UL NO. 451: Altman Says ASI in "Thousands of Days"

Play Podcast START CONTENT * Twitch, a game streaming service owned by Amazon, was hacked last week * Passwords, emails, usernames, addresses, phone numbers, dates of birth * Amazon bought them last year for almost 1 billion dollars * Bar Mitzvah attack on TLS * Requires that you can sniff traffic * Basically an RC4 problem * Solution is to remove it from your supported algorithms * GitHub Has been hit by a massive DDoS attack * Apparently from China * CSRF vulnerability found in a wind turbine * Allowed you to pull usernames and passwords * Also allowed the password to be changed for the default user, which had admin access * CSRF vulnerability exposes Hilton customer accounts * There was an account rotation issue where you could gain access to their account as long as you could guess their 9-digit username * Snowden says IT workers now the targets of spies * They’re not going after their information, but to use them for access to networks * Premera hacked on same day as Blue Cross (January 29th) * Same story: encryption, know your network, etc. * Also same story: health data is harder to clean up from because it involves PII that cannot easily be changed * More speculation around these attacks is that they’re data gathering for larger attacks on government networks * Apple Acquires FoundationDB * Fast NoSQL database probably to be used for its increasing entry into the services market * Researchers use heat to breach air-gapped systems * Everyone knows that an airgap is the best defense * Ben-Gurion University came out with BitWhisper * Now bidirectional using malware on both systems that controlled heat creation and detection * Only 8-bits per hour * BioCatch, Zumigo, Alibaba release tools to identify users * I used to work with a technology called BioPass * Uses what you do with your mouse, scrolling, how you smile via selfie, compares habits, your current location, etc. Similar to existing fraud detection just with more data points * Really cool tech, needs to be used with the right authentication level * Korea investing 5B in IoT and Smart Cars * Bring Your Own IoT * Recording audio and video are getting increasingly easy * Sensitive meetings might become dead zones soon, and perhaps even sensitive work areas * Some people will say that we already have this risk, but they key is the ease with which it can be done END CONTENT Play Podcast Notes * I skipped a week due to travel in Asia. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

30 Mar 201516min

Play Podcast START CONTENT * There was another SQL Injection bug found in SEO by Yoast * It required admins to click a malicious link * Was patched quickly * It’s the plugins that make WordPress vulnerable * Attackers are targeting gamers for ransomware * Virlock is one version of ransomware that not only locks the screen, but infects files * It’s also polymorphic, so it changes itself every time it runs * TeslaCrypt goes after gamers, which seems super smart because they are often addicted * The Hello Barbie doll is recording kids voices and sending the recordings over the Internet for voice recognition * I get asked a lot about what to do about this kind of stuff * Start by making a list of everything that can record voice or audio in your home, and determine what kind of controls you have on them * Assume the worst, even though it’s probably not that bad * US industrial systems attacked 245 times between October 2013 and September 2014 * Most attacks were against Critical Manufacturing and Energy * Biggest vectors were spear phishing and port scanning * CloudFlare aims to defeat DDoS with Virtual DNS * They want to proxy DNS before it hits customer name server * The CIA supposedly tried to hack Apple hardware * The article has come under extreme scrutiny * Going to be on the Security Weekly podcast with Pau * Hillary Clinton’s email account dram * OpenSSL is getting an audit * Bout time * Wikimedia is suing the NSA over surveillance * Spoofing the boss is the best way to phish someone, evidently * Had a great time at CactusCon in Phoenix * Did a talk with Jason and saw Dave’s keynote * Dave’s keynote was about struggling with the basics, not APT * He asked when a major breach was NOT a dumb mistake * Someone’s looking to make a Snowden Phone * Looks like I’ll be on the Security Weekly podcast with Paul * Going to talk about IoT security and my our OWASP project END CONTENT Play Podcast Notes * Comments welcome on content and format, as usual. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

16 Mar 201522min

START CONTENT * Sorry about the audio last week; wireless headsets don’t compare to the Yeti * The CIA is focusing on cyberespionage in its new management * Anthem is refusing an audit by the OIG office–an org that audits health care groups that provide services to federal employees * Nothing says I’m guilty like refusing an audit * Reminds me of the Russians refusing the crash investigation in Game of Cards * There’s been a possible credit card breach at the Mandarin Oriental hotel chain * The incident was reported by Brian Krebs * Three people were indicted in the Epsilon hack * Resulted in around 1 billion email addresses being stolen * Dave Aitel thinks junk hacking is a waste * Basically hacking your blender or whatever * In my opinion he’s missing the point that most conferences are like this * I think there’s a hierarchy of talks * Create new defense tool based on new defense idea * Create new defense idea * Create new attack tool based on new attack idea * Create new attack idea * Create new tool for existing attack or defense idea * Describe existing attack or defense idea * Microsoft has reported it’s vulnerable to FREAK as well, making it even more serious * FREAK has proved to be less alarming than previous SSL vulns simply because of the difficulty of attack END CONTENT Play Podcast Notes * I think I’m going to standardize the intro and outro so that I only end up recording the actual story content each week. * Any recommendations on what else you’d like to see would be appreciated. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

9 Mar 201512min

START CONTENT * New SSL attack called FREAK * Has to do with falling RSA back to a deprecated and weak level * Requires the client and server are both vulnerable * The solution is to patch * Many orgs will also want to note which servers were vulnerable * The lesson is that you don’t reduce security to increase it * Backdoors x time = regret * Using Ruby’s Open-URI could be dangerous * open-uri monkeypatches kernel.open * open(params[:url]) can execute |ls * Hilary Clinton used a personal email address and did not store correspondence on government servers for her entire 4 years as Secretary of Defense * This seems highly suspect * First you’re putting that data at risk in a personal system * Second you’re obviously trying to hide your conversations * Facebook can access your account without your password * Google no longer encrypting Lollipop by default * Was one of the main selling points for 5, and now it’s gone * They said it was simply a driver issue * DLink routers have a remote command injection bug * Could allow DNS hijacking and other attacks * ISIS has threatened some members of the Twitter team for disabling their accounts * This really puts a point on public presence for me * I’m a strong proponent of the belief that the way to avoid attack is to avoid being a target, not to be hard to attack once people want to * This works for personal attacks, not for countries obviously * There has been some major fraud happening with people connecting stolen cards to ApplePay * The issue isn’t a security problem with ApplePay, but rather with standard bank / card security issue * Up to 18.8 non-Anthem customers exposed in the Anthem breach * This is in addition to the 80 million actual anthem customers * GoPro vulnerability on its website exposes customer Wi-fi passwords * Expect more of this * Uber took over 5 months to issue a breach notification * There was a breach of driver names and license numbers that they just now disclosed * Seagate NAS vulnerability allows unauthorized root access * This raises the cloud storage issue I blogged about last week END CONTENT Play Podcast Notes * Sorry about my voice on this one. I’m a bit sick. :( Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

3 Mar 201516min

START CONTENT * New stuxnet like piece of malware was discovered * Was found by Kaspersky * Has infected thousands of computers, mostly in Iran * The malware is the most advanced ever found * Can hide on the computer even after reinstall * Many of the names used in the application are known NSA codenames, such as GROK * Wired said those targeted groups were Islamic scholars * The group is called equation group due to the encryption used to hide itself * Car washes hacked by Billie Rios * Bad web software * Default passwords * Submit POST requests * Battery power can be used to track Android phones * Based on the power you use from cell phone tower usage * Obama sides with encryption against government groups * Lenovo laptops spying on you * Can we just say it’s dumb to use things produced in China? END CONTENT Play Podcast ### Notes * Sorry about the pops in the audio. My desk randomly makes loud noises. I’m working on it. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

24 Feb 20158min

START CONTENT * Ukrainian banks hacked for up to 1 Billion dollars * Evidently installed malware on bank admin machines using phishing * Not sure they have an FDIC * As if the Ukraine didn’t have enough problems * 10 million password project * Mark Burnett posted 10 Million password combinations * Went through a long explanation of why he was doing it * I’ve broken them up and put them in the SecLists project * Jeb Bush leaks personal data * Anthem may have been Heartbleed * Could have been China, but who knows * Reminder about talking about things without information * It’s best to just leave it alone * HP released Home Security Systems report * We found 10/10 systems vulnerable to account harvesting * DARPA Dark Web Search Engine * Stuff not indexed by Google * Tor services, etc. * Obama creating new threat intelligence agency * Unified organization for tracking threats * Looking to partner with private industry as well * Anthem and Cyberinsurance * Up to 200M in cyberinsurance * Probably won’t cover it, but it’ll be a good test of usefulness * Facebook lets you pick who manages your account when you die * Facebook threat sharing program * Uber lost and found database was online with personal data in it * Basically, if you lose something in a car, they know who you are, and they keep your stuff for you * But they had the database exposed online END CONTENT Play PodcastBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

17 Feb 201512min

START CONTENT * Anthem, the second largest healthcare company, had a major breach * They lost around 80 million socials, addresses, emails, etc., which is roughly double the Target breach * There’s speculation that it was China, trying to penetrate government, but it’s early * Watch for phishing scams related to it * The megabreaches continue…weee! * A WordPress plugin called FancyBox had a serious compromise in it last week, which affected thousands of websites * If you’re going to run WordPress, understand that Plugins are the best way to get yourself hacked * Specifically, the type of plugins that handle user input and do something with it that affects the site’s output * Image manipulation plugins have been particularly vulnerable, usually to XSS * There was another critical Flash vulnerability this week * Like I said last week, and the week before, there’s a first time for everything * Three bug hunters at HP received the 125,000 prize for finding a major vulnerability in Internet Explorer * Because they work for HP they couldn’t take the cash, and instead donated it to charity * Microsoft released Outlook for iOS last week, which looks pretty slick * Unfortunately it is riddled with security flaws * Recommendation: wait for a few updates, and for them to get a security assessment END CONTENT Play PodcastBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

8 Feb 20157min

START CONTENT * Ghost bug in PHP could affect millions of servers * Flaw is in glibc, which is extensively by all Linux distributions * Patch and reboot using yum or aptitude * The US Army Released DShell, a malware forensics tool * This is an interesting trend where we see tons of formerly secret groups flock to Github. Great to see * Reddit released its first transparency report last week * Says it received 55 requests for user information * Says it complied with 64% of state and federal requests * Says it received 218 requests for content removal, and complied with 31 percent of those * I am pleased to see them releasing these numbers, and I hope more organizations do the same * The GHCQ was using a program called BADASS to collect data leaked by games such as Angry Birds * Luckily it only affected the 11 people still playing that game * Russian dating site, Topface, got hacked for 20 million usernames * The FBI busted up a Tom Clancy book plot in New York City * The plan was to get information about wall street trading algorithms and hopefully destabilize the markets * All they managed to do was embarrass themselves by commenting on how they couldn’t recruit young women * China is demanding to be able to build backdoors into any code sold to its banking sector * Some people call this news, but with China we just call this Wednesday * Apple released a Yosemite update that fixed Thunderstrike, among other things * Anonymous and Lizard Squad are going after each other * Anonymous is the famous hacking group known for all sorts of things * Lizard Squad is known for taking down the XBox and Playstation networks around Christmas time * Anonymous DDoS’d the Lizard Squad website, and then Twitter suspended a couple of their handles * Interesting to see these groups going after each other * BMW and the internet of things is in the news, with BMW owners receiving an automatic push to around 2 million cars * A vulnerability was present that could allow attacks to spoof cell towers and possibly control onboard systems * BMW pushed a patch that ensures all such communications go over HTTPS * It’s interesting that, like printers, cars are likely to become a primary IoT platform just because there are so many of them * The key is to figure out what normal things exist in the world today en mass, and then imagine those things being connected * Printers, cars, furniture, clothing, etc. It’s the regular stuff that makes it interesting because of how much attack surface they represent, and how prevalent the perspective they’ll offer into our daily lives END CONTENT Play Podcast Notes * Intro is from Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

2 Feb 20157min