Bishop Fox Happenings: July and August 2019
by Britt Kemp, on Aug 27, 2019 10:12:00 AM
July and August are usually busy months in cybersecurity, and it was no different at Bishop Fox. We embarked on our tenth consecutive year of presenting at Black Hat, DEF CON, and BSides Las Vegas, where our highlights included launching new tools and unveiling groundbreaking research into security automation and machine learning.
Hacker summer camp 2019 was a landmark one for us, and we will strive to up the ante in the years to come. But until then, here’s everything else that happened these past few weeks.
Eyeballer – As seen at Black Hat Arsenal, this AI-powered tool helps penetration testers assess large-scale external perimeters with ease.
GitGot – GitGot scrapes GitHub for a target organization’s potentially sensitive secrets with this open source tool.
ZigDiggity – As seen at both Black Hat and DEFCON, this tool follows in the tradition of previous Diggity projects (like Search and RFID). ZigDiggity takes Zigbee hacking up to 11.
Figure 1 - Francis Brown and Matthew Gleason presenting ZigDiggity at DEF CON
Blog Posts We Dropped
Going Semi-Automated in an Automated World: Using Human-in-the-Loop Workflows to Improve Our Security Tools – In this blog post, Jake Miller describes his development of GitGot, a semi-automated, feedback-driven tool that helps penetration testers rapidly search through troves of public data on GitHub for a target organization’s potentially exposed secrets.
Cybersecurity Fatalism - How It Poisons Your Decision Making – Sure, it’s an easy trap to fall into – we live in a world of near-daily breaches and emerging threats that can easily be turned into security bogeymen. Dan Petro explains why being a cybersecurity fatalist ultimately does more harm than good.
10 Must-See Talks at Black Hat and DEF CON – Here are the talks we saw this past year – and, of course, all the Bishop Fox appearances during the Vegas conferences, too.
Every Sign Has a Story – In this blog post, Thiago Campos shares some insights about the Google G Suite’s Developer Guide – and why security warnings shouldn’t be ignored. A must-read for developers.
Customer Stories, News Features, and Assorted Miscellany
TechCrunch - What Security Pros Need to Know from Black Hat and DEF CON 2019 – With a simple misconfiguration, Amazon EBS instances can be made public. Ben Morris’s research into these publicly exposed Amazon EBS instances (and the dangers they cause) made this best-of list from TechCrunch. Morris’s research also was the subject of this TechCrunch piece.
Below are some more recognitions of Ben Morris’s research. Check out these notable signal boosts from Security Boulevard and The Register:
And if you’re into that kind of thing, here are his slides from DEF CON. (A proof of concept is slated to come out soon.)
Wall Street Journal - Capital One Breach Casts Shadow Over Cloud Security – CEO Vincent Liu weighed in on one of the largest breaches in history.
TechBeacon - Weaponized Machine-Learning Tool Adds Punch to Pen Testing – Bishop Fox consultant Gavin Stroy and lead researcher Dan Petro describe Eyeballer, a new penetration testing tool that applies machine learning to ‘visually’ identify the web pages most likely to contain actionable leads.
Axios - Counter-Drone Defenses – “Drone Defenses: What do they do, really?” According to Bishop Fox CTO Fran Brown, not a whole lot.
How Bishop Fox Enables Wickr’s Security Assurance – Wickr, a leader in secured communications, enlisted the help of Bishop Fox to deliver the third-party security transparency guaranteed by their Customer Security Promise. This customer story explains how we worked together to ensure Wickr delivers secure products to the countless users who depend on them.
Cyber.Dic – Brianne Hughes not only led the second-ever hacker spelling bee at DEF CON this year, but she and Technical Editor Catherine Lu brought to life Cyber.Dic, an auxiliary spellcheck dictionary that corresponds with the Bishop Fox Cybersecurity Style Guide. Special shoutout to the two-years-in-a-row winner of the spelling bee, Breanne Boland.
CVEs/Advisories We Released
InterSystems Cache 2017.2.2.865.0 and 2018.1.2 Multiple Vulnerabilities – Bishop Fox researchers identified high and medium-risk vulnerabilities in the InterSystems Cache Database Management System, which we worked with their team to remediate in the responsible disclosure process.
Dolibarr Version 9.0.1 — Multiple Vulnerabilities – A Bishop Fox researcher discovered high and medium-risk bugs in Dolibarr ERP & CRM, an open source and free software package. Exploiting these vulnerabilities would allow a low-privileged application user to execute malicious code on the server or escalate their privileges to become an administrative user. As an admin, the attacker could compromise all other user accounts and application data. (Read more in the advisory, and a more condensed version in the corresponding blog post.)
AeroGarden Version 1.3.1 - Multiple Vulnerabilities – “Bishop Fox: Even your plants aren’t safe.” A Bishop Fox researcher found some bugs in AeroGarden that could a.) capture traffic or b.) inflict damage to plant life.
That’s all for now – but we’ll have more for you next month. See you then!