[ Subscribe to the Podcast: iTunes | Android | RSS ] News * [ ] Juniper backdoor; could have been found with diff; signs point to NSA * [ ] RCE on FireEye appliances * [ ] Hyatt got hacked; malware on POS * [ ] 45K drones registered with FAA within 2 days * [ ] Industry moving towards password-free logins; still single factor, now the factor is your device; although access to device could require factors * [ ] Microsoft will now tell you if your account has been targeted by government authorities * [ ] Tor announced it’s doing a bug bounty, looks like it’ll be internal * [ ] Steam had a DoS that revealed 34K user details * [ ] Linode has been suffering a massive DDoS on its datacenters, DNS infrastructure * [ ] Spy files found in North Korea’s Operating System Ideas, updates, and discussion * [ ] 3 things you should do every January * [ ] Web Scanner Series: Burp vs. Netsparker * [ ] When you’re interviewing, make sure you make it clear that you’re the asset too, not just them * [ ] Failing at the basics in intelligence and infosec * [ ] Why Trump is Winning * [ ] Sensitive data sent in URL over HTTPS * [ ] Difference between correlation and causation * [ ] Paul Graham’s REFRAGMENTATION post * [ ] The relationship between Relaxation, Fun, and Performance * [ ] Michael Coates makes the argument that false negatives are way better than false positives because false positives create unnecessary work for his team * [ ] Brainstorm questions, not solutions Tools and projects * [ ] BLUTO * [ ] Serpico * [ ] Firmware Extraction from Craig Smith * [ ] Vulnerability Database Resources * [ ] IoT Attack Surfaces Project * [ ] RobotsDisallowed Project * [ ] Nowhere.net (CyberPunk) * [ ] EyeWitness * [ ] REST Security Cheat Sheet * [ ] Censys.io * [ ] GithubDorks * [ ] InstaRecon (DNS lookups, whois, shodan, google dorks, etc) * [ ] twfactorauth.org Announcements * [ ] Speaking at OWASP Cali end of January * [ ] Currently working on an ICS / SCADA primer Miscellaneous * [ ] Need to check out the Benedict Evans blog * [ ] Serial Podcast / Making a Murderer on Netflix * [ ] If you know any Army veterans who are getting out and want to get into InfoSec, let me know * [ ] Twitter account: CISSP Googling * [ ] Sam Altman (Startup Playbook) [ Subscribe to the Podcast: iTunes | Android | RSS ] Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] In this episode I explore the topic of Security and Obscurity by reading my popular essay on the topic. Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] Topics for this episode: News * [ ] Stringing Shodan to exploitation * [ ] Why you need to check HaveIBeenPwned * [ ] Another DELL root cert hacked * [ ] ISIS OPSEC advice (data privacy, tor, crytocat, telegram, proton mail, gps features on mobile devices, etc.) They also mention not to use instagram because Facebook has a poor privacy record. * [ ] Obama wants to make it harder for terrorists to use technology to escape from justice * [ ] DHS giving companies free penetration tests * [ ] Issues in Honeywell gas detectors (path traversal and clear-text passwords) * [ ] UAE Bank declines to pay ransom, data released * [ ] Swift is open source * [ ] Amazon two-factor now available * [ ] Credit freeze vs. monitoring * [ ] Thousands of IoT devices sharing the same SSH keys * [ ] Many people predicting that 2016 is the year that Apple gets targeted by more attackers * [ ] Engine Immobilizers hackable over the internet Announcements * [ ] Speaking at OWASP Cali end of January * [ ] Currently working on an ICS / SCADA primer Productivity * [ ] Algorithmic learning [ Subscribe to the Podcast: iTunes | Android | RSS ] Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. * It’s better to listen via iTunes or with the player embedded above, but you can also download the sound file directly. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Topics for this episode: News and analysis * [ ] Ads using high frequency sound to communicate across devices. The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product. * [ ] Conficker in police body cameras (windows brute force tool) * [ ] Siri iOS data extraction. Tv reporter * [ ] The eye of Siri * [ ] Read top stories from the security news site * [ ] Expect to see concealed carry increase in the united states * [ ] Starwood hotels hit with POS malware * [ ] How to Deploy Splunk AD Monitoring in 437 Easy Steps * [ ] PCs being shipped with MiTM certs in them (supply chain security) * [ ] Java Deserialization flaws evidently affect more libraries * [ ] France looking at banning Tor, blocking public WiFi * [ ] Blackberry leaves Pakistan rather than provide backdoor * [ ] EFF launches bug disclosure program for Let’s Encrypt and HTTPS Everywhere * [ ] Flash is really on the way out Ideas and commentary * Personal Github Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. * It’s better to listen via iTunes or with the player embedded above, but you can also download the sound file directly. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Companies don't want employees, and they're doing their best to get rid of them. We should be getting ready for this.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Topics for this episode: News and analysis * [ ] A couple of months into my job with IOActive * [ ] Paris Attacks: resilience vs. prevention * [ ] Updating the OWASP IoT Project (no longer the Top 10) It’s an umbrella project. * [ ] Adding to the IoT project the SCADA Top 10 List (read the list), and Nabil Ouchn is going to be project leader on that project * [ ] Pentagon farms coding to Russia * [ ] Crypto email service pays ransom, gets taken out anyway * [ ] Blackout Europe shows vulnerabilities in LTE. Forced leak of location within 2-KM radius. Were also able to block LTE and force 3G or 2G. * [ ] Onapsis talks SAP HANA vulnerabilities. They’re config issues, and aren’t patchable, and include: remote file writes, remote directory deletions, moving files to where they can be access remotely, remote command execution, and remote python execution. To fix, you have to upgrade to the latest version and reconfigure your system. Also two issues with the database that allow HTTP RCE and SQL RCE. * [ ] TPP : how did we even get an agreement that was secret in the first place. Forget the details. This should never be allowed to happen again * [ ] Linux ransomware now hitting websites (broken by Brian Krebs) * [ ] Linux.Encoder.1 has a predictable key for its ransomware, and a tool was released to decrypt victims’ systems. Good to know that even attackers make dumb encryption implementation mistakes. * [ ] Visio smart tracking turned on for 10 million users. Here was the pitch “revolutionary shift across all screens that brings measurability, relevancy and personalization to the consumer like never before!” * [ ] Ring-0 theory of devops: history of the o-ring. Small thing that everything else depends on. for serial tasks you need A players to have an A process. As you lower the whole thing tumbles down * [ ] The Chinese Great Cannon: so we know about the Great Firewall, now learn about the Great Cannon * [ ] Must read article: What ISIS Really Wants, by the Atlantic * [ ] Two must follows: Gunnar Peterson, and Benedict Evans. Gunnar is brilliant in security, and Benedict works for Adresesen Horowitz Updates and announcements * Hit me up at IOActive if you have any security consulting needs. Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. * It’s better to listen via iTunes or with the player embedded above, but you can also download the sound file directly. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Topics for this episode: News and analysis * Sonar framework * Schneider Electric SCADA issues revealed at DEFCON * Ashley Madison hack, extortion will become more common, passwords added to SecLists * Hackers attack PR firm and manipulate stocks * Uber is quadrupling their security staff in 2015 * Android vulnerabilities lately Ideas and commentary * Business-based hacking: extortion-based hacking, ransomware, prediction-based hacking, PR releases, etc. Find the leverage, then execute the hack * My problem with threat intelligence * Optimal playlists for getting work done: baroque, no words, medium volume, 60 beats per minute * Ambient sound as two-factor, which goes to my idea of continuous authentication * How standardization and insurance will change security * Miller (mlr) is like sed, awk, join, cut, and sort, but for name:index data such as CSV * Participation in the OWASP IoT Project, Sasa Zdjelar is going to work on an IOT disposition project, Digicert is possibly working on a secure updates project, and we welcome others to add to the mix Updates and announcements * Vegas conferences: two talks, Blackhat Arsenal, DEFCON talk on IoT Attack Surface Areas, Caparser release * If you’re into IoT, be sure to check out Craig Smith’s podcast at IoT Weekly, and Bruce Sinclair’s IoT podcast as well * SecLists has been reorganized, go check it out * Kali Linux 2.0 is out: new kernel, based on debian, rolling release, go get it Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ NOTE: There are spoilers below, not just for this episode but for the show in general. ] Enough people have asked me to start doing reviews of Mr. Robot episodes that I’m going to have a go at it. The deciding factor was the fact that I had such a strong desire to write during the third episode. I’m going to start here with thoughts on the show in general, not just on episode 3. Mr. Robot in general The character The main protagonist is an interesting character. He is what the writer evidently wants to capture, or actually believes to be, the template for a true hacker, which is highly damaged. I am quite struck with the focus that is placed on how truly messed up he is. He has major drama with the way his father was killed. He largely hates society. He has deep personal depression. And he’s a user of narcotics. I’m left thinking along the lines of a Hemingway type of artist, where the best creativity (in this case hacking) comes from those wo are the most tortured internally. Painters, musicians, etc. We’re familiar with the template. This redeeming qualities, which the writers take equal efforts to highlight, are the desire to protect people, his love for the blonde girl, and a general but understated willingness to fight back against the soul-crushing force of our modern, consumerist society. I really enjoy how he is only actually going to see his psychiatrist because he’s trying to help her, and if she’s actually going to help him it’ll kind of be on accident. He deeply analyzes people and sees if they’re good, or weak, or in need of help, and then if they are he kind of hates them less because of this. And he is willing to use his superpowers to help them as a result, like when he pushed that guy out of his psychiatrist’s life. The tech Before going into the various problems, it must be said that the information security writing has been exemplary. I’d say definitely the best we’ve seen in either movies or “television” (whatever that is). That said, there are a number of missing links in the armor. On one of the first episodes, possibly the first, I noticed an IP address with a final octet in the 300’s. That’s just an editing miss, but it did take me out of the fantasy. In Episode 2, which I generally didn’t like, I was quite bothered by the destruction scene. Here’s what I think happened there. They wanted to do a destruction scene, they had it all rigged up, and they wrote the story so that he’d do a quick hack and then get spooked enough to do it. Then they show the infosec writer(s) the story component and they’re like, Um, no. There’s no way anyone of this skill level would be hacking from his actual IP address. And they’re like, Well, we need to do this scene. Most people will miss that, and the scene will be cool enough to make up for it. So the writer stomps out of the room mumbling about how they shouldn’t have hired him for authenticity if they were going to make such obvious mistakes, and they go with it. Who knows if that really happened, but that’s how I imagine it. Comments on modern society I also find the comments on modern society to be quite interesting. I think it’s a big part of the whole hacker feel. Hackers have always had this component to their mystique. Being counter-culture. Being underground. Fighting against the man. So the idea that everything is a conspiracy with the rich exploiting the poor, the strong exploiting the weak, and everything being about selling advertising and the dominance o...Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Topics for this episode: Announcements * [ ] New desk, new mic setup News * [ ] SSL vuln spoofing issue, requires mitm * [ ] Sleepy puppy XSS Payload Management Framework * [ ] Troy Hunt on tech presentations * [ ] Stock market attacked and taken down. Anonymous warned about it beforehand * [ ] OPM goes to 21.5 million cards; director steps down * [ ] People need to get fired for this stuff; it’s the only way anyone will care enough to do anything * [ ] National Guard announces data breach Commentary * [ ] Mr. Robot * [ ] Splunk buys Caspida * [ ] Securing web session ids, by Eran Hammer Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Topics for this episode: * [ ] Hacking Team Hacked, show which oppressive governments bought their software * [ ] No exploits for non-jailbroken iPhone * [ ] The FBI spent 775K on Hacking Team software * [ ] Citi creating a digital currency, called Citicoin * [ ] Clinton attacking China on hacking, “Said they’re trying to hack into everything that doesn’t move.” * [ ] Eric Holder suggests that Snowden had a positive impact, and that an agreement could be reached * [ ] Critical bug in node.js patched that could lead to DoS * [ ] MasterCard looking to do facial scanning to authenticate purchases * [ ] FBI is offering 4.3 million for help finding top hackers * [ ] A petition for Ellen Pao to leave Reddit has topped 150K signatures Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.