Take 1 Security Podcast: Episode 6

An essay on why time can feel like it's speeding up when you get older, and how to slow it back down.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

20 Jul 20195min

Parts of Manhattan had a power outage Saturday night, which happened to be the anniversary of another power outage in 1977. The power company apologized but didn't explain what happened. The hacker in me thinks this could easily be a probing shot by a sophisticated attacker, or a fun prank by amateurs. But the overwhelming odds are on simple failure. Either way, this country needs to get a whole lot more resilient to small attacks, because enough small ones can quickly become a big one. MoreZoom has had a bad week or two. Not only did it have a major vuln, but it turned out to be part of the design, and they moved relatively slowly in addressing it, and then companies started auto-uninstalling it from their OS. They had a lot of momentum going in the space, too. This will sting for sure. MoreFacebook will be fined $5 billion over its various privacy catastrophes. MoreMarriott is being fined $124 million over the Starwood breach. Real question: how does that compare to their coffee budget? MoreBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

15 Jul 201920min

The Telegraph has found strong links between Huawei employees and Chinese intelligence agencies. The Huawei counter was that this was extremely common among telecom companies, and that it wasn't a big deal. The counter to that counter was, basically, "Well, then why did you try to hide it?" /gg MoreThe NPM security team caught a malicious package designed to steal cryptocurrency. A lot of these packages work by uploading something useful, waiting until it's used by lots of people, and then updating it to have the malicious payload. My buddy Andre Eleuterio did the IR on the situation there at NPM, and said they're constantly improving their ability to detect these kinds of attacks. Luckily NPM's security team had the talent and tooling to detect such a thing, but think of how many similar companies aren't so equipped. I think any team that's part of a supply chain should be thinking about this type of attack very seriously. MoreFederal agents are mining state DMV photos to feed their facial recognition systems, and they're doing it without proper authorizations or consent. To me this has always been inevitable because—as Benedict Evans pointed out—it's a natural extension of what humans already do. You already have wanted posters. You already have known suspects lists. And it's already ok for any citizen or any cop to see any person on that list and report them. In fact it's not just possible, it's encouraged. So the only thing happening here is that process is becoming a whole lot more aware (through more sensors), and therefore more effective. Of course, any broken algorithms that identify the wrong people, or automatically single out groups of people without actual matches, those issues need to be snuffed out for sure. But we can't expect society to not use superior machine alternatives to existing human processes, such as identifying suspects in public. That just isn't realistic. Our role as security people should be making sure these systems are as accurate as possible, with as little bias as possible, by the best possible people. In other words, we should spend our cycles improving reality, not trying to stop it from happening. MoreBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

8 Jul 201921min

The world being sorted into two different countries—a Green country of the top 10% of income/wealk, and a Red country that's everyone else. These countries are separated not by geography, but by class.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

3 Jul 20198min

I created a new tutorial on OWASP Amass, and just joined the team as a contributor as well. TutorialChinese hacking groups have been embedded deep inside multiple major US tech firms for many years, including Fujitsu, Tata, NTT, Dimension Data, and HPE. The first thing you should be thinking is where else they are today. MoreAmazon is getting heavier into the SIEM space (and perhaps others) with their new Amazon Security Hub offering. It takes in lots of event types from various AWS services, and surfaces what it thinks is most important. Of course, it doesn't do this for other product types, i.e., non-AWS stuff, but that could come eventually. MoreAmazon also launched a new service that lets you monitor your AWS VPC traffic. And lots of vendors are announcing their support for it. MoreBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

1 Jul 201918min

There's a Linux vulnerability called SACK Panic (among other names) that takes advantage of a kernel feature called Selective ACK. The feature lets systems tell the other side of the conversation how much data it's received, and it turns out it can be overflowed or fuzzed. The former creates a crash, and the latter creates a slowdown. You should patch. And if you have any services facing the internet running Linux, you should definitely patch. MoreA Florida city paid $600,000 in bitcoin to get access to their data back from a ransomware gang. MoreMagic Leap is suing former engineer Chi Xu for allegedly using his knowledge of the headset to make a version for China. MoreThe average security group is running over 50 security tools. As my friend Jeremiah once said when looking at a Momentum Partners slide, "Are we secure yet?" MoreAmazon just got a patent for using delivery drones for surveillance. I don't necessarily think that means they'll use delivery drones for surveillance though. That's what a lot of the conspiracy theorists will say, though—just based on them getting a patent for using delivery drones for surveillance. Actually, the patent is a bit more benign than my joke implies. It's designed to monitor opted-in people's property, a lot like a house camera or a Ring device. Makes sense. But still. MoreBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

24 Jun 201913min

The US is supposedly ramping up attacks against Russian power grid through the use of new cyberattack powers granted by Trump. I am happy to hear of this, but it's an example of where we as outsiders can only know a tiny fragment of the story. But any signs that this administration sees Russia as a foe, and are treating it as such, are positive in my view. MoreAdobe is entering the deepfakes arena by showing off research tools designed to detect manipulated photos. MoreTarget stores have been hit by major outages. MoreMany places are using very granular bluetooth beacon tracking to watch you move throughout their businesses, including airports, malls, subways, buses, gyms, hotels, festivals, museums, etc. MoreThe US is going after ethnic Chinese researchers in the medical field, and specifically at cancer centers. I'm all for becoming more aggressive towards the Chinese government pilfering the world's intellectual property, but, um, cancer research is one thing that I think it's ok to spread widely. It's not like they're stealing the only copy of the research; they're just sharing it. Maybe I'm missing something, but if that something is just about who makes the profit, then I'm calling Meh. MoreFirewalling outbound DNS could save companies billions. Yes! I've been on about this for years. MoreBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

18 Jun 201910min

Some absolutely fascinating research has just come out on what percentages and types of vulnerabilities are actually exploited in the wild. It found that only 5.5% of vulnerabilities discovered between 2009 and 2018 were actually exploited, with most of those being issues with a CVSS score of 9 or 10. The best part of the paper, however, was a discussion of optimal patching strategies, where they looked at different methodologies for what to patch and measured them against each other based on coverage (no misses) and efficiency (not patching what you don't have to). Options included patching by CVSS, whether or not there are public exploits, by vulnerability tags, etc. The ML model performed best, but it seemed that patching the CVSS 7 and above was decent as well, and for more efficiency but less coverage—CVSS 9 and above. Super interesting paper. MoreThe US is going to start requiring 5 years of social media account history from Visa applicants, as part of the filtering process. I'm genuinely curious as to how effective this is going to be. On the one hand, there will now be a market for creating and maintaining fake social media accounts that people can use for this purpose. But on the other hand, there will be many who don't want to go to that effort and either won't try to come, or will get caught in the filter. As with most things, the efficacy will come down to execution. MoreA team at Stanford has made it possible to edit video using a text editor. So, editing the things that were said by the actual subject, to say something else entirely, but having it seamlessly injected into the video so it looks completely natural. MoreBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

11 Jun 201924min