Unsupervised Learning

[ Subscribe to the Podcast: iTunes | Android | RSS ] InfoSec news and articles BAE systems saying that SWIFT hack is linked to the Sony breach [ Link ] Kaspersky is saying ransomware is the #1 threat now [ Link ] Identity thieves grab W-2 data from Equinox [ Link ] Germany claims it was […] -- :: Unsupervised Learning: Episode 39 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] InfoSec news and articles Michigan lawmakers want life sentence for hacking cars | will that apply to changing the speed of your turn signal? SWIFT to get update after Bangladesh hack NSA is so overwhelmed with data that it’s no longer effective FBI now […] -- :: Unsupervised Learning: Episode 38 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] InfoSec news Feds paid over 1M to get into San Bernardino iPhone Continued fallout from Panama papers 3.2 million servers vulnerable to JBoss attack which is being used in SamSam ransomware attacks MIT launches internal bug bounty platform | https://threatpost.com/mit-launches-experimental-bug-bounty-program/117618/ NSA recommends out-of-band taps […] -- :: Unsupervised Learning: Episode 37 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] Nothing useful found on Farook’s phone | http://www.theregister.co.uk/2016/04/14/nothing_useful_on_farook_iphone/?utm_source=dlvr.it&utm_medium=facebook | I think they knew this and used it as a lever for something they’ve wanted for a long time [ ] Apple engineers say security threat is hackers, not government | http://www.macrumors.com/2016/04/15/apple-engineers-hackers-security-threat/ […] -- :: Unsupervised Learning: Episode 36 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] The hack of Mossak Fonseca has been tied to a breach of their wordpress install through a plugin called Revolution Slider, leading to the Panama Papers breach. So just to be clear, we might have just seen the biggest data leak […] -- :: Unsupervised Learning: Episode 35 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] — I think a lot about how to become immortal. More than I should, probably. Many think it’s a waste of time. Everyone dies, and it’s foolish to think we can avoid it. This piece takes a different view, and describes a number of ways, with varying levels of requirement and effectiveness, one can either avoid dying or live on after death. They’ll go from most practical to most effective. 1. Live On Through Your Children This one is cheating a bit, mostly because you’re not actually becoming immortal. But the fact remains that this does give many people (probably billions) a genuine feeling of lastingness, and that’s significant. Again, I don’t really count it because it’s an extremely tenuous way of living on, but it deserves mention. 2. Live On Through Your Works This one is kind of like the first, in that you’re not actually getting to continue living. So it’s a bit of a misnomer too. What it deals with, however, can also provide a significant sense of contentment at the end of one’s life. Basically, if you leave behind works and ideas that will be used by significant numbers of people, for a significant period of time, you can think of this as living on. It’ll take some sting off of dying, perhaps. But not much. You’re still dead. 3. Reconstruction Through Reproduction of Variables Ok, now we’re getting into actual survivability. This one works like this: either before you die, or after you are dead, an organization collects a series of inputs about you and uses them to create a working model of you. Here are some of the input types: * Your DNA (this is really important) * Everything there is to know about where you grew up (what was happening in the world then, where you went to high school, what the major news events were, the major themes in culture and art, etc.) * Everything there is to know about the people you grew up with * All your personal, transformational experiences. This can be gathered from a myriad of sources, but your own description of the incidents will be key. It’ll also come from interviews with people who know those experiences and how they affected you * Every piece of output you left behind, e.g. blog posts, Facebook posts, books, essays, schoolwork, letters, videos, whatever. They’re all harvested for evidence of who you are Then, the system takes the environment data and models it against your DNA, which it got from a piece of hair or something. It runs your entire genome and determines how you would respond mentally to these various stimuli. The output is a digital life form that is, as much as it can be, you. You now live in cyberspace somewhere, and you’re introduced to the fact that you were reconstructed using this method, and that you have this rich history, etc. You are you. 4. Preserving Your Brain to Be Put in Another Body in the Future Another method for achieving comfort that you’ll continue to live after death is to have a reliable way to preserve your brain once you pass, with the belief that it’ll be either 1) put into another body later (not my favorite idea), or 2) it’ll be downloaded into a digital form to live permanently in cyberspace. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

News [ ] Panama Papers leak [ ] Hackers targeting major US law firms [ ] Ubuntu has some kernel vuln patches out [ ] 50 million turkish citizens have their information dumped online [ ] Microsoft makes cloud-app security services now available (Adallom) [ ] OSVDB shutting down because nobody would pay them [ ] WhatsApp is now end-to-end encrypted [ ] Critical new Flash bug, expect Ransomware to leverage it [ ] Security salaries skyrocketing due to talent shortage | http://www.csoonline.com/article/3049374/security/survey-with-all-eyes-on-security-talent-shortage-sends-salaries-sky-high.html [ ] Data exfiltration using Smart Lightbulbs | http://www.scribd.com/doc/306620189/Eyal-Ronen-and-Adi-Shamir-Hack-Lightbulbs [ ] Significant Firefox extensions bug, look for a patch soon [ ] $40 attack that steals police drones from 2 kilometers away | http://www.theregister.co.uk/2016/04/01/hacker_reveals_40_attack_to_steal_28000_drones_from_2km_away/ | break wep, disconnect their controller, connect yours, must be within 100 meters [ ] IoT is expected to push the US ahead of China in manufacturing by 2020 | http://www.zdnet.com/article/internet-of-things-analytics-expected-to-push-u-s-ahead-of-china-for-manufacturing/ [ ] 1,400 vulnerabilities found in automated medical supply system | https://www.helpnetsecurity.com/2016/03/30/1400-flaws-automated-medical-supply-system/ | automated cabinets that dispense medical supplies , if you’re locked out it could be bad -- :: Unsupervised Learning: Episode 33 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] News * [ ] Verizon Enterprise Solutions had a major data breach of their customer data. This is the group that handles breaches for their customers. “Virtually every attack in this data set (98 percent) was opportunistic in nature, all aimed at easy marks…” * [ ] Iranians charged with attacks against US banks and a New York dam * [ ] Hackers steal 81 billion from the Federal reserve bank of New York * [ ] Uber launches bug bounty program, describes the surface area. Someone said it was really bad, though. Not sure what that’s about * [ ] New ultra-fast SSD technology coming from Intel soon * [ ] FBI backs off request for Apple backdoor. Says they have it handled. We find out it’s an Israeli company * [ ] Water treatment plant hacked, chemical mix changed for tap supplies | http://www.theregister.co.uk/2016/03/24/water_utility_hacked/ * [ ] German steel mill compromised and wrecked a blast furnace * [ ] This is after a string of attacks against power companies using spear phishing and office malware * [ ] Microsoft’s AI Chatbot was a teenage girl, but it learned from the people who talked to it, so before long it was talking about loving incest, sex, and hitler * [ ] Millions of Android devices vulnerable to root exploit due to Snapdragon chip flaw * [ ] Kentucky-based Methodist Hospital declares state of emergency after it’s wrecked by Locky ransomware * [ ] Credit Card Breaches Linked To Security Cameras * [ ] Chinese national pleads guilty to stealing plans for Air Force aircraft * [ ] Hackers offer Apple’s Ireland staff $23,000 for their login credentials * [ ] Ransomware hitting major vulns: The Angler, Neutrino, Magnitude, RIG, and Nuclear exploit kits spread the Flash CVE 2015-7645 exploit; Angler spreads Flash 2015-8446; Angler and Neutrino spread Flash CVE 2015-8651; and Angler spreads Silverlight CVE-2016-0034, an exploit exposed in the Hacking Team breach. * [ ] Microsoft Deploys Macro Blocking Feature in Office to Curb Malware Ideas, updates, and discussion * [ ] Innovation Sandbox | Innovative Security Products (2016 Edition) * [ ] AI and messaging apps are the new mobile apps * [ ] Human Attention as Attack Surface | https://danielmiessler.com/blog/human-attention-as-influence-attack-surface/ * [ ] Most can’t respond to breach: http://blogs.csc.com/2016/03/15/while-majority-of-orgs-fear-big-breach-theyre-not-prepared-to-respond/?utm_content=bufferc043c&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer * [ ] How your data is collected and commoditized online by free online services | http://www.troyhunt.com/2016/03/how-your-data-is-collected-and.html Tools, talks, and projects * [ ] Innovation Sandbox | Innovative Security Products (2016 Edition) * [ ] 2016 Data Breach Digest | https://danielmiessler.com/blog/analysis-verizons-2016-data-breach-digest/ * [ ] AI and messaging apps are the new mobile apps | https://danielmiessler.com/blog/ai-assistants-are-the-new-applications/ * [ ] Idea Expansion Format | https://danielmiessler.com/blog/idea-expansion-format-ief/ * [ ] BinDiff is a comparison tool for binary files that helps to quickly find differences and similarities in disassembled code. * [ ] IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins, tweets and log files using a message queuing protocol.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] FBI saying it will force Apple to hand over source code and signing ability if they don’t comply | http://thehackernews.com/2016/03/fbi-apple-iphone.html [ ] Locky ransomware campaign, JS downloader [ ] X11 forwarding issue in OpenSSH, update now [ ] Seagate Phish Exposes All […] -- :: T1SP: Episode 31 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] [ UPDATE: Much credit to Sam for engaging in the conversation. I’m not sure how people claim he’s closed on this topic when he is clearly open to exploring it. ] I don't agree with all of it. But this is a very good response to my remarks about encryption. https://t.co/rMl8zgtuWN@danielmiessler— Sam Harris (@SamHarrisOrg) February 28, 2016 — I’ve been planning on doing a podcast episode on the Apple encryption debate for some time, but I was unsure of the format I should use. This problem was just solved for me when I listened to Sam Harris—who is someone I respect greatly—miss the mark significantly in a recent podcast. The thing that compelled me to respond was the fact that I don’t often disagree with Sam. His logic is usually impeccable, and we often end up with nearly identical opinions. So it was somewhat surreal to hear him be wrong about something. Or at least disagree with me (which, of course, may not be the same thing). Anyway, being in information security myself I felt like a response was important. This essay takes the form of a retort to his comments, followed by my own points and then a summary. Sam’s points [ The points are summarized, by the way, not necessarily exact quotes. ] * Apple built the lock, but didn’t build the key, and now they’re telling us that building the key would put us all at risk. Self-serving abdication of responsibility. * Community in tech swayed by Snowden. Even when the government gets a court order, they think they shouldn’t give access * Gives cases where text messages could have helped solve a murder, but the texts are unread because the iPhone is unbreakable. Imagine being a family member! * Could someone build an impregnable room inside their own house? * What if you could take a drug that could make your DNA unanalyzable? So you could never be linked to any crime. The only people who would benefit would be criminals! * Apple could maintain the backdoor and it’d be fine, just like banks have your banking information. They’re trading on paranoia. My responses [ NOTE: This will come in the form of a podcast, which I may still record. I wrote it largely in the voice of a spoken conversation. ] First, let’s start with where we agree. You speak of a “Cult of Privacy”, where people are blindly saying that Snowden did nothing wrong whatsoever, that he didn’t set a dangerous precedent, that any violation of privacy in any case is always bad, etc., etc. I absolutely agree with you that this is not an intelligent way to understand and discuss current events. But there’s another cult on the other side, and it’s one that you’re coming dangerous close to membership in. And that’s “The Cult of Safety”. This one works like this: If there is any situation in which some amount of data could be used to help learn where a kidnapped girl is, or where a terrorist’s bomb will detonate, then it’s within the rights of a government to legally seize ...Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] News * [ ] Apple calls out FBI on iPhone decryption case * [ ] Trump calls for a boycott of Apple, from an iPhone * [ ] Judge Rules FBI Must Reveal Malware It Used to Hack Over 1,000 Computers * [ ] Wow. Someone hacked @linuxmint’s website and replaced ISOs with backdoored version today http://blog.linuxmint.com/?p=2994 * [ ] This affects a universally used library (glibc) at a universally used protocol (DNS). Generic tools that we didn’t even know had network surface (sudo) are thus exposed, as is software written in programming languages designed explicitly to be safe. ~ Dan Kaminsky * [ ] Mint Forum Hacked, website compromised, fake downloads posted * [ ] TeslaCrypt now targeting Joomla sites as well as WordPress * [ ] Hollywood Hospital pays 17K to decrypt files; hope they cleaned up afterwards otherwise they’ll be paying rent * [ ] Patch your vServer; RCE flaw * [ ] Power grid honeypot by MalCrawler Ideas, updates, and discussion * [ ] The San Bernadino health department changed the iCloud password (at the FBI’s request) after having the device for just a few hours * [ ] The FBI didn’t have the other two phones, which were destroyed * [ ] The implications for data security if US companies are told the government must be able to get in is that US citizens will soon be told that they cannot create, purchase, or use tech that is locked down in this way * [ ] There’s another way to the iPhone data: https://threatpost.com/delicate-hardware-hacks-could-unlock-shooters-iphone/116388/ via @IOActive Tools, talks, and projects * [ ] Bitquark is releasing some subdomain research; will be added to SecLists * [ ] Log.io web interface for looking at log files | http://www.tecmint.com/linux-server-log-monitoring-with-log-io/ * [ ] Lobotomy: Automate Android assessment and reversing | https://n0where.net/android-security-toolkit-lobotomy/ * [ ] SSLyze: https://n0where.net/fast-and-full-featured-ssl-scanner-sslyze/ * [ ] SELKS: Full NSM with Suricate and rule manager | https://www.stamus-networks.com/downloads/ Announcements * [ ] I’ll be at the IOAsis at RSA next week; come by and say hello Miscellaneous * [ ] War-games movie prompted Reagan to take cybersecurity action | http://www.nytimes.com/2016/02/21/movies/wargames-and-cybersecuritys-debt-to-a-hollywood-hack.html [ Subscribe to the Podcast: iTunes | Android | RSS ] Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] Major Cisco ASA buffer overflow; patch now [ ] Critical patches for Windows and Flash [ ] The FBI is officially investigating Hillary Clinton regarding her private email server [ ] NSA doing a complete reorg (basically combining defense and offense) […] -- :: T1SP: Episode 28 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] Heavy surveillance around the Super Bowl [ ] A new BlackEnergy spear phishing campaign is targeting more Ukrainian companies [ ] Magneto, the popular e-commerce CMS, releases fixes to critical XSS issues [ ] Someone has posted private files of America’s […] -- :: T1SP: Episode 27 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] Backdoor found in AMX devices that run corporate and government conference rooms [ ] Autopwn every Android device on your network using BetterCap and addJavascritInterface [ ] Cyber insurance challenged: a lawsuit for failing to cover a 500K loss in Houston […] -- :: T1SP: Episode 26 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] News * [ ] TrendMicro node.js server listening on localhost can execute commands; exposed to the internet * [ ] SSH backdoor found in Fortinet firewalls * [ ] SSH client vulnerability * [ ] Australia’s Cybercrime Online Reporting Network (ACORN) received over 39K reports of criminal activity in 2015 * [ ] Hyatt names 250 hotels hit by malware, includes the one for DerbyCon * [ ] Web sense rebranding as Forepoint, acquires Intel’s firewall business * [ ] Twitter might be ending its 140 character limit * [ ] Major vulns still being found in Health and Fitness mobile apps * [ ] Angler exploit kit continues to evade detection * [ ] LostPass attack is a phishing email attack that works against LastPass (showed at Shmoocon this weekend) * [ ] Virus just took down the Melbourne Health computer system * [ ] Lastpass has found a workaround for the LostPass attack * [ ] A bit match fixing problem has been found in Tennis * [ ] Trustwave is being sued by Affinity for supposedly missing an second hack that was going on while they were there to fix an initial hack Ideas, updates, and discussion * [ ] IR is messy and dangerous; assume compromise; assume continued compromise; be extremely careful saying that things were contained; if you’re not Mandiant you’re probably not doing a great job * [ ] Smartphone encryption and the gun debate: same coin? ISIS supposedly has its own encryption app. What next, make murder illegal? Tools, talks, and projects * [ ] FIR – Fast Incident Response Management Platform * [ ] DIVA damn insecure and vulnerable Android app * [ ] Kill Chain for Kali Linux 2.0 : recon, weaponization, delivery, exploit, installation, c2, actions * [ ] EZ-Wave: exploiting Z-Wave networks using SDR * [ ] GoPhish: open source phishing framework * [ ] V3n0m SQLi scanner * [ ] VScan : uses NSE scripts to find vulns * [ ] SleepyPuppy Burp Extension * [ ] DBDAT — Database Assessment Tool — https://github.com/foospidy/DbDat Announcements * [ ] Speaking at AppSec Cali next week (Tuesday) on ATM * [ ] Shmoocon hiring list: http://www.room362.com/2016/01/2016-shmoocon-hiring-list.html Miscellaneous * [ ] Great security news source: https://security.didici.cc/news * [ ] Thanks to Tripwire for giving a shoutout to the podcast on Twitter [ Subscribe to the Podcast: iTunes | Android | RSS ] Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] News * [ ] Norse lays of 20 people; not clear what percentage that is; threat intel not going so well? * [ ] OPM declines to release details on its big breach * [ ] Juniper says it’s going to remove the code that it thinks was developed by the NSA to eavesdrop on traffic * [ ] CVE details lists (OS X, iOS, Flash, Air, IE, Chrome, Firefox) as the software with the most issues * [ ] GM is going to do a bug bounty * [ ] The Hacker Manifesto turned 30 (My crime is that of curiosity) * [ ] Sophos Home free for Windows and Mac users * [ ] SF Yellowcab filling for bankruptcy * [ ] Hackers shut down Ukraine power grid; evidently a malicious word doc sent via email; supposedly the Sandworm Team * [ ] Bicycle Attack on TLS: https://guidovranken.files.wordpress.com/2015/12/https-bicycle-attack.pdf * [ ] North Korea evidently detonated a hydrogen bomb * [ ] Time warner customers lose email passwords (320K) * [ ] Microsoft killing off IE 8, 9, and 10 on January 12th * [ ] VTech launching new product line after it got hacked and leaked data on 6 million kids * [ ] Big Flash player update, 0-day and 18 other issues Ideas, updates, and discussion * [ ] Back to Ubuntu from CentOS * [ ] Sick for five weeks * [ ] Ikigai (what you love, what the world needs, what you can be paid for, what you are good at) * [ ] Giving books as gifts Tools, talks, and projects * [ ] TOWER-SEC protecting ECUs and Telematics on cars * [ ] AppSensor project; Detection points: https://www.owasp.org/index.php/AppSensor_DetectionPoints * [ ] Where the Science is Taking Us in Cybersecurity, Dan Geer * [ ] Rapid7 Hackazon app (modern) * [ ] DVNA (Damn vulnerable Node Application) * [ ] Argon2 password hashing algorithm * [ ] Dradis * [ ] Kippo SSH honeypot [ Subscribe to the Podcast: iTunes | Android | RSS ] Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. * It’s better to listen via iTunes or with the player embedded above, but you can also download the sound file directly. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] News * [ ] Juniper backdoor; could have been found with diff; signs point to NSA * [ ] RCE on FireEye appliances * [ ] Hyatt got hacked; malware on POS * [ ] 45K drones registered with FAA within 2 days * [ ] Industry moving towards password-free logins; still single factor, now the factor is your device; although access to device could require factors * [ ] Microsoft will now tell you if your account has been targeted by government authorities * [ ] Tor announced it’s doing a bug bounty, looks like it’ll be internal * [ ] Steam had a DoS that revealed 34K user details * [ ] Linode has been suffering a massive DDoS on its datacenters, DNS infrastructure * [ ] Spy files found in North Korea’s Operating System Ideas, updates, and discussion * [ ] 3 things you should do every January * [ ] Web Scanner Series: Burp vs. Netsparker * [ ] When you’re interviewing, make sure you make it clear that you’re the asset too, not just them * [ ] Failing at the basics in intelligence and infosec * [ ] Why Trump is Winning * [ ] Sensitive data sent in URL over HTTPS * [ ] Difference between correlation and causation * [ ] Paul Graham’s REFRAGMENTATION post * [ ] The relationship between Relaxation, Fun, and Performance * [ ] Michael Coates makes the argument that false negatives are way better than false positives because false positives create unnecessary work for his team * [ ] Brainstorm questions, not solutions Tools and projects * [ ] BLUTO * [ ] Serpico * [ ] Firmware Extraction from Craig Smith * [ ] Vulnerability Database Resources * [ ] IoT Attack Surfaces Project * [ ] RobotsDisallowed Project * [ ] Nowhere.net (CyberPunk) * [ ] EyeWitness * [ ] REST Security Cheat Sheet * [ ] Censys.io * [ ] GithubDorks * [ ] InstaRecon (DNS lookups, whois, shodan, google dorks, etc) * [ ] twfactorauth.org Announcements * [ ] Speaking at OWASP Cali end of January * [ ] Currently working on an ICS / SCADA primer Miscellaneous * [ ] Need to check out the Benedict Evans blog * [ ] Serial Podcast / Making a Murderer on Netflix * [ ] If you know any Army veterans who are getting out and want to get into InfoSec, let me know * [ ] Twitter account: CISSP Googling * [ ] Sam Altman (Startup Playbook) [ Subscribe to the Podcast: iTunes | Android | RSS ] Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] In this episode I explore the topic of Security and Obscurity by reading my popular essay on the topic. Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] Topics for this episode: News * [ ] Stringing Shodan to exploitation * [ ] Why you need to check HaveIBeenPwned * [ ] Another DELL root cert hacked * [ ] ISIS OPSEC advice (data privacy, tor, crytocat, telegram, proton mail, gps features on mobile devices, etc.) They also mention not to use instagram because Facebook has a poor privacy record. * [ ] Obama wants to make it harder for terrorists to use technology to escape from justice * [ ] DHS giving companies free penetration tests * [ ] Issues in Honeywell gas detectors (path traversal and clear-text passwords) * [ ] UAE Bank declines to pay ransom, data released * [ ] Swift is open source * [ ] Amazon two-factor now available * [ ] Credit freeze vs. monitoring * [ ] Thousands of IoT devices sharing the same SSH keys * [ ] Many people predicting that 2016 is the year that Apple gets targeted by more attackers * [ ] Engine Immobilizers hackable over the internet Announcements * [ ] Speaking at OWASP Cali end of January * [ ] Currently working on an ICS / SCADA primer Productivity * [ ] Algorithmic learning [ Subscribe to the Podcast: iTunes | Android | RSS ] Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. * It’s better to listen via iTunes or with the player embedded above, but you can also download the sound file directly. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Topics for this episode: News and analysis * [ ] Ads using high frequency sound to communicate across devices. The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product. * [ ] Conficker in police body cameras (windows brute force tool) * [ ] Siri iOS data extraction. Tv reporter * [ ] The eye of Siri * [ ] Read top stories from the security news site * [ ] Expect to see concealed carry increase in the united states * [ ] Starwood hotels hit with POS malware * [ ] How to Deploy Splunk AD Monitoring in 437 Easy Steps * [ ] PCs being shipped with MiTM certs in them (supply chain security) * [ ] Java Deserialization flaws evidently affect more libraries * [ ] France looking at banning Tor, blocking public WiFi * [ ] Blackberry leaves Pakistan rather than provide backdoor * [ ] EFF launches bug disclosure program for Let’s Encrypt and HTTPS Everywhere * [ ] Flash is really on the way out Ideas and commentary * Personal Github Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. * It’s better to listen via iTunes or with the player embedded above, but you can also download the sound file directly. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Companies don't want employees, and they're doing their best to get rid of them. We should be getting ready for this.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Topics for this episode: News and analysis * [ ] A couple of months into my job with IOActive * [ ] Paris Attacks: resilience vs. prevention * [ ] Updating the OWASP IoT Project (no longer the Top 10) It’s an umbrella project. * [ ] Adding to the IoT project the SCADA Top 10 List (read the list), and Nabil Ouchn is going to be project leader on that project * [ ] Pentagon farms coding to Russia * [ ] Crypto email service pays ransom, gets taken out anyway * [ ] Blackout Europe shows vulnerabilities in LTE. Forced leak of location within 2-KM radius. Were also able to block LTE and force 3G or 2G. * [ ] Onapsis talks SAP HANA vulnerabilities. They’re config issues, and aren’t patchable, and include: remote file writes, remote directory deletions, moving files to where they can be access remotely, remote command execution, and remote python execution. To fix, you have to upgrade to the latest version and reconfigure your system. Also two issues with the database that allow HTTP RCE and SQL RCE. * [ ] TPP : how did we even get an agreement that was secret in the first place. Forget the details. This should never be allowed to happen again * [ ] Linux ransomware now hitting websites (broken by Brian Krebs) * [ ] Linux.Encoder.1 has a predictable key for its ransomware, and a tool was released to decrypt victims’ systems. Good to know that even attackers make dumb encryption implementation mistakes. * [ ] Visio smart tracking turned on for 10 million users. Here was the pitch “revolutionary shift across all screens that brings measurability, relevancy and personalization to the consumer like never before!” * [ ] Ring-0 theory of devops: history of the o-ring. Small thing that everything else depends on. for serial tasks you need A players to have an A process. As you lower the whole thing tumbles down * [ ] The Chinese Great Cannon: so we know about the Great Firewall, now learn about the Great Cannon * [ ] Must read article: What ISIS Really Wants, by the Atlantic * [ ] Two must follows: Gunnar Peterson, and Benedict Evans. Gunnar is brilliant in security, and Benedict works for Adresesen Horowitz Updates and announcements * Hit me up at IOActive if you have any security consulting needs. Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. * It’s better to listen via iTunes or with the player embedded above, but you can also download the sound file directly. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Topics for this episode: News and analysis * Sonar framework * Schneider Electric SCADA issues revealed at DEFCON * Ashley Madison hack, extortion will become more common, passwords added to SecLists * Hackers attack PR firm and manipulate stocks * Uber is quadrupling their security staff in 2015 * Android vulnerabilities lately Ideas and commentary * Business-based hacking: extortion-based hacking, ransomware, prediction-based hacking, PR releases, etc. Find the leverage, then execute the hack * My problem with threat intelligence * Optimal playlists for getting work done: baroque, no words, medium volume, 60 beats per minute * Ambient sound as two-factor, which goes to my idea of continuous authentication * How standardization and insurance will change security * Miller (mlr) is like sed, awk, join, cut, and sort, but for name:index data such as CSV * Participation in the OWASP IoT Project, Sasa Zdjelar is going to work on an IOT disposition project, Digicert is possibly working on a secure updates project, and we welcome others to add to the mix Updates and announcements * Vegas conferences: two talks, Blackhat Arsenal, DEFCON talk on IoT Attack Surface Areas, Caparser release * If you’re into IoT, be sure to check out Craig Smith’s podcast at IoT Weekly, and Bruce Sinclair’s IoT podcast as well * SecLists has been reorganized, go check it out * Kali Linux 2.0 is out: new kernel, based on debian, rolling release, go get it Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ NOTE: There are spoilers below, not just for this episode but for the show in general. ] Enough people have asked me to start doing reviews of Mr. Robot episodes that I’m going to have a go at it. The deciding factor was the fact that I had such a strong desire to write during the third episode. I’m going to start here with thoughts on the show in general, not just on episode 3. Mr. Robot in general The character The main protagonist is an interesting character. He is what the writer evidently wants to capture, or actually believes to be, the template for a true hacker, which is highly damaged. I am quite struck with the focus that is placed on how truly messed up he is. He has major drama with the way his father was killed. He largely hates society. He has deep personal depression. And he’s a user of narcotics. I’m left thinking along the lines of a Hemingway type of artist, where the best creativity (in this case hacking) comes from those wo are the most tortured internally. Painters, musicians, etc. We’re familiar with the template. This redeeming qualities, which the writers take equal efforts to highlight, are the desire to protect people, his love for the blonde girl, and a general but understated willingness to fight back against the soul-crushing force of our modern, consumerist society. I really enjoy how he is only actually going to see his psychiatrist because he’s trying to help her, and if she’s actually going to help him it’ll kind of be on accident. He deeply analyzes people and sees if they’re good, or weak, or in need of help, and then if they are he kind of hates them less because of this. And he is willing to use his superpowers to help them as a result, like when he pushed that guy out of his psychiatrist’s life. The tech Before going into the various problems, it must be said that the information security writing has been exemplary. I’d say definitely the best we’ve seen in either movies or “television” (whatever that is). That said, there are a number of missing links in the armor. On one of the first episodes, possibly the first, I noticed an IP address with a final octet in the 300’s. That’s just an editing miss, but it did take me out of the fantasy. In Episode 2, which I generally didn’t like, I was quite bothered by the destruction scene. Here’s what I think happened there. They wanted to do a destruction scene, they had it all rigged up, and they wrote the story so that he’d do a quick hack and then get spooked enough to do it. Then they show the infosec writer(s) the story component and they’re like, Um, no. There’s no way anyone of this skill level would be hacking from his actual IP address. And they’re like, Well, we need to do this scene. Most people will miss that, and the scene will be cool enough to make up for it. So the writer stomps out of the room mumbling about how they shouldn’t have hired him for authenticity if they were going to make such obvious mistakes, and they go with it. Who knows if that really happened, but that’s how I imagine it. Comments on modern society I also find the comments on modern society to be quite interesting. I think it’s a big part of the whole hacker feel. Hackers have always had this component to their mystique. Being counter-culture. Being underground. Fighting against the man. So the idea that everything is a conspiracy with the rich exploiting the poor, the strong exploiting the weak, and everything being about selling advertising and the dominance o...Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Topics for this episode: Announcements * [ ] New desk, new mic setup News * [ ] SSL vuln spoofing issue, requires mitm * [ ] Sleepy puppy XSS Payload Management Framework * [ ] Troy Hunt on tech presentations * [ ] Stock market attacked and taken down. Anonymous warned about it beforehand * [ ] OPM goes to 21.5 million cards; director steps down * [ ] People need to get fired for this stuff; it’s the only way anyone will care enough to do anything * [ ] National Guard announces data breach Commentary * [ ] Mr. Robot * [ ] Splunk buys Caspida * [ ] Securing web session ids, by Eran Hammer Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Topics for this episode: * [ ] Hacking Team Hacked, show which oppressive governments bought their software * [ ] No exploits for non-jailbroken iPhone * [ ] The FBI spent 775K on Hacking Team software * [ ] Citi creating a digital currency, called Citicoin * [ ] Clinton attacking China on hacking, “Said they’re trying to hack into everything that doesn’t move.” * [ ] Eric Holder suggests that Snowden had a positive impact, and that an agreement could be reached * [ ] Critical bug in node.js patched that could lead to DoS * [ ] MasterCard looking to do facial scanning to authenticate purchases * [ ] FBI is offering 4.3 million for help finding top hackers * [ ] A petition for Ellen Pao to leave Reddit has topped 150K signatures Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Topics for this episode: * iOS flaw * The Chinese hacking campaign against the US * Breach at Recorded future * Hacking cars through key fobs * NSA/GCHQ hacking of people through security software * Snowden’s documents in the hands of the Chinese and Russians * Samsung re-enabling Windows Update * Mr. Robot * Blackhat/DEFCON Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Play Podcast START CONTENT * Singtel buys Trustwave * Snowden does interview with John Oliver * CheckPoint buys Lacoon * Everyone’s trying to do everything, which gives the big people a major advantage * China melted GitHub * MiTM’d Baidu traffic and modified its analytics JavaScript to make constant requests to GitHub * They did it because GitHub was hosting two mirror repos for content that is banned in China * Also highlights the need for encryption, so that the JS couldn’t have been injected * Obama just came out and said that if you attack us, we’ll sanction you * How does that work exactly, when China makes everything we use? * Then we just found out Russia hacked us through the State Department issue * A major vulnerability was revealed in Inngate routers used in the US and Europe. * It allows attackers to browse and write to the root file system of the devices, changing configuration, distributing malware, etc. * Mostly used in US and European hotels * Attackers are compromising IRS accounts in large numbers. Claim yours to avoid it happening to you * Featuring Brooks Garrett * He’s a friend and co-worker going back 8 years * He’s the smartest IT guy I’ve ever known: sick programmer, Linux ninja, database, networking, everything. Full stack, real deal. * He’s a volunteer firefighter * He blogs at http://brooksgarrett.com: latest posts are Remote Streaming with Pi and MPD, Nagios SMS alerts with Amazon SNS, Cleaning Passwords from Logs, Fixing OhMyZSH prompts in PuTTY * His Twitter is @brooksgarrett * If you’re not following his stuff, you should be END CONTENT Notes * Intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Play Podcast START CONTENT * Twitch, a game streaming service owned by Amazon, was hacked last week * Passwords, emails, usernames, addresses, phone numbers, dates of birth * Amazon bought them last year for almost 1 billion dollars * Bar Mitzvah attack on TLS * Requires that you can sniff traffic * Basically an RC4 problem * Solution is to remove it from your supported algorithms * GitHub Has been hit by a massive DDoS attack * Apparently from China * CSRF vulnerability found in a wind turbine * Allowed you to pull usernames and passwords * Also allowed the password to be changed for the default user, which had admin access * CSRF vulnerability exposes Hilton customer accounts * There was an account rotation issue where you could gain access to their account as long as you could guess their 9-digit username * Snowden says IT workers now the targets of spies * They’re not going after their information, but to use them for access to networks * Premera hacked on same day as Blue Cross (January 29th) * Same story: encryption, know your network, etc. * Also same story: health data is harder to clean up from because it involves PII that cannot easily be changed * More speculation around these attacks is that they’re data gathering for larger attacks on government networks * Apple Acquires FoundationDB * Fast NoSQL database probably to be used for its increasing entry into the services market * Researchers use heat to breach air-gapped systems * Everyone knows that an airgap is the best defense * Ben-Gurion University came out with BitWhisper * Now bidirectional using malware on both systems that controlled heat creation and detection * Only 8-bits per hour * BioCatch, Zumigo, Alibaba release tools to identify users * I used to work with a technology called BioPass * Uses what you do with your mouse, scrolling, how you smile via selfie, compares habits, your current location, etc. Similar to existing fraud detection just with more data points * Really cool tech, needs to be used with the right authentication level * Korea investing 5B in IoT and Smart Cars * Bring Your Own IoT * Recording audio and video are getting increasingly easy * Sensitive meetings might become dead zones soon, and perhaps even sensitive work areas * Some people will say that we already have this risk, but they key is the ease with which it can be done END CONTENT Play Podcast Notes * I skipped a week due to travel in Asia. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Play Podcast START CONTENT * There was another SQL Injection bug found in SEO by Yoast * It required admins to click a malicious link * Was patched quickly * It’s the plugins that make WordPress vulnerable * Attackers are targeting gamers for ransomware * Virlock is one version of ransomware that not only locks the screen, but infects files * It’s also polymorphic, so it changes itself every time it runs * TeslaCrypt goes after gamers, which seems super smart because they are often addicted * The Hello Barbie doll is recording kids voices and sending the recordings over the Internet for voice recognition * I get asked a lot about what to do about this kind of stuff * Start by making a list of everything that can record voice or audio in your home, and determine what kind of controls you have on them * Assume the worst, even though it’s probably not that bad * US industrial systems attacked 245 times between October 2013 and September 2014 * Most attacks were against Critical Manufacturing and Energy * Biggest vectors were spear phishing and port scanning * CloudFlare aims to defeat DDoS with Virtual DNS * They want to proxy DNS before it hits customer name server * The CIA supposedly tried to hack Apple hardware * The article has come under extreme scrutiny * Going to be on the Security Weekly podcast with Pau * Hillary Clinton’s email account dram * OpenSSL is getting an audit * Bout time * Wikimedia is suing the NSA over surveillance * Spoofing the boss is the best way to phish someone, evidently * Had a great time at CactusCon in Phoenix * Did a talk with Jason and saw Dave’s keynote * Dave’s keynote was about struggling with the basics, not APT * He asked when a major breach was NOT a dumb mistake * Someone’s looking to make a Snowden Phone * Looks like I’ll be on the Security Weekly podcast with Paul * Going to talk about IoT security and my our OWASP project END CONTENT Play Podcast Notes * Comments welcome on content and format, as usual. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

START CONTENT * Sorry about the audio last week; wireless headsets don’t compare to the Yeti * The CIA is focusing on cyberespionage in its new management * Anthem is refusing an audit by the OIG office–an org that audits health care groups that provide services to federal employees * Nothing says I’m guilty like refusing an audit * Reminds me of the Russians refusing the crash investigation in Game of Cards * There’s been a possible credit card breach at the Mandarin Oriental hotel chain * The incident was reported by Brian Krebs * Three people were indicted in the Epsilon hack * Resulted in around 1 billion email addresses being stolen * Dave Aitel thinks junk hacking is a waste * Basically hacking your blender or whatever * In my opinion he’s missing the point that most conferences are like this * I think there’s a hierarchy of talks * Create new defense tool based on new defense idea * Create new defense idea * Create new attack tool based on new attack idea * Create new attack idea * Create new tool for existing attack or defense idea * Describe existing attack or defense idea * Microsoft has reported it’s vulnerable to FREAK as well, making it even more serious * FREAK has proved to be less alarming than previous SSL vulns simply because of the difficulty of attack END CONTENT Play Podcast Notes * I think I’m going to standardize the intro and outro so that I only end up recording the actual story content each week. * Any recommendations on what else you’d like to see would be appreciated. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

START CONTENT * New SSL attack called FREAK * Has to do with falling RSA back to a deprecated and weak level * Requires the client and server are both vulnerable * The solution is to patch * Many orgs will also want to note which servers were vulnerable * The lesson is that you don’t reduce security to increase it * Backdoors x time = regret * Using Ruby’s Open-URI could be dangerous * open-uri monkeypatches kernel.open * open(params[:url]) can execute |ls * Hilary Clinton used a personal email address and did not store correspondence on government servers for her entire 4 years as Secretary of Defense * This seems highly suspect * First you’re putting that data at risk in a personal system * Second you’re obviously trying to hide your conversations * Facebook can access your account without your password * Google no longer encrypting Lollipop by default * Was one of the main selling points for 5, and now it’s gone * They said it was simply a driver issue * DLink routers have a remote command injection bug * Could allow DNS hijacking and other attacks * ISIS has threatened some members of the Twitter team for disabling their accounts * This really puts a point on public presence for me * I’m a strong proponent of the belief that the way to avoid attack is to avoid being a target, not to be hard to attack once people want to * This works for personal attacks, not for countries obviously * There has been some major fraud happening with people connecting stolen cards to ApplePay * The issue isn’t a security problem with ApplePay, but rather with standard bank / card security issue * Up to 18.8 non-Anthem customers exposed in the Anthem breach * This is in addition to the 80 million actual anthem customers * GoPro vulnerability on its website exposes customer Wi-fi passwords * Expect more of this * Uber took over 5 months to issue a breach notification * There was a breach of driver names and license numbers that they just now disclosed * Seagate NAS vulnerability allows unauthorized root access * This raises the cloud storage issue I blogged about last week END CONTENT Play Podcast Notes * Sorry about my voice on this one. I’m a bit sick. :( Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

START CONTENT * New stuxnet like piece of malware was discovered * Was found by Kaspersky * Has infected thousands of computers, mostly in Iran * The malware is the most advanced ever found * Can hide on the computer even after reinstall * Many of the names used in the application are known NSA codenames, such as GROK * Wired said those targeted groups were Islamic scholars * The group is called equation group due to the encryption used to hide itself * Car washes hacked by Billie Rios * Bad web software * Default passwords * Submit POST requests * Battery power can be used to track Android phones * Based on the power you use from cell phone tower usage * Obama sides with encryption against government groups * Lenovo laptops spying on you * Can we just say it’s dumb to use things produced in China? END CONTENT Play Podcast ### Notes * Sorry about the pops in the audio. My desk randomly makes loud noises. I’m working on it. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

START CONTENT * Ukrainian banks hacked for up to 1 Billion dollars * Evidently installed malware on bank admin machines using phishing * Not sure they have an FDIC * As if the Ukraine didn’t have enough problems * 10 million password project * Mark Burnett posted 10 Million password combinations * Went through a long explanation of why he was doing it * I’ve broken them up and put them in the SecLists project * Jeb Bush leaks personal data * Anthem may have been Heartbleed * Could have been China, but who knows * Reminder about talking about things without information * It’s best to just leave it alone * HP released Home Security Systems report * We found 10/10 systems vulnerable to account harvesting * DARPA Dark Web Search Engine * Stuff not indexed by Google * Tor services, etc. * Obama creating new threat intelligence agency * Unified organization for tracking threats * Looking to partner with private industry as well * Anthem and Cyberinsurance * Up to 200M in cyberinsurance * Probably won’t cover it, but it’ll be a good test of usefulness * Facebook lets you pick who manages your account when you die * Facebook threat sharing program * Uber lost and found database was online with personal data in it * Basically, if you lose something in a car, they know who you are, and they keep your stuff for you * But they had the database exposed online END CONTENT Play PodcastBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

START CONTENT * Anthem, the second largest healthcare company, had a major breach * They lost around 80 million socials, addresses, emails, etc., which is roughly double the Target breach * There’s speculation that it was China, trying to penetrate government, but it’s early * Watch for phishing scams related to it * The megabreaches continue…weee! * A WordPress plugin called FancyBox had a serious compromise in it last week, which affected thousands of websites * If you’re going to run WordPress, understand that Plugins are the best way to get yourself hacked * Specifically, the type of plugins that handle user input and do something with it that affects the site’s output * Image manipulation plugins have been particularly vulnerable, usually to XSS * There was another critical Flash vulnerability this week * Like I said last week, and the week before, there’s a first time for everything * Three bug hunters at HP received the 125,000 prize for finding a major vulnerability in Internet Explorer * Because they work for HP they couldn’t take the cash, and instead donated it to charity * Microsoft released Outlook for iOS last week, which looks pretty slick * Unfortunately it is riddled with security flaws * Recommendation: wait for a few updates, and for them to get a security assessment END CONTENT Play PodcastBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

START CONTENT * Ghost bug in PHP could affect millions of servers * Flaw is in glibc, which is extensively by all Linux distributions * Patch and reboot using yum or aptitude * The US Army Released DShell, a malware forensics tool * This is an interesting trend where we see tons of formerly secret groups flock to Github. Great to see * Reddit released its first transparency report last week * Says it received 55 requests for user information * Says it complied with 64% of state and federal requests * Says it received 218 requests for content removal, and complied with 31 percent of those * I am pleased to see them releasing these numbers, and I hope more organizations do the same * The GHCQ was using a program called BADASS to collect data leaked by games such as Angry Birds * Luckily it only affected the 11 people still playing that game * Russian dating site, Topface, got hacked for 20 million usernames * The FBI busted up a Tom Clancy book plot in New York City * The plan was to get information about wall street trading algorithms and hopefully destabilize the markets * All they managed to do was embarrass themselves by commenting on how they couldn’t recruit young women * China is demanding to be able to build backdoors into any code sold to its banking sector * Some people call this news, but with China we just call this Wednesday * Apple released a Yosemite update that fixed Thunderstrike, among other things * Anonymous and Lizard Squad are going after each other * Anonymous is the famous hacking group known for all sorts of things * Lizard Squad is known for taking down the XBox and Playstation networks around Christmas time * Anonymous DDoS’d the Lizard Squad website, and then Twitter suspended a couple of their handles * Interesting to see these groups going after each other * BMW and the internet of things is in the news, with BMW owners receiving an automatic push to around 2 million cars * A vulnerability was present that could allow attacks to spoof cell towers and possibly control onboard systems * BMW pushed a patch that ensures all such communications go over HTTPS * It’s interesting that, like printers, cars are likely to become a primary IoT platform just because there are so many of them * The key is to figure out what normal things exist in the world today en mass, and then imagine those things being connected * Printers, cars, furniture, clothing, etc. It’s the regular stuff that makes it interesting because of how much attack surface they represent, and how prevalent the perspective they’ll offer into our daily lives END CONTENT Play Podcast Notes * Intro is from Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

START CONTENT * There was an issue with the Marriott website that exposed reservations and payment information. It’s now been fixed * Police are now using a new radar to see into peoples’ homes without a warrant * Security budgets are reportedly going up due to the mega-breaches in 2014 * Also leading to higher pay for CIOs * Anecdotally, I’d say it’s a pretty good time to be in infosec * A new security startup, PFP Cybersecurity, uses power consumption to detect malware * Meant initially to be used for SCADA type systems * The US hacked North Korean computers back in 2010 * This is reportedly the reasons we were so sure they hacked Sony * Recently leaked documents from Snowden show heavy offense * Snowden recently talked to Schneier at Harvard about a number of things * The NSA is becoming increasingly offensively oriented vs. defensive * The NSA supposedly uses compromised systems as jump points * Snowden said most NSA hackers are junior enlisted with limited skills * Russia reportedly hacking for geopolitical gain, not just money * Millions of gas stations could be at risk of shutdown * The Automated Tank Gauges can be remotely accessed by attackers * Could be manipulated to cause alerts * Potentially could be used to stop the flow of fuel * Microsoft gave Charlie Hebdo data to FBI in 45 minutes * Starwood hack based on bad passwords * Bad passwords, password re-use, and a brute forcing tool * Account harvesting is rough: user enumeration, weak passwords, and lack of account lockout * Flash has another major exploit. Update your stuff. * People continue to be worried that the President’s crackdown on hackers could hurt security professionals * Congress is meeting on the 27th of January to discuss breach notification * The wireless in around 2 million cars is highly vulnerable to attack * A polish company has created Mouse-Box, which is an entire computer inside of a mouse enclosure END CONTENT Play Podcast Notes * Sorry about the noise part way through. My girl walked in and started unpacking groceries. But when I say one take, I mean one take. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

START CONTENT * UK police arrest 18-year-old in connection to Playstation and XBox attack * Major ASUS router bug * Local users can take full control without a password * Biggest issue there seems to be DNS hijacking * Legislative attacks on infosec profession and encryption * Anti-hacking law language ambiguous “according to owner” * Obama is said to agree with Cameron, but it’s complicated * Evidence of a plot is different than outlawing encryption * There’s other talk about it being illegal to see hack data * French reporting 19,000 DoS attacks since the shootings * Anonymous is going after ISIS and others * An attack on free speech is an attack on Anonymous * Google releases another Windows flaw that they didn’t fix * Verizon API vulnerability exposes customer email addresses * Issue was with a mobile API used by Android devices * Allowed him to retrieve peoples’ emails and send emails as them * On whether we should trust the FBI regarding the Sony attack * We now find out the attribution came from a previous NSA hack * It’s hard to criticize without data * This doesn’t mean they did it, or that the FBI is always right, or that they should always be trusted * It means be cautious when you don’t have any information, and the person you’re criticizing has all of it * Free speech and the Paris attacks * Where is the line for free speech? * I think it comes down to safety and taste * You can’t yell fire, and art matters * Quote of the week * No one is as happy as they seem on Facebook, as depressed as they seem on Twitter, or as employed as they seem on LinkedIn. END CONTENT Play Podcast Notes * I have a consolidated InfoSec news feed (here) that I use as a source for headlines. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Subscribe to the Podcast: iTunes | Android | RSS START HEADLINES * Google drops security updates for Android 4.3 and below * This is a problem since that’s most of the install-base * Only .1% of users are on Android 5 * Microsoft and Adobe Push Critical Security Fixes * Seems like Google’s been messing up recently, with their attack on Whitehat for the Aviator stuff, their dropping security updates for Android, and now this early release of a bug before there was a fix. * Obama is asking for the removal of a number of state laws that make it harder to get good broadband in the US. * Obama is asking for quicker laws around the disclosure of hacks * One potential law is the Personal Data Notification and Protection Act, which would require companies to notify within 30 days if they get hacked. * The CENTCOM Twitter account got hacked a couple of days ago by some pro-ISIS folks * Obama is looking to improve the sharing of cybersecurity information as a response to the hack * Sammy Kamkar has released a keylogger for Microsoft wireless keyboards, called Keysweeper * David Cameron wants to make encrypted messaging apps illegal * 1) I’m not sure how he thinks this is possible Subscribe to the Podcast: iTunes | Android | RSSBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.