Cyber Humanity


There's a lot of cool techy stuff going down in cybersecurity, and we love it. But you can't deny that a lot of the time we humans get forgotten. Our podcast takes a not-so-serious look at issues in security from a human point of view. Covering social engineering to hacker motivations and everything in between, we chat through security stories and themes and what they mean to us: the oft-neglected humans behind the screen. Apart from Kev, Kev is a cyborg. These weekly podcasts come in two main flavors. We’re either ranting about themes close to the heart of us security types, or we’re discussing threats and vulnerabilities that have hit headlines – or slipped under the radar – in recent weeks. Join Chris Pace (tech advocate and keeper of the coloring pencils), Kev Breen (pro blue teamer, also known as 'Mr Nothing to CVE here...'), Max Vetter (former dark web detective and pretty cool guy), and Paul Bentham (ex-gov. type and Immersive Labs product guru) as they wend their way through the murky world of Cyber Humanity.

Immersive Labs


    • Nov 12, 2021 LATEST EPISODE
    • monthly NEW EPISODES
    • 43m AVG DURATION
    • 47 EPISODES



    Latest episodes from Cyber Humanity

    47: Drone Strikes and Cyber Heists

    Nov 12, 2021 43:50

    NPM packages are getting hacked – so naturally we get Kev on the case to explain the whole thing. If you didn't know, NPM is the official package manager for Node libraries, a JavaScript language. We've seen a big uptake in recent weeks, and some of those NPM packages have been compromised by hackers. They're clearly targeting developers – and with a collective 28 million downloads every week, this is pretty big, widespread stuff. Next up, the raft of ransomware stories from this week: from the UK's Labour Party to a…“cyber heist”? We've also noticed a bit of a theme emerging with an increase in government and law enforcement involvement in disrupting ransomware and other cyber criminal enterprises. BlackMatter is our example here. *** https://www.dailymail.co.uk/news/article-10148265/Massive-cyber-heist-rocks-high-society-jeweller-Graff.html https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-claims-to-be-shutting-down-due-to-police-pressure/ https://thehackernews.com/2021/10/popular-npm-package-hijacked-to-publish.html

    46: New Threats On The Block?

    Oct 28, 2021 49:51

    A plethora of articles have been lighting up our newsfeeds and letting us know that there are new threats on the block: killware, RansomCloud, and extortion. Killware: the next thing we need to worry about. Apparently this is defined as anything that has an outcome resulting in death…Seems quite broad really, and ranges from hackers targeting a water treatment plant and poisoning the water flow to a ransomware attack that takes a hospital offline, forcing patients to be rerouted. It's less about the technique and more about the outcome. RansomCloud: Kev gets into a good ranty flow on this one. Kevin Mitnick coined the term “RansomCloud” in a video a few years ago – and honestly, Kev (*our* Kev) does the best job of explaining the “threat”, so we won't try to explain it here. Just listen to the episode. Extortion: this one comes off the back of the Twitch takedown, which highlighted the idea that it is as beneficial to a cyber criminal to access a trove of useful sensitive personal data and look to extort a company for that as it is to go through the effort of ransomware. Double extortion – which you can read about here – is already a thing, so this technique is almost a step back. Or is it? So what does the team think? Are these threats, risks, or just a bit of good old-fashioned FUD? Is Ransomware a thing of the past – or is it still the big bad wolf of cyber? *** https://securityboulevard.com/2021/10/killware-hype-is-bigger-than-the-threat-for-now/ https://techcrunch.com/2021/10/14/twitch-takedown-is-extortion-the-new-ransomware/ https://research.nccgroup.com/2021/10/11/snapmc-skips-ransomware-steals-data/ https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/

    45: Tales from the Crypto

    Sep 29, 2021 47:59

    First story is about someone who was “relieved” of their Bitcoin by some kids wielding malware back in 2018, when it was worth an awful lot less than it is now. There are some techie bits to this, as well as a few ethical and legal issues with the way the perps are being sued, so it's a cracking story to get stuck into. What do NFTs – non fungible tokens – and Banksy have in common? It's pretty confusing as far as stories go, but our resident clearer-upperer, Kev, is on hand to help, leaving us to wonder if this is just Banksy himself having a bit of fun. Sticking to the currency theme, we get knee deep in China's digital Yuan in our next segment, and finally wrap up with a beautiful bit of OSINT from the Twitter Infosec community. *** https://www.bbc.co.uk/news/technology-58399338 https://www.reuters.com/world/china/china-rolls-out-new-rules-minors-online-gaming-xinhua-2021-08-30/ https://twitter.com/brechtcastel/status/1432642649312333829?s=20

    44: Rotten Apples or Privacy Nuts?

    Aug 20, 2021 45:17

    It's a tasty ransomware week this week! Conti face their own internal threat in the shape of a disgruntled affiliate and LockBit has its claws in Accenture. Apple have been fiddling with their privacy settings again which is sending privacy advocates into a frenzy, and Kev tries very hard not to get ranty... *** https://www.bleepingcomputer.com/news/security/accenture-confirms-hack-after-lockbit-ransomware-data-leak-threats/ https://bgr.com/tech/apple-just-announced-a-major-change-that-has-privacy-advocates-totally-freaked-out/ https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/

    43: Pegasus Project: Winged Horses for Spyware Courses

    Jul 27, 2021 36:11

    As you probably guessed from the title of this episode, this week is all about spyware and the Pegasus project. This all kicked off when a consortium of 16 media outlets reported the alleged widespread and continuing abuse of NSO's hacking spyware called Pegasus. The company insists that it is only used against criminals and terrorists – but is it? There's a lot of depth to this story, and we cover it all. *** https://www.theguardian.com/news/series/pegasus-project https://theconversation.com/how-does-the-pegasus-spyware-work-and-is-my-phone-at-risk-164781 https://www.vice.com/en/article/n7b4gg/anom-phone-arcaneos-fbi-backdoor

    42: Hey Ya Kaseya: MSPs as unwitting attackers

    Jul 13, 2021 46:34

    Kaseya, Kaseya, Kaseya... How could we release an episode this week WITHOUT talking about the calamity at Kaseya? If you hadn't heard, the ransomware gang REvil has leveraged a vulnerability in Kaseya's VSA software against multiple MSPs and their clients. Oh dear. So what is it? Bog standard ransomware? Supply chain compromise? Zero-day exploit? It's all a bit murky, so Kev gets his 'Cyberattacks for Dummies' hat on. Also featured is the news that audio-editing software Audacity has been accused of being 'possible spyware'. *** https://www.youtube.com/watch?v=XfAyutRfy2A https://www.bbc.co.uk/news/technology-57721967 https://www.proofpoint.com/us/blog/threat-insight/bazaflix-bazaloader-fakes-movie-streaming-service

    41: Cyber Wars: Revenge of the Printers

    Jul 6, 2021 43:09

    There's a lot to cover in this week's episode, so brace yourself because we've got newsflashes and stone-cold facts flying your way. First up, despite what Chris thinks, people do still use printers. Now, researchers in China have found (and accidentally disclosed) a critical Windows zero-day affecting Print Spooler. Cue much printer hate, as well as some actually useful insights into what has occurred. Next on the agenda, we take a look at the HSE Ireland ransomware attack, with a special focus on what the heck has been going on with Virus Total. Also coming up is the somewhat intriguing “fact” that the USA is the most cyber-secure nation in the world. And it wouldn't be an episode of Cyber Humanity without a juicy ‘hackers could' feature starting with a NEWSFLASH! Homes filled with smart devices could be exposed to hundreds of hacking attempts a WEEK. To which we say: no sh*t, Sherlock. *** https://www.infosecurity-magazine.com/news/printnightmare-zero-day/ https://www.theregister.com/2021/06/30/america_global_cyber_security_index_2020/ https://www.bleepingcomputer.com/news/security/microsoft-finds-netgear-router-bugs-enabling-corporate-breaches/ https://www.bleepingcomputer.com/news/security/virustotal-ordered-to-reveal-private-info-of-stolen-hse-data-downloaders/

    40: Slack, Track and...Hack?

    Jun 29, 2021 55:42


    EA have been hacked to the tune of 780GB of their source code which has now found itself for sale on various dark web forums. While they confirmed that they'd suffered a data breach, they'd offered no insight into how it happened. Until now… Moving from EA to AI, research shows that AI can now convincingly mimic cybersecurity and medical experts, which, naturally, sparks some lively debate.  We also get into a discussion about disclosure, following Kev's discovery of a number of vulnerabilities in NetGear's routers. NDAs are flying everywhere and if you stay very still and quiet, you can even hear the sound of someone in legal crying. And, of course, we have a cracking ‘Hackers Could' section this week!  *** https://www.wired.com/story/ea-hack-fifa-frostbite-source-code/ https://www.cbsnews.com/news/peloton-bike-treadmill-security-vulnerability-hackers/ https://www.bbc.co.uk/news/technology-57345632

    39: The Crime That Pays: Ransomware Special

    Jun 22, 2021 47:35


    From fake antivirus to scareware, ransomware has been around and evolving for…a while. But only now has it really hit the mainstream headlines, with attacks on critical infrastructure and "mega breaches" apparently becoming a weekly occurrence. And we're now in the age of ‘Ransomware as a Service', with affiliates and gangs becoming more prolific than ever. So how did we get here? Where is ransomware heading next? In this episode, our crack team of cyber experts digs deep into the ever-shifting world of ransomware.

    38: Ransom Laundering: Can We Ban Crypto?

    Jun 15, 2021 40:08

    The topic of the day is cryptocurrency – and whether banning it could help fight ransomware. We know that criminal gangs (OCGs for all those Line of Duty fans out there) are big fans of crypto for their nefarious deeds, so the issue goes much further than ransomware. Even so, a ban on crypto wouldn't stop ransomware – it would just be a bump in the road for the operators. After all, ransomware has been around since long before crypto came on the scene. Maybe gift cards would make a comeback! The team also delves into Nobelium, the group behind the SUNBURST attacks in SolarWinds. Kev gets his tech head on to give us the full low down on this sophisticated threat actor. *** https://newrepublic.com/article/162589/ban-bitcoin-cryptocurrencies-stop-hacker-ransomware https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

    37: Imperfect People, Vulnerable Applications

    Jun 8, 2021 52:31

    So it turns out that 81% of developers have knowingly released vulnerable applications (https://www.immersivelabs.com/imperfect-people-vulnerable-applications/) into the wild. Worrying, right? And that's the topic of conversation on today's episode: how do imperfect people lead to vulnerable applications and, most importantly, what we can do about it. Chris is joined by OWASP (https://owasp.org/) experts, Andrew van der Stock (https://www.linkedin.com/in/vanderaj/) and Brian Glas (https://www.linkedin.com/in/brianglas/), as well as our own in-house AppSec whisperer, Sean Wright (https://www.linkedin.com/in/seanwright01/), to discuss all things application security.

    36: Hack Pipe: The Rise of DarkSide

    May 27, 2021 45:04


    Welcome back to Cyber Humanity! We've got our shades on and we're ready for a busy summer of cyber. And what better way to herald our return than with a news story that's been hitting every headline? Unless you've been living under a rock, you must have heard of the Colonial Pipeline ransomware attack. Basically, ransomware hit pipeline, pipeline got shut down, America entered a state of emergency, and then someone did something about it, and...here we are. Despite what Paul thinks, there's more to it than that. Tune in to discover what happens when IT meets OT – and what the DarkSide has to do with it. *** https://www.rt.com/russia/523798-kaspersky-cia-colonial-pipeline-attack/ https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims https://www.nytimes.com/2021/05/08/us/cyberattack-colonial-pipeline.html

    35: Exchange Hack: We don't need no attribution

    Mar 16, 2021 35:42

    We haf to talk about HAFNIUM. You can't have missed the news of the Exchange Server hack that's been running the InfoSec world in circles for the past few weeks. Of course we had to get the crew together to go through all things Exchange! From attribution and exploitation to... deception? We dip our toes in some tasty conspiracy theories (because who doesn't love a good conspiracy theory?!) and take a dive into the tech behind it all to see how this incident went from small fry to 'holy sh*t it's everywhere!'. *** https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ https://www.zdnet.com/article/microsoft-exchange-zero-day-vulnerabilities-exploited-in-attacks-against-us-local-govts-university/

    34: So you want to hack a car...

    Mar 8, 2021 48:04

    We love looking at how to hack things you didn't think would or could be hacked. Last time, it was an election. This time, it's cars. We're joined by car hacking expert, Mark Adams (https://www.linkedin.com/in/cybermaggedon/), to help us navigate our way through these murky waters. From car jacking to car hacking, we take a deep dive into CANBus, the potential motivations for hacking a vehicle (or a fleet of vehicles), and the kind of damage that can be done. We cover everything from cyber extortion to good old-fashioned theft, and explore how uniquely vulnerable vehicles can truly be. If you'd rather read – and get hands-on with CANBus – head over to our latest blog (https://www.immersivelabs.com/resources/blog/introducing-your-vehicles-nervous-system-canbus/) to learn more about how to hack a car. Find out more: Hackers Remotely Kill a Jeep on the Highway—With Me in It (https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/) Meet the Man Who Sells Devices to Hack Your Car's Keyless Entry (https://www.thedrive.com/tech/32170/meet-the-man-who-sells-devices-to-hack-your-cars-keyless-entry)

    33: Parler's proper privacy palaver

    Feb 16, 2021 49:06

    Have you ever lost an irretrievable password? Max knows that pain – as does a certain programmer from San Francisco who is one lost password away from $250 million in Bitcoin. Ouch... Next up, the Parler palaver. Trump has been 'de-platformed' and Parler is seeing huge backlash for its role in recent political happenings. And just when you thought you'd had enough of it, we come back round to SolarWinds. Kev delves into the third malware strain directly involved in the SUNBURST attack: SUNSPOT. *** Lost Bitcoin: https://technology.inquirer.net/107293/man-locked-out-of-his-bitcoin-account-with-250-million-has-two-password-guesses-left Parler deplatforming: https://www.forbes.com/sites/jemimamcevoy/2021/01/10/parler-at-risk-of-going-offline-after-bans-from-amazon-apple-and-google/?sh=151f2c3c312b SolarLeaks: https://www.bleepingcomputer.com/news/security/solarleaks-site-claims-to-sell-data-stolen-in-solarwinds-attacks/ "Hacking" Titan 2FA: https://thehackernews.com/2021/01/new-attack-could-let-hackers-clone-your.html

    32: Breaches, Damned Breaches, and Statistics

    Jan 21, 2021 53:25

    SolarWinds and SUNBURST are still consuming the Infosec community and a few things have happened since our last episode. Since the Department of Justice has admitted that they were breached and that email inboxes were accessed, Kev tells us just how bad it is. We cover the saga from all angles, from Jetbrains to attribution and techniques to stock prices. And a cybersecurity podcast in 2021 wouldn't be a cybersecurity podcast in 2021 if we didn't talk about WhatsApp and the Twittersphere histrionics that have been going on. We shed some light over whether the changes to their privacy policy truly herald a U-turn – or whether it's all just another excuse for some #outrage. Next up, cyber crackdowns and criminal marketplaces as the UK's National Crime Agency goes softly, softly. And finally, in "Hackers Could ..." Google's ReCaptcha can hack itself? *** JetBrains in SolarWinds supply chain: https://www.nytimes.com/2021/01/06/us/politics/russia-cyber-hack.html Justice Department breached: https://www.theguardian.com/technology/2021/jan/06/doj-email-systems-solarwinds-hackers WhatsApp, Facebook, and our data: https://www.talkandroid.com/361823-whatsapp-facebook-data-privacy/ Hacking audio ReCaptcha with Google speech to text: https://www.youtube.com/watch?v=xh145UIeN9M&feature=emb_title 21 arrests in cyber crackdown: https://www.nationalcrimeagency.gov.uk/news/21-arrests-in-nationwide-cyber-crackdown

    31: Sunburst: Too Cozy To Bear

    Dec 18, 2020 48:27

    Unless you've been living under a rock for the past few days, you would have heard about Sunburst – a sprawling cyberattack allegedly masterminded by Russian nation-state hackers, UNC2452 (also known as Cozy Bear). Because we love talking about stuff like this, we couldn't resist getting the crew together to go over the events of the past few days with a fine-tooth comb. There'll be no cruising into Christmas for us! From what SolarWinds is exactly all the way through to the impact of the attack, Chris, Kev and Paul take a proper look at Sunburst, SolarWinds, and what this means for 2021. And, because we're a generous bunch and it is Christmas after all, we've created a series of labs dedicated to helping you understand and get hands-on with Sunburst – that you can access entirely for free. Check them out here: https://community.immersivelabs.online/browse/category/cyber-threat-intelligence/sunburst-supply-chain-compromise *** FireEye summary (including detections): https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html First reports of SolarWinds compromise: https://www.theregister.com/2020/12/14/solarwinds_fireeye_cozybear_us_government/

    30: Cold Chain Hype Train.

    Dec 15, 2020 32:59

    All aboard the hype train! We jump straight into the latest news that the supply "cold chain" for the much-awaited COVID vaccine could have been compromised. Apparently, a cyber espionage campaign has targeted the supply chain for the cold storage. BUT – and this is a big but – this all sounds a little tenuous to the team. Considering we didn't even know we had a vaccine by September, which is when the campaign was supposed to have started, how could attackers have already started targeting the supply chain? The team also strays into 'flat earth' territory for a brief and surprising pitstop – listen out for Kev "the Director of Truth's" excellent rant, it's very enjoyable. We also get into firmware. When was the last time you updated your firmware? From anti-adultery mattresses (yup, you read that right) to smart mugs (and you read that right too!), we somehow end up with a long episode of 'hackers could...'. *** https://www.bbc.co.uk/news/technology-55165552 https://arstechnica.com/gadgets/2020/12/iphone-zero-click-wi-fi-exploit-is-one-of-the-most-breathtaking-hacks-ever/

    29: A Cyber State of Mind

    Dec 2, 2020 46:07

    As part of our series on the Psychology of Cyber, we're joined by special guests, Rebecca McKeown and Swati Singh, to discuss the human challenges that are inherent in cyber crises. We take a deep dive into how organizations prepare for the worst – and how their all-important human capabilities factor in. Rebecca McKeown (https://www.linkedin.com/in/rebeccamckeowncpsychol/) is a Psychologist specialising in how humans respond in pressurised situations. She is a guest lecturer at Cranfield University and has worked with the UK's Ministry of Defence to help the armed forces build more agile human assets. Swati Singh (https://www.linkedin.com/in/swati-singh-79a54219/) is the Head of Business Information Security and Resilience at Close Brothers, and has 20 years of IT industry experience working in multinational companies. Oh and we have Chief Cyber Officer, Max Vetter too, who might pipe up at some point...

    28: So you want to hack an election...

    Nov 24, 2020 46:16


    You might have guessed from the title, but in this episode, we're looking at how to hack an election. It's basically one long “hackers could…” feature.  We cover everything from outright deception to social engineering to power cuts to…well, real hacking. Naturally, we couldn't have this conversation without Cambridge Analytica, the 2016 election and Brexit coming into it. Does what Cambridge Analytica did count as ‘hacking an election' or is it just political campaigning in the 21st Century? What would happen if someone were to take control of the algorithm of a social media platform that people trust for their news? 

    27: Incubating Security: Cyber's Thriving Startup Scene

    Nov 18, 2020 45:37

    Things are a little different chez Cyber Humanity this week, as we're joined by cyber start-up savants, Grace Cassy (https://www.linkedin.com/in/graceacassy/) of Cylon and Rob Newby (https://www.linkedin.com/in/robnewby/) of Procordr. We hear about how our guests fell into cybersecurity (always an interesting topic of conversation) and what's being done to produce and nurture more quality security start ups, particularly in the UK and EU. We take a look at the differences between US and UK-founded cyber start ups and the relationship between the public and private sectors in both. What can the government do to encourage innovation in start ups? Next we hear from Rob about the transition between a cushy full time job and starting up your own company. What does it take to bite the bullet and jump into the unknown like that? Grace Cassy: Grace co-founded CyLon in 2015, having worked in the UK Diplomatic Service and as an advisor to Prime Minister Tony Blair. Read her story here: https://cylonlab.com/our-team/grace-cassy/ Rob Newby: Rob was CISO for SmartDCC, the company responsible for rolling out Smart Meters across the UK, before founding Procordr this year. Read his story here: https://www.procordr.com/about

    26: Track & Trace: Spreadsheet Happens

    Oct 29, 2020 46:45

    First up in today's episode: 16,000 confirmed COVID-19 cases mysteriously go missing from an Excel spreadsheet as part of the UK's 'track & trace' system. We don't like to speculate, but it looks like someone might have been using a legacy version of Excel... But Kev tries hard to stay upbeat about it all. Experienced fraudsters have made off with $15m from an American company after gaining access to email conversations about a commercial conversation with "surgical precision". Kev talks us through what a 'man in the email' attack – which is what this was – entails and how to mitigate it (spoiler alert: JUST USE 2FA!). Next, Cisco got hit with a $1.9 billion judgement in a security patent lawsuit and the team struggles to pronounce 'Centripetal'. Said impossible-to-pronounce company raised the complaint against Cisco for infringing on four security patents related to encrypted traffic and packet filtering technology. Of course, Paul is thrilled (we all know his feelings on Webex – and if you don't, you're about to...). And in this week's 'Hackers could...', we have an absolutely ridiculous (*ahem*) story about hackers locking users into a product called Cellmate – which is a male chastity gadget. Cue much giggling... *** Excel-ent security: https://www.theverge.com/2020/10/5/21502141/uk-missing-coronavirus-cases-excel-spreadsheet-error Man in the email: https://www.infosecurity-magazine.com/news/experts-warn-of-15-million-global/ Cisco's expensive week: https://www.networkworld.com/article/3584836/cisco-slapped-with-19-billion-judgement-in-security-patent-lawsuit.html Cellmate: https://www.bbc.co.uk/news/technology-54436575

    25: How tutu dance into cyber

    Oct 23, 2020 43:07


    It's that time of the month: Patch Tuesday October 2020 has just passed so naturally we need to talk about it. Kev has clearly been bottling up some feelings about Bad Neighbor/ping of death attacks, and we wonder whether the hype is really merited. Next up, the most famous ballerina in cyber. If you've been anywhere near Twitter over the past few weeks, you've probably seen the advert we're talking about, which depicts a ballerina and the caption "Fatima's next job could be in cybersecurity (she just doesn't know it yet)". Naturally outrage – and many many memes – ensued, and there's nothing we like talking about more than Twitter-based fury. Although interestingly we did spot some tumbleweed in the infosec community... Who nuked Trickbot? U.S. Cyber Command said it was them – then Microsoft and co piped up and said they should get the credit! We take a deep dive into just what's going on. *** Microsoft fixes Ping of Death Flaw in Windows: https://duo.com/decipher/microsoft-fixes-ping-of-death-flaw-in-windows "Fatima" Advert: https://www.infosecurity-magazine.com/news/fatima-advert-removed-backlash/ Trickbot: https://securityboulevard.com/2020/10/u-s-cyber-command-says-it-nuked-trickbot-but-microsoft-and-chums-claim-credit/

    24: Next Stop: HackTown

    Oct 14, 2020 47:28


    We love stories about the Dark Web – and we're apparently not alone in that. This week, we're talking about HackTown, which seems to be Hogwarts for wannabe hackers (just without the...magic). HackTown promises to teach registrants how to become professional cyber criminals in 2020, which is both amusing and intriguing. The HackTown/Dark Web chat brings us neatly onto REvil, who have deposited $1m in Bitcoin on a Russian-speaking hacker forum to attract new hacker talent to join their criminal activities. Also featuring this week is HP. A researcher uncovered a severe vulnerability in HP Device Manager – yeah, not that exciting in itself. What is exciting, however, is all the tantrums and drama around the disclosure process that followed. Maybe next time HP will learn to lock the backdoor. *** HackTown: https://www.forbes.com/sites/daveywinder/2020/09/28/this-hacker-university-offers-dark-web-cybercrime-degrees-for-125/#41c700c145f2 REvil are hiring: https://www.cpomagazine.com/cyber-security/revil-ransomware-gang-deposits-1-million-for-recruitment-on-a-russian-speaking-hacker-forum/ HP forgot to lock the backdoor: https://www.bleepingcomputer.com/news/security/hp-device-manager-backdoor-lets-attackers-take-over-windows-systems/

    23: Watch Your Wrist: The Fitbit Spyware Special

    Oct 9, 2020 45:17

    This episode is a little different to normal – and all because Kev went poking around in Fitbit. Kev, doing what Kev does, found a flaw in the Fitbit App Store that allowed him to deliver a malicious application from fitbit.com (http://fitbit.com/). The spyware/stalkerware was capable of stealing everything from location and personal body data to connecting to company networks for a range of malicious actions – and because it was delivered from fitbit.com, it bypassed protections and installed inside the Fitbit app as if it were legitimate. The flaw was reported to Fitbit who have since moved to mitigate it. In this special edition of Cyber Humanity, we join Chris Pace, Kev Breen and our guest cyber PR Svengali, Anthony D'Alton, to discuss Kev's findings and their implications from every perspective. If you're more of a reader than a listener, you can check out this blog post (https://www.immersivelabs.com/resources/blog/fitbit-spyware) on Kev's research.

    22: Rotten to the Core?

    Oct 2, 2020 46:57


    First up in this week's episode is news that, as part of its ‘notarization' process, Apple approved code used by Shlayer, the most common threat faced by Macs last year. Is it reasonable to expect Apple – or any app store – to keep their entire ecosystem squeaky clean at all times, or is it up to the user to always be sceptical about what they're downloading?  Next up, another perfect 10 vulnerability. This one, Zerologon, was (luckily) patched back in August, but had the potential for eye-watering consequences. Considering the details of the vulnerability were not made public at the time, users and admins never knew how severe it really was – until now. Thanks to Kev, we get to see it in all its glory. Oh and by the way, we have a lab on this vulnerability, so if you're a user, log on to check it out. And if you're not a user…well, maybe you should be.  APT 41 makes an appearance next as five alleged Chinese citizens have been accused of hacking over 100 companies. Paul borders on seriously ranty territory (nothing new here) and Kev sheds some light on the ridiculous Zone-H.  And finally, our ever-popular ‘Hackers could…' feature covers everything from the fairly noteworthy to the downright groan-inducing. Do people *really* still share photos of their shiny new credit cards?  *** Apple vs Shlayer: https://arstechnica.com/information-technology/2020/09/mac-malware-gets-apples-seal-of-approval-thanks-to-notarization-goof/ Zerologon: https://www.zdnet.com/article/zerologon-attack-lets-hackers-take-over-enterprise-networks/ APT 41: https://techcrunch.com/2020/09/16/justice-department-charges-apt41-chinese-hackers/

    21: When Sysadmins Attack: The Snowden Edition

    Sep 24, 2020 · 44:54


    We want to talk about Edward Snowden. It's harder than you would imagine, considering most of the Cyber Humanity team have at some point worked for government agencies and therefore can't quite remember what they do and “don't” know about him. Even so, he's still in the public eye even after all this time, and there are certainly some lessons to be learnt and ridiculous happenings to puzzle over.  Hopefully Paul, Immersive Labs' resident International Man of Mystery, won't be facing a prison sentence by the end of this episode.  *** https://www.theguardian.com/us-news/2020/sep/03/edward-snowden-nsa-surveillance-guardian-court-rules https://www.wired.com/story/edward-snowden-in-his-own-words-why-i-became-a-whistle-blower/

    20: Bugging Out Over Bounties

    Sep 22, 2020 · 45:39


    What's been bugging the team recently? Slack's bug bounty – if it can even be called that – causes some consternation in this episode and raises serious questions about bug bounty programs. The bug in question was classified as a ‘critical' RCE vulnerability and yet the researcher who discovered it only got $1750. Yup, you read that right. Apparently doing the right thing doesn't always pay, but if you're like Kev you might end up with some free chicken or a heartfelt ‘thank you'. We're absolutely certain that such rewards are enough to keep people on the responsible disclosure side of the fence… Also covered in this episode is the strange news that a Russian national was arrested for trying to convince a Tesla employee to install malware onto the company's network for the tasty sum of $1m. Color us intrigued… *** Slack Bug Bounty: https://mashable.com/article/slack-fixes-critical-remote-code-execution-vulnerabilitybug-bounty/?europe=true Tesla Hacking Plot: https://www.zdnet.com/article/elon-musk-confirms-russian-hacking-plot-targeted-tesla-factory/

    19: Virus Vaccines and Secret Squirrels

    Sep 16, 2020 · 38:50


    We have a vaccine! No, not that one. The Emotet vaccine has been quietly doing the rounds over the last few months. Kev gives a nice overview of malware vaccines and how this particular one works. We also chat about circles of trust, old boys' networks and secret handshakes, and the part they play in intelligence sharing and international collaboration on cybersecurity. Who decides who's inside the circle?  Next up, the secret service has been buying location data. This in itself isn't new; however, they're now getting around getting warrants by buying location data off private companies. Sure, it's publicly available – but should governments and law enforcement be buying it when they should be held to a higher standard? Of course the ex gov type believes that governments couldn't possibly break the law (listen carefully – this might be the only time Chris has ever been shocked to silence), so isn't it in safe hands?  And finally, could hackers hack your car?! Hack your kettle?! Listen to your keys?! GASP! More to the point: why would they want to? If you're looking for some light entertainment, these articles are well worth a read. 
Emotet Vaccine: https://threatpost.com/emocrash-exploit-emotet-6-months/158414/ Australia's new cybersecurity strategy: https://www.itnews.com.au/news/govt-finally-unveils-australias-new-cyber-security-strategy-551358 Secret Service buys location data that would otherwise need a warrant: https://arstechnica.com/tech-policy/2020/08/secret-service-other-agencies-buy-access-to-mobile-phone-location-data/ Hackers could hijack lane keeping systems to control your car: https://www.autoevolution.com/news/hackers-could-hijack-lane-keeping-systems-to-control-your-car-experts-warn-147642.html

    18: Who Watches The Watchmen?

    Sep 2, 2020 · 34:53


    If you notice the team being a little bit more careful with their words than usual, it's because the topic of this episode is...a SANSitive one. We'll leave it like that, shall we? We also chat about the NCC/CREST/GitHub debacle, which sparks debate over how valuable certifications are when they can be played with 'leaked' step-by-step guides. Is there any real-world value in simply learning how to pass an exam? Does a certification truly indicate aptitude? The topic turns next to facial recognition in law enforcement, following the news that Liberty won the first international case banning the use of facial recognition technology for policing. It's a serious debate – that gets a bit dystopian at times – and we take a look at it from every angle. *** SANS data breach: https://www.bleepingcomputer.com/news/security/sans-shares-details-on-attack-that-led-to-their-data-breach/ NCC/Crest: https://www.theregister.com/2020/08/14/crest_investigates_ncc_group/ Liberty wins facial recognition technology case: https://iottechnews.com/news/2020/aug/11/liberty-wins-case-banning-police-facial-recognition/

    17: WastedDollar: The Garmin Edition

    Aug 25, 2020 · 37:28


    The dust from Garmin's scrimmage with WastedLocker is just about settling – potentially at the cost of $10 million. Kev sheds light on the matter from a technical standpoint, and we learn why it's really unlikely Garmin would have been able to decrypt their files without paying up to the perpetrators. It seems we can't go a week without talking TikTok and privacy – and if anyone will let Max get a word in edgeways, we might even hear his thoughts on it. Privacy advocates be warned! Maze makes another appearance. In an altruistic turn of events, they're giving their targets a chance to pay up before outing them to the public. They'll only encrypt the important bits...colour us intrigued. Oh and PSA: if you haven't checked out our WastedLocker labs yet, you can log in here (https://immersivelabs.online/) or book a demo (https://www.immersivelabs.com/get-a-demo/) to check them out.

    16: Child's Play: The Kids That Took Twitter

    Aug 19, 2020 · 26:35


    As you might have guessed from the title, the Twitter hack is the focus of this episode – specifically, the kids behind the attack. Why are youngsters so much more likely to turn to cyber crime? How can we guide them onto a more ethical path, while still giving them the opportunity to explore their incredible cyber talents?  Kev shares a blast from the past and tells us about his path to cyber. Buckle up, because it's a good'un! Of course, he maintains that he's stayed firmly away from any shades of grey during his early cyber years. We totally believe you, Kev!  We couldn't cover the Twitter hack story without discussing the somewhat salacious interlude during the court case. How is it that Max can't even share his screen on Zoom due to security restrictions, but someone can get onto a major court case and share porn?  Finally, and most importantly, we puzzle over why these kids merited an entire task force when there are entire criminal organizations out there monetizing malware and doing real harm. Tune in to find out!  UK and US Teens Arrested over Twitter Hack https://www.theguardian.com/technology/2020/jul/31/twitter-hack-arrests-florida-uk-teenagers Twitter Hack Hearing Zoom Bombed https://www.bloomberg.com/news/articles/2020-08-05/twitter-hacker-s-virtual-bail-hearing-is-hacked-by-porn-bombs

    15: Born to Ransom

    Aug 12, 2020 · 46:24


    He ransomware, she ransomware, they all ransomware! Yup, you guessed it: this week's episode is all about ransomware. We start with Garmin's interesting handling of their recent tryst with WastedLocker, which largely involved them saying nothing at all to anyone. Then we move on to Blackbaud, who took the opposite stance by telling everyone everything and promising that absolutely on no account has the breached data gone any further than the cybercriminals responsible. Because criminals are renowned for their honesty, right? Staying on the ransomware theme, we wonder whether Garmin could – or should – have learned lessons from Travelex's new year nightmare and Norsk Hydro's run-in with LockerGoga in 2019. We also take a look at app sec with Sean Wright, Mr App Sec himself at Immersive Labs and our guest for this week. Incidentally, Immersive Labs released three new labs on WastedLocker this week, so if you want to learn more about how it works and the part it played in the Garmin hack, head over to this blog (https://www.immersivelabs.com/resources/blog/from-decisions-to-decryption-live-the-garmin-ransomware-attack-with-immersive-labs/). If you already have a license (alright, no need to boast), log in here (https://immersivelabs.online/). Garmin WastedLocker attack: https://www.forbes.com/sites/leemathews/2020/07/23/garmins-alleged-ransomware-wastedlocker-evil-corp Blackbaud pay the ransom: https://www.computerweekly.com/news/252486910/List-of-Blackbaud-breach-victims-tops-120

    14: Hack My Tweets Up

    Aug 5, 2020 · 44:09


    Imagine our surprise when we were casually browsing Twitter one evening and then got offered $2,000 for every $1,000 we sent to Jeff Bezos. Now that's a good deal... Naturally our curiosity was piqued and in today's episode we take a deeper look at this high profile hack. Apparently you can now hack chargers to destroy devices. What a world we live in! And Charming Kitten – the cyberwarfare group also known as APT35 – has hit headlines this week as IBM X-Force discovered videos of the group's hackers teaching others to efficiently take control of social media accounts, email accounts etc. It's basically cybersecurity training for state-sponsored hackers... Colour us intrigued. Twitter hack: https://www.bbc.co.uk/news/technology-53425822 BadPower https://gizmodo.com/new-hack-can-trick-power-bricks-into-starting-fires-1844441247 Charming Kitten videos https://www.zdnet.com/article/iranian-cyberspies-leave-training-videos-exposed-online/

    13: On your Huawei

    Jul 31, 2020 · 41:57


    The one that got Huawei. We discuss the controversy around the Chinese company and the role it plays in the UK's network, which has been rumbling on for years. Now it seems to be coming to a head – and headlines proclaiming the potential for the ‘9/11 of cybersecurity' aren't helping matters… Next, we need to talk about TikTok. Or do we? Is it as much of a sh*t storm as the media is making it out to be, or does it all boil down to good old fashioned paranoia with a sprinkling of personal vendetta from a certain politician thrown in?  Kev reaches level 10 on the rant-o-meter over his latest findings in F5 – you have been warned – and another two CVEs with perfect 10 CVSS scores hit the headlines.  Huawei kit to be removed from UK 5G: https://www.bbc.co.uk/news/technology-53403793 Trump wants TikTok ban: https://www.theguardian.com/technology/2020/jul/16/tiktok-video-sharing-app-should-you-delete-it

    12: Gimme F5

    Jul 29, 2020 · 41:53


    In this week's episode, we take a look at the recent critical vulnerabilities in F5, which scored a perfect 10 CVSS score, and Kev sheds some light on what made it such a perfect storm.  We also have a little think about why companies with the most security tools and platforms in place feel the least secure. Does more always mean better? Next, we debate the fact that there's surely no debate around changing names like ‘blacklist' and ‘whitelist' for far more logical and inclusive terminology. Approve and deny lists, anyone?  And what do £54m in cash, a lot of drugs, a torture chamber, and an encrypted phone system have in common? Let us – or the NCA – tell you. And no, it's not a really great party.  F5 vulnerability: https://www.helpnetsecurity.com/2020/07/06/exploit-cve-2020-5902/ IBM security technology report: https://www.zdnet.com/article/the-more-cybersecurity-tools-an-enterprise-deploys-the-less-effective-their-defense-is/ NCA cracks EncroChat: https://www.independent.co.uk/news/uk/crime/encrochat-phone-network-encryption-organised-crime-uk-arrests-police-a9597501.html

    11: The Right to Remain Hacked

    Jul 22, 2020 · 40:22


    In this week's episode, we revisit the thin blue line, this time with a focus on a Wikileaks-style data dump called ‘Blue Leaks'. 270GB of police data – 24 years' worth from over 200 departments – was leaked in what has been dubbed ‘a more transparent alternative to Wikileaks'. Could it be a catalyst for change or a danger to life?  We also spin the Random Ransom Generator and try to wrap our heads around Maze's recent official announcement that they're disappointed to see companies trying to decrypt their files themselves. Yup, you read that one right.  And what's going on Down Under? The Australian government grapples with a sophisticated state-based actor. We take a look at their advisory to see what we can find out.  Blue Leaks: https://www.forbes.com/sites/thomasbrewster/2020/06/22/blueleaks-huge-leak-of-police-department-data-follows-george-floyd-protests/#1a5f6d1b509b Maze Ransomware announcement: https://securityboulevard.com/2020/06/stuck-between-a-data-breach-and-a-ransom/ Australian Advisory includes MITRE T-numbers: https://portswigger.net/daily-swig/know-thine-enemy-australian-cyber-security-centre-spotlights-most-popular-cyber-attack-techniques

    10: Telling Tails

    Jul 15, 2020 · 40:41


    In this episode, we take a look at some recent faux-pas that have been making headlines. Facebook helps develop a zero-day exploit in Tails to catch a prolific predator and then keeps it all very quiet. A South African bank discovers what happens when a single master key can decrypt literally everything – and one of their employees decides to print it out. And it's fappening all over again as 845GB of explicit pictures, audio files and dirty laundry are leaked from a number of dating sites' insecure AWS buckets. Oh, and we find out what Kev really thinks about the internet. Warning: it's explicit. Facebook vs Predator: https://www.schneier.com/blog/archives/2020/06/facebook_helped.html Postbank's master key nightmare: https://www.zdnet.com/article/south-african-bank-to-replace-12m-cards-after-employees-stole-master-key/ More reasons to avoid Herpes Dating: https://www.wired.com/story/dating-apps-leak-explicit-photos-screenshots/

    9: Socially Spying.

    Jul 8, 2020 · 29:49


    In this episode we take a much closer look at the applications of Open Source Intelligence (OSINT) in both offensive and defensive operations, including Paul's growing excitement about the dark web (mainly because he thinks it sounds like Geocities. Google it, kids).

    8: Snakes in the Machine

    Jul 1, 2020 · 46:15


    Now it's automotive giant Honda's turn to fall victim to what seems to be a fairly crippling cyberattack. And while they aren't giving anything away, it seems cloud malware analyzer VirusTotal did have enough accessible information to tip off security researchers that Snake ransomware was the culprit. We also dive into Dark Basin with a look at The Citizen Lab's hacker-for-hire intelligence analysis. And Call Stranger: cool name, great logo, but how bad is it? Honda attack: https://www.darkreading.com/attacks-breaches/ics-threat-snake-ransomware-suspected-in-honda-attack/d/d-id/1338075 Dark Basin report: https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/ Call Stranger: https://www.zdnet.com/article/callstranger-vulnerability-lets-attacks-bypass-security-systems-and-scan-lans/

    7: Better NSA no more.

    Jun 24, 2020 · 40:13


    We all really hope no government agencies are listening as Paul gets excited about a new career as a cyber vigilante. How do the police actually go about investigating cybercrime? And a lawsuit filed against Google says that it's really Chrome's Incognito that's spying on us. 5G Bioshield: https://www.bbc.co.uk/news/technology-52810220 Exim vulnerability: https://www.us-cert.gov/ncas/current-activity/2020/05/28/nsa-releases-advisory-sandworm-actors-exploiting-exim Incognito lawsuit: https://www.forbes.com/sites/daveywinder/2020/06/03/google-chrome-privacy-lawsuit-could-you-get-a-5000-payout-incognito-mode-class-action/#cf9a4df1485d

    6: Hype or Hacked?

    Jun 18, 2020 · 38:17


    Cyberattacks are the darling of both mainstream and industry media. But is this a double-edged sword? It seems like too often the hype around a new type of threat overtakes the real risk it poses. We take a cheeky look at some vulnerabilities from yesteryear as Paul plays quizmaster.

    5: All the President's Data?

    Jun 16, 2020 · 37:28


    This episode could be entitled: REvil III as they make a further unwelcome appearance on our show. Now that they are demanding a huge ransom from no less a figure than the President of the United States himself, does that make them terrorists? And Kev went digging around in the Anubis Android malware only to make a quite shocking discovery. REvil and Trump: https://www.forbes.com/sites/daveywinder/2020/05/18/hackers-claim-trump-dirty-laundry-data-has-been-sold-to-interested-party/#421b47377bca Kev's Anubis research: https://immersivelabs.com/2020/06/16/new-vulnerability-in-popular-android-banker-anubis-reported-to-authorities/ Hacked supercomputer: https://www.zdnet.com/article/supercomputers-hacked-across-europe-to-mine-cryptocurrency/

    4: The Gods of Malware.

    Jun 11, 2020 · 43:38


    It is weird that we each picked different threats to talk about and two of them were named after near-eastern gods, including the patron of lost souls and the helpless. Speaking of helpless, Max gets mired in a MAR. And just why are there so many bits of Brazilian banking malware?

    3: Masters of the Cyberverse.

    Jun 9, 2020 · 41:11


    There was much flailing of arms recently as an international examination body decided to rank a CISSP at the same level as a Master's Degree. Kev flexes his honeypots and talks Saltstack. And Paul takes a closer look at a newly discovered Evil Maid with a distinctly Bond-esque moniker.

    2: Lock down, Zoom on.

    Jun 5, 2020 · 42:16


    The first of our episodes recorded in lockdown. We take a closer look at accusations of poor security thrown at Zoom, the plucky little video conferencing company that has eaten the world. Is it really all that bad or just a storm in the infosec twitter-cup? Also, as a little bonus we round up the very worst COVID-19 scams.

    1: Travelex: A post mortem.

    Jun 2, 2020 · 30:35


    At the dawn of 2020, foreign exchange company Travelex had something of a New Year cyber nightmare. In this episode we discuss what happened, how they responded and whether paying the ransom is ever the right thing to do.
