• 3SB-8: Password Complexity
    Jun 24 2021

    Follow up:

    • No follow-ups


    Topics:

    • NIST changing password requirements
    • Roundtable: how we got into security, plus suggestions


    Paul Rant:

    • Paul is on vacation. No Rants.  


    Links:

    • https://pages.nist.gov/800-63-3/sp800-63b.html 
    • https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords 


    Hosts:

    Paul Kehrer @reaperhulk

    Robert Clark @hyakuhei

    Matías Brutti @MrBrutti


    Special Guest:

    Travis McPeak @travismcpeak 


    Post-Production:

    Matias Brutti @MrBrutti


    Disclaimer: The opinions and security statements on this podcast are our own and do not represent that of our respective past, current or future employers. 


    1 hr
  • 3SB-7: 🍎 Security Worms
    Jun 16 2021

    Follow up:

    • US is elevating ransomware to the same priority level as terrorism.


    Topics:

    • Apple Security WWDC
    • Move beyond passwords (iCloud Keychain WebAuthn keys)
    • Discover account-driven User Enrollment
    • Secure login with iCloud Keychain verification codes (domain-binding apple-totp)
    • Polkit PrivEsc
    • Growing abuse of Kubernetes (it’s not containers) 


    Paul Rant:

    • Apple Bug Report blackhole  


    Links:

    • https://www.reuters.com/technology/exclusive-us-give-ransomware-hacks-similar-priority-terrorism-official-says-2021-06-03/ 
    • https://threatpost.com/microsoft-cryptomining-kubeflow/166777/
    • https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ 


    Hosts:

    Paul Kehrer @reaperhulk

    Robert Clark @hyakuhei

    Matías Brutti @MrBrutti


    Post-Production:

    Matias Brutti @MrBrutti



    1 hr and 28 mins
  • 3SB-6: Dependency Hell
    Jun 9 2021

    Follow up:

    • Nothing this week


    Topics:

    • Automated fuzz testing in Go
    • Stack Overflow Supply Chain Attacks
    • Deps.dev
    • Update on Github’s policies regarding exploits, malware, and vulnerability research

    Paul Rant:

    • Pinning library dependencies


    Links:

    • https://blog.golang.com/fuzz-beta
    • https://www.wsj.com/articles/software-developer-community-stack-overflow-sold-to-tech-giant-prosus-for-1-8-billion-11622648400
    • https://deps.dev
    • https://github.blog/2021-06-04-updates-to-our-policies-regarding-exploits-malware-and-vulnerability-research/


    Hosts:

    Paul Kehrer @reaperhulk

    Robert Clark @hyakuhei

    Matías Brutti @MrBrutti


    Post-Production:

    Matias Brutti @MrBrutti




    55 mins
  • 3SB-5: Hardware Apocalypses
    Jun 3 2021

    Follow up:

    • Vaxxed || Mask Rant Update
    • WhatsApp will not be removing functionality.


    Topics:

    • OpenSSL Rustification
    • Data without context is useless 
    • Attacks on AMD's SEV virtual machine protection system
    • M1ssing Register Access Controls Leak EL0 State


    Paul Rant:

    • QC35 switch is garbage. GARBAGE!


    Links:

    • https://therecord.media/two-attacks-disclosed-against-amds-sev-virtual-machine-protection-system/
    • https://m1racles.com


    Hosts:

    Paul Kehrer @reaperhulk

    Robert Clark @hyakuhei

    Matías Brutti @MrBrutti


    Post-Production:

    Matias Brutti @MrBrutti




    1 hr and 6 mins
  • 3SB-4: EuroCyberVision
    May 26 2021

    Episode follow-up:

    • Codecov Mercari 
    • Audacity Open Source Telemetry 


    Topics:

    • WhatsApp: Give me your privacy or I will stop working. 
    • Russian Keyboard as a first line of defense 
    • Craig Federighi MacOS vs iOS Security Model 


    Paul Rant:

    • Vaxxed or Mask: Trust but Verify rant by Matias Brutti.


    Links:

    • https://about.mercari.com/en/press/news/articles/20210521_incident_report/
    • https://github.com/audacity/audacity/discussions/889
    • https://blog.malwarebytes.com/privacy-2/2021/05/whatsapp-calls-and-messages-will-break-unless-you-share-data-with-facebook/
    • https://www.schneier.com/blog/archives/2021/05/adding-a-russian-keyboard-to-protect-against-ransomware.html
    • https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/
    • https://9to5mac.com/2021/05/19/craig-federighi-mac-malware-problem/
    • https://www.imore.com/craig-federighi-defends-iphone-security-throwing-mac-under-bus



    Hosts:

    Paul Kehrer @reaperhulk

    Robert Clark @hyakuhei

    Matías Brutti @MrBrutti


    Post-Production:

    Matias Brutti @MrBrutti



    1 hr and 6 mins
  • 3SB-3: Zero Trust Cyber
    May 19 2021

    Episode 2 follow-up:

    • Codecov continues to claim victims: Rapid7 and Twilio.


    Topics:

    • Rob's Python adventures
    • Alfredo's mouse mic
    • FragAttack
    • CyberBattleSim


    Paul Rant:

    • Zero Trust Executive Order, by Robert

    Links:

    • https://www.rapid7.com/blog/post/2021/05/13/rapid7s-response-to-codecov-incident/ 
    • https://www.twilio.com/blog/response-to-the-codecov-vulnerability
    • https://github.com/ortegaalfredo/mousemic 
    • https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/fragattack-new-wi-fi-vulnerabilities-that-affect-basically-everything/
    • https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ 


    Hosts:

    Paul Kehrer @reaperhulk

    Robert Clark @hyakuhei

    Matías Brutti @MrBrutti


    Post-Production:

    Matias Brutti @MrBrutti



    1 hr and 8 mins
  • 3SB-2: BlockChain Tuna
    May 11 2021

    Episode 1 follow-up:

    • Signal continues to make the news, this time over privacy.


    Topics:

    • CocoaPods Trunk: remote code execution found
    • Cosign: container image signing
    • TBONE: hacking a Tesla from a drone with zero clicks
    • SAML XML injection
    • Tinker Twitter thread on real, physical occupational hazards for infosec
    • 1Password Secrets Automation 
    • Google mandatory MFA


    Paul's rant:

    • Blockchain tuna tracking


    Links:

    • https://signal.org/blog/the-instagram-ads-you-will-never-see/
    • https://blog.cocoapods.org/CocoaPods-Trunk-RCE/ 
    • https://justi.cz/security/2021/04/20/cocoapods-rce.html
    • https://blog.1password.com/introducing-secrets-automation/
    • https://kunnamon.io/tbone/
    • https://research.nccgroup.com/2021/03/29/saml-xml-injection/
    • https://security.googleblog.com/2021/05/making-internet-more-secure-one-signed.html 
    • https://twitter.com/TinkerSec/status/1388107620574171140
    • https://blog.google/technology/safety-security/a-simpler-and-safer-future-without-passwords/


    Hosts:

    Paul Kehrer @reaperhulk

    Robert Clark @hyakuhei

    Matías Brutti @MrBrutti


    Post-Production:

    Matias Brutti @MrBrutti



    1 hr and 6 mins
  • 3SB-1: A New Beginning
    May 4 2021

    Episode 0 follow-up:

    • Signal legal consequences. Robert was right.


    Topics:

    • Hypocrite commits 
    • Apple AirDrop PII leak
    • ZK proof Vuln Disclosure
    • Software RAID recovery rant by Paul


    Links:

    • AirDrop Leak paper (https://www.usenix.org/system/files/sec21fall-heinrich.pdf) presented in August at the USENIX Security Symposium
    • https://www.scmagazine.com/home/security-news/vulnerabilities/darpa-is-creating-zero-knowledge-proofs-for-vulnerability-disclosure/



    47 mins