- 3SB-8: Password Complexity
Follow up:
- No follow ups
Topics:
- NIST changing password requirements
- Roundtable how we got into security + suggestions
Paul Rant:
- Paul is on vacation. No Rants.
Links:
- https://pages.nist.gov/800-63-3/sp800-63b.html
- https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords
Hosts:
Paul Kehrer @reaperhulk
Robert Clark @hyakuhei
Matías Brutti @MrBrutti
Special Guest:
Travis McPeak @travismcpeak
Post-Production:
Matias Brutti @MrBrutti
Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.
1h 0m | Jun 24, 2021
- 3SB-7: 🍎 Security Worms
Follow up:
- US is elevating ransomware to the same priority level as terrorism.
Topics:
- Apple Security WWDC
- Move beyond passwords ( iCloud Keychain WebAuthN keys )
- Discover account-driven User Enrollment
- Secure login with iCloud Keychain verification codes ( domain-binding apple-totp )
- Polkit PrivEsc
- Growing abuse of Kubernetes (it’s not containers)
Paul Rant:
- Apple Bug Report blackhole
Links:
- https://www.reuters.com/technology/exclusive-us-give-ransomware-hacks-similar-priority-terrorism-official-says-2021-06-03/
- https://threatpost.com/microsoft-cryptomining-kubeflow/166777/
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
Hosts:
Paul Kehrer @reaperhulk
Robert Clark @hyakuhei
Matías Brutti @MrBrutti
Post-Production:
Matias Brutti @MrBrutti
1h 28m | Jun 16, 2021
- 3SB-6: Dependency Hell
Follow up:
- Nothing this week
Topics:
- Automated fuzz testing in Go (native fuzzing beta)
- Stack Overflow Supply Chain Attacks
- Deps.dev
- Update on Github’s policies regarding exploits, malware, and vulnerability research
Paul Rant:
- Pinning dependencies on Libraries
Links:
- https://blog.golang.com/fuzz-beta
- https://www.wsj.com/articles/software-developer-community-stack-overflow-sold-to-tech-giant-prosus-for-1-8-billion-11622648400
- https://deps.dev
- https://github.blog/2021-06-04-updates-to-our-policies-regarding-exploits-malware-and-vulnerability-research/
Hosts:
Paul Kehrer @reaperhulk
Robert Clark @hyakuhei
Matías Brutti @MrBrutti
Post-Production:
Matias Brutti @MrBrutti
54m | Jun 9, 2021
- 3SB-5: Hardware Apocalypses
Follow up:
- Vaxxed || Mask Rant Update
- WhatsApp will not be removing functionality.
Topics:
- OpenSSL Rustification
- Data without context is useless
- Two disclosed attacks on AMD's SEV virtual machine protection system.
- M1ssing Register Access Controls Leak EL0 State
Paul Rant:
- QC35 switch is garbage. GARBAGE!
Links:
- https://therecord.media/two-attacks-disclosed-against-amds-sev-virtual-machine-protection-system/
- https://m1racles.com
Hosts:
Paul Kehrer @reaperhulk
Robert Clark @hyakuhei
Matías Brutti @MrBrutti
Post-Production:
Matias Brutti @MrBrutti
1h 5m | Jun 3, 2021
- 3SB-4: EuroCyberVision
Episode Follow up:
- Codecov Mercari
- Audacity Open Source Telemetry
Topics:
- WhatsApp: Give me your privacy or I will stop working.
- Russian Keyboard as a first line of defense
- Craig Federighi MacOS vs iOS Security Model
Paul Rant:
- Vaxxed or Mask. "Trust but Verify" rant by Matias Brutti.
Links:
- https://about.mercari.com/en/press/news/articles/20210521_incident_report/
- https://github.com/audacity/audacity/discussions/889
- https://blog.malwarebytes.com/privacy-2/2021/05/whatsapp-calls-and-messages-will-break-unless-you-share-data-with-facebook/
- https://www.schneier.com/blog/archives/2021/05/adding-a-russian-keyboard-to-protect-against-ransomware.html
- https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/
- https://9to5mac.com/2021/05/19/craig-federighi-mac-malware-problem/
- https://www.imore.com/craig-federighi-defends-iphone-security-throwing-mac-under-bus
Hosts:
Paul Kehrer @reaperhulk
Robert Clark @hyakuhei
Matías Brutti @MrBrutti
Post-Production:
Matias Brutti @MrBrutti
1h 6m | May 26, 2021
- 3SB-3: Zero Trust Cyber
Episode 2 Follow up:
- CodeCov continues to claim victims. Rapid7 & Twilio.
Topics:
- Rob’s python adventures
- Alfredo's mouse mic
- FragAttack
- CyberBattleSim
Paul Rant:
- ZeroTrust Executive Order By Robert
Links:
- https://www.rapid7.com/blog/post/2021/05/13/rapid7s-response-to-codecov-incident/
- https://www.twilio.com/blog/response-to-the-codecov-vulnerability
- https://github.com/ortegaalfredo/mousemic
- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/fragattack-new-wi-fi-vulnerabilities-that-affect-basically-everything/
- https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Hosts:
Paul Kehrer @reaperhulk
Robert Clark @hyakuhei
Matías Brutti @MrBrutti
Post-Production:
Matias Brutti @MrBrutti
1h 8m | May 19, 2021
- 3SB-2: BlockChain Tuna
Episode 1 follow up:
- Signal continues to make the news. This time, hacking privacy.
Topics:
- CocoaPods Trunk: Remote Code Execution found
- Cosign - container image signing.
- TBONE hacking Tesla from a drone with zero clicks.
- SAML XML Injections
- Tinker Twitter thread on the real, physical occupational hazards of infosec.
- 1Password Secrets Automation
- Google mandatory MFA
Paul's rant:
- Blockchain tuna tracking
Links:
- https://signal.org/blog/the-instagram-ads-you-will-never-see/
- https://blog.cocoapods.org/CocoaPods-Trunk-RCE/
- https://justi.cz/security/2021/04/20/cocoapods-rce.html
- https://blog.1password.com/introducing-secrets-automation/
- https://kunnamon.io/tbone/
- https://research.nccgroup.com/2021/03/29/saml-xml-injection/
- https://security.googleblog.com/2021/05/making-internet-more-secure-one-signed.html
- https://twitter.com/TinkerSec/status/1388107620574171140
- https://blog.google/technology/safety-security/a-simpler-and-safer-future-without-passwords/
Hosts:
Paul Kehrer @reaperhulk
Robert Clark @hyakuhei
Matías Brutti @MrBrutti
Post-Production:
Matias Brutti @MrBrutti
1h 5m | May 11, 2021
- 3SB-1: A New Beginning
Episode 0 follow up:
- Signal legal consequences. Robert was right.
Topics:
- Hypocrite commits
- Apple AirDrop PII leak
- ZK proof Vuln Disclosure
- Software RAID recovery rant by Paul
Links:
- AirDrop Leak paper (https://www.usenix.org/system/files/sec21fall-heinrich.pdf) presented in August at the USENIX Security Symposium
- https://www.scmagazine.com/home/security-news/vulnerabilities/darpa-is-creating-zero-knowledge-proofs-for-vulnerability-disclosure/
47m | May 4, 2021
