Podcasts about misconfigured

  • 31 podcasts
  • 52 episodes
  • 42m average duration
  • 1 new episode per month
  • Latest episode: May 17, 2024

Popularity (chart, 2017 to 2024)


Best podcasts about misconfigured

Latest podcast episodes about misconfigured

Resilient Cyber
S6E16: Alon Schindel - Cloud Threats and Cloud Security Platforms
May 17, 2024 (34:30)


- You recently presented at Wiz's MisCONfigured at RSA, where you covered some of the most relevant cloud threats and risks; can you touch on what some of those are?
- We know Wiz just announced a massive capital raise and there has been talk about M&A plans for Wiz. I know you help with looking at potential products and firms; what are some key things you look at?
- When you acquire a new product and team, how do you ensure there is a smooth integration with the Wiz team and platform?
- There's a bit of debate in the industry around "platforms" versus best of breed. How do you and Wiz think about this approach, and how do you ensure, as you add new products to the platform, that you remain a leader in the space?
- We've heard a lot of talk about AI and its implications, both for improving security and for needing to be secured. How do you and Wiz think of AI when it comes to cybersecurity, and where do you see the most promise?

Geek Speak - Tech Talks with Envision IT
Episode 54: Top Ten Cybersecurity Misconfigurations: Weak or Misconfigured Multifactor Authentication (MFA) Methods
Apr 16, 2024 (3:49)


Join us over the next ten weeks as we discuss the top ten cybersecurity misconfigurations and review ways you can keep your organization safe from cyberattacks! In this episode we'll discuss one of the ten: Weak or Misconfigured Multifactor Authentication (MFA) Methods. MFA is an important layer of protection that helps keep your information safe from bad actors.

Connect with us: https://www.linkedin.com/company/envisionitllc, marketing@envisionitllc.com

Cyber Security Today
Cyber Security Today, March 20, 2024 - Misconfigured Firebase instances are leaking passwords, a China-related threat actor is hacking governments and more
Mar 20, 2024 (7:22)


This episode reports on new backdoors, a new paper giving advice to OT network operators and more

The SysAdmin DOJO Podcast
Co-Pilot and Misconfigured Permissions - A Looming Threat?
Feb 14, 2024 (32:09)


The use of Large Language Models (LLMs) like ChatGPT has skyrocketed, infiltrating multiple facets of modern life. In today's podcast episode, Andy and Paul Schnackenburg explore Microsoft 365 Co-Pilot and some surprising risks it can surface. Microsoft 365 Co-Pilot is more than just a virtual assistant: it's a powerhouse of productivity! It is a versatile generative AI tool embedded within various Microsoft 365 applications, and as such it can execute various tasks across different software platforms in seconds. Amid discussions about Co-Pilot's unique features and functionality, many wonder: how does M365 Co-Pilot differ from other LLMs, and what implications does this hold for data security and privacy? Tune in to learn more!

Timestamps:
(4:16) – How is Co-Pilot different from other Large Language Models?
(11:40) – How are misconfigured permissions a special danger with Co-Pilot?
(16:53) – How do M365 tenant permissions get so "misconfigured"?
(21:53) – How can your organization use Co-Pilot safely?
(26:11) – How can you easily right-size your M365 permissions before enabling Co-Pilot?

Episode Resources:
  • Paul's article on preparing for Co-Pilot
  • Webinar with demo showcasing the theft of M365 credentials
  • Start your free trial of M365 Total Protection
  • Effortlessly manage your Microsoft 365 permissions

Security Now (Video HD)
SN 941: We told you so! - NSA hacked Huawei? MS big AI data blunder, ValiDrive update
Sep 27, 2023 (145:54)


Apple has quietly removed support for PostScript in macOS Ventura over security concerns with the outdated interpreter language. China has formally accused the NSA of hacking and maintaining access to Huawei servers since 2009, based on documents from Edward Snowden. A misconfigured Azure Shared Access Signature token resulted in 38TB of sensitive internal Microsoft data being exposed, including employee backups with passwords. The Signal messaging platform has added a post-quantum encryption protocol called PQXDH, combining its existing X3DH with the CRYSTALS-Kyber system, which is believed to be quantum-resistant. A zero-day iOS exploit chain was used to target Egyptian presidential candidate Ahmed Eltantawy, redirecting his traffic to install spyware after he visited a non-HTTPS site. Steve gave an update on the status of his forthcoming ValiDrive USB validation utility, explaining delays due to challenges working at the USB level under Windows. A blog post argued that the complexity of modern web browsers has made it impossible to create competitive new browsers from scratch. An emailer claimed to have a mathematical algorithm that can generate truly random numbers. Another emailer asked whether encrypting and then deleting a hard drive could substitute for overwriting it with random data. There was an explanation of how public key encryption can be used bidirectionally, for both encryption and authentication. A listener asks whether all stolen LastPass vaults will eventually be decrypted.

Show Notes: https://www.grc.com/sn/SN-941-Notes.pdf
Hosts: Steve Gibson and Ant Pruitt
Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.
Sponsors: joindeleteme.com/twit promo code TWIT; GO.ACILEARNING.COM/TWIT; Melissa.com/twit

The Cyber Threat Perspective
Episode 54: Misconfigured and Dangerous Logon Scripts
Aug 16, 2023 (22:33)


In this episode we're talking about misconfigured and dangerous logon scripts. Spencer and Brad discuss 4 common examples, based on real-world engagements, of how logon scripts can be misconfigured and how they can allow for all sorts of bad things. Do you know what's hiding in your logon scripts?

Read the blog post that goes along with this episode here: https://offsec.blog/hidden-menace-how-to-identify-misconfigured-and-dangerous-logon-scripts/
ScriptSentry: https://github.com/techspence/ScriptSentry
Blog: https://offsec.blog/
YouTube: https://www.youtube.com/@cyberthreatpov
Twitter: https://twitter.com/cyberthreatpov
Work with Us: https://securit360.com

The CyberWire
A glimpse into Mr. Putin's cyber war room. 3CXDesktopApp supply chain risk. XSS flaw in Azure SFX can lead to remote code execution. AlienFox targets misconfigured servers.
Mar 31, 2023 (29:21)


The Vulkan papers offer a glimpse into Mr. Putin's cyber war room. The 3CXDesktopApp vulnerability and supply chain risk. A cross-site scripting flaw in Azure Service Fabric Explorer can lead to remote code execution. Rob Boyce from Accenture Security on threats to EV charging stations. Our guest is Steve Benton from Anomali Threat Research, sharing a "less is more" approach to cybersecurity. And AlienFox targets misconfigured servers.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/62

Selected reading:
  • A Look Inside Putin's Secret Plans for Cyber-Warfare (Spiegel)
  • Secret trove offers rare look into Russian cyberwar ambitions (Washington Post)
  • 7 takeaways from the Vulkan Files investigation (Washington Post)
  • 'Vulkan files' leak reveals Putin's global and domestic cyberwarfare tactics (the Guardian)
  • Contracts Identify Cyber Operations Projects from Russian Company NTC Vulkan (Mandiant)
  • 3CX DesktopApp Security Alert - Mandiant Appointed to Investigate (3CX)
  • Information on Attacks Involving 3CX Desktop App (Trend Micro)
  • 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component (SecurityWeek)
  • There's a new supply chain attack targeting customers of a phone system with 12 million users (TechCrunch)
  • Super FabriXss: From XSS to an RCE in Azure Service Fabric Explorer by Abusing an Event Tab Cluster Toggle (CVE-2023-23383) (Orca Security)
  • Dissecting AlienFox | The Cloud Spammer's Swiss Army Knife (SentinelOne)

The CyberWire
Notes and lessons on the hybrid war. Update on Zimbra exploitation. Microsoft fixes misconfigured storage. The state of the cyber workforce. Trends in phishing and ransomware.
Oct 20, 2022 (34:03)


DDoS as misdirection. NSA shares lessons learned from cyber operations observed in Russia's war against Ukraine. Advice from CISA on Zimbra. A misconfigured Microsoft storage endpoint has been secured. Notes from a study on the cybersecurity workforce. The cost to businesses of phishing. Betsy Carmelite from Booz Allen Hamilton on managing mental health in the cyber workforce. Our guest is Ismael Valenzuela of Blackberry with insights on "The Cyber Insurance Gap". And updates to the ransomware leaderboard.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/202

Selected reading:
  • Bulgarian cyberattack: Sabotage as a cover for spying? (Deutsche Welle)
  • Bulgarian websites impacted by Killnet DDoS attack (SC Media)
  • Lessons From Ukraine: NSA Cyber Chief Lauds Industry Intel (Meritalk)
  • NSA Cybersecurity Director's Six Takeaways From the War in Ukraine (Infosecurity Magazine)
  • NSA cyber chief says Ukraine war is compelling more intelligence sharing with industry (CyberScoop)
  • Investigation Regarding Misconfigured Microsoft Storage Location (Microsoft Security Response Center)
  • 2019 Cybersecurity Workforce Study ((ISC)²)
  • The Business Cost of Phishing (Ironscales)
  • Leading Ransomware Variants Q3 2022 (Intel471)

Cloud Security News
New Cloud Vulnerability Database + Another Misconfigured S3 Bucket
Jul 14, 2022 (5:44)


Cloud Security News this week, 14 July 2022. To read more about this week's stories head to https://cloudsecuritypodcast.tv/cloud-security-news/
Podcast Twitter: Cloud Security Podcast (@CloudSecPod); Instagram: Cloud Security News

Cyber Security Today
Cyber Security Today, March 18, 2022 - An FBI warning on misconfigured MFA, Asus routers targeted by a botnet, a tool for detecting infected MikroTik routers and more
Mar 18, 2022 (6:38)


This episode reports on hackers exploiting misconfigured MFA, Asus routers targeted by a botnet, a tool for detecting infected MikroTik routers and more

Security In Five Podcast
Episode 1171 - Thousands Of Mobile Apps Using Misconfigured Cloud Databases
Mar 17, 2022 (4:43)


Check Point Research has found over 2,000 mobile apps are using a cloud-based database incorrectly, leaking millions of people's data. This episode goes into the details and a reminder on your cloud responsibilities. Be aware, be safe.

The CyberWire
Apparent hacktivism exposes Iranian prison CCTV feeds. Misconfigured Power Apps expose data. FBI warns of the OnePercent Group. Mr. White Hat gives back. Dog bites man.
Aug 24, 2021 (27:34)


More hacktivism appears to have hit Iran. Misconfigured Power Apps portals expose data on millions. The FBI warns of the activities of a ransomware affiliate gang. Mr. White Hat really does seem to have given back all that stolen alt-coin. Ben Yelin checks in on Apple's CSAM plans. Our guest is Charles DeBeck from IBM Security on the true Cost of a Data Breach. And, finally, dog bites man: criminals cheat other criminals.

For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/163

SecurityTrails Blog
Blast Radius: Misconfigured Kubernetes
Aug 17, 2021 (7:10)


Note: The audio version doesn't include code or commands. Those parts of the post can be seen in the text version.

Recognized as a leader in the container market, Kubernetes is an open source microservices cluster manager used by millions of companies worldwide. Bolstering its popularity is its considerable ability in managing container workloads, as it allows for the easy deployment of numerous servers with appropriate scaling as they grow. To show you just how dominant Kubernetes truly is, reports show that of the more than 109 tools used to manage containers, over 89% of companies use various Kubernetes versions. Not a bad statistic for a technology that's only eight years old!

And as Kubernetes usage grows, so does interest about, and skepticism concerning, the security of the platform. Companies of many different types, from small developers to big-name brands, use Kubernetes to help deploy systems both easily and in a uniform fashion. And the most common cause of all Kubernetes-related security incidents by far is a familiar threat in the cybersecurity field: misconfigurations. Roughly seven out of ten companies report having detected a misconfiguration in their Kubernetes environment.

For our new blog series Blast Radius, security professionals, researchers and experts deep dive into different attacks and vulnerabilities, explore how they can impact the entire internet ecosystem, and examine what they mean for organizations of all sizes, across all industries. As Kubernetes grows in popularity, so do the security concerns around its usage. To talk more about the blast radius of misconfigured Kubernetes, we are joined by Robert Wiggins, better known as Random Robbie. Robbie was featured on our blog in the past when he showed us all the ProTips on Bug Bounty Hunting that he has up his sleeve. Active in the security and bug bounty community, Robbie shares with us his research and techniques for finding misconfigured Kubernetes, and elaborates on the different types of impact he's seen them have on various companies.

How many misconfigured Kubernetes are there?

On average, there are around 800 misconfigured Kubernetes servers around the world exposing secrets and other fun data. These systems are generally connected to a lot of internal cloud systems, so if they're misconfigured they can handily grant an attacker access to a lot of sensitive information. Security incidents involving misconfigurations in Kubernetes are a serious matter. As cited by DivvyCloud in their 2020 Cloud Misconfigurations Report, 196 separate data breaches were a result of cloud misconfigurations between January 1, 2018 and December 31, 2019. More than 30 billion records were exposed in these data breaches, creating $5 trillion in losses over that period.

How to find misconfigured Kubernetes servers

Also on average, there are around 400 systems exposed via Shodan on port 443 and many more on port 8080. The ones on port 8080, however, generally seem to have been attacked and have an XMR miner on them. Many of the attacked or infected servers have been up for a while, with a large number of them appearing to be located in China. To find exposed Kubernetes systems, you can search via Shodan using the search term http.html:/apis/apiextensions.k8s.io for any HTTP 200 response. That response should give you a list of API endpoints, and you can browse to /api/v1/secrets to uncover all of the server's secrets. Here's an example:

By running the following bash command you can see which tokens have permission to gain access to the pods. You should now see an output showing you the pods. Once you've found the pod you wish to access, you can run the following command to gain access to that pod, then explore it. To confirm it has access to the pod, it should dump out something like this:

Impact of misconfigured Kubernetes

While scanning and learning about Kubernetes three years ago, I found a Kubernetes server that belonged to Snapchat. This server was so full of se...

Cyber Security Weekly Podcast
Episode 278 - Cybersecurity Risk due to Misconfigured Cloud Infrastructure in Southeast Asia
Aug 16, 2021


We speak with Paul Hadjy, CEO and Co-Founder of Horangi on how organisations in Southeast Asia can best safeguard their digital assets amid the shift to WFH and Cloud platforms. Why Cloud Security Posture Management (CSPM) applications are considered essential today, and how these tools improve organisational risk postures by enabling proactive identification and remediation of vulnerabilities. Paul also provides insights from Southeast Asia's cybersecurity landscape, and the key trends impacting the region's organisations. #cybersecurity #mysecuritytv #horangi #ASEAN #Singapore #SaaS #cloudcomputing #compliance Recorded 28 July 2021 for MySec.TV Tech & Sec Weekly - to watch visit https://mysecuritymarketplace.com/av-media/cybersecurity-risk-due-to-misconfigured-cloud-infrastructure/

The CyberWire
A threat to release stolen proprietary data. The C2C market: division of labor and loss-leading marketing ploys. Misconfigured Salesforce Communities. Sanctions-induced headwinds for Huawei.
Aug 10, 2021 (27:37)


RansomEXX threatens to release stolen proprietary data. Some looks at the C2C market, the criminal division of labor, and a splashy carder marketing ploy. Misconfigured Salesforce Communities expose organizational data. Our guest is Ron Brash from Verve International on a CISA advisory regarding GE ICS equipment. Ben Yelin on the proposed U.S. Bureau of Cyber Statistics. Huawei faces sanctions-induced headwinds. Mexico's investigation of Pegasus abuse continues, but so far without arrests or resignations. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/153

CISO-Security Vendor Relationship Podcast
How Would You Like Your Cloud Misconfigured?
Jul 20, 2021 (34:25)


All links and images for this episode can be found on CISO Series.

Great, you just purchased the cloud. Are you a little confused as to what you're going to do with it? Not a problem. Let's get you set up right with a world class misconfiguration. That should leave you open to all kinds of breaches.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Johnathan Keith, CISO, Viacom/CBS Streaming.

Thanks to our podcast sponsor, AppOmni. AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they're fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who - and what - has access to your SaaS data.

- Why do we hear so many stories about poor & misconfigured cloud services?
- The benefits of Infrastructure as Code (IaC)
- What makes a vendor meeting worth your time?
- What's the best way to learn about a company's culture in a job interview?

Python Bytes
#228 Supreme Court decides API copyright battle
Apr 7, 2021 (43:34)


Watch the live stream: Watch on YouTube

About the show
Sponsored by us! Support our work through: Our courses at Talk Python Training; pytest book; Patreon Supporters
Special guest: Guy Royse

Brian #1: How to make an awesome Python package in 2021
- Anton Zhiyanov, @ohmypy
- Also thanks John Mitchell, @JohnTellsAll for posting about it.
- Great writing taking you through everything in a sane order.
- Stubbing a project with just .gitignore and a directory with a stub __init__.py.
- Test packaging and publishing: use flit init to create initial pyproject.toml; set up your ~/.pypirc file; publish to the test repo
- Make the real thing: make an implementation; publish
- Extras: Adding README.md & CHANGELOG.md and updating pyproject.toml to include README.md and a Python version selector. Adding linting and testing with pytest, tox, coverage, and others. Building in the cloud with GH Actions, Codecov, Code Climate. Adding badges. Task automation with a Makefile. Publishing to PyPI from a GH Action.
- Missing (but possibly obvious): GitHub project; Checking your project name on PyPI early
- Super grateful for: Do all of this early in the project; Using flit publish --repository pypitest and spelling out how to set up a ~/.pypirc file; Start to finish workflow; Example project with all filled out project files

Michael #2: Kubestriker
- Kubestriker performs numerous in-depth checks on Kubernetes infra to identify security misconfigurations
- Focuses on running in production and at scale.
- Kubestriker is platform agnostic and works equally well across more than one platform, such as self-hosted Kubernetes, Amazon EKS, Azure AKS, Google GKE etc.
- Current capabilities:
  - Scans self-managed and cloud-provider-managed Kubernetes infra
  - Reconnaissance phase checks for various services or open ports
  - Performs automated scans in case insecure, read-write or read-only services are enabled
  - Performs both authenticated scans and unauthenticated scans
  - Scans for a wide range of IAM misconfigurations in the cluster
  - Scans for a wide range of misconfigured containers
  - Scans for a wide range of misconfigured Pod Security Policies
  - Scans for a wide range of misconfigured Network Policies
  - Scans the privileges of a subject in the cluster
  - Runs commands on the containers and streams back the output
  - Provides the endpoints of the misconfigured services
  - Provides possible privilege escalation details
  - Elaborate report with detailed explanation

Guy #3: wasmtime
- WebAssembly runtime with support for: Python, Rust, C, Go, .NET
- Documentation here: https://docs.wasmtime.dev/
- Supports WASI (WebAssembly System Interface): WASI supports IO operations; it does for WebAssembly what Node.js did for JavaScript

Brian #4: Depend-a-lot-bot
- Anthony Shaw, @anthonypjshaw
- A bot for GitHub that automatically approves + merges PRs from dependabot and PyUp.io when they meet certain criteria: All the checks are passing; The package is on a safe-list (see configuration)
- Example picture shows an auto approval and merge of a tox version update, showing "This PR looks good to merge automatically because tox is on the save-list for this repository".
- Configuration in a .yml file.
- I learned recently that most programming jobs that can be automated eventually devolve into configuring a yml file.

Michael #5: Supreme Court sides with Google in API copyright battle with Oracle
- The Supreme Court has sided with Google in its decade-long legal battle with Oracle over the copyright status of application programming interfaces.
- The ruling means that Google will not owe Oracle billions of dollars in damages.
- It also has big implications for the broader software industry: the ruling heads off an expected wave of lawsuits over API copyrights.
- The case dates back to the creation of the Android platform in the mid-2000s. Google independently implemented the Java API methods, but to ensure compatibility, it copied Java's method names, argument types, and the class and package hierarchy.
- Over a decade of litigation, Google won twice at the trial court level, but each time, the ruling was overruled by the Federal Circuit appeals court. The case finally reached the Supreme Court last year.
- Writing for a six-justice majority, Justice Stephen Breyer held that Google's copying of the Java API calls was permissible under copyright's fair use doctrine.

Guy #6: RedisAI
- Module for Redis that adds AI capabilities
- Turns Redis into a model server: Supports TF, PyTorch, and ONNX models
- Adds the TENSOR data type
- ONNX + Redis has positive architectural implications

Extras
Michael: git for Windows; JupyterLab reaches v3 (via Allan Hansen); Why not support Python letter by Brian Skinn; Django 3.2 is out & is LTS; PyCharm 2021.1 just dropped with Code With Me
Brian: The PSF is hiring a Developer-in-Residence to support CPython!

Joke: Vim Escape Rooms; Happiness -

Bethel Church NC
Misconfigured | Part 3
Mar 28, 2021 (42:14)


How do I find God's will for my life? The answer is simple and found in Romans 12:2. Don't be conformed to the world. Be transformed by the renewing of your mind. THEN, by testing, you can discern that. We will NEVER find God's will for our lives by trying to shove Biblical concepts into a worldly worldview.  It just doesn't fit!

Bethel Church NC
Misconfigured | Part 2
Mar 14, 2021 (38:48)


How do I find God's will for my life? The answer is simple and found in Romans 12:2. Don't be conformed to the world. Be transformed by the renewing of your mind. THEN, by testing, you can discern that. We will NEVER find God's will for our lives by trying to shove Biblical concepts into a worldly worldview.  It just doesn't fit!

Bethel Church NC
Misconfigured | Part 1
Mar 7, 2021 (45:30)


How do I find God's will for my life? The answer is simple and found in Romans 12:2. Don't be conformed to the world. Be transformed by the renewing of your mind. THEN, by testing, you can discern that. We will NEVER find God's will for our lives by trying to shove Biblical concepts into a worldly worldview.  It just doesn't fit!

The CyberWire
SUNSHUTTLE backdoor described. What the Exchange Server campaign was after. Misconfigured clouds. Airline IT service provider attacked. Criminal-on-criminal crime.
Mar 5, 2021 (28:03)


A new second-stage backdoor has been found in a SolarWinds compromise victim. Those exploiting the now-patched Exchange Server zero days seem to have done so to establish a foothold in the targeted systems. India continues to investigate a Chinese cyber threat to its infrastructure. Misconfigured clouds leak mobile app data. A major airline IT provider sustains a cyber attack. Dinah David helps us prevent account takeover attacks. Our guest is Troy Hunt from NordVPN. And criminals hack other criminals. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/43

SecurityTrails Blog
Top 10 Problems with Your Attack Surface
Jan 14, 2021 (10:58)


With the increasing attack surface of web applications, it's become even more important to identify and understand the most common attack surfaces and how easily problems in your own web application can develop. Growing complexity and the dependence on unknown libraries, assets and larger development teams means the attack surface has never been larger. But following smarter development practices like DevSecOps, maintaining a better cybersecurity culture and scanning frequently make it possible to keep your web applications secure.

Popular problems with your attack surface

Some of the most popular attack surface problems are often the most overlooked, yet easily seen. And while some are inherited by your web application (like complexity and unknown assets), some are created by misconfiguring services and not following cybersecurity practices. Let's look at some of the most common problems you might find with your attack surface.

Complexity

With modern applications getting more complex because of the way they're developed and deployed, the attack surface has gotten larger on all fronts. For example, most web applications include multiple add-on libraries, which are often developed by third-party developers. This introduces possible vulnerabilities if those libraries aren't scanned, kept secure and up to date. Similarly, deploying web applications is done by leveraging modern containerization tools like Docker, LXC or LXD. Each of these introduces another layer of complexity, with the possibility of vulnerabilities present. When developing web applications, CI/CD tools like Jenkins, Travis CI and others are frequently used, which poses another security threat: if your CI/CD tool has a vulnerability and an attacker is able to insert code into your web application, that weakness can be integrated, processed and deployed across your entire infrastructure, all automatically.

The above examples demonstrate that when the complexity of our development and deployment increases, our attack surface increases dramatically as well.

Unknown assets

Often, modern web applications leverage third-party libraries to handle various tasks. For example, web applications often use third-party libraries to handle invoicing, billing via payment gateways, user authentication, and more. If these libraries contain vulnerabilities and/or are untested before being put into production, using them runs the risk of growing your attack surface. Stay on the safe side regarding unknown or unfamiliar assets like libraries, plugins and themes, all of which should only be used when fully scanned and determined to be safe.

Unknown vulnerabilities

Scanning and checking for vulnerabilities is frequently overlooked, yet it is the most important step when trying to reduce your attack surface. Simply put, it's only when a user scans their web application that they find out vulnerabilities exist. These could be in the web server, in the programming language used to develop the web application, or simply in the web application itself. Therefore, frequent scanning is necessary for reducing your web application's attack surface.

Misconfigured services

Misconfigured services are a frequent source of entry for attackers. These include running services as a privileged user, often seen on Linux-based systems with services running as "root", which, when combined with other vulnerabilities in the software running on the system, can massively increase your attack surface. For example, if a web server running as root executes OS-level commands built from user input, and the script that takes that input does not sanitize or filter it, destructive or dangerous commands can be executed anywhere on the operating system (since the web server was running as root).

Similarly, configuring your software/services with incorrect memory limits can cause system crashes and DoS-like attacks as ...

Research Saturday
Misconfigured identity and access management (IAM) is much more widespread.
Nov 21, 2020 (20:56)


Identity and access are intrinsically connected when providing security to cloud platforms. But security is only effective when environments are properly configured and maintained. In the 2H 2020 edition of the biannual Unit 42 Cloud Threat Report, researchers conducted Red Team exercises, scanned public cloud data and pulled proprietary Palo Alto Networks data to explore the threat landscape of identity and access management (IAM) and identify where organizations can improve their IAM configurations. During a Red Team exercise, Unit 42 researchers were able to discover and leverage IAM misconfigurations to obtain admin access to a customer’s entire Amazon Web Services (AWS) cloud environment, a potentially multi-million dollar data breach in the real world. These examples highlight just how serious the failure to secure IAM can be for an organization. Joining us in this week's Research Saturday to discuss the report for Palo Alto Networks' Unit 42 is CSO of Public Cloud, Matt Chiodi. The research can be found here: Highlights from the Unit 42 Cloud Threat Report, 2H 2020

Craig Peterson's Tech Talk
VPNs are dying -- Long live Zero-Trust plus more on this Tech Talk with Craig Peterson Podcast
Oct 2, 2020 (8:57)


Welcome! Craig discusses problems that businesses can face when using VPNs and why you should be looking to a Zero-trust network if you are running a business today. For more tech tips, news, and updates, visit CraigPeterson.com

---
Traders set to don virtual reality headsets in their home offices
What's on Your Enterprise Network? You Might Be Surprised
Malware Attacks Declined But Became More Evasive in Q2
One of this year’s most severe Windows bugs is now under active exploit
The VPN is dying, long live zero trust
Shopify's Employee Data Theft Underscores Risk of Rogue Insiders
Microsoft boots apps out of Azure used by China-sponsored hackers
WannaCry Has IoT in Its Crosshairs
Love in the time of Zoom: Why we’re in the midst of a dating revolution
---

Automated Machine-Generated Transcript:

Craig Peterson: [00:00:00] So we know a little bit about VPNs and what they are. So what's zero-trust and how's a zero-trust network run. What are we looking for here in the near future? More than half of businesses will be zero-trust. Hi everybody. Craig Peterson here. Thanks for being with us today. Of course, you'll find me online as well. You can just go to CraigPeterson.com. I've started to do some three-minute training. So the first one went out on Wednesday and I was really surprised just how much work it takes to make a three-minute training. But we did it, we got it accomplished. We're going to try and have a couple of those a week, plus the weekend newsletter, which is, of course, a fair amount of work, but we're doing it for you. Hopefully, you got a lot out of it. I got a crazy number of responses to the first video. So thank you. Thank you. Thank you for your responses. Hopefully, I got back to you in a reasonable amount of time here, and we're able to help you out a little bit. Anyhow, if you missed it, go look back on Wednesday this week, that's when I put out the first one. So it should have been in your email box Wednesday.

As usual, it's from me@craigpeterson.com. So if you're not getting them and you think you should be, double-check to make sure I am in your contact list or whitelist me somehow so that you get those. They're important. I'm going to be doing more of those a week, just kind of a light touch. Let you guys know what's up. So VPNs have been around now for more than a couple of decades, they've been fantastic. They've saved a lot of businesses a lot of money. Now of course, they tend to be kind of dangerous, particularly these free VPNs and the commercial ones that you're using, to somehow try and make yourself more secure. I just shake my head every time I hear these ads that are misleading. They are lying to you, it's really not going to protect you that much, frankly, if at all. It gives a little bit of privacy in certain situations, but not in others. I had a great call with Doug in fact, this week. And he was having some problems. He is a small business guy, been in business for a long time, sold his business and now he's almost 80. I think he said he was 78. He's kind of back in business, again, keeping himself busy and occupied. He was wondering and worried about trying to keep some of this stuff secure. So we went through it a little bit with him. He uses Macs, so it is definitely easier to keep secure. When he's on the road, he has one of these little devices he takes with him that allows him to connect to the internet from Verizon. One that directly connects you to the internet, which is dangerous. Another one that provides you with what's called NAT or network address translation, that's a little bit safer. So he's going to send me a model number and particulars of what he's using so that I can help him out a little bit. By doing that, he's no longer tying into the wifi at the airport or on the airplane or at the coffee shop, wherever he's going. He's got his daughter doing that too, which I think is a very good idea.

I know a lot of people, as well, that do that. I do it as well. I have one of those little devices. I just replaced the battery in mine because it started swelling. The lithium-ion battery starts to swell, you've got to replace them. What can happen is when they swell they will short out and can start a fire. So be very careful about that. So he's smart enough to know that you don't want to use public wi-fi. He effectively brings his own little wifi device with him, which is again, a great idea. Some people try and use VPNs when they are out there on the road and connecting back into the main office or into their homes. I have that as well, and that lets me get directly in. Most of the time now, what we've been doing for our office and for our customers is putting together zero trust networks. These are far more secure than anything else we have out there right now, as far as firewalls and everything else goes. The idea is, just like its name implies, that we're looking at everything. We're no longer just trying to do what's called a perimeter security approach where we have a firewall at the perimeter. Now we are trying to protect ourselves and our businesses from any kind of attack, including insider attacks, including the lateral movement that I've talked about so many times before. Where a bad guy gets a foothold inside of a network and that bad guy immediately tries to start spreading things. Very dangerous. Very, very dangerous. There's a number of other flaws too. Perimeter security just doesn't do a good job of accounting for any third parties, any vendors you might be working with, contractors, all of your supply chain partners. If attackers steal somebody's VPN credentials, now the attacker can get into the network and roam freely. Like I've talked about many times. Many of us use the same username and password on pretty much every device out there. That's a problem because when it gets onto the dark web, now the bad guys have it.

Plus the VPNs over time have become a lot more complex and very difficult to manage. It's rare. I say rare but I've never seen an exception. In other words, it seems that these businesses have misconfigured VPNs. It seems to be a pandemic out there, frankly. A lot of pain around VPNs. So this is going to change it all. You are. We're going to have different equipment internally. Your devices are not gonna be able to connect to each other directly. So the way we have it set up, all of the devices on a network, instead of speaking directly with each other, have to go through at least a firewall. The firewall watches what they're trying to do even inside the network. So it's no longer just out there at the perimeter. Frankly, what we've been doing with VPNs, it's just clunky. It's outdated. Frankly, kind of dangerous. So keep all of that in mind. All right, if you need a little help, if you have some questions, I am more than glad to get on the phone with you guys and chat a little bit and help steer you in the right direction. You can just email me, me@craigpeterson.com, and I'd be more than glad to get back with you. So keep all of that in mind. VPN is dying. Zero-Trust is what's coming down the road. Now, I just mentioned the problems of potential internal threats, and that can include bad guys that are in your network, spreading laterally, as I just mentioned, but it can also mean that your employees are the problem. I've seen that before. I had it happen to me, where I had an employee who took all of my customer records and took my customers with him. I could not believe it. I still can't believe it to this day. What he did I don't understand it. What does he think he's doing? He may have built up a relationship with my customers. I don't think he brought a single customer in. In fact, he built up a relationship with my customers, and then he figured, they're his customers now because he has a relationship with them. So forget it, Craig. They're his customers.

It is just absolutely amazing. Shopify, which many of you have heard of before and many people are using, has found that two of their support team employees were involved in a scheme to steal customer transaction records from specific merchants. It affected apparently fewer than 200 merchants, but there's an example of where zero-trust can really come into play. Do your sales guys have access to information they shouldn't have? How about some of your support people? We have to make sure we're monitoring where they're going and what people are doing within our networks. Okay. When we come back, we've got a couple more things to talk about: Microsoft, WannaCry is coming back up again. We'll be right back.

---
More stories and tech updates at: www.craigpeterson.com
Don't miss an episode from Craig. Subscribe and give us a rating: www.craigpeterson.com/itunes
Follow me on Twitter for the latest in tech at: www.twitter.com/craigpeterson
For questions, call or text: 855-385-5553

Craig Peterson's Tech Talk
Welcome! Have you been Hacked? Can You identify a Phishing Email?! plus more on Tech Talk with Craig Peterson on WGAN
Sep 4, 2020 (9:37)


Welcome! Craig discusses how you can find out if you have been hacked and when it happened. Then he tells you how you can test your skills at picking out Phishing emails and more. For more tech tips, news, and updates visit CraigPeterson.com

---
Read More:
Musk says that Neuralink implants are close to ready for human testing
Is China the World’s Greatest Cyber Power?
Russian tourist offered employees $1 million to cripple Tesla with malware
Ransomware Red Flags: 7 Signs You’re About to Get Hit
IT blunder permanently erases 145,000 users' personal chats in KPMG's Microsoft Teams deployment – memo
Apple won’t let Facebook tell users about 30% Apple tax on events
Tesla with Autopilot hits cop car - driver admits he was watching a movie
iOS 14 Privacy settings will tank ad targeting business, Facebook warns
---

Automated Machine-Generated Transcript:

Okay. I've got a couple of sites I want you to visit. We'll be telling you about those. These have to do with your own cybersecurity and also your business's cybersecurity. We're going to get in also right now into China. Are they the world's greatest cyber power? Hey everybody. Thanks for joining me today. This is Craig Peterson here on WGAN, appreciate you being here with me. Of course. You can also find me online. CraigPeterson.com, got a whole new website a-brewin'. We're almost done. It's amazing how long some of the stuff takes, right? Yeah. I have a real job too. Securing businesses. So anyhow, you'll be seeing that coming up here pretty soon. If you miss this early, I'm going to give out a couple of URLs here in just a second. I want you guys to write these down because these are websites that not only do I want you to visit, I want you to make sure your coworkers visit them, particularly if they're working from home. These are also sites that I think you as an individual should visit. They're absolutely phenomenal.

So the first one I talk about fairly frequently, I want you guys to visit right now, is HaveIBeenPwned.com. Have I Been Pwned, and PWNED is spelled P-W-N-E-D, dot com. So you're going to go there and you're going to type in your email address. I'm going to do it right now. So I'm going to say me at Mainstream, Mainstream is my company, me@mainstream.net. me@craigpeterson.com and let's see, guess what? No pwnage found. So let me use my email address that I've had for 30 years, craig@mainstream.net, let's see. Okay. Have I Been Pwned again? Have I Been Pwned, P-W-N-E-D. So it's showing me that email address was found on thirteen breached sites and on one paste site, websites that are used to upload big files and share them. Okay. Basically. So it's saying 8tracks, plus I remember them, I didn't know they were still around. So it tells you about it. It says in June 2017, the online playlist service suffered a data breach that impacted eighteen million accounts. So it turned out it was an employee GitHub account, not secured using two-factor authentication. Again, everybody, use two-factor authentication. It had a salted one password hash, let's see, Apollo. This was a sales engagement startup that I signed up for. A big collection, almost. It was three-quarters of a billion records. It's called Collection number one. This was for credential stuffing. So what credential stuffing is, when the bad guys have your email address, they have one or more passwords that you have used on a website and they were able to steal them. Then what they do is they start pushing all of that data to another website. So they'll go to Bank of America or some other site, and they'll try your email address with every password they have for you. So that's password stuffing. So that's what that one is. So it says it had my email address and some passwords, and of course, I changed them frequently and I use a different password on every website, et cetera.

Another one here called Covve. This was February this year. Absolutely massive. This was personal information provided to him after being found left exposed on a publicly facing Elasticsearch server. So again, here is an example of a problem with the people who have, they don't even know, and that is a misconfigured cloud service or system. That's what it was. It turns out it was originally from the Covve contacts app (C-O-V-V-E). It had email addresses, job titles, names, phone numbers, physical addresses, social media profiles. Lovely. This is all my data, and that's why I want you to have a look for yours. Data Enrichment Exposure from PDL Customers. A couple of people, unprotected, another Elasticsearch server holding 1.2 billion records of personal data. So apparently my, at least my email address was in there and that had email addresses, employers, geocode, job pedals, name, phone number, social media profiles. Dropbox back in mid-2012. Houzz, H-O-U-Z-Z. That's a housing design website, let's see, Lead Hunter, people tracking me online. That's part of what we have talked about, tracking, 110 million rows, again, another Elasticsearch server. Onliner spambot. Yeah, let's see here. 711 million records. River City Media spam list in January 2017. The massive trove of data. 1.4 billion records, email addresses, IP, names, physical addresses. Isn't that something? The Trik spam botnet gene. I had a bunch of button heads. No wonder I had a, I get so much spam, right? Yeah. I've had the same email address for almost 30 years. So this is June 2018, 43 million people. Dot IO. This is an email address validation service, and 763 million unique email addresses stored in a MongoDB instance, again. Misconfigured stuff. So yeah, you gotta be very careful. So that was me. All right. That was my craig@mainstream.net email address that I've had for years. Because it's so heavily spammed, I just don't pay that much attention to it anymore.

And at least my me@craigpeterson.com hasn't shown up anywhere yet. So that's site number one. Site number two. This is a gift from our friends at Google, this is a phishing quiz. Now, this is phishing with a PH and it is very good. I think you will like this a lot. This is something that you need to make sure that your friends, your neighbors, everybody who you have contact with, goes to this site. Okay, very important. It's part of the Jigsaw project over from our friends at Google. So here is the URL guys - Ready? Get your pencil out or type it in, it's called phishingquiz.withgoogle.com. P-H-I-S-H-I-N-G-Q-U-I-Z dot withgoogle dot com. So there are three words. The first one is phishing quiz with a PH, dot with google.com. You can take the quiz. They're just going to ask you for a fake name and email address that it's going to use. You can use a real one if you want, but it's going to use it to try and mess you up. A very good thing for people to do. You absolutely have to make sure that you go online and take this quiz and have your friends take this quiz. So there you go. Two sites to check out right away. Have I Been Pwned and the phishing quiz with Google, both a website to visit right away, important stuff. All right. When we come back. Okay. I promise we'll finally get into China here. We've got a new iOS 14 privacy setting. That's really good. Going to hurt a lot of ad targeting businesses. Facebook is pushing back, does not want Apple to keep your information safe. I keep saying, use Webex, excuse me, Webex Teams. Don't you use any of these others that are out there? Yeah. Now, KPMG, you might be familiar with these guys, KPMG, right? International, a very big company, lots of employees, have careers covering a lot of industries that do a lot of research and consulting work. Yeah, they were using Microsoft Teams, totally messed up. Now, the KPMG was not doing for themselves.

What I do for our cloud customers that are using Microsoft tools, including their email, Office 365, now called Microsoft 365, that is that KPMG trusted Microsoft. We don't, we try not to trust anybody. We back up all of the stuff that Microsoft holds for our customers, just in case, highly encrypted too, by the way. KPMG did not. And they lost 150,000 of their employees' personal chats. Microsoft Teams, the way to go guys. Stick around, Craig Peterson here. We'll be wrapping up in just a minute.

---
More stories and tech updates at: www.craigpeterson.com
Don't miss an episode from Craig. Subscribe and give us a rating: www.craigpeterson.com/itunes
Follow me on Twitter for the latest in tech at: www.twitter.com/craigpeterson
For questions, call or text: 855-385-5553

7 Minute Security
7MS #427: Interview with Ameesh Divatia from Baffle
Aug 12, 2020 | 42:19

Today we're thrilled to welcome Ameesh Divatia from Baffle back to the program. We first met Ameesh back in episode 349 and today he's back to discuss a slew of additional hot security topics, including:

Misconfigured cloud databases
- Why is this such a common issue, and how can we address it?
- Wait wait wait...I just spun up a machine in Azure, AWS, Digital Ocean, etc. Isn't it secure because....it's the cloud?
- What tools can we use to better secure our cloud databases?
- How can we secure sensitive information as we migrate it from LAN side to the cloud?

CCPA (California Consumer Privacy Act)
- What is the CCPA? How does it relate to GDPR?
- If I'm a Californian, what can I demand to know from companies as far as how they're using my data? What can't I demand to know?
- Will CCPA inspire folks to scrub their data from the hands of big companies and go more "off the grid?"
- Does CCPA only apply to California residents and companies?

Secure data sharing
- What are the current challenges with secure data sharing in terms of monitoring the flow of data within their systems and their partners' systems, while addressing privacy concerns?
- What are some of the common mistakes companies make when sharing sensitive data internally or with partners/clients?
- What is Secure Multiparty Compute (SMPC) and how can it help with secure data sharing?
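An added example, not code from either show above, for the pattern that runs through Craig Peterson's list of exposed Elasticsearch and MongoDB instances and through the 7MS questions about why misconfigured cloud databases are so common and what tools help: a small check that flags a database config that listens beyond loopback while authentication is off. The four config snippets are constructed for this example (the weak setting beside the corrected one), the YAML parser is a deliberately tiny subset written here rather than a real YAML library, and the Elasticsearch check assumes 6.x/7.x behaviour, where security is off unless `xpack.security.enabled: true` is set (8.x enables it by default, so check the version you run).

```python
# Added example: flag database configs reachable from the network with auth off.
# Sample configs are constructed; the parser is a small YAML subset for this example.
from typing import Dict, List, Tuple

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_simple_yaml(text: str) -> Dict[str, str]:
    """Flatten `key: value` lines (nested by indentation, or dotted) into dotted keys.

    Covers the forms used by elasticsearch.yml and mongod.conf; lists of mappings,
    anchors and multi-line scalars are outside this subset.
    """
    flat: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) of the mappings still open
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # a dedent closes the enclosing mapping(s)
        prefix = ".".join(k for _, k in stack)
        full = f"{prefix}.{key.strip()}" if prefix else key.strip()
        value = value.strip().strip("'\"")
        if value:
            flat[full] = value
        else:
            stack.append((indent, key.strip()))  # e.g. `net:` opens a nested mapping
    return flat


def bind_addresses(value: str) -> List[str]:
    """Split '0.0.0.0', '127.0.0.1,::1' or '[127.0.0.1, ::1]' into addresses."""
    return [a.strip().strip("'\"") for a in value.strip("[]").split(",") if a.strip()]


def listens_beyond_loopback(addresses: List[str]) -> bool:
    # 0.0.0.0, :: and Elasticsearch's _site_/_global_ all bind non-loopback interfaces.
    return any(a not in LOOPBACK for a in addresses)


def audit_elasticsearch(config: str) -> List[str]:
    cfg = parse_simple_yaml(config)
    findings: List[str] = []
    host = cfg.get("network.host", "_local_")  # default: loopback only
    if listens_beyond_loopback(bind_addresses(host)):
        findings.append(f"network.host={host}: HTTP API reachable beyond localhost")
    # Assumption: 6.x/7.x semantics, security is off unless explicitly true.
    if cfg.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: API accepts unauthenticated requests")
    if len(findings) == 2:
        findings.append("CRITICAL: unauthenticated Elasticsearch reachable from the network")
    return findings


def audit_mongodb(config: str) -> List[str]:
    cfg = parse_simple_yaml(config)
    findings: List[str] = []
    bind = cfg.get("net.bindIp", "127.0.0.1")  # mongod default since 3.6
    bind_all = cfg.get("net.bindIpAll", "false").lower() == "true"
    if bind_all or listens_beyond_loopback(bind_addresses(bind)):
        findings.append(f"net.bindIp={'all' if bind_all else bind}: mongod reachable beyond localhost")
    if cfg.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled: any client gets full access")
    if len(findings) == 2:
        findings.append("CRITICAL: unauthenticated MongoDB reachable from the network")
    return findings


# Constructed sample configs: the weak setting beside the corrected one.
ES_WEAK = """
cluster.name: contacts
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
"""
ES_FIXED = """
cluster.name: contacts
network.host: 127.0.0.1   # or a private address behind a firewall, once auth is on
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
"""
MONGO_WEAK = """
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""
MONGO_FIXED = """
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

if __name__ == "__main__":
    for name, fn, cfg in (("elasticsearch.yml (weak)", audit_elasticsearch, ES_WEAK),
                          ("elasticsearch.yml (fixed)", audit_elasticsearch, ES_FIXED),
                          ("mongod.conf (weak)", audit_mongodb, MONGO_WEAK),
                          ("mongod.conf (fixed)", audit_mongodb, MONGO_FIXED)):
        print(name, fn(cfg) or ["ok"])
```

The check deliberately reports the two problems separately: a database bound to a private address with auth off is still a problem the moment a security group or firewall rule changes, and an authenticated database on 0.0.0.0 is still a brute-force target. Only the combination is the breach pattern above, which is why it gets the CRITICAL line.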

The CyberWire
Data breaches and responsibility. Where do you get a decryptor for WastedLocker? Third-party risk. Misconfigured databases. Follow-up on the Twitter hack.
Jul 28, 2020 | 21:10

Cloudflare says that reported Ukrainian breaches aren’t its issue. Trend Micro describes a new and unusually capable strain of malware. Garmin is reported to have obtained a decryptor for WastedLocker ransomware. Third-party risk continues in the news, as do misconfigured databases that expose personal information. Huawei’s CFO alleges misconduct by Canadian police and intelligence agencies. Ben Yelin examines the EFF's online Atlas of Surveillance. Dave DeWalt with SafeGuard Cyber on the evolving threat landscape as folks return to the workplace. And the Twitter incident seems to have been a problem waiting to appear. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/145

The CyberWire
Ransomware pays, in California. Kashmir utility recovers from cyberattack. Update on hacktivism vs. Ethiopia. Another misconfigured AWS account. Guilt and sentencing in high-profile cybercrime.
Jun 29, 2020 | 20:48

The University of California San Francisco pays Netwalker extortionists nearly a million and a half to recover its data. A Kashmir utility restores business systems after last week’s cyberattack. The website defacements in Ethiopia continue to look more like hacktivism than state-sponsored activity. Our own Rick Howard talks about wrapping up his first season of CSO Perspectives. Our guest is Sanjay Gupta from Mitek discussing how online marketplaces can balance security with biometrics. Data are exposed at an e-learning platform. Three prominent cyber-hoods go down in US Federal courts. And Lion says the beer is flowing, post ransomware. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/125

Paul's Security Weekly TV
CallStranger, SMBleedingGhost, & Misconfigured Kubeflow - ASW #111
Jun 16, 2020 | 30:57

CallStranger hits the horror trope where the call is coming from inside the house, SMBleedingGhost Writeup expands on prior SMB flaws that exposed kernel memory, Misconfigured Kubeflow workloads are a security risk, Verizon Data Breach Investigations Report, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode111

Application Security Weekly (Video)
CallStranger, SMBleedingGhost, & Misconfigured Kubeflow - ASW #111
Jun 16, 2020 | 30:57

CallStranger hits the horror trope where the call is coming from inside the house, SMBleedingGhost Writeup expands on prior SMB flaws that exposed kernel memory, Misconfigured Kubeflow workloads are a security risk, Verizon Data Breach Investigations Report, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode111

AT&T ThreatTraq
RedBear; Supercomputer Cryptomining; Misconfigured Firebase; Internet Weather
May 22, 2020 | 19:20

AT&T ThreatTraq
COVID-19 Scams; Misconfigured Containers; Wiper Malware; Internet Weather
Apr 17, 2020 | 46:37

The CyberWire
Misconfigured databases, again. Vulnerable subdomains. Dark web search engines. Troll farming. An update on the crypto wars.
Mar 6, 2020 | 23:11

Virgin Media discloses a data exposure incident, another misconfigured database. Microsoft subdomains are reported vulnerable to takeover. A dark web search engine is gaining popularity, and black market share. Researchers find that Russian disinformation trolls have upped their game. The crypto wars have flared up as the US Senate considers the EARN IT act. Tech companies sign on to voluntary child protection principles. And Huawei talks about backdoors. Thomas Etheridge from Crowdstrike on empowering business leaders to manage cyber risk; guest is Sherri Davidoff on her book, Data Breaches: Crisis and Opportunity. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_06.html Support our show

Craig Peterson's Tech Talk
Cybercriminals Using Social Media to Attack Businesses, Kids Mental Health and Social Media Usage, and Unified Cryptocurrencies, and more on Mornings with Ken and Matt On WGAN
Jul 31, 2019 | 15:11

Craig is in the WGAN Morning News with Ken and Matt. This morning: the Amazon employee who stole millions of records from Capital One; Iranian cybercriminals using information found on social media to attack businesses; Elon Musk's new technology venture featuring brains and computing. For these and more tech tips, news, and updates visit CraigPeterson.com --- Related Articles: Ready for Computerized Brains? LinkedIn No Longer an Asset but Now a Liability --- More stories and tech updates at: www.craigpeterson.com Don't miss an episode from Craig. Subscribe and give us a rating: www.craigpeterson.com/itunes Follow me on Twitter for the latest in tech at: www.twitter.com/craigpeterson For questions, call or text: 855-385-5553

The CyberWire
BlackWater snoops through the Middle East. TeamViewer hacked. Android app behaving badly. A misconfigured database with scraped Instagram data. Ransomware notes. Huawei updates.
May 21, 2019 | 18:02

BlackWater is snooping around the Middle East. It's evasive, and it looks a lot like the more familiar MuddyWater threat actor. TeamViewer turns out to have been hacked, and the perpetrators look like the proprietors of the Winnti backdoor. An Android app is behaving badly. Another unsecured database is found hanging out on the Internet. There's a free decryptor out for a strain of ransomware, but it also won't help Baltimore. And the market's look at the Huawei ban. Craig Williams from Cisco Talos discussing honeypots on Elasticsearch. Guest is Dave Venable from Masergy on cyber vulnerabilities at the infrastructure level. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_21.html Support our show

The CyberWire
Election risks—hacking and influence. Chinese industrial espionage spike. Misconfigured project management. Necurs appears briefly. Bogus Fortnite downloads. What they heard in the banya.
Aug 17, 2018 | 24:42

In today's podcast we run through a brief guide to election risks, and the difference between hacking and influence operations. An Alaskan trade mission prompts a wave of Chinese industrial espionage. Misconfigured project management pages may have exposed Canadian and British Government information. Necurs flared up in a short-lived spam campaign against banks this week. Crooks use bogus Fortnite download pages. Final briefs are submitted in Kaspersky's court challenge to its US ban. Emily Wilson from Terbium Labs on her experience getting certified as a fraud examiner. Guest is Marco Rubin from the Center for Innovative Technology, on the security of UAVs and drones. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_17.html

No B.S. Job Search Advice Radio
Stupid Resume Mistakes: Misconfigured Resumes | NoBSJobSearchAdvice.com
Aug 3, 2018 | 8:49

Ep 1185. I speak about a mistake almost everyone makes, particularly if they use page headers. Jeff Altman, The Big Game Hunter, is a career and leadership coach who worked as a recruiter for more than 40 years. He is the host of “No BS Job Search Advice Radio,” the #1 podcast in iTunes for job search with more than 1100 episodes, “Job Search Radio,” and his newest show, “No BS Coaching Advice,” and is a member of The Forbes Coaches Council. Are you interested in 1:1 coaching, interview coaching, advice about networking more effectively, how to negotiate your offer or leadership coaching? Connect with me on LinkedIn. Then message me to schedule an initial complimentary session. If you have questions for me, call me through the Magnifi app for iOS (video) or PrestoExperts.com (phone). JobSearchCoachingHQ.com offers great advice for job hunters: videos, my books and guides to job hunting, podcasts, articles, PLUS a community for you to ask questions of, PLUS the ability to ask me questions, where I function as your ally with no conflict of interest answering your questions. Connect with me on LinkedIn. Like me on Facebook. Join and attend my classes on Skillshare. Become a premium member and get 2 months free. --- Support this podcast: https://anchor.fm/nobsjobsearchadviceradio/support

The Original No B.S. Job Search Advice Radio
Stupid Resume Mistakes: Misconfigured Resumes | NoBSJobSearchAdvice.com
Aug 3, 2018 | 8:49

Ep 1185. I speak about a mistake almost everyone makes, particularly if they use page headers. Jeff Altman, The Big Game Hunter, is a career and leadership coach who worked as a recruiter for more than 40 years. He is the host of “No BS Job Search Advice Radio,” the #1 podcast in iTunes for job search with more than 1100 episodes, “Job Search Radio,” and his newest show, “No BS Coaching Advice,” and is a member of The Forbes Coaches Council. Are you interested in 1:1 coaching, interview coaching, advice about networking more effectively, how to negotiate your offer or leadership coaching? Connect with me on LinkedIn. Then message me to schedule an initial complimentary session. If you have questions for me, call me through the Magnifi app for iOS (video) or PrestoExperts.com (phone). JobSearchCoachingHQ.com offers great advice for job hunters: videos, my books and guides to job hunting, podcasts, articles, PLUS a community for you to ask questions of, PLUS the ability to ask me questions, where I function as your ally with no conflict of interest answering your questions. Connect with me on LinkedIn. Like me on Facebook. Join and attend my classes on Skillshare. Become a premium member and get 2 months free.

The CyberWire
Variant 4 and other chipset vulnerabilities. Confucius and Patchwork. Turla goes two-stage. Misconfigured not-for-profit bucket. ZTE's fraying lifeline. Facebook and the EU. Brain Food.
May 23, 2018 | 19:46

In today's podcast we hear a bit more on Variant 4—we may see more like it. Mitigations are under preparation. The Confucius threat group modifies its approach to targets. Turla adopts a two-stage infection technique. A misconfigured AWS S3 bucket exposes a California not-for-profit's clients. ZTE's lifeline may not be so strong after all: the US Administration wants significant concessions and the US Congress seems to want none of it at all. Facebook's EU testimony gets tepid reviews. And a botnet is pushing smart pills and diet supplements—not that any of you will be tempted. Daniel Prince from Lancaster University on risk management and uncertainty. Guest is Sung Cho from SEWORKS on research they did on the security of fitness apps.  

ShadowTalk by Digital Shadows
Episode 15: 1.5 Billion Files Exposed Through Misconfigured Services
Apr 11, 2018 | 18:27

Rafael Amado and Michael Marriott join this week’s Shadow Talk, taking a deep dive into our recent report “Too Much Information”. The research discovered over 1.5 billion files from a host of services, including Amazon S3 buckets, rsync, SMB, FTP, NAS drives, and misconfigured websites. To learn more, download the full report at https://info.digitalshadows.com/FileSharingDataExposureResearch-Podcast.html.

Contest of Challengers
Picking up the crumbs, with fellow retailer Brian Hibbs.
Jan 29, 2018 | 55:27

Misconfigured microphone settings can’t keep us from talking to one of our favorite comics retailers, BRIAN HIBBS of Comix Experience in San Francisco! Brian’s been in the comics industry longer than we have, and his insight is invaluable. Looking at the state of the industry vs. the quality of today’s product. Comix Experience has an amazing graphic novel club. You will not believe what Brian’s favorite comic book is… let’s just say Dal was ecstatic.

The CyberWire
North Korea officially blamed for WannaCry. US National Security Strategy and cyber. Hex Men are up to no good. Cryptocurrency crimes. Cyberespionage. Misconfigured printers. Bad passwords.
Dec 19, 2017 | 19:05

In today's podcast, we hear that the Five Eyes look at WannaCry and officially see Pyongyang. New US National Security Strategy emphasizes economic power and cybersecurity (and names the adversaries). Hex Men are no super heroes. More Bitcoin theft bankrupts an alt-currency exchange. Android Monero miner can basically melt your phone, it's working so hard. Users leave Lexmark printers open to the Internet. AnubisSpy peeks at Arabic-speaking Android users. Joe Carrigan from JHU on holiday IoT devices. Guest is Chris Webber from SafeBreach, reviewing the third edition of their Hacker’s Playbook. And guess the two worst passwords of 2017. 

The CyberWire
Flynn pleads guilty in Mueller probe. Misconfigured AWS S3 buckets, again. Election trolling and spy versus oligarch. Black Friday fraud down. Crime and punishment.
Dec 1, 2017 | 19:46

In today's podcast, we hear that former National Security Advisor Flynn pleads guilty to lying to the FBI. Another misconfigured AWS account is found. Cobalt is either careless or engaged in misdirection. Election trolling and mutual suspicion between Russia and the US. Kaspersky says his company didn't, doesn't, and won't spy for the Russian government as US agencies begin to purge their systems of his security software. Black Friday fraud seems to be down this year. South Korea's investigation of domestic election meddling by its cyber command sharpens. Malek Ben Salem from Accenture Labs with thoughts on GDPR. Gary Golomb from Awake Security with thoughts on properly setting priorities. And Roman Seleznev gets another fourteen years on carding charges. 

The CyberWire
Another misconfigured AWS S3 bucket, this one with US Army INSCOM files. Apple fixes a major issue in MacOS. Influence ops and autarky. Boyusec disbanded.
Nov 29, 2017 | 19:51

In today's podcast we hear that another misconfigured AWS S3 bucket has turned up. This one holds sensitive US Army files. Apple fixes a big flaw in the latest MacOS High Sierra version—the password is…"root." Russia says American aggression in cyberspace is moving it to create its own DNS. Russia and Venezuela exploit the Catalan independence movement for disruptive information operations. Boyusec, mentioned in a recent US indictment, has been disbanded. Dale Drew from CenturyLink with lessons on consolidation. Jason McGee from IBM on software containers.

The CyberWire
Ransomware updates. ShadowPad backdoor may have got into the supply chain from a Chinese APT group. Apple Secure Enclave decryption key released. Profexor and Fancy Bear. Misconfigured AWS S3 exposes voter data. Countering extremism online. FBI continues
Aug 18, 2017 | 22:23

In today's podcast, we hear that ransomware strains, old and new, are circulating in the wild. ShadowPad backdoors are tentatively attributed to Chinese espionage operations in the supply chain. A hacker releases the decryption key for Apple's Secure Enclave. Profexor may actually not know much about Fancy Bear's romp through the DNC. Another misconfigured AWS bucket exposes data on voters in Chicago. The difficulties of countering extremism online. Malek Ben Salem from Accenture Labs on the cloud security maturity model. Joseph Carson from Thycotic on the evolution of phishing campaigns. The FBI has a roadshow warning companies of the risks of using Kaspersky security products.
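An added example, not from any of the episodes listed here, for the misconfigured S3 bucket stories that recur in the CyberWire entries above (the not-for-profit's clients in the May 23, 2018 episode, the US Army INSCOM files on Nov 29, 2017, and the Chicago voter data on Aug 18, 2017). It shows a world-readable bucket policy beside a corrected one and the three checks a practitioner runs over a bucket: its policy, its ACL, and the account or bucket Block Public Access settings. The policy JSON, the ACL and the account ID 111122223333 are constructed placeholders, and the checking functions are this example's own, not an AWS tool or anything from the episodes.

```python
# Added example: find world-accessible grants in an S3 bucket policy, bucket ACL and
# Block Public Access settings. The policies below are constructed; the account ID
# 111122223333 is a placeholder.
import json
from typing import Any, Dict, List

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:Restore")


def _as_list(v: Any) -> List[Any]:
    """IAM policy JSON allows a scalar wherever a list is accepted."""
    return [] if v is None else (v if isinstance(v, list) else [v])


def principal_is_public(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (including "*" inside an AWS list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_policy_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Allow statements addressed to everyone. A Condition narrows the grant but does
    not make it safe by itself, so conditional statements are kept and flagged."""
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not principal_is_public(st.get("Principal")):
            continue
        actions = _as_list(st.get("Action"))
        findings.append({
            "Sid": st.get("Sid", "<no Sid>"),
            "Actions": actions,
            "Resources": _as_list(st.get("Resource")),
            "Write": any(a == "s3:*" or a.startswith(WRITE_PREFIXES) for a in actions),
            "Conditional": bool(st.get("Condition")),
        })
    return findings


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Grants to the AllUsers / AuthenticatedUsers groups in a get-bucket-acl result."""
    out = []
    for g in _as_list(acl.get("Grants")):
        uri = g.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            out.append(f"{g.get('Permission')} granted to {PUBLIC_GROUPS[uri]}")
    return out


def public_access_block_gaps(pab: Dict[str, bool]) -> List[str]:
    """Block Public Access settings that are not switched on (all four should be)."""
    wanted = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [k for k in wanted if not pab.get(k, False)]


# Constructed inputs: the exposed bucket beside the corrected one.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]}
  ]
}""")
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BackupRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-writer"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")
WEAK_ACL = {
    "Owner": {"ID": "placeholder-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("weak policy:", public_policy_statements(WEAK_POLICY))
    print("fixed policy:", public_policy_statements(FIXED_POLICY))
    print("weak ACL:", public_acl_grants(WEAK_ACL))
    print("block public access gaps:", public_access_block_gaps({"BlockPublicAcls": True}))
```

Two details matter in practice. A Deny statement with `Principal: "*"` (the fixed policy's TLS-only rule) is not a public grant, so only Allow statements are reported; and `AuthenticatedUsers` is treated as public because it means any AWS account, not accounts you trust, which is the mistake behind many of the "unsecured bucket" stories above. Block Public Access turned on at the account level stops both the policy and the ACL variant regardless of what a later deploy writes into the bucket.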