Tag Archives: fun

New episode “In The Trend of VM” (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social “attack on the complainer”, “Ford’s method” for motivating IT specialists to fix vulnerabilities

New episode “In The Trend of VM” (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social “attack on the complainer”, “Ford’s method” for motivating IT specialists to fix vulnerabilities. The competition for the best question on the topic of VM continues. 😉🎁

📹 Video on YouTube, LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website

Content:

🔻 00:37 Elevation of Privilege – Microsoft Streaming Service (CVE-2024-30090)
🔻 01:46 Elevation of Privilege – Windows Kernel-Mode Driver (CVE-2024-35250)
🔻 02:38 Spoofing – Windows MSHTML Platform (CVE-2024-43573)
🔻 03:43 Remote Code Execution – XWiki Platform (CVE-2024-31982)
🔻 04:44 The scandal with the removal of Russian maintainers at The Linux Foundation, its impact on security and possible consequences.
🔻 05:22 Social “Attack on the complainer”
🔻 06:35 “Ford’s method” for motivating IT staff to fix vulnerabilities: will it work?
🔻 08:00 About the digest, habr and the question contest 🎁
🔻 08:29 Backstage

In Russian

Ford won’t work?

Ford won’t work? There were a lot of comments about “paying vulnerability fixers only when they are in the break room”. I’ll say right away that the post was a joke. Staff motivation is too delicate a topic to give serious recommendations. 🙂

But I will sort out the objections:

🔻 IT staff will sabotage the vulnerability detection process by tweaking host configs so that the scanner produces only green reports. But IT staff can do this at any time, and we need to take this into account. 🤷‍♂️

🔻 IT staff will simply turn off hosts. If they can do this without harming the business, that’s great. 👍 And if this will break the production environment, then let them deal with their IT management. 😏

🔻 There is an opinion that the method is good, but only 2% of vulnerabilities used in attack chains need to be fixed. I traditionally DO NOT agree with the possibility of reliably separating these mythical 2% of vulnerabilities. Everything needs to be fixed. 😉

In Russian

Vulnerability Remediation using the “Ford Method”

Vulnerability Remediation using the “Ford Method”. There is a popular story in the Russian segment of the Internet. Allegedly, an experiment was carried out at Henry Ford’s plant: conveyor repair workers were paid only for the time they were in the break room. And as soon as the conveyor stopped 🚨 and the repair workers went to fix it, they stopped getting paid. Therefore, they did their work quickly and efficiently, so that they could quickly (and for a long time) return to the break room and start earning money again. 👷‍♂️🪙

I did not find any reliable evidence of this. 🤷‍♂️

But what if the specialists responsible for vulnerability remediation were paid only for the time when no vulnerabilities are detected on their hosts? 🤔 This could have a very positive impact on the speed and quality of remediation. Unsolvable problems would quickly become solvable, and automation of testing and deployment of updates would develop at the fastest pace. 😏

In Russian

Generating names for vulnerabilities

Generating names for vulnerabilities. Colleagues who work on attack attribution have a funny habit of naming attack groups according to some scheme. For example, Midnight Blizzard or Mysterious Werewolf. 🙂 I thought, why can’t we name vulnerabilities in a similar way?

For example, Remote Code Execution – Windows NAT (CVE-2024-38119)

🔹 We transform vulnerability types into animal names that start with the same letter. RCE – let it be Raccoon. For EoP it can be Elephant, for Memory Corruption – Monkey, etc.

🔹 Based on software names, we automatically select adjectives that begin with the same letters. “Windows NAT” -> “Windy Nautical”.

🔹 There can be many vulnerabilities of the same type in the same product. Therefore, we generate combinations of adverbs and past participles (6940230 combinations), and then map CVE identifiers onto them. CVE-2024-38119 -> 202438119 -> “2438119”: “inquisitively underspecified”

Thus we get: “Inquisitively Underspecified Windy Nautical Raccoon”. 🙂
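Here is a small Python implementation of the three steps, added as an example (it is not the post’s own code; the post does not publish its word lists). The vulnerability-type animals and the “Windows NAT” -> “Windy Nautical” adjectives come from the post (with the animal spelled Raccoon here); every other word, and the adverb and participle lists, are constructed for this example. Because the constructed lists give only 20 combinations instead of the post’s 6940230, the same CVE lands on a different adverb/participle pair than “inquisitively underspecified”, but the mapping technique is the same: the CVE digits become a number, the number is taken modulo the number of combinations, and divmod picks the pair.

```python
"""Toy generator for the vulnerability-naming scheme described above.

Word lists are constructed for this example; only Raccoon, Elephant, Monkey,
Windy, Nautical, Inquisitively and Underspecified are taken from the post.
"""
import re

# Step 1: vulnerability type -> animal starting with the same letter.
# The first three pairs are the post's; the others are constructed.
TYPE_ANIMALS = {
    "Remote Code Execution": "Raccoon",
    "Elevation of Privilege": "Elephant",
    "Memory Corruption": "Monkey",
    "Spoofing": "Squirrel",          # constructed
    "Denial of Service": "Dolphin",  # constructed
}

# Step 2: one adjective per first letter; "Windows NAT" -> "Windy Nautical"
# is the post's example, every other entry is constructed.
ADJECTIVES = {
    "w": "Windy", "n": "Nautical", "x": "Xenial", "p": "Peculiar",
    "m": "Mellow", "s": "Sleepy", "l": "Lucky", "k": "Kindly",
}

# Step 3: constructed word lists. The post's real lists give 6940230
# combinations; these give len(ADVERBS) * len(PARTICIPLES) = 20.
ADVERBS = ["Inquisitively", "Boldly", "Quietly", "Vaguely", "Sternly"]
PARTICIPLES = ["Underspecified", "Overlooked", "Forgotten", "Misplaced"]


def animal_for(vuln_type: str) -> str:
    """Look up the animal for a vulnerability type; unknown types fail loudly."""
    if vuln_type not in TYPE_ANIMALS:
        raise ValueError(f"no animal assigned to vulnerability type {vuln_type!r}")
    return TYPE_ANIMALS[vuln_type]


def adjectives_for(software: str) -> list[str]:
    """One adjective per word of the product name, matching each word's first letter."""
    words = re.findall(r"[A-Za-z]+", software)
    if not words:
        raise ValueError(f"no alphabetic words in product name {software!r}")
    result = []
    for word in words:
        letter = word[0].lower()
        if letter not in ADJECTIVES:
            raise ValueError(f"no adjective for letter {letter!r} (word {word!r})")
        result.append(ADJECTIVES[letter])
    return result


def cve_to_number(cve_id: str) -> int:
    """CVE-2024-38119 -> digits 202438119 -> drop the leading '20' -> 2438119, as in the post."""
    m = re.fullmatch(r"CVE-(\d{4})-(\d{4,})", cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    digits = m.group(1) + m.group(2)
    return int(digits[2:])


def combo_for(n: int) -> tuple[str, str]:
    """Map a number onto an (adverb, participle) pair by mixed-radix indexing.

    The index is taken modulo the number of combinations, so two CVEs whose
    numbers differ by a multiple of that count share a pair: the name is a
    mnemonic, not a replacement for the CVE id.
    """
    total = len(ADVERBS) * len(PARTICIPLES)
    adverb_i, participle_i = divmod(n % total, len(PARTICIPLES))
    return ADVERBS[adverb_i], PARTICIPLES[participle_i]


def vuln_name(vuln_type: str, software: str, cve_id: str) -> str:
    """Assemble '<Adverb> <Participle> <Adjectives...> <Animal>'."""
    adverb, participle = combo_for(cve_to_number(cve_id))
    return " ".join([adverb, participle, *adjectives_for(software), animal_for(vuln_type)])


if __name__ == "__main__":
    print(vuln_name("Remote Code Execution", "Windows NAT", "CVE-2024-38119"))
    print(vuln_name("Remote Code Execution", "XWiki Platform", "CVE-2024-31982"))
```

With the constructed lists, CVE-2024-38119 becomes number 2438119, index 19 of 20, i.e. the pair (“Sternly”, “Misplaced”). Note that the modulo step makes the mapping many-to-one even with 6940230 combinations, so the generated name should travel together with the CVE identifier rather than replace it.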

In Russian

I also made a meme with the cool Yusuf Dikeç

I also made a meme with the cool Yusuf Dikeç. 😅

🔹 Every vulnerability existing in the infrastructure must be detected.
🔹 For each detected vulnerability, a patching task must be created.

This is the base. And when they tell you that you don’t have to do this because there is some super-modern vulnerability assessment and prioritization tool, you should be skeptical. 😉

In Russian

No Boot – No Hacker!

No Boot – No Hacker! Updated track. It seems that the case with the CrowdStrike BSODStrike incident is coming to a logical conclusion. Why this happened is already more or less clear. All that remains is long legal battles between clients and the vendor. Therefore, I am closing this topic for myself with an updated track made in Suno. It’s in Russian, but subtitles are available on YouTube.

My position is that BSODStrike was not the problem of a specific company, but rather a problem of cloud cybersecurity services with agents, whose architecture is vulnerable. Such services literally force customers to overtrust them. 🤷‍♂️ I don’t think it’s right to keep silent about this. We need to call for improving the security, transparency and controllability of such services.

It should be understood that this was just a small and relatively harmless failure, but someday we will see a case with a full-scale attack through a hacked cloud vendor. And, as it seems to me, at the moment on-premises solutions have their advantages.

In Russian