3 Security Buddies


Weekly podcast where three security buddies discuss security topics.

Paul Kehrer, Robert Clark, Matias Brutti


    • 8 episodes
    • New episodes: infrequent
    • Average duration: 1h 4m



    Latest episodes from 3 Security Buddies

    3SB-8: Password Complexity (60:21)

    Follow up: No follow ups.

    Topics:
    • NIST changing password requirements
    • Roundtable: how we got into security, plus suggestions

    Paul Rant: Paul is on vacation. No rants.

    Links:
    • https://pages.nist.gov/800-63-3/sp800-63b.html
    • https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords

    Hosts: Paul Kehrer @reaperhulk, Robert Clark @hyakuhei, Matías Brutti @MrBrutti
    Special Guest: Travis McPeak @travismcpeak
    Post-Production: Matias Brutti @MrBrutti

    Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

    3SB-7: (untitled) (88:23)

    Follow up: The US is elevating ransomware to the same priority level as terrorism.

    Topics:
    • Apple Security at WWDC
    • Move beyond passwords (iCloud Keychain WebAuthn keys)
    • Discover account-driven User Enrollment
    • Secure login with iCloud Keychain verification codes (domain-binding apple-totp)
    • Polkit PrivEsc
    • Growing abuse of Kubernetes (it's not containers)

    Paul Rant: Apple Bug Report blackhole

    Links:
    • https://www.reuters.com/technology/exclusive-us-give-ransomware-hacks-similar-priority-terrorism-official-says-2021-06-03/
    • https://threatpost.com/microsoft-cryptomining-kubeflow/166777/
    • https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/

    Hosts: Paul Kehrer @reaperhulk, Robert Clark @hyakuhei, Matías Brutti @MrBrutti
    Post-Production: Matias Brutti @MrBrutti

    3SB-6: Dependency Hell (54:47)

    Follow up: Nothing this week.

    Topics:
    • Automated fuzzing testing in Go
    • Stack Overflow supply chain attacks
    • Deps.dev
    • Update on GitHub's policies regarding exploits, malware, and vulnerability research

    Paul Rant: Pinning dependencies in libraries

    Links:
    • https://blog.golang.com/fuzz-beta
    • https://www.wsj.com/articles/software-developer-community-stack-overflow-sold-to-tech-giant-prosus-for-1-8-billion-11622648400
    • https://deps.dev
    • https://github.blog/2021-06-04-updates-to-our-policies-regarding-exploits-malware-and-vulnerability-research/

    Hosts: Paul Kehrer @reaperhulk, Robert Clark @hyakuhei, Matías Brutti @MrBrutti
    Post-Production: Matias Brutti @MrBrutti

    3SB-5: Hardware Apocalypses (65:37)

    Follow up:
    • Vaxxed || Mask rant update
    • WhatsApp will not be removing functionality.

    Topics:
    • OpenSSL Rustification
    • Data without context is useless
    • Attacks on AMD's Virtual Machine Protection System (SEV)
    • M1ssing Register Access Controls Leak EL0 State (M1RACLES)

    Paul Rant: The QC35 switch is garbage. GARBAGE!

    Links:
    • https://therecord.media/two-attacks-disclosed-against-amds-sev-virtual-machine-protection-system/
    • https://m1racles.com

    Hosts: Paul Kehrer @reaperhulk, Robert Clark @hyakuhei, Matías Brutti @MrBrutti
    Post-Production: Matias Brutti @MrBrutti

    3SB-4: EuroCyberVision (66:01)

    Episode follow up:
    • Codecov
    • Mercari
    • Audacity open source telemetry

    Topics:
    • WhatsApp: give me your privacy or I will stop working.
    • Russian keyboard as a first line of defense
    • Craig Federighi: macOS vs iOS security model

    Paul Rant: Vaxxed or Mask.
    Trust but Verify: rant by Matias Brutti.

    Links:
    • https://about.mercari.com/en/press/news/articles/20210521_incident_report/
    • https://github.com/audacity/audacity/discussions/889
    • https://blog.malwarebytes.com/privacy-2/2021/05/whatsapp-calls-and-messages-will-break-unless-you-share-data-with-facebook/
    • https://www.schneier.com/blog/archives/2021/05/adding-a-russian-keyboard-to-protect-against-ransomware.html
    • https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/
    • https://9to5mac.com/2021/05/19/craig-federighi-mac-malware-problem/
    • https://www.imore.com/craig-federighi-defends-iphone-security-throwing-mac-under-bus

    Hosts: Paul Kehrer @reaperhulk, Robert Clark @hyakuhei, Matías Brutti @MrBrutti
    Post-Production: Matias Brutti @MrBrutti

    3SB-3: Zero Trust Cyber (68:21)

    Episode 2 follow up: Codecov continues to claim victims: Rapid7 & Twilio.

    Topics:
    • Rob's Python adventures
    • Alfredo's mouse mic
    • FragAttack
    • CyberBattleSim

    Paul Rant: Zero Trust Executive Order (by Robert)

    Links:
    • https://www.rapid7.com/blog/post/2021/05/13/rapid7s-response-to-codecov-incident/
    • https://www.twilio.com/blog/response-to-the-codecov-vulnerability
    • https://github.com/ortegaalfredo/mousemic
    • https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/fragattack-new-wi-fi-vulnerabilities-that-affect-basically-everything/
    • https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

    Hosts: Paul Kehrer @reaperhulk, Robert Clark @hyakuhei, Matías Brutti @MrBrutti
    Post-Production: Matias Brutti @MrBrutti

    3SB-2: BlockChain Tuna (65:35)

    Episode 1 follow up: Signal continues to make the news, this time by hacking privacy.

    Topics:
    • CocoaPods Trunk: remote code execution found
    • Cosign: container image signing
    • TBONE: hacking a Tesla from a drone with zero clicks
    • SAML XML injections
    • Tinker's Twitter thread on the real, physical occupational hazards of infosec
    • 1Password Secrets Automation
    • Google mandatory MFA

    Paul's rant: blockchain tuna tracking

    Links:
    • https://signal.org/blog/the-instagram-ads-you-will-never-see/
    • https://blog.cocoapods.org/CocoaPods-Trunk-RCE/
    • https://justi.cz/security/2021/04/20/cocoapods-rce.html
    • https://blog.1password.com/introducing-secrets-automation/
    • https://kunnamon.io/tbone/
    • https://research.nccgroup.com/2021/03/29/saml-xml-injection/
    • https://security.googleblog.com/2021/05/making-internet-more-secure-one-signed.html
    • https://twitter.com/TinkerSec/status/1388107620574171140
    • https://blog.google/technology/safety-security/a-simpler-and-safer-future-without-passwords/

    Hosts: Paul Kehrer @reaperhulk, Robert Clark @hyakuhei, Matías Brutti @MrBrutti
    Post-Production: Matias Brutti @MrBrutti

    3SB-1: A New Beginning (47:15)

    Episode 0 follow up: Signal legal consequences. Robert was right.

    Topics:
    • Hypocrite commits
    • Apple AirDrop PII leak
    • ZK proof vulnerability disclosure
    • Software RAID recovery rant by Paul

    Links:
    • AirDrop leak paper (https://www.usenix.org/system/files/sec21fall-heinrich.pdf), presented in August at the USENIX Security Symposium
    • https://www.scmagazine.com/home/security-news/vulnerabilities/darpa-is-creating-zero-knowledge-proofs-for-vulnerability-disclosure/
