Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about.
No Rapid Rundown this time! But you can get links to all the past episodes in Season 5 here: Never Mind the Ears, Here's Security Nation
Interview links:
Jeremi on Password Nihilism
The Rails bug Jeremi referenced
Rapid Rundown links:
Risky Business Newsletter on fake PoCs: "GitHub aflood with fake and malicious PoCs"
The cited paper: "How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub"
Also relevant is Honeysploit by Curtis Brazzell
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Prior Security Nation episode in which loads of PortSwigger references were dropped: https://www.rapid7.com/blog/post/2021/08/18/security-nation-daniel-crowley/
New research from James about browser-powered desync attacks: https://portswigger.net/research/browser-powered-desync-attacks
Rapid Rundown Links:
Semi-secret Fortinet advisory: https://twitter.com/Gi7w0rm/status/1578398457227878407
CVE details as they come: https://www.rapid7.com/blog/post/2022/10/07/cve-2022-40684-remote-authentication-bypass-vulnerability-in-fortinet-firewalls-web-proxies/
Existence of Fortinet CVE-2022-40684 PoC posted, but not the PoC itself: https://twitter.com/Horizon3Attack/status/1579285863108087810
The Hidden Harms of Silent Patches: https://www.rapid7.com/blog/post/2022/06/06/the-hidden-harm-of-silent-patches/
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Check out Panasonic's delightful PSIRT page – especially if you have a vulnerability in one of Panasonic's many, many products to report.
Rapid Rundown Links:
Check out Inti's research on "oops, we made a surveillance system" at notmyplate.com.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Check out the CVE blog post on handling cloud vulnerabilities.
Read up on the rules for assigning CVEs.
See an example cloud CVE affecting Microsoft Azure.
Read the Microsoft Security Response Center's blog post on cloud vulnerabilities.
Rapid Rundown Links:
Check out Dominic White's tweet on iOS remembered networks.
Read the update on the recently released RFC 9293.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Check out Nmap if, for some reason, you haven't already.
Learn about Npcap, the packet capture library tool that Gordon and his company also offer.
Watch Gordon and HD Moore, the creator of Metasploit, chat about the evolution of network scanning on YouTube.
Rapid Rundown Links:
Read the Bleeping Computer story on hackers using DeFi bugs to steal cryptocurrency.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Learn more about some of our favorite presentations from the Vegas conferences, including:
Susan Paskey on threat hunting in MFA logs
Jeremi Gosney on "passwords, but nihilism" (an apparently unscheduled, live threat modeling exercise on password risks)
Patrick Wardle on Zoom LPE vulnerabilities
Gaurav Keerthi, Pete Cooper, and Lily Newman on global policy challenges
Jake Baines on Cisco ASA vulnerabilities and weaknesses (check out the blog post, too)
Jonathan Leitschuh on fixing OSS vulnerabilities at scale
Eugene Lim on so many iCal standards within standards
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview links:
Learn all about Defaultinator.
Read up on the Raspberry Pi default password vulnerability.
Check out the GitHub repositories for Defaultinator.
Rapid Rundown links:
Read Derek Abdine's disclosures on Arris and Arris-like routers.
Check out the Security Boulevard article on keeping PoCs secret.
Peruse Matt Blaze's tweet thread on teaching physical security secrets despite complaints from locksmiths.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
A Closer Look at CVSS Scores
Rapid Rundown Links:
Bleeping Computer story: PyPI mandates 2FA for critical projects, developer pushes back
Twitter thread on deleting atomicwrites, and undeleting it
PyPI issues mentioned:
https://github.com/pypi/warehouse/issues/11625
https://github.com/pypi/warehouse/issues/11805
https://github.com/pypi/warehouse/issues/11798
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Revisit our first episode with Peter and Irene from Season 4.
Read the paper on the UK government's cybersecurity strategy through 2030.
Rapid Rundown Links:
Check out the article on so-called pig-butchering scams.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Follow Steve on Twitter, and give the SpiderFoot official account a follow while you're at it.
Check out the SpiderFoot website and GitHub page, and learn more about the SaaS version, SpiderFoot HX.
Learn about the latest SpiderFoot 4.0 release with YAML correlation rules.
Read Steve's blog, especially his posts on the 10 years developing SpiderFoot and the misuse of OSINT to claim election fraud.
Rapid Rundown Links:
Read the full paper, “A Closer Look at CVSS Scores.”
Follow the author, Jacques Chester, on Twitter.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Check out the latest on HoneyDB.
Interested in participating in the project? Head to the HoneyDB Agent Docs.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Check out Omer and Richard's paper.
Learn more about Omer's work and Richard's work.
Rapid Rundown Links:
Read the news about the change in DOJ policy toward ethical hackers.
Visit the Rapid7 blog on the same topic.
Dive into Harley's great Twitter thread on the topic.
Read up on the HiQ and Missouri cases mentioned.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Learn more about Kali Linux.
Check out what they're up to over at Offensive Security.
Follow g0tmi1k on Twitter, and check out his blog.
Rapid Rundown Links:
Read the Krebs on Security article on the upcoming password changes.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Follow Whitney on Twitter, and check out her website.
Submit a CFP for this year's Crypto & Privacy Village at DEF CON.
Rapid Rundown Links:
Read Neil Madden's blog post on psychic signatures.
Follow Neil Madden on Twitter.
Check out Project Wycheproof on GitHub.
Learn about Mount Wycheproof (the actual mountain).
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Read Project Zephyr's blog post on Amnesia33.
Get Linux's perspective on SBOM.
Listen to our previous episode on SBOM with Josh Corman and Audra Hatch.
Check out Zephyr's Renode dashboard.
Learn about the Software Package Data Exchange (SPDX) specification from ISO.
Rapid Rundown Links:
Read the story on the npm protestware.
Peruse the issue logged against the project on GitHub.
See Dark Reading's homage to Mike Murray.
Watch Mike Murray talk about hiring hackers.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Listen to David's previous Security Nation episode.
Give him a follow on Twitter.
Read up on the PTSI bill.
Learn who the heck Mystic Meg is.
Check out ETSI (not the home crafts marketplace).
Rapid Rundown Links:
Download Rapid7's Vulnerability Intelligence Report.
Check out AttackerKB.
Listen to Caitlin Condon, lead author of the report, on Duo's Decipher podcast.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Follow Bob on Twitter.
Check out the DNC Security Checklist.
Rapid Rundown Links:
Read the paper on VPN influencer ads on YouTube.
Give the lead author, Omer, a follow on Twitter.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Learn more about Metasploit, AttackerKB, and Recog.
Read Matthew's blog post on open-source security.
Remind yourself about Log4Shell (if you dare).
Read up on Linus's Law.
Rapid Rundown Links:
Read the Bleeping Computer article about DDoS amplification.
Check out the original USENIX paper.
Interview Links:
Follow Amit on Twitter at @0xAmit.
Read Amit's blog post on the Autodiscover leak.
Rapid Rundown Links:
Read up on the vulnerability disclosure metrics from Google's Project Zero.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Take up John on the offer to spam him on LinkedIn.
Learn more about what intelliflo is up to.
Rapid Rundown Links:
Check out CISA's KEV list.
Read up on the 8 vulnerabilities recently added to KEV.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Read GitHub's blog on the Log4j vulnerability, and the follow-up.
Check out GitHub's Dependabot.
Find out Why Johnny Can't Encrypt.
Learn about GitHub's Sponsor Program.
Read about the work going on at OpenSSF.
Delve into Mike's blog post on GitHub's exploit code policy.
Rapid Rundown Links:
Get the info on Microsoft's emergency fixes for Windows Server and VPN bugs.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
Listen to Chris's podcast, First Impressions.
Check out the other, Jane Austen-themed First Impressions podcast.
Learn more about MVSP at the official site and in this blog post from Google.
Read up on the ETSI standard Jen mentioned.
Revisit our previous episode on Disclose.io with Casey Ellis.
Rapid Rundown Links:
Read about the Sky router vulnerability.
If you just can't wait till January to hear from us again, revisit Season 4.
Interview links:
Learn more about the UK's Department for International Trade.
Rapid Rundown links:
Check out inTheWild, and follow them on Twitter.
Grab our 2022 planning resource. (Note! This is a direct PPTX link — don't be alarmed by the sudden download.)
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Apply to phase one of the UK Cabinet Office's Small Business Research Initiative (SBRI): Reducing Public Sector Risk through Culture Change. Want to tell a friend? Feel free to use this friendlier, human-readable and -speakable link: https://r-7.co/cabinet-office-culture-competition
Note the deadline is fast approaching: Monday, November 8, 2021, 17:00 London UK time, and the research initiative is open to all small businesses with strong ties to the United Kingdom.
Interview Links:
Check out the Ransomwhere site.
Listen to our previous episode with Jack on election security.
Rapid Rundown Links:
Read the CISA notification on the critical RCE vulnerability in Discourse.
See Discourse's announcement of the vulnerability on GitHub.
Peruse Discourse's technical blog post about it.
Check out Discourse's security program and policies.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview links:
Follow Michael on Twitter @CyAlliancePrez
Learn more about the Cyber Threat Alliance
Check out the Ransomware Task Force, which Michael co-chairs
Read Jen's position piece on hack back
Rapid Rundown links:
Read the full text of the Cyber Incident Reporting Act
Refresh your memory on the SolarWinds data breach
See who's on the House Homeland Security Committee
Interview Notes:
Rob's live Tweet thread
Rob's archive of the provided RTFs (hex decoded)
Rob's BLX Container Extractor
All about Dennis Montgomery. Warning: this is a Wiki rabbit hole.
A torrent of several gigs of data from the Cyber-Symposium is available at: magnet:?xt=urn:btih:39a9590de21e77687fdf7eacee4dd743f2683d72&dn=cyber-symposium&tr=udp://9.rarbg.me:2780/announce
Rapid Rundown Notes:
The original Bleeping Computer story on Microsoft shutting off Basic Auth
The related story about Amit's Autodiscover bug finding that may have prompted the above
A somewhat early reference to some WPAD bugs
The earliest reference Tod could find about WPAD exploits... which happened to be written by the very same Tod back in 2009.
Interview Links:
Craig is on Twitter, but his OpSec is pretty tight, so good luck getting that follow back.
You can read up on Cisco Talos, and check their most recent on proxyware here.
Rapid Rundown Links:
Check out the Bleeping Computer story on the ATM robbers.
Back in 2016, Rapid7's Weston Hecker demonstrated some EMV attacks.
But that doesn't matter, because about half of all U.S. gas stations still don't operate with EMV payment.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Interview Links:
National Cyber Security Center
Colorado Cyber Resource Center
Cybersecurity HSAC Subcommittee
Rapid Rundown Links:
Firefox follows Chrome and prepares to block insecure downloads, by Catalin Cimpanu
hxxp://smart4alarm.com/ is the website Tod ran into that plops an APK right in your Downloads with no clicks. Is this okay?
Interview Links:
The original Watchfire paper on HTTP Request Smuggling from 2005
HTTP request smuggling reborn, by James Kettle
HTTP/2 Request Smuggling from DEF CON 2021
Free TCP/IP bugs
Free ICS bugs
Snyk's Zip Slip research
Rapid Rundown Links:
All the DEF CON videos
Tempest Radio Station presentation by Paz Hameiri
Tempest Radio Station paper
How to get started in cybersecurity AMA on Reddit
Rob Graham's live tweeting of the Cyber Symposium
From the discussion with Richard:
Amedisys, Richard's home healthcare employer
S02E06: Our first time around with Richard
S02E10: The mentioned episode with Oliver Day
From the Rapid Rundown:
The Record on the PyPI bug
The original research from RyotaK
Jen's Python joke
Philipp Amann is the Head of Strategy at the European Cybercrime Centre.
No More Ransom, an incredibly useful self-serve library of ransomware crackers, from Alpha to Ziggy
Need some specific guidance on what to do if you suffer a ransomware attack? Check out NMR's publication!
Also mentioned was Europol's annual Internet Organised Crime Threat Assessment report, which is a great read.
Interested in partnering with NMR? Send in a request here!
The Rapid Rundown is mostly about the PetitPotam proof-of-concept NTLM attack, as discovered by @topotam77.
Microsoft's helpful mitigation KB for the same
The SANS Diary writeup of this novel NTLM attack quite capably demonstrates the risks of this attack.
Want to know more? Check out these links!
The very best place to have a few beers while at Infosec Europe in person is, naturally, the Prince of Teck
Follow-up to the HSE attack in Ireland, from ZDNet's Danny Palmer
Ireland's first CERT, co-founded by Brian Honan; they announced their intention for IRISSCON 2021 in November on Twitter
Rob Wright, of SearchSecurity, interviewed Jeremiah Grossman about SentinelOne's cyber warranty program
Real quick correction for the Rapid Rundown: In the original recording, Tod once accidentally referred to "14.4" as the current version of iOS, when he should have said 14.6. He edited that correction directly in the audio and tried to make it sound normal. That said, 14.7 was released right before we published this episode, and we still don't know whether the DoS was fixed there.
Now for the links mentioned in the Rapid Rundown:
WifiDemon is described in detail over at ZecOps
Apple Developer Support, which notes what's currently out in the iOS world
The job Rapid7 is hiring for, as mentioned, is right here
And here's where you can learn about the DEF CON IoT Village
Intrigue.IO
The Monpass breach
Avast's findings on Monpass
Apple trusted root certificates
Mozilla trusted root certificates
Microsoft trusted root certificates
https://go.chainalysis.com/2021-Crypto-Crime-Report.html
Tod is not Satoshi. Nor is he HD Moore, nor is he Dustin Trammel. It's wild how many people Tod isn't.
Cyberscoop's Tim Stark covers the Hydra dark net marketplace, mentioned by Kim.
The Vice story on 2G-era crypto breakage and the research paper it covers.
Detroit News on election audits in Cheboygan County, which Tod is… worried about. If you live in Michigan, tell us what you think.
If you're interested in learning more about the Payment Card Industry Data Security Standard (PCI DSS), head on over to https://www.pcisecuritystandards.org/. You should also check out Jeff's regular podcast, Security & Compliance Weekly.
If you're wondering how GitHub actually landed on their new acceptable use policy (AUP), check the diff, or read Mike Hanley's explainer blog on the same. To cap it off, see the DoJ's press release about seizing 63.7 Bitcoin, which, at this moment, is worth about USD$2 million.
Follow the Deception Lab on Twitter, and get up to speed on how to leverage the "digital, physical, and psychological" elements of the cyber battle space.
As for the news, you can check out the original release from Google (now edited to include the four in-the-wild bugs), as well as read the referenced Ransomware Task Force Report.
After the deep dive on ransomware payments and how to beat back this latest crime wave, we spend several minutes in the Rapid Rundown NOT talking about the Colonial Pipeline ransomware event. Instead, we jump into Google's renewed push for automatic enrollment in 2FA, I mean, 2SV. Hooray MFA!
Links:
Read the Ransomware Task Force Report (mentioned throughout the episode)
See Bleeping Computer's coverage of Google's default 2SV
Biographical notes:
Megan Stifel is Executive Director, Americas, at the Global Cyber Alliance. She previously served as Cybersecurity Policy Director at Public Knowledge. Prior to her work with nonprofits, Megan served as a Director for International Cyber Policy at the National Security Council and in the U.S. Department of Justice, including as Director for Cyber Policy in the National Security Division and as counsel in the Criminal Division’s Computer Crime and Intellectual Property Section.
Ms. Stifel was previously in private practice, where she advised clients on sanctions and FCPA compliance. Before law school, Ms. Stifel worked for the U.S. House of Representatives Permanent Select Committee on Intelligence. She received a Juris Doctorate from the Maurer School of Law at Indiana University, and a Bachelor of Arts, magna cum laude, from the University of Notre Dame. She is a partner with Social Venture Partners Charleston.
Professor Ciaran Martin, CB, is Professor of Practice at the Blavatnik School of Government at the University of Oxford. He is also an adviser to Paladin Capital in the United States, and Garrison Technology Ltd in the United Kingdom.
For six and a half years ending in the middle of 2020, Ciaran led the UK Government’s work on cybersecurity. This included establishing the National Cyber Security Centre in 2016. The UK NCSC is now recognized as one of the leading public authorities in the world for cybersecurity, and Ciaran ran it for its first four years.
During Ciaran’s tenure, the UK rose from eighth to first in the International Telecommunications Union’s Global Cybersecurity Index. The NCSC’s approach to intervening to make technology safer–and easier to use safely–as well as managing national-level incidents proactively has been lauded around the world. Ciaran has been honored within the UK, Europe, the United States, and beyond for his groundbreaking efforts to combat cyber threats.
Prior to running the NCSC, Ciaran held a series of senior roles in the UK Cabinet Office. As Director of Constitution, he oversaw the agreement for arrangements for the Scottish Independence Referendum in 2014. He also served as Director of Security and Intelligence as well as head of the Cabinet Secretary’s office. Additionally, he has worked in the UK Treasury and National Audit Office. Originally from Northern Ireland, he holds a first-class degree in history from the University of Oxford.
Marina and int80 talk about how they came up with the idea for the Twitch livestream, what they’ve learned along the way, and future plans for the games. We also speak with int80 about his “hacker rapper” gig, Dual Core Music.
This episode's Rapid Rundown comes with a rare content warning: We're discussing the life, impact, and passing of Dan Kaminsky. It gets pretty emotional, as you might expect. As Matt Blaze said, may his memory be a blessing.
Enjoy the links below for more!
Hacking Esports on Twitter and Twitch
More about Dual Core (also on Twitter)
Duo's cartoon about the Kaminsky Bug
Dan Kaminsky's New York Times obituary
Dan's 2016 r00tz talk, "How the Internet Actually Works," is on YouTube, thanks to the r00tz channel.
In our latest episode of Security Nation, we talk to Philip Reiner about his work with the Ransomware Task Force. Stick around for our Rapid Rundown, where Tod talks about a recently released bulletin from CISA about APT actors exploiting both new and old SAP vulnerabilities.
In our latest episode of Security Nation, we speak with Beau Woods and Fotios Chantzis about their newly released book, "Practical IoT Hacking." Stick around for our Rapid Rundown, where Tod encourages listeners to patch their Apple iOS devices against the recently announced WebKit bug, and to not panic about PHP's compromised Git server.
In our latest episode of Security Nation, we talk with Katie Ledoux about her unconventional journey into the cybersecurity industry—from her marketing agency days to her time at Rapid7, to her current role as Head of Information Security at Starburst Data. Katie talks about imposter syndrome, what it was like to "start over" in her career, the importance of contributions from non-technical roles—and, of course, what she would want to see out of a "Hackers" sequel. Stick around for our Rapid Rundown, where it's "All Exchange, all the time," in the wake of Microsoft's four critical bugs. Tod and Jen also discuss the recent GitHub controversy surrounding the ban of exploit code.
In this week's episode of Security Nation, we interview Adrien Ogee, COO of the CyberPeace Institute. He discusses what it was like to launch and staff a brand-new nonprofit during the COVID-19 pandemic, and how his team worked to get the cybersecurity industry to trust them and get involved. Adrien also talks about the CyberPeace Institute's recently released "Playing With Lives: Cyberattacks on Healthcare Are Cyberattacks on People" report.
Stick around for our Rapid Rundown, where Tod discusses the National Cybersecurity Center's recently released Cyber Action Plan, a short questionnaire that generates actionable recommendations for shoring up your security. He also talks through PortSwigger's recently published list of the top 10 web hacking techniques of 2020.
In our latest episode of Security Nation, Ryan Weeks joined the podcast to discuss deploying thousands of assets into a hostile environment: the home offices of workers everywhere as they were forced remote amidst the pandemic. He’ll discuss how he balances privacy expectations with necessary regulations of workers’ computers and phones as they go remote. We’ll also talk about managing an attack surface you don’t understand, as well as how lack of transparency can lead to security organizations earning bad reputations. Plus, we hear why Jen thinks the work-from-home culture is here to stay, and what organizations can do to prepare.
In our latest episode of Security Nation, Steve Ragan joined the podcast to discuss his unlikely journey from reluctant security expert to journalist. For Steve, having the tech knowledge is important, but so is crafting a good story. We take deep dives on topics like where the industry was in the ‘90s plus the unique way he approaches Akamai’s “The State of the Internet” report (and their own podcast). We’ll hear why writing with empathy is a foundation of Steve’s process when tackling deeper technical subjects. Also, the joys of shameless self-promotion... Stick around for our Rapid Rundown, where we get quite the rapid rundown of three big events in security: North Korea’s campaign targeting security researchers, the takedown of the Emotet botnet, and (most importantly) the long-awaited cracking of Tod’s seven-year-old Dogecoin CTF.
https://community.signalusers.org/t/signal-should-warn-users-who-are-likely-using-insecure-ime-apps/10272
https://www.ncsc.gov.uk/cyberaware/home
In our latest episode of Security Nation, Rick Holland joined the podcast to discuss how his past informs his present, particularly when it comes to sourcing and hiring the best talent. Rick elaborates on how a lack of direct reports—for several years across multiple companies—led to a bit of imposter syndrome when he became CISO at Digital Shadows and suddenly was tasked with staffing and managing a team. Sometimes smaller talent pools can lead to inspired hiring choices. Stick around for our Rapid Rundown, where Tod delves into Samy Kamkar's NAT slipstreaming mechanism in which an attacker can trick a router into opening straight-shot ports to any listening service on a machine.
In our most recent episode of Security Nation, we spoke with Maria Barsallo Lynch, Executive Director of the Defending Digital Democracy Project (D3P) at the Belfer Center for Science and International Affairs at the Harvard Kennedy School, about her work informing election officials of the rise of misinformation and disinformation campaigns centered around elections. Stick around for the Rapid Rundown, where Tod cautions against panicking if (completely normal) disruptions occur on Election Day.