepingcomputer.com/news/security/former-ubiquiti-dev-charged-for-trying-to-extort-his-employer/
17:09 – Plug: Pay What You Can SOC Training – https://www.antisyphontraining.com/soc-core-skills-w-john-strand/
18:24 – Story # 3: U.S. State Department hacked with NSO spyware – https://www.reuters.com/technology/exclusive-us-state-department-phones-hacked-with-israeli-company-spyware-sources-2021-12-03/
24:15 – Story # 4: The rise of dark web design – https://theconversation.com/the-rise-of-dark-web-design-how-sites-manipulate-you-into-clicking-168347
33:46 – Story # 5: Researcher Found Way to Brute Force Verizon Customer PINs Online – https://www.vice.com/en/article/93bbpy/brute-force-verizon-pins-researcher-video
39:43 – Story # 6: Russia and China attacking US satellites with lasers and jammers – https://www.independent.co.uk/space/russia-china-attack-us-satellites-lasers-b1967516.html?utm_source=reddit.com
44:25 – Story # 7: Ransomware Takeaways: Q3 2021 – https://www.backblaze.com/blog/ransomware-takeaways-q3-2021/
49:36 – Story # 8: Microsoft prompts try to stop people downloading Chrome – https://www.theverge.com/2021/12/2/22813733/microsoft-windows-edge-download-chrome-prompts
50:36 – Story # 8b: Microsoft Edge will warn users about downloading Google Chrome – https://arstechnica.com/gadgets/2021/12/microsoft-edge-will-now-warn-users-about-the-dangers-of-downloading-google-chrome/
Ready to learn more?

 Fixing Content-Security-Policies with Cloudflare Workers | File Type: audio/mpeg | Duration: 15:39

Kent Ickler //

Background

Over four years ago now, I wrote a blog post on fixing missing Content-Security-Policy by updating configuration on webservers: https://www.blackhillsinfosec.com/fix-missing-content-security-policy-website/. Content-Security-Policies instruct a user’s web browser how it should behave on certain security considerations.

Oh, how times have changed. Here at Black Hills Information Security (BHIS), we’ve actually migrated webservers, hosting companies, security platforms — that list goes on and on. The “best practices” for Content-Security-Policies have changed in the last four years too. On our new hosting platform, we need to set up appropriate content security headers again. Since we now use Cloudflare for our CDN and WAF provider, we have some new opportunities for fronting our Content-Security-Policies outside of the web server itself.

Initial Testing

Before you go about updating your Content-Security-Policies, it’s good to have a clear picture of how your server currently handles/sends Content-Security-Policies. A good way to test this configuration is to use a third-party tool. We can use SecurityHeaders.io to scan our website’s Content-Security-Policy configuration.

Link: https://www.securityheaders.io

In the case below, we’ve had SecurityHeaders.io scan the WildWestHackinFest.com website.

That looks bad, right? Well, maybe. It is important to note that Content-Security-Policies are used to instruct the browser how to handle security concerns within the browser. This is critical on websites where there is user interaction and sensitive information being disclosed. For example, it would be imperative that a banking website, health records portal, or other user-interaction service have appropriate Content-Security-Policy headers. In the scenario where there is no user interaction or no sensitive information disclosed, it becomes less imperative that Content-Security-Policies be configured in a very secured state.

Here’s a good example of a “not-great” configuration scenario: The US Social Security Administration has a portal where users can login and access sensitive information about their account. The portal login landing page is https://secure.ssa.gov:

Alright, so that’s a picture of what not to do. If you’re looking to correct some of these issues, you have a couple methods afforded to you. The first is to read the blog from four years ago that demonstrates how to fix the issue by configuring your web server with the appropriate Content-Security-Headers. But there is another way.

Cloudflare Workers

Link: https://workers.cloudflare.com/

Cloudflare Workers are a serverless section of server-side-JavaScript that can perform actions or modify web traffic associated with a Cloudflare CDN/WAF protected site. In the case of our earlier example, https://wildwesthackinfest.com is a website that is served by the Cloudflare network. This allows us to use the Cloudflare Workers service to manipulate web traffic without having to update the backend (“origin”) web servers associ...

 Talkin’ About Infosec News – 11/26/2021 | File Type: audio/mpeg | Duration: 53:24

ORIGINALLY AIRED ON NOVEMBER 22, 2021
Articles discussed in this episode:
Story # 1: Chinese Team Up With Russia To Launch US Cybersecurity Assault – https://hothardware.com/news/chinese-hackers-team-up-with-russian-ransomware-gang
Story # 2: The FBI Got Hacked Over a Beef With a Guy Named Vinny? – https://www.thedailybeast.com/was-fbi-email-hack-just-an-elaborate-troll-of-a-guy-named-vinny-troia
Story # 3: Insurers run from ransomware cover as losses mount – https://www.reuters.com/markets/europe/insurers-run-ransomware-cover-losses-mount-2021-11-19/
Story # 4: Ransomware gangs rich enough to buy zero-days – https://www.zdnet.com/article/ransomware-gangs-are-now-rich-enough-to-buy-zero-day-flaws-say-researchers/
Story # 5: FBI Alert on FatPipe VPN Zero-Day – https://thehackernews.com/2021/11/fbi-issues-flash-alert-on-actively.html
Story # 6: Debunking worthless “security” practices – https://arstechnica.com/information-technology/2021/11/securing-your-digital-life-part-4/
Ready to learn more? Level up your skills with affordable classes from Antisyphon! Pay-What-You-Can Training Available live/virtual and on-demand
