Unsupervised Learning

Latest episodes

Apr 7, 2016 • 38min

Unsupervised Learning: Episode 33

News
[ ] Panama Papers leak
[ ] Hackers targeting major US law firms
[ ] Ubuntu has some kernel vuln patches out
[ ] 50 million Turkish citizens have their information dumped online
[ ] Microsoft makes cloud-app security services now available (Adallom)
[ ] OSVDB shutting down because nobody would pay them
[ ] WhatsApp is now end-to-end encrypted
[ ] Critical new Flash bug, expect Ransomware to leverage it
[ ] Security salaries skyrocketing due to talent shortage | http://www.csoonline.com/article/3049374/security/survey-with-all-eyes-on-security-talent-shortage-sends-salaries-sky-high.html
[ ] Data exfiltration using Smart Lightbulbs | http://www.scribd.com/doc/306620189/Eyal-Ronen-and-Adi-Shamir-Hack-Lightbulbs
[ ] Significant Firefox extensions bug, look for a patch soon
[ ] $40 attack that steals police drones from 2 kilometers away | http://www.theregister.co.uk/2016/04/01/hacker_reveals_40_attack_to_steal_28000_drones_from_2km_away/ | break WEP, disconnect their controller, connect yours, must be within 100 meters
[ ] IoT is expected to push the US ahead of China in manufacturing by 2020 | http://www.zdnet.com/article/internet-of-things-analytics-expected-to-push-u-s-ahead-of-china-for-manufacturing/
[ ] 1,400 vulnerabilities found in automated medical supply system | https://www.helpnetsecurity.com/2016/03/30/1400-flaws-automated-medical-supply-system/ | automated cabinets that dispense medical supplies, if you’re locked out it could be bad

Unsupervised Learning: Episode 33 appeared originally on danielmiessler.com.

Subscribe to Unsupervised Learning, my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.
Become a Member: https://danielmiessler.com/upgrade
See omnystudio.com/listener for privacy information.
Mar 28, 2016 • 36min

T1SP: Episode 32

News
* [ ] Verizon Enterprise Solutions had a major data breach of their customer data. This is the group that handles breaches for their customers. “Virtually every attack in this data set (98 percent) was opportunistic in nature, all aimed at easy marks…”
* [ ] Iranians charged with attacks against US banks and a New York dam
* [ ] Hackers steal 81 billion from the Federal Reserve Bank of New York
* [ ] Uber launches bug bounty program, describes the surface area. Someone said it was really bad, though. Not sure what that’s about
* [ ] New ultra-fast SSD technology coming from Intel soon
* [ ] FBI backs off request for Apple backdoor. Says they have it handled. We find out it’s an Israeli company
* [ ] Water treatment plant hacked, chemical mix changed for tap supplies | http://www.theregister.co.uk/2016/03/24/water_utility_hacked/
* [ ] German steel mill compromised and wrecked a blast furnace
* [ ] This is after a string of attacks against power companies using spear phishing and office malware
* [ ] Microsoft’s AI Chatbot was a teenage girl, but it learned from the people who talked to it, so before long it was talking about loving incest, sex, and Hitler
* [ ] Millions of Android devices vulnerable to root exploit due to Snapdragon chip flaw
* [ ] Kentucky-based Methodist Hospital declares state of emergency after it’s wrecked by Locky ransomware
* [ ] Credit Card Breaches Linked To Security Cameras
* [ ] Chinese national pleads guilty to stealing plans for Air Force aircraft
* [ ] Hackers offer Apple’s Ireland staff $23,000 for their login credentials
* [ ] Ransomware hitting major vulns: The Angler, Neutrino, Magnitude, RIG, and Nuclear exploit kits spread the Flash CVE 2015-7645 exploit; Angler spreads Flash 2015-8446; Angler and Neutrino spread Flash CVE 2015-8651; and Angler spreads Silverlight CVE-2016-0034, an exploit exposed in the Hacking Team breach.
* [ ] Microsoft Deploys Macro Blocking Feature in Office to Curb Malware

Ideas, updates, and discussion
* [ ] Innovation Sandbox | Innovative Security Products (2016 Edition)
* [ ] AI and messaging apps are the new mobile apps
* [ ] Human Attention as Attack Surface | https://danielmiessler.com/blog/human-attention-as-influence-attack-surface/
* [ ] Most can’t respond to breach: http://blogs.csc.com/2016/03/15/while-majority-of-orgs-fear-big-breach-theyre-not-prepared-to-respond/?utm_content=bufferc043c&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
* [ ] How your data is collected and commoditized online by free online services | http://www.troyhunt.com/2016/03/how-your-data-is-collected-and.html

Tools, talks, and projects
* [ ] Innovation Sandbox | Innovative Security Products (2016 Edition)
* [ ] 2016 Data Breach Digest | https://danielmiessler.com/blog/analysis-verizons-2016-data-breach-digest/
* [ ] AI and messaging apps are the new mobile apps | https://danielmiessler.com/blog/ai-assistants-are-the-new-applications/
* [ ] Idea Expansion Format | https://danielmiessler.com/blog/idea-expansion-format-ief/
* [ ] BinDiff is a comparison tool for binary files that helps to quickly find differences and similarities in disassembled code.
* [ ] IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins, tweets and log files using a message queuing protocol.
Mar 14, 2016 • 32min

T1SP: Episode 31

News
[ ] FBI saying it will force Apple to hand over source code and signing ability if they don’t comply | http://thehackernews.com/2016/03/fbi-apple-iphone.html
[ ] Locky ransomware campaign, JS downloader
[ ] X11 forwarding issue in OpenSSH, update now
[ ] Seagate Phish Exposes All […]

T1SP: Episode 31 appeared originally on danielmiessler.com.
Feb 28, 2016 • 36min

My Response to Sam Harris on the Apple Encryption Debate

[ UPDATE: Much credit to Sam for engaging in the conversation. I’m not sure how people claim he’s closed on this topic when he is clearly open to exploring it. ]

I don't agree with all of it. But this is a very good response to my remarks about encryption. https://t.co/rMl8zgtuWN @danielmiessler
Sam Harris (@SamHarrisOrg), February 28, 2016

I’ve been planning on doing a podcast episode on the Apple encryption debate for some time, but I was unsure of the format I should use. This problem was just solved for me when I listened to Sam Harris—who is someone I respect greatly—miss the mark significantly in a recent podcast.

The thing that compelled me to respond was the fact that I don’t often disagree with Sam. His logic is usually impeccable, and we often end up with nearly identical opinions. So it was somewhat surreal to hear him be wrong about something. Or at least disagree with me (which, of course, may not be the same thing).

Anyway, being in information security myself I felt like a response was important. This essay takes the form of a retort to his comments, followed by my own points and then a summary.

Sam’s points

[ The points are summarized, by the way, not necessarily exact quotes. ]

* Apple built the lock, but didn’t build the key, and now they’re telling us that building the key would put us all at risk. Self-serving abdication of responsibility.
* Community in tech swayed by Snowden. Even when the government gets a court order, they think they shouldn’t give access
* Gives cases where text messages could have helped solve a murder, but the texts are unread because the iPhone is unbreakable. Imagine being a family member!
* Could someone build an impregnable room inside their own house?
* What if you could take a drug that could make your DNA unanalyzable? So you could never be linked to any crime. The only people who would benefit would be criminals!
* Apple could maintain the backdoor and it’d be fine, just like banks have your banking information. They’re trading on paranoia.

My responses

[ NOTE: This will come in the form of a podcast, which I may still record. I wrote it largely in the voice of a spoken conversation. ]

First, let’s start with where we agree. You speak of a “Cult of Privacy”, where people are blindly saying that Snowden did nothing wrong whatsoever, that he didn’t set a dangerous precedent, that any violation of privacy in any case is always bad, etc., etc. I absolutely agree with you that this is not an intelligent way to understand and discuss current events.

But there’s another cult on the other side, and it’s one that you’re coming dangerously close to membership in. And that’s “The Cult of Safety”. This one works like this: If there is any situation in which some amount of data could be used to help learn where a kidnapped girl is, or where a terrorist’s bomb will detonate, then it’s within the rights of a government to legally seize ...
Feb 23, 2016 • 19min

T1SP: Episode 29

News
* [ ] Apple calls out FBI on iPhone decryption case
* [ ] Trump calls for a boycott of Apple, from an iPhone
* [ ] Judge Rules FBI Must Reveal Malware It Used to Hack Over 1,000 Computers
* [ ] Wow. Someone hacked @linuxmint’s website and replaced ISOs with backdoored version today http://blog.linuxmint.com/?p=2994
* [ ] This affects a universally used library (glibc) at a universally used protocol (DNS). Generic tools that we didn’t even know had network surface (sudo) are thus exposed, as is software written in programming languages designed explicitly to be safe. ~ Dan Kaminsky
* [ ] Mint Forum Hacked, website compromised, fake downloads posted
* [ ] TeslaCrypt now targeting Joomla sites as well as WordPress
* [ ] Hollywood Hospital pays 17K to decrypt files; hope they cleaned up afterwards otherwise they’ll be paying rent
* [ ] Patch your vServer; RCE flaw
* [ ] Power grid honeypot by MalCrawler

Ideas, updates, and discussion
* [ ] The San Bernardino health department changed the iCloud password (at the FBI’s request) after having the device for just a few hours
* [ ] The FBI didn’t have the other two phones, which were destroyed
* [ ] The implications for data security if US companies are told the government must be able to get in is that US citizens will soon be told that they cannot create, purchase, or use tech that is locked down in this way
* [ ] There’s another way to the iPhone data: https://threatpost.com/delicate-hardware-hacks-could-unlock-shooters-iphone/116388/ via @IOActive

Tools, talks, and projects
* [ ] Bitquark is releasing some subdomain research; will be added to SecLists
* [ ] Log.io web interface for looking at log files | http://www.tecmint.com/linux-server-log-monitoring-with-log-io/
* [ ] Lobotomy: Automate Android assessment and reversing | https://n0where.net/android-security-toolkit-lobotomy/
* [ ] SSLyze: https://n0where.net/fast-and-full-featured-ssl-scanner-sslyze/
* [ ] SELKS: Full NSM with Suricata and rule manager | https://www.stamus-networks.com/downloads/

Announcements
* [ ] I’ll be at the IOAsis at RSA next week; come by and say hello

Miscellaneous
* [ ] War-games movie prompted Reagan to take cybersecurity action | http://www.nytimes.com/2016/02/21/movies/wargames-and-cybersecuritys-debt-to-a-hollywood-hack.html

Notes
* The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM.
Feb 15, 2016 • 42min

T1SP: Episode 28

News
[ ] Major Cisco ASA buffer overflow; patch now
[ ] Critical patches for Windows and Flash
[ ] The FBI is officially investigating Hillary Clinton regarding her private email server
[ ] NSA doing a complete reorg (basically combining defense and offense) […]

T1SP: Episode 28 appeared originally on danielmiessler.com.
Feb 2, 2016 • 23min

T1SP: Episode 27

News
[ ] Heavy surveillance around the Super Bowl
[ ] A new BlackEnergy spear phishing campaign is targeting more Ukrainian companies
[ ] Magento, the popular e-commerce CMS, releases fixes to critical XSS issues
[ ] Someone has posted private files of America’s […]

T1SP: Episode 27 appeared originally on danielmiessler.com.
Jan 25, 2016 • 49min

T1SP: Episode 26

News
[ ] Backdoor found in AMX devices that run corporate and government conference rooms
[ ] Autopwn every Android device on your network using BetterCap and addJavascriptInterface
[ ] Cyber insurance challenged: a lawsuit for failing to cover a 500K loss in Houston […]

T1SP: Episode 26 appeared originally on danielmiessler.com.
Jan 19, 2016 • 26min

T1SP: Episode 25

News
* [ ] TrendMicro node.js server listening on localhost can execute commands; exposed to the internet
* [ ] SSH backdoor found in Fortinet firewalls
* [ ] SSH client vulnerability
* [ ] Australia’s Cybercrime Online Reporting Network (ACORN) received over 39K reports of criminal activity in 2015
* [ ] Hyatt names 250 hotels hit by malware, includes the one for DerbyCon
* [ ] Websense rebranding as Forcepoint, acquires Intel’s firewall business
* [ ] Twitter might be ending its 140 character limit
* [ ] Major vulns still being found in Health and Fitness mobile apps
* [ ] Angler exploit kit continues to evade detection
* [ ] LostPass attack is a phishing email attack that works against LastPass (showed at Shmoocon this weekend)
* [ ] Virus just took down the Melbourne Health computer system
* [ ] LastPass has found a workaround for the LostPass attack
* [ ] A bit match fixing problem has been found in Tennis
* [ ] Trustwave is being sued by Affinity for supposedly missing a second hack that was going on while they were there to fix an initial hack

Ideas, updates, and discussion
* [ ] IR is messy and dangerous; assume compromise; assume continued compromise; be extremely careful saying that things were contained; if you’re not Mandiant you’re probably not doing a great job
* [ ] Smartphone encryption and the gun debate: same coin? ISIS supposedly has its own encryption app. What next, make murder illegal?

Tools, talks, and projects
* [ ] FIR – Fast Incident Response Management Platform
* [ ] DIVA damn insecure and vulnerable Android app
* [ ] Kill Chain for Kali Linux 2.0 : recon, weaponization, delivery, exploit, installation, c2, actions
* [ ] EZ-Wave: exploiting Z-Wave networks using SDR
* [ ] GoPhish: open source phishing framework
* [ ] V3n0m SQLi scanner
* [ ] VScan : uses NSE scripts to find vulns
* [ ] SleepyPuppy Burp Extension
* [ ] DBDAT — Database Assessment Tool — https://github.com/foospidy/DbDat

Announcements
* [ ] Speaking at AppSec Cali next week (Tuesday) on ATM
* [ ] Shmoocon hiring list: http://www.room362.com/2016/01/2016-shmoocon-hiring-list.html

Miscellaneous
* [ ] Great security news source: https://security.didici.cc/news
* [ ] Thanks to Tripwire for giving a shoutout to the podcast on Twitter

Notes
* The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM.
Jan 11, 2016 • 28min

T1SP: Episode 24

News
* [ ] Norse lays off 20 people; not clear what percentage that is; threat intel not going so well?
* [ ] OPM declines to release details on its big breach
* [ ] Juniper says it’s going to remove the code that it thinks was developed by the NSA to eavesdrop on traffic
* [ ] CVE details lists (OS X, iOS, Flash, Air, IE, Chrome, Firefox) as the software with the most issues
* [ ] GM is going to do a bug bounty
* [ ] The Hacker Manifesto turned 30 (My crime is that of curiosity)
* [ ] Sophos Home free for Windows and Mac users
* [ ] SF Yellowcab filing for bankruptcy
* [ ] Hackers shut down Ukraine power grid; evidently a malicious word doc sent via email; supposedly the Sandworm Team
* [ ] Bicycle Attack on TLS: https://guidovranken.files.wordpress.com/2015/12/https-bicycle-attack.pdf
* [ ] North Korea evidently detonated a hydrogen bomb
* [ ] Time Warner customers lose email passwords (320K)
* [ ] Microsoft killing off IE 8, 9, and 10 on January 12th
* [ ] VTech launching new product line after it got hacked and leaked data on 6 million kids
* [ ] Big Flash player update, 0-day and 18 other issues

Ideas, updates, and discussion
* [ ] Back to Ubuntu from CentOS
* [ ] Sick for five weeks
* [ ] Ikigai (what you love, what the world needs, what you can be paid for, what you are good at)
* [ ] Giving books as gifts

Tools, talks, and projects
* [ ] TOWER-SEC protecting ECUs and Telematics on cars
* [ ] AppSensor project; Detection points: https://www.owasp.org/index.php/AppSensor_DetectionPoints
* [ ] Where the Science is Taking Us in Cybersecurity, Dan Geer
* [ ] Rapid7 Hackazon app (modern)
* [ ] DVNA (Damn vulnerable Node Application)
* [ ] Argon2 password hashing algorithm
* [ ] Dradis
* [ ] Kippo SSH honeypot

Notes
* The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM.
* It’s better to listen via iTunes or with the player embedded above, but you can also download the sound file directly.
