Security Nation

No Rapid Rundown this time! But you can get links to all the past episodes in Season 5, here:Never Mind the Ears, Here's Security Nation

Interview linksJeremi on Password NihilismThe Rails bug Jeremi referencedRapid Rundown linksRisky Business Newsletter on fake PoCs: "GitHub aflood with fake and malicious PoCs"The cited paper: "How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub"Also relevant is Honeysploit by Curtis BrazzellLike the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview LinksPrior Security Nation episode in which loads of PortSwigger references were dropped:https://www.rapid7.com/blog/post/2021/08/18/security-nation-daniel-crowley/New research from James about browser-powered desync attacks:https://portswigger.net/research/browser-powered-desync-attacksRapid Rundown LinksSemi-secret Fortinet advisory: https://twitter.com/Gi7w0rm/status/1578398457227878407CVE Details as they come: https://www.rapid7.com/blog/post/2022/10/07/cve-2022-40684-remote-authentication-bypass-vulnerability-in-fortinet-firewalls-web-proxies/Existence of Fortinet CVE-2022-40684 PoC posted, but not the PoC itself:https://twitter.com/Horizon3Attack/status/1579285863108087810The Hidden Harms of Silent Patches: https://www.rapid7.com/blog/post/2022/06/06/the-hidden-harm-of-silent-patches/Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview LinksCheck out Panasonic's delightful PSIRT page – especially if you have a vulnerability in one of Panasonic's many, many products to report.Rapid Rundown LinksCheck out Inti's research on "oops, we made a surveillance system" at notmyplate.com.Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview LinksCheck out the CVE blog post on handling cloud vulnerabilities.Read up on the rules for assigning CVEs.See an example cloud CVE affecting Microsoft Azure.Read the Microsoft Security Response Center’s blog post on cloud vulnerabilities.Rapid Rundown LinksCheck out Dominic White’s tweet on iOS remembered networks.Read the update on the recently released RFC 9293.Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview LinksCheck out Nmap if, for some reason, you haven’t already.Learn about Npcap, the packet capture library tool that Gordon and his company also offer.Watch Gordon and HD Moore, the creator of Metasploit, chat about the evolution of network scanning on YouTube.Rapid Rundown LinksRead the Bleeping Computer story on hackers using DeFi bugs to steal cryptocurrency.Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Learn more about some of our favorite presentations from the Vegas conferences, including: Susan Paskey on threat hunting in MFA logsJeremi Gosney on "passwords, but nihilism" (an apparently unscheduled, live threat modeling exercise on password risks)Patrick Wardle on Zoom LPE vulnerabilitiesGaurav Keerthi, Pete Cooper, and Lily Newman on global policy challengesJake Baines on Cisco ASA vulnerabilities and weaknesses (check out the blog post, too)Jonathan Leitschuh on fixing OSS vulnerabilities at scaleEugene Lim on so many iCal standards within standards Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview linksLearn all about Defaultinator.Read up on the Raspberry Pi default password vulnerability.Check out the GitHub repositories for Defaultinator.Rapid Rundown linksRead Derek Abdine's disclosures on Arris and Arris-like routers.Check out the Security Boulevard article on keeping PoCs secret.Peruse Matt Blaze’s tweet thread on teaching physical security secrets despite complaints from locksmiths.Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview LinksA Closer Look at CVSS ScoresRapid Rundown LinksBleeping Computer story: PyPI mandates 2FA for critical projects, developer pushes backTwitter thread on deleting atomicwrites, and undeleting itPyPi issues mentionedhttps://github.com/pypi/warehouse/issues/11625https://github.com/pypi/warehouse/issues/11805https://github.com/pypi/warehouse/issues/11798Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview LinksRevisit our first episode with Peter and Irene from Season 4.Read the paper on the UK government’s cybersecurity strategy through 2030.Rapid Rundown LinksCheck out the article on so-called pig-butchering scams.Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview LinksFollow Steve on Twitter, and give the SpiderFoot official account a follow while you’re at it.Check out the SpiderFoot website and GitHub page, and learn more about the SaaS version, SpiderFoot HX.Learn about the latest SpiderFoot 4.0 release with YAML correlation rules. Read Steve’s blog, especially his posts on the 10 years developing SpiderFoot and the misuse of OSINT to claim election fraud.Rapid Rundown LinksRead the full paper, “A Closer Look at CVSS Scores.”Follow the author, Jacques Chester, on Twitter.Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview LinksCheck out the latest on HoneyDB.Interested in participating in the project? Head to the HoneyDB Agent Docs.Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview LinksCheck out Omer and Richard’s paper.Learn more about Omer’s work and Richard’s work.Rapid Rundown LinksRead the news about the change in DOJ policy toward ethical hackers.Visit the Rapid7 blog on the same topic.Dive into Harley’s great Twitter thread on the topic.Read up on the HiQ and Missouri cases mentioned.Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview LinksLearn more about Kali Linux.Check out what they’re up to over at Offensive Security.Follow g0tmi1k on Twitter, and check out his blog.Rapid Rundown LinksRead the Krebs on Security article on the upcoming password changes.Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview LinksFollow Whitney on Twitter, and check out her website.Submit a CFP for this year’s Crypto & Privacy Village at DEF CON.Rapid Rundown LinksRead Neil Madden’s blog post on psychic signatures.Follow Neil Madden on Twitter.Check out Project Wycheproof on GitHub.Learn about Mount Wycheproof (the actual mountain).Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview LinksRead Project Zephyr’s blog post on Amnesia33.Get Linux’s perspective on SBOM.Listen to our previous episode on SBOM with Josh Corman and Audra Hatch.Check out Zephyr’s Renode dashboard.Learn about the Software Package Data Exchange (SPDX) specification from ISO.Rapid Rundown LinksRead the story on the npm protestware.Peruse the issue logged against the project on Github.See Dark Reading’s homage to Mike Murray.Watch Mike Murray talk about hiring hackers.Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview LinksListen to David’s previous Security Nation episodeGive him a follow on Twitter.Read up on the PTSI bill.Learn who the heck Mystic Meg is.Check out ETSI (not the home crafts marketplace).Rapid Rundown LinksDownload Rapid7’s Vulnerability Intelligence Report.Check out AttackerKB.Listen to Caitlin Condon, lead author of the report, on Duo’s Decipher podcast.Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview LinksFollow Bob on Twitter.Check out the DNC Security Checklist.Rapid Rundown LinksRead the paper on VPN influencer ads on YouTube.Give the lead author, Omer, a follow on Twitter.Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Interview LinksLearn more about Metasploit, AttackerKB, and Recog.Read Matthew’s blog post on open-source security.Remind yourself about Log4Shell (if you dare).Read up on Linus’s Law.Rapid Rundown LinksRead the Bleeping Computer article about DDoS amplification.Check out the original USENIX paper.

Interview LinksFollow Amit on Twitter at @0xAmit.Read Amit’s blog post on the Autodiscover leak.Rapid Rundown LinksRead up on the vulnerability disclosure metrics from Google’s Project Zero.Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.