Security Nation

Tod and Jen and Jennifer on Season 5 of Security Nation

No Rapid Rundown this time! But you can get links to all the past episodes in Season 5, here: Never Mind the Ears, Here's Security Nation

Jeremi Gosney on the Psychology of Password Hygiene

Interview links Jeremi on Password Nihilism The Rails bug Jeremi referenced Rapid Rundown links Risky Business Newsletter on fake PoCs: "GitHub aflood with fake and malicious PoCs" The cited paper: "How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub" Also relevant is Honeysploit by Curtis Brazzell Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor,...

James Kettle of PortSwigger on Advancing Web-Attack Research

Interview Links Prior Security Nation episode in which loads of PortSwigger references were dropped: https://www.rapid7.com/blog/post/2021/08/18/security-nation-daniel-crowley/ New research from James about browser-powered desync attacks: https://portswigger.net/research/browser-powered-desync-attacks Rapid Rundown Links Semi-secret Fortinet advisory:  https://twitter.com/Gi7w0rm/status/1578398457227878407 CVE Details as they come:  https://www.rapid7.com/blog/post/2022/10/07/cve-20...

Taki Uchiyama of Panasonic on Product Security and Incident Response

Interview Links Check out Panasonic's delightful PSIRT page – especially if you have a vulnerability in one of Panasonic's many, many products to report. Rapid Rundown Links Check out Inti's research on "oops, we made a surveillance system" at notmyplate.com. Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Chris Levendis and Lisa Olson on Cloud CVEs

Interview Links Check out the CVE blog post on handling cloud vulnerabilities. Read up on the rules for assigning CVEs. See an example cloud CVE affecting Microsoft Azure. Read the Microsoft Security Response Center’s blog post on cloud vulnerabilities. Rapid Rundown Links Check out Dominic White’s tweet on iOS remembered networks. Read the update on the recently released RFC 9293. Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with y...

Gordon “Fyodor” Lyon on Nmap, the Open-Source Security Scanner

Interview Links Check out Nmap if, for some reason, you haven’t already. Learn about Npcap, the packet capture library tool that Gordon and his company also offer. Watch Gordon and HD Moore, the creator of Metasploit, chat about the evolution of network scanning on YouTube. Rapid Rundown Links Read the Bleeping Computer story on hackers using DeFi bugs to steal cryptocurrency. Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your fav...

Jen and Tod on Hacker Summer Camp 2022

Learn more about some of our favorite presentations from the Vegas conferences, including:  Susan Paskey on threat hunting in MFA logs Jeremi Gosney on "passwords, but nihilism" (an apparently unscheduled, live threat modeling exercise on password risks) Patrick Wardle on Zoom LPE vulnerabilities Gaurav Keerthi, Pete Cooper, and Lily Newman on global policy challenges Jake Baines on Cisco ASA vulnerabilities and weaknesses (check out the blog post, too) Jonathan Leitschuh on fixing OSS...

Curt Barnard on Defaultinator (Black Hat Arsenal Preview)

Interview links Learn all about Defaultinator. Read up on the Raspberry Pi default password vulnerability. Check out the GitHub repositories for Defaultinator. Rapid Rundown links Read Derek Abdine's disclosures on Arris and Arris-like routers. Check out the Security Boulevard article on keeping PoCs secret. Peruse Matt Blaze’s tweet thread on teaching physical security secrets despite complaints from locksmiths. Like the show? Want to keep Jen and Tod in the podcasting business? Fee...

Jacques Chester of Shopify Talks CVSS Scores

Interview Links A Closer Look at CVSS Scores Rapid Rundown Links Bleeping Computer story: PyPI mandates 2FA for critical projects, developer pushes back Twitter thread on deleting atomicwrites, and undeleting it PyPi issues mentioned https://github.com/pypi/warehouse/issues/11625 https://github.com/pypi/warehouse/issues/11805 https://github.com/pypi/warehouse/issues/11798 Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favor...

Pete Cooper and Irene Pontisso on the Results of the UK Government’s Security Culture Challenge

Interview Links Revisit our first episode with Peter and Irene from Season 4. Read the paper on the UK government’s cybersecurity strategy through 2030. Rapid Rundown Links Check out the article on so-called pig-butchering scams. Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Steve Micallef of SpiderFoot on Open-Source Intelligence

Interview Links Follow Steve on Twitter, and give the SpiderFoot official account a follow while you’re at it. Check out the SpiderFoot website and GitHub page, and learn more about the SaaS version, SpiderFoot HX. Learn about the latest SpiderFoot 4.0 release with YAML correlation rules.  Read Steve’s blog, especially his posts on the 10 years developing SpiderFoot and the misuse of OSINT to claim election fraud. Rapid Rundown Links Read the full paper, “A Closer Look at CVSS Scores.”...

Phillip Maddux on HoneyDB, the Open-Source Honeypot Data Project

Interview Links Check out the latest on HoneyDB. Interested in participating in the project? Head to the HoneyDB Agent Docs. Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Omer Akgul and Richard Roberts on YouTube VPN Ads

Interview Links Check out Omer and Richard’s paper. Learn more about Omer’s work and Richard’s work. Rapid Rundown Links Read the news about the change in DOJ policy toward ethical hackers. Visit the Rapid7 blog on the same topic. Dive into Harley’s great Twitter thread on the topic. Read up on the HiQ and Missouri cases mentioned. Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Jim O’Gorman and g0tmi1k on Kali Linux

Interview Links Learn more about Kali Linux. Check out what they’re up to over at Offensive Security. Follow g0tmi1k on Twitter, and check out his blog. Rapid Rundown Links Read the Krebs on Security article on the upcoming password changes. Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Whitney Merrill on the Crypto & Privacy Village (and the Latest in Data Privacy)

Interview Links Follow Whitney on Twitter, and check out her website. Submit a CFP for this year’s Crypto & Privacy Village at DEF CON. Rapid Rundown Links Read Neil Madden’s blog post on psychic signatures. Follow Neil Madden on Twitter. Check out Project Wycheproof on GitHub. Learn about Mount Wycheproof (the actual mountain). Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Kate Stewart on Open-Source Projects at the Linux Foundation

Interview Links Read Project Zephyr’s blog post on Amnesia33. Get Linux’s perspective on SBOM. Listen to our previous episode on SBOM with Josh Corman and Audra Hatch. Check out Zephyr’s Renode dashboard. Learn about the Software Package Data Exchange (SPDX) specification from ISO. Rapid Rundown Links Read the story on the npm protestware. Peruse the issue logged against the project on Github. See Dark Reading’s homage to Mike Murray. Watch Mike Murray talk about hiring hackers. L...

David Rogers on IoT Security Legislation

Interview Links Listen to David’s previous Security Nation episode Give him a follow on Twitter. Read up on the PTSI bill. Learn who the heck Mystic Meg is. Check out ETSI (not the home crafts marketplace). Rapid Rundown Links Download Rapid7’s Vulnerability Intelligence Report. Check out AttackerKB. Listen to Caitlin Condon, lead author of the report, on Duo’s Decipher podcast. Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with yo...

Bob Lord on Securing the DNC

Interview Links Follow Bob on Twitter. Check out the DNC Security Checklist. Rapid Rundown Links Read the paper on VPN influencer ads on YouTube. Give the lead author, Omer, a follow on Twitter. Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Matthew Kienow on Open-Source Security and the Recog Framework

Interview Links Learn more about Metasploit, AttackerKB, and Recog. Read Matthew’s blog post on open-source security. Remind yourself about Log4Shell (if you dare). Read up on Linus’s Law. Rapid Rundown Links Read the Bleeping Computer article about DDoS amplification. Check out the original USENIX paper.

Amit Serper on Finding Leaks in Autodiscover

Interview Links Follow Amit on Twitter at @0xAmit. Read Amit’s blog post on the Autodiscover leak. Rapid Rundown Links Read up on the vulnerability disclosure metrics from Google’s Project Zero. Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

John Rouffas on Building a Security Function

Interview Links Take up John on the offer to spam him on LinkedIn. Learn more about what intelliflo is up to. Rapid Rundown Links Check out CISA’s KEV list. Read up on the 8 vulnerabilities recently added to KEV. Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Mike Hanley of GitHub on the Log4j Vulnerability

Interview Links Read GitHub’s blog on the Log4j vulnerability, and the follow-up. Check out GitHub’s Dependabot. Find out Why Johnny Can’t Encrypt. Learn about GitHub’s Sponsor Program. Read about the work going on at OpenSSF. Delve into Mike’s blog post on GitHub’s exploit code policy. Rapid Rundown Links Get the info on Microsoft’s emergency fixes for Windows Server and VPN bugs. Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with ...

Chris John Riley on Minimum Viable Secure Product (MVSP)

Interview Links Listen to Chris’s podcast, First Impressions. Check out the other, Jane Austen-themed First Impressions podcast. Learn more about MVSP at the official site and in this blog post from Google. Read up on the ETSI standard Jen mentioned. Revisit our previous episode on Disclose.io with Casey Ellis. Rapid Rundown Links Read about the Sky router vulnerability. If you just can’t wait till January to hear from us again, revisit Season 4.

Michael Powell on Being a Cyber Envoy

Interview links Learn more about the UK’s Department for International Trade. Rapid Rundown links Check out inTheWild, and follow them on Twitter. Grab our 2022 planning resource. (Note! This is a direct PPTX link — don't be alarmed by the sudden download.) Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Pete Cooper and Irene Pontisso of the UK Cabinet Office on Their Cybersecurity Culture Competition

Apply to phase one of the UK Cabinet Office's Small Business Research Initiative (SBRI): Reducing Public Sector Risk through Culture Change. Want to tell a friend? Feel free to use this friendlier, human-readable and -speakable link: https://r-7.co/cabinet-office-culture-competition Note the deadline is fast approaching: Monday, November 8, 2021, 17:00 London UK time, and the research initiative is open to all small businesses with strong ties to the United Kingdom.

Jack Cable on Ransomwhere

Interview Links Check out the Ransomwhere site. Listen to our previous episode with Jack on election security. Rapid Rundown Links Read the CISA notification on the critical RCE vulnerability in Discourse. See Discourse’s announcement of the vulnerability on GitHub. Peruse Discourse’s technical blog post about it. Check out Discourse’s security program and policies. Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite pod...

Michael Daniel on the Cyber Threat Alliance

Interview links Follow Michael on Twitter @CyAlliancePrez Learn more about the Cyber Threat Alliance Check out the Ransomware Task Force, which Michael co-chairs Read Jen's position piece on hack back Rapid Rundown links Read the full text of the Cyber Incident Reporting Act Refresh your memory on the SolarWinds data breach See who's on the House Homeland Security Committee 

Rob Graham on Mike Lindell's Cyber Symposium

Interview Notes Rob's live Tweet thread Rob's archive of the provided RTFs (hex decoded) Rob's BLX Container Extractor All about Dennis Montgomery. Warning: this is a WIki rabbit hole. A Torrent of several gigs of data from the Cyber-Symposium is available at: magnet:?xt=urn:btih:39a9590de21e77687fdf7eacee4dd743f2683d72&dn=cyber-symposium&tr=udp://9.rarbg.me:2780/announce Rapid Rundown Notes The original Bleeping Computer story on Microsoft shutting off Basic Auth The related story ...

Craig Williams of Cisco Talos on Proxyware

Interview Links Craig is on Twitter, but his OpSec is pretty tight so good luck getting that follow back. You can read up on Cisco Talos, and check their most recent on proxyware here. Rapid Rundown Links Check out the Bleeping Computer story on the ATM robbers. Back in 2016, Rapid7's Weston Hecker demonstrated some EMV attacks. But that doesn't matter because about half of all U.S. gas stations still don't operate with EMV payment. Like the show? Want to keep Jen and Tod in the podca...

Jill Fraser and Deborah Blyth on Securing Colorado

Interview Links National Cyber Security Center Colorado Cyber Resource Center Cybersecurity HSAC Subcommittee Rapid Rundown Links Firefox follows Chrome and prepares to block insecure downloads by Catalin Cimpanu hxxp://smart4alarm.com/ is the website Tod ran into that plops an APK right in your Downloads with no clicks. Is this okay?

Daniel Crowley on running a cybersecurity internship

Interview Links: IBM X-Force Red Internship program now open for Summer 2022 applicants! The original Watchfire paper on HTTP Request Smuggling from 2005 HTTP request smuggling reborn by James Kettle HTTP/2 Request Smuggling from DEF CON 2021 Free TCP/IP bugs Free ICS bugs Snyk's Zip Slip research Rapid Rundown Links: All the DEF CON videos Tempest Radio Station Presentation by Paz Hameiri Tempest Radio Station paper How to get started in cybersecurity AMA on Reddit Rob Graham's...

Richard Kaufmann on Cybersecurity in Home Healthcare

From the discussion with Richard: Amedisys, Richard's home healthcare employer S02E06: Our first time around with Richard S02E10: The mentioned episode with Oliver Day From the Rapid Rundown: The Record on the PyPI bug The original research from RyotaK Jen's Python  joke  

Philipp Amann on No More Ransomware

  Philipp Amann is the Head of Strategy at European Cybercrime Center No More Ransom, an incredibly useful self-serve library of ransomware crackers, from Alpha to Ziggy Need some specific guidance on what to do if you suffer a ransomware attack? Check out NMR's publication! Also mentioned was Europol's annual Internet Organised Crime Threat Assessment report, which is a great read Interested in partnering with NMR? Send in a request here! The Rapid Rundown is mostly about the PetitPot...

Brian Honan on creating Ireland's first CERT

Want to know more? Check out these links! The very best place to have a few beers while at Infosec Europe in person is, naturally, the Prince of Teck Follow up to the HSE attack in Ireland, from ZDNet's Danny Palmer Ireland's first CERT, co-founded by Brian Honan; they announced their intention for IRISSCON 2021 in November on Twitter Rob Wright, of SearchSecurity, interviewed Jeremiah Grossman about SentinelOne's cyber warranty program Real quick correction for the Rapid Rundown: In th...

Jonathan Cran on growing a cybersecurity startup

Intrigue.IO The Monpass breach Avast's findings on Monpass Apple trusted root certificates Mozilla trusted root certificates Microsoft trusted root certificates

Don Spies and Kim Grauer on tracking illicit Bitcoin transactions

https://go.chainalysis.com/2021-Crypto-Crime-Report.html Tod is not Satoshi. Nor is he HD Moore, nor is he Dustin Trammel. It's wild how many people Tod isn't. Cyberscoop's Tim Stark covers the Hydra dark net marketplace, mentioned by Kim. The Vice story on 2G-era crypto breakage and the research paper it covers. Detroit News on election audits in Cheboygan County, which Tod is… worried about. If you live in Michigan, tell us what you think.

Jeff Man goes to bat for PCI DSS

If you're interested in learning more about the Payment Card Industry Data Security Standard (PCI DSS), head on over to https://www.pcisecuritystandards.org/. You should also check out Jeff's regular podcast, Security & Compliance Weekly. If you're wondering how GitHub actually landed on their new acceptable use policy (AUP), check the diff, or read Mike Hanley's explainer blog on the same. To cap it off, see the DoJ's press release about seizing 63.7 Bitcoin, which, at this moment, is wort...

Robert Black discusses misdirecting and gaslighting attackers in your network

Follow the Deception Lab on Twitter, and get up to speed on how to leverage the "digital, physical, and psychological" elements of the cyber battle space. As for the news, you can check out the original release from Google (now edited to include the four in-the-wild bugs), as well as read the referenced Ransomware Task Force Report.

Megan Stifel and Ciaran Martin discuss the sticky issue of ransomware payments

After the deep dive on ransomware payments and how to beat back this latest crime wave, we spend several minutes in the Rapid Rundown NOT talking about the Colonial Pipeline ransomware event. Instead, we jump into Google's renewed push for automatic enrollment in 2FA, I mean, 2SV. Hooray MFA! Links: Read the Ransomware Task Force Report (mentioned throughout the episode) See Bleeping Computer's coverage of Google's default 2SV Biographical notes: Megan Stifel is Executive Director, Amer...

Marina Ciavatta and int eighty Put the Fun into Hacking With Hacking Esports and Dual Core Music

Marina and int eighty talk about how they came up with the idea for the Twitch livestream, what they’ve learned along the way, and future plans for the games. We also speak with int eighty about his “hacker rapper” gig, Dual Core Music. This episode's Rapid Rundown comes with a rare content warning: We're discussing the life, impact, and passing of Dan Kaminsky. It gets pretty emotional, as you might expect. As Matt Blaze said, may his memory be a blessing. Enjoy the links below for more! ...

Marina Ciavatta and int80 Put the Fun into Hacking With Hacking Esports and Dual Core Music

Marina and int80 talk about how they came up with the idea for the Twitch livestream, what they’ve learned along the way, and future plans for the games. We also speak with int80 about his “hacker rapper” gig, Dual Core Music. This episode's Rapid Rundown comes with a rare content warning: We're discussing the life, impact, and passing of Dan Kaminsky. It gets pretty emotional, as you might expect. As Matt Blaze said, may his memory be a blessing. Enjoy the links below for more! Hacking E...

How Philip Reiner Created the Ransomware Task Force

In our latest episode of Security Nation, we talk to Philip Reiner about his work with the Ransomware Task Force. Stick around for our Rapid Rundown, where Tod talks about a recently released bulletin from CISA about APT exploiting both new and old SAP vulnerabilities.

Beau Woods and Fotios Chantzis Discuss Their New Book, "Practical IoT Hacking"

In our latest episode of Security Nation, we speak with Beau Woods and Fotios Chantzis about their newly released book, "Practical IoT Hacking." Stick around for our Rapid Rundown, where Tod encourages listeners to patch their Apple iOS devices against the recently announced WebKit bug, and to not panic about PHP's compromised Git server.

Nontraditional Paths into Cybersecurity, Part 3: Starburst Data's Katie Ledoux

In our latest episode of Security Nation, we talk with Katie Ledoux about her unconventional journey into the cybersecurity industry—from her marketing agency days to her time at Rapid7, to her current role as Head of Information Security at Starburst Data. Katie talks about imposter syndrome, what it was like to "start over" in her career,  the importance of contributions from non-technical roles—and, of course, what she would want to see out of a "Hackers" sequel.Stick around for our Rapid ...

The CyberPeace Institute's Adrien Ogee Talks Launching a Nonprofit Amid COVID-19 and the Importance of Healthcare Security

In this week's episode of Security Nation, we interview Adrien Ogee, COO of the CyberPeace Institute.  He discusses what it was like to launch and staff a brand-new nonprofit during the COVID-19 pandemic, and how his team worked to get the cybersecurity industry to trust them and get involved. Adrien also talks about the CyberPeace Institute's recently released "Playing With Lives: Cyberattacks on Healthcare Are Cyberattacks on People" report. Stick around for our Rapid Rundown, where Tod d...

Datto’s Ryan Weeks Discusses a CISO’s Unique Role in Crafting a Pandemic Response

In our latest episode of Security Nation, Ryan Weeks joined the podcast to discuss deploying thousands of assets into a hostile environment: the home offices of workers everywhere as they were forced remote amidst the pandemic. He’ll discuss how he balances privacy expectations with necessary regulations of workers’ computers and phones as they go remote. We’ll also talk about managing an attack surface you don’t understand as well as how lack of transparency can lead to security organization...

Nontraditional Paths Into Security, Part 2: How Steve Ragan Innovates at the Intersection of Journalism and Tech

In our latest episode of Security Nation, Steve Ragan joined the podcast to discuss his unlikely journey from reluctant security expert to journalist. For Steve, having the tech knowledge is important, but so is crafting a good story.     We take deep dives on topics like where the industry was in the ‘90s plus the unique way he approaches Akamai’s “The State of the Internet” report (and their own podcast). We’ll hear why writing with empathy is a foundation of Steve’s process when tackling...

How Santander’s Mark Carney and Daniel Cuthbert Are Working to Demystify Quantum Cryptography

https://community.signalusers.org/t/signal-should-warn-users-who-are-likely-using-insecure-ime-apps/10272

Nontraditional Paths Into Cybersecurity, Part 1: Akamai’s Kathryn Kun

Cub Llewellyn-Davies Discusses the U.K.'s Cyber Aware Campaign and Quick Tips to Shore Up Security

https://www.ncsc.gov.uk/cyberaware/home