• 3SB-8: Password Complexity
    Jun 24 2021

    Follow up:

    • No follow ups


    Topics:

    • NIST changing password requirements
    • Roundtable how we got into security + suggestions


    Paul Rant:

    • Paul is on vacation. No Rants.  


    Links:

    • https://pages.nist.gov/800-63-3/sp800-63b.html 
    • https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords 


    Hosts:

    Paul Kehrer @reaperhulk

    Robert Clark @hyakuhei

    Matías Brutti @MrBrutti


    Special Guest:

    Travis McPeak @travismcpeak 


    Post-Production:

    Matias Brutti @MrBrutti


    Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers. 


    1 hr
  • 3SB-7: 🍎 Security Worms
    Jun 16 2021

    Follow up:

    • US is elevating ransomware to the same priority level as terrorism.


    Topics:

    • Apple Security WWDC
    • Move beyond passwords (iCloud Keychain WebAuthn keys)
    • Discover account-driven User Enrollment
    • Secure login with iCloud Keychain verification codes (domain-binding apple-totp)
    • Polkit PrivEsc
    • Growing abuse of Kubernetes (it’s not containers) 


    Paul Rant:

    • Apple Bug Report blackhole  


    Links:

    • https://www.reuters.com/technology/exclusive-us-give-ransomware-hacks-similar-priority-terrorism-official-says-2021-06-03/ 
    • https://threatpost.com/microsoft-cryptomining-kubeflow/166777/
    • https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ 


    Hosts:

    Paul Kehrer @reaperhulk

    Robert Clark @hyakuhei

    Matías Brutti @MrBrutti


    Post-Production:

    Matias Brutti @MrBrutti


    Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers. 

    1 hr and 28 mins
  • 3SB-6: Dependency Hell
    Jun 9 2021

    Follow up:

    • Nothing this week


    Topics:

    • Automated fuzz testing in Go
    • Stack Overflow Supply Chain Attacks
    • Deps.dev
    • Update on GitHub’s policies regarding exploits, malware, and vulnerability research

    Paul Rant:

    • Pinning dependencies on Libraries 


    Links:

    • https://blog.golang.com/fuzz-beta
    • https://www.wsj.com/articles/software-developer-community-stack-overflow-sold-to-tech-giant-prosus-for-1-8-billion-11622648400
    • https://deps.dev
    • https://github.blog/2021-06-04-updates-to-our-policies-regarding-exploits-malware-and-vulnerability-research/


    Hosts:

    Paul Kehrer @reaperhulk

    Robert Clark @hyakuhei

    Matías Brutti @MrBrutti


    Post-Production:

    Matias Brutti @MrBrutti


    Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers. 


    55 mins
  • 3SB-5: Hardware Apocalypses
    Jun 3 2021

    Follow up:

    • Vaxxed || Mask Rant Update
    • WhatsApp will not be removing functionality.


    Topics:

    • OpenSSL Rustification
    • Data without context is useless 
    • AMD attacks on Virtual Machine Protection System.
    • M1ssing Register Access Controls Leak EL0 State


    Paul Rant:

    • QC35 switch is garbage. GARBAGE!


    Links:

    • https://therecord.media/two-attacks-disclosed-against-amds-sev-virtual-machine-protection-system/
    • https://m1racles.com


    Hosts:

    Paul Kehrer @reaperhulk

    Robert Clark @hyakuhei

    Matías Brutti @MrBrutti


    Post-Production:

    Matias Brutti @MrBrutti


    Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers. 


    1 hr and 6 mins
  • 3SB-4: EuroCyberVision
    May 26 2021

    Episode Follow up:

    • Codecov Mercari 
    • Audacity Open Source Telemetry 


    Topics:

    • WhatsApp: Give me your privacy or I will stop working. 
    • Russian Keyboard as a first line of defense 
    • Craig Federighi MacOS vs iOS Security Model 


    Paul Rant:

    • Vaxxed or Mask. Trust but Verify rant by Matias Brutti.


    Links:

    • https://about.mercari.com/en/press/news/articles/20210521_incident_report/
    • https://github.com/audacity/audacity/discussions/889
    • https://blog.malwarebytes.com/privacy-2/2021/05/whatsapp-calls-and-messages-will-break-unless-you-share-data-with-facebook/
    • https://www.schneier.com/blog/archives/2021/05/adding-a-russian-keyboard-to-protect-against-ransomware.html
    • https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/
    • https://9to5mac.com/2021/05/19/craig-federighi-mac-malware-problem/
    • https://www.imore.com/craig-federighi-defends-iphone-security-throwing-mac-under-bus



    Hosts:

    Paul Kehrer @reaperhulk

    Robert Clark @hyakuhei

    Matías Brutti @MrBrutti


    Post-Production:

    Matias Brutti @MrBrutti


    Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers. 

    1 hr and 6 mins
  • 3SB-3: Zero Trust Cyber
    May 19 2021

    Episode 2 Follow up:

    • CodeCov continues to claim victims. Rapid7 & Twilio. 


    Topics:

    • Rob’s python adventures
    • Alfredo’s mouse mic
    • FragAttack
    • CyberBattleSim


    Paul Rant:

    • ZeroTrust Executive Order By Robert 

    Links:

    • https://www.rapid7.com/blog/post/2021/05/13/rapid7s-response-to-codecov-incident/ 
    • https://www.twilio.com/blog/response-to-the-codecov-vulnerability
    • https://github.com/ortegaalfredo/mousemic 
    • https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/fragattack-new-wi-fi-vulnerabilities-that-affect-basically-everything/
    • https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ 


    Hosts:

    Paul Kehrer @reaperhulk

    Robert Clark @hyakuhei

    Matías Brutti @MrBrutti


    Post-Production:

    Matias Brutti @MrBrutti


    Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

    1 hr and 8 mins
  • 3SB-2: BlockChain Tuna
    May 11 2021

    Episode 1 follow up:

    • Signal continues to make the news. This time, hacking privacy.


    Topics:

    • CocoaPods Trunk: Remote Code Execution found 
    • Cosign - container image signing. 
    • TBONE: hacking a Tesla from a drone with zero clicks.
    • SAML XML Injections 
    • Tinker Twitter thread on the real and physical occupational hazards of infosec.
    • 1Password Secrets Automation 
    • Google mandatory MFA


    Paul’s rant:

    • Blockchain tuna tracking


    Links:

    • https://signal.org/blog/the-instagram-ads-you-will-never-see/
    • https://blog.cocoapods.org/CocoaPods-Trunk-RCE/ 
    • https://justi.cz/security/2021/04/20/cocoapods-rce.html
    • https://blog.1password.com/introducing-secrets-automation/
    • https://kunnamon.io/tbone/
    • https://research.nccgroup.com/2021/03/29/saml-xml-injection/
    • https://security.googleblog.com/2021/05/making-internet-more-secure-one-signed.html 
    • https://twitter.com/TinkerSec/status/1388107620574171140
    • https://blog.google/technology/safety-security/a-simpler-and-safer-future-without-passwords/


    Hosts:

    Paul Kehrer @reaperhulk

    Robert Clark @hyakuhei

    Matías Brutti @MrBrutti


    Post-Production:

    Matias Brutti @MrBrutti


    Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

    1 hr and 6 mins
  • 3SB-1: A New Beginning
    May 4 2021

    Episode 0 follow up:

    • Signal legal consequences. Robert was right.


    Topics:

    • Hypocrite commits 
    • Apple AirDrop PII leak
    • ZK proof Vuln Disclosure
    • Software RAID recovery rant by Paul


    Links:

    • AirDrop Leak paper (https://www.usenix.org/system/files/sec21fall-heinrich.pdf) presented in August at the USENIX Security Symposium
    • https://www.scmagazine.com/home/security-news/vulnerabilities/darpa-is-creating-zero-knowledge-proofs-for-vulnerability-disclosure/


    Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers.

    47 mins