Episode Transcript
0:00
Hello and welcome to the Wednesday, May 22nd, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and I'm recording from Jacksonville, Florida.

0:15
Looking for a simple way to use the Shodan API from the command line? Well, look no further than nmap. Rob today is writing how you can use nmap to actually rely on Shodan to do its port scanning. So instead of actually actively going out and port scanning a particular target, this feature will rely on a port scan that Shodan may already have done on this target. Of course this is not quite as complete and of course not as current as if you would run a scan right now. But number one, it's more stealthy, and then what you're seeing from Shodan can actually be quite insightful as well because it is not up to date. So you may see, for example, ports that were open in the past and have been closed now, or ports that are only part of the time open that you may miss in a quick scan. That's something that you may discover with this nmap script. Real neat idea here, and Rob gives you a couple of ideas how to tie this in with various other systems, like for example how to manipulate the output to be more useful, how to pass more arguments like hosts and such to the scan, and how to make it even more stealthy by, for example, turning off DNS lookups.

1:41
Also, if you're using the popular Mac terminal emulator iTerm2, you may have noticed that the new version was released a couple days ago, and this version does fix a number of critical vulnerabilities. The core issue here is how URLs are handled as part of the console. Now many terminal emulators are allowing you to highlight URLs, making URLs clickable, and this happens via escape codes. Now the problem with URLs is always that there are a number of different URL schemes. It's not just HTTP and HTTPS but can be things like whois or telnet or sh. Some of them may actually pass part of the URL to the command line, and that's sort of where the problem comes in here. For example, the x-man-page scheme can be used to execute arbitrary code. sh is problematic as well. There are two vulnerabilities related to sh that are being addressed with this particular update. Interesting vulnerabilities here, and definitely something that, if you are developing console software and such, you should take a look at, because these escape sequences and these URL handlers have been problematic in the past in other software as well.

3:10
And if you're using GitHub Enterprise Server, which is GitHub's on-premise solution, be aware that there is a critical vulnerability in the SAML integration. Essentially this leads to an authentication bypass which then can be escalated to code execution. Definitely update to the latest version.

3:32
And if you talk about GitHub, it's only fair that we also talk about one of the alternatives, that's Bitbucket. Mandiant put out a report that they are seeing secrets being stolen from Bitbucket. Now one thing that Bitbucket allows you to do is have pipelines, and pipelines integrate with your continuous delivery, continuous integration services that basically allow you to automatically build the systems. The problem with this is, and that's a common problem not unique to Bitbucket, that you often have to pass secrets like API keys and the like to these build tools, and well, how are you doing so securely? One way how people often do that is via environment variables. Environment variables isn't the worst way necessarily to do it, but well, you have to give access to these environment variables, and one way that's often done is by basically just printing them into a text file and then passing that text file to Bitbucket as an artifact, which of course means that these credentials are exposed in the clear in Bitbucket. Bitbucket itself does not really have a great solution for this; this is add-on software that you need in order to deal with your secrets. But that's pretty much true for any kind of CI/CD tool, that you need to come up with some kind of secret management solution in order to solve the problem of having to pass these secrets to various tools without exposing them to someone who may compromise your pipeline.

5:08
Talking about leaking secrets, Microsoft came out with its new line of Copilot+ PCs. What is really different about these PCs is that they're heavily targeting AI and machine learning with additional co-processors. Not just Microsoft makes these PCs, but there is one specific feature that Microsoft supports and that's called Recall. Recall essentially records what you're doing on the PC and allows you to search your history. Think about it like bash history, but including all the GUI interactions, all the web pages that you may have seen and things like that. One important note here from the Copilot+ PC FAQ is that this Recall feature does not actually hide information like passwords and financial account numbers. So if you're using this feature, be aware all of it is recorded, even if it should be recorded only on your system.

6:18
Well, and that's it for today. Thanks for listening. I hope you like this podcast. I hope you will recommend it. I hope you like it also on your favorite podcast platform and leave a good review, or just leave a click on the five star mark. Thanks and talk to you again tomorrow.