Weekly podcast where three security buddies discuss security topics.

https://s3.us-east-2.amazonaws.com/pod-public-media-files/2021/6/24/19/de4640a4-772f-4807-a115-90e5eac9ef39_3sb-ep8.mp3

Follow up:<ul><li>No follow ups</li></ul> Topics:<ul><li>NIST changing password requirements</li><li>Roundtable how we got into security + suggestions</li></ul> Paul Rant:<ul><li>Paul is on vacation. No Rants.  </li></ul> Links:<ul><li><a href="https://pages.nist.gov/800-63-3/sp800-63b.html" rel="nofollow">https://pages.nist.gov/800-63-3/sp800-63b.html</a> </li><li><a href="https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords" rel="nofollow">https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords</a> </li></ul> Hosts:Paul Kehrer @reaperhulkRobert Clark @hyakuheiMatías Brutti @MrBrutti Special Guest:Travis McPeak @travismcpeak  Post-Production:Matias Brutti @MrBrutti Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

3SB-8: Password Complexity

https://s3.us-east-2.amazonaws.com/pod-public-media-files/2021/6/16/3/7b16bebe-997d-4d97-a42b-bccacb2044ea_3sb-ep7.mp3

Follow up:<ul><li>US is elevating ransomware the same level of terrorism.</li></ul> Topics:<ul><li>Apple Security WWDC</li><li>Move beyond passwords ( iCloud Keychain WebAuthN keys ) </li><li>Discover account-driven User Enrollment</li><li>Secure login with iCloud Keychain verification codes ( domain-binding apple-totp )</li><li>Polkit PrivEsc</li><li>Growing abuse of Kubernetes (it’s not containers) </li></ul> Paul Rant:<ul><li>Apple Bug Report blackhole  </li></ul> Links:<ul><li><a href="https://www.reuters.com/technology/exclusive-us-give-ransomware-hacks-similar-priority-terrorism-official-says-2021-06-03/" rel="nofollow">https://www.reuters.com/technology/exclusive-us-give-ransomware-hacks-similar-priority-terrorism-official-says-2021-06-03/</a> </li><li><a href="https://threatpost.com/microsoft-cryptomining-kubeflow/166777/" rel="nofollow">https://threatpost.com/microsoft-cryptomining-kubeflow/166777/</a></li><li><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" rel="nofollow">https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/</a> </li></ul> Hosts:Paul Kehrer @reaperhulkRobert Clark @hyakuheiMatías Brutti @MrBrutti Post-Production:Matias Brutti @MrBrutti Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

3SB-7: 🍎 Security Worms

https://s3.us-east-2.amazonaws.com/pod-public-media-files/2021/6/9/21/9d61eed1-fe21-46af-a3f7-2d31f7d39d59_3sb-ep6.mp3

Follow up: - Nothing this week Topics:<ul><li>Automated Fuzzing Testing in Go</li><li>Stack Overflow Supply Chain Attacks</li><li>Deps.dev</li><li>Update on Github’s policies regarding exploits, malware, and vulnerability research</li></ul>Paul Rant:<ul><li>Pinning dependencies on Libraries </li></ul> Links:<ul><li><a href="https://therecord.media/two-attacks-disclosed-against-amds-sev-virtual-machine-protection-system/" rel="nofollow">https://blog.golang.com/fuzz-beta</a></li><li><a href="https://www.wsj.com/articles/software-developer-community-stack-overflow-sold-to-tech-giant-prosus-for-1-8-billion-11622648400" rel="nofollow">https://www.wsj.com/articles/software-developer-community-stack-overflow-sold-to-tech-giant-prosus-for-1-8-billion-11622648400</a></li><li><a href="https://deps.dev" rel="nofollow">https://deps.dev</a></li><li><a href="https://github.blog/2021-06-04-updates-to-our-policies-regarding-exploits-malware-and-vulnerability-research/" rel="nofollow">https://github.blog/2021-06-04-updates-to-our-policies-regarding-exploits-malware-and-vulnerability-research/</a></li></ul> Hosts:Paul Kehrer @reaperhulkRobert Clark @hyakuheiMatías Brutti @MrBrutti Post-Production:Matias Brutti @MrBrutti Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

3SB-6: Dependency Hell

https://s3.us-east-2.amazonaws.com/pod-public-media-files/2021/6/3/6/06e5533c-a710-4eb5-ab0e-c6d47523c4eb_3sb-ep5.mp3

Follow up:<ul><li>Vaxxed || Mask Rant Update</li><li>WhatsApp will not be removing functionality.</li></ul> Topics:<ul><li>OpenSSL Rustification</li><li>Data without context is useless </li><li>AMD attacks on Virtual Machine Protection System.</li><li>M1ssing Register Access Controls Leak EL0 State</li></ul> Paul Rant:<ul><li>QC35 switch is garbage. GARBAGE!</li></ul> Links:<ul><li><a href="https://therecord.media/two-attacks-disclosed-against-amds-sev-virtual-machine-protection-system/" rel="nofollow">https://therecord.media/two-attacks-disclosed-against-amds-sev-virtual-machine-protection-system/</a></li><li><a href="https://m1racles.com" rel="nofollow">https://m1racles.com</a></li></ul> Hosts:Paul Kehrer @reaperhulkRobert Clark @hyakuheiMatías Brutti @MrBrutti Post-Production:Matias Brutti @MrBrutti Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

3SB-5: Hardware Apocalypses

https://s3.us-east-2.amazonaws.com/pod-public-media-files/2021/5/26/6/59045ae9-2dfb-4027-b384-746098e77aa1_3sb-ep4.mp3

Episode Follow up:<ul><li>Codecov Mercari </li><li>Audacity Open Source Telemetry </li></ul> Topics:<ul><li>WhatsApp: Give me your privacy or I will stop working. </li><li>Russian Keyboard as a first line of defense </li><li> Craig Federighi MacOS vs iOS Security Model </li></ul> Paul Rant:<ul><li>Vaxxed or Mask. Trust by Verify Rant by Matias Brutti. </li></ul> Links:<ul><li>https://about.mercari.com/en/press/news/articles/20210521_incident_report/</li><li>https://github.com/audacity/audacity/discussions/889</li><li>https://blog.malwarebytes.com/privacy-2/2021/05/whatsapp-calls-and-messages-will-break-unless-you-share-data-with-facebook/</li><li>https://www.schneier.com/blog/archives/2021/05/adding-a-russian-keyboard-to-protect-against-ransomware.html</li><li>https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/</li><li>https://9to5mac.com/2021/05/19/craig-federighi-mac-malware-problem/</li><li>https://www.imore.com/craig-federighi-defends-iphone-security-throwing-mac-under-bus</li></ul> Hosts:Paul Kehrer @reaperhulkRobert Clark @hyakuheiMatías Brutti @MrBrutti Post-Production:Matias Brutti @MrBrutti Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

3SB-4: EuroCyberVision

https://s3.us-east-2.amazonaws.com/pod-public-media-files/2021/5/19/6/ebae294e-1919-4b83-adeb-c415c51c9604_3sb-ep-3.mp3

Episode 2 Follow up:<ul><li>CodeCov continues to claim victims. Rapid7 &amp; Twilio. </li></ul> Topics:<ul><li>Rob’s python adventures</li><li>Alfredos mouse mic</li><li>FragAttack</li><li>CyberBattleSiem</li></ul> Paul Rant:<ul><li>ZeroTrust Executive Order By Robert </li></ul>Links:<ul><li><a href="https://www.rapid7.com/blog/post/2021/05/13/rapid7s-response-to-codecov-incident/" rel="nofollow">https://www.rapid7.com/blog/post/2021/05/13/rapid7s-response-to-codecov-incident/</a> </li><li><a href="https://www.twilio.com/blog/response-to-the-codecov-vulnerability" rel="nofollow">https://www.twilio.com/blog/response-to-the-codecov-vulnerability</a></li><li><a href="https://github.com/ortegaalfredo/mousemic" rel="nofollow">https://github.com/ortegaalfredo/mousemic</a> </li><li><a href="https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/fragattack-new-wi-fi-vulnerabilities-that-affect-basically-everything/" rel="nofollow">https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/fragattack-new-wi-fi-vulnerabilities-that-affect-basically-everything/</a></li><li><a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/" rel="nofollow">https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/</a> </li></ul> Hosts:Paul Kehrer @reaperhulkRobert Clark @hyakuheiMatías Brutti @MrBrutti Post-Production:Matias Brutti @MrBrutti Disclaimer:  The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

3SB-3: Zero Trust Cyber

https://s3.us-east-2.amazonaws.com/pod-public-media-files/2021/5/11/22/cd9bd302-edcf-4336-acc9-f9f459ccaff6_3sb-ep2.mp3

Episode 1 follow up:<ul><li>Signal continues to make the news. This time hacking Privacy </li></ul> Topics:<ul><li>CocoaPods Trunk: Remote Code Execution found </li><li>Cosign - container image signing. </li><li>TBONE hacking Tesla from a drone with zero clicks. </li><li>SAML XML Injections </li><li>Tinker Twitter threat on: real &amp; physical occupational hazard for infosec.</li><li>1Password Secrets Automation </li><li>Google mandatory MFA</li></ul> Paul’s rant:<ul><li>-blockchain tuna tracking </li></ul> Links:<ul><li><a href="https://signal.org/blog/the-instagram-ads-you-will-never-see/" rel="nofollow">https://signal.org/blog/the-instagram-ads-you-will-never-see/</a></li><li><a href="https://blog.cocoapods.org/CocoaPods-Trunk-RCE/" rel="nofollow">https://blog.cocoapods.org/CocoaPods-Trunk-RCE/</a> </li><li><a href="https://justi.cz/security/2021/04/20/cocoapods-rce.html" rel="nofollow">https://justi.cz/security/2021/04/20/cocoapods-rce.html</a></li><li><a href="https://blog.1password.com/introducing-secrets-automation/?utm_campaign=davenewsletter&utm_medium=email&utm_source=newsletter" rel="nofollow">https://blog.1password.com/introducing-secrets-automation/</a></li><li><a href="https://kunnamon.io/tbone/" rel="nofollow">https://kunnamon.io/tbone/</a></li><li><a href="https://research.nccgroup.com/2021/03/29/saml-xml-injection/" rel="nofollow">https://research.nccgroup.com/2021/03/29/saml-xml-injection/</a></li><li><a href="https://security.googleblog.com/2021/05/making-internet-more-secure-one-signed.html" rel="nofollow">https://security.googleblog.com/2021/05/making-internet-more-secure-one-signed.html</a> </li><li>https://twitter.com/TinkerSec/status/1388107620574171140</li><li><a href="https://blog.google/technology/safety-security/a-simpler-and-safer-future-without-passwords/" rel="nofollow">https://blog.google/technology/safety-security/a-simpler-and-safer-future-without-passwords/</a></li></ul> Hosts:Paul Kehrer @reaperhulkRobert Clark @hyakuheiMatías Brutti @MrBrutti Post-Production:Matias Brutti @MrBrutti Disclaimer:  The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

Episode 1 follow up:
Signal continues to make the news. This time hacking Privacy 

Topics:
CocoaPods Trunk: Remote Code Execution found 
Cosign - container image signing. 
TBONE hacking Tesla from a drone with zero clicks. 
SAML XML Injections 
Tinker Twitter threat on: real & physical occupational hazard for infosec.
1Password Secrets Automation 
Google mandatory MFA

Paul’s rant:
-blockchain tuna tracking 

Links:
https://signal.org/blog/the-instagram-ads-you-will-never-see/
https://blog.cocoapods.org/CocoaPods-Trunk-RCE/ 
https://justi.cz/security/2021/04/20/cocoapods-rce.html
https://blog.1password.com/introducing-secrets-automation/
https://kunnamon.io/tbone/
https://research.nccgroup.com/2021/03/29/saml-xml-injection/
https://security.googleblog.com/2021/05/making-internet-more-secure-one-signed.html 
https://twitter.com/TinkerSec/status/1388107620574171140
https://blog.google/technology/safety-security/a-simpler-and-safer-future-without-passwords/

Hosts:
Paul Kehrer @reaperhulk
Robert Clark @hyakuhei
Matías Brutti @MrBrutti

Post-Production:
Matias Brutti @MrBrutti

3SB-2: BlockChain Tuna

https://s3.us-east-2.amazonaws.com/pod-public-media-files/2021/5/4/2/a2df8b71-2cae-4faf-b0a8-ecf712914064_3sb-ep1.mp3

Episode 0 follow up:- Signal legal consequences. Robert was right. Topics:<ul><li>Hypocrite commits </li><li>Apple AirDrop PII leak</li><li>ZK proof Vuln Disclosure</li><li>Software RAID recovery rant by Paul</li></ul> Links:<ul><li>AirDrop Leak paper (<a href="https://www.usenix.org/system/files/sec21fall-heinrich.pdf" rel="nofollow">https://www.usenix.org/system/files/sec21fall-heinrich.pdf</a>) presented in August at the USENIX Security Symposium</li><li><a href="https://www.scmagazine.com/home/security-news/vulnerabilities/darpa-is-creating-zero-knowledge-proofs-for-vulnerability-disclosure/" rel="nofollow">https://www.scmagazine.com/home/security-news/vulnerabilities/darpa-is-creating-zero-knowledge-proofs-for-vulnerability-disclosure/</a></li></ul> Disclaimer:  The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

3SB-1: A New Beginning