
Security Chipmunks
Episode 10 - Who moved my frog?
Welcome to the Security Chipmunks podcast where we talk about the development of cybersecurity skills. To stay up to date in today's world you need to be resilient, that’s why as Advanced Persistent Chipmunks we keep chipping away at it.
Getting hacked on FB - steps to take
- Secure your email account (change password, use MFA)
- Screenshots.
- Note IP addresses
- Log out other people
- Change FB pw & add MFA
https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution
https://arstechnica.com/information-technology/2021/09/travis-ci-flaw-exposed-secrets-for-thousands-of-open-source-projects/
Socials
- Join our Chipmunk community Discord server: https://discord.gg/9yfWP6evYQ
- Follow us on Twitter: https://twitter.com/SecChipmunk
- You can find us online at: https://securitychipmunks.com
Thank you.
SPEAKER_00:Welcome to the Security Chipmunks podcast, where we talk about the development of cybersecurity skills. To stay up to date in today's world, you need to be resilient. That's why as advanced persistent chipmunks, we keep chipping away at it. My name is Miks Edna Johnson. I'm here with my co-host, Neil Smalley. Say hello, Neil.
SPEAKER_03:Hello.
SPEAKER_00:And my other co-host, Patrick Lowther. Say hello, Patrick.
SPEAKER_02:Hello, Patrick.
SPEAKER_00:Wonderful. Glad to have you both here today. Now let's jump into it.
SPEAKER_03:Do you have the Twitter poll results today?
SPEAKER_00:Right. So we have Twitter poll results. On Twitter, we asked, how do you pronounce SIEM? S-I-E-M. And the options were SIM or SIEM. We had 19 people who voted. 19 cybersecurity professionals voted. And this was a close one. This was neck and neck, because I would see it and it would change, and it would be like, SIM is taking over, SIEM is taking over. And it ended with one pronunciation at 52% and the other at 47%, so there was like a one-vote difference between the two. So looking at those results, I'm going to say that the professionals are pretty torn on how to pronounce it. I do know that if you Google, how do you pronounce SIEM? It says SIM. But I would like to put in that if you have it as SIM, there are other things that could be SIM, like a SIM card. And so SIEM is a little more distinct. You know that that is only going to be talking about the... secure infrastructure event management tools. So it's a little more distinct than SIM.
SPEAKER_03:Yes, and there were even other votes for other pronunciations as well, such as SIEM.
SPEAKER_00:SIEM, SIE, yet another alert. Yes, so that kind of brings up another point is that you can have this alert fatigue. So you're setting your own alerts and creating those based on the network traffic that you're seeing. And you could set a lot of alerts if you're being industrious and you want to make sure that you know about everything that's happening on your network. But then when you're getting those alerts, you can get kind of bogged down in alert fatigue because you're constantly getting, oh, a thing, a thing happened, a thing happened. And so you might actually miss out on something that is important. But because you've got so used to getting all of those alerts, you stop paying attention. So I believe, Patrick, you have some experience with alerting and setting those up.
SPEAKER_02:No, I don't.
SPEAKER_01:You've never heard
SPEAKER_02:of it? Never heard of it. No. Um, uh, yeah, yeah. So coming from my background of, like, a system administrator and system engineering, there are multiple ways you can go about setting up systems, like whether it be through, uh, SolarWinds, uh, SCOM, which is System Center Operations Manager, which is part of this whole System Center suite from Microsoft. There's also SolarWinds, which for some strange reason, a lot of people have been migrating off of SolarWinds. I don't know why. That
SPEAKER_00:one puzzles my mind too. Like, what? It's such a great product. No, I'm kidding. We all know what happened with SolarWinds.
SPEAKER_03:In case our listeners don't remember, there was a SolarWinds hack within the last year, I believe. I
SPEAKER_02:don't know. It could be like last week and seems like it's been a year. Who knows with how this year's going.
SPEAKER_03:But that was like basically some sort of supply chain attack where they came in through the whatever SolarWinds was distributing. Was that my understanding?
SPEAKER_02:Yeah, I think they actually ended up compromising some of the coding infrastructure again in that way, and they also siloed a couple DLLs and stuff into the install.
SPEAKER_03:Okay, so the software build for the Orion updates had a Trojanized component.
SPEAKER_01:Yeah.
SPEAKER_03:Yep, it was a DLL. Yep.
SPEAKER_02:Yeah. But getting back to the alert fatigue stuff, it's really easy to get bogged down, especially when you're monitoring systems for, like, up/down or activity, like this activity, etc. That's more operations monitoring. With security monitoring, it depends on how poorly tuned your environment is. You may have, like, a whole bunch of account logins or a whole slew of things that you need to watch and learn how to tweak and monitor and tune for what's normal in your environment. That's where it really comes to be like a fine art of toeing a line of, okay, here's what we've seen in this environment. We know what's the baseline, and now we can implement some of these standards that we have, right? It's pretty interesting, since I kind of do that in, like, my day to day. I usually go about this methodology of crawl, walk, run, which you'll hear a lot in, like, Microsoft shops, where crawl means you do a small subset of whatever alerts you're working on. Say we're tracking down administrator logins, right, and like out of normal time bandwidth or something of that nature. Then you'll implement that, get that alerting set up, and then kind of monitor and make sure that you're within the baseline. And then you add in some more alerting, so you start walking with it, where you add more and more alerts. And then finally, when you get to, like, a run methodology is when you're really starting to, like, automate some of that response and everything like that to your alerts, so you don't tie up, like, your SOC analysts or anything like that with just, like, menial investigation tasks, where you can have your SIEM of choice do what's called SOAR, which is like the new buzzword that's going around, which is security automation, fun, fun goodness stuff. You know, Azure Sentinel does it. Splunk has Splunk Phantom, which is pretty, pretty cool in my... And then there's, like, Securonix, which is bringing out some of the automation as well.
But yeah, overall, I mean, it's very much a real thing that can happen. You'll find it happens a lot in IT people, but also to kind of bring it out to, like, where we're at in today's current environment, alert fatigue happens with, like, medical machines and everything like that. So, like, you hear a lot of times about, like, frontline workers being, like, so fatigued from just the constant beeping of everything. So yeah, real thing. Make sure you take breaks.
SPEAKER_00:Yeah, breaks are important in taking care of yourself for sure. So recently I had a family member who got their Facebook account hacked. So I was thinking about how to help them and some of the steps they need to take once that happened. So the way that it happened was through their email account being hacked. So I wanted our listeners to know about the website Have I Been Pwned? Because pretty much everybody has been pwned, or most everybody has been pwned, in the way that there has been a data breach with a company somewhere they probably do business. And there is this publicly available list to check if you have been involved in a breach. So the security researcher downloads information from breaches that are known about, and then you can check if your email exists. And then it tells you about which database got breached and how severe it is. So is it just your email? Is it your email and password? Email, password, and credit card? So of course, some information is more sensitive than others. So the first step is, you know, making sure that you secure your email account, if you haven't turned on multi-factor authentication, which you can set up either with an SMS message or using the Google Authenticator app. And make sure you update your password. Once you get into your Facebook account, take screenshots of, like, previous location logs, where you're currently logged in, any messages that Facebook sends that, like, it looks like you may have been, you know, hacked. Take a screenshot of that just so that if you need to talk to law enforcement, you have some evidence. It may be hard to get information from Facebook, so at least you have that evidence. And it has IP addresses. So you want to especially make note of IP addresses, because even though you can't tell where somebody is based on their IP addresses, their internet service provider can match that up to a location.
So you would be able to find out where they were if you talk to the police and get those IP addresses.
SPEAKER_02:Now, did your family member get hacked because they didn't forward a chain post? like on Facebook.
SPEAKER_00:Right. So it was not because they did not forward something. Their email account got hacked. So somebody was able to access their email account. They were able to figure out what their password was, log in. And then once they had access to the email account, they sent a password reset request. that gets sent to that email that they now had access to, and they were able to change the password on Facebook. So that's why securing your email is super important. Because if they still have access to your email, they get notifications of all the things that you're doing on Facebook.
SPEAKER_02:Good stuff. I mean, good advice. Not good stuff that your family member got hacked on Facebook.
SPEAKER_00:Yeah. I'm not able to pull any records of how often this happens. But I'm actually seeing this happening more. So I don't know if this is just becoming more prolific. I'm not sure what the motive is behind it, but I'm seeing more incidents of Facebook getting hacked by people. So that's why I wanted to mention it, how to make sure you're safe. And in my opinion, the best step that you can take now to make sure that it does not happen to you is turn on multi-factor authentication and do that for both your email and your Facebook account
SPEAKER_03:Okay, good stuff. Yeah, good advice for just about any account that you can do it on. So we had talked about Azure last week, so I thought it would be important to at least mention the news that made headlines this week about Azure. So apparently when you use Azure, if you use any of the following tools, so Azure Automation, Azure Automatic Update, Operations Management Suite, OMS for short, the Log Analytics, the Configuration Management, the Diagnostics, or the Container Insights, you may have been affected by this vulnerability, or there's actually several different vulnerabilities, and there's been a bunch of patches released. There's a bunch of different updates that have been made. So the most recent one, as of yesterday, Microsoft updated their advisory saying that they will have declared an auto update for their platform-as-a-service offerings that use the vulnerable VM extensions by September 22nd. Supposedly there will also be some instances which will require manual patching. Basically, the long story short of it is, if you used any of these things, theoretically Microsoft would download an agent to the VM silently, and the way they had it set up is that the authentication mechanism for it, like, if you sent in a request to it, instead of doing it normally, including a password with the authentication header, and just excluded the authentication header, it would just log you in without a password. So that's obviously a pretty big deal. So you would want that fixed if you were using any of those services on top of your Azure. Is there anything I've missed that's glaring there that you can think of?
SPEAKER_02:Well, yeah, you missed the cool name, though. Oh, my God.
SPEAKER_01:Oh, true,
SPEAKER_02:true.
SPEAKER_01:Yes. Yes.
SPEAKER_02:Yeah. Neil's talking about the OMIGOD vulnerability. It gives you remote code execution, or even better, unauthenticated remote code execution, where it gives you root access on any of the Linux boxes, and pretty interesting. I'm, you know, I was kind of curious about the Azure login on Linux boxes. And I'm curious about it because I was trying to figure out how they were leveraging the OMI agent on the Linux VMs in a server capacity instead of as a client capacity for Azure Log Analytics. That's where I'm a little confused about it. And unfortunately, I have not found any good information about that. I think the advisory is just kind of really broad right now, as far as, like, attack footprint. And I think they'll be tweaking it as we get, you know, further into the week here, because how Azure and Log Analytics works is it doesn't listen for connections inbound. It only talks outbound. So that's why I'm, like, I'm just confused about how it could possibly be used for that. But if they're using the OMI agent, which Microsoft has both a good idea and kind of a bad idea where they say, okay, hey, you can use the same agent that's already installed. You don't have, like, multiple agents on a machine. They say, go ahead and use this to forward data up. Now, if they're using the OMI agent, which I assume this is the case, and so we're bringing, like, Azure Log Analytics into the scope, then yes, I could see it being in scope like that. But if you're just using the standard, like, Azure Sentinel, Azure Log Analytics, log ingestion client agent, it doesn't sit there and listen to
SPEAKER_03:connections. So my understanding from the blog post is that three of the four are just privilege escalations that allow attackers to get the highest privileges on the machine that has OMI installed, and the fourth is the most serious one, that allows the remote code execution. So some of the products, including the Configuration Management, basically exposed HTTPS port 5986 that uses that to interact with the OMI. And so that's what makes the RCE possible.
SPEAKER_02:Yeah. Yeah. So it's definitely something with the OMI agent, like the actual service and stuff that's running on the boxes. So yeah, sucks.
UNKNOWN:But
SPEAKER_02:you know, all, all it comes back down to is, you know, make sure you're patching, make sure you're, because I believe Microsoft released a out of band patch for this, right? Like they disclosed it and then they released the patch. They found that the patch doesn't quite work. And so, well, the patch does work, but not in every instance, you know? Yeah. There was a bunch of updates
SPEAKER_03:on the, there's like two updates on the 14th, 15th, 16th, 17th, 17th. And then one. Yes. day as well so they've been hard at it
SPEAKER_02:Yeah, they've been hitting it hard. But, you know, once again, it all comes down to proper segmentation of your networks and everything like that. So
SPEAKER_03:yeah, and I mean, like we talked about before, a lot of these things you can lock down with how you're, when we talk about segmentation, things like not having your virtual network open to just the internet, and having it restricted to being a good setup as a network should be, and not just having all the things sitting out on the internet, but maybe have, like, one thing, like, whether that's, like, your web, your load balancer or whatever, only having that accessible from the internet. So if you have, like, the actual servers themselves, they might be sitting behind the load balancer, might not even be accessible from the internet on those ports.
SPEAKER_02:Yeah, yeah, I agree. Yeah, it's more about punching holes instead of just having everything wide open, you know. So, yeah. Oh, well, such is the life of security professionals. You know, one fire to the next. Can almost be a, you know, CVE fatigue, right?
SPEAKER_01:oh
SPEAKER_03:yeah there's always something and then that wasn't like the only thing like there's always multiple things right that depends on what matters to you or your organization another one I thought was interesting was the Travis CI where they had exposed secrets for a bunch of open source projects and we're talking like supposedly over 900,000 open source projects and 600,000 users. So saying that the secure environment variables, just the signing keys and the access credentials, all the stuff you don't, and the API tokens, all the stuff you don't want exposed, able to be accessed. So supposedly they've issued a patch or whatnot, but you would need to go in and rotate your secrets, I would imagine. is what the recommended thing is to do. So if you're using Travis CI, you might want to look into that. But I haven't really used Travis CI myself, but I understand it's a continuous integration thing. So it would go into your workflow when you're trying to deliver code and whatnot. If you're working on a project and you got new things to integrate into the end result, does anyone else know more about continuous integration than i do
SPEAKER_02:I don't know. I was just gonna let you keep going, man. See, um, yeah, so I mean, I deal a little bit with it. I more specifically leverage Azure DevOps, uh, for it. You know, surprise, the Windows guy uses Microsoft products. But, uh, yeah, um, actually, it's... This reminds me of... I can't think of the tool that somebody... It's a Python tool that somebody wrote that, what it does, it'll crawl GitHub for stored passwords and secrets and everything like that. I can't think of the name of the tool, but this is just a new iteration of that, it seems, almost, because... Looking at the Ars Technica
SPEAKER_03:article about
SPEAKER_02:it, you can see all the Travis YAML files and everything like that. I'm like, oh, this is kind of... Oh, boy. I mean, and there's
SPEAKER_03:supposedly tools nowadays. I think even GitHub supposedly has something to check your repository for stuff that you don't want out there there are of course all sorts of third-party ones like get secrets and there's a bunch other ones as well out there but you can continually check for uh things of course the best practice is not to ever put them in the first place but uh as we all know there's bound to be an intern somewhere who may not necessarily have read the documentation that never happens one two three or something you know
SPEAKER_00:Oh, we don't want to pick on the interns, though.
SPEAKER_03:I know. I mean, that's, that's the funny thing, right? Like, it's easy, it's, like, easy to blame the intern for something that should be a company, uh
SPEAKER_02:Yeah, right. Why does the intern have this power to do this when this should be something that's been reviewed by somebody else as well? It's like,
SPEAKER_03:why are you expecting your intern to do all this unpaid work or whatever? Maybe actually have some training. Interns are supposed to get some thing out of it but who knows yeah internships are interesting especially if a company hasn't done done it before and then like how much access can we give our intern to make it more than useful than just a job shadow but then again how much you know it's interesting trying to find that balance
SPEAKER_00:right
SPEAKER_02:yeah i i've never actually had like an internship so unfortunately i I can't like really relate to that. It's, I, I've started more at the bottom of the barrel doing like tier one help desk stuff
SPEAKER_01:and
SPEAKER_02:just going on up. But
SPEAKER_03:yeah. Yeah. Well, we'll just think of an internship as doing tier one help desk, but not actually getting to take the call, but just sitting there and listening to the call. That's the equivalent of some internship.
SPEAKER_02:That sounds horrible.
SPEAKER_03:Yes.
SPEAKER_00:Yeah. We have a Discord for our fellow Security Chipmunks. Make sure you go to securitychipmunks.com and join the Discord server. We have a wonderful community of chipmunks already there, and we all can't wait to have you join us. See you there soon. So thanks for listening to the Security Chipmunks, and remember, if it seems overwhelming, just keep chipping away at it.