September 27, 2021 26 mins

Welcome to the Security Chipmunks podcast where we talk about the development of cybersecurity skills. To stay up to date in today's world you need to be resilient, that’s why as Advanced Persistent Chipmunks we keep chipping away at it.


Getting hacked on FB - steps to take

  1. Secure your email account (change password, use MFA)
  2. Screenshots.
  3. Note IP addresses
  4. Log out other people
  5. Change FB pw & add MFA



https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution

https://arstechnica.com/information-technology/2021/09/travis-ci-flaw-exposed-secrets-for-thousands-of-open-source-projects/




Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
UNKNOWN (00:00):
Thank you.

SPEAKER_00 (00:05):
Welcome to the Security Chipmunks podcast, where we talk about the development of cybersecurity skills. To stay up to date in today's world, you need to be resilient. That's why as Advanced Persistent Chipmunks, we keep chipping away at it. My name is Miks Edna Johnson. I'm here with my co-host, Neil Smalley. Say hello, Neil.

SPEAKER_03 (00:26):
Hello.

SPEAKER_00 (00:27):
And my other co-host, Patrick Lowther.
Say hello, Patrick.

SPEAKER_02 (00:33):
Hello, Patrick.

SPEAKER_00 (00:35):
Wonderful. Glad to have you both here today. Now let's jump into it.

SPEAKER_03 (00:42):
Do you have the Twitter poll results today?

SPEAKER_00 (00:46):
Right. So we have Twitter poll results. On Twitter, we asked, how do you pronounce SIEM? S-I-E-M. And the options were SIM or SIEM. We had 19 people who voted. 19 cybersecurity professionals voted. And this was a close one. This was neck and neck, because I

(01:11):
would see it and it would change, and it would be like, sim is taking over, sim is taking over. And it ended with sim got 52% and sim got 47%. So there was like a one vote difference between the two. So looking at those results, I'm going to say

(01:35):
that the professionals are pretty torn on how to pronounce it. I do know that if you Google "how do you pronounce sim?", it says sim. But I would like to put in that if you have it as sim, there are other things that could be sim, like a SIM card.

(01:58):
And so sim is a little more distinct. You know that that is only going to be talking about the... secure infrastructure event management tools. So it's a little more distinct than SIEM.

SPEAKER_03 (02:20):
Yes, and there were even other votes for other pronunciations as well, such as SIEM.

SPEAKER_00 (02:25):
SIEM, SIE, yet another alert. Yes, so that kind of brings up another point, is that you can have this alert fatigue. So you're setting your own alerts and creating those based on the network traffic that you're seeing.

(02:46):
And you could set a lot of alerts if you're being industrious and you want to make sure that you know about everything that's happening on your network. But then when you're getting those alerts, you can get kind of bogged down in alert fatigue because you're constantly

(03:07):
getting, oh, a thing, a thing happened, a thing happened. And so you might actually miss out on something that is important. But because you've got so used to getting all of those alerts, you stop paying attention. So I believe, Patrick, you have some experience with alerting

(03:28):
and setting those up.

SPEAKER_02 (03:33):
No, I don't.

SPEAKER_01 (03:34):
You've never heard

SPEAKER_02 (03:38):
of it? Never heard of it. No. Um, uh, yeah, yeah. So coming from my background of, like, a system administrator and system engineering, there are multiple ways you can go about setting up systems, like whether it be through, uh, SolarWinds, uh, SCOM,

(03:59):
which is System Center Operations Manager, which is part of the whole System Center suite from Microsoft. There's also SolarWinds, which for some strange reason, a lot of people have been migrating off of SolarWinds. I don't know why. That

SPEAKER_00 (04:17):
one puzzles my mind too. Like, what? It's such a great product. No, I'm kidding. We all know what happened with SolarWinds.

SPEAKER_03 (04:27):
In case our listeners don't remember, there was a SolarWinds hack within the last year, I believe. I

SPEAKER_02 (04:38):
don't know. It could be like last week and seems like it's been a year. Who knows with how this year's going.

SPEAKER_03 (04:46):
But that was like basically some sort of supply chain attack where they came in through the whatever SolarWinds was distributing. Was that my understanding?

SPEAKER_02 (04:57):
Yeah, I think they actually ended up compromising some of the coding infrastructure again in that way, and they also siloed a couple DLLs and stuff into the install.

SPEAKER_03 (05:12):
Okay, so the software build for the Orion updates had a Trojanized component.

SPEAKER_01 (05:21):
Yeah.

SPEAKER_03 (05:23):
Yep, it was a DLL.
Yep.

SPEAKER_02 (05:26):
Yeah. But getting back to the alert fatigue stuff, it's really easy to get bogged down, especially when you're monitoring systems for, like, up/down or activity, like this activity, etc. That's more operations monitoring. With security monitoring, you'll have

(05:51):
on how poorly tuned your environment is. You may have, like, a whole bunch of account logins or a whole slew of things that you need to watch and learn how to tweak and monitor and tune for what's normal in your environment. That's where it really comes to be like a fine art of toeing

(06:14):
like a line of, okay, here's what we've seen in this environment. We know what's the baseline, and now we can implement some of these standards that we have, right? It's pretty interesting, since I kind of do that in, like, my day to day. I usually go about this methodology of crawl, walk, run, which is you'll hear a lot

(06:39):
in, like, Microsoft shops, where crawl meaning you do a small subset of whatever alerts you're working on. Say we're tracking down administrator logins, right, and like out of normal time bandwidth or something of that nature. Then you'll implement that, get that alerting set up, and then kind of monitor and

(07:01):
make sure that you're within the baseline, and then you add in some more alerting. So you start walking with it, where you add more and more alerts, and then finally when you get to like a run methodology is when you're really starting to, like, automate some of that response and everything like that to your

(07:23):
alerts, so you don't tie up, like, your SOC analysts or anything like that with just, like, menial, like, investigation tasks, where you can have your SIEM of choice do what's called SOAR, which is like the new buzzword that's going around, which is a security automation, fun, fun goodness stuff.

(07:47):
You know, Azure Sentinel does it. Splunk has a Splunk Phantom, which is pretty, pretty cool in my... And then there's, like, Securonix, which is bringing out some of the automation as well. But yeah, overall, I mean, it's very much a real thing that can happen. You'll find it happens a lot in IT people, but also to kind of

(08:09):
bring it out to, like, where we're at in today's current environment, is alert fatigue happens with, like, medical machines and everything like that. So, like, you hear a lot of times about, like, frontline workers being, like, so fatigued from just the constant beeping of everything. So yeah, real thing.

(08:32):
Make sure you take breaks.

SPEAKER_00 (08:36):
Yeah, breaks are important in taking care of yourself, for sure. So recently I had a family member who got their Facebook account hacked. So I was thinking about how to help them and some of the steps they need to take once that happened. So the way that that happened was through their email account

(08:57):
being hacked. So I wanted our listeners to know about the website Have I Been Pwned? Because pretty much everybody has been pwned, or most everybody has been pwned, in the way that there has been a data breach with a company somewhere they probably do business. And there is this publicly available list to check if you

(09:18):
have been involved in a breach, so that the security researcher downloads information from breaches that are known about, and then you can check if your email exists. And then it tells you about which database got breached and how severe it is.

(09:38):
So is it just your email? Is it your email and password, email, password, and credit card? So of course, some information is more sensitive than others. So the first step is, you know, making sure that you secure your email account, if you haven't turned on multi-factor authentication, which you can set up either SMS message or use the Google Authenticator

(10:01):
app. And make sure you update your password. Once you get into your Facebook account, take screenshots of, like, previous location logs, where you're currently logged in, any messages that Facebook sends that, like, it looks like

(10:21):
you may have been, you know, hacked. Take a screenshot of that just so that if you need to talk to law enforcement, you have some evidence. It may be hard to get information from Facebook, so at least you have that evidence. And it has IP addresses. So you want to especially make note of IP addresses, because

(10:43):
even though you can't tell where somebody is based on their IP addresses, their internet service provider can match that up to a location. So you would be able to find out where they were if you talk to the police and get those IP addresses.

SPEAKER_02 (11:02):
Now, did your family member get hacked because they didn't forward a chain post, like on Facebook?

SPEAKER_00 (11:10):
Right. So it was not because they did not forward something. Their email account got hacked. So somebody was able to access their email account. They were able to figure out what their password was, log in. And then once they had access to the email account, they sent a

(11:30):
password reset request that gets sent to that email that they now had access to, and they were able to change the password on Facebook. So that's why securing your email is super important. Because if they still have access to your email, they get

(11:51):
notifications of all the things that you're doing on Facebook.

SPEAKER_02 (11:56):
Good stuff. I mean, good advice. Not good stuff that your family member got hacked on Facebook.

SPEAKER_00 (12:07):
Yeah. I'm not able to pull any records of how often this happens. But I'm actually seeing this happening more. So I don't know if this is just becoming more prolific. I'm not sure what the motive is behind it, but I'm seeing more

(12:31):
incidents of Facebook getting hacked by people. So that's why I wanted to mention it, how to make sure you're safe. And in my opinion, the best step that you can take now to make sure that it does not happen to you is turn on multi-factor authentication, and do that for both your email and your

(12:51):
Facebook account.

SPEAKER_03 (12:53):
Okay, good stuff. Yeah, good advice for just about any account that you can do it on. So we had talked about Azure last week, so I thought it would be important to at least mention the news that made headlines this week about Azure. So

(13:15):
apparently when you use Azure, if you use any of the following tools, so Azure Automation, Azure Automatic Update, Operations Management Suite, OMS for short, the Log Analytics, the Configuration Management, the Diagnostics, or

(13:36):
the Container Insights, you may have been affected by this vulnerability. Or there's actually several different vulnerabilities, and there's been a bunch of patches released. There's a bunch of different updates that have been made. So the most recent one as of yesterday, they updated their,

(13:58):
Microsoft updated their advisory saying that they will have declared an auto update for their platform as a service offerings that use the vulnerable VM extensions by September 22nd. Supposedly there will also be some instances which will require manual patching. Basically the long story short of it is, if you used any of

(14:18):
these things, theoretically Microsoft would download an agent to the VM silently, and the way they had it set up is that the authentication mechanism for it, like if you sent in a request to

(14:39):
it, instead of doing it normally including a password with the authentication header, and just excluded the authentication header, it would just log you in without a password. So that's obviously a pretty big deal. So you would want that fixed if you were using any of those

(15:04):
services on top of your Azure. Is there anything I've missed that's glaring there that you can think of?

SPEAKER_02 (15:10):
Well, yeah, you missed the cool name, though.
Oh, my God.

SPEAKER_01 (15:17):
Oh, true,

SPEAKER_02 (15:17):
true.

SPEAKER_01 (15:17):
Yes.
Yes.

SPEAKER_02 (15:20):
Yeah. Neil's talking about the, the OMIGOD vulnerability. It gives you remote code execution. From even better, unauthenticated remote code execution, where it gives you root access on any of the Linux boxes, and pretty interesting. I'm, you know, I was, I was kind of curious about the Azure login

(15:47):
on Linux boxes. And I'm curious about it because I was trying to figure out how they were leveraging the OMI agent on the Linux VMs in a server capacity instead of as a client capacity for Azure Log Analytics.

(16:07):
That's where I'm a little confused about it. And unfortunately, I have not found any good information about that. I think the advisory is just kind of, kind of really broad right now for, like, as far as, like, attack footprint. And I think they'll be tweaking it as we get, you know, further

(16:28):
into the week here, because how Azure and Log Analytics works is it doesn't listen for connections inbound. It only talks outbound. So that's why I'm like, I'm just confused about how it could possibly be used for that.

(16:49):
But if they're using the OMI agent, which Microsoft has both a good idea and a kind of a bad idea where they say, okay, hey, you can use the same agent that's already installed. You don't have, like, multiple agents on a machine. They say, go ahead and use this to forward data up.

(17:11):
Now, if they're using the OMI agent, which I assume this is the case, and so we're bringing, like, Azure Log Analytics into the scope, then yes, I could see it being in scope like that. But if you're just using the standard, like, Azure Sentinel, Azure Log Analytics, log ingestion client agent, it

(17:32):
doesn't sit there and listen to

SPEAKER_03 (17:34):
connections. So my understanding from the blog post is that three of the four are just privilege escalations that allow attackers to get the highest privileges on the machine that has OMI installed, and the fourth is the most serious one, that allows the remote code execution. So some of the products, including the Configuration

(17:54):
Management, that being key, exposed HTTPS port 5986 that uses that to interact with the OMI. And so that's what makes the RCE possible.

SPEAKER_02 (18:04):
Yeah. Yeah. So it's definitely something with the OMI agent, like the actual service and stuff that's running on the boxes. So yeah, sucks.

UNKNOWN (18:17):
But

SPEAKER_02 (18:17):
you know, all, all it comes back down to is, you know, make sure you're patching, make sure you're, because I believe Microsoft released an out-of-band patch for this, right? Like they disclosed it and then they released the patch. They found that the patch doesn't quite work. And so, well, the patch does work, but not in every instance,

(18:38):
you know? Yeah. There was a bunch of updates

SPEAKER_03 (18:40):
on the, there's like two updates on the 14th, 15th, 16th, 17th, 17th. And then one. Yes. Day as well, so they've been hard at it.

SPEAKER_02 (18:50):
Yeah, they've been hitting it hard. But, you know, once again it all comes down to proper segmentation of your networks and everything like that. So

SPEAKER_03 (19:04):
Yeah, and I mean, like we talked about before, a lot of these things you can lock down with how you're... when we talk about segmentation, things like not having your virtual network open to just the internet, and having it restricted to being a good setup as a network should be, and not just have all the

(19:25):
things sitting out on the internet, but maybe have, like, one thing, like whether that's like your web, your load balancer, or whatever, only having that accessible from the internet. So if you have, like, the actual servers themselves, they might be sitting behind the load balancer, might not even be accessible

(19:45):
from the internet on those ports.

SPEAKER_02 (19:47):
Yeah, yeah, I agree. Yeah, it's more about punching holes instead of just having everything wide open, you know. So, yeah. Oh, well, such is the life of security professionals. You know, one fire to the next.

(20:12):
Can almost be a, you know, CVE fatigue, right?

SPEAKER_01 (20:17):
oh

SPEAKER_03 (20:19):
Yeah, there's always something. And then that wasn't like the only thing, like there's always multiple things, right, that depends on what matters to you or your organization. Another one I thought was interesting was the Travis CI, where they had exposed secrets for a bunch of open source projects, and we're

(20:43):
talking, like, supposedly over 900,000 open source projects and 600,000 users. So saying that the secure environment variables, just the signing keys and the access credentials, all the stuff you don't, and the API tokens, all the stuff you don't want exposed, able to be accessed.

(21:05):
So supposedly they've issued a patch or whatnot, but you would need to go in and rotate your secrets, I would imagine, is what the recommended thing is to do. So if you're using Travis CI, you might want to look into

(21:25):
that. But I haven't really used Travis CI myself, but I understand it's a continuous integration thing. So it would go into your workflow when you're trying to deliver code and whatnot, if you're working on a project and you got new things to integrate into the end result. Does anyone else know more about

(21:49):
continuous integration than I do?

SPEAKER_02 (21:53):
I don't know, I was just gonna let you keep going, man. See, um, yeah, so I mean, I deal a little bit with it. I more specifically leverage Azure DevOps, uh, for it, you know. Surprise, the Windows guy, you see Microsoft products. But, uh, yeah,

(22:16):
um. Actually, it's... This reminds me of... I can't think of the tool that somebody... It's a Python tool that somebody wrote that what it does, it'll crawl GitHub for stored passwords and secrets and

(22:39):
everything like that. I can't think of the name of the tool, but this is just a new iteration of that, it seems, almost, because... Looking at the Ars Technica

SPEAKER_03 (22:52):
article about

SPEAKER_02 (22:54):
it, you can see all the Travis YAML files and everything like that. I'm like, oh, this is kind of... Oh, boy. I mean, and there's

SPEAKER_03 (23:05):
supposedly tools nowadays. I think even GitHub supposedly has something to check your repository for stuff that you don't want out there. There are of course all sorts of third-party ones, like git-secrets, and there's a bunch of other ones as well out there. But

(23:28):
you can continually check for, uh, things. Of course the best practice is not to ever put them in in the first place, but, uh, as we all know, there's bound to be an intern somewhere who may not necessarily have read the documentation. That never happens. One, two, three, or something, you know.

SPEAKER_00 (23:49):
Oh, we don't want to pick on the interns, though.

SPEAKER_03 (23:52):
I know. I mean, that's, that's the funny thing, right? Like it's easy, it's like easy to blame the intern for something that should be a company, uh

SPEAKER_02 (24:00):
Yeah, right. Why does the intern have this power to do this when this should be something that's been reviewed by somebody else as well? It's like,

SPEAKER_03 (24:14):
why are you expecting your intern to do all this unpaid work or whatever? Maybe actually have some training. Interns are supposed to get something out of it, but who knows. Yeah, internships are interesting, especially if a company hasn't

(24:37):
done, done it before, and then, like, how much access can we give our intern to make it more than useful than just a job shadow? But then again, how much, you know, it's interesting trying to find that balance.

SPEAKER_00 (24:53):
Right.

SPEAKER_02 (24:55):
Yeah, I, I've never actually had, like, an internship, so unfortunately I, I can't, like, really relate to that. It's, I, I've started more at the bottom of the barrel doing, like, tier one help desk stuff

SPEAKER_01 (25:09):
and

SPEAKER_02 (25:09):
just going on up.
But

SPEAKER_03 (25:11):
yeah. Yeah. Well, we'll just think of an internship as doing tier one help desk, but not actually getting to take the call, but just sitting there and listening to the call. That's the equivalent of some internship.

SPEAKER_02 (25:26):
That sounds horrible.

SPEAKER_03 (25:28):
Yes.

SPEAKER_00 (25:30):
Yeah. We have a Discord for our fellow Security Chipmunks. Make sure you go to securitychipmunks.com and join the Discord server. We have a wonderful community of chipmunks already there, and we all can't wait to have you join us. See you there soon. So thanks for listening to the Security Chipmunks, and remember, if it

(25:51):
seems overwhelming, just keep chipping away at it.