Synopsis
Rapid7 podcast series discussing all things security. Join us as we discuss information security with thought leaders in the space.
Episodes
-
John Rouffas on Building a Security Function
02/02/2022 Duration: 29min
Interview Links
Take up John on the offer to spam him on LinkedIn.
Learn more about what intelliflo is up to.
Rapid Rundown Links
Check out CISA’s KEV list.
Read up on the 8 vulnerabilities recently added to KEV.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
-
Mike Hanley of GitHub on the Log4j Vulnerability
19/01/2022 Duration: 45min
Interview Links
Read GitHub’s blog on the Log4j vulnerability, and the follow-up.
Check out GitHub’s Dependabot.
Find out Why Johnny Can’t Encrypt.
Learn about GitHub’s Sponsor Program.
Read about the work going on at OpenSSF.
Delve into Mike’s blog post on GitHub’s exploit code policy.
Rapid Rundown Links
Get the info on Microsoft’s emergency fixes for Windows Server and VPN bugs.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
-
Chris John Riley on Minimum Viable Secure Product (MVSP)
24/11/2021 Duration: 48min
Interview Links
Listen to Chris’s podcast, First Impressions.
Check out the other, Jane Austen-themed First Impressions podcast.
Learn more about MVSP at the official site and in this blog post from Google.
Read up on the ETSI standard Jen mentioned.
Revisit our previous episode on Disclose.io with Casey Ellis.
Rapid Rundown Links
Read about the Sky router vulnerability.
If you just can’t wait till January to hear from us again, revisit Season 4.
-
Michael Powell on Being a Cyber Envoy
10/11/2021 Duration: 36min
Interview links
Learn more about the UK’s Department for International Trade.
Rapid Rundown links
Check out inTheWild, and follow them on Twitter.
Grab our 2022 planning resource. (Note! This is a direct PPTX link — don't be alarmed by the sudden download.)
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
-
Pete Cooper and Irene Pontisso of the UK Cabinet Office on Their Cybersecurity Culture Competition
04/11/2021 Duration: 21min
Apply to phase one of the UK Cabinet Office's Small Business Research Initiative (SBRI): Reducing Public Sector Risk through Culture Change.
Want to tell a friend? Feel free to use this friendlier, human-readable and -speakable link: https://r-7.co/cabinet-office-culture-competition
Note the deadline is fast approaching: Monday, November 8, 2021, 17:00 London UK time, and the research initiative is open to all small businesses with strong ties to the United Kingdom.
-
Jack Cable on Ransomwhere
27/10/2021 Duration: 38min
Interview Links
Check out the Ransomwhere site.
Listen to our previous episode with Jack on election security.
Rapid Rundown Links
Read the CISA notification on the critical RCE vulnerability in Discourse.
See Discourse’s announcement of the vulnerability on GitHub.
Peruse Discourse’s technical blog post about it.
Check out Discourse’s security program and policies.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
-
Michael Daniel on the Cyber Threat Alliance
13/10/2021 Duration: 48min
Interview links
Follow Michael on Twitter @CyAlliancePrez
Learn more about the Cyber Threat Alliance
Check out the Ransomware Task Force, which Michael co-chairs
Read Jen's position piece on hack back
Rapid Rundown links
Read the full text of the Cyber Incident Reporting Act
Refresh your memory on the SolarWinds data breach
See who's on the House Homeland Security Committee
-
Rob Graham on Mike Lindell's Cyber Symposium
29/09/2021 Duration: 51min
Interview Notes
Rob's live Tweet thread
Rob's archive of the provided RTFs (hex decoded)
Rob's BLX Container Extractor
All about Dennis Montgomery. Warning: this is a Wiki rabbit hole.
A torrent of several gigs of data from the Cyber-Symposium is available at: magnet:?xt=urn:btih:39a9590de21e77687fdf7eacee4dd743f2683d72&dn=cyber-symposium&tr=udp://9.rarbg.me:2780/announce
Rapid Rundown Notes
The original Bleeping Computer story on Microsoft shutting off Basic Auth
The related story about Amit's Autodiscover bug finding that may have prompted the above
A somewhat early reference to some WPAD bugs
The earliest reference Tod could find about WPAD exploits... which happened to be written by the very same Tod back in 2009.
-
Craig Williams of Cisco Talos on Proxyware
15/09/2021 Duration: 42min
Interview Links
Craig is on Twitter, but his OpSec is pretty tight so good luck getting that follow back.
You can read up on Cisco Talos, and check their most recent on proxyware here.
Rapid Rundown Links
Check out the Bleeping Computer story on the ATM robbers.
Back in 2016, Rapid7's Weston Hecker demonstrated some EMV attacks.
But that doesn't matter because about half of all U.S. gas stations still don't operate with EMV payment.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
-
Jill Fraser and Deborah Blyth on Securing Colorado
01/09/2021 Duration: 36min
Interview Links
National Cyber Security Center
Colorado Cyber Resource Center
Cybersecurity HSAC Subcommittee
Rapid Rundown Links
Firefox follows Chrome and prepares to block insecure downloads, by Catalin Cimpanu
hxxp://smart4alarm.com/ is the website Tod ran into that plops an APK right in your Downloads with no clicks. Is this okay?
-
Daniel Crowley on running a cybersecurity internship
18/08/2021 Duration: 38min
Interview Links:
IBM X-Force Red Internship program now open for Summer 2022 applicants!
The original Watchfire paper on HTTP Request Smuggling from 2005
HTTP request smuggling reborn, by James Kettle
HTTP/2 Request Smuggling from DEF CON 2021
Free TCP/IP bugs
Free ICS bugs
Snyk's Zip Slip research
Rapid Rundown Links:
All the DEF CON videos
Tempest Radio Station presentation by Paz Hameiri
Tempest Radio Station paper
How to get started in cybersecurity AMA on Reddit
Rob Graham's live Tweeting of the Cyber Symposium
-
Richard Kaufmann on Cybersecurity in Home Healthcare
04/08/2021 Duration: 35min
From the discussion with Richard:
Amedisys, Richard's home healthcare employer
S02E06: Our first time around with Richard
S02E10: The mentioned episode with Oliver Day
From the Rapid Rundown:
The Record on the PyPI bug
The original research from RyotaK
Jen's Python joke
-
Philipp Amann on No More Ransomware
28/07/2021 Duration: 43min
Philipp Amann is the Head of Strategy at the European Cybercrime Center
No More Ransom, an incredibly useful self-serve library of ransomware crackers, from Alpha to Ziggy
Need some specific guidance on what to do if you suffer a ransomware attack? Check out NMR's publication!
Also mentioned was Europol's annual Internet Organised Crime Threat Assessment report, which is a great read
Interested in partnering with NMR? Send in a request here!
The Rapid Rundown is mostly about the PetitPotam proof-of-concept NTLM attack, as discovered by @topotam77
Microsoft's helpful mitigation KB for the same
The SANS Diary writeup of this novel NTLM attack quite capably demonstrates the risks of this attack
-
Brian Honan on creating Ireland's first CERT
21/07/2021 Duration: 54min
Want to know more? Check out these links!
The very best place to have a few beers while at Infosec Europe in person is, naturally, the Prince of Teck
Follow-up to the HSE attack in Ireland, from ZDNet's Danny Palmer
Ireland's first CERT, co-founded by Brian Honan; they announced their intention for IRISSCON 2021 in November on Twitter
Rob Wright, of SearchSecurity, interviewed Jeremiah Grossman about SentinelOne's cyber warranty program
Real quick correction for the Rapid Rundown: In the original recording, Tod once accidentally referred to "14.4" as the current version of iOS, when he should have said 14.6. He edited that correction directly in the audio and tried to make it sound normal. But, with that said, 14.7 was released right before we published this episode, but we still don't know if the DoS was fixed there.
Now for the links mentioned in the Rapid Rundown:
WifiDemon is described in detail over at ZecOps
Apple Developer Support, which notes what's current out in the iOS
-
Jonathan Cran on growing a cybersecurity startup
07/07/2021 Duration: 43min
Intrigue.IO
The Monpass breach
Avast's findings on Monpass
Apple trusted root certificates
Mozilla trusted root certificates
Microsoft trusted root certificates
-
Don Spies and Kim Grauer on tracking illicit Bitcoin transactions
23/06/2021 Duration: 45min
https://go.chainalysis.com/2021-Crypto-Crime-Report.html
Tod is not Satoshi. Nor is he HD Moore, nor is he Dustin Trammell. It's wild how many people Tod isn't.
Cyberscoop's Tim Stark covers the Hydra dark net marketplace, mentioned by Kim.
The Vice story on 2G-era crypto breakage and the research paper it covers.
Detroit News on election audits in Cheboygan County, which Tod is… worried about. If you live in Michigan, tell us what you think.
-
Jeff Man goes to bat for PCI DSS
09/06/2021 Duration: 48min
If you're interested in learning more about the Payment Card Industry Data Security Standard (PCI DSS), head on over to https://www.pcisecuritystandards.org/. You should also check out Jeff's regular podcast, Security & Compliance Weekly.
If you're wondering how GitHub actually landed on their new acceptable use policy (AUP), check the diff, or read Mike Hanley's explainer blog on the same. To cap it off, see the DoJ's press release about seizing 63.7 Bitcoin, which, at this moment, is worth about USD$2 million.
-
Robert Black discusses misdirecting and gaslighting attackers in your network
26/05/2021 Duration: 55min
Follow the Deception Lab on Twitter, and get up to speed on how to leverage the "digital, physical, and psychological" elements of the cyber battle space.
As for the news, you can check out the original release from Google (now edited to include the four in-the-wild bugs), as well as read the referenced Ransomware Task Force Report.
-
Megan Stifel and Ciaran Martin discuss the sticky issue of ransomware payments
12/05/2021 Duration: 56min
After the deep dive on ransomware payments and how to beat back this latest crime wave, we spend several minutes in the Rapid Rundown NOT talking about the Colonial Pipeline ransomware event. Instead, we jump into Google's renewed push for automatic enrollment in 2FA, I mean, 2SV. Hooray MFA!
Links:
Read the Ransomware Task Force Report (mentioned throughout the episode)
See Bleeping Computer's coverage of Google's default 2SV
Biographical notes:
Megan Stifel is Executive Director, Americas, at the Global Cyber Alliance. She previously served as Cybersecurity Policy Director at Public Knowledge. Prior to her work with nonprofits, Megan served as a Director for International Cyber Policy at the National Security Council and in the U.S. Department of Justice, including as Director for Cyber Policy in the National Security Division and as counsel in the Criminal Division’s Computer Crime and Intellectual Property Section. Ms. Stifel was previously in private practice, where she advised clients on sanctio
-
Marina Ciavatta and int eighty Put the Fun into Hacking With Hacking Esports and Dual Core Music
28/04/2021 Duration: 43min
Marina and int eighty talk about how they came up with the idea for the Twitch livestream, what they’ve learned along the way, and future plans for the games. We also speak with int eighty about his “hacker rapper” gig, Dual Core Music.
This episode's Rapid Rundown comes with a rare content warning: We're discussing the life, impact, and passing of Dan Kaminsky. It gets pretty emotional, as you might expect. As Matt Blaze said, may his memory be a blessing.
Enjoy the links below for more!
Hacking Esports on Twitter and Twitch
More about Dual Core (also on Twitter)
Duo's cartoon about the Kaminsky Bug
Dan Kaminsky's New York Times obituary
Dan's 2016 r00tz talk, "How the Internet Actually Works", is on YouTube, thanks to the r00tz channel.