Take 1 Security Podcast: Episode 4

Play Podcast START CONTENT * Twitch, a game streaming service owned by Amazon, was hacked last week * Passwords, emails, usernames, addresses, phone numbers, dates of birth * Amazon bought them last year for almost 1 billion dollars * Bar Mitzvah attack on TLS * Requires that you can sniff traffic * Basically an RC4 problem * Solution is to remove it from your supported algorithms * GitHub Has been hit by a massive DDoS attack * Apparently from China * CSRF vulnerability found in a wind turbine * Allowed you to pull usernames and passwords * Also allowed the password to be changed for the default user, which had admin access * CSRF vulnerability exposes Hilton customer accounts * There was an account rotation issue where you could gain access to their account as long as you could guess their 9-digit username * Snowden says IT workers now the targets of spies * They’re not going after their information, but to use them for access to networks * Premera hacked on same day as Blue Cross (January 29th) * Same story: encryption, know your network, etc. * Also same story: health data is harder to clean up from because it involves PII that cannot easily be changed * More speculation around these attacks is that they’re data gathering for larger attacks on government networks * Apple Acquires FoundationDB * Fast NoSQL database probably to be used for its increasing entry into the services market * Researchers use heat to breach air-gapped systems * Everyone knows that an airgap is the best defense * Ben-Gurion University came out with BitWhisper * Now bidirectional using malware on both systems that controlled heat creation and detection * Only 8-bits per hour * BioCatch, Zumigo, Alibaba release tools to identify users * I used to work with a technology called BioPass * Uses what you do with your mouse, scrolling, how you smile via selfie, compares habits, your current location, etc. Similar to existing fraud detection just with more data points * Really cool tech, needs to be used with the right authentication level * Korea investing 5B in IoT and Smart Cars * Bring Your Own IoT * Recording audio and video are getting increasingly easy * Sensitive meetings might become dead zones soon, and perhaps even sensitive work areas * Some people will say that we already have this risk, but they key is the ease with which it can be done END CONTENT Play Podcast Notes * I skipped a week due to travel in Asia. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

30 Mar 201516min

Play Podcast START CONTENT * There was another SQL Injection bug found in SEO by Yoast * It required admins to click a malicious link * Was patched quickly * It’s the plugins that make WordPress vulnerable * Attackers are targeting gamers for ransomware * Virlock is one version of ransomware that not only locks the screen, but infects files * It’s also polymorphic, so it changes itself every time it runs * TeslaCrypt goes after gamers, which seems super smart because they are often addicted * The Hello Barbie doll is recording kids voices and sending the recordings over the Internet for voice recognition * I get asked a lot about what to do about this kind of stuff * Start by making a list of everything that can record voice or audio in your home, and determine what kind of controls you have on them * Assume the worst, even though it’s probably not that bad * US industrial systems attacked 245 times between October 2013 and September 2014 * Most attacks were against Critical Manufacturing and Energy * Biggest vectors were spear phishing and port scanning * CloudFlare aims to defeat DDoS with Virtual DNS * They want to proxy DNS before it hits customer name server * The CIA supposedly tried to hack Apple hardware * The article has come under extreme scrutiny * Going to be on the Security Weekly podcast with Pau * Hillary Clinton’s email account dram * OpenSSL is getting an audit * Bout time * Wikimedia is suing the NSA over surveillance * Spoofing the boss is the best way to phish someone, evidently * Had a great time at CactusCon in Phoenix * Did a talk with Jason and saw Dave’s keynote * Dave’s keynote was about struggling with the basics, not APT * He asked when a major breach was NOT a dumb mistake * Someone’s looking to make a Snowden Phone * Looks like I’ll be on the Security Weekly podcast with Paul * Going to talk about IoT security and my our OWASP project END CONTENT Play Podcast Notes * Comments welcome on content and format, as usual. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

16 Mar 201522min

START CONTENT * Sorry about the audio last week; wireless headsets don’t compare to the Yeti * The CIA is focusing on cyberespionage in its new management * Anthem is refusing an audit by the OIG office–an org that audits health care groups that provide services to federal employees * Nothing says I’m guilty like refusing an audit * Reminds me of the Russians refusing the crash investigation in Game of Cards * There’s been a possible credit card breach at the Mandarin Oriental hotel chain * The incident was reported by Brian Krebs * Three people were indicted in the Epsilon hack * Resulted in around 1 billion email addresses being stolen * Dave Aitel thinks junk hacking is a waste * Basically hacking your blender or whatever * In my opinion he’s missing the point that most conferences are like this * I think there’s a hierarchy of talks * Create new defense tool based on new defense idea * Create new defense idea * Create new attack tool based on new attack idea * Create new attack idea * Create new tool for existing attack or defense idea * Describe existing attack or defense idea * Microsoft has reported it’s vulnerable to FREAK as well, making it even more serious * FREAK has proved to be less alarming than previous SSL vulns simply because of the difficulty of attack END CONTENT Play Podcast Notes * I think I’m going to standardize the intro and outro so that I only end up recording the actual story content each week. * Any recommendations on what else you’d like to see would be appreciated. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

9 Mar 201512min

START CONTENT * New SSL attack called FREAK * Has to do with falling RSA back to a deprecated and weak level * Requires the client and server are both vulnerable * The solution is to patch * Many orgs will also want to note which servers were vulnerable * The lesson is that you don’t reduce security to increase it * Backdoors x time = regret * Using Ruby’s Open-URI could be dangerous * open-uri monkeypatches kernel.open * open(params[:url]) can execute |ls * Hilary Clinton used a personal email address and did not store correspondence on government servers for her entire 4 years as Secretary of Defense * This seems highly suspect * First you’re putting that data at risk in a personal system * Second you’re obviously trying to hide your conversations * Facebook can access your account without your password * Google no longer encrypting Lollipop by default * Was one of the main selling points for 5, and now it’s gone * They said it was simply a driver issue * DLink routers have a remote command injection bug * Could allow DNS hijacking and other attacks * ISIS has threatened some members of the Twitter team for disabling their accounts * This really puts a point on public presence for me * I’m a strong proponent of the belief that the way to avoid attack is to avoid being a target, not to be hard to attack once people want to * This works for personal attacks, not for countries obviously * There has been some major fraud happening with people connecting stolen cards to ApplePay * The issue isn’t a security problem with ApplePay, but rather with standard bank / card security issue * Up to 18.8 non-Anthem customers exposed in the Anthem breach * This is in addition to the 80 million actual anthem customers * GoPro vulnerability on its website exposes customer Wi-fi passwords * Expect more of this * Uber took over 5 months to issue a breach notification * There was a breach of driver names and license numbers that they just now disclosed * Seagate NAS vulnerability allows unauthorized root access * This raises the cloud storage issue I blogged about last week END CONTENT Play Podcast Notes * Sorry about my voice on this one. I’m a bit sick. :( Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

3 Mar 201516min

START CONTENT * New stuxnet like piece of malware was discovered * Was found by Kaspersky * Has infected thousands of computers, mostly in Iran * The malware is the most advanced ever found * Can hide on the computer even after reinstall * Many of the names used in the application are known NSA codenames, such as GROK * Wired said those targeted groups were Islamic scholars * The group is called equation group due to the encryption used to hide itself * Car washes hacked by Billie Rios * Bad web software * Default passwords * Submit POST requests * Battery power can be used to track Android phones * Based on the power you use from cell phone tower usage * Obama sides with encryption against government groups * Lenovo laptops spying on you * Can we just say it’s dumb to use things produced in China? END CONTENT Play Podcast ### Notes * Sorry about the pops in the audio. My desk randomly makes loud noises. I’m working on it. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

24 Feb 20158min

START CONTENT * Ukrainian banks hacked for up to 1 Billion dollars * Evidently installed malware on bank admin machines using phishing * Not sure they have an FDIC * As if the Ukraine didn’t have enough problems * 10 million password project * Mark Burnett posted 10 Million password combinations * Went through a long explanation of why he was doing it * I’ve broken them up and put them in the SecLists project * Jeb Bush leaks personal data * Anthem may have been Heartbleed * Could have been China, but who knows * Reminder about talking about things without information * It’s best to just leave it alone * HP released Home Security Systems report * We found 10/10 systems vulnerable to account harvesting * DARPA Dark Web Search Engine * Stuff not indexed by Google * Tor services, etc. * Obama creating new threat intelligence agency * Unified organization for tracking threats * Looking to partner with private industry as well * Anthem and Cyberinsurance * Up to 200M in cyberinsurance * Probably won’t cover it, but it’ll be a good test of usefulness * Facebook lets you pick who manages your account when you die * Facebook threat sharing program * Uber lost and found database was online with personal data in it * Basically, if you lose something in a car, they know who you are, and they keep your stuff for you * But they had the database exposed online END CONTENT Play PodcastBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

17 Feb 201512min

START CONTENT * Anthem, the second largest healthcare company, had a major breach * They lost around 80 million socials, addresses, emails, etc., which is roughly double the Target breach * There’s speculation that it was China, trying to penetrate government, but it’s early * Watch for phishing scams related to it * The megabreaches continue…weee! * A WordPress plugin called FancyBox had a serious compromise in it last week, which affected thousands of websites * If you’re going to run WordPress, understand that Plugins are the best way to get yourself hacked * Specifically, the type of plugins that handle user input and do something with it that affects the site’s output * Image manipulation plugins have been particularly vulnerable, usually to XSS * There was another critical Flash vulnerability this week * Like I said last week, and the week before, there’s a first time for everything * Three bug hunters at HP received the 125,000 prize for finding a major vulnerability in Internet Explorer * Because they work for HP they couldn’t take the cash, and instead donated it to charity * Microsoft released Outlook for iOS last week, which looks pretty slick * Unfortunately it is riddled with security flaws * Recommendation: wait for a few updates, and for them to get a security assessment END CONTENT Play PodcastBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

8 Feb 20157min