Firewalls Don't Stop Dragons Podcast

Carey Parker
Aug 16, 2021 • 1h 4min

On a Dark Tangent

Are hackers born or are they made? What is the essence of a true hacker? Today I explore these topics and more with the founder of both DEFCON and Black Hat, Jeff Moss - also known as The Dark Tangent. I also ask Jeff why we seem to suck at cybersecurity, what his top tips are for staying safe online, when DEFCON evolved to be bigger than its founder, how DEFCON has managed to stay focused on its attendees all these years, and how he plans to find a worthy successor to run the DEFCON conference when he inevitably steps aside.

Further Info
DEFCON documentary: https://www.youtube.com/watch?v=3ctQOmjQyYg
Privacy is Power, book by Carissa Véliz: https://www.amazon.com/Privacy-Power-Should-Take-Control/dp/1612199151
My review of Privacy is Power: https://firewallsdontstopdragons.com/privacy-is-power-review/
The Value of Privacy, by Bruce Schneier: https://www.schneier.com/blog/archives/2006/05/the_value_of_pr.html
TED Talk on Privacy by Glenn Greenwald: https://www.ted.com/talks/glenn_greenwald_why_privacy_matters
Hackers, book by Steven Levy: https://www.amazon.com/Hackers-Computer-Revolution-Steven-Levy/dp/1449388396
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Aug 11, 2021 • 1h 32min

Understanding Hackers & Hacking

What is a hacker, exactly? What does it mean to hack something? With all the ransomware attacks and election meddling in the headlines, it's easy to paint all hackers with a broad brush as malicious, self-serving computer criminals. And to be clear, many computer criminals are definitely hackers (some aren't). But the real definition of hacker, the original notion of hacking itself, is something quite different. Nowhere is this more evident than at DEFCON, one of the world's largest hacking conferences. I've been wanting to go to DEFCON for many years, but finally made my pilgrimage to Las Vegas this year for DEFCON 29. My goal was to document first hand, not just the conference, but the culture and the hackers themselves. Because unlike most trade conferences, DEFCON is really about the attendees and the betterment of their craft. Today's show is a non-technical exploration of what it means to be a hacker and why you might aspire to be one yourself.

Further Info
DEFCON documentary: https://www.youtube.com/watch?v=3ctQOmjQyYg
DEFCON 29: https://defcon.org/html/defcon-29/dc-29-index.html
DEFCON 29 media: https://media.defcon.org/DEF%20CON%2029/
Making the DEF CON 29 Badge: https://www.youtube.com/watch?v=H3kdq40PY3s
Soundtrack: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20music/
Preparing for Hacker Summer Camp: https://theplaceboeffects.wordpress.com/2019/07/13/preparing-for-hacker-summer-camp/
Hack-A-Day badge article: https://hackaday.com/2021/08/05/hands-on-def-con-29-badge-embraces-the-new-normal/
DC Tin Foil Hat: @DC_Tin_Foil_Hat (Twitter)
Hackerboxes.com: https://hackerboxes.com/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Generate secure passphrases! https://d20key.com/#/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Aug 2, 2021 • 1h 32min

Selling You Out to the Highest Bidder

Every time you load a web page, your personal data is being shared with thousands of companies. The ad spaces on the page are being auctioned off to the highest bidder in fractions of a second. The Irish Council for Civil Liberties calls this the biggest data breach in history, and is suing the ad tech companies on your behalf to stop this needlessly invasive and dangerous practice. My guest Johnny Ryan will explain how this real-time bidding process works and has insider documentation on the types of extremely personal data that's being shared in order to target those ads to you. Dr. Johnny Ryan is a Senior Fellow at the Irish Council for Civil Liberties, and a Senior Fellow at the Open Markets Institute. He is focused on surveillance, data rights, competition/anti-trust, and privacy. He is former Chief Policy & Industry Relations Officer at Brave, the private web browser. Dr. Ryan led Brave’s campaign for GDPR enforcement, and liaised with government and industry colleagues globally. Previously, Dr. Ryan worked in adtech, media, and policy. His previous roles included Chief Innovation Officer of The Irish Times and Senior Researcher at the Institute of International & European Affairs (IIEA).

Further Info
Irish Council for Civil Liberties lawsuit: https://www.iccl.ie/rtb-june-2021/
Johnny Ryan: https://www.iccl.ie/staff/dr-johnny-ryan/
IAB Audience Taxonomy: https://www.iab.com/guidelines/audience-taxonomy/
IAB Content Taxonomy: https://www.iab.com/guidelines/content-taxonomy/
OpenRTB 3.0 spec: https://github.com/InteractiveAdvertisingBureau/openrtb
Browser plugin: https://chrome.google.com/webstore/detail/bidfilter-header-bidding/addamgcbhieigmdmmaooppajdocgggck
FTC’s data broker report from 2014: Data Brokers: A Call for Transparency and Accountability
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Jul 26, 2021 • 59min

Guard Your Digital Rolodex

Your phone number is arguably as strong a personal identifier as your social security number, passport number or email address. These are things we almost never change any more - meaning that it's an identifier for life. Our cell phones contain a ton of personal information, including our locations (not just now, but over time). Today I'll help you understand why it's so important to protect your cell phone number and digital contact lists. In other news: you need to update everything again... Apple, Microsoft, Google, Adobe; the REvil ransomware gang has disappeared completely from the dark web - and possibly not coincidentally, Kaseya has obtained a universal decryption key for all of its customers (REvil victims); the Pegasus Project appears to have unveiled serious abuses of the NSO Group's spyware; Venmo finally gets rid of the public transaction list; the FBI is using cell site simulators to track cars; and it turns out that it's easy and highly profitable to re-associate people with supposedly anonymous data sets.

Article Links
Apple fixes bug that breaks iPhone WiFi when joining rogue hotspots: https://www.bleepingcomputer.com/news/security/apple-fixes-bug-that-breaks-iphone-wifi-when-joining-rogue-hotspots/
REvil Ransomware Group Missing From Dark Web; Temporary Vacation, or Permanently Out of Business?: https://www.cpomagazine.com/cyber-security/revil-ransomware-group-missing-from-dark-web-temporary-vacation-or-permanently-out-of-business/
The Kaseya Ransomware Nightmare Is Almost Over: https://www.wired.com/story/kaseya-ransomware-nightmare-is-almost-over/
Takeaways from the Pegasus Project: https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/
How to Protect Yourself From the New Windows 10 and 11 Security Bug: https://lifehacker.com/how-to-protect-yourself-from-the-new-windows-10-and-11-1847338342
Venmo removes its global, public feed as part of a major redesign: https://techcrunch.com/2021/07/20/venmo-removes-its-global-public-feed-in-a-significant-app-redesign/
The FBI Is Locating Cars By Spying On Their WiFi: https://www.forbes.com/sites/thomasbrewster/2021/07/22/the-fbi-is-using-stingray-smartphone-surveillance-to-locate-cars-and-spy-on-their-wifi/?sh=113ea16335c8
Inside the Industry That Unmasks People at Scale: https://www.vice.com/en/article/epnmvz/industry-unmasks-at-scale-maid-to-pii
A priest’s phone location data outed his private life. It could happen to anyone.: https://www.washingtonpost.com/technology/2021/07/22/data-phones-leaks-church/
Connected cars: What happens to your data after you leave your rental car behind?: https://www.zdnet.com/article/connected-cars-what-happens-to-your-data-after-you-leave-your-rental-car/
Privacy International 2017 study: http://privacyinternational.org/sites/default/files/2017-12/cars_briefing.pdf

Further Info
Who’s making money on ransomware? https://ransomwhe.re/
No More Ransom: https://www.nomoreransom.org/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Jul 19, 2021 • 1h 10min

It’s Time to Drop the SBOM

The first step to solving any problem is gathering as much information as you can. Unfortunately, today we're basically flying blind when it comes to identifying and resolving latent software bugs in our systems. Software today is made up of dozens if not hundreds of distinct components. Like automobiles, these piece parts can come from many different vendors. And even the parts from those vendors are likely themselves made up of many sub-components from yet other vendors. But you can bet that Ford and Toyota have a complete and accurate list of each and every one of the components in their vehicles - knowing who made them, which lot or batch they were from, which revision of the part they have, and so on. Because at the end of the day, the auto maker is responsible for knowing this in case there's a safety issue. This is not true for software makers... yet. Allan Friedman and his team at the National Telecommunications and Information Administration (NTIA, a part of the Dept. of Commerce) are trying to change that. Allan Friedman is the Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration, which is part of the US Department of Commerce. There he coordinates cross-sector efforts to address key challenges in the cybersecurity ecosystem.

Further Info
NTIA’s SBOM website: https://www.ntia.gov/sbom
Twitter #SBOM: https://twitter.com/search?q=%23SBOM
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Jul 12, 2021 • 1h

How to Keep Ransomware at Bay

Just when you thought it couldn't get worse, the bad guys say "hold my beer". The REvil gang has managed to pull off what appears to be the biggest ransomware infection ever through a clever supply chain attack on a company you've never heard of called Kaseya. Kaseya is what we call a Managed Service Provider, or MSP. They manage software and IT functions for lots of small-to-medium sized businesses, so that those companies don't have to. But this also gives MSPs a very privileged security position, making them a prime target for bad guys wanting to infect a lot of companies with a single hack. Today I'll catch you up on this ongoing horror show and give you some tips on how to avoid becoming a ransomware victim yourself. In other news: Kaspersky Password Manager (KPM) was found to have a bad bug making its generated passwords a lot easier to crack; I'll tell you about how some Brazilian iPhone thieves came up with a clever way to hack your accounts; Google has delayed FLoC and blocking of third-party cookies for at least two years; a Microsoft exec tells the US Congress about how law enforcement and intelligence agencies make thousands of gag-order-restricted demands for data every year; a research group discovers that an old cell phone encryption standard was intentionally weakened to allow easier cracking; Microsoft's PrintNightmare bug is still not fully patched and the back story is a comedy of errors; and with hurricane season upon us, I'll point you to some great tips on preparing for power outages.

Article Links
A popular password manager screwed up, but there's an easy fix: https://mashable.com/article/kaspersky-password-manager-security-bug
Brazilian iPhone thieves demonstrate importance of responsible password practices: https://appleinsider.com/articles/21/07/07/brazilian-iphone-thieves-demonstrate-importance-of-responsible-password-practices
Why Google Can't Bring Itself to Make the Internet Respect Your Privacy: https://www.inc.com/jason-aten/why-google-cant-bring-itself-to-make-internet-respect-your-privacy.html
Microsoft exec: Targeting of Americans’ records ‘routine’: https://apnews.com/article/government-and-politics-technology-business-ed50baf4ffb09ca50cda9b8a262c54ad
Bombshell Report Finds Phone Network Encryption Was Deliberately Weakened: https://www.vice.com/en/article/4avnan/bombshell-report-finds-phone-network-encryption-was-deliberately-weakened
PrintNightmare official patch is out – update now?: https://nakedsecurity.sophos.com/2021/07/07/printnightmare-official-patch-is-out-update-now/
Up to 1,500 businesses infected in one of the worst ransomware attacks ever: https://arstechnica.com/gadgets/2021/07/up-to-1500-businesses-infected-in-one-of-the-worst-ransomware-attacks-ever/

Further Info
Microsoft PrintNightmare patch: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
CISA, FBI share guidance for victims of Kaseya ransomware attack: https://www.bleepingcomputer.com/news/security/cisa-fbi-share-guidance-for-victims-of-kaseya-ransomware-attack/
Ransomware Defense: Top 5 Things to Do Right Now: https://threatpost.com/ransomware-defense-top-5-tips/167536/
How to prepare for a power outage: https://firewallsdontstopdragons.com/how-to-prepare-for-power-outage/
How to safely download software: https://firewallsdontstopdragons.com/how-to-safely-download-software/
Sign up for the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Jul 5, 2021 • 1h 11min

Make That Shaken AND Stirred

Robocalls are the bane of my existence. I get so many spam calls that I've just stopped answering my home phone altogether. I've given out my cell number to fewer people, so thankfully I get fewer junk calls there. But I still won't answer any calls unless I recognize the number. Why is it so easy to spoof caller ID? Well, starting July 1st in the US, mobile carriers are now required to implement a new(ish) set of technologies to make that more difficult: "STIR" ("secure telephone identity revisited") and "SHAKEN" ("signature-based handling of asserted information using tokens"). While not perfect, they should at least help identify shady callers. In today's Tip of the Week, I'll give you some other options for blocking spam calls, as well. Lots of other (mostly bad) cybersecurity news to cover today: Someone scraped a ton of LinkedIn data from over 700M LinkedIn subscribers (about 92% of total users) and posted it for $5000; a very odd and specific WiFi SSID could break your iPhone; 30M Dell computers are vulnerable to a nasty BIOS attack; many users of the old WD My Book Live storage drives have had all their data erased; the REvil ransomware gang has attacked at least 200 companies with a new supply chain hack; Microsoft tries and fails miserably to fix a bad print server bug ("PrintNightmare"); Russian hackers are constantly trying to brute force your bad passwords; and finally, the USA's CISA is warning manufacturers of ThroughTek devices about an exploitable vulnerability in several webcams and IoT devices.

Article Links
Data Scraping Yields 700 Million LinkedIn Profiles for Sale on Dark Web; About 92% Of Platform Users, but Mostly Public Information: https://www.cpomagazine.com/cyber-security/data-scraping-yields-700-million-linkedin
Beware! Connecting to This Wireless Network Can Break Your iPhone's Wi-Fi Feature: https://thehackernews.com/2021/06/beware-connecting-to-this-wireless.html
30M Dell Devices at Risk for Remote BIOS Attacks, RCE: https://threatpost.com/dell-bios-attacks-rce/167195/
Western Digital My Book Live devices being remotely wiped by attackers: https://appleinsider.com/articles/21/06/25/western-digital-my-book-live-devices-being-remotely-wiped-by-attackers
REvil ransomware hits 200 companies in MSP supply-chain attack: https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/
How to Avoid Windows' 'PrintNightmare' Security Threat: https://lifehacker.com/how-to-avoid-windows-printnightmare-security-threat-1847221653
Russian Hackers Are Trying to Brute-Force Hundreds of Networks: https://www.wired.com/story/fancy-bear-russia-brute-force-hacking/
CISA warns manufacturers of ThroughTek vulnerability (webcams): https://www.zdnet.com/article/cisa-warns-manufacturers-of-throughtek-vulnerability/
Robocalls are out of control. But that could all change today: https://www.cnet.com/news/robocalls-are-out-of-control-but-that-could-all-change-today/

Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Jun 28, 2021 • 60min

Sad State of Cybersecurity

Today's news headlines are littered with stories on massive cybersecurity failures: SolarWinds, Microsoft Exchange, Colonial Pipeline, data breaches, ransomware... Are the bad guys ramping up their game? Or are we just really bad at cybersecurity? (Or both?) How do we fix this? Who can lead the charge to improve our cyber defenses and fend off these attacks? Where do we learn best practices? Can new tools like Artificial Intelligence (AI) help us be more secure - or will these tools benefit the bad guys more? In today's show, I discuss the current sorry state of cybersecurity and its foggy future with Josh Jackson from 6clicks! Josh Jackson is an avid student of law, policy, and regulations. He is a speaker on Artificial Intelligence and Automation and a teacher on the Legal and Regulatory Environment of Business. He is passionate about ethics and agency law, and corporate and regulatory risk.

Further Info
6clicks: https://www.6clicks.io/
Cybersecurity Maturity Model: https://www.acq.osd.mil/cmmc/draft.html
Internet of Things Cybersecurity Improvement Act of 2020: https://www.congress.gov/bill/116th-congress/house-bill/1668/text
Only three days to get your challenge coin!! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Jun 21, 2021 • 1h 5min

Hacking Satellites for Fun & Profit

Are satellites really just IoT devices in space? They're small computers connected to the internet, not unlike Nest thermostats, baby video monitors, and smart toasters. You'd think that they'd be a lot more complex and secure... but are they really? My two guests today are running a program to test that very question, and in the process, try to make our military and commercial satellites more secure. We don't think about it, but satellites play a crucial role in our daily lives. GPS satellites are used by airplanes, ships and even agricultural machinery. Weather satellites allow us to predict the path of severe storms and save countless lives. We take them for granted, but these orbiting computers are critical in our modern lives. The Hack-A-Sat contest was created to help ensure the security of these systems. Anyone can enter - and time to register for this year's tournament is running out! Carl Rodio Jr. is Principal Cyber Security Engineer for The MITRE Corporation, supporting the US Space Force Defensive Cyber Operations for Space Systems (DCO-S) program. MITRE operates Federally Funded Research and Development Centers (FFRDCs), which support the US government in a variety of capacities. Jason Williams is a Security Researcher, Engineer, and CEO of Cromulence LLC and a member of Legitimate Business Syndicate (organizers of DEF CON CTF 2012-2017), with 15+ years of experience in cybersecurity and vulnerability research.

Further Info
Hack-A-Sat 2: https://www.hackasat.com/
US Digital Service: https://www.usds.gov/
Cromulence LLC: https://cromulence.com/
MITRE Corp: https://www.mitre.org/
HUGE sale on my book right now! Use code SUMMER2021: https://www.apress.com/us/book/9781484261880
Get your custom d20 challenge coin! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Jun 14, 2021 • 1h 9min

Payment App Privacy Sucks

Payment apps are fairly secure & very convenient, but NOT private. And Venmo is the worst. Venmo is the only payment app that is primarily a "social" app. That's shorthand for "share as much info as possible, with as many people as possible". If you weren't already aware, all Venmo transactions are public by default. (That might come as an unwelcome surprise to the third of millennials who have used Venmo to pay for drugs.) Your Venmo friends list is also public by default, as Joe Biden recently discovered. But perhaps due to that event, Venmo at least now gives you a way to make it private. I'll tell you how to change this and other Venmo privacy settings - and also which apps are better at privacy. Lots of other news to cover today: Amazon Sidewalk has been activated for all new Echo and Ring devices (like it or not), but you can turn it off; Amazon Ring is offering more transparency on requests for video footage by law enforcement; Apple addresses some of the "stalker" privacy concerns with AirTags; apps are sidestepping Apple's new App Tracking Transparency (shocker); TikTok just changed its privacy policy to mention the collection of your biometric info, including "faceprints" and "voiceprints"; we found out how the hackers got into the Colonial Pipeline computers and (maybe) how the FBI managed to get back some of the ransom money; the FBI secretly ran an encrypted communication platform marketed to criminals called Anom; and a new facial recognition service allows you (or some creeper) to search the web for anyone's face for free.

Article Links
Amazon is about to share your Internet connection with neighbors. Here’s how to turn it off.: https://www.washingtonpost.com/technology/2021/06/07/amazon-sidewalk-network/
Ring will require police & fire departments to make public requests for video footage: https://appleinsider.com/articles/21/06/03/ring-will-require-police-fire-departments-to-make-public-requests-for-video-footage
Apple announces AirTag privacy improvements, Android app coming this year: https://9to5mac.com/2021/06/03/airtag-privacy-improvements-sound-android-app/
How to Check Your AirTags Firmware Version: https://www.macrumors.com/how-to/check-airtags-firmware-version/
Apps Continuing to Track Users Despite Apple's Privacy Prompt: https://www.macrumors.com/2021/06/07/apps-continuing-to-track-users/
WhatsApp is getting a crafty new way to verify your identity: https://www.techradar.com/news/whatsapp-is-getting-a-crafty-new-way-to-verify-your-identity
TikTok just gave itself permission to collect biometric data on U.S. users, including ‘faceprints and voiceprints’: https://techcrunch.com/2021/06/03/tiktok-just-gave-itself-permission-to-collect-biometric-data-on-u-s-users-including-faceprints-and-voiceprints/
Ransomware attackers used compromised password to access Colonial Pipeline network: https://www.cnn.com/2021/06/04/politics/colonial-pipeline-ransomware-attack-password/index.html
How could the FBI recover BTC from Colonial’s ransomware payment?: https://nakedsecurity.sophos.com/2021/06/09/how-could-the-fbi-recover-btc-from-colonials-ransomware-payment/
The FBI's Anom Stunt Rattles the Encryption Debate: https://www.wired.com/story/fbi-anom-phone-network-encryption-debate/
This facial recognition website can turn anyone into a cop - or a stalker: https://news.yahoo.com/facial-recognition-website-turn-anyone-113646451.html
VICTORY: You Can Now Make Your Venmo Friends List Private. Here’s How.: https://www.eff.org/deeplinks/2021/06/victory-you-can-now-make-your-venmo-friends-list-private-heres-how

Further Info
HUGE sale on my book right now (55% off)! Use code SUMMER2021: https://www.apress.com/us/book/9781484261880
Get your custom d20 challenge coin! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.
