This is episode 121 of Licht op Legal. In this episode Michael Reker, attorney for Information Technology & Privacy at Van Benthem & Keulen, discusses the Cyber Resilience Act.

The Cyber Resilience Act (abbreviated CRA) was introduced to raise the security of hardware and software products in the EU and thereby limit the impact of security incidents (think of cases such as the Ripple20 exploit or the CrowdStrike update). From December 2027, the main objectives of the CRA translate into stricter product requirements in the area of security and a mandatory CE marking for all products with digital elements (hardware and software).

In this episode Michael explains which products the Cyber Resilience Act applies to and what the most important obligations are that the Cyber Resilience Act imposes on, for example, manufacturers, importers and distributors of these products. Michael then explains what the CE-marking obligation means in concrete terms and what companies have to do to meet it, and discusses the consequences of not complying with the requirements of the Cyber Resilience Act. Michael closes the podcast with tips for companies preparing for the arrival of the Cyber Resilience Act.

Would you like to know more about the Cyber Resilience Act? Then contact Michael Reker.

Do you have suggestions for a topic, or would you like our experts to shed their light on your legal question? Then send an e-mail to lichtoplegal@vbk.nl. You can listen to Licht op Legal via our website, Spotify, Apple Podcasts or your own favourite podcast app.

This is a podcast by Van Benthem & Keulen. You can find us at vbk.nl.
Big DREAM School - The Art, Science, and Soul of Rocking OUR World Doing Simple Things Each Day
Bitcoin for Climate Change Warriors with Margot Paez

Margot Paez is a climate change physicist and PhD candidate in the civil engineering department at Georgia Institute of Technology. She has an MS in physics from GT and works on climate change statistical-based modeling, primarily in relation to water resources. Her previous research includes robotics and physics of living systems, astrobiology instrumentation, and web-based data management systems.

She addresses the misconceptions and misinformation surrounding Bitcoin's environmental impact and emphasizes the need for accurate and unbiased research. Margot also discusses the funding and motivations behind certain environmental campaigns and the potential of Bitcoin mining to reduce methane emissions. She advocates for bridging the gap between environmentalists and the Bitcoin community to find sustainable solutions for the future.
Alyssa Miller (@AlyssaM_InfoSec)
April Wright (@Aprilwright)

Open Source issues (quick discussion, because I value your opinions, and supply chain is important in the IoT world too.)
Log4j and OSS software management and profitability
Free as in beer, but you pay for the cup… (license costs $$, not the software). “If you make money using our software, you must buy a license” - not an end-user license
Open source conference at Whitehouse:
https://www.zdnet.com/article/log4j-after-white-house-meeting-google-calls-for-list-of-critical-open-source-projects/
https://www.wsj.com/articles/white-house-convenes-open-source-security-summit-amid-log4j-risks-11642119406
“For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that many eyes were watching to detect and resolve problems,” said Kent Walker, chief legal officer at Google in a blog post published after the meeting. “But in fact, while some projects do have many eyes on them, others have few or none at all.”
Show was inspired by this Twitter conversation:
https://twitter.com/aprilwright/status/1461724712455782400?t=Fv2tmSTXrn-SSjPCka3gxg&s=19
https://twitter.com/AlyssaM_InfoSec/status/1464661807751213056?t=CFy-hgcHo2a8NwowKYo0hg&s=19

IoT architecture (https://www.avsystem.com/blog/iot-ecosystem/)
Open source IoT platforms: https://www.record-evolution.de/en/open-source-iot-platforms-making-innovation-count/
Cloud services - processing messages, register/de-register devices, pass messages to other devices/gateways
Gateways - Devices - Mobile apps - SDKs - integrations
Cloud services DO go offline, point of failure: https://www.datacenterdynamics.com/en/news/aws-us-east-1-outage-brings-down-services-around-the-world/
Connectivity and sharing mesh networks assumes you like your neighbors.
Sidewalk Whitepaper: https://m.media-amazon.com/images/G/01/sidewalk/final_privacy_security_whitepaper.pdf
Network vulnerabilities: https://fractionalciso.com/why-you-should-not-be-using-xfinitywifi-hotspots/

Stalking/privacy vs. tracking/surveillance
Fine GPS locations
Nearby devices triangulate (via BLE, wifi, or 900 MHz)
We want to find our lost devices, but devices can be used for stalking
https://www.autoevolution.com/news/police-claim-apple-has-unwillingly-created-the-most-convenient-stalking-device-179228.html
Just have an iPhone and you'll be able to find a stalking device, just install a 100MB app (Ring, Alexa, etc) to detect all devices in the area, or use the right ecosystem to find these items (or know every possible device that could be used to track someone)
What do companies want with that information?
What is a ‘happy medium' to allow you to find your dog, but not to track people?
Device controls? Buzzers? (how loud can you make a noise in a small device?)
Size issues, battery life, beaconing, self-identification (“Hi, I am a lost device…”)
Is what Airtags doing enough to reduce the fear? Are we designing to edge cases?
There are cheaper/easier ways to track someone (phones have a longer standby time than fetch/airtag/tile)
How often do you lose your keys? Why is your dog not on a leash or properly trained?

What will it take to make these kinds of devices more secure?
https://spectrum.ieee.org/why-iot-sensors-need-standards
Will it take privacy protections to motivate IoT devices to design a better IoT device? Or force standards to be followed, like https://www.ioxtalliance.org/get-ioxt-certified?
Or NIST standards: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213-draft.pdf
https://csrc.nist.gov/publications/detail/sp/800-213a/final - detailed specs

Threat modeling, vulnerabilities in IoT networks and platforms
Does your IoT platform give out SDKs for integrations or allow 3rd party products or apps?
https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
https://www.avsystem.com/blog/iot-ecosystem/
Old and outdated libraries, like TCP vulnerabilities (RIPPLE20)
https://www.businessinsider.com/iot-security-privacy
https://www.eurofins-cybersecurity.com/news/security-problems-iot-devices/
https://arxiv.org/ftp/arxiv/papers/1302/1302.0939.pdf - Security and Privacy Issues in Wireless Mesh Networks: A Survey
https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/
https://www.amazon.com/gp/help/customer/display.html?nodeId=GZ4VSNFMBDHLRJUK - Opt-out of Amazon Sidewalk
Amazon Sidewalk discussion: https://www.silabs.com/support/training/amazon-sidewalk-development/amz-103-amazon-sidewalk-technology-architecture-and-infrastructure
Fetch: “As one example, this week we announced Fetch, a compact, lightweight device that will clip to your pet's collar and help ensure they're safe. If your dog wanders outside a perimeter you've set using the Ring app, Fetch will let you know. In the future, expanding the Amazon Sidewalk network will provide customers with even more capabilities like real-time location information, helping you quickly reunite with your lost pet. For device makers, Fetch also serves as a reference design to demonstrate the potential that devices connected to a broad, reliable network can provide to their customers.” https://www.aboutamazon.com/news/devices/introducing-amazon-sidewalk
Join Scott Young and Shaun Sturby from Optrics Engineering as they discuss the largest DDoS (distributed denial of service) attack, BlueLeaks and dating app data breaches, and Ripple20.
For more IT tips go to: www.OptricsInsider.com

Timecodes:
0:00 - Intro
0:20 - Today's 3 topics
0:30 - Topic 1: The Largest DDoS Attack on Amazon Web Service
2:29 - Topic 2: Blue Leaks & Dating App Data Breaches
5:43 - Topic 3: Ripple 20
8:36 - Closing remarks

Learn more about the largest DDoS attack:
> AWS Shield Threat Landscape report is now available
Data Breaches - BlueLeaks and Dating apps:
> ‘BlueLeaks' Exposes Files from Hundreds of Police Departments
> Dating Apps Exposed 845 GB of Explicit Photos, Chats, and More
Learn more about Ripple 20:
> New Ripple20 Flaws Put Billions of Internet-Connected Devices at Risk of Hacking
> Ripple20 - 19 Zero-Day Vulnerabilities Amplified by the Supply Chain
Ripple20 is a recently announced set of documented vulnerabilities in the early Treck TCP/IP stack, a popular choice for early IoT devices. Our hosts are joined by guest Alan Grau, who explains the significance of these vulnerabilities, the difficulties in dealing with them, and how we can improve to avoid these problems in the future.
Podcast: Brakeing Down Security Podcast
Episode: 2020-032-Dr. Allan Friedman, SBOM, Software Transparency, and how the sausage is made - Part 2
Pub date: 2020-08-24

Ms. Berlin: Tabletop D&D exercise
Blumira is hiring https://www.blumira.com/career/lead-backend-engineer/

Allan Friedman - Director of Cybersecurity Initiatives, NTIA, US Department of Commerce
NTIA.gov - National Telecommunications and Information Administration
https://www.ntia.gov/sbom - SBOM guidance
Healthcare SBOM PoC - https://www.ntia.gov/files/ntia/publications/ntia_sbom_healthcare_poc_report_2019_1001.pdf
Allan’s talk at Bsides San Francisco: https://www.youtube.com/watch?v=9j1KYLfklMQ

Questions (more may be added during the show, depending on answers given)
What is NTIA?
What is SBOM? Why do we need one? Is it poor communications between vendors?
Is there any difference between “Software transparency” and “Software bill of materials”?
How do you make an SBOM? What data formats make sharing easier?
What does a company do with an SBOM?
Where in the development (hardware or software) would you be creating an SBOM?
You mention in your BSSF talk ‘how detailed it should be’. Can you give us an example of a high level SBOM, versus a more detailed one? Does it become a risk/reward effort concerning detail?
IoT device creators are working with their 3rd parties, who are working with their 3rd parties. Someone at home with a webcam cannot easily ask for an SBOM, so how do we convince device makers to want to ask for them?
How do you get your 3rd party that is a multi-national corporation to supply you with the information you need to ?
As we saw with RIPPLE20, many companies don’t know what they have. How would SBOM help keep another RIPPLE20 from happening?
Rob Graham’s blog post highlighted that vulns like HeartBleed would not have been stopped. How does this help us track potential vulns?

Sharing information
Best way to share information about IoT components? Could an information sharing org (ISAC) track these more readily?
Vendor assessments: Vendor does not have an SBOM, any specific questions we might ask that will allow an org to get more resolution into a potential vendor?
Interesting feedback from NTIA’s RFC
Other SBOM types (CycloneDX, OpenBOM, FDA’s CBOM)
Companies are out there creating SBOM, other government agencies have SBOM implementations. How do we keep this from being the XKCD “927” issue? https://xkcd.com/927/
Non-US implementations of SBOM? How do we get our companies to implement these?
SBOM could easily be something that could give hackers a lot of information about your org and depending on the information contained, I could see why you might not want to get super specific… Thoughts?

What is a ‘Bill of Materials’?
“A bill of materials (BOM) is a comprehensive inventory of the raw materials, assemblies, subassemblies, parts and components, as well as the quantities of each, needed to manufacture a product. In a nutshell, it is the complete list of all the items that are required to build a product.”
SBOM - Definition
As of November 2019, an estimated 126 different platforms - https://www.postscapes.com/internet-of-things-platforms/
NTIA did an RFC on “promoting the sharing of Supply Chain Security Risk Information”
https://www.ntia.gov/federal-register-notice/2020/request-comments-promoting-sharing-supply-chain-security-risk
https://www.ntia.gov/federal-register-notice/2020/comments-promoting-sharing-supply-chain-security-risk-information-0
Secure and Trusted Communications Network Act of 2019 (Act) - Calling it “CBOM”
Other groups working on similar:
FDA https://www.fda.gov/media/119933/download
SPDX: Linux Foundation: https://spdx.org/licenses/
OpenBOM https://medium.com/@openbom/friday-discussion-why-boms-are-essential-for-the-iot-platform-e2c4bd397afd
https://github.com/CycloneDX/specification
https://www.fda.gov/medical-devices/digital-health/cybersecurity
https://www.fda.gov/regulatory-information/search-fda-guidance-documents/guidance-content-premarket-submissions-software-contained-medical-devices
Medical device IR Playbook: https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf
Companies are helping to get “CBOM” for devices: “It can take anywhere from six months to a year for a new medical device to get its 510(k) clearance from the FDA,” said MedCrypt CEO Mike Kijewski in a news release. https://www.medicaldesignandoutsourcing.com/medcrypt-acquires-medisao-in-medtech-cybersecurity-deal/
SBOM doesn’t work in DevOps: https://cybersecurity.att.com/blogs/security-essentials/software-bill-of-materials-sbom-does-it-work-for-devsecops
Intoto software development: https://www.intotosystems.com/
510k process: https://www.drugwatch.com/fda/510k-clearance/

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#AmazonSmile: https://brakesec.com/smile
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://pandora.app.link/p9AvwdTpT3
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

The podcast and artwork embedded on this page are from Bryan Brake, Amanda Berlin, Brian Boettcher, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.
Podcast: Brakeing Down Security Podcast
Episode: 2020-031-Allan Friedman, SBOM, software transparency, and knowing how the sausage is made
Pub date: 2020-08-18

Ms. Berlin: Tabletop D&D exercise
Blumira is hiring: https://www.blumira.com/career/lead-backend-engineer/

Allan Friedman - Director of Cybersecurity Initiatives, NTIA, US Department of Commerce
NTIA.gov - National Telecommunications and Information Administration
SBOM guidance: https://www.ntia.gov/sbom
Healthcare SBOM PoC: https://www.ntia.gov/files/ntia/publications/ntia_sbom_healthcare_poc_report_2019_1001.pdf
Allan's talk at BSides San Francisco: https://www.youtube.com/watch?v=9j1KYLfklMQ

Questions (more may be added during the show, depending on answers given):
What is NTIA?
What is SBOM? Why do we need one? Is it poor communications between vendors?
Is there any difference between "Software transparency" and "Software bill of materials"?
How do you make an SBOM? What data formats make sharing easier?
What does a company do with an SBOM?
Where in the development (hardware or software) would you be creating an SBOM?
You mention in your BSSF talk 'how detailed it should be'. Can you give us an example of a high-level SBOM versus a more detailed one? Does it become a risk/reward effort concerning detail?
IoT device creators are working with their 3rd parties, who are working with their 3rd parties. Someone at home with a webcam cannot easily ask for an SBOM, so how do we convince device makers to want to ask for them?
How do you get your 3rd party that is a multi-national corporation to supply you with the information you need to ?
As we saw with RIPPLE20, many companies don't know what they have. How would SBOM help keep another RIPPLE20 from happening?
Rob Graham's blog post highlighted that vulns like HeartBleed would not have been stopped. How does this help us track potential vulns?

Sharing information:
Best way to share information about IoT components?
Could an information sharing org (ISAC) track these more readily?

Vendor assessments:
Vendor does not have an SBOM; are there any specific questions we might ask that will allow an org to get more resolution into a potential vendor?
Interesting feedback from NTIA's RFC
Other SBOM types (CycloneDX, OpenBOM, FDA's CBOM)
Companies are out there creating SBOMs, and other government agencies have SBOM implementations. How do we keep this from being the XKCD "927" issue? https://xkcd.com/927/
Non-US implementations of SBOM?
How do we get our companies to implement these?
SBOM could easily be something that could give hackers a lot of information about your org, and depending on the information contained, I could see why you might not want to get super specific... Thoughts?

What is a 'Bill of Materials'?
"A bill of materials (BOM) is a comprehensive inventory of the raw materials, assemblies, subassemblies, parts and components, as well as the quantities of each, needed to manufacture a product. In a nutshell, it is the complete list of all the items that are required to build a product."

SBOM - Definition
As of November 2019, an estimated 126 different platforms - https://www.postscapes.com/internet-of-things-platforms/
NTIA did an RFC on "promoting the sharing of Supply Chain Security Risk Information":
https://www.ntia.gov/federal-register-notice/2020/request-comments-promoting-sharing-supply-chain-security-risk
https://www.ntia.gov/federal-register-notice/2020/comments-promoting-sharing-supply-chain-security-risk-information-0
Secure and Trusted Communications Network Act of 2019 (Act) - Calling it "CBOM"

Other groups working on similar:
FDA: https://www.fda.gov/media/119933/download
SPDX (Linux Foundation): https://spdx.org/licenses/
OpenBOM: https://medium.com/@openbom/friday-discussion-why-boms-are-essential-for-the-iot-platform-e2c4bd397afd
CycloneDX: https://github.com/CycloneDX/specification
https://www.fda.gov/medical-devices/digital-health/cybersecurity
https://www.fda.gov/regulatory-information/search-fda-guidance-documents/guidance-content-premarket-submissions-software-contained-medical-devices
Medical device IR Playbook: https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf
Companies are helping to get "CBOM" for devices: "'It can take anywhere from six months to a year for a new medical device to get its 510(k) clearance from the FDA,' said MedCrypt CEO Mike Kijewski in a news release" https://www.medicaldesignandoutsourcing.com/medcrypt-acquires-medisao-in-medtech-cybersecurity-deal/
SBOM doesn't work in DevOps: https://cybersecurity.att.com/blogs/security-essentials/software-bill-of-materials-sbom-does-it-work-for-devsecops
Intoto software development: https://www.intotosystems.com/
510k process: https://www.drugwatch.com/fda/510k-clearance/
This week, we welcome Jeff Costlow, Deputy CISO at ExtraHop, to discuss the challenges of detecting and patching Ripple20! Ripple 20 is a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc. In the Leadership and Communications section, CISOs say new problem solving strategies required, How Remote Work is Reshuffling Your Security Priorities and Investments, Security Jobs With a Future -- And Ones on the Way Out and more! Show Notes: https://wiki.securityweekly.com/bsw184 Visit https://securityweekly.com/extrahop to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
Jeff Costlow, Deputy CISO at ExtraHop, will discuss the challenges of detecting and patching Ripple20. Ripple 20 is a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc. There are two primary attack vectors: Internet Protocol and Domain Name Services. Jeff will discuss ExtraHop's approach to detecting these devices and provide a quick demo of the solution. This segment is sponsored by ExtraHop Networks. Visit https://securityweekly.com/ to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/bsw184
Our guest this month is Luke Tamagna-Darr, and he tells us about some of the automation projects his team is working on, including predicting CVSS vectors when they are missing from vulnerability descriptions. As always, Satnam walks us through the latest vulnerability news as well as the work Tenable Research has done to identify devices impacted by Ripple20.

Show References:
Microsoft's August 2020 Patch Tuesday Addresses 120 CVEs (CVE-2020-1337)
Zero-Day Remote Code Execution Vulnerability in vBulletin Disclosed
Ripple20: More Vulnerable Devices Discovered, Including New Vendors
CVE-2020-10713: "BootHole" GRUB2 Bootloader Arbitrary Code Execution Vulnerability
CVE-2020-3452: Cisco Adaptive Security Appliance and Firepower Threat Defense Path Traversal Vulnerability
Tor 0day: Stopping Tor Connections
North Korea's Lazarus Group Developing Cross-Platform Malware Framework
Does First Amendment let ISPs sell Web-browsing data? Judge is skeptical
Amazon Met With Startups About Investing, Then Launched Competing Products
Ripple20's Effects Could Impact IoT Cybersecurity for Years to Come
FBI nabs Nigerian business scammer who allegedly cost victims millions
Why everyone is talking about the A.I. text generator released by an Elon Musk backed lab?
Cloudflare DNS goes down, taking a large piece of the internet with it
Twitter Breach a Reminder of Need to Protect Corporate Social Media Use
Challenges with DevOps and end-to-end integration with Hitesh Patel, senior director of product management for automation, orchestration and ecosystems with F5 Networks

Hosts: Louis Maresca, Curt Franklin, and Brian McHenry
Guest: Hitesh Patel
Download or subscribe to this show at https://twit.tv/shows/this-week-in-enterprise-tech.
Sponsors: securityscorecard.com/twit bit.ly/salesforceforservice ZipRecruiter.com/twiet
Whitepaper: https://www.jsof-tech.com/ripple20/
[blog] Build your own custom TCP/IP stack: https://www.saminiir.com/lets-code-tcp-ip-stack-1-ethernet-arp/
Another custom TCP/IP stack: https://github.com/tass-belgium/picotcp
RIPPLE 20 Whitepaper: https://drive.google.com/file/d/1d3NNVCRPVFk0-V0HUO5CxWWVn9pYIvmF/view?usp=sharing

Agenda:

Part 1: Background on the report
Why is it called RIPPLE20? What's the RIPPLE about?
Communications with Treck (and its Japanese counterpart). Were you surprised about the reaction? Positive or negative?
Types of systems affected? IoT, embedded systems, SCADA
What precipitated the research?
What difficulties did you face in finding these vulns? Deadlines?
What tools were used for analysis? (I think you mentioned Forescout --brbr)
What kind of extensibility are we talking about? TCP sizes?
What did JSOF gain by doing this?
What were the initial benefits of using the TCP/IP stack? Speed? Size?
Do these vulns affect other TCP/IP stacks?
Did Treck give you access to source? Any specific requirements set by Treck? Any items that were off-limits?
Updates since the report was released?
Are your vulns such that they can be detected online?

Part 2: Supply chain issues
What should companies do when they don't know what's in their own tech stack?
https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf
Software bill of materials: https://en.wikipedia.org/wiki/Software_bill_of_materials
The PicoTCP project linked above does not release all of its code, because it uses binary blobs that make proper code review next to impossible:
"Unfortunately we can't release all the code, a.o. because some parts depend on code or binaries that aren't GPL compatible, some parts were developed under a commercial contract, and some consist of very rough proof-of-concept code. If you want to know more about the availability under the commercial license, or the possibility of using our expert services for porting or driver development, feel free to contact us at picotcp@altran.com."
BLOBs = https://en.wikipedia.org/wiki/Proprietary_device_driver

Vendor Contact
How many organizations are affected by these vulnerabilities? Are some devices and systems more vulnerable than others? How many are you still investigating to see if they are affected?
What does the initial email look like when you tell a company "you're vulnerable to X"? Who are you dealing with initially?
What is your delivery when you're routed to non-technical people? How did you tailor your initial response when you learned of the position of the person?

Lessons Learned:
What would you have done differently next time? Any additional tooling that you'd have used?
BlackHat talk: 05 August
What should companies do to reduce or mitigate the chances of the types of vulnerabilities found by your org?
https://cambridgewirelessblog.wordpress.com/2016/05/18/supply-chain-security-and-compliance-for-embedded-devices-iot/
https://blog.shi.com/solutions/embedded-hardware-supply-chain-attacks-embedded-system-attacks-how-to-stay-safe/
http://www.intrinsic-id.com/wp-content/uploads/2018/02/2016-A-Platform-Solution-for-Secure-Supply-Chain-and-Chip-Cycle-Management-Computer-Volume-49-Issue-8-Aug.-2016-Joseph-P.-Skudlarek-Tom-Katsioulas-Michael-Chen-%E2%80%93-Mentor-Graphics..pdf
https://www.supplychainservices.com/blog/major-security-risks-windows-embedded-users
https://www.bbc.com/news/business-32716802#:~:text=Japanese%20car%20giants%20Toyota%20and,March%202003%20and%20November%202007.

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://pandora.app.link/p9AvwdTpT3
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Satnam starts us off with a veritable parade of vulnerabilities maxing out CVSS severity. Ripple20, PAN-OS, BIG-IP, SIGRed, RECON - lots to cover, and Satnam breaks it all down for us. As a bit of a palate cleanser, we talk to Tony Huffman and Tyler Coumbes about how Threat Automation works in products.

Show References:
CVE-2020-11896, CVE-2020-11897, CVE-2020-11901: Ripple20 Zero-Day Vulnerabilities in Treck TCP/IP Libraries Disclosed
CVE-2020-2021: Palo Alto Networks PAN-OS Vulnerable to Critical Authentication Bypass Vulnerability
https://twitter.com/RyanLNewington/status/1278074919092289537?s=20
CVE-2017-7391: Vulnerability in Magento Mass Import (MAGMI) Plugin Exploited in the Wild
CVE-2020-5902: Critical Vulnerability in F5 BIG-IP Traffic Management User Interface (TMUI) Actively Exploited
CVE-2020-6287: Critical Vulnerability in SAP NetWeaver Application Server JAVA Disclosed (RECON)
Microsoft's July 2020 Patch Tuesday Addresses 123 CVEs Including Wormable Windows DNS Server RCE (CVE-2020-1350) (SIGRed)
CVE-2020-1350: Wormable Remote Code Execution Vulnerability in Windows DNS Server Disclosed (SIGRed)
Tenable Research Discloses Multiple Vulnerabilities in Plex Media Server
In this episode we chat to Andy Ellis, who, on the very day we interviewed him, was celebrating his 20th anniversary as the Chief Security Officer for Akamai. We cover many topics - from taking down the "booth babe" culture at RSA, to fighting for more representation and diversity on cyber panels, to how he eliminated the password at his organization and built a Zero Trust network before that became a thing. Andy also shares one of the most interesting Star Wars theories we've ever heard, and has a fascinating take on heroes vs villains, and how the two overlap depending on who's telling the story. He then talks about why he hires librarians and journalists in his security team, and also exactly how hard it is to train lizards. (The last two topics aren't related, btw!)

You can read Akamai's "State of the Internet" report here: https://www.akamai.com/uk/en/resources/our-thinking/state-of-the-internet-report/

In the studio, Hazel and Ben are joined (virtually) again by Noureen Njoroge. Following the interview with Andy, Noureen talks incredibly passionately about her advocacy roles for women and minorities in cybersecurity, and some of the mentoring work that she does. For anyone who wants to know more about what they can do to give more opportunities to others - don't miss this section.

For our 'Emerging Threats' feature, we cover Ripple20: a set of 19 critical vulnerabilities impacting a TCP/IP software stack used by a wide variety of vendors and installed on millions of systems: enterprise network and consumer devices, but also IIoT. More details can be read in our blog: https://blogs.cisco.com/security/ripple20-critical-vulnerabilities-might-be-putting-your-iot-ot-devices-at-risk

And finally we have our 'On this Day' feature, which is when we jump into the DeLorean and head back in time to explore a significant security event. This time we're travelling back to 2001 to talk about Sircam, a notable worm that spread by email. The series of unfortunate events often started with a couple of lines of text that began 'I send you this file in order to have your advice'.

If you'd like to know more about the advocacy roles for women and minorities that Noureen is involved in, as well as access a wealth of cybersecurity resources, you can check them out at https://cybersecmentorship.org
Congress wants to kill encryption & face recognition.
New information about Ripple20
The Facial Recognition and Biometric Technology Moratorium Act wants to kill face recognition
The Lawful Access to Encrypted Data Act wants to kill encryption
Michigan State's legislative House passed the "Microchip Protection Act"
Apple forces the industry down to one-year web browser certificate lifespans
Safari to eschew 16 new web APIs for the sake of user privacy
Apple also got on the DoH & DoT bandwagon
Mozilla + Comcast + DoH: Strange Bedfellows
Don't forget about VirusTotal

We invite you to read our show notes at https://www.grc.com/sn/SN-773-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.
Sponsors: Melissa.com/twit OpenShift.com/SecurityNow expressvpn.com/securitynow
Our first episode of our new podcast!
Show Notes:
Docker Cryptojacking: https://unit42.paloaltonetworks.com/cryptojacking-docker-images-for-mining-monero/ https://www.binarydefense.com/threat_watch/docker-images-containing-cryptojacking-malware-distributed-via-docker-hub/
BlueLeaks: https://krebsonsecurity.com/2020/06/blueleaks-exposes-files-from-hundreds-of-police-departments/
Ripple20: https://thehackernews.com/2020/06/new-critical-flaws-put-billions-of.html
Apple ARM CPUs: https://www.techradar.com/news/intel-cpu-woes-forced-apple-to-design-own-processor-claims-ex-employee
Amazon Buys Zoox: https://zoox.com/wp-content/uploads/2018/12/Safety_Report_12Dec2018.pdf https://www.usatoday.com/story/money/2020/06/27/amazon-is-buying-self-driving-startup-zoox/112021444/
Fugaku Supercomputer: https://www.pcmag.com/news/japans-arm-based-fugaku-system-now-the-worlds-fastest-supercomputer
Intel AI Degree: https://www.abc15.com/news/business/intel-set-to-debut-artificial-intelligence-degree-program-in-valley
Ripple20; VirusTotal AI; Markley Quiz; O365 Phishing; Internet Weather
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:
Arrest of a hacker charged with the UPMC health system hack in 2014; discussion of attacker motives, methods of sale of healthcare data, and "bad guy business drivers" in healthcare
Medical device and IoT alerts from Homeland Security, including vulnerabilities from six prominent manufacturers and the "Ripple20" vulnerabilities affecting millions of IoT and IoMT devices
Healthcare organization adaptations to the "new normal"; an analysis of post-COVID business models and technologies that are causing security and risk teams to adjust their approaches. Trends covered include communication with the remote workforce, collaboration tools, telehealth technology, incident response, and more
https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/ https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3 https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4657 https://www.blumira.com/logmira-windows-logging-policies-for-better-threat-detection/ How would we map this against the MITRE matrix? Are there any MITRE attack types that are so similar that one attack can be two different things in the matrix? https://www.us-cert.gov/ics/advisories/icsa-20-168-01 https://www.zdnet.com/article/ripple20-vulnerabilities-will-haunt-the-iot-landscape-for-years-to-come/ https://www.tenable.com/blog/cve-2020-11896-cve-2020-11897-cve-2020-11901-ripple20-zero-day-vulnerabilities-in-treck-tcpip https://arstechnica.com/information-technology/2020/06/to-evade-detection-hackers-are-requiring-targets-to-complete-captchas/ Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3 #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Zoom encryption, Windows 10 printer error.
Ripple20: a set of 19 TCP/IP vulnerabilities that could let remote attackers gain control over your device
Russian government lifts its failed ban on Telegram
Zoom: everybody gets optional end-to-end encryption
Google removed 106 malicious Chrome extensions collecting sensitive user data
Windows 10 update breaks printing
VLC Media Player 3.0.11 fixes severe remote code execution flaw
Netgear in the doghouse
DDoS is alive and well... and growing
How to get the new Edge for Windows 7
We invite you to read our show notes at https://www.grc.com/sn/SN-772-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.
Sponsors: GetRoman.com/SECURITYNOW extrahop.com/SECURITYNOW Wasabi.com offer code SECURITYNOW
Every week, Joel Teixeira and Renato Marinho bring the hottest topics and, occasionally, some heavyweight names from the information security world. In the third episode of this new season, we talk about the vulnerabilities, named Ripple20, that affect millions of devices across different products, such as printers, infusion pumps and industrial devices, from multiple manufacturers such as HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar and Baxter, across multiple industries.
*Also available on YouTube: https://www.youtube.com/watch?v=5UhwVAu_zfs&feature=youtu.be
--------
FOLLOW OUR CHANNELS: https://www.instagram.com/morphusecurity https://www.linkedin.com/company/morphusecurity https://www.facebook.com/morphustecnologia
OUR CONTENT BLOG: https://www.medium.com/morphusblog
--------
INFORMATION: https://www.morphus.com.br https://www.morphuslabs.com
Massive Russian disinformation campaign uncovered. The objective? Destabilizing the world. - Lamphone: the attack that turns a light bulb into an eavesdropping device. A report published by a US senator embarrasses the CIA, calling its security measures into question. Ripple20, the collection of vulnerabilities that allows full control of millions of IoT and industrial control devices. The British national health service sells all of its patient information to companies engaged in espionage for the modest price of one euro. Legal businesses in multiple countries serve as fronts for cybercriminal groups and malware. Online dating apps expose erotic photos and audio, together with personal data, of millions of users. New, improved attacks that fully compromise Intel processors.
The so-called Ripple20 vulnerabilities affect equipment found in data centers, power grids, and more.
The largest DDoS attack in history so far took place, at 2.3 Tbps; the T-Mobile outage in the US was caused by a failure of optical circuits, not by DDoS attacks; 19 vulnerabilities collectively named Ripple20 affect IoT devices across all industry sectors; Zoom announced end-to-end encryption for all users; and more.
Games, networks, filtering, and bees to start. Jon did a quantum podcast, Excalidraw is cool, and Words Matter. Ripple20 has only 19 vulns (Intel's affected), phishing private notes for bitcoin, and theft of a master key. For fun try Inspirobot, read More Pages Than You Want about programming languages, and enjoy Space Parallax from the 21st century! 0:00 - Intro 4:12 - Cloudflare Filtering 5:51 - Mason Bees 15:13 - Quantum Podcast 16:35 - Excalidraw 17:55 - Return of Trunk 21:04 - Ripple20 25:25 - Intel Advisory 28:24 - Privnote, Phished 34:34 - South African Bank 38:33 - Inspirobot 40:59 - ACM on Programming Languages 45:04 - Space Parallax
This week's show features a guest co-host, Chris Albrecht, editor at The Spoon. We kick off the show discussing the latest IoT security vulnerability, Ripple20, and why you need a software Bill of Materials for your connected products. We then focus on COVID-19 contact tracing, using wireless signals to monitor patients remotely, Intel's updated robotic … (Episode 273: Ripple20 and Helium goes global)
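The reason an SBOM matters for a case like Ripple20 is that the vulnerable stack sits several layers down, inside firmware that a product vendor bought rather than wrote, so nobody can answer "are we affected?" from a product name alone. The following is an added example, not code from the podcast or from any vendor: it walks a constructed CycloneDX-style SBOM (including nested sub-components, which is where a third-party network stack usually hides) and reports components whose version falls below an advisory's fixed version. The component name "treck-tcpip", the advisory identifier and the fixed-version boundary are assumptions chosen for illustration; the version comparison handles dotted versions of unequal length, since firmware components often carry fewer or more fields than the advisory.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical product. The vulnerable
# stack is nested inside a firmware component, mirroring how an OEM inherits a
# third-party TCP/IP stack it never wrote. Names and versions are assumptions.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "firmware", "name": "printer-fw", "version": "3.2.0",
     "components": [
       {"type": "library", "name": "treck-tcpip", "version": "6.0.1.41"}
     ]},
    {"type": "library", "name": "mbedtls", "version": "2.16.6"},
    {"type": "library", "name": "treck-tcpip", "version": "6.0.1.67"}
  ]
}"""

# Constructed advisory record; the fixed-version boundary is an assumption
# for this example, not a quoted vendor statement.
ADVISORIES = [
    {"id": "EXAMPLE-RIPPLE20", "component": "treck-tcpip", "fixed_in": "6.0.1.67"},
]


def iter_components(components):
    """Yield every component in a CycloneDX component list, depth first,
    descending into nested 'components' arrays (sub-assemblies, firmware)."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def parse_version(text):
    """Turn '6.0.1.41' (or '6.0.1-rc2') into a tuple of ints, ignoring non-digits."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a sorts strictly before b; shorter tuples are zero-padded
    so '6.0.1' compares as '6.0.1.0' against '6.0.1.67'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def find_affected(sbom_text, advisories):
    """Return (advisory id, component name, version) for every component,
    at any nesting depth, that is older than the advisory's fixed version."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in iter_components(sbom.get("components", [])):
        name = comp.get("name", "").lower()
        version = comp.get("version", "0")
        for adv in advisories:
            if name == adv["component"].lower() and version_lt(version, adv["fixed_in"]):
                findings.append((adv["id"], comp["name"], version))
    return findings


if __name__ == "__main__":
    for adv_id, name, version in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {name} {version} is below the fixed version")
```

Only the nested copy at 6.0.1.41 is flagged; the top-level 6.0.1.67 entry is at the boundary and passes. Without the recursive walk the firmware sub-component would be invisible, which is exactly the blind spot the SBOM is meant to remove.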
Ripple20 vulnerabilities are reported in the IoT software supply chain. North Korean operators go for intelligence, but also for cash, and they’re phishing in LinkedIn’s pond. Sino-Indian tensions find expression in cyberspace. A long look at the Russian influence operation, Secondary Infektion. Joe Carrigan from JHU ISI on why older adults share more misinformation online. Our guest Will LaSala from OneSpan tracks the increase in online banking fraud during COVID-19. And the strange case of the bloggers who angered eBay may have more indictments on the way. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/117
On this week's show Patrick and Adam discuss the week's security news, including:
Facebook commissioned custom 0day to de-cloak child sex predator
IP stack bugs to plague IoT, ICS for years
Sandworm was doxxed by the NSA and hardly anyone noticed
Congress demands answers on 2015 Juniper NetScreen back door investigation
Amazon, Microsoft join moratorium on sale of facial recognition to police
Much, much more
This week's show is brought to you by Signal Sciences. And instead of having one of their staff on the show, they nominated one of their customers to appear instead. So in this week's sponsored segment we're going to hear from Keith Hoodlet. Keith is currently the Senior Manager of Application Experience at Thermo Fisher Scientific, a $137 billion company. He built their appsec program and he'll be along later on to talk through all of that. It's a rapid-fire interview about how he was able to get started and make a dent quickly. Keith used to co-host the Application Security Weekly podcast and he's worked for Bugcrowd and Veracode. He's a cool guy, it's a great interview, make sure you stick around for that one.
You can subscribe to the new Risky Business newsletter, Seriously Risky Business, here. You can subscribe to our new YouTube channel here. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing.
Show notes
Facebook Helped the FBI Hack a Child Predator - VICE
gov.uscourts.insd.77308.131.0.pdf
Ripple20 vulnerabilities will haunt the IoT landscape for years to come | ZDNet
Exclusive: Sandworm's Exim hacks reveal wider Russian activity - Risky Business
Driving Discord through Disinformation and Disruption – Stranded on Pylos
Wyden seeks details on spies' data protection after scathing CIA audit on Vault 7 leaks
wyden-cybersecurity-lapses-letter-to-dni.pdf
Congress asks Juniper for the results of its 2015 NSA backdoor investigation | ZDNet
Wyden House Juniper Letter
Juniper 'fesses up to TWO attacks from 'unauthorised code' • The Register
Amazon Won't Let Police Use Its Facial-Recognition Tech for One Year | WIRED
Microsoft Won't Sell Facial Recognition To American Cops After Protests
Richard Grenell on Twitter: "They should now be barred from federal government contracts - there should be consequences for not selling technology to police departments. @realDonaldTrump" / Twitter
Research shows human rights activists in India were targeted with spyware
Italian company exposed as a front for malware operations | ZDNet
US intelligence bill takes aim at commercial spyware makers | TechCrunch
Text - S.3905 - 116th Congress (2019-2020): Intelligence Authorization Act for Fiscal Year 2021 | Congress.gov | Library of Congress
Dating Apps Exposed 845 GB of Explicit Photos, Chats, and More | WIRED
South African bank to replace 12m cards after employees stole master key | ZDNet
Intel will soon bake anti-malware defenses directly into its CPUs | Ars Technica
Arm CPUs impacted by rare side-channel attack | ZDNet
Twitter bans 32k accounts pushing Chinese, Russian, and Turkish propaganda | ZDNet
COVID-19 Tracking Apps 'A Privacy Trash Fire' As Norway Nixes Its Own
Zoom Promises To Do Better After Banning Tiananmen Square Protests—Then Builds Tech To Help China's Censorship
Chinese users saw Zoom as a window through the 'Great Firewall' - Reuters
Coder-Turned-Kingpin Paul Le Roux Gets His Comeuppance | WIRED
Stalkerware detection rates are improving across antivirus products | ZDNet
Lamphone attack lets threat actors recover conversations from your light bulb | ZDNet
Hackers breached A1 Telekom, Austria's largest ISP | ZDNet
Google email domains spoofed by SMTP exploit in G Suite | The Daily Swig
Former eBay Employees Sent Cockroaches, Bloody Pig Mask to Mass. Couple In Harassment Campaign: US Attorney – NBC Boston