Joseph Rae's martial arts journey began in 1993 at the Roanoke Bujinkan Dojo in Virginia. Just five years later, in 1998, he earned his Shodan—marking a major milestone in his commitment to the Bujinkan tradition. In 1999, Joseph enlisted in the U.S. Navy, where he went on to serve with distinction for 22 and a ... Joseph Rae – Buchanan Onmitsukage Ninpo Dojo – Ep221
In this Deep Dive bonus interview, Nightdive's Locke Vincent sits down with Terri and Eric Brosius to talk about their work on System Shock and System Shock 2, including how the two became involved with Looking Glass Studios, how Terri became the voice of SHODAN, Eric's approach to the game's sound design, how they feel about SHODAN's lasting impact on gaming culture, and more! System Shock 2: 25th Anniversary Remaster — Available for Pre-Order on PC —
024: Scott Boyett On Shooting Shooting
Military historian and weapons and armor expert Scott Boyett joins Film Fights with Friends for a comparative analysis of three films, depicting different time periods, from historic, tactical, technical, and theatrical perspectives. On the dissecting table are LAST OF THE MOHICANS (1992), WAY OF THE GUN (2000), and MOSUL (2019).
Scott is a consultant for the film, television, and gaming industries. He grew up in a family of antique arms and armor dealers and mentored under one of the world's premier military historians, Dennis Showalter. Scott holds a Bachelor's Degree and Master's Degree, the latter from Norwich University, specializing in both European and Japanese medieval weaponry. His career began in England as an antique arms buyer, and he has since lectured on historical and theatrical combat at Dartmouth, Loyola Marymount University, CalArts, University of Georgia, and DeSales University, among others. Scott is a graduate of the Orange County Sheriff's Regional Training Academy, is a California DOJ Certified Firearms instructor, and has 20+ years of training with modern firearms and tactics. He has trained extensively with former and current LAPD SWAT officers and former US Special Forces members. Additionally, Scott works as a 911 responder EMT. Scott's study of historical weapons and combat opened avenues in the theatrical world. He achieved degree certificates from Balliol College (Oxford University), Circle in the Square (New York City), and teacher training from Shakespeare & Co (Massachusetts). After traveling for several years teaching and performing on Broadway, with the National Shakespeare Company and the Pennsylvania Shakespeare Festival, Scott moved to California, where he continued acting, teaching and consulting on various productions. He holds a current California Entertainment Firearms Permit.
Some of his credits include 50 YEARS ON THE DMZ and BIBLE BATTLES for The History Channel, INDIAN COWBOY and the BBC America drama COPPER. He was a weapons adviser for the popular video game RED DEAD REDEMPTION. Scott has worked with such notable talents as Tim Roth, Ron Perlman, Placido Domingo, Mercedes Ruhel, Anthony LaPaglia, Benny "The Jet" Urquidez and Richard Lawson. Outside of his weapons expertise, Scott has a Shodan in Budo Taijutsu and throughout his career has trained Lama-Pai Kung Fu, Okinawan Go-Ju Ryu, American Freestyle Karate and Brazilian Capoeira.
Scott's Website: https://www.scottboyett.com/
MENTIONS:
LOTM - Ambush on route to Fort William Henry: https://youtu.be/_GlYa20-JZY?si=kz0cCcRn-2kirJTG
LOTM - Ambush of the defeated British: https://youtu.be/kKWSZXHahjc?si=Sq-ymkoZv8q__ai7
LOTM - Last of Mohicans Final Fight: https://youtu.be/q8ZisDHg6v0?si=sqpeWgpn8MqC4Pof
Way of the Gun final fight: https://youtu.be/vAvVMTbUKCA?si=tFtG5Iv6uAN8BeHS
Mosul - police station firefight: https://youtu.be/-M3DBpWToB0?si=8OwdBHPpW4F2h--H
Mosul - Humvee attack at checkpoint: https://youtu.be/I1Ixdi2QhS4?si=qqA1BsePWv8XD3Hh
Mosul - Attacking the ISIS camp: https://youtu.be/U6N2bR9qGEc?si=BjW3aJTB8HXeiBjC
Mosul - End of the line: https://youtu.be/yhakuCoiFKo?si=g7Rjc6g0BePMn5gm
Mosul - Based on the New Yorker Article: https://www.newyorker.com/magazine/2017/02/06/the-desperate-battle-to-destroy-isis
Recommendations For The Use Of Firearms, Blanks, And Dummy Rounds: https://www.csatf.org/01_safety_bltn_firearms
Prohibitions And Special Restrictions On The Use Of Live Ammunition: https://www.csatf.org/02_safety_bltn_live_ammunition
FILM FIGHTS WITH FRIENDS
Do you listen to our show as an audio podcast? Give video a try. Subscribe to our YouTube for the video version with awesome behind-the-scenes pics and video! https://www.youtube.com/@FilmFightsFriendsPod?sub_confirmation=1
Dig the show? Consider...
Time for a SHODAN. Learn more about your ad choices. Visit podcastchoices.com/adchoices
This week we finally arrive in Challen's city, which is far nicer than Tedra imagined. He takes her to the castle at the center of town to meet the Shodan of the city! https://www.passagespod.com/ https://www.patreon.com/PassagesBookClub Become a supporter of this podcast: https://www.spreaker.com/podcast/passages-with-robbie-and-amanda--6153882/support.
https://www.patreon.com/agabpod Josh's podcast: https://www.worstpossible.world/ Thief vs. AAA Gaming: https://www.youtube.com/watch?v=jPqwDGXxLhU Noclip doc on Looking Glass Studios: https://www.youtube.com/watch?v=8ZmcbShMFNY
This week's guest is making quite a name for himself, with lots of plans for 2025. He was one of the most recommended guests we've had. I have a few of his tunes in the crates, so I was pretty stoked to meet him. Please welcome Jon Cross, a Drum & Bass artist from Chicago, IL, USA. His original productions and DJ sets represent the full spectrum of modern D&B. His past and present affiliations include Rebel Music, Locked Up Music, Engage Audio, Four Corners Music, Beats In Mind and DNBB. Tracklist below. Please enjoy ❤️ Back next week. -Thomas
Jon Cross - American Junglist Podcast Tracklist
01. Jamezy feat Natalie - Shut U Out - Galacy
02. OB1 & Kolectiv - Don't Mess Around - Four Corners
03. ISHEN - Empty Spaces - Shottaz Yard
04. Mako - Come Closer - Metalheadz
05. Jon Cross - Scorpion Say - Locked Up Music
06. Nymfo & Serpnt - Singularity - Love For Low Frequencies
07. Amoss & Minor Forms - Take Note - Sofa Sound
08. Shodan & Hex feat Sense MC - Contra - Technique Recordings
09. T>I & The Sauce - Grits & Jam - The Sauce
10. Monty - Flub - 1985 Music
11. Heist - Yars Revenge - 31 Recordings
12. Trex - Hollow Holler - DARKMTTR Records
13. Crystal Clear & Sweetpea - Dreamstate - V Recordings
14. Ill Truth - The Real - Truth Hertz
15. Teej & Resslek - Matrix - Flexout Audio
16. Grimmo - Touch My Body - Biological Beats
17. CLB - Decisions - MONTA
18. Silence Groove - Son Doong - Floodlight
19. LO! - Something 2 Say - Rebel Music
20. Alix Perez - Elastic Soul - 1985 Music
21. Jon Cross - Ease Yr Mind
22. Juiceman - Our Time Has Come - Fruits Of Flava
23. Kusp - Fallin - Soul In Motion
24. Slippy & Rico 56 - Will - Beacon
25. Scar - Make Em Know (VIP) - Metalheadz
26. GLXY & Koherent - Darling Sky - Overview Music
27. Para - Uh Huh - Overview Music
28. R3IDY - Sessions - Trust Audio
29. Winslow - Unswung Hero - Hospital Records
30. Motiv - Under A Groove - C.I.A
31. Revan - Last Week of Summer - Flexout Audio
32. Flaco - Light Speed - Code Recordings
33. Zero T - Don't Know - The North Quarter
34. Jon Cross - Capable Spirits - Rebel Music
35. Marvel Cinema & Luke Truth - Elevated State of Mind - Lunar
36. Satl, Milansangar & Ellis Esco - Night Out - The North Quarter
System Shock 2 (Looking Glass Studios/Irrational Games, 1999) contains one of the most iconic images in gaming (the sci-fi horror Medusa-esque SHODAN) and one of the most iconic spiritual sequels in gaming (the Bioshock series), but I still feel like experience with System Shock 2 itself is relegated to those who were there playing on PC in 1999. What was it about this game that made it so foundational for the Bioshock series and so many other modern games? Well, it's a good thing I have this podcast to dig into it!
Guest Info: Doug Lief, host of Nostalgium Arcanum (https://nostalgiumarcanum.fireside.fm/) podcast
TIMESTAMPS
Intros/Personal Histories/Opening Thoughts 0:19
Story Setup/Story Thoughts 13:43
Presentation 30:10
Gameplay 41:00
SPOILER WALL 1:11:09
Music used in the episode is credited to Eric Brosius. Tracks used: Medical, Engineering, Hydroponics #1, Science, Hydroponics #2, Operations #2, End Cutscene, Credits
Support Tales from the Backlog on Patreon! (https://patreon.com/realdavejackson) or buy me a coffee on Ko-fi (https://ko-fi.com/realdavejackson)! Join the Tales from the Backlog Discord server! (https://discord.gg/V3ZHz3vYQR)
Social Media: Instagram (https://www.instagram.com/talesfromthebacklog/) Twitter (https://twitter.com/tftblpod) Facebook (https://www.facebook.com/TalesfromtheBacklog/)
Cover art by Jack Allen - find him at https://www.instagram.com/jackallencaricatures/ and his other pages (https://linktr.ee/JackAllenCaricatures)
Listen to A Top 3 Podcast on Apple (https://podcasts.apple.com/us/podcast/a-top-3-podcast/id1555269504), Spotify (https://open.spotify.com/show/2euGp3pWi7Hy1c6fmY526O?si=0ebcb770618c460c) and other podcast platforms (atop3podcast.fireside.fm)!
Join us this week as we sit down with Hanshi Michael Calandra. A 10th Dan in Isshin-Ryu Karate, Hanshi Calandra spent 22 years with the NYPD. He retired in 2010 as a Detective in the Intelligence Division. Hanshi Calandra is certified in FBI defensive tactics, and has taught numerous martial arts students and given law enforcement seminars throughout the United States. He is also the founder of P.C.C.T (Institute for Police Control and Cuffing Techniques). Hanshi Calandra was the Chief Instructor of the Seishinkan Martial Arts Dojo in New York for over 35 years and, after relocating to Wittmann, Arizona, has continued teaching in his new dojo - Seishinkan West. Hanshi Calandra is an internationally recognized instructor and has taught seminars in China, India, Europe, South America, and the US. In addition to his 10th Dan in Isshin-Ryu Karate, he also holds the current ranks of:
- 7th Dan in Matayoshi Kobudo
- Indoor Disciple of the Chen Style Taijiquan Practical Method
- Shodan in Tenshin Shoden Katori Shinto-Ryu
During his lifetime, Hanshi Calandra studied many other martial arts such as: Feeding Crane Gung-Fu, Kendo, Escrima, Naginata Do, Yagyu-Shinkage Ryu, Judo, Aikido, and Qi Gong. Presently, he also runs his martial arts podcast called "The Martial Truth Podcast", which you can find here: https://www.youtube.com/@oikddojo/podcasts
Discussing the discussions.
Welcome to Episode 316 of the Stress Factor Podcast, featuring DJ Tribo, who returns to deliver an exceptional selection of the finest drum and bass tracks for October of 2024. This episode promises to immerse listeners in a captivating auditory experience, showcasing the latest and most dynamic sounds in the genre. Tune in for an exhilarating journey through the vibrant world of drum and bass music.
This episode features tracks and remixes by the following artists and on these labels: ASC, Auxiliary Records, Outer Bass, Fokuz Recordings, Pola and Bryson, Shogun Audio, Zero T, Manny, The North Quarter, Serpnt, Unknown, Monty, 1985 Music, Koherent, GLXY, Overview Music, Minor Forms, Sofa Sound, Vodkah, Gorilla Warfare, Benny L, TrES-2b MUSIC, London Elektricity, Doktor, Fast Soul Music, ChaseR, Neropunk Records, Pine, Conni, Premiere, Rockwell, Phace, Obsolete Medium, Hex, Shodan, Sense MC, Technique Recordings, Alix Perez, Visage, Mortlock, Universal Project, S.P.Y, Dispatch Recordings, Bladerunner, Hi Resolution, Sydney Bryce, QZB, Flexout Audio.
Tracklist
01. ASC - Exoplanet [Auxiliary Records]
02. Outer Bass - Radical [Fokuz Recordings]
03. Pola and Bryson - Waterfall [Shogun Audio]
04. Zero T, Manny - Let Me Know [The North Quarter]
05. Serpnt - All We Do [Unknown]
06. Monty - Flub [1985 Music]
07. Koherent, GLXY - Darling Sky [Overview Music]
08. Minor Forms - Wake the Funk [Sofa Sound]
09. Vodkah - Silo [Gorilla Warfare]
10. Benny L - Rattler [TrES-2b MUSIC]
11. London Elektricity, Doktor - Don't Stop [Fast Soul Music]
12. ChaseR - Duality [Neropunk Records]
13. Zero T - The Technique [The North Quarter]
14. Pine, Conni - Frontline [Premiere]
15. Rockwell, Phace - Gramma (Phace Remix) [Obsolete Medium]
16. Hex, Shodan, Sense MC - Contra [Technique Recordings]
17. Alix Perez, Visages - Kauri [1985 Music]
18. Mortlock, Universal Project, S.P.Y - Snorkel (S.P.Y Remix 2024 Remastered) [Dispatch Recordings]
19. Bladerunner - All The Massive [Hi Resolution]
20. Sydney Bryce, QZB - Ashes and Bones [Flexout Audio]
We explain the one-packet attack on CUPS and discuss its real-world implications. Plus, a Meshtastic update and more.
Sponsored By:
Jupiter Party Annual Membership: Put your support on automatic with our annual plan, and get one month of membership for free!
Tailscale: Tailscale is a programmable networking software that is private and secure by default - get it free on up to 100 devices!
1Password Extended Access Management: 1Password Extended Access Management is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps.
Support LINUX Unplugged
Links:
Ché has been a student, competitor, in-house deshi, coach, sempai (big brother/mentor) and sensei in the Goju Ryu Karate Centre since 1999. He started in this dojo under Paul Andre Sensei and received his Shodan-ho at 14 under Aubrey Pieterse Sensei. His current instructors are Sensei Lilian and Sensei Elias, who are the Shibo-cho instructors for Africa OGKK, and who train under Hanshi Kikugawa, based in Naha, Okinawa. Over his forty-plus years of training, Ché has been fortunate to train with many great teachers, including Higaonna Morio Sensei & Chinen Teruo Sensei. He continues to pass on their knowledge both in the dojo and on our YouTube channel. In his downtime, Sensei Jagger is an avid gardener, DIY fundi, reader of karate books and baker of bread.
https://www.grkc1978.com/ https://www.facebook.com/GojuRyuKarateCentre/ https://www.youtube.com/channel/UCy61L8jq6ugyEwGNwMdVZhA
Don't forget to grab your Karate Journal to document your journey: Amazon Karate Journal Link: https://amzn.to/3l9spmt
If you found value in this episode or enjoyed it, please consider sharing it with your friends on social media. And if it didn't resonate with you, feel free to pass it along to your enemies - perhaps they'll find it enlightening!
Support the show at no extra cost to you by shopping on Amazon through my affiliate link, where I receive a small commission on your purchases. It's a win-win! Find the link below. Amazon Affiliate Link: https://amzn.to/3qqfuhy
You can also support the Karate For Mental Health Programme by purchasing our merchandise or donating via Buy Me a Coffee: www.buymeacoffee.com/KFMH And check out our shop for exclusive merchandise, including the Anxious Black Belt Mug: Les Bubka's Shop: https://lesshop.ammhub.com/accessories/anxious-black-belt-mug
About Les Bubka: Author, Karate coach, entrepreneur, and creator of the #Hikite4ever T-shirt. Les promotes inclusive Karate with a focus on the mental health aspects of training.
Teaching nationally and internationally. Let's connect: info@lesbubka.co.uk
In this episode we explore the fundamental knowledge a Shodan, the first level of black belt, must have. We talk about 4 fundamental areas and much more. With the participation of José Navarro and under the direction of Jorge F. Garibaldi.
Big shoutout to KASM for sponsoring this video. KASM Workspaces supports the OSINT community's efforts by providing the following products:
Kasm Community Edition: https://kasmweb.com/community-edition
Kasm Cloud OSINT: https://kasmweb.com/cloud-personal
Kasm Workspaces OSINT Platform for Professionals: https://kasmweb.com/osint
Kasm Infrastructure/Apps for OSINT Collection: https://registry.kasmweb.com/1.0/
// MJ Banias' SOCIALS //
LinkedIn: / mjbanias
Cloak and Dagger Podcast (Spotify): https://open.spotify.com/show/6mT8zDM...
The Debrief: https://thedebrief.org/podcasts/
Instagram: / mjbanias
X: https://x.com/mjbanias
Website: https://www.bullshithunting.com/
// Ritu Gill's SOCIALS //
LinkedIn: / ritugill-osinttechniques
OSINT Techniques website: https://www.osinttechniques.com/
Instagram: https://www.osinttechniques.com/
X: https://x.com/osinttechniques
YouTube: / @forensicosint
Forensic OSINT website: https://www.forensicosint.com/
TikTok: / osint.techniques
// Rae Baker's SOCIALS //
Website: https://www.raebaker.net/
LinkedIn: linkedin.com/in/raebakerosint
X: https://x.com/wondersmith_rae
// Eliot Higgins' SOCIALS //
Bellingcat website: https://www.bellingcat.com/author/eli...
X: https://x.com/eliothiggins
// Books //
The UFO People: A Curious Culture by MJ Banias: USA: https://amzn.to/3xP5Jme UK: https://amzn.to/4cOrzoK
Deep Dive: Exploring the Real-world Value of Open Source Intelligence by Rae Baker and Micah Hoffman: USA: https://amzn.to/3xFN9gv UK: https://amzn.to/3zJSy6z
We Are Bellingcat: Global Crime, Online Sleuths, and the Bold Future of News by Eliot Higgins: USA: https://amzn.to/3RXNa64 UK: https://amzn.to/4cvYP4B
// YouTube video REFERENCE //
Top 10 FREE OSINT tools (with demos): • Top 10 FREE OSINT tools (with demos) ...
Deep Dive OSINT: • Deep Dive OSINT (Hacking, Shodan and ...
Best Hacking Python Book: • Best Hacking Python Book?
She Hacked Me: • She hacked me!
// David's SOCIAL //
Discord: discord.com/invite/usKSyzb
Twitter: www.twitter.com/davidbombal
Instagram: www.instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: www.facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
// MY STUFF //
https://www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
// MENU //
00:00 - Coming up
00:41 - Sponsored Section: KASM Workspaces demo
06:26 - Intro
06:46 - MJ's Journey in OSINT
11:14 - Starting an OSINT Company
11:55 - Teaching Background
12:34 - Years in OSINT
13:19 - Advice for People Starting Out
15:44 - What It Means to Do OSINT
16:54 - Recommended Tools for OSINT
19:03 - Meet Ritu Gill
19:09 - Characteristics of a Good OSINT Investigator
20:03 - Knowing When to Give Up
20:43 - Soft Skills vs Technical Skills
22:17 - Ritu's Advice on How to Get Started
23:24 - Are There Jobs in OSINT?
24:39 - Forensic OSINT Demo
26:41 - Tinder Vulnerabilities
30:51 - Next Guest Intro
32:04 - Rae Baker
32:33 - Tools Rae Uses
34:11 - From Graphic Design to OSINT
37:56 - Volunteering to Learn
39:10 - Next Guest Intro
40:10 - Eliot Higgins
40:19 - Eliot's Background into OSINT
41:44 - Bellingcat
44:27 - No Degree Needed to Start
45:37 - Useful Tools to Use
47:19 - Advice for People Starting Out
48:36 - Communities to Join
51:50 - Recommended Books
53:03 - How MJ Got the Job
55:53 - MJ Shares an OSINT Story
01:02:44 - Importance of a Team
01:08:15 - Conclusion
01:10:34 - Outro
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Disclaimer: This video is for educational purposes only.
Greetings, Midnighters! Welcome to another electrifying episode of The Midnight Project. This week, we're diving deep into the pulse of the techno universe with a mix that will energize your workouts, drives, and reflective moments. This episode features some incredible tracks from the techno maestros that push the boundaries of the genre.
Our journey begins with the mesmerizing sounds of Wehbba's "Revelation." Wehbba, a Brazilian producer, has been a powerhouse in the techno scene, known for his intricate sound design and compelling beats. His tracks have consistently featured on top techno charts, and "Revelation" is no exception. It's a track that captures the essence of his style: dark, driving, and utterly captivating.
Next up, we have a special treat with Eftihios' remix of my track "High Society." Eftihios, a rising star in the techno world, brings a fresh and energetic twist to the original. His remixing skills have garnered attention across the globe, blending deep grooves with hypnotic rhythms. Shout out to Shodan head honcho Horatio at Shodan for the collaborative spirit within the techno community!
Belocca's "G.T.D." follows with a track that pulsates with raw energy. The Hungarian producer has carved out a niche with his unique blend of house and techno. His productions are known for their infectious rhythms and powerful basslines, making "G.T.D." a perfect addition to this week's set.
As always, the full tracklist is available at 1001 Tracklists. Dive in, lose yourself in the music, and let these beats fuel your day.
Don't forget to subscribe to the show and share the love with fellow techno enthusiasts. Comment with your favorite track of the show or recommend an artist I should bring to the next show. Let's keep this community thriving!
For bookings, contact contact@redesignrecords.com and subscribe for a new techno mix every Wednesday at 6 AM (CET) via www.sebastiaanhooft.com.
Keep the beat alive,
Sebastiaan Hooft
#151 Principle Centric with Simon Oliver Sensei
Over 50 years of study, practical application, and obsessive interest in the martial arts means Simon Oliver delivers some of the most dynamic martial arts seminars around. Born in 1961 into a rare martial arts heritage (both his father and grandfather were former Jujutsu and Judo practitioners), Simon Oliver started learning Jujutsu and Judo at the tender age of six to try and calm his boisterous nature. It was a chance experience that led him into starting karate: after seeing a demonstration at Alexandra Palace in London by a group of senior Japanese Sensei, he pestered his father to find a dojo. Simon was eventually introduced to karate by a student of the great Tatsuo Suzuki who was a friend of his father. Peter Bell provided private tuition in the Wado Ryu style, due to the age restriction on people starting karate during the late 1960s and early 70s. Simon received his Shodan with the Wado Ryu before the family moved to Doncaster, where he met Alan Rushby Sensei, who was teaching the Shukokai (Shito Ryu) style. It was during this time that Simon started to develop a keen interest in Kobujutsu (old-style weapons) and started training in various traditional weapons.
Website: https://simonoliversensei.com/wp/
Facebook: https://www.facebook.com/profile.php?id=100064507879843
If you would like to support the show at no cost to you and you shop with Amazon, please use my affiliate link, for which I get a small commission when you purchase something - note that it is completely free for you! Please find the link below. https://amzn.to/3qqfuhy
If you would like to support the Karate For Mental Health Programme, you can buy our merchandise (links below) or donate via ☕ Buy me a coffee
Welcome to Podcast 217 of Cronicasgoomba, and welcome back to Citadel Station... Hacker. We will talk about an exciting game from 1994, but in its 2023 remake version. In System Shock, you take on the role of a hacker as you explore and survive the horrors of Citadel Station, all of it caused by a rogue AI called SHODAN. We bring you a great guest, AlexRod (@alexrod8305), who, having experienced the game both in its original version and in the remake, brings us his comments. @vdallos and @flagstaad do their best to make the podcast come out as tangled as possible. The game is available on PC, but a console version is expected. Spotify Google Podcast Our social networks Twitter - https://twitter.com/CronicasGoomba Instagram - https://www.instagram.com/cronicasgoomba/ Facebook - https://www.facebook.com/CronicasGoomba
What does the Karateka's path involve, from the first time we enter the Dojo until we earn the coveted Shodan? What experiences await us? What lessons are there to learn? All this and much more, we discuss with José Navarro. Under the direction of Jorge F. Garibaldi --- Send in a voice message: https://podcasters.spotify.com/pod/show/podcastdojo/message
Insights on fake AI law firms, Facebook malware schemes, and critical VPN vulnerabilities. Discover the intricate web of SEO manipulation, the alarming spread of malware through counterfeit AI services, and the global impact of a new VPN flaw. Stay ahead with actionable advice and join the conversation on safeguarding against these sophisticated digital threats.
Original URLs:
https://arstechnica.com/gadgets/2024/04/fake-ai-law-firms-are-sending-fake-dmca-threats-to-generate-fake-seo-gains/
https://www.bleepingcomputer.com/news/security/fake-facebook-midjourney-ai-page-promoted-malware-to-12-million-people/
https://www.bleepingcomputer.com/news/security/new-ivanti-rce-flaw-may-impact-16-000-exposed-vpn-gateways/
https://forums.ivanti.com/s/article/New-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
Follow us on Instagram: https://www.instagram.com/the_daily_decrypt/
Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/
Tags: cybersecurity, AI scams, malware, VPN vulnerabilities, SEO manipulation, digital threats, fake law firms, Facebook malware, Ivanti, RCE flaw, data security, online safety, cybersecurity tips, tech news, hacking
Search Phrases: Cybersecurity threats and AI scams; How to spot and avoid online malware schemes; Understanding VPN vulnerabilities and their impact; Dealing with fake DMCA threats for SEO gains; Protecting against Facebook AI service scams; Ivanti VPN gateways security flaws; Tips for enhancing online data security; Latest in cybersecurity and hacking news; Identifying and responding to digital threats; Navigating SEO manipulation and fake law firms
Transcript (Apr 6)
Welcome back to the Daily Decrypt.
Fake law firms like Commonwealth Legal out of Arizona are sending out copyright infringement notices to manipulate SEO rankings. This is just another way attackers are getting more and more creative to manipulate the things that you see on the day to day. Over 1.2 million people were tricked using a Facebook scam where hackers peddled fake services like Midjourney or OpenAI's Sora that deployed malware designed to hijack users' data. How can you identify this type of scam and protect yourself? And finally, Ivanti has patched a critical security flaw that affects over 16,000 VPN gateways. What is this vulnerability and how can administrators protect their VPN gateways? We live in a world where everyone has a website, whether it's your personal business or your hobby. There are tons of websites and they're easy to spin up. Well, Ars Technica is reporting that there are now fake law firms who are sending copyright infringement notices to personal and hobby websites. For example: you're using an image that doesn't belong to you, please provide compensation (Ars Technica). Taking it down doesn't work. The most notable firm is titled Commonwealth Legal, even though it's out of Arizona, or so it says, which isn't a state that's deemed a Commonwealth. And they're claiming to represent the Intellectual Property Division of Tech4Gods. Like I mentioned, there are a lot of key indicators that this legal firm is fake. For example, it's a brand new domain registration, which means their website's brand new. It's also a Canadian IP address, and the physical address doesn't match the one listed on the website. If you actually go to the website for Commonwealth Legal, you'll see a bunch of AI-generated images of attorneys. Yeah, doesn't take much to realize this is probably a fake website. But regardless, if you receive a copyright infringement notice, that's a pretty scary thing. So why does this exist? Why is this happening? Well, it's pretty clever.
This legal firm claims to represent the company Tech4Gods, which may or may not be a legitimate site, but the whole goal of this is to boost the SEO for Tech4Gods. And the way that it does that is by placing backlinks, or just links to the Tech4Gods website, all over the internet, which is a gold mine for SEO rankings. Now, if you want more specifics than that, you can check out the article by Ars Technica in the show notes, but make sure to just be skeptical of every threat or every email you get from someone who you don't know. If you get an email that claims you're infringing on someone's copyright, look for signs that it's fake. Maybe reach out to a different law firm. Maybe reach out to the police, because maybe they've heard of this scam before and will be able to verify that it's a scam. Nothing in our legal system, especially in the United States, goes quickly. So don't act with a sense of urgency. You don't need to pay anything immediately. Take your time and work through this. Over 1.2 million people on Facebook have been tricked into clicking links for counterfeit AI services such as Midjourney, OpenAI Sora, ChatGPT-5, and DALL-E by promising previews of unreleased features. And you'll never guess how attackers have done this. They have purchased ads. That's right. Anyone can purchase ads. Attackers do it. They promise you something that's too good to be true. You click it, and now you've downloaded some malicious software. So these specific Facebook ads coax users into joining fake Facebook groups that look real, and then immediately the users are bombarded with seemingly legitimate updates, AI-generated visuals, and enticing offers or, quote, early access to AI innovations. So these are just baits to lure victims into downloading malicious software, but instead of getting the cutting-edge tools you were promised, you're getting password theft malware like Rilide, Vidar, IceRat, and Nova.
Once this malware is downloaded, it's gonna go into your browser and try to grab your session cookies and credentials, maybe stored in your Google Chrome password manager. It's gonna look for cryptocurrency details and more. The case outlined by Bitdefender and reported by Bleeping Computer in our show notes showcases a Midjourney fan page that had over 1.2 million followers, which was initially a legitimate fan page, but was taken over by hackers in June of 2023. It operated from June of 2023 up until last week, when Facebook finally took it down. Once attackers had taken over this Facebook page, they created a fake website, flawlessly mimicking the Midjourney website, which only helped them push this fake malware onto its users. When they click on the website, it actually goes to a website that looks exactly like Midjourney. Here is where users would be tricked into downloading the malware disguised as the state-of-the-art image generation tools. Once they download, it looks like they were required to install a Google Translate browser extension, which is where the malware lives. Even though this page has been taken down by Facebook, the attackers have quickly moved over to a new page which already has 600,000 plus followers. So this is just a case of malvertising. I'm actually gonna start making stickers. Don't click on Google ads. Now I'm gonna include don't click on Facebook ads, because they're pretty cheap to run. I did a test the other day on a Daily Decrypt Reel on Instagram and I got 3,000 views for five bucks. Now if I had attacker kind of money, that would be a lot more views, a lot more clicks. So just be wary of Facebook ads. I literally don't click any ads anymore, even if the product looks polished and pristine. There are some legitimate ads out there, but at this point, I don't trust any of them. So keep an eye out for a Daily Decrypt store opening up soon with some fresh new stickers handmade by me, and don't click on any ads.
And finally, Ivanti has disclosed a high-severity remote code execution flaw which affects up to 16,500 of its Connect Secure and Policy Secure gateways. This vulnerability is due to a heap overflow in the IPSec component impacting versions 9.0 and 22, and could potentially allow unauthorized attackers to execute remote code or initiate denial of service by sending specifically crafted requests. This issue came to light following reports by internet search engine Shodan and threat monitoring service Shadowserver, which initially discovered approximately 29,000 exposed services. Ivanti, however, has reassured its customer base that there have been no observed instances of exploitation, but emphasizes the importance of applying necessary updates without delay to avoid breaches. Shadowserver's subsequent assessments revealed that the number of susceptible devices might be closer to around 16,000, with the highest concentrations of vulnerable gateways located in the United States, Japan, the UK, Germany, France, and the list goes on. This vulnerability is not the first to raise alarms with Ivanti's user community. Earlier this year, various Ivanti product flaws were exploited by state-sponsored actors and hacking groups to facilitate unauthorized access and control over affected devices. A recent report by Mandiant highlights the exploitation of Ivanti endpoints by Chinese hackers employing a malware family dubbed SPAWN. Ivanti has released patches for all supported versions of the affected products. So yeah, get out there, update your systems, and sleep well at night. That's all I got for you today. If you like what you hear, we'd really appreciate a review on Spotify or Apple Podcasts and a follow on Instagram, a subscription on YouTube, wherever you consume your media, and send us a comment. We'd love to hear from you. I hope you have a great rest of your weekend. Go check out the solar eclipse this Monday and we'll talk to you some more later.
Dr. Oelberger is a licensed Psychologist based in Los Angeles. He received his doctorate in Clinical Psychology through the Saybrook Graduate School in San Francisco, with an emphasis in Spirituality and Consciousness. He holds ACT board certification in Cognitive Behavioral Therapy and a Certification in Sports Psychology, having trained with a Navy SEAL in order to target emotional obstacles to performance amongst athletes. Dr. Oelberger has attained the rank of Shodan in Shaolin Kempo martial arts and was awarded this rank in the Shaolin temple in Deng Feng, China in the summer of 2013. Richard has a book published on the integration of spirituality and psychology entitled "Qualitative Kabbalah: The Value of Living a Spiritual System". His Master's thesis focused on the treatment and understanding of Post-Traumatic Stress Disorder, specifically cultural and historical trends and implications for treatment. Richard Oelberger, PhD offers his own unique style of psychology, differentiating him amongst traditional forms of psychology, integrating a model of psychology combining somatic and body-oriented psychotherapy with mindfulness and spiritual approaches. He hosts a biweekly podcast on his Richardlistens channel on Apple Podcasts on topics surrounding channeling your own inner hero, covering the fields of performance, human transformation, and sports psychology related interests.
He continues to coach multiple youth sports teams and actively engages in community development of sport and team building. He offers treatment for: sports and performance issues; body-oriented processing of stress and trauma; anxiety/depression; addiction, gambling, and recovery issues; relationship issues; stress reduction skills; performance enhancement visualization skills and meditation; mind/body training; and transformational character development.
https://www.richardlistens.com/
https://www.instagram.com/Richardlistens/
https://www.twitter.com/Richardlistens
Become a supporter of this podcast: https://www.spreaker.com/podcast/i-am-refocused-radio--2671113/support.
The growth of TheMoon malware and its contribution to the Faceless proxy network, shining a light on the vital role of cybersecurity in safeguarding critical infrastructure. Featuring insights from Lumen Technologies' Black Lotus Labs and CISA's new reporting mandates. [00:02:53] The Moon Malware [00:07:37] Critical Infrastructure Cybersecurity Updates [00:17:08] Personal Cybersecurity Tips & Encouragement Original URLs: https://blog.lumen.com/the-darkside-of-themoon/ https://krebsonsecurity.com/2023/04/giving-a-face-to-the-malware-proxy-service-faceless/ https://www.cybersecuritydive.com/news/cisa-notice-critical-infrastructure/711506/ https://www.cisa.gov/news-events/news/cisa-marks-important-milestone-addressing-cyber-incidents-seeks-input-circia-notice-proposed https://thehackernews.com/2024/03/key-lesson-from-microsofts-password.html Follow us on Instagram: https://www.instagram.com/the_daily_decrypt/ Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/ Logo Design by https://www.zackgraber.com/ Tags: cybersecurity, TheMoon malware, Faceless network, Lumen Technologies, CISA, critical infrastructure, cyber incident reporting, Microsoft, Midnight Blizzard, NOBELIUM, password spray hack, IoT security, proxy services, cyber threats, router vulnerabilities Search Phrases: Exploring TheMoon malware and its impact on cybersecurity Understanding Faceless proxy service and cyber anonymity Lumen Technologies' fight against cyber threats CISA's new cyber incident reporting rules for critical infrastructure Microsoft's response to Midnight Blizzard cyber attacks NOBELIUM's tactics in cyber espionage How to protect routers from cyber attacks The significance of cybersecurity in safeguarding critical infrastructure Cybersecurity best practices for IoT devices Strategies to counter password spray hacks Importance of secure accounts in preventing cyber attacks Analyzing the growth of proxy networks in cybercrime The role of critical 
infrastructure in national cybersecurity Updates and insights from CISA on cyber incident management Microsoft's investigation into state-sponsored cyber threats Transcript: [00:00:00] Welcome & Introduction offsetkeyz: Welcome back to the Daily Decrypt. Fly me to the moon. [00:00:08] The Rise of The Moon Malware offsetkeyz: TheMoon malware is now covertly amassing over 7,000 SOHO routers and IoT devices each week into the Faceless proxy network, as unveiled by Black Lotus Labs at Lumen Technologies, signaling a worrying escalation in cybercriminal capabilities. What steps can be taken to prevent devices from falling prey to TheMoon malware and contributing to the expansion of the Faceless proxy network? Critical infrastructure entities such as power and water are now mandated to swiftly report cyber incidents and ransom payments following new rules proposed by the Cybersecurity and Infrastructure Security Agency, known as CISA, marking a crucial advancement in bolstering the nation's cybersecurity defenses. And finally, we've got the expert dogespan back to discuss some lessons learned from the recent Midnight Blizzard Microsoft breach. So stick around for that juicy goodness. So recently we reported on SOHO routers, which is small home. What is small, dogespan: small, office, home office. offsetkeyz: small home office office, small. Is it small office, home office? dogespan: Yeah. South of Houston Street. offsetkeyz: So yeah, recently there's been some news on SOHO routers being vulnerable to these malwares, pulling them into proxy networks. And so this isn't necessarily breaking news, but there has been some recent research coming out that shows some pretty staggering numbers. So the latest findings by Lumen Technologies' Black Lotus Labs spotlight a startling expansion of the Faceless proxy network, with TheMoon malware enrolling over 7,000 new users per week into its ranks. That's a lot of routers.
dogespan: ISP routers right there? offsetkeyz: I would hope not, but your ISP has no incentive whatsoever to replace that router, and you're paying a rental fee. So dogespan: Yep. offsetkeyz: There's a little bit more information linked in the show notes below, but an aggressive campaign in early March of 2024 saw over 6,000 ASUS routers compromised in less than 72 hours. So at this rate, they're well over 40,000 (last we checked in February), plus 7,000 each week. TheMoon malware continues to refine its infection methods, targeting devices with accessible shell environments before implementing a series of iptables modifications. This prepares the compromised device to serve as a proxy, facilitating anonymous internet usage for malicious actors through the Faceless service. [00:02:53] The Moon Malware offsetkeyz: First of all, we can talk about what a proxy network is. It's essentially just tens of thousands of devices that cybercriminals are able to route their traffic through. So that's bad news for you, whether you're trying to avoid people snooping on you, or you're trying to protect your privacy, or you're trying to not be an accomplice in cybercrime. In the article linked in the show notes below, you'll be able to see some indicators of compromise, but the biggest thing is that's the gateway to the internet for you. So everything going in and everything coming out of your house is now accessible to these attackers. They're probably not interested in that. They're interested in just having the power to route their criminal activity through 40,000 routers. But when you hand criminals a bunch of free data, they're probably going to get around to using it. So what can you do to prevent your router from being part of this proxy network? Make sure it's up to date. And that's kind of tricky for most users. You're going to actually have to go into the router, which is a bit of a process.
You also really want to make sure the username and passwords to your router are changed, because they're probably accessible via the internet. Like, I could go Google your router model number and find out what the username and password is, enter it in, and boom. dogespan: There's a number of them just out on the internet; you can throw creds at them at any point in time. offsetkeyz: Yeah. Once you start getting into cybersecurity, you'll quickly come across the sites that just index all vulnerable routers. What, what's the site that I'm thinking of? Do you remember, dogespan? dogespan: Shodan. Shodan. offsetkeyz: If you just go on there, you can, first of all, you can check your IP and see what the deal is. But yeah, there, there's a lot of 'em. So this proxy network is growing quickly, probably thanks to Shodan, but mostly because there's a lot of vulnerable routers out there. Even if they're not end of life, people just don't change their password. They don't know. So tell your mom, tell your friends, tell your grandpa: change your router password. It's a big deal, honestly. dogespan: Yeah, it's interesting. We, like, of course there is the proxy implication, so the attacker is, like you said, most likely just using it to hide and cover their tracks, and one of the things that could come out of that, I think you did mention it, is that you could be legally implicated for certain types of activity. And while you're not the person doing it, if you are, like, the exit node or close enough in the chain for beginning or end, you might get picked up. So definitely see if this is something that is affecting you. A lot of this malware, you can just reboot the router, like give it an unplug for 10 seconds, 30 seconds, and plug it back in, and a lot of the malware will die off, but then of course, make sure it's updated. One thing you can do is request that your ISP updates your router.
So if you have been paying that monthly lease, if it's been two years, call them and tell them that you want a new one. offsetkeyz: Yeah, I'm sure it's even built into your contract that you're entitled to a new router after X amount of months, and it probably isn't more than 18. dogespan: Mm hmm. offsetkeyz: They know they're not updating it, they're not forcing updates, and they know you're not updating it, so they probably legally have to offer you a new one. So all you have to do is call, and you might be on hold for a while, but just, yeah, get a new router. If you've inherited an ISP router and you feel really proud of yourself because you're not paying the 7 a month anymore, and you've had the same router for five years, this right here serves as your official notice to not do that. Go get a new one. So yeah, to wrap this up, the article linked in the show notes recommends a couple things. They recommend first of all blocking botnet traffic based on certain indicators of compromise. So if you're a network defender, see that article for those IOCs. But consumers with SOHO routers should follow best practices of regularly rebooting routers, as dogespan said, and installing security updates and patches. And they provide a full link on how to do that. offsetkeyz: By the Canadian Centre for Cyber Security. So thanks, Canadia. And, for organizations that manage SOHO routers, make sure the devices do not rely upon common default passwords. They should also ensure the management interfaces are properly secured and not accessible via the internet. And again, another article explaining exactly how to do that. So, do those things, call your ISP, and you should be good to go. [00:07:37] Critical Infrastructure Cybersecurity Updates offsetkeyz: So one of the common themes, if you've been listening for a while, is critical infrastructure. The White House has been releasing guidance to critical infrastructure IT departments.
There's been a real emphasis on securing critical infrastructure. Turns out that's because it's constantly under attack and it's our Achilles heel. If attackers can get our critical infrastructure, they can probably shut down our internet, and then we have no way of protecting ourselves. They can shut down our power, we have no security cameras, you know, we have no food, can't nourish our bodies to go to cyber war. The most recent step in this effort is the Cybersecurity and Infrastructure Security Agency, known as CISA, introducing a proposed rule mandating that critical infrastructure entities report significant cyber incidents within 72 hours and ransom payments within 24 hours. So this is pretty huge, because we don't really have the data. We don't know how these critical infrastructures are getting attacked, if they're paying, if they're not paying. We're all kind of guessing. So it's gonna suck a little. Another checklist item while you're under attack. But it's going to help overall critical infrastructure stay secure. dogespan: Yeah, critical infrastructure definitely needs to be reporting that up as soon as possible. It's such a big deal. And I do like that they're imposing that on critical infrastructure. It's a really good step in the right direction. 72 hours? offsetkeyz: Yeah, that's a little generous, and yeah, there's a lot of conflicting feelings about this, especially if you're under ransomware attack. Attackers are telling you not to report it, attackers are saying they're going to shred your data, they're going to destroy it if you report it up, and when you're under attack, you're afraid, and you might have the money, and you might just pay them, and you might forget to report, and that might cause fines or whatever. So that's just one of the cons to this, but we really need this data. It's going to help keep critical infrastructure more secure. It looks like this rule is expected to affect over 316,000 entities with an estimated cost of 2.6 billion. There is some debate as to what qualifies as critical infrastructure, and I'm surprised that this guidance came out with gray area at all. It should be pretty exhaustive, but according to the article linked in the show notes, which we always encourage you to read for yourself (don't just listen to what we're saying as truth, go read it for yourself), the U.S. recognizes 16 critical infrastructure sectors, but debates continue about the scope of entities required to comply. For example, UnitedHealthcare Group qualifies under the current definitions, but the status of Change Healthcare, which was recently breached, is kind of gray. It's uncertain, which doesn't make sense to me. If there's uncertainty, people aren't going to report and then they're going to claim they didn't know. So let's figure that out. dogespan: Yeah, definitely like to see them move in the direction of just, when in doubt, report. Because if you're getting CISA involved, they're going to lend that expert help. If you're not equipped to do the investigation, you're better off just letting them know and cooperating with them. Even with ransomware and you going and paying it, you're hoping that they live up to their word? And that's a criminal. offsetkeyz: Yeah, exactly. It's a lesson in all facets of life, from big enterprises down to personal as well. If you need help, ask for it. If you did something wrong, tell the people it impacts. Any smart person receiving this information is going to try to help as hard as they can, and they're not going to hold it against you. Simply telling the truth always wins, so do it. dogespan: That's exactly what I tell my kids. offsetkeyz: And they need to hear it, and so do many others. dogespan: Alright, so the last one. Midnight Blizzard, also known as Nobelium, a Russian state-sponsored actor, got into Microsoft and they did so through the use of password sprays.
So password spray being they just go down the line hitting as many passwords as they can on any account and hoping for the best. Well, this was against Microsoft and it ended up being successful. Nobelium got access to a dev account, and this account ended up having elevated privileges. Throughout the stages of this attack, they ended up going up higher and higher and higher through privilege escalation. This one was a privileged account, but it was in a development environment. They ended up getting access to an account and started sending off phishing emails across the board to their executives. Well, they ended up getting a couple of hits, and there was no MFA on those higher-up accounts. That's probably the most shocking aspect of that. We know that. This was all previous information. So, what's happening now? Microsoft has gotten them out and they have been doing all their recursive investigations. So the evidence of this is that they got access to, well, source code and internal systems. Luckily, no customer-facing systems were compromised. They did have access to source code, but nothing customer related, so we are still in the clear. However, go change your passwords. Now, being that they've had access to this stuff, they've been able to start probing at systems a little bit more in depth, and these, well, Microsoft has noticed since this that password sprays have increased tenfold. offsetkeyz: What? Against Microsoft, or in general? dogespan: Probably Microsoft systems, since they have access to that kind of data, but they, it does say here that they are increasing their security investments. Good, good, good. Cross-enterprise coordination and enhanced defense capabilities against this persistent threat. So that sounds like they are working with customers to make sure that everybody's safe and sound. Good on them. Overall, I think they've done a good job with this response.
In recent weeks, they have seen that Midnight Blizzard is using the information that they originally exfiltrated to attempt to gain more unauthorized access. This comes from two different sources. One was directly from Microsoft's blog and then the other was a summary from The Hacker News. I like how The Hacker News has gone and broken it into little bits and kind of translated it, more targeted at a smaller organization and not so much, you know, how Microsoft got hit by this stuff. And one of the things that they mentioned is the importance of protecting all accounts. This ended up being an attack against a privileged developer account or a developer environment. And a lot of times what happens in larger organizations is you kind of create accounts, you create stuff, and it serves its purpose, and you never delete it. So it's super important to make sure that you either have good security on it in the first place, or you delete it as soon as you're done with it. Now, how does that translate to the regular user? You mentioned this in yesterday's podcast: when you're downloading an app for a single purpose, do you typically leave it on your system or do you delete it afterwards? One of the things that I try to think about is ordering food. A lot of them, you cannot order food through a web browser, unless you're actually, like, physically on a computer. It's going to be so persistent to try to get you to go to that app. A lot of times it won't even let you. Like, McDonald's is one of those good ones. You are automatically rerouted to that app. Every single time I download that app, order my food, pick up my food, and then I delete that app. And it's not so much that it's McDonald's, but you just don't know what else is involved in that. And McDonald's is all about food, not data security. offsetkeyz: No, I mean, they are a Fortune Five company, probably.
So hopefully they have a good security system, but yeah, you'd be surprised at the permissions the McDonald's app asks for. And Hawkrow Farmer and I were discussing this a week or two ago. When you're hungry, there is a serious sense of urgency. And attackers know under what circumstances there's a sense of urgency. So if you're on DoorDash and you're having a hard time getting the food, you might pivot over to some other delivery service by Googling it, clicking on an ad, and then downloading the app from that ad. Because you're really hungry and you're just trying to get your food. So now you've downloaded the wrong app, you create an account, username, same password you use on your bank, same email you use on your bank, they now have that, they go to your bank, they get you, whatever. Now you're in a proxy network because you left that app. There's so many bad things that happen, but, but the one thing about, that's a good example, doges, is urgency. And when you're hungry, things feel very urgent. dogespan: Very, very urgent. If an attacker has access to a password and it's associated with an email, they're going to try it anywhere and everywhere. And one of the key areas that they're going to try it is your email provider, because that is clear evidence that you have an account there. So that's the main takeaway from this, even on a large enterprise scale: all accounts need to be protected. [00:17:08] Personal Cybersecurity Tips & Encouragement dogespan: If you can't protect those accounts, use them for what you need to and remove them. Whether that's just getting an app on your phone or creating an account just for the purpose of ordering some food, delete it afterwards. offsetkeyz: Yeah, we'd like to just harp on not reusing passwords. Um, if someone can get into your email, they can reset any password on any account that you have, because, I mean, what's the first step? I think I talked about it in yesterday's episode.
When you click the reset password button, what does it do? It sends you an email to click on a link to go reset your password. And that's all it is. So if, if the attacker has access to your email address, they can reset any password, including your bank, including your Instagram. You know, the more I talk to people about password reuse and password managers and multifactor authentication, the more I'm met with fear and shame. Shame is really the key one, and the shame doesn't quite outweigh the fear. Like, it never is enough to get them going, but it is a negative feeling associated with passwords. And what I mean by that is people are just always ashamed that they haven't done this, or they haven't done that, whatever. They reuse their password. They're really ashamed. Well, this can serve as a good example for you that even executives at Microsoft haven't enabled multifactor authentication. You're doing okay. Just try to chip away at it, one piece at a time. Try to enable multifactor authentication. Don't surrender to the shame. dogespan: It doesn't have to be something that you, you know, you decide today when you wake up that I'm going to go enable MFA on all of my accounts. How I handle that is when I log in and I don't get prompted to authenticate myself, I think, is there a way to get MFA? Put a little sticky note somewhere that says, go check your security settings on this website when you're done with what you're doing. So you don't have to break focus, just real quick, security settings. Go back to it after you've checked your balance or whatever it is you went to. And then the next time you log into something else and you don't get prompted for MFA, offsetkeyz: It's a slow process, and that's okay. It's okay to be a slow process. Really focus on the important things to start, and the more you get going, the easier it gets. But right now, if you haven't started, it seems like it's going to be really painful, but think about it.
What happens when you accomplish really painful, really hard tasks? You get a flood of dopamine. Look forward to that dopamine hit when you actually enable MFA and change your password and download that password manager. It sounds impossible right now. It will feel so good. I still get that dopamine hit every time I make a little chip away at my security. dogespan: Leave a comment. Let us know that you did it and we will praise you. offsetkeyz: We will, we will. I'll make a freaking whole podcast episode about you. Dude, I was talking to my parents this week. Shout out to my parents. My dad, unprompted, made his first passkey for Amazon. dogespan: Oh. offsetkeyz: Yeah. And my dad is an electrical engineer and he actually informed me that he has some patents in encryption algorithms. And so I said, Dad, I don't know how passkeys work. I spent two hours banging my head against the desk trying to figure it out. So if you figure it out, I'm bringing you on the podcast. You get to explain it to my listeners. So, really excited. You guys get to meet my dad, but he was so excited when he enabled his passkey, and you too can share that joy. So yeah, to bring it back to the Microsoft thing, and I don't want to make this an ethics podcast per se, but it always, so, it ignites a fire within both me and dogespan, uh, just personal security and how easy it actually is, not to shame you by any means, but you can take certain easy steps to drastically improve your security. But Microsoft here is doing exactly what we were preaching in the previous segment, which is reporting things. They're doing a great job. They're saying they messed up and, hey, we're kind of on board. We're like, wow, great. Thank you so much. It's when, it's when companies try to hide it, like LastPass, for example.
Um, I was a diehard LastPass user and hey, LastPass is better than nothing, even still, but it was really the fact that they hid their breach and tried to downplay their breach that ultimately got me to switch off of LastPass. I think their service now is great. It's fine. I would trust it a lot. So if you have LastPass, great. But it's ultimately. the way that LastPass makes you feel. Like, no more warm fuzzies. More like cold sharpies. You know, it's just stabbing me when I think about LastPass. So, good on Microsoft for just reporting and continuing to uncover new things, and we can all learn something from them. I dogespan: close to a month now, about how consumers are actually taking that into consideration more and more. Where I was under the impression that it was just us tech nerds that were looking at it and going, ew, you got a, you got a breach and you didn't handle it poorly, but more consumers are looking at that and everybody is going to get hacked. If you haven't been hacked yet, you just don't know it. It has happened. Own up to it, it's fine. Handle it well. Go the appropriate steps. offsetkeyz: mean, this story is evidence of that more than anything, that Microsoft just got hacked. I mean, they, they made the, they made the first computer. They made the internet. So yeah, no shame, especially nowadays when the weekly breaches are, it's a very long list of breaches out there. I like this article from the Hacker News. Another great thing is it has a section titled defend against password spray attacks. and it has four actionable steps. I'm surprised multi factor authentication isn't the first one. Should be the first one. but if you're in an organization and you have access to the Active Directory domain controller or admin rights there, you can run password audits. Have any of the passwords for any account on your Active Directory shown up on the dark web? there's search engines that just list passwords on the dark web. 
There's search engines that list email addresses, which is probably more applicable for the day to day user, but you can just, yeah, search. I think it's even Have I Been Pwned. Like they have a password search feature and Have I Been Pwned has an API, so you can set up using an API and automate it. but that's something I haven't considered. is just audits. That could have saved it if they're unwilling to enable multi factor authentication. Multi factor authentication, we talk about it like it's a, like a silver bullet, but it is susceptible to attacks too, especially MFA bombing or MFA fatigue. The weakest link in anything, in anything security is the human element. So even if you have enabled MFA, You can still do these password audits. You can only secure yourself more. So yeah, that's, those are just some of the action items you can take either as an individual or as a corporation. And yeah, the point of bringing this up was just to kind of recap on this big attack and have a discussion. So, got anything else for us dogespan? dogespan: No. Get a password manager. offsetkeyz: And as always, get a password manager. I'm gonna, it's like a drinking game around my house. How many times do I say password manager in a night? And I'm heading to a bar after this where you better believe I will be talking about password managers. [00:24:57] Closing Thoughts & Thanks offsetkeyz: But that's all we got for you today. Thanks so much to Dogespan for coming back. We've missed you. Our editing software has missed you and we hope you'll be more of a frequent guest. Oh, he's back, baby. And I hope your work or organization place where you work lets you have Friday off like mine does. Uh, so TBD, if we'll have an episode tomorrow, probably because I'm an addict, but if we don't have a great weekend, we'll talk to you later.
Developed by Looking Glass Studios and published by Origin Systems for MS-DOS, Mac OS, and PC-98. In it, the player controls a hacker who is caught attempting to steal files from the TriOptimum Corporation and is taken to Citadel Station, where he cooperates with Edward Diego, an executive from the aforementioned company, to remove the ethical constraints of the station's AI, SHODAN, in exchange for a military-grade neural implant, for which the hacker is placed into a six-month coma. The game starts as the hacker awakens from his slumber to discover that SHODAN has commandeered the station. Hosted on Acast. See acast.com/privacy for more information.
In this episode of CISO Tradecraft, host G Mark Hardy delves into the critical subject of vulnerability management for cybersecurity leaders. The discussion begins with defining the scope and importance of vulnerability management, referencing Park Foreman's comprehensive approach that goes beyond mere patching to include identification, classification, prioritization, remediation, and mitigation of software vulnerabilities. Hardy emphasizes the necessity of a strategic vulnerability management program to prevent exploitation by bad actors, illustrating how vulnerabilities are exploited using tools like ExploitDB, Metasploit, and Shodan. He advises deploying a variety of scanning tools to uncover different types of vulnerabilities across operating systems, middleware applications, and application libraries. Highlighting the importance of prioritization, Hardy suggests focusing on internet-facing and high-severity vulnerabilities first and discusses establishing service level agreements for timely patching. He also covers optimizing the patching process, the significance of accurate metrics in measuring program effectiveness, and the power of gamification and executive buy-in to enhance security culture. To augment the listener's knowledge and toolkit, Hardy recommends further resources, including OWASP TASM and books on effective vulnerability management.
Transcripts: https://docs.google.com/document/d/13P8KsbTOZ6b7A7HDngk9Ek9FcS1JpQij
OWASP Threat and Safeguard Matrix: https://owasp.org/www-project-threat-and-safeguard-matrix/
Effective Vulnerability Management: https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207

Chapters
00:00 Introduction
00:56 Understanding Vulnerability Management
02:15 How Bad Actors Exploit Vulnerabilities
04:26 Building a Comprehensive Vulnerability Management Program
08:10 Prioritizing and Remediation of Vulnerabilities
13:09 Optimizing the Patching Process
15:28 Measuring and Improving Vulnerability Management Effectiveness
18:28 Gamifying Vulnerability Management for Better Results
20:38 Securing Executive Buy-In for Enhanced Security
21:15 Conclusion and Further Resources
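The episode summary above describes prioritizing internet-facing and high-severity findings first, attaching patching SLAs, and measuring the program with metrics. The following is an added example, not code from CISO Tradecraft or from the books linked, that shows one way to turn those three ideas into a small working tool. The SLA table, the asset names, the VULN-000x identifiers and the "as of" date are all constructed assumptions for the sample; a real program would load findings from its scanners and use its own SLA policy.

```python
"""Vulnerability prioritization with patch SLAs (added example, not from the episode).

Findings are ranked internet-facing first, then by severity, then by age,
and each one gets a remediation deadline from an assumed SLA table.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed SLA policy: days allowed to remediate, keyed by (internet_facing, severity).
# Illustrative numbers only; your programme's SLAs will differ.
SLA_DAYS = {
    (True, "critical"): 7,   (False, "critical"): 14,
    (True, "high"): 14,      (False, "high"): 30,
    (True, "medium"): 30,    (False, "medium"): 60,
    (True, "low"): 90,       (False, "low"): 180,
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str          # placeholder ids in the sample below, not real CVEs
    severity: str         # one of the keys of SEVERITY_RANK
    internet_facing: bool
    discovered: date


def sla_deadline(f: Finding) -> date:
    """Date by which the finding must be remediated under SLA_DAYS."""
    return f.discovered + timedelta(days=SLA_DAYS[(f.internet_facing, f.severity)])


def prioritize(findings):
    """Work order: internet-facing first, then severity, then oldest first."""
    return sorted(
        findings,
        key=lambda f: (not f.internet_facing, SEVERITY_RANK[f.severity], f.discovered),
    )


def overdue(findings, today: date):
    """Findings whose SLA deadline has already passed as of `today`."""
    return [f for f in findings if sla_deadline(f) < today]


def sla_compliance_rate(findings, today: date) -> float:
    """Share of open findings still inside their SLA window; a simple programme metric."""
    if not findings:
        return 1.0
    return 1 - len(overdue(findings, today)) / len(findings)


# Constructed sample inventory; asset names, ids and dates are made up.
SAMPLE_FINDINGS = [
    Finding("web-01",   "VULN-0001", "critical", True,  date(2024, 1, 2)),
    Finding("db-01",    "VULN-0002", "critical", False, date(2024, 1, 5)),
    Finding("jump-01",  "VULN-0003", "high",     True,  date(2024, 1, 10)),
    Finding("print-01", "VULN-0004", "low",      False, date(2023, 12, 1)),
]
AS_OF = date(2024, 1, 20)  # constructed "today" for the sample

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        status = "OVERDUE" if sla_deadline(f) < AS_OF else "within SLA"
        exposure = "internet" if f.internet_facing else "internal"
        print(f"{f.asset:9} {f.vuln_id} {f.severity:8} {exposure:8} "
              f"due {sla_deadline(f)} {status}")
    print(f"SLA compliance: {sla_compliance_rate(SAMPLE_FINDINGS, AS_OF):.0%}")
```

With the sample data the two critical findings are already past their deadlines on the chosen date, so the compliance metric reports 50%; the internet-facing high-severity item ranks above the internal critical one because exposure is the first sort key, which is the ordering the episode argues for.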
In this episode, we explore the link between technology and coercive control. We discuss how technology can be used as both a tool to perpetrate coercive control, as well as a resource for survivors of abuse to seek help and access support. To help us we welcome our special guest Dr Leonie Tanczer. Leonie is an Associate Professor in International Security and Emerging Technologies at University College London's Department of Computer Science. Her research addresses the interplay between gender, technology and abuse.

You can use the links below to access some of the resources we talk about in this episode, as well as some additional resources from our guest:

Resources:
The Refuge Chatbot: https://refuge.org.uk/news/72-of-refuge-service-users-identify-experiencing-tech-abuse/
Shodan: https://www.shodan.io/
The Keep App: https://www.thekeepapp.com/login
Bright Sky App: https://www.hestia.org/brightsky
Refuge resources on tech safety: https://refugetechsafety.org/
e-Safety for women: https://www.esafety.gov.au/women
Clinic to End Tech Abuse: https://www.ceta.tech.cornell.edu/
Strategic Threat and Risk Assessment of Violence Against Women and Girls Report: https://www.vkpp.org.uk/publications/publications-and-reports/reports/strategic-threat-and-risk-assessment-of-violence-against-women-and-girls/
Sign up to the Gender and Tech monthly newsletter here: https://www.ucl.ac.uk/computer-science/research/research-groups/gender-and-tech

Books:
Technology and Domestic and Family Violence: https://www.routledge.com/Technology-and-Domestic-and-Family-Violence-Victimisation-Perpetration/Harris-Woodlock/p/book/9780367521431
The Palgrave Handbook of Gendered Violence and Technology: https://link.springer.com/book/10.1007/978-3-030-83734-1

News articles:
The first UK prosecution for stalking using a smart device: https://www.manchestereveningnews.co.uk/news/greater-manchester-news/jealous-businessman-spied-ex-partner-14640719
Digital hashing used by companies to tackle revenge porn: https://www.cosmopolitan.com/uk/love-sex/sex/a42176939/bumble-tiktok-stopncii-non-consensual-intimate-image-abuse/

Academic Papers:
Tanczer, L. M., López-Neira, I., & Parkin, S. (2021). 'I feel like we're really behind the game': perspectives of the United Kingdom's intimate partner violence support sector on the rise of technology-facilitated abuse. Journal of Gender-Based Violence, 5(3), 431-450. Retrieved Jan 19, 2024, from https://doi.org/10.1332/239868021X16290304343529
Big thanks to Brilliant for sponsoring this video! First 200 people that sign up will get a special discount. Get started with a free 30 day trial and 20% discount: https://Brilliant.org/DavidBombal

// Free OSINT course //
Introduction to OSINT course: https://www.myosint.training/courses/...

// Griffin's Start me page //
Start me page: https://myosint.link/hatless or https://start.me/p/DPYPMz/the-ultimat...

// Course LINKS (Affiliate) //
All OSINT Course Bundle (all our OSINT courses for 1 price): https://www.myosint.training/bundles/...
Core OSINT courses in OSINT Immersion bundle: https://www.myosint.training/bundles/...

// Previous YouTube videos //
Deep Dive OSINT: • Deep Dive OSINT (Hacking, Shodan and ...
OSINT Social Media: • OSINT social media: Are you crazy to ...
OSINT tools to track you down: • OSINT tools to track you down. You ca...
OSINT: You can't hide: • OSINT: You can't hide // Your privacy...

// Micah Hoffman's SOCIAL //
X: / webbreacher
LinkedIn: / micahhoffman
Micah's Personal Blog: https://webbreacher.com

// Griffin Glynn's SOCIAL //
X: / hatless1der
LinkedIn: / griffin-g
Griffin's Personal Blog: https://hatless1der.com
Griffin's Start.me Resources: https://myosint.link/hatless or https://start.me/p/DPYPMz/the-ultimat...

// My OSINT Training SOCIAL //
OSINT Training: https://myosint.training
OSINT Newsletter: https://myosint.link/newsletter
X / Twitter: / myosinttrainer
LinkedIn: / my-osint-training
YouTube: / @myosinttraining

// Resources SHARED //
My OSINT Training (MOT) free courses:
Introduction to OSINT: https://www.myosint.training/courses/...
Careers Using OSINT Skills: https://www.myosint.training/courses/... or on YouTube: • Careers in OSINT
Griffin's Start.me page: https://myosint.link/hatless or https://start.me/p/DPYPMz/the-ultimat...
Newsletter – My OSINT News (through My OSINT Training): https://myosint.link/newsletter (https://link.myosint.training/my-osin...)

// Books REFERENCE //
Deep Dive by Rae Baker: https://amzn.to/3tWocvg
OSINT Techniques: Resources for Uncovering Online Information by Michael Bazzell: https://amzn.to/3O6Ljdj

// David's SOCIAL //
Discord: / discord
X / Twitter: / davidbombal
Instagram: / davidbombal
LinkedIn: / davidbombal
Facebook: / davidbombal.co
TikTok: / davidbombal
YouTube: / @davidbombal

// MY STUFF //
https://www.amazon.com/shop/davidbombal

// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com

Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!

#osint #cyber #privacy
SS VENTURA - Old School [shodan records]
FULL FUNKTION - Kushiro (Jonno & Gibson Remix) [shodan records]
HORATIO - J From Jumper [shodan records]
HORATIO - Midnight Acid [shodan records]
JONNO & GIBSON - Project 1 [shodan records]
SYM - Stubborn To The Bone [shodan records]
KAMIL VAN DERSON - Masters [shodan records]
18 EAST AND MIKE TURING - Medieval Warrior [shodan records]
HORATIO & KRYOMAN - Washing Machine [shodan records]
BELIAAL - Secret [shodan records]
JUST FRANK & SENTINEL GLITCH - La Farra [shodan records]
RIZA GOBELEZ & MERTENS - Scent [shodan records]
SEBASTIAN HOOFT - Les Girls [shodan records]
VOIDMAN - Insurrection [shodan records]
RAMON CASTELLS & ANNA FERRIS - Sweet Poison [shodan records]
During this episode, I'm going to share a lesson I gave at the dojo during a recent Black Belt testing. The lesson is based on the answer to a progress-related question posed to one of the Shodan candidates and, while it was well-intentioned, his answer pointed to a HUGE misconception for many in the realms […]
In this episode we sat down with Anahita Nayebi and talked about having a DREAM, and about how one can want differently and act differently. My telegram: @kooshgood Insta: @kooshgood Guest insta: @anahithoor
Alex Lawrence, Field CISO at Sysdig, joins Corey on Screaming in the Cloud to discuss how he went from studying bioluminescence and mycology to working in tech, and his stance on why open source is the future of cloud security. Alex draws an interesting parallel between the creative culture at companies like Pixar and the iterative and collaborative culture of open-source software development, and explains why iteration speed is crucial in cloud security. Corey and Alex also discuss the pros and cons of having so many specialized tools that tackle specific functions in cloud security, and the different postures companies take towards their cloud security practices.

About Alex
Alex Lawrence is a Field CISO at Sysdig. Alex has an extensive history working in the datacenter as well as with the world of DevOps. Prior to moving into a solutions role, Alex spent a majority of his time working in the world of OSS on identity, authentication, user management and security. Alex's educational background has nothing to do with his day-to-day career; however, if you'd like to have a spirited conversation on bioluminescence or fungus, he'd be happy to oblige.

Links Referenced:
Sysdig: https://sysdig.com/
sysdig.com/opensource: https://sysdig.com/opensource
falco.org: https://falco.org

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. This promoted guest episode is brought to us by our friends over at Sysdig, and they have brought to me Alexander Lawrence, who's a principal security architect over at Sysdig.
Alexander, thank you for joining me.

Alex: Hey, thanks for having me, Corey.

Corey: So, we all have fascinating origin stories. Invariably you talk to someone, no one in tech emerged fully-formed from the forehead of some God. Most of us wound up starting off doing this as a hobby, late at night, sitting in the dark, rarely emerging. You, on the other hand, studied mycology, so watching the rest of us sit in the dark and growing mushrooms was basically how you started, is my understanding of your origin story. Accurate, not accurate at all, or something in between?

Alex: Yeah, decently accurate. So, I was in school during the wonderful tech bubble burst, right, high school era, and I always told everybody, there's no way I'm going to go into technology. There's tons of people out there looking for a job. Why would I do that? And let's face it, everybody expected me to, so being an angsty teenager, I couldn't have that. So, I went into college looking into whatever I thought was interesting, and it turned out I had a predilection to go towards fungus and plants.

Corey: Then you realized some of them glow and that wound up being too bright for you, so all right, we're done with this; time to move into tech?

Alex: [laugh]. Strangely enough, my thesis, my capstone, was on the coevolution of bioluminescence across aquatic and terrestrial organisms. And so, did a lot of focused work on specifically bioluminescent fungus and bioluminescing fish, like Photoblepharon palpebratus and things like that.

Corey: When I talk to people who are trying to figure out, okay, I don't like what's going on in my career, I want to do something different, and their assumption is, oh, I have to start over at square one. It's no, find the job that's halfway between what you're doing now and what you want to be doing, and make lateral moves rather than starting over five years in or whatnot.
But I have to wonder, how on earth did you go from A to B in this context?

Alex: Yeah, so I had always done tech. My first job really was in tech at the school districts that I went to in high school. And so, I went into college doing tech. I volunteered at the ELCA and other organizations doing tech, and so it basically funded my college career. And by the time I finished up through grad school, I realized my life was going to be writing papers so that other people could do the research that I was coming up with, and I thought that sounded like a pretty miserable life.

And so, it became a hobby, and the thing I had done throughout my entire college career was technology, and so that became my new career and vocation. So, I was kind of doing both, and then ended up landing in tech for the job market.

Corey: And you've effectively moved through the industry to the point where you're now in security architecture over at Sysdig, which, when I first saw Sysdig launch many years ago, it was, this is an interesting tool. I can see observability stories, I can see understanding what's going on at a deep level. I liked it as a learning tool, frankly. And it makes sense, with the benefit of hindsight, that oh, yeah, I suppose it does make some sense that there are security implications thereof. But one of the things that you've said that I really want to dig into that I'm honestly in full support of because it'll irritate just the absolute worst kinds of people is—one of the core beliefs that you espouse is that security when it comes to cloud is inherently open-source-based or at least derived. I don't want to misstate your position on this. How do you view it?

Alex: Yeah. Yeah, so basically, the stance I have here is that the future of security in cloud is open-source.
And the reason I say that is that it's a bunch of open standards that have basically produced a lot of the technologies that we're using in that stack, right, your web servers, your automation tooling, all of your different components are built on open stacks, and people are looking to other open tools to augment those things. And the reality is, is that the security environment that we're in is changing drastically in the cloud as opposed to what it was like in the on-premises world. On-prem was great—it still is great; a lot of folks still use it and thrive on it—but as we look at the way software is built and the way we interface with infrastructure, the cloud has changed that dramatically.

Basically, things are a lot faster than they used to be. The model we have to use in order to make sure our security is good has dramatically changed, right, and all that comes down to speed and how quickly things evolve. I tend to take a position that one single brain—one entity, so to speak—can't keep up with that rapid evolution of things. Like, a good example is Log4j, right? When Log4j hit this last year, that was a pretty broad attack that affected a lot of people. You saw open tooling out there, like Falco and others, they had a policy to detect and help triage that within a couple of hours of it hitting the internet. Other proprietary tooling, it took much longer than two hours.

Corey: Part of me wonders what the root cause behind that delay is because it's not that the engineers working at these companies are somehow worse than folks in the open communities. In some cases, they're the same people. It feels like it's almost corporate process ossification of, "Okay, we built a thing. Now, we need to make sure it goes through branding and legal and marketing and we need to bring in 16 other teams to make this work." Whereas in the open-source world, it feels like there's much more of a, "I push the deploy button and it's up. The end." There is no step two.

Alex: [laugh].
Yeah, so there is certainly a certain element of that. And I think it's just the way different paradigms work. There's a fantastic book out there called Creativity, Inc., and it's basically a book about how Pixar manages itself, right? How do they deal with creating movies? How do they deal with doing what they do, well?

And really, what it comes down to is fostering a culture of creativity. And that typically revolves around being able to fail fast, take risks, see if it sticks, see if it works. And it's not that corporate entities don't do that. They certainly do, but again, if you think about the way the open-source world works, people are submitting, you know, PRs, pull requests, they're putting out different solutions, different fixes to problems, and the ones that end up solving it the best are often the ones that end up coming to the top, right? And so, it's just—the way you iterate is much more akin to that kind of creativity-based mindset that I think you get out of traditional organizations and corporations.

Corey: There's also, I think—I don't know if this is necessarily the exact point, but it feels like it's at least aligned with it—where there was for a long time—by which I mean, pretty much 40 years at this point—a debate between open disclosure and telling people of things that you have found in vendors' products versus closed disclosure; you only wind—or whatever the term is where you tell the vendor, give them time to fix it, and it gets out the door. But we've seen again and again and again, where researchers find something, report it, and then it sits there, in some cases for years, but then when it goes public and the company looks bad as a result, they scramble to fix it.
I wish it were not this way, but it seems that in some cases, public shaming is the only thing that works to get companies to secure their stuff.

Alex: Yeah, and I don't know if it's public shaming, per se, that does it, or it's just priorities, or it's just, you know, however it might go, there's always been this notion of, "Okay, we found a breach. Let's disclose appropriately, you know, between two entities, give time to remediate." Because there is a potential risk that if you disclose publicly that it can be abused and used in very malicious ways—and we certainly don't want that—but there also is a certain level of onus once the disclosure happens privately that we got to go and take care of those things. And so, it's a balancing act.

I don't know what the right solution is. I mean, if I did, I think everybody would benefit from things like that, but we just don't know the proper answer. The workflow is complex, it is difficult, and I think doing our due diligence to make sure that we disclose appropriately is the right path to go down. When we get those disclosures we need to take them seriously is what it comes down to.

Corey: What I find interesting is your premise that the future of cloud security is open-source. Like, I could make a strong argument that today, we definitely have an open-source culture around cloud security and need to, but you're talking about that shifting along the fourth dimension. What's the change? What do you see evolving?

Alex: Yeah, I think for me, it's about the collaboration. I think there are segments of industries that communicate with each other very, very well, and I think there's others who do a decent job, you know, behind closed doors, and I think there's others, again, that don't communicate at all.
So, all of my background predominantly has been in higher-ed, K-12, academia, and I find that a lot of those organizations do an extremely good job of partnering together, working together to move towards, kind of, a greater good, a greater goal. An example of that would be a group out in the Pacific Northwest called NWACC—the NorthWest Academic Computing Consortium. And so, it's every university in the Northwest all come together to have CIO Summits, to have Security Summits, to trade knowledge, to work together, basically, to have a better overall security posture.

And they do it pretty much out in the open and collaborating with each other, even though they are also direct competitors, right? They all want the same students. It's a little bit of a different way of thinking, and they've been doing it for years. And I'm finding that to be a trend that's happening more and more outside of just academia. And so, when I say the future is open, if you think about the tooling academia typically uses, it is very open-source-oriented, it is very collaborative.

There's no specifications on things like eduPerson to be able to go and define what a user looks like. There's things like, you know, CAS and Shibboleth to do account authorization and things like that. They all collaborate on tooling in that regard. We're seeing more of that in the commercial space as well. And so, when I say the future of security in cloud is open-source, it's models like this that I think are becoming more and more effective, right?

It's not just the larger entities talking to each other. It's everybody talking with each other, everybody collaborating with each other, and having an overall better security posture. The reality is, is that the folks we're defending ourselves against, they already are communicating, they already are using that model to work together to take down who they view as their targets: us, right? We need to do the same to be able to keep up.
We need to be able to have those conversations openly, work together openly, and be able to set that security posture across that kind of overall space.

Corey: There's definitely a concern that if okay, you have all these companies and community collaborating around security aspects in public, that well won't the bad actors be able to see what they're looking at and how they're approaching it and, in some cases, move faster than they can or, in other cases, effectively wind up polluting the conversation by claiming to be good actors when they're not. And there's so many different ways that this can manifest. It feels like fear is always the thing that stops people from going down this path, but there is some instance of validity to that I would imagine.

Alex: Yeah, no. And I think that certainly is true, right? People are afraid to let go of, quote-unquote, "The keys to their kingdom," their security posture, their things like that. And it makes sense, right? There's certain things that you would want to not necessarily talk about openly, like, specifically, you know, what Diffie–Hellman key exchange you're using or something like that, but there are ways to have these conversations about risks and posture and tooling and, you know, ways you approach it that help everybody else out, right?

If someone finds a particularly novel way to do a detection with some sort of piece of tooling, they probably should be sharing that, right? Let's not keep it to ourselves. Traditionally, just because you know the tool doesn't necessarily mean that you're going to have a way in. Certainly, you know, it can give you a path or a vector to go after, but if we can at least have open standards about how we implement and how we can go about some of these different concepts, we can all gain from that, so to speak.

Corey: Part of me wonders if the existing things that the large companies are collaborating on lead to a culture that specifically pushes back against this.
A classic example from my misspent youth is that an awful lot of the anti-abuse departments at these large companies are in constant communication. Because if you work at Microsoft, or Google or Amazon, your adversary, as you see it, in the Trust and Safety Group is not those other companies. It's bad actors attempting to commit fraud. So, when you start seeing particular bad actors emerging from certain parts of the network, sharing that makes everything better because there's an understanding there that it's not, "Oh, Microsoft has bad security this week," or, "Google will wind up approving fraudulent accounts that start spamming everyone."

Because the takeaway by the customers is not that this one company is bad; it's oh, the cloud isn't safe. We shouldn't use cloud. And that leads to worse outcomes for basically everyone. But they're als—one of the most carefully guarded secrets at all these companies is how they do fraud prevention and spam detection because if adversaries find that out, working around them becomes a heck of a lot easier. I don't know, for example, how AWS determines whether a massive account overage in a free-tier account is considered to be a bad actor or someone who made a legitimate mistake. I can guess, but the actual signal that they use is something that they would never in a million years tell me. They probably won't even tell each other specifics of that.

Alex: Certainly, and I'm not advocating that they let all of the details out, per se, but I think it would be good to be able to have more of an open posture in terms of, like, you know what tooling do they use? How do they accomplish that feat? Like, are they looking at a particular metric? How do they basically handle that posture going forward?
Like, what can I do to replicate a similar concept?

I don't need to know all the details, but would be nice if they embrace, you know, open tooling, like say a Trivy or a Falco or whatever the thing is, right, they're using to do this process and then contribute back to that project to make it better for everybody. When you kind of keep that stuff closed-source, that's when you start running into that issue where, you know, they have that, quote-unquote, "Advantage," that other folks aren't getting. Maybe there's something we can do better in the community, and if we can all be better, it's better for everybody.

Corey: There's a constant customer pain in the fact that every cloud provider, for example, has its own security perspective—the way that identity is managed, the way that security boundaries exist, the way that telemetry from these things winds up getting represented—where a number of companies that are looking at doing things that have to work across cloud for a variety of reasons—some good, some not so good—have decided that, okay, we're just going to basically treat all these providers as, more or less, dumb pipes and dumb infrastructure. Great, we're just going to run Kubernetes on all these things, and then once it's inside of our cluster, then we'll build our own security overlay around all of these things. They shouldn't have to do that. There should be a unified set of approaches to these things. At least, I wish there were.

Alex: Yeah, and I think that's where you see a lot of the open standards evolving. A lot of the different CNCF projects out there are basically built on that concept. Like, okay, we've got Kubernetes. We've got a particular pipeline, we've got a particular type of implementation of a security measure or whatever it might be.
And so, there's a lot of projects built around how do we standardize those things and make them work cross-functionally, regardless of where they're running.

It's actually one of the things I quite like about Kubernetes: it makes it be a little more abstract for the developers or the infrastructure folks. At one point in time, you had your on-premises stuff and you built your stuff towards how your on-prem looked. Then you went to the cloud and started building yourself to look like what that cloud looked like. And then another cloud showed up and you had to go use that one. Got to go refactor your application to now work in that cloud.

Kubernetes has basically become, like, this gigantic API ball to interface with the clouds, and you don't have to build an application four different ways anymore. You can build it one way and it can work on-prem, it can work in Google, Azure, IBM, Oracle, you know, whoever, Amazon, whatever it needs to be. And then that also enables us to have a standard set of tools. So, we can use things like, you know, Rego or we can use things like Falco or we can use things that allow us to build tooling to secure those things the same way everywhere we go. And the benefit of most of those tools is that they're also configured, you know, via some level of codification, and so we can have a repository that contains our posture: apply that posture to that cluster, apply it to the other cluster in the other environment. It allows us to automate these things, go quicker, build the posture at the very beginning, along with that application.

Corey: One of the problems I feel as a customer is that so many of these companies have a model for interacting with security issues that's frankly obnoxious.
I am exhausted by the amount of chest-thumping you'll see on keynote stages, all of the theme, "We're the best at security." And whenever a vulnerability researcher reports something of a wide variety of different levels of severity, it always feels like the first concern from the company is not fix the issue, but rather, control the messaging around it.

Whenever there's an issue, it's very clear that they will lean on people to rephrase things, not use certain words. It's, I don't know if the words used to describe this cross-tenant vulnerability are the biggest problem you should be focusing on right now. Yes, I understand that you can walk and chew gum at the same time as a big company, but it almost feels like the researchers are first screaming into a void, and then they're finally getting attention, but from all the people they don't want to get the attention from. It feels like this is not a welcoming environment for folks to report these things in good faith.

Alex: [sigh]. Yeah, it's not. And I don't know what the solution is to that particular problem. I have opinions about why that exists. I won't go into those here, but it's cumbersome. It's difficult. I don't envy a lot of those research organizations.

They're fantastic people coming up with great findings, they find really interesting stuff that comes out, but when you have to report and do that due diligence, that portion is not that fun. And then doing, you know, the fallout component, right: okay, now we have this thing we have to report, we have to go do something to fix it, you're right. I mean, people do often get really spun up on the verbiage or the implications and not just go fix the problem.
And so again, if you have ways to mitigate that are more standards-based, that aren't specific to a particular cloud, like, you can use an open-source tool to mitigate, that can be quite the advantage.Corey: One of the challenges that I see across a wide swath of tooling and approaches to it have been that when I was trying to get some stuff to analyze CloudTrail logs in my own environment, I was really facing a bimodal distribution of options. On one end of the spectrum, it's a bunch of crappy stuff—or good stuff; hard to say—but it's all coming off of GitHub, open-source, build it yourself, et cetera. Good luck. And that's okay, awesome, but there's business value here and I'm thrilled to pay experts to make this problem go away.The other end of the spectrum is commercial security tooling, and it is almost impossible in my experience to find anything that costs less than $1,000 a month to start providing insight from a security perspective. Now, I understand the market forces that drive this. Truly I do, and I'm sympathetic to them. It is just as easy to sell $50,000 worth of software as it is five to an awful lot of companies, so yeah, go where the money is. But it also means that the small end of the market as hobbyists, as startups are just getting started, there is a price barrier to engaging in the quote-unquote, “Proper way,” to do security.So, the posture suffers. We'll bolt security on later when it becomes important is the philosophy, and we've all seen how well that plays out in the fullness of time. How do you square that circle? I think the answer has to be open-source improving to the point where it's not just random scripts, but renowned projects.Alex: Correct, yeah, and I'd agree with that. And so, we're kind of in this interesting phase. So, if you think about, like, raw Linux applications, right, Linux, always is the tenant that you build an application to do one thing, does that one thing really, really, really well. 
And then you ended up with this thing called, like, you know, the Cacti monitoring stack. And so, you ended up having, like, 600 tools you strung together to get this one monitoring function done.We're kind of in a similar spot in a lot of ways right now, in the open-source security world where, like, if you want to do scanning, you can do, like, Clair or you can do Trivy or you have a couple different choices, right? If you want to do posture, you've got things like Qbench that are out there. If you want to go do runtime security stuff, you've got something like Falco. So, you've got all these tools to string together, right, to give you all of these different components. And if you want, you can build it yourself, and you can run it yourself and it can be very fun and effective.But at some point in your life, you probably don't want to be care-and-feeding your child that you built, right? It's 18 years later now, and you want to go back to having your life, and so you end up buying a tool, right? That's why Gartner made this whole CNAP category, right? It's this humongous category of products that are putting all of these different components together into one gigantic package. And the whole goal there is just to make lives a little bit easier because running all the tools yourself, it's fun, I love it, I did it myself for a long time, but eventually, you know, you want to try to work on some other stuff, too.Corey: At one point, I wound up running the numbers of all of the first-party security offerings that AWS offered, and for most use cases of significant scale, the cost for those security services was more than the cost of the theoretical breach that they'd be guarding against. And I think that there's a very dangerous incentive that arises when you start turning security observability into your own platform as a profit center. 
Because it's, well, we could make a lot of money if we don't actually fix the root issue and just sell tools to address and mitigate some of it—not that I think that's the intentional direction that these companies are taking these things and I don't want to ascribe malice to them, but you can feel that start to be the trend that some decisions get pushed in.Alex: Yeah, I mean, everything comes down to data, right? It has to be stored somewhere, processed somewhere, analyzed somewhere. That always has a cost with it. And so, that's always this notion of the shared security model, right? We have to have someone have ownership over that data, and most of the time, that's the end-user, right? It's their data, it's their responsibility.And so, these offerings become things that they have that you can tie into to work within the ecosystem, work within their infrastructure to get that value out of your data, right? You know, where is the security model going? Where do I have issues? Where do I have misconfigurations? But again, someone has to pay for that processing time. And so, that ends up having a pretty extreme cost to it.And so, it ends up being a hard problem to solve. And it gets even harder if you're multi-cloud, right? You can't necessarily use the tooling of AWS inside of Azure or inside of Google. And other products are trying to do that, right? They're trying to be able to let you integrate their security center with other clouds as well.And it's kind of created this really interesting dichotomy where you almost have frenemies, right, where you've got, you know, a big Azure customer who's also a big AWS customer. Well, they want to go use Defender on all of their infrastructure, and Microsoft is trying to do their best to allow you to do that. Conversely, not all clouds operate in that same capacity. And you're correct, they all come at extremely different costs, they have different price models, they have different ways of going about it. 
And it becomes really difficult to figure out what is the best path forward.Generally, my stance is anything is better than nothing, right? So, if your only choice is using Defender to do all your stuff and it cost you an arm or leg, unfortunate, but great; at least you got something. If the path is, you know, go use this random open-source thing, great. Go do that. Early on, when I'd been at—was at Sysdig about five years ago, my big message was, you know, I don't care what you do. At least scan your containers. If you're doing nothing else in life, use Clair; scan the darn things. Don't do nothing.That's not really a problem these days, thankfully, but now we're more to a world where it's like, well, okay, you've got your containers, you've got your applications running in production. You've scanned them, that's great, but you're doing nothing at runtime. You're doing nothing in your posture world, right? Do something about it. So, maybe that is buy the enterprise tool from the cloud you're working in, buy it from some other vendor, use the open-source tool, do something.Thankfully, we live in a world where there are plenty of open tools out there we can adopt and leverage. You used the example of CloudTrail earlier. I don't know if you saw it, but there was a really, really cool talk at SharkFest last year from Gerald Combs where they leveraged Wireshark to be able to read CloudTrail logs. Which I thought was awesome.Corey: That feels more than a little bit ridiculous, just because it's—I mean I guess you could extract the JSON object across the wire then reassemble it. But, yeah, I need to think on that one.Alex: Yeah. So, it's actually really cool. They took the plugins from Falco that exist and they rewired Wireshark to leverage those plugins to read the JSON data from the CloudTrail and then wired it into the Wireshark interface to be able to do a visual inspect of CloudTrail logs. 
So, just like you could do, like, a follow this IP with a PCAP, you could do the same concept inside of your cloud log. So, if you look up Logray, you'll find it on the internet out there. You'll see demos of Gerald showing it off. It was a pretty darn cool way to use a visualization, let's be honest, most security professionals already know how to use in a more modern infrastructure.Corey: One last topic that I want to go into with you before we call this an episode is something that's been bugging me more and more over the years—and it annoyed me a lot when I had to deal with this stuff as a SOC 2 control owner and it's gotten exponentially worse every time I've had to deal with it ever since—and that is the seeming view of compliance and security as being one and the same, to the point where in one of my accounts that I secured rather well, I thought, I installed security hub and finally jumped through all those hoops and paid the taxes and the rest and then waited 24 hours to gather some data, then 24 hours to gather more. Awesome. Applied the AWS-approved a foundational security benchmark to it and it started shrieking its bloody head off about all of the things that were insecure and not configured properly. One of them, okay, great, it complained that the ‘Block all S3 Public Access' setting was not turned on for the account. So, I turned that on. Great.Now, it's still complaining that I have not gone through and also enabled the ‘Block Public Access Setting' on each and every S3 bucket within it. That is not improving your security posture in any meaningful way. That is box-checking so that someone in a compliance role can check that off and move on to the next thing on the clipboard. Now, originally, they started off being good-intentioned, but the result is I'm besieged by these things that don't actually matter and that means I'm not going to have time to focus on the things that actually do. 
Please tell me I'm wrong on some of this.Alex: [laugh].Corey: I really need to hear that.Alex: I can't. Unfortunately, I agree with you that a lot of that seems erroneous. But let's be honest, auditors have a job for a reason.Corey: Oh, I'm not besmirching the role of the auditor. Far from it. The problem I run into is that it's the Human Nessus report that dumps out, “Here's the 700 things to go fix in your environment,” as opposed to, “Here's the five things you can do right now that will meaningfully improve your security posture.”Alex: Yeah. And so, I think that's a place we see a lot of vendors moving, and I think that is the right path forward. Because we are in a world where we generate reports that are miles and miles long, we throw them over a wall to somebody, and that person says, “Are you crazy?” Like, “You want me to go do what with my time?” Like, “No. I can't. No. This is way too much.”And so, if we can narrow these things down to what matters the most today, and then what can we get rid of tomorrow, that makes life better for everybody. There are certainly ways to accomplish that across a lot of different dimensions, be that vulnerability management, or configuration management stuff, runtime stuff, and that is certainly the way we should approach it. Unfortunately, not all frameworks allow us to look at it that way.Corey: I mean, even AWS's thing here is yelling at me for a number of services not having encryption-at-rest turned on, like CloudTrail logs, or SNS topics. It's okay, let's be very clear what that is defending against: someone stealing drives out of a data center and taking them off to view the data. Is that something that I need to worry about in a public cloud provider context? Not unless I'm the CIA or something pretty close to that. I mean, if you can get my data out of an AWS data center and survive, congratulations, I kind of feel like you've earned it at this point. 
But that obscures things I need to be doing that I'm not.Alex: Back in the day, I had a customer who used to have—they had storage arrays and their storage arrays' logins were the default login that they came with the array. They never changed it. You just logged in with admin and no password. And I was like, “You know, you should probably fix that.” And he sent a message back saying, “Yeah, you know, maybe I should, but my feeling is that if it got that far into my infrastructure where they can get to that interface, I'm already screwed, so it doesn't really matter to me if I set that admin password or not.”Corey: Yeah, there is a defense-in-depth argument to be made. I am not disputing that, but the Cisco world is melting down right now because of a bunch of very severe vulnerabilities that have been disclosed. But everything to exploit these things always requires, well you need access to the management interface. Back when I was a network administrator at Chapman University in 2006, even then, I knew, “Well, we certainly don't want to put the management interfaces on the same VLAN that's passing traffic.”So, is it good that there's an unpatched vulnerability there? No, but Shodan, the security vulnerability search engine shows over 80,000 instances that are affected on the public internet. It would never have occurred to me to put the management interface of important network gear on the public internet. That just is… I don't understand that.Alex: Yeah.Corey: So, on some level, I think the lesson here is that there's always someone who has something else to focus on at a given moment, and… where it's a spectrum: no one is fully secure, but ideally, you don't want to be the lowest of low-hanging fruit.Alex: Right, right. I mean, if you were fully secure, you'd just turn it off, but unfortunately, we can't do that. We have to have it be accessible because that's our jobs. And so, if we're having it be accessible, we got to do the best we can. 
And I think that is a good point, right? Not being the worst should be your goal, at the very, very least.Doing bare minimums, looking at those checks, deciding if they're relevant for you or not, just because it says the configuration is required, you know, is it required in your use case? Is it required for your requirements? Like, you know, are you a FedRAMP customer? Okay, yeah, it's probably a requirement because, you know, it's FedRAMP. They're going to tell you got to do it. But is it your dev environment? Is it your demo stuff? You know, where does it exist, right? There's certain areas where it makes sense to deal with it and certain areas where it makes sense to take care of it.Corey: I really want to thank you for taking the time to talk me through your thoughts on all this. If people want to learn more, where's the best place for them to find you?Alex: Yeah, so they can either go to sysdig.com/opensource. A bunch of open-source resources there. They can go to falco.org, read about the stuff on that site, as well. Lots of different ways to kind of go and get yourself educated on stuff in this space.Corey: And we will, of course, put links to that into the show notes. Thank you so much for being so generous with your time. I appreciate it.Alex: Yeah, thanks for having me. I appreciate it.Corey: Alexander Lawrence, principal security architect at Sysdig. I'm Cloud Economist Corey Quinn, and this episode has been brought to us by our friends, also at Sysdig. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an insulting comment that I will then read later when I pick it off the wire using Wireshark.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. 
The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
Podcast: (CS)²AI Podcast Show: Control System Cyber Security
Episode: Encore: Leveraging Your Military Career to Carve Out a Cyber Security Career with Dr. Michael Chipley
Pub date: 2023-10-03

Dr. Michael Chipley, the Founder and President of the PMC Group, is the guest for today's podcast.

Dr. Chipley has over 30 years of consulting experience in the areas of Program and Project Management, Cybersecurity, Energy and Environmental (LEED, Energy Star, and Carbon Footprint); Critical Infrastructure Protection and Analysis; Building Information Modeling (BIM) Technology; Base Realignment and Closure (BRAC), and Emergency Management/Disaster Recovery. Dr. Chipley served 24 years as a Civil Engineer in the US Air Force and has been consulting since 2001. He is a former adjunct faculty member at George Mason University, where he taught the Infrastructure Security Engineering, Building Security, and Building Information Modeling courses.

Dr. Chipley grew up on a farm in Oregon. He is a long-time contributor to cybersecurity for control systems, civil engineer, US Air Force veteran, husband, father, grandfather, outdoor enthusiast, and wine enthusiast. He joins Derek Harp today to discuss his military background and career journey and share his insights and advice. You will not want to miss this episode if you are leaving the military and considering a career in cybersecurity. Stay tuned to hear Dr. Chipley's story and benefit from his breadth of experience!

Show highlights:
What Dr. Chipley did and studied during the 24 years he spent in the military.
Dr. Chipley talks about Shodan.io and what it can do.
Some advice about skills and opportunities in the control systems space.
How Dr. Chipley benefited from joining the military.
Why you can never stop learning in the control systems world.
Why women tend to excel in the cyber field.
How students can find opportunities to join internship programs.
Potential challenges that people in cybersecurity could face.
Some of the projects with which Dr. Chipley is currently involved.
What can young people do to add to their knowledge and education to increase their value five years from now?

Links and resources:
(CS)²AI
The PMC Group
Michael Chipley on LinkedIn
Good morning, beautiful souls,

Can you feel it? That familiar pulse of excitement that graces us every Wednesday at 6 AM CET? Yes, it's our sacred time to unite again through The Midnight Project, a sanctuary where we embrace the rhythmic heartbeat of techno intertwined with the essence of health and harmony.

This week, I am eager to embark on this journey with you, beginning with a piece very dear to me, "Crest." I am beyond excited to let you experience it firsthand before its grand unveiling on Shodan this September 25th.

As we drift through this curated haven of sound, we encounter creators who are not merely musicians but narrators of the techno chronicle, echoing the genre's distinct spirit and pulse in every beat they craft. Talents such as Nicolas Taboada, Perpetual Universe, and the indomitable Tiger Stripes alongside Oscar Escapa craft experiences beyond just music; they are a pulse, a heartbeat, a journey.

In this curated collection of artistry, I couldn't pass the opportunity to share a fascinating tidbit about Tiger Stripes. Did you know that apart from creating reverberating techno tracks, he has a deep love for Jazz music? This fusion of love for different genres brings a distinct richness to his creations, a richness that we get to explore in this episode through "The Answer."

This communion we share transcends beats and rhythms; it's a testament to the vital force of techno, a rhythm that flows in us, nurturing our being, kindling a spirit of joy, and fostering a community bound by love for music and the ardency to live a balanced, healthy life.

So, with hearts full of anticipation and spirits alight with the vibrancy of techno, let's step into another week of exploration, music, and harmony. Here's to the joy of being, the pulse of techno, and the vibrant connection we share in this musical haven we call The Midnight Project.

See you on the dance floor of life,
Sebastiaan Hooft
Podcast: Unsolicited Response
Episode: Interview with HD Moore
Pub date: 2023-07-26

HD Moore is most famous for his creation of the Metasploit penetration testing framework. It began in 2003 and hit the OT world in 2011. HD is now the Founder and CTO of RunZero, another cybersecurity startup that is starting to play in the OT Space. In this episode we spend the first third of the show talking about Metasploit ... early reaction, OT modules, is Metasploit still necessary and useful today. We then shift to creating asset inventories in IT and OT, which is what RunZero does. Why HD decided to run back into the cybersecurity startup world. How it started as a solo shop with HD writing all the code. How HD thinks Shodan and RunZero are different. What technique does RunZero use to 'scan', a term that many fear in OT. Check out their approach to 'fragile devices'. The OT reaction to this type of scanning. What role uses the RunZero product?

Links
RunZero website
S4x24 Call For Presentations
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Shodan's API for the (Recon) Win! https://isc.sans.edu/diary/Shodan%27s%20API%20For%20The%20%28Recon%29%20Win!/30050
Stolen Microsoft Key May Have Opened Up a lot more than US Government E-Mail Inboxes https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr https://www.theregister.com/2023/07/21/microsoft_key_skeleton/
Okta Logs Decoded https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/
Threat Actors Exploiting Citrix CVE-2023-3519 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a https://github.com/securekomodo/citrixInspector
Want more detail than Shodan queries? Need to figure out which devices have that new critical vuln and are exposed to the internet? Creator of Intrigue.io, Jcran discusses his creation and touches on the topics of digital fingerprinting and discovery tools.
This week, we take a deep look at "System Shock," one of the most legendary game design feats of all time. Was 30 years too long a wait? Is this remake worthy of its name? All this and a bunch of other games too!

PLEASE: Help the people of Ukraine! They are fighting on behalf of the entire free world and we owe them a debt that can never be repaid. Donate what you can to the link below or to the Ukraine-focused charitable org of your choice. Slava Ukraini! unicefusa.org

---Games Mentioned In This Week's Episode:---
System Shock ($39.99 or free demo) https://store.steampowered.com/app/482400/System_Shock/
Sniper Elite 5 (-50%, $19.99 through June 8th) https://store.steampowered.com/app/1029690/Sniper_Elite_5/
We Love Katamari REROLL+ Royal Reverie ($29.99) https://store.steampowered.com/app/1730700/We_Love_Katamari_REROLL_Royal_Reverie/
Starship Troopers: Extermination ($24.99) https://store.steampowered.com/app/1268750/Starship_Troopers_Extermination/
--------
-BE SURE TO CHECK OUT our twitch livestream at: www.twitch.tv/skookiesprite
-JOIN OUR DISCORD EXPERIMENT at: https://discord.gg/M3C7AvKrj3
--POST YOUR GAME REPORTS TO PROTONDB.COM!!!!
---------------------------------------------------------------
BUY DRACULA FACTORY'S NEW ALBUM: https://draculafactory.hearnow.com/
In this episode, host Bidemi Ologunde spoke with Huxley Barbee, the lead organizer for BSides NYC and a Security Evangelist at runZero, a cyber asset management solution.

The discussion covered various topics related to asset-centric investigations, such as the pros and cons of the different methods of conducting cyber asset inventory; operational technology (OT) scanning; and security research-based fingerprinting and incremental fingerprinting. Huxley also delved into vulnerability prioritization technology (VPT) and the utility of Shodan, a popular search engine for identifying and cataloging internet-connected devices and systems. Additionally, he mentioned some of the tools required for network access security; the stark reality of managing threat attack surfaces, and lots more. To wrap up, he shared insights into how runZero can aid organizations in securing all their network assets and devices.
Correction on this episode, we mentioned Ireland, but it should be Northern Ireland which is part of the UK. On episode 77 of Tatami Talk. We start off talking about the American Judo Systems upcoming tournament on June 4th named "SUMMER SLAM". How this tournament is for USA Judo points, as well as the interesting prizes for the youth division and senior elite division. Then we go into some viewer question/feedback. With the first two part questions being. Are the federation dues for USA Judo, USJF and USJF too high? And is it harming Judo's growth in the US? The second part of the question was would a discount or reward program help grow Judo? Like discounts on tickets for hotels and flights as well as stores and restaurants. Could this help grow and bring people to Judo. Like what they do in other countries? The other two part question was can someone be promoted to Black Belt or get promotions in general just for being a class assistant and not practicing themselves or going to tournaments. With the further question of can someone that doesn't step on the mat and only does office or volunteer work be promoted to Black Belt? This is a very interesting question and you may be surprised by our answers. 
* Intro / AJS Summer Slam [0:00]
* Viewer question: USJA/USJF/USAJ membership price and its effects on growth of judo in the US [06:27]
* NGB helping marketing judo [28:55]
* Parents and kyu grades involvement in volunteering [42:35]
* Getting a brown belt / shodan for assisting [52:09]
* Terminal Brown belts [58:50]
* Honorary Black belts / Getting a Shodan by only doing office work / volunteering [01:05:35]
* Separate types of belts / ranks [01:10:49]
-------------------------------------------
Email us: tatamitalk@gmail.com
Follow us on Instagram: @tatamitalk
Juan: @thegr8_juan
Anthony: @anthonythrows
Intro + Outro by Donald Rickert: @donaldrickert
Cover Art by Mas: @masproduce
Podcast Site: https://anchor.fm/tatamitalk
Also listen on Apple iTunes, Google podcasts, Google Play Music and Spotify
Roger Grimes is an industry expert and the Data Driven Defense Evangelist for KnowBe4. In this episode, Roger and host Hillarie McClure talk about a new version of the Xenomorph Android malware that has been spotted in the wild, which can allegedly steal credentials from 400 different banking apps, as well as what's changing in cybercrime, Shodan.io, and more. KnowBe4 is the world's first and largest New-school security awareness training and simulated phishing provider that helps you manage the ongoing problem of social engineering. To learn more about our sponsor, KnowBe4, visit https://knowbe4.com
Joe and Ray discuss how OSINT is used in offensive security scenarios, focusing on the importance of doing in-depth research. In order to properly use OSINT, Ray explains that it is essential to identify and map out the risks associated with an organization, as well as to do research to understand the company's structure, assets, and resources. He emphasizes that it is important to look at where the information lies, in order to get an idea of who the key people are within an organization. This could include looking for patterns in social media accounts, websites, and other sources to uncover insight on those individuals. Ray also advises that when doing the legwork, it is important to not only look at public sources, but to dig deeper. By using OSINT, companies can better understand their adversaries and develop a more effective security strategy. He further explains that it is important to constantly monitor the situation, as adversaries often change their tactics or target different areas. With the right tools and strategies in place, organizations can stay one step ahead of potential threats and be better prepared to respond. 
Links Discussed:
Dehashed: https://www.dehashed.com
HaveIBeenPwned: https://www.haveibeenpwned.com
SecurityTrails: https://www.securitytrails.com
View DNS: https://www.viewdns.info
DNS Dumpster: https://www.dnsdumpster.com
Snapchat Map: https://map.snapchat.com
Trace Labs Kali: https://www.tracelabs.org/initiatives/osint-vm
Raspberry Pis: https://www.raspberrypi.com/
Free Digital Ocean Credit: https://m.do.co/c/ab5f75969c8a
Phone Infoga: https://github.com/sundowndev/phoneinfoga
CSI Linux: https://csilinux.com/
Flare VM: https://github.com/mandiant/flare-vm
Parrot OS: https://www.parrotsec.org/
Kali Linux: https://www.kali.org/
Axiom: https://github.com/pry0cc/axiom
SANS SIFT: https://www.sans.org/tools/sift-workstation/
Volatility Framework: https://www.volatilityfoundation.org/
Shodan: https://www.shodan.io
Michael Bazzell's Extreme Privacy: https://inteltechniques.com/book7.html
Michael Bazzell's Website: https://inteltechniques.com/
Joe's Podcast with Michael Bazzell: https://osint.mobi/michael-bazzell-podcast
Joe's Podcast with Justin Seitz: https://osint.mobi/justin-seitz-podcast
Justin Seitz's Hunchly: https://www.hunchly.com
Justin Seitz's Python for OSINT Training: https://www.automatingosint.com
Imagga: https://imagga.com/
Infoga: https://github.com/The404Hacking/Infoga
Joe's Podcast with Joe Vest: https://osint.mobi/red-team-podcast
Contacting Rey: Twitter: https://twitter.com/reybango
The OSINTion Links: https://linktr.ee/TheOSINTion
Twitch: https://twitch.tv/theosintion
YouTube: https://osint.mobi/youtube
The OSINTion Training: On-Demand: https://academy.theosintion.com
Live Training: https://www.theosintion.com/courses
Dr. Oelberger is a licensed Psychologist based in Los Angeles. He received his doctorate in Clinical Psychology through the Saybrook Graduate School in San Francisco, with an emphasis in Spirituality and Consciousness. He holds ACT board certification in Cognitive Behavioral Therapy and a Certification in Sports Psychology, having trained with a Navy SEAL in order to target emotional obstacles to performance amongst athletes. Dr. Oelberger has attained the rank of Shodan in Shaolin Kempo martial arts and was awarded this rank at the Shaolin temple in Deng Feng, China, in the summer of 2013. Richard has a book published on the integration of spirituality and psychology entitled “Qualitative Kabbalah: The Value of Living a Spiritual System”. His Master's thesis focused on the treatment and understanding of Post-Traumatic Stress Disorder, specifically cultural and historical trends and implications for treatment. Richard Oelberger, PhD, offers his own unique style of psychology, differentiating him from traditional forms of psychology by integrating a model that combines somatic and body-oriented psychotherapy with mindfulness and spiritual approaches. He hosts a bi-weekly podcast on his Richardlistens channel on Apple Podcasts on topics surrounding channeling your own inner hero, covering the fields of performance, human transformation, and sports psychology. He continues to coach multiple youth sports teams and actively engages in community development of sport and team building.
He offers treatment for:
Sports and performance issues
Body-oriented processing of stress and trauma
Anxiety/Depression
Addiction, Gambling, and Recovery Issues
Relationship Issues
Stress Reduction Skills
Performance Enhancement
Visualization Skills and Meditation
Mind/Body Training
Transformational Character Development
About Tim
Tim Gonda is a Cloud Security professional who has spent the last eight years securing and building Cloud workloads for commercial, non-profit, government, and national defense organizations. Tim currently serves as the Technical Director of Cloud at Praetorian, influencing the direction of its offensive-security-focused Cloud Security practice and the Cloud features of Praetorian's flagship product, Chariot. He considers himself lucky to have the privilege of working with the talented cyber operators at Praetorian and considers it the highlight of his career. Tim is highly passionate about helping organizations fix Cloud Security problems as they are found, the first time, and most importantly, the People/Process/Technology challenges that cause them in the first place. In his spare time, he embarks on adventures with his wife and ensures that their two feline bundles of joy have the best playtime and dining experiences possible.

Links Referenced:
Praetorian: https://www.praetorian.com/
LinkedIn: https://www.linkedin.com/in/timgondajr/
Praetorian Blog: https://www.praetorian.com/blog/

Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is sponsored in part by our friends at Thinkst Canary. Most companies find out way too late that they've been breached. Thinkst Canary changes this. Deploy Canaries and Canarytokens in minutes and then forget about them. Attackers tip their hand by touching 'em, giving you the one alert, when it matters. With 0 admin overhead and almost no false positives, Canaries are deployed (and loved) on all 7 continents.
Check out what people are saying at canary.love today!

Corey: Kentik provides Cloud and NetOps teams with complete visibility into hybrid and multi-cloud networks. Ensure an amazing customer experience, reduce cloud and network costs, and optimize performance at scale — from internet to data center to container to cloud. Learn how you can get control of complex cloud networks at www.kentik.com, and see why companies like Zoom, Twitch, New Relic, Box, Ebay, Viasat, GoDaddy, booking.com, and many, many more choose Kentik as their network observability platform.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. Every once in a while, I like to branch out into new and exciting territory that I've never visited before. But today, no, I'd much rather go back to complaining about cloud security, something that I tend to do an awful lot about. Here to do it with me is Tim Gonda, Technical Director of Cloud at Praetorian. Tim, thank you for joining me on this sojourn down what feels like an increasingly well-worn path.

Tim: Thank you, Corey, for having me today.

Corey: So, you are the Technical Director of Cloud, which I'm sort of short-handing to okay, everything that happens on the computer is henceforth going to be your fault. How accurate is that in the grand scheme of things?

Tim: It's not too far off. But we like to call it Praetorian for nebula. The nebula meaning that it's Schrödinger's problem: it both is and is not the problem. Here's why. We have a couple key focuses at Praetorian, some of them focusing on more traditional pen testing, where we're looking at hardware, hit System A, hit System B, branch out, get to goal.

On the other side, we have hitting web applications and [unintelligible 00:01:40]. This insecure app leads to this XYZ vulnerability, or this medical appliance is insecure and therefore we're able to do XYZ item.
One of the things that frequently comes up is that more and more organizations are no longer putting their applications or infrastructure on-prem anymore, so therefore, some part of the assessment ends up being in the cloud. And that is the unique rub that I'm in. And that I'm responsible for leading the direction of the cloud security focus group, who may not dive into a specific specialty that some of these other teams might dig into, but may have similar responsibilities or similar engagement style.

And in this case, if we discover something in the cloud as an issue, or even in your own organization where you have a cloud security team, you'll have a web application security team, you'll have your core information security team that defends your environment in many different methods, many different means, you'll frequently find that the cloud security team is the hot button for hey, the server was misconfigured at one certain level, however the cloud security team didn't quite know that this web application was vulnerable. We did know that it was exposed to the internet but we can't necessarily turn off all web applications from the internet because that would no longer serve the purpose of a web application. And we also may not know that a particular underlying host's patch is out of date. Because technically, that would be siloed off into another problem.

So, what ends up happening is that on almost every single incident that involves a cloud infrastructure item, you might find that cloud security will be right there alongside the incident responders. And yep, this [unintelligible 00:03:20] is here, it's exposed to the internet via here, and it might have the following application on it. And they get cross-exposure with other teams that say, “Hey, your web application is vulnerable.
We didn't quite inform the cloud security team about it, otherwise this wouldn't be allowed to go to the public internet,” or on the infrastructure side, “Yeah, we didn't know that there was a patch underneath it, we figured that we would let the team handle it at a later date, and therefore this is also vulnerable.” And what ends up happening sometimes, is that the cloud security team might be the onus or might be the hot button in the room of saying, “Hey, it's broken. This is now your problem. Please fix it with changing cloud configurations or directing a team to make this change on our behalf.”

So, in essence, sometimes cloud becomes—it both is and is not your problem when a system is either vulnerable or exposed or at some point, worst case scenario, ends up being breached and you're performing incident response. That's one of the cases why it's important to know—or important to involve others in the cloud security problem, or to be very specific about what the role of a cloud security team is, or where cloud security has to have certain boundaries or where certain extra parties have to be involved in the process. Or when it does its own threat modeling process, say that, okay, we have to take a look at certain cloud findings or findings that are within our security realm and say that these misconfigurations or these items, we have to treat the underlying components as if they are vulnerable, whether or not they are, and we have to report on them as if they are vulnerable, even if it means that a certain component of the infrastructure has to already be assumed to either have a vulnerability, have some sort of misconfiguration that allows an outside attacker to execute attacks against whatever the [unintelligible 00:05:06] is.
And we have to treat and respond our security posture accordingly.

Corey: One of the problems that I keep running into, and I swear it's not intentional, but people would be forgiven for understanding or believing otherwise, is that I will periodically inadvertently point out security problems via Twitter. And that was never my intention because, “Huh, that's funny, this thing isn't working the way that I would expect that it would,” or, “I'm seeing something weird in the logs in my test account. What is that?” And, “Oh, you found a security vulnerability or something akin to one in our environment. Oops. Next time, just reach out to us directly at the security contact form.” That's great. If I'd known I was stumbling blindly into a security approach, but it feels like the discovery of these things is not heralded by an, “Aha, I found it.” But, “Huh, that's funny.”

Tim: Of course. Absolutely. And that's where some of the best vulnerabilities come, where you accidentally stumble on something that says, “Wait, does this work how—what I think it is?” Click click. Like, “Oh, boy, it does.”

Now, I will admit that certain cloud providers are really great with proactive security reach-outs. If you either just file a ticket or file some other form of notification, or just even flag your account rep and say, “Hey, when I was working on this particular cloud environment, the following occurred. Does this work the way I think it is? Is this a problem?” And they usually get back to you with reporting it to their internal team, so on and so forth.
But let's say applications are open-source frameworks or even just organizations at large where you might have stumbled upon something, the best thing to do is either look up, do they have a public bug bounty program, do they have a security contact or form reach-out that you can email them, or do you know someone at the organization that you can just send a quick email saying, “Hey, I found this.”

And through some combination of those is usually the best way to go. And to be able to provide context to the organization being, “Hey, the following exists.” And the most important thing to consider when you're sending this sort of information is that they get these sorts of emails almost daily.

Corey: One of my favorite genres of tweet is when Tavis Ormandy of Google's Project Zero winds up doing a tweet like, “Hey, do I know anyone over at the security apparatus at insert company here?” It's like, “All right. I'm sure people are shorting stocks now [laugh], based upon whatever he winds up doing that.”

Tim: Of course.

Corey: It's kind of fun to watch. But there's no cohesive way of getting in touch with companies on these things because as soon as you'd have something like that, it feels like it's subject to abuse, where Comcast hasn't fixed my internet for three days, now I'm going to email their security contact, instead of going through the normal preferred process of wait in the customer queue so they can ignore you.

Tim: Of course. And that's something else you want to consider. If you broadcast that a security vulnerability exists without letting the entity or company know, you're also almost causing a green light, where other security researchers are going to go dive in on this and see, like, one, does this work how you described. But that actually is a positive thing at some point, where either you're unable to get the company's attention, or maybe it's an open-source organization, or maybe you're not being fully sure that something is the case.
However, when you do submit something to the customer and you want them to take it seriously, here's a couple of key things that you should consider.

One, provide evidence that whatever you're talking about has actually occurred; two, provide repeatable steps that, in layman's terms, even an IT support person can attempt to follow in your process, so that they can repeat the same vulnerability or repeat the same security condition; and three, most importantly, detail why this matters. Is this something where I can adjust a user's password? Is this something where I can extract data? Is this something where I'm able to extract content from your website I otherwise shouldn't be able to? And that's important for the following reason.

You need to inform the business what is the financial value of why leaving this unpatched becomes an issue for them. And if you do that, that's how those security vulnerabilities get prioritized. It's not necessarily because the coolest vulnerability exists, it's because it costs the company money, and therefore the security team is going to immediately jump on it and try to contain it before it costs them any more.

Corey: One of my least favorite genres of security report are the ones that I get where I found a vulnerability. It's like, that's interesting. I wasn't aware that I ran any public-facing services, but all right, I'm game; what have you got? And it's usually something along the lines of, “You haven't enabled SPF to hard fail an email that doesn't wind up originating explicitly from this list of IP addresses. Bug bounty, please.” And it's, “No genius. That is very much an intentional choice. Thank you for playing.”

It comes down to also an idea of whenever I have reported security vulnerabilities in the past, the pattern I always take is, “I'm seeing something that I don't fully understand.
I suspect this might have security implications, but I'm also more than willing to be proven wrong.” Because showing up with, “You folks are idiots and have a security problem,” is a terrific invitation to be proven wrong and look like an idiot. Because the first time you get that wrong, no one will take you seriously again.

Tim: Of course. And as you'll find that most bug bounty programs are, if you participate in those, the first couple that you might have submitted, the customer might even tell you, “Yeah, we're aware that that vulnerability exists, however, we don't view it as a core issue and it cannot affect the functionality of our site in any meaningful way, therefore we're electing to ignore it.” Fair.

Corey: Very fair. But then when people write up about those things, well, they've decided this is not an issue, so I'm going to do a write-up on it. Like, “You can't do that. The NDA doesn't let you expose that.” “Really? Because you just said it's a non-issue. Which is it?”

Tim: And the key to that, I guess, would also be that is there an underlying technology that doesn't necessarily have to be attributed to said organization? Can you also say that, if I provide a write-up or if I put up my own personal blog post—let's say, we go back to some of the OpenSSL vulnerabilities including OpenSSL 3.0, that came out not too long ago, but since that's an open-source project, it's fair game—let's just say that if there was a technology such as that, or maybe there's a wrapper around it that another organization could be using or could be implementing a certain way, you don't necessarily have to call the company up by name, or rather just say, here's the core technology reason, and here's the core technology risk, and here's the way I've demoed exploiting this.
And if you publish an open-source blog like that and then you tweet about that, you can actually gain security support around such an issue and then fight for the research.

An example would be that I know a couple of pen testers who have reported things in the past, and while the first time they reported it, the company was like, “Yeah, we'll fix it eventually.” But later, when another researcher reported this exact same finding, the company is like, “We should probably take this seriously and jump on it.” Sometimes it's just getting in front of that and providing frequency or providing enough people around to say that, “Hey, this really is an issue in the security community and we should probably fix this item,” and keep pushing other organizations on it. A lot of times, they just need additional feedback. Because as you said, somebody runs an automated scanner against your email and says that, “Oh, you're not checking SPF as strictly as the scanner would have liked because it's a benchmarking tool.” It's not necessarily a security vulnerability rather than it's just how you've chosen to configure something, and if it works for you, it works for you.

Corey: How does cloud change this? Because a lot of what we talked about so far could apply to anything. Go back in time to 1995 and a lot of what we're talking about mostly holds true. It feels like cloud acts as a significant level of complexity on top of all of this. How do you view the differentiation there?

Tim: So, I think it differentiates two things. One, certain services or certain vulnerability classes that are handled by the shared service model—for the most part—are probably secured better than you might be able to do yourself. Just because there's a lot of research, the team has [experimented 00:13:03] a lot of time on this.
An example: if there's a particular, like, spoofing or network interception vulnerability that you might see on a local LAN network, you probably are not going to have the same level of access to be able to execute that on a virtual private cloud or VNet, or some other virtual network within a cloud environment. Now, something that does change with the paradigm of cloud is the fact that if you accidentally publicly expose something or something that you've created expo—or don't set a setting to be private or only specific to your resources, there are a couple of things that could happen. The vulnerability's exploitability, based on where it is, increases from something that used to be just, “Hey, I left a port open on my own network. Somebody from HR or somebody from IT could possibly interact with it.”

However, in the cloud, you've now set this up to the entire world with people that might have resources or motivations to go after this product, and using services like Shodan—which are continually mapping the internet for open resources—they can quickly grab that, say, “Okay, I'm going to attack these targets today,” might continue to poke a little bit further, maybe an internal person that might be bored at work or a pen tester just on one specific engagement.
Especially in the case of, let's say, what you're working on has sparked the interest of a nation-state and they want to dig into it a little bit further, they have the resources to be able to dedicate time, people, and maybe tools and tactics against whatever this vulnerability that you've given previously the example of—maybe there's a specific ID and a URL that just needs to be guessed right to give them access to something—they might spend the time trying to brute force that URL, brute force that value, and eventually try to go after what you have.

The main paradigm shift here is that there are certain things that we might consider less of a priority because the cloud has already taken care of them with the shared service model, and rightfully so, and there's other times that we have to take heightened awareness on is, one, we either expose something to the entire internet or all cloud accounts within creations. And that's actually something that we see commonly. In fact, one thing I would like to say we see very commonly is, all AWS users, regardless if it's in your account or somewhere else, might have access to your SNS topic or SQS queue. Which doesn't seem like that big of a vulnerability, but I changed the messages, I delete messages, I viewed your messages, but rather what's connected to those? Let's talk database Lambda functions where I've got source code that a developer has written to handle that source code and may not have built in logic to handle—maybe there was a piece of code that could be abused as part of this message that might allow an attacker to send something to your Lambda function and then execute something on that attacker's behalf.

You weren't aware of it, you weren't thinking about it, and now you've exposed it to almost the entire internet.
And since anyone can go sign up for an AWS account—or Azure or GCP account—and then they're able to start poking at that same piece of code that you might have developed thinking, “Well, this is just for internal use. It's not a big deal. That one static code analysis tool isn't probably too relevant.” Now, it becomes hyper-relevant and something you have to consider with a little more attention and dedicated time to making sure that these things that you've written or are deploying are, in fact, safe, because if misconfigured or mis-exposed, suddenly the entire world starts knocking at it, and it increases the risk that it may really well be a problem. The severity of that issue could increase dramatically.

Corey: As you take a look across, let's call it the hyperscale clouds, the big three—which presumably I don't need to define out—how do you wind up ranking them in terms of security from top to bottom? I have my own rankings that I like to dole out and basically, this is the, let's offend someone at every one of these companies, no matter how we wind up playing it. Because I will argue with you just on principle on them. How do you view them stacking up against each other?

Tim: So, an interesting view on that is based on who's been around longest and who has encountered the most technical debt. A lot of these security vulnerabilities or security concerns may have had to deal with a decision made long ago that might have made sense at the time and now the company has kind of stuck with that particular technology or decision or framework, and are now having to build or apply security Band-Aids to that process until it gets resolved.
I would say, ironically, AWS is actually at the top of having that technical debt, and actually has so many different types of access policies that are very complex to configure and not very user intuitive unless you speak intuitively JSON or YAML or some other markdown language, to be able to tell you whether or not something was actually set up correctly. Now, there are a lot of security experts who make their money based on knowing how to configure or be able to assess whether or not these are actually the issue. I would actually bring them as, by default, by design, between the big three, they're actually on the lower end of certain—based on complexity and easy-to-configure-wise.

The next one that would also go into that pile, I would say, is probably Microsoft Azure, who [sigh] admittedly, decided to say that, “Okay, let's take something that was very complicated and everyone really loved to use as an identity provider, Active Directory, and try to use that as a model.” Even though they made it extensively different. It is not the same as on-prem directory, but use that as the framework for how people wanted to configure their identity provider for a new cloud provider. The one that actually I would say comes out on top, just based on use and based on complexity, might be Google Cloud. They came to a lot of these security features first.

They're acquiring new companies on a regular basis with the acquisition of Mandiant, the creation of their own security tooling, their own unique security approaches. In fact, they probably wrote the book on Kubernetes security. Would be on top, I guess, from usability, such as saying that I don't want to have to manage all these different types of policies. Here are some buttons I would like to flip and I'd like my resources, for the most part by default, to be configured correctly.
And Google does a pretty good job of that.

Also, one of the things they do really well is entity-based role assumption, which inside of AWS, you can provide access keys by default or I have to provide a role ID after—or in Azure, I'm going to say, “Here's a [unintelligible 00:19:34] policy for something specific that I want to grant access to a specific resource.” Google does a pretty good job of saying that okay, everything is treated as an email address. This email address can be associated in a couple of different ways. It can be given the following permissions, it can have access to the following things, but for example, if I want to remove access to something, I just take that email address off of whatever access policy I had somewhere, and then it's taken care of. But they do have some other items such as their design of least privilege is something to be expected when you consider their hierarchy.

I'm not going to say that they're not without fault in that area—in case—until they had something more recently, as far as finding certain key pieces of, like say, tags or something within a specific sub-project or in our hierarchy, there were cases where you might have granted access at a higher level and that same level of access came all the way down. And where least privilege is required to be enforced, otherwise, you break their security model. So, I like them for how simple it is to set up security at times, however, they've also made it unnecessarily complex at other times so they don't have the flexibility that the other cloud service providers have.
On the flip side of that, the level of flexibility also leads to complexity at times, which I also view as a problem where customers think they've done something correctly based on their best knowledge, the best of documentation, the best Medium articles they've been researching, and what they have done is they've inadvertently made assumptions that led to core anti-patterns, like, [unintelligible 00:21:06] what they've deployed.

Corey: This episode is sponsored in part by our friends at Uptycs, because they believe that many of you are looking to bolster your security posture with CNAPP and XDR solutions. They offer both cloud and endpoint security in a single UI and data model. Listeners can get Uptycs for up to 1,000 assets through the end of 2023 (that is next year) for $1. But this offer is only available for a limited time on UptycsSecretMenu.com. That's U-P-T-Y-C-S Secret Menu dot com.

Corey: I think you're onto something here, specifically in—well, when I've been asked historically and personally to rank security, I have viewed Google Cloud as number one, and AWS is number two. And my reasoning behind that has been from an absolute security of their platform and a pure, let's call it math perspective, it really comes down to which of the two of them had what for breakfast on any given day there, they're so close on there. But in a project that I spin up in Google Cloud, everything inside of it can talk to each other by default and I can scope that down relatively easily, whereas over in AWS land, by default, nothing can talk to anything. And that means that every permission needs to be explicitly granted, which in an absolutist sense and in a vacuum, yeah, that makes sense, but here in reality, people don't do that. We've seen a number of AWS blog posts over the last 15 years—they don't do this anymore—but it started off with, “Oh, yeah, we're just going to grant [* on * 00:22:04] for the purposes of this demo.”

“Well, that's horrible.
Why would you do that?” “Well, if we wanted to specify the IAM policy, it would take up the first third of the blog post.” How about that? Because customers go through that exact same thing. I'm trying to build something and ship.I mean, the biggest lie in any environment or any codebase ever, is the comment that starts with, “To do.” Yeah, that is load-bearing. You will retire with that to do still exactly where it is. You have to make doing things the right way at least the least frictionful path because no one is ever going to come back and fix this after the fact. It's never going to happen, as much as we wish that it did.Tim: At least until after the week of the breach when it was highlighted by the security team to say that, “Hey, this was the core issue.” Then it will be fixed in short order. Usually. Or a Band-Aid is applied to say that this can no longer be exploited in this specific way again.Corey: My personal favorite thing that, like, I wouldn't say it's a lie. But the favorite thing that I see in all of these announcements right after the, “Your security is very important to us,” right after it very clearly has not been sufficiently important to them, and they say, “We show no signs of this data being accessed.” Well, that can mean a couple different things. It can mean, “We have looked through the audit logs for a service going back to its launch and have verified that nothing has ever done this except the security researcher who found it.” Great. Or it can mean, “What even are logs, exactly? We're just going to close our eyes and assume things are great.” No, no.Tim: So, one thing to consider there is in that communication, that entire communication has probably been vetted by the legal department to make sure that the company is not opening itself up for liability. 
I can say from personal experience, when that usually has occurred, unless it can be proven that breach was attributable to your user specifically, the default response is, “We have determined that the security response of XYZ item or XYZ organization has determined that your data was not at risk at any point during this incident.” Which might be true—and we're quoting Star Wars on this one—from a certain point of view. And unfortunately, in the case of a post-breach, their security, at least from a regulation standpoint where they might be facing a really large fine, is absolutely probably their top priority at this very moment, but has not come to surface because, for most organizations, until this becomes something that is a financial reason to where they have to act, where their reputation is on the line, they're not necessarily incentivized to fix it. They're incentivized to push more products, push more features, keep the clients happy.And a lot of the time going back and saying, “Hey, we have this piece of technical debt,” it doesn't really excite our user base or doesn't really help us gain a competitive edge in the market is considered an afterthought until the crisis occurs and the information security team rejoices because this is the time they actually get to see their stuff fixed, even though it might be a super painful time for them in the short run because they get to see these things fixed, they get to see it put to bed. And if there's ever a happy medium, where, hey, maybe there was a legacy feature that wasn't being very well taken care of, or maybe this feature was also causing the security team a lot of pain, we get to see both that feature, that item, that service, get better, as well as security teams not have to be woken up on a regular basis because XYZ incident happened, XYZ item keeps coming up in a vulnerability scan. If it finally is put to bed, we consider that a win for all. 
And one thing to consider in security as well as kind of, like, we talk about the relationship between the developers and security and/or product managers and security is if we can make it a win, win, win situation for all, that's the happy path that we really want to be getting to. If there's a way that we can make sure that experience is better for customers, the security team doesn't have to be broken up on a regular basis because an incident happened, and the developers receive less friction when they want to go implement something, you find that that secure feature, function, whatever tends to be the happy path forward and the path of least resistance for everyone around it. And those are sometimes the happiest stories that can come out of some of these incidents.Corey: It's weird to think of there being any happy stories coming out of these things, but it's definitely one of those areas that there are learnings there to be had if we're willing to examine them. The biggest problem I see so often is that so many companies just try and hide these things. They give the minimum possible amount of information so the rest of us can't learn by it. Honestly, some of the moments where I've gained the most respect for the technical prowess of some of these cloud providers has been after there's been a security issue and they have disclosed either their response or why it was a non-issue because they took a defense-in-depth approach. It's really one of those transformative moments that I think is an opportunity if companies are bold enough to chase them down.Tim: Absolutely. And in a similar vein, when we think of certain cloud providers outages and we're exposed, like, the major core flaw of their design, and if it kept happening—and again, these outages could be similar and analogous to an incident or a security flaw, meaning that it affected us. It was something that actually happened. 
In the case of let's say, the S3 outage of, I don't know, it was like 2017, 2018, where it turns out that there was a core DNS system that inside of us-east-1, which is actually very close to where I live, apparently was the core crux of, for whatever reason, the system malfunctioned and caused a major outage. Outside of that, in this specific example, they had to look at ways of how do we not have a single point of failure, even if it is a very robust system, to make sure this doesn't happen again.And there was a lot of learnings to be had, a lot of in-depth investigation that happened, probably a lot of development, a lot of research, and sometimes on the outside of an incident, you really get to understand why a system was built a certain way or why a condition exists in the first place. And it sometimes can be fascinating to kind of dig into that very deeper and really understand what the core problem is. And now that we know what's an issue, we can actually really work to address it. And sometimes that's actually one of the best parts about working at Praetorian in some cases is that a lot of the items we find, we get to find them early before it becomes one of these issues, but the most important thing is we get to learn so much about, like, why a particular issue is such a big problem. And you have to really solve the core business problem, or maybe even help inform, “Hey, this is an issue for it like this.”However, this isn't necessarily all bad in that if you make these adjustments of these items, you get to retain this really cool feature, this really cool thing that you built, but also, you have to say like, here's some extra, added benefits to the customers that you weren't really there. And—such as the old adage of, “It's not a bug, it's a feature,” sometimes it's exactly what you pointed out. It's not necessarily all bad in an incident. It's also a learning experience.Corey: Ideally, we can all learn from these things. 
I want to thank you for being so generous with your time and talking about how you view this increasingly complicated emerging space. If people want to learn more, where's the best place to find you?Tim: You can find me on LinkedIn which will be included in this podcast description. You can also go look at articles that the team is putting together at praetorian.com. Unfortunately, I'm not very big on Twitter.Corey: Oh, well, you must be so happy. My God, what a better decision you're making than the rest of us.Tim: Well, I like to, like, run a little bit under the radar, except on opportunities like this where I can talk about something I'm truly passionate about. But I try not to pollute the airwaves too much, but LinkedIn is a great place to find me. Praetorian blog for stuff the team is building. And if anyone wants to reach out, feel free to hit the contact page up in praetorian.com. That's one of the best places to get my attention.Corey: And we will, of course, put links to that in the [show notes 00:30:19]. Thank you so much for your time. I appreciate it. Tim Gonda, Technical Director of Cloud at Praetorian. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment talking about how no one disagrees with you based upon a careful examination of your logs.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.
Cybersecurity is the only technical, professional occupation I know of where practitioners routinely sharpen their skills through open competitions. The contests are based on the classic capture the flag game - except the flags are all virtual and capturing them involves hacking computers. Also unlike most other technical careers, cybersecurity is a high-paying profession that doesn't require a university degree or formal training. There are literally hundreds of thousands of unfilled cybersecurity jobs right now. You can also just dabble in cybersecurity, making money from bug bounty programs. Or you can just hack for the fun of it - in a completely safe and legal environment. Jordan will tell you all about it in today's show! Jordan Wiens has been a reverse engineer, vulnerability researcher, network security engineer, three-time DEF CON CTF winner, even a technical magazine writer, but now he's mostly a has-been CTF player who loves to talk about them. He has been the CTF expert for the first three years of HackASat and he was one of the founders of Vector 35, the company that makes Binary Ninja.
Interview Links
Hack-A-Sat 3: https://hackasat.com/
Satellite hacked using $25 hardware: https://threatpost.com/starlink-hack/180389/
Decommissioned satellite hacked to broadcast movie: https://www.independent.co.uk/tech/hack-satellite-hijack-def-con-b2147595.html
Student Rick-Rolls school: https://www.malwarebytes.com/blog/news/2021/10/high-school-student-rickrolls-entire-school-district-and-gets-praised
Hack-A-Sat 2 interview: https://podcast.firewallsdontstopdragons.com/2021/06/21/hacking-satellites-for-fun-profit/
Plaid CTF: https://plaidctf.com/
CTFTime.org: https://ctftime.org/
Pwnable.kr: https://pwnable.kr/
Pwnable.tw: https://pwnable.tw/
Reversing.kr: http://reversing.kr/
Shodan: https://www.shodan.io/
Burp Suite: https://portswigger.net/burp
Wireshark: https://www.wireshark.org/
Binary Ninja: https://binary.ninja/
Metasploit: https://www.metasploit.com/
Nmap: https://nmap.org/
Live Overflow: https://liveoverflow.com/
TryHackMe: https://tryhackme.com/
Further Info
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887
Support my work! https://firewallsdontstopdragons.com/support/
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:03: Interview setup
0:04:25: What is Hack-A-Sat?
0:08:44: How has the Hack-A-Sat program evolved?
0:12:58: How did CTFs start out and when did they become popular?
0:17:37: Why do we have so many unfilled cybersecurity jobs?
0:21:15: Do you need a college degree to work in cybersecurity?
0:29:39: What's a black hat hacker vs. white hat? What's a red team or blue team?
0:32:15: How do CTFs actually work? What is a flag and how do I capture it?
0:38:05: Are there beginner CTFs that are free to try?
0:44:38: What sorts of tools do hackers use in CTFs and in real hacking?
0:51:57: How do hackers chain together multiple exploits?
0:56:26: What's your advice to someone who would like to try a CTF?
1:00:36: What's next for Hack-A-Sat?
1:02:25: Interview wrap-up
1:04:07: What is Rick-Rolling?
1:05:23: Try a CTF, go to a hacker con!
Scott Burr is a Martial Arts practitioner and second-degree black belt professor of Gracie Jiu-Jitsu at the Enclave Jiu-Jitsu. There's a fine line in Martial Arts around the idea of respect. Which is that if I demand that you never challenge me, you respect me… I create an environment where teaching my technique never gets tested and eventually I drift away from legitimacy… Scott Burr - Episode 696

Scott Burr is a second-degree black belt professor of Gracie Jiu-Jitsu. He is the first person to earn the rank of black belt from American BJJ pioneer and sixth-degree black belt professor Steve Maxwell. To date, he is one of only a handful of people to have earned the rank of black belt under Steve. Scott also holds black belt rank in Kodokan Judo (Nidan/second degree: Shodan awarded by representatives of the Konan Yudanshakai and certified by the Kodokan Judo Institute; Nidan certified by the USJA) and the Korean art of Kuk Sul Do (jo kyo/first degree, awarded and certified by Federation President and Grandmaster Choon Shik Yang). He has trained extensively in Muay Thai, Western Boxing, and Submission Grappling. Scott is a Level 1 certified Ginastica Natural instructor under system founder Professor Alvaro Romano. He is also a MaxwellSC-certified Pro Trainer and holds Level 1 and Level 2 certifications in both the MaxwellSC Kettlebell and Bodyweight Training systems. He has traveled all over the world with Steve, from El Salvador to Croatia, assisting at seminars on everything from joint mobility to breathwork to kettlebell training to Gracie Jiu-Jitsu. You will also find him in many of Steve's instructional videos as Steve's assistant and designated demonstrator. Scott was the head BJJ instructor and Strength & Conditioning coach at The Fight Gym - originally an all-in-one MMA gym, and later a Brazilian Jiu-Jitsu school and Strength & Conditioning facility - for over a decade.

Scott is the author of the strength & conditioning and martial arts books Suspend Your Disbelief: How to Build and Build Strength with the World's Most Rugged Suspension Training Device, Superhero Simplified: Collected, Selected, Revised and Expanded, and Get a Grip: A Practical Primer on Grip Strength and Endurance Training... and More. He is the co-author of Worth Defending: How Gracie Jiu-Jitsu Saved My Life, Richard Bresler's memoir of his time with the Gracie family and his over 40 years' involvement with Gracie Jiu-Jitsu. In recent years Scott has had the opportunity to train with and learn directly from Master Rickson Gracie. He now takes every opportunity to travel to Southern California to do so.

Show Notes
Visit Scott Burr's website at EnclaveJiuJitsu.com
www.WorthDefendingBook.com
instagram.com/enclavejiujitsu
facebook.com/enclavejiujitsu