Unsupervised Learning With Daniel Miessler

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] The hack of Mossak Fonseca has been tied to a breach of their wordpress install through a plugin called Revolution Slider, leading to the Panama Papers breach. So just to be clear, we might have just seen the biggest data leak […] -- :: Unsupervised Learning: Episode 35 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] — I think a lot about how to become immortal. More than I should, probably. Many think it’s a waste of time. Everyone dies, and it’s foolish to think we can avoid it. This piece takes a different view, and describes a number of ways, with varying levels of requirement and effectiveness, one can either avoid dying or live on after death. They’ll go from most practical to most effective. 1. Live On Through Your Children This one is cheating a bit, mostly because you’re not actually becoming immortal. But the fact remains that this does give many people (probably billions) a genuine feeling of lastingness, and that’s significant. Again, I don’t really count it because it’s an extremely tenuous way of living on, but it deserves mention. 2. Live On Through Your Works This one is kind of like the first, in that you’re not actually getting to continue living. So it’s a bit of a misnomer too.

News [ ] Panama Papers leak [ ] Hackers targeting major US law firms [ ] Ubuntu has some kernel vuln patches out [ ] 50 million turkish citizens have their information dumped online [ ] Microsoft makes cloud-app security services now available (Adallom) [ ] OSVDB shutting down because nobody would pay them [ ] WhatsApp is now end-to-end encrypted [ ] Critical new Flash bug, expect Ransomware to leverage it [ ] Security salaries skyrocketing due to talent shortage | http://www.csoonline.com/article/3049374/security/survey-with-all-eyes-on-security-talent-shortage-sends-salaries-sky-high.html [ ] Data exfiltration using Smart Lightbulbs | http://www.scribd.com/doc/306620189/Eyal-Ronen-and-Adi-Shamir-Hack-Lightbulbs [ ] Significant Firefox extensions bug, look for a patch soon [ ] $40 attack that steals police drones from 2 kilometers away | http://www.theregister.co.uk/2016/04/01/hacker_reveals_40_attack_to_steal_28000_drones_from_2km_away/ | break wep, disconnect their controller, connec

[ Subscribe to the Podcast: iTunes | Android | RSS ] News * [ ] Verizon Enterprise Solutions had a major data breach of their customer data. This is the group that handles breaches for their customers. “Virtually every attack in this data set (98 percent) was opportunistic in nature, all aimed at easy marks…” * [ ] Iranians charged with attacks against US banks and a New York dam * [ ] Hackers steal 81 billion from the Federal reserve bank of New York * [ ] Uber launches bug bounty program, describes the surface area. Someone said it was really bad, though. Not sure what that’s about * [ ] New ultra-fast SSD technology coming from Intel soon * [ ] FBI backs off request for Apple backdoor. Says they have it handled. We find out it’s an Israeli company * [ ] Water treatment plant hacked, chemical mix changed for tap supplies | http://www.theregister.co.uk/2016/03/24/water_utility_hacked/ * [ ] German steel mill compromised and wrecked a blast furnace * [ ] This is after a string of attacks against power

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] FBI saying it will force Apple to hand over source code and signing ability if they don’t comply | http://thehackernews.com/2016/03/fbi-apple-iphone.html [ ] Locky ransomware campaign, JS downloader [ ] X11 forwarding issue in OpenSSH, update now [ ] Seagate Phish Exposes All […] -- :: T1SP: Episode 31 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] [ UPDATE: Much credit to Sam for engaging in the conversation. I’m not sure how people claim he’s closed on this topic when he is clearly open to exploring it. ] I don't agree with all of it. But this is a very good response to my remarks about encryption. https://t.co/rMl8zgtuWN@danielmiessler— Sam Harris (@SamHarrisOrg) February 28, 2016 — I’ve been planning on doing a podcast episode on the Apple encryption debate for some time, but I was unsure of the format I should use. This problem was just solved for me when I listened to Sam Harris—who is someone I respect greatly—miss the mark significantly in a recent podcast. The thing that compelled me to respond was the fact that I don’t often disagree with Sam. His logic is usually impeccable, and we often end up with nearly identical opinions. So it was somewhat surreal to hear him be wrong about something. Or at least disagree with me (which, of

[ Subscribe to the Podcast: iTunes | Android | RSS ] News * [ ] Apple calls out FBI on iPhone decryption case * [ ] Trump calls for a boycott of Apple, from an iPhone * [ ] Judge Rules FBI Must Reveal Malware It Used to Hack Over 1,000 Computers * [ ] Wow. Someone hacked @linuxmint’s website and replaced ISOs with backdoored version today http://blog.linuxmint.com/?p=2994  * [ ] This affects a universally used library (glibc) at a universally used protocol (DNS).  Generic tools that we didn’t even know had network surface (sudo) are thus exposed, as is software written in programming languages designed explicitly to be safe. ~ Dan Kaminsky * [ ] Mint Forum Hacked, website compromised, fake downloads posted * [ ] TeslaCrypt now targeting Joomla sites as well as WordPress * [ ] Hollywood Hospital pays 17K to decrypt files; hope they cleaned up afterwards otherwise they’ll be paying rent * [ ] Patch your vServer; RCE flaw * [ ] Power grid honeypot by MalCrawler Ideas, updates, and discussion * [ ]

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] Major Cisco ASA buffer overflow; patch now [ ] Critical patches for Windows and Flash [ ] The FBI is officially investigating Hillary Clinton regarding her private email server [ ] NSA doing a complete reorg (basically combining defense and offense) […] -- :: T1SP: Episode 28 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] Heavy surveillance around the Super Bowl [ ] A new BlackEnergy spear phishing campaign is targeting more Ukrainian companies [ ] Magneto, the popular e-commerce CMS, releases fixes to critical XSS issues [ ] Someone has posted private files of America’s […] -- :: T1SP: Episode 27 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] Backdoor found in AMX devices that run corporate and government conference rooms [ ] Autopwn every Android device on your network using BetterCap and addJavascritInterface [ ] Cyber insurance challenged: a lawsuit for failing to cover a 500K loss in Houston […] -- :: T1SP: Episode 26 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] News * [ ] TrendMicro node.js server listening on localhost can execute commands; exposed to the internet * [ ] SSH backdoor found in Fortinet firewalls * [ ] SSH client vulnerability * [ ] Australia’s Cybercrime Online Reporting Network (ACORN) received over 39K reports of criminal activity in 2015 * [ ] Hyatt names 250 hotels hit by malware, includes the one for DerbyCon * [ ] Web sense rebranding as Forepoint, acquires Intel’s firewall business * [ ] Twitter might be ending its 140 character limit * [ ] Major vulns still being found in Health and Fitness mobile apps * [ ] Angler exploit kit continues to evade detection * [ ] LostPass attack is a phishing email attack that works against LastPass (showed at Shmoocon this weekend) * [ ] Virus just took down the Melbourne Health computer system * [ ] Lastpass has found a workaround for the LostPass attack * [ ] A bit match fixing problem has been found in Tennis * [ ] Trustwave is being sued by Affinity

[ Subscribe to the Podcast: iTunes | Android | RSS ] News * [ ] Norse lays of 20 people; not clear what percentage that is; threat intel not going so well? * [ ] OPM declines to release details on its big breach * [ ] Juniper says it’s going to remove the code that it thinks was developed by the NSA to eavesdrop on traffic * [ ] CVE details lists (OS X, iOS, Flash, Air, IE, Chrome, Firefox) as the software with the most issues * [ ] GM is going to do a bug bounty * [ ] The Hacker Manifesto turned 30 (My crime is that of curiosity) * [ ] Sophos Home free for Windows and Mac users * [ ] SF Yellowcab filling for bankruptcy * [ ] Hackers shut down Ukraine power grid; evidently a malicious word doc sent via email; supposedly the Sandworm Team * [ ] Bicycle Attack on TLS: https://guidovranken.files.wordpress.com/2015/12/https-bicycle-attack.pdf * [ ] North Korea evidently detonated a hydrogen bomb * [ ] Time warner customers lose email passwords (320K) * [ ] Microsoft killing off IE 8, 9, and 10 on January 12

[ Subscribe to the Podcast: iTunes | Android | RSS ] News * [ ] Juniper backdoor; could have been found with diff; signs point to NSA * [ ] RCE on FireEye appliances * [ ] Hyatt got hacked; malware on POS * [ ] 45K drones registered with FAA within 2 days * [ ] Industry moving towards password-free logins; still single factor, now the factor is your device; although access to device could require factors * [ ] Microsoft will now tell you if your account has been targeted by government authorities * [ ] Tor announced it’s doing a bug bounty, looks like it’ll be internal * [ ] Steam had a DoS that revealed 34K user details * [ ] Linode has been suffering a massive DDoS on its datacenters, DNS infrastructure * [ ] Spy files found in North Korea’s Operating System Ideas, updates, and discussion * [ ] 3 things you should do every January * [ ] Web Scanner Series: Burp vs. Netsparker * [ ] When you’re interviewing, make sure you make it clear that you’re the asset too, not just them * [ ] Failing at the ba

[ Subscribe to the Podcast: iTunes | Android | RSS ] In this episode I explore the topic of Security and Obscurity by reading my popular essay on the topic. Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

[ Subscribe to the Podcast: iTunes | Android | RSS ] Topics for this episode: News * [ ] Stringing Shodan to exploitation * [ ] Why you need to check HaveIBeenPwned * [ ] Another DELL root cert hacked * [ ] ISIS OPSEC advice (data privacy, tor, crytocat, telegram, proton mail, gps features on mobile devices, etc.) They also mention not to use instagram because Facebook has a poor privacy record. * [ ] Obama wants to make it harder for terrorists to use technology to escape from justice * [ ] DHS giving companies free penetration tests * [ ] Issues in Honeywell gas detectors (path traversal and clear-text passwords) * [ ] UAE Bank declines to pay ransom, data released * [ ] Swift is open source * [ ] Amazon two-factor now available * [ ] Credit freeze vs. monitoring * [ ] Thousands of IoT devices sharing the same SSH keys * [ ] Many people predicting that 2016 is the year that Apple gets targeted by more attackers * [ ] Engine Immobilizers hackable over the internet Announcements * [ ] Speaking at

Topics for this episode: News and analysis * [ ] Ads using high frequency sound to communicate across devices. The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product. * [ ] Conficker in police body cameras (windows brute force tool) * [ ] Siri iOS data extraction. Tv reporter * [ ] The eye of Siri * [ ] Read top stories from the security news site * [ ] Expect to see concealed carry increase in the united states * [ ] Starwood hotels hit with POS malware * [ ] How to Deploy Splunk AD Monitoring in 437 Easy Steps * [ ] PCs being shipped with MiTM certs in them (supply chain security)

Companies don't want employees, and they're doing their best to get rid of them. We should be getting ready for this.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Topics for this episode: News and analysis * [ ] A couple of months into my job with IOActive * [ ] Paris Attacks: resilience vs. prevention * [ ] Updating the OWASP IoT Project (no longer the Top 10) It’s an umbrella project. * [ ] Adding to the IoT project the SCADA Top 10 List (read the list), and Nabil Ouchn is going to be project leader on that project * [ ] Pentagon farms coding to Russia * [ ] Crypto email service pays ransom, gets taken out anyway * [ ] Blackout Europe shows vulnerabilities in LTE. Forced leak of location within 2-KM radius. Were also able to block LTE and force 3G or 2G. * [ ] Onapsis talks SAP HANA vulnerabilities. They’re config issues, and aren’t patchable, and include: remote file writes, remote directory deletions, moving files to where they can be access remotely, remote command execution, and remote python execution. To fix, you have to upgrade to the latest version and reconfigure your system. Also two issues with the database that allow HTTP RCE and SQL RCE. * [ ] TPP

Topics for this episode: News and analysis * Sonar framework * Schneider Electric SCADA issues revealed at DEFCON * Ashley Madison hack, extortion will become more common, passwords added to SecLists * Hackers attack PR firm and manipulate stocks * Uber is quadrupling their security staff in 2015 * Android vulnerabilities lately Ideas and commentary * Business-based hacking: extortion-based hacking, ransomware, prediction-based hacking, PR releases, etc. Find the leverage, then execute the hack * My problem with threat intelligence * Optimal playlists for getting work done: baroque, no words, medium volume, 60 beats per minute * Ambient sound as two-factor, which goes to my idea of continuous authentication * How standardization and insurance will change security * Miller (mlr) is like sed, awk, join, cut, and sort, but for name:index data such as CSV * Participation in the OWASP IoT Project, Sasa Zdjelar is going to work on an IOT disposition project, Digicert is possibly working on a secure updates

[ NOTE: There are spoilers below, not just for this episode but for the show in general. ] Enough people have asked me to start doing reviews of Mr. Robot episodes that I’m going to have a go at it. The deciding factor was the fact that I had such a strong desire to write during the third episode. I’m going to start here with thoughts on the show in general, not just on episode 3. Mr. Robot in general The character The main protagonist is an interesting character. He is what the writer evidently wants to capture, or actually believes to be, the template for a true hacker, which is highly damaged. I am quite struck with the focus that is placed on how truly messed up he is. He has major drama with the way his father was killed. He largely hates society. He has deep personal depression. And he’s a user of narcotics. I’m left thinking along the lines of a Hemingway type of artist, where the best creativity (in this case hacking) comes from those wo are the most tortured internall