ISC StormCast for Wednesday, May 22nd, 2024

Released Wednesday, 22nd May 2024
Episode Transcript


0:00

Hello and welcome to the Wednesday, May 22nd, 2024 edition of the SANS Internet Storm Center's StormCast. My name is Johannes Ullrich and I'm recording from Jacksonville, Florida.

0:15

Looking for a simple way to use the Shodan API from the command line? Well, look no further than nmap. Rob today is writing how you can use nmap to actually rely on Shodan to do its port scanning. So instead of actually actively going out and port scanning a particular target, this feature will rely on a port scan that Shodan may already have done on this target. Of course, this is not quite as complete and of course not as current as if you would run a scan right now. But number one, it's more stealthy, and then what you're seeing from Shodan can actually be quite insightful as well because it is not up to date. So you may see, for example, ports that were open in the past have been closed now. Ports that are only part of the time open that you may miss in a quick scan. That's something that you may discover with this nmap script. Real neat idea here, and Rob gives you a couple of ideas how to tie this in with various other systems. Like, for example, how to manipulate the output to be more useful, how to pass more arguments like hosts and such to the scan, and how to make it even more stealthy by, for example, turning off DNS lookups.

1:41

If you're using the popular Mac terminal emulator iTerm2, you may have noticed that the new version was released a couple days ago, and this version does fix a number of critical vulnerabilities. The core issue here is how URLs are handled as a whole, as part of the console. Now, many terminal emulators are allowing you to highlight URLs, making URLs clickable, and this happens via escape codes. Now, the problem with URLs is always that there are a number of different URL schemes. It's not just HTTP and HTTPS but can be things like whois or telnet or sh. Some of them may actually pass part of the URL to the command line, and that's sort of where the problem comes in here. For example, the x-man-page scheme can be used to execute arbitrary code. sh is problematic as well. There are two vulnerabilities related to sh that are being addressed with this particular update. Interesting vulnerabilities here and definitely something that, if you are developing console software and such, you should take a look at, because these escape sequences and these URL handlers have been problematic in the past in other software as well.

3:10

And if you're using GitHub Enterprise Server, which is GitHub's on-premise solution, be aware that there is a critical vulnerability in the SAML integration. Essentially, this leads to an authentication bypass which then can be escalated to code execution. Definitely update to the latest version.

3:32

And if you talk about GitHub, only fair that we also talk about one of the alternatives, that's Bitbucket. Mandiant put out a report that they are seeing secrets being stolen from Bitbucket. Now, one thing that Bitbucket allows you to do is have pipelines. And pipelines integrate with your continuous delivery, continuous integration services that basically allow you to automatically build the systems. The problem with this is, and that's a common problem not unique to Bitbucket, that you often have to pass secrets like API keys and the like to these build tools, and well, how are you doing so securely? One way how people often do that is via environment variables. Environment variables isn't the worst way necessarily to do it, but well, you have to give access to these environment variables, and one way that's often done is by basically just printing them into a text file and then passing that text file to Bitbucket as an artifact, which of course means that these credentials are exposed in the clear in Bitbucket. Bitbucket itself does not really have a great solution for this; this is add-on software that you need in order to deal with your secrets. But that's pretty much true for any kind of CI/CD tool: that you need to come up with some kind of secret management solution in order to solve the problem of having to pass these secrets to various tools without exposing them to someone who may compromise your pipeline.

5:11

Talking about leaking secrets, Microsoft came out with its new line of Copilot+ PCs. What is really different about these PCs is that they're heavily targeting AI and machine learning with additional co-processors. Not just Microsoft makes these PCs, but there is one specific feature that Microsoft supports, and that's called Recall. Recall essentially records what you're doing on the PC and allows you to search your history. Think about it like bash history, but including all the GUI interactions, all the web pages that you may have seen, and things like that. One important note here from the Copilot+ PC FAQ is that this Recall feature does not actually hide information like passwords and financial account numbers. So if you're using this feature, be aware all of it is recorded, even if it should be recorded only on your system.

6:18

Well, and that's it for today. Thanks for listening. I hope you like this podcast. I hope you will recommend it. I hope you like it also in your favorite podcast platform and leave a good review or just leave a click on the five star mark. Thanks and talk to you again tomorrow.
