
The Threatpost Podcast
100 episodes — Page 2 of 2

Amnesia:33 TCP/IP Flaws Plague Millions of IoT Devices
Researchers - as well as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) - are warning of a set of serious vulnerabilities affecting embedded TCP/IP stacks. The flaws impact millions of Internet-of-Things (IoT) devices and embedded systems, including smart thermometers, smart plugs and printers, Forescout researcher Daniel dos Santos said during this week's Threatpost podcast.

Sponsored Podcast: Why DNS Filtering is a Top Battle Front Against Malware, Phishing
Peter Lowe, security researcher with DNSFilter, talks to Cody Hackett on this week's Threatpost Podcast about how DNS filtering tactics are evolving to keep up with new cybercriminal tricks, as well as how companies can protect themselves.

Smart Doorbells on Amazon, eBay, Harbor Serious Security Issues
Matt Lewis, research director at NCC Group, discloses serious security and privacy issues in 11 different smart doorbells, which could be exploited by attackers to physically switch off the devices.

Cybercriminals Batter Automakers With Ransomware, IP Theft Cyberattacks
Cybercriminals are recognizing that the data automotive companies hold - from customer and employee personally identifiable information (PII) to financial data - is invaluable. Paul Prudhomme, cyber threat intelligence analyst at IntSights, warns that this is translating into cyberattacks, whether aimed at intellectual property (IP) theft or ransomware. And with the ongoing pandemic shaking up both sales and the supply chain across the automotive industry, cyberthreats only add to an existing pile of problems.

Botnet Attackers Turn to Vulnerable IoT Devices
Cybercriminals behind botnets are increasingly shifting their infrastructure from the cloud to Internet of Things (IoT) devices, according to Derek Manky, Chief of Security Insights & Global Threat Alliances at Fortinet's FortiGuard Labs.

From Triton to Stuxnet: Preparing for OT Incident Response
Threatpost talks to Dragos' Lesley Carhart about the top cybersecurity challenges facing manufacturers during the pandemic.

News Wrap Halloween Edition: Scary Election, Hospital Cyberattack Stories
This Halloween week, Threatpost editors break down the scariest stories haunting the security space, including: a wave of ransomware attacks targeting a number of hospitals, sparking worries about healthcare security and the impact on patients during COVID-19; "zombie" vulnerabilities - including Zerologon and SMBGhost - that continued to haunt system admins this week; and election security scares, from disinformation campaigns to cyberattacks hitting election infrastructure.

Holiday Shopping Craze, COVID-19 Spur Retail Software Security Storm
Chris Eng, chief research officer with Veracode, warns that the pandemic-driven shift from in-person to online shopping has pushed restaurants, boutique shops and other retailers onto new e-commerce software platforms - but they aren't prepared to implement the correct security measures for those platforms.

Sponsored Podcast: Phishing Lures Shift from COVID-19 to Job Opportunities
Derek Manky, Chief of Security Insights & Global Threat Alliances at Fortinet's FortiGuard Labs, said that cybercriminals cashed in on the surge of COVID-19 earlier this year with phishing emails purporting to be from healthcare professionals offering more resources and information about the pandemic.

News Wrap: Zoom's End-to-End Encryption Rollout and DDoS Extortion Threats
The Threatpost editors break down the top security stories of the week ended Oct. 16, including: Patch Tuesday insanity, with Microsoft and Adobe releasing fixes for severe vulnerabilities - including a critical, potentially wormable remote code execution Microsoft vulnerability; Barnes and Noble being hacked - and why some readers are unhappy with how the book purveyor announced the cyberattack; DDoS extortion email threats hitting companies across the globe - including Travelex; and Zoom finally rolling out end-to-end encryption on its video conferencing platform - and why this is different from the application's earlier "full encryption" claims.

305 CVEs and Counting: Bug-Hunting Stories From a Security Engineer
Larry Cashdollar shares his craziest bug-finding stories, including a flaw (CVE-1999-0765) in the SGI IRIX midikeys program that he found while working as a UNIX systems administrator - and which accidentally threw a wrench in a demo for a Navy admiral aboard an Aegis-class destroyer.

Critical Industrial Flaws Pose a Patching Headache For Manufacturers
Sharon Brizinov, principal vulnerability researcher with Claroty, who discovered vulnerabilities in a software component used by various critical infrastructure systems, talks about why patching is a headache for manufacturers and other industrial firms.

Vulnerability Disclosure: Ethical Hackers Seek Best Practices
The Zero Day Initiative team talks about the biggest vulnerability disclosure challenges that ethical hackers are facing - particularly in markets like the industrial world and IoT.

Disinformation A Booming Industry For Attackers As Elections Loom
With the U.S. presidential election looming, disinformation is a top challenge. In the four years since the 2016 presidential election, threat actors have built an entire sophisticated and intricate industry around disinformation - raising the bar for social media companies to detect and protect against this threat, new Cisco Talos research released Wednesday found.

News Wrap: AWS Cryptojacking Worm, IBM Privacy Lawsuit and More
Threatpost editors Lindsey O'Donnell-Welch and Tara Seals discuss the top security news stories of the week ended Aug. 21, including: IBM, the owner of the Weather Channel mobile app, has reached a settlement with the Los Angeles city attorney's office after a 2019 lawsuit alleged that the app was deceiving its users in how it was using their geolocation data. A cryptomining worm from the group known as TeamTNT is spreading through the Amazon Web Services (AWS) cloud and collecting credentials. Researchers are urging connected-device manufacturers to ensure they have applied patches addressing a flaw in a module used by millions of Internet-of-Things (IoT) devices.

Active 'Duri' Campaign Utilizes HTML Smuggling to Cloak Malware
Researchers are warning of an active campaign that uses HTML smuggling to deliver malware, effectively bypassing various network security solutions, including sandboxes, legacy proxies and firewalls. HTML smuggling is not a novel technique - attackers have used it for a while - so this campaign shows that bad actors continue to rely on older attack methods that still work. Learn more about this latest attack and how attackers are raising the bar during this week's Threatpost podcast.
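The reason HTML smuggling slips past a proxy or sandbox is that no executable crosses the wire: the page carries an encoded string, and JavaScript in the browser decodes it into a Blob and triggers a download. The scanner below is an added example written for this page, not code from the podcast or from the researchers it cites; it scores an HTML document on the combination of indicators that pattern needs (Blob construction, object URL or msSaveOrOpenBlob, a download attribute, a synthetic click, a large base64 literal). Both HTML documents in it are constructed samples, and the weights and threshold are assumptions to tune against your own traffic.

```python
"""Heuristic scan of an HTML file for HTML-smuggling indicators.

Added example, not from the podcast or the research it discusses. Each
indicator on its own is common in benign pages; the scanner flags the
combination. The two pages below are constructed samples, not malware.
"""
import re

# (name, regex, weight) - weights and threshold are assumptions, not a standard.
INDICATORS = [
    ("blob_ctor",       re.compile(r"new\s+Blob\s*\("), 2),
    ("object_url",      re.compile(r"URL\.createObjectURL\s*\("), 2),
    ("ie_save_blob",    re.compile(r"msSaveOrOpenBlob"), 2),
    ("download_attr",   re.compile(r"\.download\s*=|download\s*=\s*[\"']"), 1),
    ("synthetic_click", re.compile(r"\.click\s*\(\s*\)"), 1),
    ("atob_decode",     re.compile(r"\batob\s*\("), 1),
    ("big_b64_literal", re.compile(r"[\"'][A-Za-z0-9+/]{400,}={0,2}[\"']"), 3),
    ("binary_mime",     re.compile(r"application/(octet-stream|zip|x-msdownload)"), 1),
]
THRESHOLD = 7


def scan_html(html: str) -> dict:
    """Return {'score': int, 'hits': [indicator names], 'suspicious': bool}."""
    hits = [name for name, rx, _w in INDICATORS if rx.search(html)]
    score = sum(w for name, _rx, w in INDICATORS if name in hits)
    return {"score": score, "hits": hits, "suspicious": score >= THRESHOLD}


# Constructed sample: the shape of a smuggling page (the "payload" is junk bytes).
SMUGGLING_PAGE = """<html><body><script>
var b64 = '""" + ("QUJD" * 150) + """';
var bin = atob(b64);
var arr = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
var blob = new Blob([arr], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'invoice.zip';
document.body.appendChild(a);
a.click();
</script></body></html>"""

# Constructed sample: an ordinary page with a plain download link.
BENIGN_PAGE = """<html><body>
<a href="/files/report.pdf" download="report.pdf">Download report</a>
<script>document.querySelector('a').addEventListener('click', function(){});</script>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("smuggling", SMUGGLING_PAGE), ("benign", BENIGN_PAGE)):
        print(label, scan_html(page))
```

Run it against HTML bodies pulled from the proxy or mail gateway rather than on URLs alone; the point of the technique is that the URL and the first response look harmless, so the detection has to look at the script that runs after the page loads.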

Sponsored Podcast: The Perimeter Gets More Personal in 1H 2020
Derek Manky, Chief, Security Insights & Global Threat Alliances at Fortinet's FortiGuard Labs, said that the semi-annual FortiGuard Labs Global Threat Landscape Report for the first half of 2020, released Wednesday, reveals an "unprecedented cyber threat landscape."

Sponsored Podcast: Why IT and OT Security Priorities 'Don't Translate'
Information technology (IT) and operational technology (OT) may have many of the same objectives - but too often they don't see eye-to-eye when it comes to priorities, said Andrew Ginter, VP Industrial Security at Waterfall Security Solutions in this sponsored podcast.

Black Hat 2020 Preview: Election Security, COVID Disinformation and More
Despite the coronavirus pandemic pushing the Black Hat USA 2020 conference onto a virtual platform for the first time ever, you can expect the same hot security research and threat intel, high-profile speakers, and vulnerability research being disclosed. Threatpost editors Tom Spring, Tara Seals and Lindsey O'Donnell-Welch break down the top sessions, keynotes, speakers and themes to look out for in this week's podcast.

Sponsored Podcast: Security Lessons Learned In Times of Uncertainty
From the coronavirus pandemic breaking out, and corporate workforces going remote, "uncertainty is a key word" for 2020, Derek Manky, Chief, Security Insights & Global Threat Alliances at Fortinet's FortiGuard Labs said. Manky talks about the biggest lessons learned so far from 2020, including the most dire threats to date - from sophisticated social engineering lures, to Internet of Things (IoT) vulnerabilities to targeted ransomware attacks.

News Wrap: Twitter Hack, Apple Vulnerability Disclosure Restrictions Under Fire
In this week's Threatpost news wrap podcast, editors Tara Seals and Lindsey O'Donnell-Welch break down the top security news stories, including: Hackers accessed direct messages (DMs) for 36 of the 130 high-profile users whose accounts were hacked in an unprecedented account breach last week, Twitter confirmed Wednesday. Privacy commissioners worldwide urged video conferencing systems like Microsoft, Cisco and Zoom to adopt end-to-end encryption, two-factor authentication and other security measures. Apple's Security Research Device program is now open to select researchers – but some are irked by the program's vulnerability disclosure restrictions.

Lookout: Behind the Scenes of a 7-Year Android Spyware Campaign
Christoph Hebeisen, with Lookout, reveals the behind-the-scenes threat intel efforts for discovering a 7-year-old surveillance campaign that was targeting the Uyghur ethnic minority group.

A 'New Age' of Sophisticated Business Email Compromise is Coming
A newly discovered, sophisticated threat group that targets organizations without DMARC implemented and relies on business email compromise is heralding what researchers call "a new age" of business email compromise. The group, called Cosmic Lynx, is the first reported Russian BEC cybercriminal ring, and it's bringing the once run-of-the-mill email scam attack vector to the next level. The group has been associated with more than 200 BEC campaigns targeting senior-level executives in 46 countries since last July. It uses clear, articulate emails -- with vocabulary like "accretive" and "synergistic" -- that purport to be related to a "merger and acquisition," keeping with a sensitive theme that targeted employees likely won't discuss.
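Since the group selects targets that have no DMARC, the first check a defender wants is whether their own domains publish an enforcing policy, and "publishing a record" is not the same as "enforcing": p=none only reports, pct below 100 enforces on a fraction of mail, and sp=none leaves subdomains open. The code below is an added example for this page, not the researchers' code or a description of their tooling; it parses DMARC records and classifies the posture. The domain names and records are constructed samples, and no DNS lookup is performed (feed it the TXT record at _dmarc.<domain> in practice).

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record.

Added example, not from the podcast or the research it cites. The records
below are constructed samples; no DNS lookup is performed.
"""
from typing import Optional

# Constructed sample records keyed by hypothetical domain names.
SAMPLE_RECORDS = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example; pct=100",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "broken.example": "p=reject; v=DMARC1",   # v= must be the first tag
    "missing.example": None,                  # no _dmarc record at all
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; {} if a part has no '='."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            return {}
        tags[name.strip().lower()] = value.strip()
    return tags


def dmarc_posture(record: Optional[str]) -> dict:
    """Return a dict whose 'level' is one of none, invalid, monitor, partial, enforced."""
    if record is None:
        return {"level": "none", "reason": "no _dmarc TXT record"}
    # RFC 7489: v=DMARC1 must be the first tag and p= is required.
    first = record.split(";", 1)[0].strip().replace(" ", "")
    if first.upper() != "V=DMARC1":
        return {"level": "invalid", "reason": "record does not start with v=DMARC1"}
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"level": "invalid", "reason": "missing or unknown p= tag"}
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    pct = max(0, min(pct, 100))
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if policy == "none":
        return {"level": "monitor", "policy": policy, "pct": pct, "sp": sub_policy,
                "reason": "p=none only reports; spoofed mail is still delivered"}
    if pct < 100 or sub_policy == "none":
        return {"level": "partial", "policy": policy, "pct": pct, "sp": sub_policy,
                "reason": "enforced on a fraction of mail or not on subdomains"}
    return {"level": "enforced", "policy": policy, "pct": pct, "sp": sub_policy,
            "reason": "spoofed mail from this domain is quarantined or rejected"}


def audit(records: dict) -> dict:
    """Map each domain to its posture level."""
    return {domain: dmarc_posture(rec)["level"] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, level in audit(SAMPLE_RECORDS).items():
        print(f"{domain:20} {level}")
```

Anything other than "enforced" for a domain that sends mail on your behalf is what this group is looking for; the fix is a p=quarantine or p=reject policy at pct=100 once SPF and DKIM alignment is confirmed from the aggregate reports.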

Sponsored Podcast: Security Dangers in Rail Systems
Jesus Molina, with Waterfall Security, talks to Threatpost host Cody Hackett about the risks that rail operators are facing - from the security issues in railways to the trains themselves - and how railways can stay up-to-date on the best cybersecurity measures by adopting unidirectional gateways and separating enterprise and operational networks.

EvilQuest: Inside The 'New Class' of Mac Malware
Mac expert Thomas Reed talks about how the newly discovered EvilQuest ransomware is ushering in a new class of Mac malware.

AWS Facial Recognition Platform Misidentified Over 100 Politicians As Criminals
After months of public concerns surrounding facial recognition's implications for data privacy, surveillance and racial bias, tech companies and governments alike are pausing use of the technology until adequate regulation is proposed. Threatpost talks to Paul Bischoff, consumer privacy expert with Comparitech, about recent research showcasing flaws in the accuracy of Amazon's facial recognition platform - and why concerns around racial bias and data privacy aren't going away anytime soon.

News Wrap: Malicious Chrome Extensions Removed, CIA 'Woefully Lax' Security Policies Bashed
For the week ended June 19, Threatpost editors Lindsey O'Donnell-Welch, Tom Spring and Tara Seals break down the top cybersecurity stories. This week's top news stories include: Google removing 106 Chrome browser extensions from its Chrome Web Store in response to a report that they were being used to siphon sensitive user data. An internal investigation into the 2016 CIA breach condemning the agency's security measures, saying it "focused more on building up cyber tools than keeping them secure." How the insider threat landscape is changing due to work from home - a topic that Threatpost will continue to discuss in its webinar next week.

Would You Use A Contact-Tracing Coronavirus App?
As a world afflicted by the coronavirus pandemic begins to re-open restaurants, retail stores and more, public health officials remain concerned about the spread of the virus. Contact-tracing apps, intended to help citizens learn whether they were exposed to someone who has tested positive for the virus, have been created by countries, U.S. states (like Utah) and tech giants like Apple and Google. But behind the public health benefits of contact tracing are privacy worries, technology issues like interoperability, and other challenges. Threatpost discusses the benefits - and the challenges - of contact-tracing apps with Steve Moore, chief security strategist at Exabeam.

News Wrap: Fake Minneapolis Police Breach, Zoom End-To-End Encryption Debate
Threatpost editors Lindsey O'Donnell-Welch and Tara Seals discuss the top security news stories of the week, including: Reports emerged earlier this week that the Minneapolis police department had been breached by hacktivist group Anonymous. Security expert Troy Hunt debunked the reports, however. Zoom sparked debate after announcing that it would offer end-to-end encryption to paying users only - explaining that it couldn't offer it to everyone as it needs to work with law enforcement to crack down on platform abuse.

Sponsored Podcast: Why Identity Access Management is the New Perimeter
With the proliferation of cloud in enterprise environments, identity today is very different than how it used to be. Threatpost host Cody Hackett talks to Brian Johnson, CEO and co-founder of DivvyCloud, about how identity access management (IAM) is rapidly changing - and how businesses can keep up.

Verizon Data Breach Report: Web Application Attacks Skyrocket, Espionage Dips
Verizon's 2020 Data Breach Investigations Report (DBIR), released Tuesday, analyzed 32,002 security incidents and 3,950 data breaches across 16 industry verticals. While cyber-espionage attacks and malware decreased, other trends, such as security "errors" (like misconfigurations), denial of service (DoS) attacks and web application attacks, saw startling growth.

News Wrap: New Ransomware Extortion Tactics, Contact-Tracing App Security Worries
Threatpost editors discuss the top news stories of the week ended May 15, including: Recent ransomware attacks, including ones targeting healthcare giant Magellan, the IT office that supports Texas appellate courts and judicial agencies, and a popular law firm that works with several A-list celebrities, including Lady Gaga, Drake and Madonna. "Double extortion" methods being increasingly used by ransomware actors - and new research that found paying a ransom to unlock systems can actually cost companies more financially than recovering data themselves in the long run. The state of Utah announcing it has settled on a contact-tracing mobile app that collects detailed user location information to track the spread of COVID-19 among citizens – eschewing the API model proposed by Apple and Google in April. The roadmap for a COVID-19 contact-tracing app, to be rolled out by the UK's National Health Service (NHS), thrust into the spotlight thanks to sensitive documents being leaked via a public Google Drive link.

Sponsored Podcast: Shifting Left With Infrastructure-as-Code
Companies are increasingly dealing with a slew of security and compliance issues across cloud services and containers - from AWS to Azure to GCP. Infrastructure as Code (IaC) security capabilities can help companies "shift left" to improve developer productivity, avoid misconfigurations and prevent policy violations. Threatpost host Cody Hackett talks to Chris Hertz, vice president of cloud security sales at DivvyCloud by Rapid7, about the top trends he's seeing around cloud security and how IaC is helping companies handle security and compliance.
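In practice "shifting left" with IaC means evaluating the planned change in the pipeline and failing the build before anything is applied, which is cheaper than finding the misconfiguration in a cloud posture scan afterwards. The checker below is an added example for this page, not DivvyCloud's product or code; it reads a Terraform plan exported as JSON and flags two classic misconfigurations: an admin port open to 0.0.0.0/0 in a security group, and an S3 bucket with a public ACL. The plan is a constructed sample in the shape `terraform show -json` emits for the root module (child modules are not walked here), and the two rules are illustrative, not a policy set.

```python
"""Pre-apply policy check over a Terraform plan exported as JSON.

Added example, not DivvyCloud's code. The plan below is a constructed
sample shaped like 'terraform show -json tfplan' output (root module only);
the two checks are illustrative rules, not a complete policy.
"""
import ipaddress
import json

# Constructed sample: one open security group, one public bucket, one private bucket.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_security_group.admin", "type": "aws_security_group",
         "values": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["10.0.0.0/8"]}]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "corp-logs", "acl": "public-read"}},
        {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
         "values": {"bucket": "corp-data", "acl": "private"}},
    ]}}
})

ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def _is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0; malformed CIDRs are treated as not world-open."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_security_group(res: dict) -> list:
    findings = []
    for rule in res.get("values", {}).get("ingress", []) or []:
        if not any(_is_world(c) for c in rule.get("cidr_blocks", []) or []):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed or rule.get("protocol") == "-1":   # "-1" is "all protocols"
            findings.append(f"{res['address']}: admin port(s) {exposed or 'all'} "
                            f"open to the world")
    return findings


def check_s3_bucket(res: dict) -> list:
    acl = res.get("values", {}).get("acl", "private")
    if acl in PUBLIC_ACLS:
        return [f"{res['address']}: bucket ACL '{acl}' grants access outside the account"]
    return []


CHECKS = {"aws_security_group": check_security_group, "aws_s3_bucket": check_s3_bucket}


def evaluate_plan(plan_json: str) -> list:
    """Return the findings; an empty list means the plan may proceed."""
    plan = json.loads(plan_json)
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    findings = []
    for res in resources:
        check = CHECKS.get(res.get("type"))
        if check:
            findings.extend(check(res))
    return findings


if __name__ == "__main__":
    import sys
    found = evaluate_plan(SAMPLE_PLAN)
    print("\n".join(found) or "no findings")
    sys.exit(1 if found else 0)   # non-zero exit blocks the pipeline stage
```

Wire it in after `terraform plan -out tfplan` and `terraform show -json tfplan > plan.json`; the non-zero exit is what turns a finding into a blocked merge rather than a dashboard entry.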

News Wrap: Microsoft Sway Phish, Malicious GIF and Spyware Attacks
Threatpost editors Tom Spring, Tara Seals and Lindsey O'Donnell-Welch talk about the biggest news stories of the week ended May 1, including: A "PhantomLance" espionage campaign discovered targeting specific Android victims, mainly in Southeast Asia - which could be the work of the OceanLotus APT. A highly targeted phishing campaign, uncovered this week, that abused Microsoft's Sway platform and successfully siphoned the Office 365 credentials of more than 150 executives since mid-2019. A vulnerability in Microsoft Teams that could have allowed an inside attacker to weaponize a single GIF image and use it to pilfer data from targeted systems and take over all of an organization's Teams accounts.

Troves of Zoom Credentials Shared on Hacker Forums
Thousands of recycled Zoom credentials have been unearthed on underground forums as cybercriminals tap into remote workers. In this week's podcast, Threatpost does a deep dive into how these credentials are being collected, shared and used.

News Wrap: Nintendo Account Hacks, Apple Zero Days, NFL Security
For the week ended April 24, Threatpost editors discuss a bevy of recent cybersecurity news stories, including: Apple zero days disclosed in iOS; researchers say they have been exploited for years, but Apple has pushed back and said there's no evidence to support such activity. Nintendo confirming that over 160,000 accounts have been hacked, due to attackers abusing a legacy login system. With the NFL's virtual draft kicking off this week, security researchers and teams sounding off on security issues that could lead to data theft or denial of service attacks.

Work From Home Networks Plagued By Malware, Exposed Services
In this week's Threatpost Podcast, Threatpost talks to Dan Dahlberg, director of security research at BitSight, about new research that found that work from home remote office networks are 3.5 times more likely than corporate networks to have a malware infection present.

Bypassing Fingerprint Scanners With 3D Printing
Researchers with Cisco Talos created threat models outlining how fingerprint scanners could be bypassed using 3D printing technology, and tested them on various mobile devices (including the iPhone 8, Samsung S10 and Samsung Note 9), laptops (including the Lenovo Yoga and HP Pavilion X360) and smart devices (a smart padlock and two USB encrypted pen drives). Craig Williams, director of Cisco Talos Outreach, walks through the results on the Threatpost podcast.

News Wrap: Coronavirus Scams, Work From Home Security Woes, Pwn2Own
For the week ended March 20, Threatpost editors break down the top security stories, including: the various cybercriminal activity - from malware, phishing and other scams - tapping into the coronavirus pandemic; the security risks of businesses working from home due to the virus' spread; privacy concerns as more governments use facial recognition and mobile apps for tracking the virus; and the results of Pwn2Own, which took place this week.

IoT Device Security: The Good, The Bad and The Ugly
A recent 2020 IoT report found that more than half of IoT devices are vulnerable to medium- or high-severity attacks, making IoT the low-hanging fruit for attackers. Threatpost talks to Ryan Olson, vice president of Threat Intelligence for Unit 42 at Palo Alto Networks, and May Wang, senior distinguished engineer at Palo Alto Networks and former Zingbox CTO, about the top IoT threats.

RSA Conference 2020 Preview
The RSA 2020 conference kicks off next week in San Francisco, this year with a theme looking at the "human element" of cybersecurity. As they prepare to cover the show, Threatpost editors Lindsey O'Donnell-Welch, Tom Spring and Tara Seals break down the biggest news, stories and trends that they expect to hear about at RSA 2020 this year - from trends in the industrial cybersecurity landscape, to connected medical device security issues that will be flagged.

News Wrap: Valentine's Day Scams and Emotet's Wi-Fi Hack
Threatpost editors Tara Seals and Lindsey O'Donnell-Welch break down the top stories for this week, ended Feb. 14, including: Recent phishing scams - including ones with a romance hook - continue to trick victims, showing that phishing tactics still work in stealing millions from individuals, corporations, and even government agencies. Emotet has a newly discovered feature that hacks nearby Wi-Fi networks, allowing the prolific malware to spread rapidly, like a worm. The operators behind the Robbinhood ransomware are using a new tactic called "bring your own bug," which researchers think will continue in future campaigns. Patch Tuesday craziness this week included 99 patches from Microsoft, as well as vulnerability fixes from Adobe, Intel and Mozilla Firefox.

Katie Moussouris: The Bug Bounty Conflict of Interest
Bug bounty programs continue to increase in popularity – but that popularity has its downsides. Since the launch of the Hack the Pentagon program in 2016, bug bounty programs have quickly grown in popularity. However, as more programs are created, some companies are forgetting the real reason behind bug bounties. That is, instead of making their systems more secure, companies want to merely hunt bugs. Threatpost talked to Katie Moussouris, founder and CEO of Luta Security, to hear more about her thoughts about the challenges in developing – and launching – bug bounty programs.

Critical Cisco 'CDPwn' Flaws Break Network Segmentation
Researchers on Wednesday disclosed five critical vulnerabilities in Cisco Discovery Protocol (CDP), the Cisco-proprietary Layer 2 network protocol used to discover information about locally attached Cisco equipment. Threatpost talked to Ben Seri, VP of Research at Armis, who discovered the flaws, about their impact and why Layer 2 protocols are an under-researched area. Researchers say that the vulnerabilities, which they collectively dub CDPwn, can allow attackers to remotely take over millions of devices. The flaws specifically exist in the parsing of CDP packets, in the protocol implementation for various Cisco products, from its software to IP cameras. Cisco issued patches on Wednesday addressing the five flaws, and is urging users to update as soon as possible.
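CDP is a type-length-value protocol, and the recurring mistake in TLV parsers is trusting the attacker-supplied length field: a length larger than the remaining frame reads past the buffer, and a length smaller than the TLV header itself underflows the value size or stalls the loop. The parser below is an added example for this page, not Cisco's implementation and not Armis' research code; it shows what a bounds-checked CDP parser looks like and rejects both malformed cases. The three packets are constructed samples (the device, port and platform strings are invented), and the checksum is carried through but not verified.

```python
"""Bounds-checked parser for the CDP payload that follows the LLC/SNAP header.

Added example, not Cisco's code and not Armis' research. Every length field
is treated as hostile. The packets below are constructed samples.
"""
import struct

TLV_NAMES = {0x0001: "Device-ID", 0x0002: "Addresses", 0x0003: "Port-ID",
             0x0004: "Capabilities", 0x0005: "Software-Version", 0x0006: "Platform"}


class CdpParseError(ValueError):
    pass


def parse_cdp(payload: bytes) -> dict:
    """Parse version/TTL/checksum and the TLV list; raise on any inconsistency."""
    if len(payload) < 4:
        raise CdpParseError("payload shorter than the 4-byte CDP header")
    version, ttl, checksum = struct.unpack("!BBH", payload[:4])
    if version not in (1, 2):
        raise CdpParseError(f"unsupported CDP version {version}")
    tlvs = []
    offset = 4
    while offset < len(payload):
        if len(payload) - offset < 4:
            raise CdpParseError(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + 4])
        # tlv_len includes the 4-byte header: smaller than 4 is impossible,
        # larger than the remaining bytes is a read past the buffer.
        if tlv_len < 4:
            raise CdpParseError(f"TLV 0x{tlv_type:04x} length {tlv_len} < 4")
        if offset + tlv_len > len(payload):
            raise CdpParseError(f"TLV 0x{tlv_type:04x} length {tlv_len} overruns payload")
        value = payload[offset + 4:offset + tlv_len]
        tlvs.append((TLV_NAMES.get(tlv_type, f"0x{tlv_type:04x}"), value))
        offset += tlv_len
    # The checksum is returned but not verified here.
    return {"version": version, "ttl": ttl, "checksum": checksum, "tlvs": tlvs}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Build one TLV; length counts the header, as in CDP."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


# Constructed sample: a well-formed announcement from a hypothetical switch.
GOOD_PACKET = (struct.pack("!BBH", 2, 180, 0)
               + tlv(0x0001, b"switch01.example")
               + tlv(0x0003, b"GigabitEthernet0/1")
               + tlv(0x0006, b"hypothetical-platform"))

# Constructed sample: Device-ID claims 0x4000 bytes but only two follow.
OVERRUN_PACKET = (struct.pack("!BBH", 2, 180, 0)
                  + struct.pack("!HH", 0x0001, 0x4000) + b"sw")

# Constructed sample: length below the header size; a parser that computes
# value_len = tlv_len - 4 unsigned, or advances by tlv_len, would underflow or spin.
UNDERSIZE_PACKET = (struct.pack("!BBH", 2, 180, 0)
                    + struct.pack("!HH", 0x0003, 2))


def safe_parse(payload: bytes):
    """Return the parsed dict, or 'rejected: ...' for a malformed packet."""
    try:
        return parse_cdp(payload)
    except CdpParseError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, pkt in (("good", GOOD_PACKET), ("overrun", OVERRUN_PACKET),
                      ("undersize", UNDERSIZE_PACKET)):
        print(name, safe_parse(pkt))
```

The same two checks (minimum length, and offset plus length within the buffer) are the ones to look for when auditing any Layer 2 discovery parser, since these protocols are reachable by anyone with a cable on the same segment and usually run before any authentication.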

WhatsApp Hacks Point to Sophisticated Mobile Cyberattacks
Oded Vanunu, head of products vulnerability research at Check Point Research, has seen his share of WhatsApp vulnerabilities - at Black Hat 2019 he demoed several flaws in the messaging platform that could be used to manipulate chats, for instance. However, Vanunu told Threatpost at CPX 360, Check Point's annual security conference taking place this week, that WhatsApp is a prime example of how mobile devices are increasingly being targeted by nation-state actors, in stark contrast to the less serious threats, like adware, that mobile devices faced previously.

Vivin Nets Thousands of Dollars Using Cryptomining Malware
Threatpost talks to Nick Biasini, a threat researcher at Cisco Talos, about a recently uncovered threat actor, dubbed Vivin, that has made thousands of U.S. dollars through a large-scale cryptomining campaign.

News Wrap: PoC Exploit Controversy, Cable Haunt & Joker Malware
This week's news wrap podcast breaks down the biggest Threatpost security stories of the week, including: Various proof-of-concept exploits being released for serious vulnerabilities this week - including for the recently-patched crypto-spoofing vulnerability found by the National Security Agency and reported to Microsoft. Multiple cable modems used by ISPs to provide broadband into homes have a critical vulnerability in their underlying reference architecture, dubbed "Cable Haunt," that would allow an attacker full remote control of the device. Google's continual battle against attackers who are infiltrating Google Play with Android apps (more than 17,000 apps to date) distributing the Joker malware. Google setting an aggressive two-year deadline for dropping support for third-party tracking cookies in its Chrome web browser.

NSA Detects Major Microsoft Windows Flaw: What It Means
A major Microsoft crypto-spoofing bug impacting Windows 10 made waves this Patch Tuesday, particularly as the flaw was found and reported by the U.S. National Security Agency (NSA). Microsoft's January Patch Tuesday security bulletin disclosed the "important"-severity vulnerability, which could allow an attacker to spoof a code-signing certificate, vital to validating executable programs in Windows, and make it appear as if an application was from a trusted source. Threatpost talked to Pratik Savla, senior security engineer at Venafi, about the vulnerability, whether the hype around the flaw was warranted, and what the disclosure means for the NSA.

CCPA's Biggest Challenge: Where's The Data?
The California Consumer Privacy Act is being touted as one of the strongest privacy regulations enacted in the U.S. so far. However, though the CCPA took effect on January 1, 2020, the act still has several loose ends and privacy loopholes that need to be fleshed out. At a high level, the CCPA mandates strict requirements for companies to notify users about how their data will be used and monetized, along with giving them straightforward tools for opting out. However, one of the bigger challenges with the CCPA is the question of tracking where that user data lives, Terry Ray, SVP and fellow with Imperva, tells Threatpost.

The Roadblocks and Opportunities For Women in Cybersecurity
In 2019, diversity in cybersecurity was thrust to the forefront with recognition from both vendors and experts. The tech industry is facing challenges around diversity in general, but women are particularly underrepresented. And with an estimated 3.5 million jobs expected to remain unfilled by 2021, infosec is certainly a lucrative space for women. Threatpost sat down with Jessica LaBouve, a pen tester with A-LIGN, to discuss the personal challenges she's faced in the cybersecurity industry and the opportunities for improvement she sees in the space.