Unsupervised Learning With Daniel Miessler

Topics for this episode: * iOS flaw * The Chinese hacking campaign against the US * Breach at Recorded future * Hacking cars through key fobs * NSA/GCHQ hacking of people through security software * Snowden’s documents in the hands of the Chinese and Russians * Samsung re-enabling Windows Update * Mr. Robot * Blackhat/DEFCON Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Play Podcast START CONTENT * Singtel buys Trustwave * Snowden does interview with John Oliver * CheckPoint buys Lacoon * Everyone’s trying to do everything, which gives the big people a major advantage * China melted GitHub * MiTM’d Baidu traffic and modified its analytics JavaScript to make constant requests to GitHub * They did it because GitHub was hosting two mirror repos for content that is banned in China * Also highlights the need for encryption, so that the JS couldn’t have been injected * Obama just came out and said that if you attack us, we’ll sanction you * How does that work exactly, when China makes everything we use? * Then we just found out Russia hacked us through the State Department issue * A major vulnerability was revealed in Inngate routers used in the US and Europe. * It allows attackers to browse and write to the root file system of the devices, changing configuration, distributing malware, etc. * Mostly used in US and European hotels * Attacke

Play Podcast START CONTENT * Twitch, a game streaming service owned by Amazon, was hacked last week * Passwords, emails, usernames, addresses, phone numbers, dates of birth * Amazon bought them last year for almost 1 billion dollars * Bar Mitzvah attack on TLS * Requires that you can sniff traffic * Basically an RC4 problem * Solution is to remove it from your supported algorithms * GitHub Has been hit by a massive DDoS attack * Apparently from China * CSRF vulnerability found in a wind turbine * Allowed you to pull usernames and passwords * Also allowed the password to be changed for the default user, which had admin access * CSRF vulnerability exposes Hilton customer accounts * There was an account rotation issue where you could gain access to their account as long as you could guess their 9-digit username * Snowden says IT workers now the targets of spies * They’re not going after their information, but to use them for access to networks * Premera hacked on same day as Blue Cro

Play Podcast START CONTENT * There was another SQL Injection bug found in SEO by Yoast * It required admins to click a malicious link * Was patched quickly * It’s the plugins that make WordPress vulnerable * Attackers are targeting gamers for ransomware * Virlock is one version of ransomware that not only locks the screen, but infects files * It’s also polymorphic, so it changes itself every time it runs * TeslaCrypt goes after gamers, which seems super smart because they are often addicted * The Hello Barbie doll is recording kids voices and sending the recordings over the Internet for voice recognition * I get asked a lot about what to do about this kind of stuff * Start by making a list of everything that can record voice or audio in your home, and determine what kind of controls you have on them * Assume the worst, even though it’s probably not that bad * US industrial systems attacked 245 times between October 2013 and September 2014 * Most attacks were against Critical

START CONTENT * Sorry about the audio last week; wireless headsets don’t compare to the Yeti * The CIA is focusing on cyberespionage in its new management * Anthem is refusing an audit by the OIG office–an org that audits health care groups that provide services to federal employees * Nothing says I’m guilty like refusing an audit * Reminds me of the Russians refusing the crash investigation in Game of Cards * There’s been a possible credit card breach at the Mandarin Oriental hotel chain * The incident was reported by Brian Krebs * Three people were indicted in the Epsilon hack * Resulted in around 1 billion email addresses being stolen * Dave Aitel thinks junk hacking is a waste * Basically hacking your blender or whatever * In my opinion he’s missing the point that most conferences are like this * I think there’s a hierarchy of talks * Create new defense tool based on new defense idea * Create new defense idea * Create new attack tool based on new attac

START CONTENT * New SSL attack called FREAK * Has to do with falling RSA back to a deprecated and weak level * Requires the client and server are both vulnerable * The solution is to patch * Many orgs will also want to note which servers were vulnerable * The lesson is that you don’t reduce security to increase it * Backdoors x time = regret * Using Ruby’s Open-URI could be dangerous * open-uri monkeypatches kernel.open * open(params[:url]) can execute |ls * Hilary Clinton used a personal email address and did not store correspondence on government servers for her entire 4 years as Secretary of Defense * This seems highly suspect * First you’re putting that data at risk in a personal system * Second you’re obviously trying to hide your conversations * Facebook can access your account without your password * Google no longer encrypting Lollipop by default * Was one of the main selling points for 5, and now it’s gone * They said it was simply a driver issue * DLink

START CONTENT * New stuxnet like piece of malware was discovered * Was found by Kaspersky * Has infected thousands of computers, mostly in Iran * The malware is the most advanced ever found * Can hide on the computer even after reinstall * Many of the names used in the application are known NSA codenames, such as GROK * Wired said those targeted groups were Islamic scholars * The group is called equation group due to the encryption used to hide itself * Car washes hacked by Billie Rios * Bad web software * Default passwords * Submit POST requests * Battery power can be used to track Android phones * Based on the power you use from cell phone tower usage * Obama sides with encryption against government groups * Lenovo laptops spying on you * Can we just say it’s dumb to use things produced in China? END CONTENT Play Podcast ### Notes * Sorry about the pops in the audio. My desk randomly makes loud noises. I’m working on it. Become a Member: https://danielmiessler.com/upgradeSee om

START CONTENT * Ukrainian banks hacked for up to 1 Billion dollars * Evidently installed malware on bank admin machines using phishing * Not sure they have an FDIC * As if the Ukraine didn’t have enough problems * 10 million password project * Mark Burnett posted 10 Million password combinations * Went through a long explanation of why he was doing it * I’ve broken them up and put them in the SecLists project * Jeb Bush leaks personal data * Anthem may have been Heartbleed * Could have been China, but who knows * Reminder about talking about things without information * It’s best to just leave it alone * HP released Home Security Systems report * We found 10/10 systems vulnerable to account harvesting * DARPA Dark Web Search Engine * Stuff not indexed by Google * Tor services, etc. * Obama creating new threat intelligence agency * Unified organization for tracking threats * Looking to partner with private industry as well * Anthem and Cyberinsurance * Up to 200M in cy

START CONTENT * Anthem, the second largest healthcare company, had a major breach * They lost around 80 million socials, addresses, emails, etc., which is roughly double the Target breach * There’s speculation that it was China, trying to penetrate government, but it’s early * Watch for phishing scams related to it * The megabreaches continue…weee! * A WordPress plugin called FancyBox had a serious compromise in it last week, which affected thousands of websites * If you’re going to run WordPress, understand that Plugins are the best way to get yourself hacked * Specifically, the type of plugins that handle user input and do something with it that affects the site’s output * Image manipulation plugins have been particularly vulnerable, usually to XSS * There was another critical Flash vulnerability this week * Like I said last week, and the week before, there’s a first time for everything * Three bug hunters at HP received the 125,000 prize for finding a major vulner

START CONTENT * Ghost bug in PHP could affect millions of servers * Flaw is in glibc, which is extensively by all Linux distributions * Patch and reboot using yum or aptitude * The US Army Released DShell, a malware forensics tool * This is an interesting trend where we see tons of formerly secret groups flock to Github. Great to see * Reddit released its first transparency report last week * Says it received 55 requests for user information * Says it complied with 64% of state and federal requests * Says it received 218 requests for content removal, and complied with 31 percent of those * I am pleased to see them releasing these numbers, and I hope more organizations do the same * The GHCQ was using a program called BADASS to collect data leaked by games such as Angry Birds * Luckily it only affected the 11 people still playing that game * Russian dating site, Topface, got hacked for 20 million usernames * The FBI busted up a Tom Clancy book plot in New York City * The plan was to get infor

START CONTENT * There was an issue with the Marriott website that exposed reservations and payment information. It’s now been fixed * Police are now using a new radar to see into peoples’ homes without a warrant * Security budgets are reportedly going up due to the mega-breaches in 2014 * Also leading to higher pay for CIOs * Anecdotally, I’d say it’s a pretty good time to be in infosec * A new security startup, PFP Cybersecurity, uses power consumption to detect malware * Meant initially to be used for SCADA type systems * The US hacked North Korean computers back in 2010 * This is reportedly the reasons we were so sure they hacked Sony * Recently leaked documents from Snowden show heavy offense * Snowden recently talked to Schneier at Harvard about a number of things * The NSA is becoming increasingly offensively oriented vs. defensive * The NSA supposedly uses compromised systems as jump points * Snowden said most NSA hackers are junior enlisted with limited skills *

START CONTENT * UK police arrest 18-year-old in connection to Playstation and XBox attack * Major ASUS router bug * Local users can take full control without a password * Biggest issue there seems to be DNS hijacking * Legislative attacks on infosec profession and encryption * Anti-hacking law language ambiguous “according to owner” * Obama is said to agree with Cameron, but it’s complicated * Evidence of a plot is different than outlawing encryption * There’s other talk about it being illegal to see hack data * French reporting 19,000 DoS attacks since the shootings * Anonymous is going after ISIS and others * An attack on free speech is an attack on Anonymous * Google releases another Windows flaw that they didn’t fix * Verizon API vulnerability exposes customer email addresses * Issue was with a mobile API used by Android devices * Allowed him to retrieve peoples’ emails and send emails as them * On whether we should trust the FBI regarding the Sony attac

Subscribe to the Podcast: iTunes | Android | RSS START HEADLINES * Google drops security updates for Android 4.3 and below * This is a problem since that’s most of the install-base * Only .1% of users are on Android 5 * Microsoft and Adobe Push Critical Security Fixes * Seems like Google’s been messing up recently, with their attack on Whitehat for the Aviator stuff, their dropping security updates for Android, and now this early release of a bug before there was a fix. * Obama is asking for the removal of a number of state laws that make it harder to get good broadband in the US. * Obama is asking for quicker laws around the disclosure of hacks * One potential law is the Personal Data Notification and Protection Act, which would require companies to notify within 30 days if they get hacked. * The CENTCOM Twitter account got hacked a couple of days ago by some pro-ISIS folks * Obama is looking to improve the sharing of cybersecurity information as a response to the hack * Sammy Kamka