POPULARITY
The UK Investor Magazine was delighted to welcome Mike Maddison, CEO of NCC Group, to the podcast to explore the FTSE 250 cyber security specialist.We explore NCC Group's growth opportunities as the world becomes increasingly digitalised, and new threats to organisations emerge.Mike explains NCC's growth strategy and how the business is evolving to meet clients' demands.The company has recently announced improving margins and a return to growth. Mike provides insight into the key drivers behind the numbers.NCC Group recently announced the extension of a contract with TikTok. We explore this partnership and touch on NCC's wider customer base. Hosted on Acast. See acast.com/privacy for more information.
John Maytham speaks to Dean Ferreira, Managing Director of NCC Group, following a listener query about posters placed in Newlands Forest detailing grievances from NCC wildfire firefighters.See omnystudio.com/listener for privacy information.
Watch on YouTube In this investing masterclass, UK small/midcap fund manager Christopher Mills of Harwood Capital takes me through his view of the markets and latest thoughts on 18 stock ideas, including: 00:00 Outlook for 2025 04:35 Closing #NAS's and #OIG's investment trust discounts 09:10 Spire Healthcare 13:25 Optima Health 16:35 EKF Diagnostics 20:00 NIOX 22:25 Pinewood Technologies 26:00 Tribal Group 30:00 TP ICAP 33:00 Avingtrans 36:40 Facilities by ADF 39:40 Trifast 42:10 PayPoint 45:10 Polar Capital 47:15 AssetCo 49:40 Frenkel Topping 55:10 NCC Group 57:55 Restore 60:00 Real Estate Investors 61:40 Hargreaves Services 66:35: Best stock idea for 2025
C'est désormais officiel : le premier bâtiment du centre de données TikTok, installé à Hamar, en Norvège, est opérationnel, marquant le début de la migration des données des utilisateurs européens depuis les États-Unis. Ce centre est le second en Europe, après celui en Irlande, inauguré en 2023.Le projet Clover, un investissement de plus de 12 milliards d'euros, est au cœur de l'initiative de sécurité de TikTok en Europe. En plus de ce centre norvégien, TikTok a confié la surveillance continue des passerelles de sécurité au NCC Group, expert indépendant en cybersécurité, pour garantir une protection optimale des données européennes. TikTok affirme que les protocoles mis en place bloquent l'accès aux informations sensibles — telles que les numéros de téléphone ou les adresses IP — aux employés basés en Chine. « L'enclave dédiée à l'Europe, où les données des utilisateurs européens sont stockées par défaut, est désormais répartie entre nos centres de données situés aux États-Unis, en Irlande et en Norvège », indique TikTok.Bien que la Norvège soit membre de l'Association européenne de libre-échange (AELE) et de l'Espace économique européen (EEE), elle ne fait pas partie de l'Union européenne, à l'instar de l'Islande et du Liechtenstein. Cependant, le RGPD (Règlement général sur la protection des données) s'applique aux membres de l'EEE, y compris la Norvège, en complément de la « personopplysningsloven », la loi norvégienne sur la protection des données et de la vie privée. TikTok souligne que ces mesures de sécurité, déployées dans le cadre du projet Clover, assurent aux 150 millions d'utilisateurs européens une protection des données « à la pointe de l'industrie ». Hébergé par Acast. Visitez acast.com/privacy pour plus d'informations.
IoT devices are notorious for weak designs, insecure implementations, and a lifecycle that mostly ignores patching. We look at external factors that might lead to change, like the FCC's cybersecurity labeling for IoT. We explore the constraints that often influence poor security on these devices, whether those constraints are as consequential given modern appsec practices, and what the opportunities are to make these devices more secure for everyone. Segment resources: https://www.fcc.gov/document/cybersecurity-labeling-program-internet-things-iot-products Research by Orange Tsai into Apache HTTPD's architecture reveals several vulns, NCC Group shows techniques for hacking IoT devices with Sonos speakers, finding use cases for WebAssembly, Slack's AI leaks data, DARPA wants a future of Rust, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-297
Research by Orange Tsai into Apache HTTPD's architecture reveals several vulns, NCC Group shows techniques for hacking IoT devices with Sonos speakers, finding use cases for WebAssembly, Slack's AI leaks data, DARPA wants a future of Rust, and more! Show Notes: https://securityweekly.com/asw-297
IoT devices are notorious for weak designs, insecure implementations, and a lifecycle that mostly ignores patching. We look at external factors that might lead to change, like the FCC's cybersecurity labeling for IoT. We explore the constraints that often influence poor security on these devices, whether those constraints are as consequential given modern appsec practices, and what the opportunities are to make these devices more secure for everyone. Segment resources: https://www.fcc.gov/document/cybersecurity-labeling-program-internet-things-iot-products Research by Orange Tsai into Apache HTTPD's architecture reveals several vulns, NCC Group shows techniques for hacking IoT devices with Sonos speakers, finding use cases for WebAssembly, Slack's AI leaks data, DARPA wants a future of Rust, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-297
Research by Orange Tsai into Apache HTTPD's architecture reveals several vulns, NCC Group shows techniques for hacking IoT devices with Sonos speakers, finding use cases for WebAssembly, Slack's AI leaks data, DARPA wants a future of Rust, and more! Show Notes: https://securityweekly.com/asw-297
This Brand Story Podcast comes to you from the RSA Conference Broadcast Alley and features an insightful discussion between Sean Martin, the host, and Siân John, the Chief Technology Officer at NCC Group. The conversation dives deep into the complex world of cybersecurity, shedding light on critical issues and trends impacting organizations globally. Siân John, in her role as the Chief Technology Officer at NCC Group, brings a wealth of experience and knowledge to the table. She discusses the challenges faced by organizations in the rapidly evolving cybersecurity landscape.From insights to innovation, threat intelligence to research, her role encompasses a wide range of responsibilities aimed at enhancing cybersecurity capabilities. One of the key highlights of the episode is the discussion around the shift in regulatory dynamics driven by citizen advocacy. Siân John emphasizes how the push for regulations, especially in areas like online safety and data privacy, is now coming from the citizens themselves. This shift signifies a growing awareness and concern among the general public regarding cybersecurity issues.The conversation also touches upon the importance of bridging the gap between business and cybersecurity. Sean Martin and Siân John discuss how organizations need to align their security strategies with business objectives to effectively manage cyber risks. By emphasizing the need for a business-driven approach to cybersecurity, they underscore the significance of integrating security into the fabric of the organization. Furthermore, the episode explores emerging technology trends that are reshaping the cybersecurity landscape. Siân John highlights the importance of consolidation, simplification, and automation in security operations.The discussion underscores the need for organizations to adapt to new technologies while ensuring a streamlined and resilient cybersecurity posture. As the conversation unfolds, Sean Martin and Siân John stress the importance of strategic planning and gradual implementation in cybersecurity initiatives. They caution against hasty decisions driven by urgency, advocating for a methodical approach to security transformation. By drawing parallels with failed IT projects, they emphasize the need for careful planning and execution in cybersecurity endeavors.Ultimately, the episode offers valuable insights into the evolving cybersecurity landscape and the role of key stakeholders in driving security transformation. Sean Martin and Siân John bring a wealth of knowledge and expertise to the table, offering practical advice and strategic guidance for organizations navigating the complex cybersecurity terrain.To learn more about the latest cybersecurity trends and best practices, connect with Sean John and the team at NCC Group and explore the cutting-edge solutions they offer to enhance cybersecurity resilience and protect against evolving threats.Learn more about NCC Group: https://itspm.ag/ncc-gr1ajhNote: This story contains promotional content. Learn more.Guest: Siân John, Chief Technology Officer, NCC GroupOn LinkedIn | https://www.linkedin.com/in/sian-john/ResourcesLearn more and catch more stories from NCC Group: https://www.itspmagazine.com/directory/ncc-groupView all of our RSA Conference Coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverageAre you interested in telling your story?https://www.itspmagazine.com/telling-your-story
This Brand Story Podcast comes to you from the RSA Conference Broadcast Alley and features an insightful discussion between Sean Martin, the host, and Siân John, the Chief Technology Officer at NCC Group. The conversation dives deep into the complex world of cybersecurity, shedding light on critical issues and trends impacting organizations globally. Siân John, in her role as the Chief Technology Officer at NCC Group, brings a wealth of experience and knowledge to the table. She discusses the challenges faced by organizations in the rapidly evolving cybersecurity landscape.From insights to innovation, threat intelligence to research, her role encompasses a wide range of responsibilities aimed at enhancing cybersecurity capabilities. One of the key highlights of the episode is the discussion around the shift in regulatory dynamics driven by citizen advocacy. Siân John emphasizes how the push for regulations, especially in areas like online safety and data privacy, is now coming from the citizens themselves. This shift signifies a growing awareness and concern among the general public regarding cybersecurity issues.The conversation also touches upon the importance of bridging the gap between business and cybersecurity. Sean Martin and Siân John discuss how organizations need to align their security strategies with business objectives to effectively manage cyber risks. By emphasizing the need for a business-driven approach to cybersecurity, they underscore the significance of integrating security into the fabric of the organization. Furthermore, the episode explores emerging technology trends that are reshaping the cybersecurity landscape. Siân John highlights the importance of consolidation, simplification, and automation in security operations.The discussion underscores the need for organizations to adapt to new technologies while ensuring a streamlined and resilient cybersecurity posture. As the conversation unfolds, Sean Martin and Siân John stress the importance of strategic planning and gradual implementation in cybersecurity initiatives. They caution against hasty decisions driven by urgency, advocating for a methodical approach to security transformation. By drawing parallels with failed IT projects, they emphasize the need for careful planning and execution in cybersecurity endeavors.Ultimately, the episode offers valuable insights into the evolving cybersecurity landscape and the role of key stakeholders in driving security transformation. Sean Martin and Siân John bring a wealth of knowledge and expertise to the table, offering practical advice and strategic guidance for organizations navigating the complex cybersecurity terrain.To learn more about the latest cybersecurity trends and best practices, connect with Sean John and the team at NCC Group and explore the cutting-edge solutions they offer to enhance cybersecurity resilience and protect against evolving threats.Learn more about NCC Group: https://itspm.ag/ncc-gr1ajhNote: This story contains promotional content. Learn more.Guest: Siân John, Chief Technology Officer, NCC GroupOn LinkedIn | https://www.linkedin.com/in/sian-john/ResourcesLearn more and catch more stories from NCC Group: https://www.itspmagazine.com/directory/ncc-groupView all of our RSA Conference Coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverageAre you interested in telling your story?https://www.itspmagazine.com/telling-your-story
Welcome to Season 2, Episode 29 of The Full Circl Podcast! Today we're joined by Sian John who is a technology executive, security strategist, keynote speaker & classical studies enthusiast. Sian talks about her unconventional career journey, and emphasises the importance of pursuing what sounds interesting rather than following a strict plan. Sian first worked in IT in the public sector, discovering an interest in security while fixing vulnerabilities at the Houses of Parliament. She then moved to the private sector, and eventually found her way into security consulting, pre-sales, and landed roles at Symantec and Microsoft before joining NCC Group. She encourages individuals transitioning to tech careers to not be fazed by the change and not to listen to gatekeepers, emphasising the importance of passion, curiosity, and self-study. The Full Circl Podcast takes a closer look into the lives and stories of aspirational leaders worldwide. A range of powerful themes are explored throughout each episode such as; the powerful stories of these Leaders, their pathway to success, and advice to Future Leaders. Find out more at - http://www.circl.org Follow us on Instagram - @Circlgram Follow us on LinkedIn - https://linkedin.com/company/circllearning Be sure to like and subscribe for more episodes! Thank you for listening.
When engaging in a transformation project to optimise the law department's work, there are myriad lessons to be learnt to ensure that such a project is as successful as possible. In this episode of The Corporate Counsel Show, host Jerome Doraisamy speaks with NCC Group head of legal (APAC) and head of data governance Elizabeth Duncan-Lee about working in a cyber security business and helping build a safer world, what it means to undertake a transformation project and what she and her team are currently working on, optimising daily operations, and the questions to be asked in getting started on such projects. Ms Duncan-Lee also delves into the practical steps to be taken in the implementation of transformation projects, how best to carve out time for the law department's other duties (including firefighting) while undertaking a transformation project and striking the right balance between competing priorities, how often to evaluate a project's success and direction, knowing when the team can be confident in an outcome and how long to allow for a new approach to work, and lessons learnt from engaging in such transformative processes. If you like this episode, show your support by rating us or leaving a review on Apple Podcasts (The Lawyers Weekly Show) and by following Lawyers Weekly on social media: Facebook, X (formerly Twitter) and LinkedIn. If you have any questions about what you heard today, any topics of interest you have in mind, or if you'd like to lend your voice to the show, email editor@lawyersweekly.com.au for more insights!
Howdy, y'all, and welcome to The Cyber Ranch Podcast! Our guest is Ayman Elsawah, who, like Allan these days, is a fractional CISO and founder of his own security company. He has done the fractional CISO thing many times. He has also been a professor, a security consultant, and a cloud-specific security consultant. His tenure includes eBay, NCC Group, Justworks and Masterclass. Ayman and Allan are talking about how cybersecurity teams can integrate themselves with the rest of the business. So we talk about the role of the CISO in business enablement all the time. Allan argues, based on the wise words of Scott McCool, a friend and mentor, that we are not here to enable the business. Rather we are here to BE the business. The distinction is that enablement still puts the CISO off to the side of the goings on. Being the business means that the CISO is part of the process, in there with sleeves rolled up alongside CRO, CMO, CFO, CEO, COO, etc. So let's ask the question twice: In a B2B context, what are three things a CISO can do to enable the business? In a B2B context what are three things a CISO can do to BE the business? Presumably one of these involves being part of the sales cycle? Let's drill in on the company's products/services. Not talking about sales, but rather the products and services themselves, how can we as security practitioners be an integral part of products and/or services? What are three ways we can be the business there? What about the relationships? How do we strengthen being the business with regards to relationships with our peers? What about customer-facing activities beyond sales? How do we be the business with regards to our customers? Challenge round, what about B2C? Melanie Ensign in a panel she was part of said that one way Cybersecurity can help B2C is by reducing support tickets. This is pure genius. Any other B2C tips? You have your own podcast, and a newsletter, book…. Tell our listeners all about what you offer the cybersecurity world... Y'all be good now!
Matt Lewis from the NCC Group joins to discuss how cybercriminals can decode your personality through AI conversations to launch targeted attacks at you. Dave and Joe share some follow up from listener Sydney, who writes in to share her thoughts on an FCC proceeding and how it could be of greater relevance to IoT security than SBOMs and HBOMs. Dave also shares a story from a listener from last Christmas, sending a warning to holiday shoppers. Dave has two stories this week, he shares one regarding an announcement on holiday scams coming out. His other story follows Zelle finally caving in to provide some relief to scam victims. Joe's story follows new crypto-theft attacks and warns people against the new tactics. Links to the stories: 2023 Holiday Shopping Scams Zelle finally caves after years of refusing to refund scam victims Microsoft: BlueNoroff hackers plan new crypto-theft attacks Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com.
Nagios gets a review from NCC Group, hackers hack some anti-fixing code to fix trains in Poland, abusing OAuth post-compromise, 5Ghoul flaws in 5G networks, MITRE teases a new threat model for embedded systems, a conversation on vuln scoring systems, and more! Show Notes: https://securityweekly.com/asw-267
Service meshes create the opportunity to make security a team sport. They can improve observability and service identity. Turning monoliths into micro services sounds appealing, but maybe not every monolith needs to be broken up. We'll also talk about the maturity and design choices that go into service meshes and when a monolith should just remain a monolith. Segment Resources: https://www.solo.io/blog/kubernetes-security-cloud-native-applications/ https://www.solo.io/blog/apis-data-breach-zero-trust/ https://www.solo.io/blog/api-gateways-productivity-resilience-security-cloud-applications/ In the news, Nagios gets a review from NCC Group, hackers hack some anti-fixing code to fix trains in Poland, abusing OAuth post-compromise, 5Ghoul flaws in 5G networks, MITRE teases a new threat model for embedded systems, a conversation on vuln scoring systems, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Instagram: https://www.instagram.com/secweekly/ Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-267
Service meshes create the opportunity to make security a team sport. They can improve observability and service identity. Turning monoliths into micro services sounds appealing, but maybe not every monolith needs to be broken up. We'll also talk about the maturity and design choices that go into service meshes and when a monolith should just remain a monolith. Segment Resources: https://www.solo.io/blog/kubernetes-security-cloud-native-applications/ https://www.solo.io/blog/apis-data-breach-zero-trust/ https://www.solo.io/blog/api-gateways-productivity-resilience-security-cloud-applications/ In the news, Nagios gets a review from NCC Group, hackers hack some anti-fixing code to fix trains in Poland, abusing OAuth post-compromise, 5Ghoul flaws in 5G networks, MITRE teases a new threat model for embedded systems, a conversation on vuln scoring systems, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Instagram: https://www.instagram.com/secweekly/ Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-267
Nagios gets a review from NCC Group, hackers hack some anti-fixing code to fix trains in Poland, abusing OAuth post-compromise, 5Ghoul flaws in 5G networks, MITRE teases a new threat model for embedded systems, a conversation on vuln scoring systems, and more! Show Notes: https://securityweekly.com/asw-267
How governments cooperate across borders to keep cyber threats at bay came into the spotlight at this week's GovWare Conference, as critical digital infrastructures become increasingly under threat as technology advances at breakneck speed. On this episode of Morning Shot - we tackle the issue with Juliette Wilcox, Cyber Security Ambassador for Defence and Security Exports at the UK Department for Business and Trade and Siân John, Chief Technology Officer of the NCC Group, a global cyber and software resilience business. Presented by: Ryan Huang & Emaad Akhtar Produced and edited by: Yeo Kai Ting (ykaiting@sph.com.sg) Music/sound credits: pixabay & its talented community of contributorsSee omnystudio.com/listener for privacy information.
Step into the heart of fintech innovation with our live coverage of Amsterdam's Fintech Week (XFW)! Join resident host Don Ginsel as he welcomes the brilliant industry thought leader Conny Dorrestijn to lead our captivating interviews with two powerhouses of the week. Jacob Paolo, representing NCC Group, and Paula Kant, the face of Invest Hong Kong, share their insights and visions in these exclusive conversations. If you missed the excitement of XFW in Amsterdam, don't fret! Tune in to catch these remarkable interviews and stay in the loop with the future of fintech. Meet our guests: Paula Kant - Head of Investment Promotion at InvestHK linkedin.com/in/paulakant/ investhk.gov.hk/ Jacob Paolo - Senior Account Manager linkedin.com/in/jacob-paolo/ nccgroupplc.com/
Welcome to part two of a three part Fintech Chatter special recorded live from the British Consulate in Sydney with your host Dexter Cousins.Back in 2018 Tier One People began supporting the work of the UK Department of Business and Trade in their efforts to establish a UK/Aus fintech bridge.Each year a UK Fintech Mission heads down under as part of Intersekt week.It's a fantastic opportunity not only to showcase what Australia has to offer, but to learn from our UK cousins.So over this 3 part series I'm bringing interviews with the delegates sharing their insights, experiences and their thoughts to the Australian Fintech community.In this episode Dexter chats to three Fintechs about to launch in Australia.Abigail Thornleigh chats about NCC Group. NCC is already established here in Australia as a Cyber solution, they're about to launch a new business which could help Fintechs and Banks enter into commercial agreements much faster and at a much lower cost. - https://www.nccgroup.com/au/Know It is the first Scottish Fintech we've featured on the show. Founder Lynne Darcey Quigley shares her journey as a business owner to Fintech founder undergoing global expansion. - https://know-it.co.uk/And Nigel Bridges is the CEO of Veracity Trust Network - an AI and Machine Learning Fintech helping banks beat Fraud and Scams. - https://veracitytrustnetwork.com/Subscribe Newsletter: https://www.linkedin.com/newsletters/fintech-leaders-7092732051488980992/Apple: https://apple.co/3D7NsPtSpotify: https://spoti.fi/3IzSViQSubscribe and like on Youtube: https://bit.ly/3tBlRmEConnect on Linkedin: https://bit.ly/3DsCJBpFollow on Twitter: https://twitter.com/DexterCousins
This week, Anna (https://twitter.com/annarrose) and Guillermo (https://twitter.com/GuilleAngeris) chat with David Wong (https://twitter.com/cryptodavidw), author of the Real-World Cryptography book (https://www.manning.com/books/real-world-cryptography?a_aid=Realworldcrypto&a_bid=ad500e09), and a cofounder [zksecurity.xyz]((https://www.zksecurity.xyz/) - an auditing firm focused on Zero Knowledge technology. They chat about what first got him interested in cryptography, his early work as a security consultant, his work on the Facebook crypto project and the Mina project, zksecurity.xyz, auditing techniques and their efficacy in a ZK context, what common bugs are found in ZK code, and much more. Here's some additional links for this episode: Crypto is not cryptocurrency (https://cryptoisnotcryptocurrency.com/) NCC Group (https://www.nccgroup.com/) OCaml website (https://ocaml.org/) Real-World Cryptography book (https://www.manning.com/books/real-world-cryptography) Mina Protocol (https://minaprotocol.com/) 3pages.fr (https://www.3pages.fr/home/login/) The Frozen Heart vulnerability in PlonK | Trail of Bits Blog (https://blog.trailofbits.com/2022/04/18/the-frozen-heart-vulnerability-in-plonk/) ZK Podcast Episode 284: Using Formal Verification on ZK Systems with Jon Stephens (https://zeroknowledge.fm/284-2/) zkSecurity Website (https://www.zksecurity.xyz/) ZK Podcast Episode 257: Proof of Solvency with Kostas Chalkias - ZK Podcast (https://zeroknowledge.fm/257-2/) ZK Podcast Episode 210: The Road to STARKs and Miden with Bobbin Threadbare - ZK Podcast (https://zeroknowledge.fm/210-2/) ZK Podcast Episode 76: Sean Bowe on SNARKs, Trusted Setups & Elliptic Curve Cryptography - ZK Podcast (https://zeroknowledge.fm/76-2/) Check out the ZK Jobs Board (https://jobsboard.zeroknowledge.fm/) for new job opportunities in the run up to the zkSummit 10 (https://www.zksummit.com/)! Aleo (https://www.aleo.org/) is a new Layer-1 blockchain that achieves the programmability of Ethereum, the privacy of Zcash, and the scalability of a rollup. For questions, join their Discord at aleo.org/discord (http://aleo.org/discord). If you like what we do: * Find all our links here! @ZeroKnowledge | Linktree (https://linktr.ee/zeroknowledge) * Subscribe to our podcast newsletter (https://zeroknowledge.substack.com) * Follow us on Twitter @zeroknowledgefm (https://twitter.com/zeroknowledgefm) * Join us on Telegram (https://zeroknowledge.fm/telegram) * Catch us on YouTube (https://zeroknowledge.fm/)
Hoe gaat een internationaal bedrijf in koelopslag en -transport wereldwijde voedselverspilling tegen? Harld Peters, president van Lineage Logistics Europa, is te gast in BNR Zakendoen. Macro met Mujagić Elke dag een intrigerende gedachtewisseling over de stand van de macro-economie. Op maandag en vrijdag gaat presentator Thomas van Zijl in gesprek met econoom Arnoud Boot, de rest van de week praat Van Zijl met econoom Edin Mujagić. Lobbypanel De Algemene Rekenkamer vraagt politieke partijen om hun verkiezingsprogramma's eenvoudig en uitvoerbaar te maken. En: Cyberbeveiliger Fox-IT reorganiseert en gaat op in Britse eigenaar NCC Group, waarmee Nederlandse staatsgeheimen wederom een stukje verder van huis belanden. Is dat een probleem? Dat en meer bespreken we om 13.00 in het lobbypanel met: - Mark van den Anker, mede-eigenaar van Wepublic - Sybrig van Keep, directeur van Issuemakers Luister | Lobbypanel Geniaal of Onzinnig Welk bedrijf droomt er niet van: het introduceren van een geniaal product of een briljante dienst. Maar wat in de ogen van het bedrijf in kwestie geweldig is, kan zo maar onzinnig zijn. Te gast is Marieke van Iperen van digitaal verhuisplatform Settly. Future Business Leaders Wie zijn de leiders van de toekomst, wat beweegt hen, waar dromen ze over, wat vinden ze belangrijk én wat juist niet? Dat bespreekt Edwin Mooibroek met Future Business Leaders. Te gast is Sara Teiken, junior manager op de afdeling risicoadvies bij Deloitte Zakenpartner Ze ambieerde éigenlijk een carrière als schadecorrespondent, maar rolde na haar studie in een functie als personeelsadviseur. Die expertise zette ze vervolgens jaren in voor de Gemeente Lelystad, waar ze via verschillende omwegen in de gebiedsplanning terecht kwam. Inmiddels is zij commercieel manager Lelystad bij bouwbedrijf van Wijnen. De zakenpartner van deze week is Chantal Visser. Contact & Abonneren BNR Zakendoen zendt elke werkdag live uit van 12:00 tot 14:30 uur. Je kunt de redactie bereiken via e-mail en Twitter. See omnystudio.com/listener for privacy information.
De Algemene Rekenkamer vraagt politieke partijen om hun verkiezingsprogramma's eenvoudig en uitvoerbaar te maken. En: cyberbeveiliger Fox-IT reorganiseert en gaat op in Britse eigenaar NCC Group, waarmee Nederlandse staatsgeheimen wederom een stukje verder van huis belanden. Is dat een probleem? Panelleden Presentator Thomas van Zijl gaat in gesprek met het lobbypanel, dat deze keer bestaat uit: - Mark van den Anker, mede-eigenaar van Wepublic - Sybrig van Keep, directeur van Issuemakers Abonneer je op de Podcast Ga naar de pagina van het Lobbypanel en abonneer je op de podcast, ook te beluisteren via Apple Podcast, Spotify en elke woensdag live om 13:00 uur in BNR Zakendoen.See omnystudio.com/listener for privacy information.
DSO Overflow S3EP8Static Application Security TestingwithNipun GuptaIn this episode, Glenn is joined by Nipun Gupta, a seasoned technology executive, entrepreneur, and speaker to talk about static code analysis, its benefits, its pitfalls and how best to integrate tools into developer workflows. Based nowadays in London, UK after a decade in Silicon Valley, Nipun has developed a reputation as a thought leader and innovator in cybersecurity at places like NCC Group, Deutsche Bank, and Deloitte. Prior to leading Integrations Product at Devo, he served as the Vice President, Global Cyber Security Strategy & Innovation Lead at Deutsche Bank's Silicon Valley office. Currently serving as the COO at Bearer, a fast-growing static code analysis platform that is redefining what code security can do, Nipun is at the forefront of the DevSecOps revolution, helping companies of all sizes adopt modern approaches to software development and security.Resources mentioned in this podcast:Nipun's LinkedIn profileNipun's Twitter FeedBearer CLI documentationBearer on GitHubBearer on TwitterDSO Overflow is a DevSecOps London Gathering production. Find the audio version on all good podcast sources like Spotify, Apple Podcast and Buzzsprout.This podcast is brought to you by our sponsors: Prisma Cloud,, Apiiro, and SysdigYour HostsSteve Giguere linkedin.com/in/stevegiguereGlenn Wilson linkedin.com/in/glennwilsonJessica Cregg linkedin.com/in/jessicacreggDevSecOps - London GatheringKeep in touch with our events associated with this podcast via our website.For more about DevSecOps - London Gathering check out https://dsolg.com
On today's episode of the Security Vendor spin-off series, we are joined by Aaron Singleton Martin and Sean Mitchell, Head of SOC Operations at NCC Group. During today's episode, they discuss Sean's introduction into the cybersecurity field after a long career in the IT world. Sean also shares more about his mentorship program and the inspiration behind starting this up. Learn more from Sean: https://www.linkedin.com/in/sean-mitchell-cyber/ https://seanmitchell.tech/ Want to stay up to date with new episodes? Follow our LinkedIn page for all the latest podcast updates!Head to: https://www.linkedin.com/company/the-route-to-networking-podcast/Interested in following a similar career path? Why don't you take a look at our jobs page, where you can find your next job opportunity? Head to: www.hamilton-barnes.com/jobs/
In this podcast interview, we sit down with Nandor Csonka, the global practice lead for cloud security services at NCC Group, to explore their adoption and implementation of the CSA Cloud Control Matrix (CCM). Nandor shares the initial process of why NCC Group adopted the CCM and the challenges they encountered as a non CSP (Cloud Service Provider), along with their strategies for overcoming them. He also highlights the specific benefits and improvements that resulted from the adoption within NCC Group. Furthermore, Nandor delves into the common challenges faced by clients when implementing the CSA CCM and provides insights on successful adoption strategies. We discuss the transition from older versions to CSA CCM V4 and its associated challenges. Lastly, Nandor sheds light on NCC Group's future involvement with the CSA CCM, including their journey to become an accredited CB (Certification Body) and CSA STAR (Security, Trust & Assurance Registry) auditing firm. He also shares his perspective on areas where organizations may need to focus more attention and allocate resources in the coming years. Join us for an insightful discussion on securing cloud technology and reducing risk with NCC Group's cloud security expert.
Robyn Lundin started working in tech after a coding boot camp as a developer for a small startup. She then discovered her passion for security, pivoted into pentesting for NCC Group, and now works as a Senior Product Security Engineer for Slack. Robyn joins us to discuss the role of penetration testing within the application security realm. Robyn provides actionable guidance you can apply directly to your application pen testing program. We hope you enjoy this conversation with....Robyn Lundin.Visit our website: https://www.securityjourney.com/resources/application-security-podcast FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/channel/UCfrTGqjSsFCQW4k6TueuY-A Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Application Security Podcast is brought to you by Security Journey. Security Journey delivers secure coding training to development teams and those who support them. They help enterprises reduce vulnerabilities through application security education for developers and everyone in the SDLC. TRY OUR TRAINING ➜ https://info.securityjourney.com/try-our-training
Brandon Evans reunites with his former co-worker, Josh, a Senior Security Architect at Snowflake, as they discuss how to build security into DevOps organizations and how he was able to identify vulnerabilities in cloud DevOps tooling.Our Guest - Joshua MakinenJoshua Makinen is a security expert based out of Seattle who has been working in security design and penetration testing for 6 years. Currently, he works with Snowflake to decompose and mitigate the risks associated with Snowflake's infrastructure and public-facing offerings as a Data Cloud. During his time as a Security Consultant with NCC Group, he was exposed to a multitude of different organizations and was fascinated by the wide variety of problems they faced, technologies they used, and the approaches to cloud security they chose as a result. While much of his career accomplishments are not public, he once released a container image registry scanning tool called go-pillage-registries and also (accidentally) discovered and responsibly disclosed a couple of high-severity bug-bounty findings and CVE-2021-3583 in Ansible. Internal threats to an organization's supply chain and management interfaces for sensitive environments remains as one of Josh's favorite topics to consider in security. Follow JoshuaTwitterLinkedInWebSponsor's Note:Support for Cloud Ace podcast comes from SANS Institute. If you like the topics covered in this podcast and would like to learn more about cloud security, SANS Cloud Security curriculum is here to support your journey into building, deploying, and managing secure cloud infrastructure, platforms, and applications. Whether you are on a technical flight plan, or a leadership one, SANS Cloud Security curriculum has resources, training, and certifications to fit your needs.Focus on where the cloud is going, not where it is today. Your organization is going to need someone with SPONSER NOTE: Support for Cloud Ace podcast comes from SANS Institute. If you like the topics covered in this podcast and would like to learn more about cloud security, SANS Cloud Security curriculum is here to support your journey into building, deploying, and managing secure cloud infrastructure, platforms, and applications. Whether you are on a technical flight plan, or a leadership one, SANS Cloud Security curriculum has resources, training, and certifications to fit your needs. Focus on where the cloud is going, not where it is today. Your organization is going to need someone with hands-on technical experience and cloud security-specific knowledge. You will be prepared not only for your current role, but also for a cutting-edge future in cloud security. Review and Download Cloud Security Resources: sans.org/cloud-security/ Join our growing and diverse community of cloud security professionals on your platform of choice: Discord | Twitter | LinkedIn | YouTube
A CISO's Guide to Pentesting References https://en.wikipedia.org/wiki/Penetration_test https://partner-security.withgoogle.com/docs/pentest_guidelines#assessment-methodology https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf https://pentest-standard.readthedocs.io/en/latest/ https://www.isecom.org/OSSTMM.3.pdf https://s2.security/the-mage-platform/ https://bishopfox.com/platform https://www.pentera.io/ https://www.youtube.com/watch?v=g3yROAs-oAc **************************** Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we're going to explore a number of things a CISO needs to know about pentesting. As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates. Now to get a good understanding of pentesting we are going over the basics every CISO needs to understand. What is it Where are good places to order it What should I look for in a penetration testing provider What does a penetration testing provider need to provide What's changing on this going forward First of all, let's talk about what a pentest is NOT. It is not a simple vulnerability scan. That's something you can do yourself with any number of publicly available tools. However, performing a vulnerability scan, and then acting on remediating what you find, is an important prerequisite for a pentest. Why pay hundreds of dollars per hour for someone to point out what you can find yourself in your bunny slippers sipping a latte? Now let's start with providing a definition of a penetration test. According to Wikipedia a penetration test or pentest is an authorized simulated cyber-attack on a computer system performed to evaluate the security of a system. It's really designed to show weaknesses in a system that can be exploited. Let's think of things we want to test. It can be a website, an API, a mobile application, an endpoint, a firewall, etc. There's really a lot of things you can test, but the thing to remember is you have to prioritize what has the highest likelihood or largest impact to cause the company harm. You need to focus on high likelihood and impact because professional penetration tests are not cheap. Usually, they will usually cost between $10,000-$30,000 but if you have a complex system, it's not unheard of to go up to $100,000. As a CISO you need to be able to defend this expenditure of resources. So, you will usually define a clear standard that our company will perform penetration tests on customer facing applications, PCI applications, and Financially Significant Application or SOX applications once per year. My friend John Strand, who founded Black Hills Information Security, pointed out in a recent webcast that sometimes you, the client, may not know what you mean by the term pentest. Sometimes clients want just a vulnerability scan, or sometimes an external scan of vulnerabilities to identify risk, or sometimes a compromise assessment where a tester has access to a workstation and tries to work laterally, or sometimes a red team where a tester acts like a threat actor and tries to bypass controls, or a collaborative effort involving both red teams and blue teams to document gaps and to help defenders do their job better. He goes on to state that your pentest objective should be to "provide evidence of the effectiveness of current defensive mechanisms and attack detection methodologies." Please do not confuse a penetration test with a Red Team exercise. A red team exercise just wants to accomplish an objective like steal data from an application. A penetration test wants to enumerate vulnerabilities in a scoped target system so the developer can patch and remediate. It's a subtle difference but consider that a red team only needs to find one vulnerability to declare success, whereas a penetration test keeps going to help identify potentially exploitable vulnerabilities. Now, is a pentest about finding ALL vulnerabilities? I would say no – there are vulnerabilities that might require a disproportionate amount of resources to exploit for little or no value – something with a CVSS score of 4.0 or the like. Those can often be left unpatched without consequence – the cost of remediating may exceed the value of the risk avoided. There really is a “good enough” standard of risk, and that is called “acceptable risk.” So, when scoping a pentest or reviewing results, make sure that any findings are both relevant and make economic sense to remediate. Let's take the example that you want to perform a web application pentest on your public website so you can fix the vulnerabilities before the bad actors find them. The first question you should consider is do you want an internal or an external penetration test. Well, the classic answer of "it depends" is appropriate. If this website is something of a service that you are selling to other companies, then chances are those companies are going to ask you for things like an ISO 27001 certification or SOC 2 Type 2 Report and both of those standards require, you guessed it, a penetration Test. In this case your company would be expected to document a pentest performed by an external provider. Now if your company has a website that is selling direct to a consumer, then chances are you don't have the same level of requirement for an external pentest. So, you may be able to just perform an internal penetration test performed by your company's employees. I'd be remiss if I didn't mention the Center for Internet Security Critical Controls, formerly know as the SANS Top 20. The current version, eight, has 18 controls that are listed in order of importance, and they include pentesting. What is the priority of pentesting, you may ask? #18 of 18 -- dead last. Now, that doesn't mean pentests are not valuable, or not useful, or even not important. What it does mean is that pentests come at the end of building your security framework and implementing controls. Starting with a pentest makes no sense IMHO, although compliance-oriented organizations probably do this more often than they should. That approach makes the pen testers job one of filtering through noise -- there are probably a TON of vulnerabilities and weaknesses that should have been remediated in advance and could have been with very little effort. Think of a pentest as a final exam if you will. Otherwise, it's an expensive way to populate your security to-do list. OK let's say we want to have an external penetration test and we have the 10-30K on hand to pay an external vendor. Remember this, a penetration test is only as good as the conductor of the penetration test. Cyber is a very unregulated industry which means it can be tricky to know who is qualified. Compare this to the medical industry. If you go to a hospital, you will generally get referred to a Medical Doctor or Physician. This is usually someone who has a degree such as a MD or DO which proves their competency. They will also have a license from the state to practice medicine legally. Contrast this to the cyber security industry. There is no requirement for a degree to practice Cyber in the workforce. Also, there is no license issued by the state to practice cyber or develop software applications. Therefore, you need to look for relevant Cyber certifications to demonstrate competency to perform a Penetration Test. There's a number of penetration testing certifications such as the Certified Ethical Hacker or CEH, Global Information Assurance Certification or GIAC GPEN or GWAP, and the Offensive Security Certified Professional or OSCP. We strongly recommend anyone performing an actual penetration test have an OSCP. This certification is difficult to pass. A cyber professional must be able to perform an actual penetration test and produce a detailed report to get the actual certification. This is exactly what you want in a pentester, which is why we are big fans of this certification. This certification is a lot more complicated than remembering a bunch of textbook answers and filling in a multiple-choice test. Do yourself a favor and ask for individuals performing penetration tests at your company to possess this certification. It may mean your penetration tests cost more, but it's a really good way to set a bar of qualified folks who can perform quality penetration tests to secure your company. Now you have money, and you know you want to look for penetration tests from companies that have skilled cyber professionals with years of experience and an OSCP. What companies should you look at? Usually, we see three types of penetration testing companies. Companies that use their existing auditors to perform penetration tests – firms like KPMG, EY, PWC, or Deloitte (The Big 4 1/2). This is expensive but it's easy to get them approved since most large companies already have contracts with at least one of these companies. The second type of company that we see are large penetration testing companies. Companies like Bishop Fox, Black Hills Information Security, NCC Group, and TrustedSec, focus largely on penetration testing and don't extend into other areas like financial auditing. They have at least 50+ penetration testers with experience from places like the CIA, NSA, and other large tech companies. Note they are often highly acclaimed so there is often a waitlist of a few months before you can get added as a new client. Finally, there are boutique shops that specialize in particular areas. For example, you might want to hire a company that specializes in testing mobile applications, Salesforce environments, embedded devices, or APIs. This is a more specialized skill and a bit harder to find so you have to find a relevant vendor. Remember if someone can pass the OSCP it means they know how to test and usually have a background in Web Application Penetration testing. Attacking a Web application means being an expert in using a tool like Burp Suite to look for OWASP Top 10 attacks like SQL injection or Cross Site Scripting. This is a very different set of skills from someone who can hack a Vehicle Controller Area Network (CAN) bus or John Deere Tractor that requires reverse engineering and C++ coding. Once you pick your vendor and successfully negotiate a master license agreement be sure to check that you are continuing to get the talent you expect. It's common for the first penetration test to have skilled testers but over time to have a vendor replace staff with cheaper labor who might not have the OSCP or same level of experience that you expect. Don't let this happen to your company and review the labor and contract requirements in a recurring fashion. Alright, let's imagine you have a highly skilled vendor who meets these requirements. How should they perform a penetration test? Well, if you are looking for a quality penetration testing guide, we recommend following the one used by Google. Google, whose parent company is called Alphabet, has publicly shared their penetration testing guidelines and we have attached a link to it in our show notes. It's a great read so please take a look. Now Google recommends that a good penetration test report should clearly follow an assessment methodology during the assessment. Usually, penetration testers will follow an industry recognized standard like the OWASP Web Security Testing Guide, the OWASP Mobile Security Testing Guide, the OWASP Firmware Security Testing Guide, the PCI DSS Penetration Testing Guide, The Penetration Testing Execution Standard, or the OSSTMM which stands for The Open Source Security Testing Methodology Manual. These assessment methodologies can be used to show that extensive evaluation was done, and a multitude of steps/attacks were carried out. They can also standardize the documentation of findings. Here you will want a list showing risk severity level, impact from a business/technical perspective, clear concise steps to reproduce the finding, screenshots showing evidence of the finding, and recommendations on how to resolve the finding. This will allow you to build a quality penetration test that you can reuse in an organization to improve your understanding of technical risks. If I can get good penetration tests today, perhaps we should think about how penetration testing is changing in the future? The answer is automation. Now we have had automated vulnerability management tools for decades. But please don't think that running a Dynamic Application Security Testing Tool or DAST such as Web Inspect is the same thing as performing a full penetration test. A penetration test usually takes about a month of work from a trained professional which is quite different from a 30-minute scan. As a cyber industry we are starting to see innovative Penetration Testing companies build out Continuous and Automated Penetration Testing tooling. Examples of this include Bishop Fox's Cosmos, Pentera's Automated Security Validation Platform, and Stage 2 Security Voodoo and Mage tooling. Each of these companies are producing some really interesting tools and we think they will be a strong complement to penetration tests performed by actual teams. This means that companies can perform more tests on more applications. The other major advantage with these tools is repeatability. Usually, a penetration test is a point in time assessment. For example, once a year you schedule a penetration test on your application. That means if a month later if you make changes, updates, or patches to your application then there can easily be new vulnerabilities introduced which were never assessed by your penetration test. So having a continuous solution to identify common vulnerabilities is important because you always want to find your vulnerabilities first before bad actors. Here's one final tip. Don't rely on a single penetration testing company. Remember we discussed that a penetration testing company is only as good as the tester and the toolbox. So, try changing out the company who tests the same application each year. For example, perhaps you have contracts with Bishop Fox, Stage 2 Security, and Black Hill Information Security where each company performs a number of penetration tests for your company each year. You can alternate which company scans which application. Therefore, have Bishop Fox perform a pentest of your public website in 2022, then Stage 2 Security test it in 2023, then Black Hills test it in 2024. Every penetration tester looks for something different and they will bring different skills to the test. If you leverage this methodology of changing penetration testing vendors each cycle, then you will get more findings which allows you to remediate and lower risk. It allows you to know if a penetration testing vendor's pricing is out of the norm. You can cancel or renegotiate one contract if a penetration testing vendor wants to double their prices. And watch the news -- even security companies have problems, and if a firm's best pentesters all leave to join a startup, that loss of talent may impact the quality of your report. Thank you for listening to CISO Tradecraft, and we hope you have found this episode valuable in your security leadership journey. As always, we encourage you to follow us on LinkedIn, and help us out by letting your podcast provider know you value this show. This is your host, G. Mark Hardy, and until next time, stay safe.
FEATURED VOICES IN THIS EPISODEDan GuidoDan Guido is the CEO of Trail of Bits, a cybersecurity firm he founded in 2012 to address software security challenges with cutting-edge research. In his tenure leading Trail of Bits, Dan has grown the team to 80 engineers, led the team to compete in the DARPA Cyber Grand Challenge, built an industry-leading blockchain security practice, and refined open-source tools for the endpoint security market. In addition to his work at Trail of Bits, he's active on the boards of four early-stage technology companies. Dan contributes to cybersecurity policy papers from RAND, CNAS, and Harvard. He runs Empire Hacking, a 1,500-member meetup group focused on NYC-area cybersecurity professionals. His latest hobby coding project -- AlgoVPN -- is the Internet's most recommended self-hosted VPN. In prior roles, Dan taught a capstone course on software exploitation at NYU as a faculty member and the Hacker in Residence, consulted at iSEC Partners (now NCC Group), and worked as an incident responder for the Federal Reserve System.Evan SultanikEvan Sultanik is a Principal Computer Security Researcher at Trail of Bits. A computer scientist with extensive experience both in industry (as a software engineer) and academia, Evan is an active contributor to open source software. He is author of more than two dozen peer-reviewed academic papers, and is particularly interested in intelligent, distributed/peer-to-peer systems. Evan is editor of and frequent contributor to the International Journal of PoC||GTFO. Trent BrunsonTrent is a Principal Security Engineer and Research Practice Manager at Trail of Bits. He has worked in computer security since 2012 as a researcher and engineer at Assured Information Security in Rome, NY, and at the Georgia Tech Research Institute, where he served as the Threat Intelligence Branch Chief and the Associate Division Chief of Threat Intelligence & Analytics. Trent received his Ph.D. in computational physics from Emory University in Atlanta in 2014, and his dissertation work applied the renormalization group and Monte Carlo methods to study exact results on complex networks.Host: Nick SelbyAn accomplished information and physical security professional, Nick leads the Software Assurance practice at Trail of Bits, giving customers at some of the world's most targeted companies a comprehensive understanding of their security landscape. He is the creator of the Trail of Bits podcast, and does everything from writing scripts to conducting interviews to audio engineering to Foley (e.g. biting into pickles). Prior to Trail of Bits, Nick was Director of Cyber Intelligence and Investigations at the NYPD; the CSO of a blockchain startup; and VP of Operations at an industry analysis firm. Production StaffStory Editor: Chris JulinAssociate Editor: Emily HaavikExecutive Producer: Nick SelbyExecutive Producer: Dan GuidoRecordingRocky Hill Studios, Ghent, New York. Nick Selby, EngineerPreuss-Projekt Tonstudio, Salzburg, Austria. Christian Höll, EngineerRemote recordings: Whistler, BC (Nick Selby); Queens, NY (Emily Haavik)Edited and Mastered by Chris JulinTrail of Bits supports and adheres to the Tape Syncers United Fair Rates CardMusicDispatches From Technology's Future, the Trail of Bits theme, Chris JulinCANTO DELLE SCIACALLE, Cesare PastanellaSHALLOW WATER - REMIX, Omri Smadar, Yehezkel Raz, Sivan TalmorALL IN YOUR STRIDE, ABELET IT RISE, Divine Attraction ROAD LESS TRAVELED, The David Roy CollectiveKILLING ME SOFTLY, Ty SimonTECH TALK, Rex BannerLOST ON EARTH, Marek JakubowiczSCAPES, Gray NorthReproductionWith the exception of any Copyrighted music herein, Trail of Bits Season 1 Episode 0; Immutable © 2022 by Trail of Bits is licensed under Attribution-NonCommercial-NoDerivatives 4.0 International. This license allows reuse: reusers may copy and distribute the material in any medium or format in unadapted form and for noncommercial purposes only (noncommercial means not primarily intended for or directed towards commercial advantage or monetary compensation), provided that reusers give credit to Trail of Bits as the creator. No derivatives or adaptations of this work are permitted. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0/. Referenced in this EpisodeIn “Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers,” Evan Sultanik, Trent Brunson, and nine other engineers on the Trail of Bits Research and Engineering and Software Assurance teams report their findings from the year-long project to examine Blockchain centrality. Fluxture is a free and open source software crawling framework for Blockchains and peer-to-peer systems that Trail of Bits created to assist with the work described in this episode. We also link to the free and open source recursive dependency graphing tool It-Depends, which we will discuss in depth in the upcoming podcast episode that's creatively titled, It-Depends. The Are Blockchains Decentralized paper cites more than 30 academic and commercial research papers. There is literature about how malicious Tor exit nodes surveil and inject attacks into Tor-users' traffic. You may also read comments about exit node manipulation by Tor network maintainers. One report states that On February 2, 2021, a single, malicious actor was able to fully manage 27 percent of Tor's exit capacity.The reports “How Malicious Tor Relays are Exploiting Users in 2020 (Part I)" hypothesized that the entity behind a range of malicious tor relays would not to stop its activities anytime soon; the follow-up, "Tracking One Year of Malicious Tor Exit Relay Activities" continues the discussion. Meet the Team:CHRIS JULINChris Julin has spent years telling audio stories and helping other people tell theirs. These days he works as a story editor and producer for news outlets like APM Reports, West Virginia Public Broadcasting, and Marketplace. He has also taught and mentored hundreds of young journalists as a professor. For the Trail of Bits podcast, he serves as story and music editor, sound designer, and mixing and mastering engineer.EMILY HAAVIKFor the past 10 years Emily Haavik has worked as a broadcast journalist in radio, television, and digital media. She's spent time writing, reporting, covering courts, producing investigative podcasts, and serving as an editorial manager. She now works as an audio producer for several production shops including Us & Them from West Virginia Public Broadcasting and PRX, and APM Reports. For the Trail of Bits podcast, she helps with scripting, interviews, story concepts, and audio production.
FEATURED VOICES IN THIS EPISODEDan GuidoDan Guido is the CEO of Trail of Bits, a cybersecurity firm he founded in 2012 to address software security challenges with cutting-edge research. In his tenure leading Trail of Bits, Dan has grown the team to 80 engineers, led the team to compete in the DARPA Cyber Grand Challenge, built an industry-leading blockchain security practice, and refined open-source tools for the endpoint security market. In addition to his work at Trail of Bits, he's active on the boards of four early-stage technology companies. Dan contributes to cybersecurity policy papers from RAND, CNAS, and Harvard. He runs Empire Hacking, a 1,500-member meetup group focused on NYC-area cybersecurity professionals. His latest hobby coding project -- AlgoVPN -- is the Internet's most recommended self-hosted VPN. In prior roles, Dan taught a capstone course on software exploitation at NYU as a faculty member and the Hacker in Residence, consulted at iSEC Partners (now NCC Group), and worked as an incident responder for the Federal Reserve System.Nat ChinNat Chin is a security engineer 2 at Trail of Bits, where she performs security reviews of blockchain projects, and develops tools that are useful when working with Ethereum. She is the author of solc-select, a tool to help switch Solidity versions. She worked as a smart contract developer and taught as a Blockchain Professor at George Brown College, before transitioning to blockchain security when she joined Trail of Bits.Opal WrightOpal Wright is a cryptography analyst at Trail of Bits. Two of the following three statements about her are true: (a) she's a long-distance unicyclist; (b) she invented a public-key cryptosystem; (c) she designed and built an award-winning sex toy.Jim MillerJim Miller is the cryptography team lead at Trail of Bits. Before joining Trail of Bits, Jim attended graduate programs at both Cambridge and Yale, where he studied and researched both Number Theory and Cryptography, focusing on topics such as lattice-based cryptography and zero-knowledge proofs. During his time at Trail of Bits, Jim has led several security reviews across a wide variety of cryptographic applications and has helped lead the development of multiple projects, such as ZKDocs and PrivacyRaven.Josselin FeistJosselin Feist is a principal security engineer at Trail of Bits where he participates in assessments of blockchain software and designs automated bug-finding tools for smart contracts. He holds a Ph.D. in static analysis and symbolic execution and regularly speaks at both academic and industrial conferences. He is the author of various security tools, including Slither - a static analyzer framework for Ethereum smart contracts and Tealer - a static analyzer for Algorand contracts.Peter GoodmanPeter Goodman is a Staff Engineer in the Research and Engineering practice at Trail of Bits, where he leads all de/compilation efforts. He is the creator of various static and dynamic program analysis tools, ranging from the Remill library for lifting machine code into LLVM bitcode, to the GRR snapshot/record/replay-based fuzzer. When Peter isn't writing code, he's mentoring a fleet of interns to push the envelope. Peter holds a Master's in Computer Science from the University of Toronto.Host: Nick SelbyAn accomplished information and physical security professional, Nick leads the Software Assurance practice at Trail of Bits, giving customers at some of the world's most targeted companies a comprehensive understanding of their security landscape. He is the creator of the Trail of Bits podcast, and does everything from writing scripts to conducting interviews to audio engineering to Foley (e.g. biting into pickles). Prior to Trail of Bits, Nick was Director of Cyber Intelligence and Investigations at the NYPD; the CSO of a blockchain startup; and VP of Operations at an industry analysis firm.Production StaffStory Editor: Chris JulinAssociate Editor: Emily HaavikExecutive Producer: Nick SelbyExecutive Producer: Dan GuidoRecordingRocky Hill Studios, Ghent, New York. Nick Selby, EngineerPreuss-Projekt Tonstudio, Salzburg, Austria. Christian Höll, EngineerRemote recordings:Whistler, BC, Canada; (Nick Selby) Queens, NY; Brooklyn, NY; Rochester, NY (Emily Haavik);Toronto, ON, Canada. TAPES//TYPES, Russell W. Gragg, EngineerTrail of Bits supports and adheres to the Tape Syncers United Fair Rates CardEdited by Emily Haavik and Chris JulinMastered by Chris JulinMusicDISPATCHES FROM TECHNOLOGY'S FUTURE, THE TRAIL OF BITS THEME, Chris JulinOPEN WINGS, Liron MeyuhasNEW WORLD, Ian PostFUNKYMANIA, Omri Smadar, The Original OrchestraGOOD AS GONE, INSTRUMENTAL VERSION, Bunker Buster ALL IN YOUR STRIDE, AbeBREATHE EASY, Omri SmadarTREEHOUSE, LingerwellLIKE THAT, Tobias BergsonSCAPES, Gray NorthReproductionWith the exception of any Copyrighted music herein, Trail of Bits Season 1 Episode 0; Immutable © 2022 by Trail of Bits is licensed under Attribution-NonCommercial-NoDerivatives 4.0 International. This license allows reuse: reusers may copy and distribute the material in any medium or format in unadapted form and for noncommercial purposes only (noncommercial means not primarily intended for or directed towards commercial advantage or monetary compensation), provided that reusers give credit to Trail of Bits as the creator. No derivatives or adaptations of this work are permitted. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.Meet the Team:CHRIS JULINChris Julin has spent years telling audio stories and helping other people tell theirs. These days he works as a story editor and producer for news outlets like APM Reports, West Virginia Public Broadcasting, and Marketplace. He has also taught and mentored hundreds of young journalists as a professor. For the Trail of Bits podcast, he serves as story and music editor, sound designer, and mixing and mastering engineer.EMILY HAAVIKFor the past 10 years Emily Haavik has worked as a broadcast journalist in radio, television, and digital media. She's spent time writing, reporting, covering courts, producing investigative podcasts, and serving as an editorial manager. She now works as an audio producer for several production shops including Us & Them from West Virginia Public Broadcasting and PRX, and APM Reports. For the Trail of Bits podcast, she helps with scripting, interviews, story concepts, and audio production.
A daily look at the relevant information security news from overnight - 09 June, 2022Episode 241 - 09 June 2022Linux Symbiote- https://www.zdnet.com/article/this-new-linux-malware-is-almost-impossible-to-detect/Black Basta hearts Qbot - https://threatpost.com/black-basta-ransomware-qbot/179909/Emotet gets Chromed- https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-credit-cards-from-google-chrome-users/Cuba upgrade - https://www.bleepingcomputer.com/news/security/cuba-ransomware-returns-to-extorting-victims-with-updated-encryptor/China hacking telecoms - https://www.securityweek.com/us-details-chinese-attacks-against-telecoms-providersHi, I'm Paul Torgersen. It's Thursday June 9th, 2022, and from Chicago, this is a look at the information security news from overnight. From ZDNet.comA joint research effort has discovered a new form of Linux malware they've called Symbiote that is almost impossible to detect. Instead of attempting to compromise running processes, Symbiote instead acts as a shared object library that is loaded on all running processes via LD_PRELOAD. It appears to have been developed to target financial institutions in Latin America, although that is not definitive. Details and a link to the research blog post in the article. From ThreatPost.com:Here's a mashup I never wanted to hear: Black Basta is now leveraging the Qbot network to spread its ransomware and move laterally through the infected networks. You can link to the NCC Group research for all the nasty details in the article. From BleepingComputer.com:The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to harvest credit card information stored in Google Chrome user profiles. In an odd twist, once card details are collected they were exfiltrated to a different C2 server than the module loader. Details in the article. Also from BleepingComputer.com:The Cuba ransomware group has returned to regular operations with a new and improved version of its malware. Cuba ransomware's activity reached a peak last year when it partnered with the Hancitor malware gang for initial access, breaching 49 US organizations. This year has seen much lower activity from them, but that appears to be changing with the upgrade to the malware. And last today, from SecurityWeek.comThe NSA, CISA and FBI have issued a joint cybersecurity advisory warning of China-linked threat actors compromising telecom companies and network services providers. The advisory details some of the techniques and tactics the APTs use, as well as specify many of the vulnerabilities they have been targeting. See the article for details and a link to that advisory. That's all for me today. Have a great rest of your day. Like and subscribe. Tell a friend. And until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 06 June, 2022Episode 238 - 06 June 2022Patched Atlassian- https://www.securityweek.com/atlassian-patches-confluence-zero-day-exploitation-attempts-surgeYuga Labs phished - https://www.bleepingcomputer.com/news/security/bored-ape-yacht-club-otherside-nfts-stolen-in-discord-server-hack/Novartis data sale - https://www.bleepingcomputer.com/news/security/novartis-says-no-sensitive-data-was-compromised-in-cyberattack/U-Boot baddie - https://www.securityweek.com/critical-u-boot-vulnerability-allows-rooting-embedded-systemsReverse Tunnel phishing - https://www.bleepingcomputer.com/news/security/evasive-phishing-mixes-reverse-tunnels-and-url-shortening-services/Hi, I'm Paul Torgersen. It's Monday June 6th, 2022, and this is a look at the information security news from overnight. From SecurityWeek.comWe talked Friday about the zero-day affecting Atlassian Confluence Server and Data Center. Well, two things have happened since then; Atlassian has issued a patch, and attempts to exploit the vulnerability have gone through the roof. According to a Cloudflare report, they say they have seen evidence suggesting that potentially malicious payloads have been delivered since at least May 26. We may not have seen the full impact of this vulnerability quite yet. And in the meantime, get your patch on kids. From BleepingComputer.com:Hackers reportedly stole over $257,000 in Ethereum and thirty-two NFTs after the Yuga Lab's Bored Ape Yacht Club and Otherside Metaverse Discord servers were compromised in a phishing scam. The scam pretended to be an exclusive, limited giveaway for existing NFT holders, which included a link to a webpage that allowed a visitor to mint a free NFT. You can imagine where the link really went. Details in the article. Also from BleepingComputer.com:Data extortion group Industrial Spy began selling data allegedly stolen from Novartis on their Tor extortion marketplace for $500,000 in bitcoin. The data is supposed to be related to RNA and DNA-based drug technology, although Novartis says that no sensitive data was compromised. There are 7.7 MB of PDF files for sale, but it is unclear if that is the extent of the data that was taken. Novartis has no comment yet about how and when the data was accessed. From SecurityWeek.com:A critical vulnerability in the U-Boot, boot loader could be exploited to write arbitrary data, and ultimately allow an attacker to gain root on Linux-based embedded systems. The open-source boot loader is used in various types of embedded systems, including ChromeOS and Android, and supports multiple architectures. NCC Group says a patch is in the works. And last today, from BleepingComputer.comResearchers are seeing an uptick in phishing campaigns utilizing reverse tunnel services along with URL shorteners, which makes them a bear to get shut down. With reverse tunnels, threat actors can host the phishing pages locally on their own computers and then route connections through external services. Often, they refresh those phishing links in less than 24 hours, making it nearly impossible to shut down the sites before they get moved. Details in the article. That's all for me today . Have a great rest of your day. Like and subscribe. And until tomorrow, be safe out there.
Podcast: Control Loop: The OT Cybersecurity PodcastEpisode: Welcome to Control Loop: Giving back to the OT community.Pub date: 2022-06-01Every two weeks, get the latest in OT news in Control Loop News Brief, an interview featuring a thought leader in the OT space sharing current industry trends, and the Control Loop Learning Lab's educational segment. A companion monthly newsletter is available through free subscription and on the CyberWire's website.Headlines include: Russia's hybrid war against Ukraine. Russian threat actors against industrial control systems. Exploits for Bluetooth Low Energy. Hacktivists claim attacks against Russian ground surveillance robots. New wiper loader. Turla threat actor reconnaissance in Estonian and Austrian networks. Robert M. Lee, CEO of Dragos, talks giving back to the OT community and shares insights on Pipedream malware. Learning Lab has Dragos' Mark Urban and Jackson Evans-Davies talking about the fundamentals of OT cybersecurity.Control Loop News Brief.Continuing expectations of escalation in cyberspace.Microsoft President: Cyber Space Has Become the New Domain of Warfare - Infosecurity MagazineCyber Attacks on Ukraine: Not What You Think | PCMag Warning: threat actor targets industrial systems.US warns energy firms of a rapidly advancing hacking threat - E&E NewsPIPEDREAM: CHERNOVITE's Emerging Malware Targeting Industrial Environments | DragosPipedream Malware: Feds Uncover 'Swiss Army Knife' for Industrial System Hacking | WIREDIndestroyer2 and Ukraine's power grid. Twitter: @ESETresearchIndustroyer2: Industroyer reloaded | WeLiveSecurityRussian hackers tried to bring down Ukraine's power grid to help the invasion | MIT Technology ReviewBluetooth vulnerabilities demonstrated in proof-of-concept.NCC Group uncovers Bluetooth Low Energy (BLE) vulnerability that puts millions of cars, mobile devices and locking systems at riskTesla Hacker Proves a Way of Unlocking Doors, Starting Engine - BloombergCISA and its international partners urge following best practices to prevent threat actors from gaining initial access.Weak Security Controls and Practices Routinely Exploited for Initial Access | CISAHacktivists claim to have compromised Russian-manufactured ground surveillance robots.Did hackers commandeer surveillance robots at a Russian airport?Twitter: @caucasnetPolitically motivated DDoS attack on Port of London Authority website.Twitter: @LondonPortAuthPro-Iran Group ALtahrea Hits Port of London Website by DDoS Attack New loader identified in wiper campaigns.Sandworm uses a new version of ArguePatch to attack targets in Ukraine | WeLiveSecurity Turla reconnaissance detected in Austrian and Estonian networks.Russian hackers perform reconnaissance against Austria, Estonia TURLA's new phishing-based reconnaissance campaign in Eastern Europe SANS ICS Summit is coming to Florida, June 1-9.ICS Security Summit & Training 2022Colonial Pipeline's ransomware attack, one year later.How the Colonial Pipeline attack instilled urgency in cybersecurityOT vulnerabilities as credit risk.Operational Technology Cyberattacks Are a Credit Risk for UtilitiesA Cyber Resilience Pledge. Global CEOs Commit to Collective Action on Cyber Resilience Recent threat intelligence findings from Dragos.Dragos ICS/OT Ransomware Analysis: Q1 2022Control Loop Interview.Robert M. Lee, CEO of Dragos, on giving back to the OT cybersecurity community, the idea behind the Control Loop podcast and newsletter, and his candid thoughts on the Pipedream malware and its creators.Follow Rob on LinkedIn and Twitter.Control Loop Learning Lab.Dragos' Mark Urban and Jackson Evans-Davies on the fundamentals of OT cybersecurity and network architecture.Dragos 2021 ICS Cybersecurity Year in ReviewHow to Build a Roadmap for ICS/OT Cybersecurity: 3 Steps to a Sustainable ProgramManaging External Connections to Your Operational Technology EnvironmentImproving ICS/OT Security Perimeters with Network SegmentationThe podcast and artwork embedded on this page are from CyberWire Inc., which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.
Every two weeks, get the latest in OT news in Control Loop News Brief, an interview featuring a thought leader in the OT space sharing current industry trends, and the Control Loop Learning Lab's educational segment. A companion monthly newsletter is available through free subscription and on the CyberWire's website. Headlines include: Russia's hybrid war against Ukraine. Russian threat actors against industrial control systems. Exploits for Bluetooth Low Energy. Hacktivists claim attacks against Russian ground surveillance robots. New wiper loader. Turla threat actor reconnaissance in Estonian and Austrian networks. Robert M. Lee, CEO of Dragos, talks giving back to the OT community and shares insights on Pipedream malware. Learning Lab has Dragos' Mark Urban and Jackson Evans-Davies talking about the fundamentals of OT cybersecurity. Control Loop News Brief. Continuing expectations of escalation in cyberspace. Microsoft President: Cyber Space Has Become the New Domain of Warfare - Infosecurity Magazine Cyber Attacks on Ukraine: Not What You Think | PCMag Warning: threat actor targets industrial systems. US warns energy firms of a rapidly advancing hacking threat - E&E News PIPEDREAM: CHERNOVITE's Emerging Malware Targeting Industrial Environments | Dragos Pipedream Malware: Feds Uncover 'Swiss Army Knife' for Industrial System Hacking | WIRED Indestroyer2 and Ukraine's power grid. Twitter: @ESETresearch Industroyer2: Industroyer reloaded | WeLiveSecurity Russian hackers tried to bring down Ukraine's power grid to help the invasion | MIT Technology Review Bluetooth vulnerabilities demonstrated in proof-of-concept. NCC Group uncovers Bluetooth Low Energy (BLE) vulnerability that puts millions of cars, mobile devices and locking systems at risk Tesla Hacker Proves a Way of Unlocking Doors, Starting Engine - Bloomberg CISA and its international partners urge following best practices to prevent threat actors from gaining initial access. Weak Security Controls and Practices Routinely Exploited for Initial Access | CISA Hacktivists claim to have compromised Russian-manufactured ground surveillance robots. Did hackers commandeer surveillance robots at a Russian airport? Twitter: @caucasnet Politically motivated DDoS attack on Port of London Authority website. Twitter: @LondonPortAuth Pro-Iran Group ALtahrea Hits Port of London Website by DDoS Attack New loader identified in wiper campaigns. Sandworm uses a new version of ArguePatch to attack targets in Ukraine | WeLiveSecurity Turla reconnaissance detected in Austrian and Estonian networks. Russian hackers perform reconnaissance against Austria, Estonia TURLA's new phishing-based reconnaissance campaign in Eastern Europe SANS ICS Summit is coming to Florida, June 1-9. ICS Security Summit & Training 2022 Colonial Pipeline's ransomware attack, one year later. How the Colonial Pipeline attack instilled urgency in cybersecurity OT vulnerabilities as credit risk. Operational Technology Cyberattacks Are a Credit Risk for Utilities A Cyber Resilience Pledge. Global CEOs Commit to Collective Action on Cyber Resilience Recent threat intelligence findings from Dragos. Dragos ICS/OT Ransomware Analysis: Q1 2022 Control Loop Interview. Robert M. Lee, CEO of Dragos, on giving back to the OT cybersecurity community, the idea behind the Control Loop podcast and newsletter, and his candid thoughts on the Pipedream malware and its creators. Follow Rob on LinkedIn and Twitter. Control Loop Learning Lab. Dragos' Mark Urban and Jackson Evans-Davies on the fundamentals of OT cybersecurity and network architecture. Dragos 2021 ICS Cybersecurity Year in Review How to Build a Roadmap for ICS/OT Cybersecurity: 3 Steps to a Sustainable Program Managing External Connections to Your Operational Technology Environment Improving ICS/OT Security Perimeters with Network Segmentation
Over 1 milliard kostede det Mærsk, da de blev hacket tilbage i 2017. Og de er slet ikke de eneste, der er udsat. Cybercrime er på hastig fremmarch i store virksomheder, mindre virksomheder og hos private.Så hvordan bliver vi bedre til at sikre os mod hackerangreb?Det er temaet for i dag, og Jan Skovgren er her for at hjælpe os. Han er Director of Security Consulting i NCC Group og lever af at træne virksomheder i at undgå, at hackerne snyder dem.I episoden finder du ud af: - Hvad hackerne egentlig er ude efter - Hvordan de (ofte nemt) møver sig igennem receptioner - Hvorfor phishingmails er så udbredte, og hvorfor en kop kaffe er et af dine bedste våben imod dem - Hvad 'ransomware' og 'patching' er for noget, og hvorfor det er vigtigt - Hvilke to konkrete ting, du bør gøre ved dine passwords i dag (og nej, indsæt 'stort begyndelsesbogstav' og 'et tal' er ikke et af dem) - Hvad små og mellemstore virksomheder bør gøre i praksis for at sikre sig mod it-angrebSlå to-faktor på dine SoMe-profiler:Som vi taler om i interviewet kan du sikre dig endnu bedre ved at aktivere to-faktor godkendelse på dine SoMe-profiler. Her har du links til enkle guides, der viser dig, hvordan du gøre det. Det tager vitterligt to minutter.To-faktor på Instagram: https://www.facebook.com/help/instagram/1124604297705184To-faktor på Facebook: https://www.facebook.com/help/148233965247823To-faktor på Twitter: https://help.twitter.com/en/managing-your-account/two-factor-authenticationTo-faktor på LinkedIn: https://www.linkedin.com/help/linkedin/answer/31698/sadan-aktiverer-og-deaktiverer-du-totrinsverifikation
A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here. NOTE: This podcast contains an interview with Sultan Qasim Khan of NCC Group. Unfortunately the audio quality in this interview is quite bad. Sorry, it's the best we could do this time! Show notes Risky Biz News: New Bluetooth relay attack bypasses current defenses
A daily look at the relevant information security news from overnight.Episode 238 - 17 May 2022Apple attack - https://www.bleepingcomputer.com/news/security/apple-emergency-update-fixes-zero-day-used-to-hack-macs-watches/Conti hits Parker - https://www.infosecurity-magazine.com/news/parker-conti-ransomware/Tesla BLE - https://www.bleepingcomputer.com/news/security/hackers-can-steal-your-tesla-model-3-y-using-new-bluetooth-attack/Card skimming - https://www.zdnet.com/article/fbi-hackers-used-malicious-php-code-to-grab-credit-card-data/iPhone vulv- https://threatpost.com/iphones-attack-turned-off/179641/Hi, I'm Paul Torgersen. It's Tuesday May 17th, 2022, and this is a look at the information security news from overnight. From BleepingComputer.com:Apple has released security updates to address a zero-day vulnerability that threat actors can exploit in attacks targeting Macs and Apple Watches. The flaw is an out-of-bounds write issue in the AppleAVD, the kernel extension for audio and video decoding. Apple says it is likely this has already been exploited in the wild. From Infosecurity-magazine.com:US manufacturer Parker-Hannifin has announced a data breach exposing employees' PII after being the target of a Conti ransomware attack. The company said that an unauthorized third party gained access to its IT systems between 11 and 14 of March this year. On the plus side, if you‘re information was involved, you just got two free years of identity theft monitoring. From BleepingComputer.com:Security researchers at the NCC Group have developed a tool to carry out a Bluetooth Low Energy relay attack that bypasses all existing protections to authenticate on target devices. What target devices, you ask? Teslas. Details in the article. From ZDNet.com:The FBI put out a warning that someone is scraping credit card data from the checkout pages of US businesses' websites. The bad actor is injecting malicious PHP Hypertext Preprocessor code into the business' online checkout page and sending the scraped data to a server that spoofed a legitimate card processing server. They also left a backdoor into the victims system. And last today, from ThreatPost.comBecause of how Apple implements standalone wireless features such as Bluetooth, Near Field Communication and Ultra-wideband technologies, researchers have found that iPhones are vulnerable to malware loading attacks even when the device is turned off. The root cause of the issue is how iPhones implement low power mode for wireless chips. No comment yet from Apple, but there is a link to the research report in the article. That's all for me today. Remember to LIKE and SUBSCRIBE. And as always, until next time, be safe out there.
Snowden Played Key Role in Zcash Creation -- Interview with Nate Wilcox, Zcash co-creatorGoogle Now Accepts Requests for Sensitive Data RemovalElon Musk Wants to Make Twitter DMs Encrypted0:00 Pre-roll0:52 Show Intro2:00 Edward Snowden Played Key Role in Creation of Zcash, w/ Nathan Wilcox4:10 Nathan Wilcox explains "The Ceremony"6:33 NCC Group's involvement11:35 Wilcox: "We are building an infrastructure for everyone"17:00 Zcash myths exposed!20:20 Private protocol isn't enough, wallets can expose your data! 23:00 Wilcox: "Wallets are more important than protocols"24:42 Is Your Phone Number on Google?28:55 Elon Musk Wants to Make Twitter DMs Encrypted33:29 Quiz, Congrats YT Viewer OldSkool!37:13 Show Out and ThanksBrought to you by NBTV members: Sam Ettaro, Will Sandoval, and Naomi BrockwellTo support NBTV, visit https://www.nbtv.media/support(tax-deductible in the US)Sign up for the free CryptoBeat newsletter here:https://cryptobeat.substack.com/Beware of scammers, I will never give you a phone number or reach out to you with investment advice. I do not give investment advice.Visit the NBTV website:https://nbtv.mediaSupport the show (https://www.patreon.com/naomibrockwell)
The hack of Beanstalk is just the latest major compromise of a decentralized finance (DeFi) platform. In this podcast, Jennifer Fernick of NCC Group joins me to talk about why DeFi's security woes are much bigger than Beanstalk. The post Episode 237: Jacked on the Beanstalk – DeFi's Security Debt Runs Wide, Deep appeared first on The Security Ledger with Paul F. Roberts. Click the icon below to listen. Related StoriesEpisode 241: If Its Smart, Its Vulnerable a Conversation with Mikko HyppönenEpisode 241: If Its Smart, Its Vulnerable a Conversation wit Mikko HyppönenEpisode 240: As Stakes Of Attacks Grow, Can Cyber Policy “Shift Right”?
In this podcast today, I will discuss the company NCC Group! Listen to the podcast for details! --- Support this podcast: https://anchor.fm/thressa-sweat/support
In this episode we speak to Thomas Ptacek, currently a software engineer at Fly.io and previously a co-founder at security firms Latacora and Matasano Security. We discuss the state of software security in sectors like energy and healthcare, how software developers should think about supply chain risk, and what they should do about securing their dependencies. We also explore how security threats have changed over the years, and what developers working on open source should do to improve their own security.About Thomas PtacekThomas Ptacek is a leading security researcher. Best known as one of the co-founders of Matasano Security, which was prior to its acquisition by NCC Group one of the largest software security firms in the US. Working in software security since 1995, Thomas was a member of the industry's first commercial vulnerability research lab - Secure Networks. Thomas is currently a software engineer at Fly.ioOther things mentioned:DjangoNodeJSReactDenoOktaGoogle cloud authenticationTailscaleWireGuardServer-side request forgeryBurp SuiteBlack HatEmacs Tramp ModeMagitLet us know what you think on Twitter:https://twitter.com/consoledotdevhttps://twitter.com/davidmyttonhttps://twitter.com/tqbfOr by email: hello@console.devAbout ConsoleConsole is the place developers go to find the best tools. Our weekly newsletter picks out the most interesting tools and new releases. We keep track of everything - dev tools, devops, cloud, and APIs - so you don't have to. Sign up for free at: https://console.devRecorded: 2021-10-19.
Key takeaways: Aligning the security roadmap to business objectives Preparing for the initial requirements assessment Making sure you understand what is important to the business and not just 1-2 people Assessing internal capabilities Iterating and collaborating on the roadmap Coming into the job with a blank slate view Meet: Noah Beddome is the Chief Information Security Officer (CISO) at Opendoor, the leading digital real estate platform, where he is responsible for protecting the data and technology infrastructure as well as overseeing Opendoor's information security program and IT. Noah has more than a decade of experience working in information security in enterprise and government environments. Most recently, he served as VP of Security Engineering and interim CISO for Datadog. Prior to that, Noah worked as the Practice Director for Strategic Infrastructure Services (SIS) at NCC Group, where he built and led the SIS practice. Noah began his career in security consulting, conducting assessments and penetration testing for several firms. He also served as a non-commissioned officer in the U.S. Marine Corps for four years. If you have any questions for Noah, please feel free to reach out via: https://www.linkedin.com/in/noah-beddome-6b794940/ I hope you enjoyed the episode, the best place to connect with me is on Linkedin - https://www.linkedin.com/in/amirbormand (Amir Bormand). Please send me a message if you would like me to cover certain topics with future guests.
Today's episode of The Secure Developer features some fantastic content from a panel at DevSecCon London. Clint Gibler, Research Director at the NCC Group is joined by Doug DePerry, Director of Defense at Datadog, Tash Norris, Head of Product Security at Moonpig, Jesse Endahl, CSO at Fleetsmith, and Zane Lackey, CSO at Signal Sciences. The discussion begins with a dive into building a good security culture within a company and ways to get other members of an organization interested in security. Some of the strategies explored include cross-departmental relationship building, incentivizing conversations with the security team through swag and food, and embedding security within development teams. We then turn our attention to metrics. There are often competing priorities between developers and security, which can cause tension. The panel shares some of the security metrics that have and have not worked for them, and we also hear different takes on the often-divisive bug count metric. Next up is a dive into working with limited personnel and financial resources, one of the most common constraints security teams face. We hear how the panel approaches prioritization, adding value to the organization as a whole, and the importance of making the security capabilities digestible to the developers. After this, the panel explores risk quantification and subsequent communication. While it's difficult to quantify risk precisely, there are some effective strategies such as risk forecasting. Along with this, techniques on communicating with executives in resonant ways to convey the severity of potential threats are also shared. Other topics covered include policy-driven vs technical-driven security and skilling up less technical teams, how to know when security is ‘done,' and incentives for upholding security protocols!
Our guest today on the show is Clint Gibler, a research director at NCC Group, where he helps provide organizations with security consulting services. Clint speaks to Guy Podjarny at DevSecCon Seattle about the current landscape of application security, how his company fits into that as a global information assurance specialist and the job of helping companies scale their security efforts through cutting edge tools and processes. His vast experience in the field of security, with a wide range of companies, has afforded him great insight into the importance of security teams' morale and goal setting. We hear from him about staying up to date on the latest developments in the field and his advice for remaining as current as possible. Clint's background in helping companies implement security automation and DevSecOps best practices has led to his current standing and we get to hear about the panel discussion he moderated at the DevSecCon event.Show notes and transcript can be found here
In episode 35 of The Secure Developer, Guy is joined by Robert C. Seacord of NCC Group, who champions the continued practice of coding security in C and C++, and offers practical advantages to using various programming languages in the Agile era. The post Ep. #35, Secure Coding in C/C++ with Robert C. Seacord of NCC Group appeared first on Heavybit.
In episode 35 of The Secure Developer, Guy is joined by Robert C. Seacord of NCC Group, who champions the continued practice of coding security in C and C++, and offers practical advantages to using various programming languages in the Agile era.
This week on BSDNow, we have a variety of news to discuss, covering quite the spectrum of BSD. (Including a new DragonFly release!). This episode was brought to you by Headlines my int is too big (http://www.tedunangst.com/flak/post/my-int-is-too-big) “The NCC Group report (http://marc.info/?l=oss-security&m=146853062403622&w=2) describes the bugs, but not the history of the code.” “Several of them, as reported by NCC, involved similar integer truncation issues. Actually, they involved very similar modern 64 bit code meeting classic 32 bit code” “The thrsleep system call is a part of the kernel code that supports threads. As the name implies, it gives userland a measure of control over scheduling and lets a thread sleep until something happens. As such, it takes a timeout in the form of a timespec. The kernel, however, internally implements time keeping using ticks (there are HZ, 100, ticks per second). The tsleep function (t is for timed) takes an int number of ticks and performs basic validation by checking that it's not negative. A negative timeout would indicate that the caller has miscalculated. The kernel panics so you can fix the bug, instead of stalling forever.” “The trouble therefore is when userland is allowed to specify a timeout that could be negative. The existing code made an attempt to handle various tricks by converting the timespec to a ticks value stored as a 64 bit long long which was checked against INTMAX before passing to sleep. Any value over INTMAX would be truncated, so we can't allow that. Instead, we saturate the value to INT_MAX. Unfortunately, this check didn't account for the possibility that the tick conversion from the timespec could also overflow and result in a negative value.” Then there is the description of the kqueue flaw: “Every kqueue keeps a list of all the attached events it's watching for. A simple array is used to store file events, indexed by fd.” “This array is scaled to accommodate the largest fd that needs to be stored. This would obviously cause trouble, consuming too much memory, if the identifier were not validated first. Which is exactly what kqueue tries to do. The fdgetfile function checks that the identifier is a file that the process has open. One wrinkle. fdgetfile takes an int argument but ident is a uintptr_t, possibly 64 bits. An ident of 2^32 + 2 will look like a valid file descriptor, but then cause the array to be resized to gargantuan proportions.” “Again, the fix is pretty simple. We must check that the ident is bounded by INTMAX before calling fdgetfile. This bug likely would have been exploitable beyond a panic, but the array allocation was changed to use mallocarray instead of multiplying arguments by hand, thus preventing another overflow.” Then there is a description of the anonymous mmap flaw, and the “secret magic” _MAPNOFAULT flag *** FreeBSD Quarterly Status Report Q2 2016 (https://www.freebsd.org/news/status/report-2016-04-2016-06.html) It's time for another round of FreeBSD Quarterly Status Reports! In this edition, we have status updates from the various teams, including IRC/Bugs/RE/Ports/Core and Foundation We also have updates on some specific projects, including from Konstantin on the on-going work for his implementation of ASLR, including the new ‘proccontrol' command which provides the following: > “The proccontrol(1) utility was written to manage and query ASLR enforcement on a per-process basis. It is required for analyzing ASLR failures in specific programs. This utility leverages the procctl(2) interface which was added to the previous version of the patch, with some bug fixes.” Next are updates on porting CEPH to FreeBSD, the ongoing work to improve EFI+GELI (touched on last week) and more robust Mutexes. Additionally we have an update from Matt Macy and the Xorg team discussing the current work to update FreeBSD's graphic stack: > “All Intel GPUs up to and including the unreleased Kaby Lake are supported. The xf86-video-intel driver will be updated soon. Updating this driver requires updating Xorg, which in turn is blocked on Nvidia updates.” The kernel also got some feature status updates, including on the new Allwinner SoC support, an update on FreeBSD in Hyper-V and VIMAGE In addition to a quick update on the arm64 architecture (It's getting there, RPi3 is almost a thing), we also have a slew of port updates, including support for GitLab in ports, updates on GNOME / KDE and some additional Intel-specific networking tools. *** Vulnerabilities discovered in freebsd-update and portsnap (https://lists.freebsd.org/pipermail/freebsd-security/2016-July/009016.html) There are two vulnerabilities discovered in freebsd-update and portsnap, where an attacker could place files in the portsnap directory and they would be used without being subject to having their checksum verified (but this requires root access), and the second where a man-in-the-middle attacker could guess the name of a file you will fetch by exploiting the time-gap between when you download the initial snapshot, and when you fetch the updated files. There are a number of vulnerabilities that were discovered in libarchive/tar as well There is also an issue with bspatch. A security advisory for bspatch has already been released, as this vulnerabilities was also discovered by the Chromium team, which uses this same code. The patch discussed in this mailing list thread is larger, but secteam@ believes at least one of the additional checks introduced is incorrect and may prevent a valid patch from being applied. The smaller patch was pushed out first, to solve the main attack vector, while the larger patch is investigated. Automated fuzz testing is underway. Great care is being taken fixing bspatch, as if it is broken installing future updates becomes much more difficult secteam@ and core@ would like to emphasize that the FreeBSD project takes these issue very seriously and are working on it > “As a general rule, secteam@ does not announce vulnerabilities for which we don't have patches, but we concede that we should have considered making an exception in this case” Work is underway to re-architect freebsd-update and portsnap to do signature verification on all files before they are passed to libarchive/tar, to help protect users from any future vulnerabilities in libarchive. However, this requires changes to the metadata format to provide these additional signatures, and backwards compatibilities must be preserved, so people can update to the newer versions to get these additional security features There is also discussion of using HTTPS for delivery of the files, but certificate verification and trust are always an issue. FreeBSD does not distribute a certificate trust store by default. There will be more on this in the coming days. *** OpenSSH 7.3 Released (http://www.openssh.com/txt/release-7.3) OpenSSH 7.3 has landed! Primarily a bug-fix release, the release notes do mention the pending deprecation of some more legacy Crypto in the future, including denying all RSA keys < 1024bit, and removal of SSHv1 support. (Already disabled via compile option) On the bug side, there was a security issue addressed in sshd: “sshd(8): Mitigate a potential denial-of-service attack against the system's crypt(3) function via sshd(8). An attacker could send very long passwords that would cause excessive CPU use in crypt(3). sshd(8) now refuses to accept password authentication requests of length greater than 1024 characters” Also a timing issue was resolved in regard to password auth, which could possibly allow an attacker to discern between valid/invalid account names. On the feature side, we have the new ProxyJump option (-J flag) which allows you to do simplified indirection through various SSH jump hosts. Various bugs were fixed, and some compile failures resolved in the portable version to auto-disable some ciphers not supported by OpenSSL. News Roundup OpenBSD Ports - Integrating Third Party Applications [pdf] (http://jggimi.homeip.net/semibug.pdf) A talk from Josh Grosse, presented at SEMIBUG (South-East Michigan BSD Users Group), about OpenBSD Ports It opens by explaining the separation of the ‘base system' from ‘packages', as is common in most all BSDs It explains the contents of OpenBSD package tar file, which contain some metadata files (+CONTENTS and +DESC) and then the actual package files The talk goes on to explain the different branches (-release, -stable, and -current), and warn users that there are no official -stable packages from the project Then it goes on into the development model, including what new contributors should expect Then it walks through the entire process of creating a port and getting it contributed *** NetBSD removes last RWX page in amd64 kernel (http://mail-index.netbsd.org/source-changes/2016/07/27/msg076413.html) NetBSD has purged the last holdout RWX page on the amd64 platform > “Use UVMPROTALL only if UVMKMFEXEC is given as argument. Otherwise, if UVMKMFPAGEABLE is also given as argument, only the VA is allocated and UVM waits for the page to fault before kentering it. When kentering it, it will use the UVMPROT flag that was passed to uvm_map; which means that it will kenter it as RWX. With this change, the number of RWX pages in the amd64 kernel reaches strictly zero.” Break out the party favors! Hopefully any last stragglers in any of the other BSD's gets retired soon as well. *** DragonFly BSD 4.6 launches with home-grown support for NVMe Controllers (http://linux.softpedia.com/blog/dragonfly-bsd-4-6-0-launches-with-home-grown-support-for-nvme-controllers-506908.shtml) Softpedia picked up on the release of DragonFlyBSD 4.6, specifically about their new home-grown NVMe driver. > “We now have a NVMe driver (PCIe SSDs). It currently must be kldloaded with nvme_load="YES" in /boot/loader.conf. The driver uses all concurrency features offered by the chip and will distribute queues and interrupts across multiple CPUs to maximize performance. It has been tested up to around 1.05M IOPS @4K, and roughly 6.5 GBytes/sec @32K (random read from urandom-filled partition, physio, many threads), with the 2xE5-2620v4 (xeon) test server 78% idle in the IOPS test and 72% idle on the bandwidth test. In other words, we maxed out the three NVMe devices we had plugged in and the system still had plenty of suds left over. Please note that a machine's ability to boot from an NVMe device depends on the BIOS, and not DragonFly. Most BIOSes cannot boot from NVMe devices and those that can probably only do it through UEFI. Info on device state is available with the new utility nvmectl.“ In addition to this improved support, 4.6 also brings in the improved graphics support, matching what is in Linux 4.4 and support for Broadwell/Skylake. SMP also got some love: > “SMP performance was already very good. As part of the NVMe driver work we revamped the buffer cache subsystem and a number of other I/O related paths, further reducing lock contention and IPI signalling overheads. We also put topology-aware cpu cache localization into the kernel memory allocator (primarily helps multi-socket systems and systems with high core counts). The network subsystem also continues to receive significant improvement, with modest machine configurations now capable of handling upwards of 580K conns/sec.“ +Full Release Notes (https://www.dragonflybsd.org/release46/) *** The powerd++ daemon monitors the system load and adjusts the CPU clock accordingly and is a drop-in replacement for FreeBSD's native powerd(8). (http://www.freshports.org/sysutils/powerdxx/) As mentioned in our EuroBSDCon 2016 rundown, Dominic Fandrey will be giving a presentation about his powerd replacement, powerd++ The source code is already available on github, and is in ports The major difference is the newer design handle many-core systems much better. The original powerd was written at a time when most laptops only had a single core, and maybe a hyperthread. The new design decides which CPU frequency to use by looking at the busiest core, rather than the average across the cores, resulting in a more meaningful result. It also supports averaging over a longer period of time, to avoid jumping to a higher frequency to quickly powerd++ also avoids ‘slewing' the cpu frequency, ratching it up and down one step at a time, and instead jumps directly to the target frequency. Often times, you will use less battery by jumping to maximum frequency, finishing the work, and going back to a low power state, than trying to do that work over a longer period of time in low power mode *** Beastie Bits Hyper-V: Unmapped I/O improves userland direct disk performance by 35% ~ 135% (https://svnweb.freebsd.org/base?view=revision&revision=303474) One does not simply remove FreeBSD (https://imgur.com/a/gjGoq) A new BSD Podcast "BSD Synergy" has started (https://www.youtube.com/channel/UCBua6yMtJ6W5ExYSREnS3UQ) KnoxBug - Next Meeting - Aug 30th (http://knoxbug.org/content/2016-08-30) Feedback/Questions Daniel - Root/Wheel (http://pastebin.com/8sMyKm6c) Joe - IPV6 Frag (http://pastebin.com/r5Y0gbxf) Paul - ChicagoBug (http://pastebin.com/iVYPYcVs) Chris - SSH BruteBlock (http://pastebin.com/597m9gHa) Todd - Jails (http://pastebin.com/xjbKwSaz) ***
This week on BSDNow, we have some big breaking news about another major switcher to FreeBSD, plus early information about the pending This episode was brought to you by Headlines Leo Laporte tries FreeBSD (http://www.leolaporte.com/blog/a-grand-experiment) Leo Laporte, formerly of TechTV, and now of TWiT.tv, is switching to FreeBSD “The latest debacle over the "forced" upgrade to Windows 10 and Apple's increasingly locked-in ecosystem has got me thinking. Do I really need to use a proprietary operating system to get work done? And while I'm at it, do I need to use commercial cloud services to store my data?” A sometimes Linux user since the mid 90s, Leo talks about his motivations: “But as time went by, even Ubuntu began to seem too commercial to me” “So now for the grand experiment. Is it possible, I wonder, to do everything I need to do on an even more venerable, more robust system: a true UNIX OS, FreeBSD? Here are my requirements” Browsing Email with PGP signing and encryption Coding - I'm a hobbyist programmer requiring support for lisp/scheme/racket, rust, and python (and maybe forth and clojure and meteor and whatever else is cool and new) Writing A password vault. I currently use Lastpass because it syncs with mobile but eventually I'll need to find a FOSS replacement for that, too Photo editing - this is the toughest to replace. I love Photoshop and Lightroom. Can I get by with, say, GIMP and Darktable? I do all of those things on my PCBSD machine all the time “I love Linux and will continue to use it on my laptops, but for my main workhorse desktop I think FreeBSD will be a better choice. I also look forward to learning and administering a true UNIX system.” He got a nice SuperMicro based workstation, with an Intel Xeon E3-1275v5 and an NVIDIA GeForce GTX 960 GPU I have a server with one of those Skylake E3s, it is very nice “450Mbps Wireless N Dual Band PCI-e Adapter w/ 3x 2dBi Antennas (Yes, sad to say, unless I rewire my house I'll have to use Wi-Fi with this beast. I'll probably rewire my house.)” He plans to have a 4x 1TB ZFS pool, plus a second pool backed by a 512 GB NVMe m.2 for the OS “And I'll continue to chronicle my journey into the land of FOSS here when The Beast arrives. But in the meantime, please excuse me, I've got some reading to do.” Leo went so far as to slap a “Power By FreeBSD” sticker (https://youtu.be/vNVst_rxxm0?t=270) on the back of his new Tesla *** OpenBSD 6.0 to be released on Sept 1st, 2016 (http://undeadly.org/cgi?action=article&sid=20160725100831) OpenBSD 6.0 Tenative Released Notes (https://www.openbsd.org/60.html) OpenBSD 6.0 is just around the corner, currently slated for Sept 1st and brings with it a whole slew of exciting new features First up, and let's get this right out of the way.. VAX support has been dropped!! Oh no! However to make up for this devastating loss, armv7 has been added to this release. The tentative release notes are very complete and marks 6.0 as quite an exciting release OpenBSD 6.0 Pre-orders up (http://undeadly.org/cgi?action=article&sid=20160726230851) OpenBSD 6.0 tightens security by losing Linux compatibility (http://www.infoworld.com/article/3099038/open-source-tools/openbsd-60-tightens-security-by-losing-linux-compatibility.html) In related news, infoworld picked up on the pending removal of Linux compat from OpenBSD 6.0. Touted as a security feature, you will soon be unable to run legacy linux binaries on OpenBSD. This has both positives and negatives depending upon your use case. Ironically we're excitedly awaiting improved Linux Compat support in FreeBSD, to allow running some various closed-source applications. (Netflix DRM, Steam, Skype to name a few) *** EuroBSDCon 2016 Schedule released (https://2016.eurobsdcon.org/talks-schedule/) EuroBSDCon 2016 Tutorial Schedule released (https://2016.eurobsdcon.org/tutorials/) EuroBSDCon has announced the list of talks and tutorials for September 22nd-25th's conference! George Neville Neil (Who we've interviewed in the past) is giving the keynote about “The Coming Decades of BSD” *** News Roundup Blast from the past No interview again this week, we're working on getting some people lined up. The Leo Laporte story brought these old gem from TechTV into my youtube playlist: Matt Olander and Murrey Stokey explain FreeBSD on TechTV (https://www.youtube.com/watch?v=d0UsXwRvaIg) Matt Olander and Brooks Davis explain building a cluster with FreeBSD on TechTV (https://www.youtube.com/watch?v=bAsYz5pVwyc) FreeBSD vs Linux Part 1 (https://www.youtube.com/watch?v=91igg2UX7o8) FreeBSD vs Linux Part 2 (https://www.youtube.com/watch?v=oU88fQkwfws) *** Running FreeBSD on the LibreM (https://ericmccorkleblog.wordpress.com/2016/07/16/freebsd-librem-update/) Eric McCorkle (Who has worked on the EFI loader for a while now) has written an update on his efforts to get FreeBSD working properly on the LibreM 13 laptop. Since April the work seems to be progressing nicely Matt Macy's i915 graphics patch works well on the Librem 13, and I personally made sure that the suspend/resume support works. The patch is very stable on the Librem, and I've only had one kernel panic the entire time testing it. The HDMI output Just Works™ with the i915 driver. Even better, it works for both X11 and console modes. Full support for the Atheros 9462 card has been merged in. I've had some occasional issues, but it works for the most part. The vesa weirdness is obviated by i915 support, but it was resolved by using the scfb driver. Some of the outstanding issues still being worked on are support for Synaptics on this particular touchpad, as well as hotkey support for the keyboard, and brightness controls. In addition Eric is still working on the EFI + Geli support, with the eventual goal of getting EFI secure-boot working out of box as well. More OpenBSD syscall fuzzing (http://seclists.org/oss-sec/2016/q3/157) NCC Group's Project Triforce continues its work of fuzzing OpenBSD This time they have found a flaw that allows any user to panic the kernel Attempting to read from the tmpfs_vfsops sysctl tree will panic the system: “attempt to execute user address 0x0 in supervisor mode” This is actually a “good” thing… “Impact: Any user can panic the kernel by using the sysctl call. If a user can manage to map a page at address zero, they may be able to gain kernel code execution and escalate privileges” OpenBSD's default configuration prevents mapping a page at address zero, so the code execution is prevented So while a panic is a bad outcome, it is a lot better than it could have been *** Root privilege escalation on NetBSD (http://akat1.pl/?id=2) This post described a root privilege escalation in NetBSD mail.local is a utility included in the base system for delivering mail to other users on the same system, rather than invoking a mail client and going through the mail server. The mail.local utility contains a ‘time of check / time of use' vulnerability. This means that it checks if a file or permission is valid, and then later accesses that file. If an attacker can change that file between the time when it is checked, and the time when it is used, they may be able to exploit the system by evading the check This is exactly what happens in this case mail.local appends a message to the indicated user's mailbox It first checks if the target user already has an existing mailbox file. If the file exists, but is a link, mail.local exits with an error (to prevent exploits) If the file does not exist, it is created The message is then appended to the file If the file needed to be created, it is chown'd to the owner of the mailbox This is where the problem lies, if mail.local checks and does not find the mailbox, but an attacker then creates a link from the target mailbox to some other file mail.local then appends to that file instead, thinking it is creating the new mailbox Then, mail.local chown's the target file to the user the attacker was trying to send mail to The article explains how this could be used to replace /etc/master.passwd etc, but opts for an easier proof of concept, replacing /usr/bin/atrun, which is run as root every 5 minutes from crontab with a script that will copy the shell to /tmp and mark it setuid The attacker can then run that shell out of /tmp, and be root NetBSD fixed the vulnerability by changing the code flow, separating the cases for opening an existing file from creating a new file. In the case where an existing file is opened, the code then verifies that the file that was opened has the same inode number and is on the same device, as the file that was checked earlier, to ensure it was not a link *** FreeBSD Heap vulnerability in bspatch (https://www.freebsd.org/security/advisories/FreeBSD-SA-16:25.bspatch.asc) An important vuln has been found and fixed in FreeBSD this past week, specifically relating to the ‘bspatch' utility. “Upstream's bspatch.c implementation doesn't check for negative values on the number of bytes to read from the "diff" and "extra" streams, allowing an attacker controlling the patch file to write at arbitrary locations in the heap.” This could result in a crash, or running arbitrary code as the user running bspatch. (Often root) “bspatch's main loop reads three numbers from the "control" stream in the patch: X, Y and Z. The first two are the number of bytes to read from "diff" and "extra" (and thus only non-negative), while the third one could be positive or negative and moves the oldpos pointer on the source image. These 3 values are 64bits signed ints (encoded somehow on the file) that are later passed the function that reads from the streams, but those values are not verified to be non-negative.” “Chrome[OS] has four different implementations of this program, all derived from the same original code by Colin Percival.” Chromium Issue Tracker (https://bugs.chromium.org/p/chromium/issues/detail?id=372525) Patch your systems now! *** Beastie Bits: If you're a BUG member or Organizer, please contact BSD Now (https://twitter.com/q5sys/status/758087886927388673) TedU writes about some interesting localizations to gcc in openbsd, and why they are there (http://www.tedunangst.com/flak/post/one-reason-to-hate-openbsd) List of Products based on FreeBSD -- Help complete the list (https://en.wikipedia.org/wiki/List_of_products_based_on_FreeBSD) Virtualbox v5 hits the FreeBSD Ports tree (http://www.freshports.org/emulators/virtualbox-ose/) Skull Canyon NUC booting FreeBSD 11.0-BETA2 (https://gist.github.com/gonzopancho/b71be467f45594822131f4816d6cb718) 2016 BSDCan Trip Report : Trent Thompson (https://www.freebsdfoundation.org/blog/2016-bsdcan-trip-report-trent-thompson/) August London BSD Meetup (http://mail-index.netbsd.org/regional-london/2016/07/25/msg000542.html) Feedback/Questions Michael Open-Source Alts (http://pastebin.com/eiWbDXTd) Herminio - AP Troubles (http://pastebin.com/w9aCDBut) Jake - Plasma (http://pastebin.com/d15QpVFw) Morgan - Clean DO Droplets (http://pastebin.com/Wj1P7jq8) Chris - Auditd (http://pastebin.com/U9PYEH6K) ***