35 Burst results for "Security Security Security Security"
Twitter breach exposed anonymous account owners
"Twitter says a still-unknown number of owners of anonymous accounts might have had their identities compromised last year. A since-fixed vulnerability in Twitter software was apparently exploited by a malicious actor. While the company says it doesn't know the extent of the global exposure, the digital advocacy group Restore Privacy says data presumably attained through the vulnerability was being sold for $30,000 on a popular hacking site, and more than 5 million identities may have been exposed. Many people with anonymous Twitter accounts do so to protect their profiles for security reasons that include fear of persecution by repressive authorities. The revelation comes at a time that Twitter is in a legal battle with billionaire Elon Musk over his effort to back out of his $44 billion offer to buy Twitter. I'm Tim McGuire.
Noel Casler Explains How Trump Corrupts Everyone in His Orbit
"People famously know that you worked on The Apprentice with Donald Trump and, you know, started talking quite openly about a lot of things about him a long time ago, but you said what you're seeing from Trump's vast tentacles of corruption. Toadies on loan from Doug Ducey acting sycophants, you just said it should be very illuminating for those who wonder how Trump got away with so many crimes in his New York City days because people from New York are like, he's always been a crook. We've known that from day one, right? And you look right up through what's happening right now. You're like, oh, of course, he has somehow loyalists and people that are destroying evidence and God knows what, right? Absolutely. He's always had a skill, a sixth sense to attract men and some women around him that he could corrupt. You know, he can look into a crowd and see the kind of guys that are going to do his bidding. The dogs that hunt, so to speak. And that's what his security team was. You know, Keith Schiller was an NYPD sergeant rammer, who would knock down doors of drug dens in The Bronx, you know? He was the guy who knocked the door down. He went up to Trump in court and said, you need to hire me, right? And Trump hired him. And then when you're walking around with a detail of ex-NYPD cops, you get away with stuff in New York City, right? Because it's an impenetrable sort of wall of authority. And Trump knows that. And you know, we could probably get into it, but the Secret Service stuff seems very, I worked with the Secret Service tons. I did inaugurations. I did the tree lighting at The White House, all kinds of stuff, where the president was at. The Secret Service under Trump was a different Secret Service. You know, and I went to high school with Bobby Engel, the guy he tried to choke in the back of the SUV, and he was like a marine kind of jarhead cop type. And that's the type that Trump will suck in. And it's almost like before they know it, they're doing his bidding. 
Do you know what I mean? Who is the guy? They all set out with the intention of being corrupted, but being in Trump's orbit will corrupt you by osmosis.
Reports: FBI Knows More About Jan. 6 Bomber, Withholding Video
"A new report out that the FBI, this is from the Gateway Pundit, the FBI knows more about whoever planted the bombs outside of the RNC and DNC headquarters than they had previously let on. Anybody else find that odd that we have yet to know who actually planted those devices, especially since the whole thing was captured on camera? Anybody concerned about that? Now according to Revolver News, the FBI is hiding security video footage of the January 6 pipe bomber planting the bombs. Congressman Jim Jordan sent a letter to the FBI director Chris Wray in March regarding the investigation. According to that letter, now members of Congress are accusing the FBI of withholding information. So why is it that the FBI doesn't want you to see the video footage of the suspect planting the bombs at the RNC and DNC? I have a theory about that. Is it possible that the reason why the FBI doesn't want you to see that video is because it was in fact the FBI that planted the bombs? Is that, is that a possibility? Why is it that the FBI has yet to explain how many of their agents, how many of their staffers were involved in the plotting and the execution of what happened on January 6th at the Capitol building?
Rep. Mayra Flores: Our District Wants Border Security
Vegas-based rental firm faces probes over pandemic evictions
"A company that owns thousands of rental units in several states is facing investigation over pandemic evictions. The Siegel Group, based in Las Vegas, says it operates lawfully and that it tries to run the most dignified rental housing business they can. But the company is facing investigations announced by the state of Nevada and Clark County after a congressional oversight panel found company executives used deception and harassment to force tenants out while collecting millions of dollars in federal aid aimed at keeping people in their homes during the pandemic. The House select subcommittee on the coronavirus crisis looked at several large property companies and described Siegel's practices as uniquely egregious, with executives advising employees to replace the air conditioner of a past-due tenant with one that didn't work, asking state child welfare officials to investigate them, or having security knock on the door twice a night. Nevada state attorney Aaron Ford characterized the report as shocking and disturbing. I'm Jennifer King.
Is the Scandalous Biden Family Untouchable?
"The hearing when Christopher Wray goes in front of the Senate? Is that Thursday? It's this Thursday, two days from now. To tell you the truth, I'm not holding my breath that he'll do anything other than what the FBI always does, which is to say, we can't comment on an ongoing investigation. Yeah, I mean, I got to give the Bidens credit. They have a diversified portfolio of scandals. It's amazing. Every possible country, region of the world, industry, walk of life, family member is involved in this. And so they are going to come under pressure from the Senate, but I think there is some cynicism, though, Miranda, that our audience has, and you've done a phenomenal job in your book, Laptop from Hell, which is how much is it actually going to take to just hold one of these people accountable? Or are we really in this moment where there's the untouchable class, regardless of how gross and disgusting and flagrant your crimes are, if your last name happens to be Biden or Clinton or Obama, you're largely untouchable. What are your thoughts on that? Well, look, I mean, I share some of that cynicism. And of course, the influence peddling racket that Joe Biden was the past master of is a bipartisan disease in Washington. It's really corrosive. Damaging, as we can see now, to our national security. And on the plus side, the Republicans telling me in the House, whether it's James Comer, Jim Jordan, a whole lot of them are very rare doing a lot of work right now to get on top of the information. They're talking to witnesses. Whistleblowers are coming forward, they give them a car, it's told them to be aggressive when it comes to the Hunter Biden material. So they will be having hearings. They will be subpoenaing witnesses. They will have subpoena power in the House. I'm presuming they take back the House, which follows the show and they will. So that will at least bring more information to light. But
Enrique Prado Grades the U.S. on International Security Performance
"We don't spend requisite amounts of time on understanding the strategy and the worldview of things like the Iranian Republican Guard or how the Chinese military thinks. So in terms of steel on target, A plus; in terms of getting inside the mind of our enemy, not so hot. Could you give us your grades for how we are as an international national security performer? Well, you hit it on the spot when it comes to the kinetic aspect of our business. We are second to none. And when I say that, I also include our special operations forces because again, they've been fighting the GWOT for over 20 years, which people tend to forget. I think that what you are describing most likely is the knowledge base on our enemies' culture. It's not that we don't understand it, it's that our leaders do not listen to it. I know the analysts, the quality of the analysts we have in the agency, are scary smart. Guys like Mike Scheuer, who was the one that really discovered who bin Laden was and what he was up to, and he was right until he was proven right. So unfortunately, when you have organizations like the agency or even the FBI not being run by people who are internal, political appointees, in my opinion, one of the problems we have is those political appointees that we have at the head of our agency are people that owe their allegiance to whoever put them there. And they will always look through the optic of that politics, and you cannot do operations, especially special operations, through the optic of politics. So I will defend my analysts to the end. I think they're incredibly well rounded and in depth, but the flow up is not always what it should be.
'Black Ops' Author Enrique Prado Discusses His Fascinating Background
"A legend in the national security community. Of course I heard of him, but we are delighted to have Enrique "Rick" Prado one on one here on America First. Welcome, Mister Prado. Thank you very much, Doctor. Thank you for having me on. And Steve may be exaggerating a little bit because he happens to be my best friend, so. That's all right. We trust SEALs. A little bit of embellishment is fine, but anybody who runs the butt course about course is a serious individual. So you have a fascinating background. We'll talk about how you came to America. You've got a book out called Black Ops, everybody has to check out this book Black Ops, the life of a CIA shadow warrior, former head of CTC. That's counterterrorism, the Counterterrorism Center at the CIA. But first, just for those who aren't familiar, who haven't read your book, will you tell us a little bit about your national security career in the shadows? Yes, sir, I did 24 years at CIA. I started out as a paramilitary officer. I'm a former pararescueman. So I came in through the paramilitary side, Special Activities Division, which is, for lack of a better word, the special operations forces for CIA. The body of this draft that is from what is now called SOCOM. I have six overseas tours. I've been a chief of station. I have been a deputy chief of station twice. I am a plank owner of the bin Laden task force, which I started with Mike Scheuer in 1996, January of 1996. And when 9/11 happened, I was chief of operations of the Counterterrorist Center. Was my boss. After those 24 years, I spent another 9 years doing exactly the same thing mostly for the military side as an SME, but actually doing the work and I just not teaching, but actually operating with the team.
80-Year-Old Norco Store Owner Shoots off Armed Robber
"There is a story up on dot com from Norco, California. This is your feel good story of the day. So a bad guy armed with an AR-15 tried to rob an 80 year old man in the store that he owned, the Norco Market. What the bad guy didn't realize at the time is that the owner was watching a security cam video and he saw the car pull up, there were four people in this car, and he saw one of the bad guys getting out and putting on a ski mask, and the owner of the store knew what was about to happen, so when the bad guy came in and said, put your hands in the air, the owner of the store took out his shotgun and literally blew the bad guy's arm off, and the whole thing was captured on surveillance video. You gotta listen to this. I wanna hear it again. I love that. Now, now, so by the way, the Riverside County Sheriff's Department, they say that the clerk or the owner of the store did the right thing, he was legally, he was a legal gun owner. He was allowed by law to own that gun and he defended himself. He did nothing wrong. I will say this, that the owner suffered a heart attack after all of this, but he's okay, he's going to make a full recovery. The bad guy's in critical condition at the local hospital and they've arrested others. What I
John Kirby: Biden Admin Does Not Support Taiwan's Independence
"Yesterday, spokesman John Kirby from the National Security Council told a reporter, we don't support Taiwan's independence. John Kirby cut four guys. She wants to say on this trip is really her prerogative. That's why it was so important for me in my opening comments, Kelly, to make clear what this administration's policy is with respect to the One China principle, One China policy, as well as not wanting to see cross-strait tensions resolved by any other than peaceful means, and the fact that we don't support Taiwan independence. It was important for me to lay that down right at the outset. That's our policy. That's this administration's approach.
US Speaker Pelosi arrives in Taiwan, raising China tensions
"House Speaker Nancy Pelosi has arrived in Taiwan on a visit that's raising tensions between the U.S. and China. Pelosi is the highest ranking American official in 25 years to visit the self-ruled island China claims as its own. Beijing has been warning of strong measures if she showed up. The Biden administration did not explicitly urge Pelosi to call off the trip but did try to assure China her visit would not signal a shift in U.S. policy toward Taiwan. Nothing has changed. There's no drama to talk to. Still, National Security Council spokesman John Kirby said yesterday U.S. officials worried China would retaliate with military exercises as a show of force. We will not take the bait or engage in saber rattling. Sagar Meghani, Washington.
Kash Patel Campaigns for Abe Hamadeh, Arizona Candidate for AG
"Here with the legendary Kash Patel. 'Sup, Kash. It's great to be back in Arizona. I love it. Yeah, so you're campaigning, tell us about it. Let's go and so, well, I tell you what, we got America First candidates, we were in Tucson last night with Blake Masters, the next senator from the state of America. Amen. You just had him for a full hour. Yeah, we had Abe out there and Kari Lake as well. The crowd was ridiculous. So tell us about Abe, I haven't endorsed him. I don't know him that well. We get some emails from people. They're not so crazy about him. Tell me about Abe. Well, here's the reason I like Abe, because of his military background, his experience overseas. He's actually been a prosecutor in the pit, which to me, maybe I'm a little biased, being an actual prosecutor, not being a high level guy who's done the work, and, you know, and I told him, I'm happy to endorse you, but, you know, you're going to have to hold up your end of the bargain. And his biggest bargaining point was, I'm going to go down and take on the cartels in Mexico. And for Arizona, that's a big thing. That's everything. To declare them a foreign terrorist organization, which I haven't heard a single other state attorney general candidate say they would do. Yeah, he better get armed security. Well, you know what? I believe that he's going to do that. And that's why I like it.
DHS watchdog asked the Secret Service for all Jan. 6 texts, then retracted the request in an email
"Congressional Democrats allege a cover up on deleted Secret Service texts and demand records. The chairs of the House Oversight and Homeland Security committees have requested sit-down interviews and internal documents from the Department of Homeland Security's inspector general regarding deleted Secret Service text messages surrounding the January 6th attack on the U.S. Capitol. House Oversight chair Carolyn Maloney and Homeland Security chair Bennie Thompson wrote a letter to inspector general Joseph Cuffari Monday. The committees say they have evidence showing the inspector general's office first learned of missing Secret Service text messages related to the attack in May 2021, but efforts to recover the text messages were abandoned in July 2021, nearly a year before Congress was informed the messages had been erased. Mike Gracia, Washington.
White House decries China rhetoric over Pelosi Taiwan visit
"The White House is criticizing China's rhetoric over House Speaker Nancy Pelosi's expected visit to Taiwan. For days China has been warning of serious consequences if Pelosi visits the island it claims as its own. There's certainly no reason for this to come to blows. At The White House, National Security Council spokesman John Kirby says the U.S. has no interest in boosting tensions with China. We will not take the bait or engage in saber rattling. Kirby says lawmakers routinely visit Taiwan and Pelosi is free to do so, but she'd be the highest level U.S. official to go there in 25 years, and the administration does worry Beijing may retaliate, perhaps with military action around Taiwan. Sagar Meghani, Washington.
Dinesh Examines the Implications of a Third Political Party
"We all know that there's a good deal of political polarization in America, and it's often deplored as a bad thing. Wouldn't it be great if Americans could come together, but what is the way to respond to the polarization? Well, it turns out that there's a group of people, one or two on the Democratic side and two or three on the Republican side, and they've decided that the solution is a new party. A third party, a centrist party that they call the Forward political party. Well, it's kind of a weird name, first of all. And it sounds a little socialist to me. Doesn't like it, she goes, it sounds, well, I mean, forward sounds a little bit like progressive. It sounds a little bit like, but I suppose what they would say is we're trying to find a way forward out of the polarization. Now, who's involved? Andrew Yang. Now Andrew Yang is the tech nerd who ran for office. I think he ran for New York. And then he ran for mayor in 2021. And then he said, that's it. I'm out of the Democratic Party. Now that by itself is a good thing, but evidently Yang thinks that there is space for a new party, and he's joined by some Republicans, although these are kind of has-been, former, old, establishment type of Republicans who were part of the, you know, the George H. W. Bush administration or the George W. Bush administration. So there is one guy who was part of the Trump administration, Miles Taylor, a former Homeland Security official. And then David Jolly, a former Republican congressman, and Christine Todd Whitman, a former Republican governor. Notice a common theme here, it's former. These are basically people who have lost office, can't really gain much traction, it seems like time has passed them by. They have no real constituency. So I think they kind of feel like if you put a bunch of losers together, you might get a winner, like loser plus loser plus loser equals winner, but generally loser plus loser plus loser equals three losers.
Epoch Times: ESG Is a Globalist Scam
"I really like this Epoch Times native piece, and their ESG is a global scam meant to usher in one world government, says James Lindsay. ESG, environmental, social and governance scores. Now those of you who have heard about it and have some fairly oblique understanding of what it is, you need to understand this is the effort now to devour the entire private sector, starting with the major corporations. They've devoured education. They've devoured our departments of government, including the military. They're devouring law enforcement, they've devoured the media, and they want to devour the private sector altogether. That's what this is. Their Securities and Exchange Commission, without any basis in law, decided that it would be part of their auditing of corporations. They had no power to do that. That's why the biggest hedge funds in America have insisted that if these corporations want money or support from them, that they have to have these high ESG scores. And they have to have members on their boards who support ESG. James Lindsay, author of Race Marxism and other books challenging woke narratives, has taken environmental, social and governance, ESG, scores into his crosshairs, calling ESG a weapon in the hands of the social justice warriors to shake down corporations, and a tool in the hands of those seeking to impose one world government.
Glenn Kirschner Wants Republican Lawmaker Insurrectionists Dealt With
"We were saying you are confident they're going to find all these missing texts and Homeland Security, including Homeland Security officials. We were hard to say how much bigger than Watergate this is. There are a lot of, there are a lot of tapes, right? And texts and things missing. I mean, that's the one thing that struck me is the breadth of this, because the other thing we have to talk about, and you also tweet about, is Republican lawmakers' involvement. I mean, this goes through every branch of government, doesn't it? Yeah, you know, Merrick Garland is fond of saying, and I agree with him, he said, look, we have to hold everybody accountable for their crimes, but we have to do it in a way that honors the Constitution. Now, as a former career prosecutor, I embrace and I celebrate that sentiment. We have to honor the Constitution in the way we go about investigating and prosecuting crimes. The problem is honoring the Constitution is not a sort of part-way proposition. The Fourteenth Amendment is part of the Constitution. And the Fourteenth Amendment says insurrectionists can't serve in public office. If you're a public official, you've taken an oath, and you participate in an insurrection, you are disqualified. That's what the Constitution says. So we have to honor the entirety of the Constitution, including the Fourteenth Amendment, and time is running out, so the Department of Justice has to tackle these insurrectionists who are running for reelection, because if they don't, they will burrow back into government and continue to try to kill our democracy from within.
The Largest Conspiracy in History With Glenn Kirschner
"Wow, wow, wow. Okay, so I have a, we have an illegality lasagna this morning with 11 billion layers. So the time. So we have missing texts now from the Homeland Security, the top Trump officials, Chad Wolf, Ken Cuccinelli, just curious, Tristan Snell said, so the top two officials over Homeland Security under Trump also have missing text messages from up to January 6. Subpoena the ever-living bejesus out of these people. This is the biggest conspiracy in American history. Yeah, this is, well, I guess not extraordinary, right? No, no, it should be raining subpoenas because all of these people have to be hauled in, not only before Congress, the J6 select committee, but before federal grand juries, because it looks like, I agree with Tristan, it looks like perhaps the largest conspiracy in the history of the world. I mean, does that sound hyperbolic? Yeah, but I think it needs to be investigated. It's not a coincidence that all of the Trump lackeys and sycophants are purging what is extremely important evidence regarding the insurrection. They're purging it, destroying it, deleting it. Why? Because they don't want to be caught as part of the conspiracy, but they're going to be caught.
"security" Discussed on SECTION 9 Cyber Security
"Servers. I'm going beyond that idea that I only have one laptop. I can just install everything myself. I don't need a tool for that. Versus I have a hundred laptops. I have a thousand laptops. How do we manage that? And I think that's where I'm at with security is how do we manage something beyond one or two devices in a lab environment, or just using an example of something? How do you take that and move that into the real world? Because when you do that, it's a completely different situation. You're no longer in a situation where you have one or two lab workstations and maybe a server; now you have 50, 60, a hundred laptops that are moving around, and they're out there in the real world. They're not always in the office. How do you log that? So if you have a SIEM solution or things like Security Onion with the ELK stack on there, well, how do I send it logs when I have people at home? I have people in a coffee shop. I have people in the office. How do I get all the logs into that one location so I can analyze them? Those are things that make it a challenge, and that's what the real world looks like. It's not a nice, neat little simple lab where everything is in one location. It's all over the place, and it's messy. And that's where things get interesting. And that's why I think it's important to have that short list. What are some things I think are really, really, really important that we can do and they're easy, right? Like two-factor authentication when you have Azure AD is pretty simple. Let's go beyond that. Let's try some of the other stuff. And if we do things like a honeypot, well, where does that live, right? Those are some things that I'm looking at now. And so I'm going to take the stuff that we have in all these different classes I've taken so far and try to create that short list of things that we can do. And hopefully this is helpful to others so they can kind of see what we're doing and use some of the things that we're trying to do. 
I think one of the best things I.
"security" Discussed on Security Now
"Because Kolide, K-O-L-I-D-E, is built by like-minded security practitioners who have seen in the past just how much MDM was disrupting end users. Frustrating them so badly they throw up their hands, forget it, all right, I'm using my own laptop. I'm not using this. This is ridiculous. I hear that story a lot. Without telling anyone, of course, opening you up to all sorts of problems. That's a scenario in which everybody loses, the user and you and your business and everything. Kolide is different. Instead of locking down a device, I really like this, I really like this, Kolide takes a user-focused approach that communicates security recommendations to your employees directly on Slack. So after Kolide is set up, in fact, I'm sure Russell wants to use this because we use Slack, device security turns from this on or off police state, basically, into a dynamic conversation. The conversation starts with the users installing the endpoint agent on their own. So they're already kind of empowered, right? We don't deliver this to you locked down. We say here, install Kolide. Through a guided process, it happens right inside their first Slack message. From there, Kolide regularly sends employees recommendations. Suggestions, if you will, when they notice their device is in an insecure state. Ranging from simple things like your screen lock is not set up correctly or it doesn't come on, there's no password to turn it off, that kind of thing. To somewhat more nuanced, maybe even difficult to solve issues, like suggesting people secure two-factor backup codes sitting in their download folder. That's probably not, it can't see post-it notes on the screen, but that's the next worst thing. And because it's talking directly to employees, Kolide is educating them about the company's policies and how to best keep their devices secure using real examples from this is what's actually happening. Some theory, plus they feel listened to and engaged. 
And honestly, they're more likely to become a partner in security, rather than fighting at every step of the way. Kolide, Linux, Mac or Windows. Cross-platform endpoint management. It puts end users first. But make sure your security is taken care of. And it's of course for.
"security" Discussed on Security Now
"GRC dot SC slash what is this? 8 5 four. And that will tell you whether you're okay or not. And maybe is it set up? It should have given you more than that already. Let me go directly. There we go. There you go. Building my port, 20,005. Yes. Okay. I'm familiar with, not a port anybody's familiar with. Okay, so security, yeah, it's your stealth, good. The security research firm SentinelOne has discovered that some common code licensed by a number of prominent router manufacturers contains a highly critical remotely exploitable flaw. Among the routers known to be affected are those by Netgear, TP-Link, Tenda, Edimax, D-Link and Western Digital. Holy coal. Ugly. I know. So here's what we know. They, or rather he, at SentinelOne, his name is Max, discovered a high severity flaw in what's known as the KCodes, as the company, KCodes, NetUSB kernel module used by that large number of network device vendors and affecting millions of end user router devices. This allows attackers to remotely exploit the vulnerability to execute code in the kernel. SentinelLabs, Max's company, began the disclosure process last year on the 9th of September, and the patch was sent to licensee router vendors on the 4th of October. So it should be incorporated into router firmware updates by now. That's more than 90 days. At this time, SentinelOne has not discovered evidence of in-the-wild abuse. Okay, so here, in the author's voice, is how this all began. He said, as a number of my projects start, when I heard that Pwn2Own Mobile 2021 had been announced, I set about looking at one of the targets. Having not looked at the Netgear device when it appeared in the 2019 contest, I decided to give it a look over. While going through various paths through various binaries, I came across a kernel module called NetUSB. As it turned out, this module was listening on TCP port 20005 on the IP 0.0.0.0. 
Provided that there were no firewall rules in place to block it, and typical consumer routers don't have any, that would mean it was listening on the WAN as well as the LAN. He says, who wouldn't love a remote kernel bug? NetUSB is a product developed by KCodes. It's designed to allow remote devices in a network to interact with USB devices connected to a router. For example, you could interact with a printer as though it is plugged directly into your computer via USB. This requires a driver on your computer that communicates with the router through this kernel module. Of course, you don't have to be using this to have it there, alive and running in your router.
"security" Discussed on Security Now
"Won't be a problem but is bad. Why active still a. Why is it still in windows. It's well it's because they're you know documents live on and you you would want that document not to be able to open a website now would you. I know you gotta you gotta have that in your in your power. I remember us specifically talking about what a threat. It was to allow something downloaded from the web to rub locally on your computer as it because and it's bringing in java script what could possibly go wrong. I mean those not only is your. Is your document scripting in order to bring in a in order to host a container which is then a web browser in your document which has been given a u. r. l. to a foreign server which could then load something in with java script writing and like do something it's like there should be a way just remove activex. I stunned. it's still alive in there. Yeah that's crazy there. Must that's that's it. Internet explorer component. Yeah yeah well well. Active x is Is what is what Com evolved into so there was the cry honan object model calm and then it sort of they. They like they got so tired of doing like extensions of it because the kept figuring out it could do more. Did they said okay. Let's just kinda start over so we'll call it but oh and it was also a renaming. Remember that it's sort of like it. They didn't feel like it was exciting enough. It's like it's active com ole right which is pretty good. Sounds like a bull fabulous. It's still supported through As a witness. Ten through internet explorer eleven. Even though it's been deprecated for years right. And so this is invoking i e an old i e control through activex in order to bring it back alive so yeah and i mean we're not noticed we're not even talking about the fact that that ease 'em html control has a problem because like of course it does like why. Why would we imagine that out that. A browser component would not have a horrible easily exploitable flaw. Instead we're just talking about. 
Oh this is the way you invoke it because embedded in office documents. Okay so we also have. This seems to be abbreviation day. We all i also ran across w. f. h. Which is the new abbreviation for a work from home. That's now a thing w. f. u. w. f. h. your wfan aging anyway last thursday hp's wolf security group published a new study which they titled security rebellions and rejections..
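The discussion above is about an Office document that carries an embedded OLE/ActiveX object pointing at a URL on a foreign server. A triage check a practitioner can run on inbound documents, as an added example that is not code from the show or from any of the vendors named: walk the OOXML zip, flag any oleObject relationship whose target is external (a URL rather than a part inside the package) and any ActiveX control part. The sample package is constructed in memory and is not a document Word would open; the URL attacker.example and the zero CLSID are placeholders. The relationship type URIs and the word/activeX part location are the standard OOXML ones.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional

# OPC relationship types for embedded OLE objects and ActiveX controls.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
CONTROL_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/control"
REL_TAG = re.compile(r"<Relationship\b[^>]*>")
ATTR = re.compile(r'(\w+)="([^"]*)"')
CLASSID = re.compile(r'classid="([^"]*)"')


def scan_ooxml(data: bytes) -> Dict[str, List[str]]:
    """Triage one OOXML package (docx/xlsx/pptx bytes) for the two things the
    discussion worries about: an embedded OLE object whose target is a URL
    rather than a part inside the zip, and ActiveX control parts."""
    findings: Dict[str, List[str]] = {
        "external_ole_targets": [],
        "control_rels": [],
        "activex_parts": [],
        "activex_classids": [],
    }
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            lower = name.lower()
            if "/activex/" in lower:
                findings["activex_parts"].append(name)
                if lower.endswith(".xml"):
                    xml = pkg.read(name).decode("utf-8", "replace")
                    findings["activex_classids"].extend(CLASSID.findall(xml))
            if lower.endswith(".rels"):
                xml = pkg.read(name).decode("utf-8", "replace")
                for tag in REL_TAG.findall(xml):
                    attrs = dict(ATTR.findall(tag))
                    rtype = attrs.get("Type", "")
                    if rtype == OLE_REL and attrs.get("TargetMode") == "External":
                        findings["external_ole_targets"].append(attrs.get("Target", ""))
                    elif rtype == CONTROL_REL:
                        findings["control_rels"].append(attrs.get("Target", ""))
    return findings


def is_suspicious(findings: Dict[str, List[str]]) -> bool:
    """An OLE object pointing outside the package, or any ActiveX part, is
    enough to pull the document aside for a closer look."""
    return bool(findings["external_ole_targets"] or findings["activex_parts"])


def build_sample_docx(external_ole_url: Optional[str] = None, with_activex: bool = False) -> bytes:
    """Constructed, minimal .docx-shaped zip for the demo: only the parts the
    scanner inspects, not a document Word would open."""
    buf = io.BytesIO()
    rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if external_ole_url:
            rels.append(f'<Relationship Id="rId5" Type="{OLE_REL}" Target="{external_ole_url}" TargetMode="External"/>')
        if with_activex:
            rels.append(f'<Relationship Id="rId6" Type="{CONTROL_REL}" Target="activeX/activeX1.xml"/>')
            # Placeholder CLSID; a real part names the control being loaded.
            pkg.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
                'ax:classid="{00000000-0000-0000-0000-000000000000}" ax:persistence="persistStreamInit"/>',
            )
        rels.append("</Relationships>")
        pkg.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # attacker.example is a placeholder host for the constructed sample.
    bad = scan_ooxml(build_sample_docx("http://attacker.example/payload.html", with_activex=True))
    print("suspicious:", is_suspicious(bad), bad)
    print("clean suspicious:", is_suspicious(scan_ooxml(build_sample_docx())))
```

The check is deliberately dumb: it does not parse the OLE stream or decide whether the referenced control is IE's MSHTML, it only answers "does this document reach out to a URL through an embedded object, or carry ActiveX at all", which is the question the hosts are asking of a document that should never need either.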
"security" Discussed on Defensive Security Podcast
"Hey, it's our job to advise what to do if desired, right? Yeah, very similar to a lawyer. Like, yeah, you probably shouldn't stab that guy on camera; that would be bad for you, but you could still go stab the guy on camera. I don't know, it's probably a bad example, but you know what I mean. It's just, obviously IT security or cyber is so new and the legal profession is so ancient, so I don't know if these rulings will be defined into laws, but it seems to me very similar. So let's see. Don't share the report, or, sorry, share it with as few people as necessary, for purposes that are also necessary for internal business, accounting, regulatory purposes. Have a separate sanitized report prepared. The report and the related work must be a legal expense paid for by the company's legal budget, preferably through outside counsel. That was also one of the observations of the judge. Let me just restate: we're not giving legal advice; I'm reading this document. Anticipate the potential threat of litigation early on and take time to carefully select and prepare your 30(b)(6) witness for the deposition, whatever the heck that means. There you go. Well, it was a national argument, so it's meant for lawyers. That's right, which we are not, which we're definitely not. But again, don't assume that, if you're engaging a third-party forensics company, the report is going to be covered by legal privilege unless you take these actions. That's the whole point of this. Talk to your attorneys. Don't assume. This is your fun party. I totally am. All right, so, final story. This one comes from SecureWorld.io and the title is 'Suing the CISO: SolarWinds Fires Back'. So we've obviously talked about SolarWinds ad nauseam. Some SolarWinds investors have sued SolarWinds, the company, as well as their CEO and their CISO, basically, I'm summarizing, alleging what I would loosely call malpractice, and basically saying, in a couple of different points, that the company didn't do the right... you know, didn't exhibit responsible security oversight. And so they use some specific examples from former employees, one of which was a strategist and had complained that the company wasn't doing enough in a couple of particulars of security. There is also the very public issue with the SolarWinds123 password that's referenced in here. And so, you know, the point is, I find it interesting that this is an example where it's not just the company that is being sued; in this case, it's also the leadership of the company. And look, it is hard enough to be a CISO. So I think, if this becomes common practice, I fear what we're going to see. But that's one side; on the other side, I think it will quite likely drive different kinds of behaviour."
"security" Discussed on The 443 - Security Simplified
"There's no liability. There's nothing holding them to this. So you're representing, Mark, I think, the optimistic opinion that people want to be secure and want to work in any way they can to do this. Colonial Pipeline might fall into that because they suffered an issue. But I'm at the point that, until it is regulated, until there are teeth, I'm not sure it's going to make much difference. So I hope your interpretation... I'm glad that they're trying to make it work voluntarily, but maybe there should be regulation about a minimum baseline set of security that industrial control and critical systems need to establish. So, I don't know. There's nothing wrong with this memorandum. I loved all the ideas of what it proposes. But where's the meat? Where's the beef? Where are either the teeth, forcing people to do security, or the actual details about what any of this new policy is? Because I've seen ICS policy that's existed from the Department of Homeland Security, CISA, ICS-CERT, NIST before. So I just want more detail. Right now it just seems like, oh, we want to make this better, let's wave our magic wand. If only it were that easy. But you're right, I think it will boil down to whether they can add teeth to it or not, because, to be fair, teeth or carrots. Yes, it is either fines or some incentive. You can also enforce a regulation by giving tax or monetary or other incentives if you do so. Add something to this that really gets the ICS community on board beyond just voluntary, because, let's face it, as much as everyone wants to be secure, they don't have the time. Voluntary does not seem to often work. And while, like you said, a lot of these utility districts and stuff are really maintained by very local municipalities, not necessarily even state level, down to the county or city in some cases, it is critical to our nation's infrastructure, so it makes sense."
"security" Discussed on Security Now
"Hello everybody. I don't know how Steve does this mustache thing. We're giving Steve the week off. You know, he takes no time off. The man works his butt off, not only with his products, SpinRite, and all the research and stuff he does for his website, GRC.com, but he spends hours putting together the Security Now show every week. And the funny thing about Steve is he never wants to take a day off. He never wants to miss a show. So I've tied him up and put him in a closet so he can't be here today, because the guy needs a week off, and we're going to take some of the best moments from the year 2020, starting with the story of, and this was a bad one, Clearview and their face recognition technology. So last week we talked about the Clearview AI company, who were doing facial recognition and scraping the web for three billion faceprints and made them available to six hundred police departments so they could identify people within seconds. Since then Clearview has increased their collection of cease-and-desist letters, which are just not exactly what they were hoping to be collecting, from major US social media players. The first one they received was from Twitter a couple of weeks ago, when Twitter told Clearview to stop collecting its data and to delete whatever it had. In addition, Facebook has similarly demanded that Clearview stop scraping photos because that action violates Facebook's policies, and now Google and YouTube are also both telling Clearview to stop violating their policies against data scraping. Clearview's take on this is defiance. The CEO, Hoan Ton-That, was interviewed last Wednesday on a morning news show. He says to trust him. He said the technology is only to be used by law enforcement and only to identify potential criminals. Ton-That claims that the results, which is not encouraging, are 99.6 percent accurate. I guess, though, you wouldn't want a miss, or a false positive that misidentifies you as a bad guy. So I guess accuracy is a better thing. And he also claimed that it's his right to collect public photos to feed into his facial recognition archive. He said, 'There's also a First Amendment right to public information, so the way we have built our system is to only take publicly available information and index it that way.' And, by the way, there was a recent Supreme Court decision, or was it the Supreme Court, maybe the Ninth Circuit Court, having to do with scraping of LinkedIn, where they ruled, yup, you can't stop scraping if it's public information. Y'all can't stop it. In fact, I mentioned that here. So we know from last week, when we talked about this, that in Illinois at least, with their BIPA, the Biometric Information Privacy Act, it's illegal there. And YouTube's statement read, quote, 'YouTube's terms of service explicitly forbid collecting data that can be used to identify a person. Clearview has publicly admitted to doing exactly that, and in response we sent them a cease-and-desist letter,' as did Facebook. Facebook said last Tuesday that it has demanded that Clearview stop scraping photos because the action violates its policies. Facebook said, 'We have serious concerns with Clearview's practices, which is why we've requested information as part of our ongoing review. How they respond will determine the next steps we take,' which I'm sure Facebook intended to sound ominous. And Ton-That defended Clearview as being a Google-like search engine. He said, 'Google can pull information from all different websites. If it's public and it can be inside Google's search engine, it can be in ours as well.' Google disagreed, saying that Clearview isn't at all like their search engine. Google said there's a big difference between what we do and the way you're shanghaiing everyone's face images without their consent: 'Most websites want to be included in Google Search, and we give webmasters control over what information from their site is included in our search results.'"
"security" Discussed on Cyber Security Weekly Podcast
"As you've said, I head the Australian Cyber Security Centre. Now, our mission is pretty ambitious, but it's also pretty simple: it's to make Australia the safest place to connect online and do business online, and our prime responsibility is really to protect all parts of the Australian economy, from big business to government, critical infrastructure providers, small and medium enterprises, and individuals and families, so they can get on with life online, which, as we know, and COVID is the great example, is the way that we're engaging today, and is increasingly important. Likewise, I agree. We wouldn't normally have reached out to you so readily. You've mentioned a bit about your background: you've been in the role six months and you came from the National Bushfire Recovery Agency, but you've come across into what we obviously observed at the same time, as I saw, the uptick in cyber crime and cyber activity during COVID-19. Is that right? Thanks. I'm assuming you're enjoying it, or you're finding it the challenge that it was made out to be? I have to say the people that work here, who I've managed to speak to, are some of the most incredible human beings I have encountered, in terms of their incredible personal drive towards that mission and really advancing Australia's interests, but also the technical capability, which is second to none. You mentioned I had come from the National Bushfire Recovery Agency; actually it's not a dissimilar function, in the sense that you're trying to engage very different sectors of the community who've been affected by something that has materialised and assist them to get back up on their feet again, and actually to build resilience. It's just the context that's different. Prior to that I was the head of the National Security Division in Prime Minister and Cabinet, had some time in critical infrastructure, and was the inaugural Chief Risk Officer for the Department of Home Affairs, with postings looking after the Europe and sub-Saharan Africa region. It sounds like a weird background, but, look, the headline is: I love a good crisis. I find that the same skill set, of translating and dividing problems into their various segments, responding to each one of those, always having a plan or campaign or an operational approach, assists, and obviously having a defence background helps that way. And of course, as you quite rightly point out, I don't have a long technical history, but I've said there are twenty million constituents across the economy, the vast majority of whom don't either, and the bottom line is they are our customers, and I think that kind of balance works well."
"security" Discussed on The Security Ledger Podcast
"...that the research team uncovered this, as you called it, BigDebIT vulnerability, and we've been working with Oracle to create patches, because there's really no other workaround for the vulnerability. It's a big deal. It's quite an exposure. It allows someone unauthenticated to break into the system, and, using the General Ledger, which is a powerhouse application inside the E-Business Suite, to do all kinds of fraud: make payments, modify your company's financials. All your data could be manipulated, and it's very difficult to detect, and it can only be fixed with a patch. Our research shows there are roughly twenty-one thousand implementations of E-Business Suite and roughly around half of them are vulnerable to this, so it's something we really want to get out so that people are reacting quickly. These BigDebIT vulnerabilities in Oracle E-Business Suite, where things stand today, there is not an active exploit on it, but it's an example of something you need to address quickly. There's just no way to fix it without the patch, and a lot of times we see people who think they've applied the patch and believe they're secure, but if they don't have the ability to reassess that system with a tool like ours, they can't confirm that the patch was in fact applied properly, and so even in some cases where they think they're secure, they're still... The problem with delayed patching on these platforms, is it one of a lack of tools, or is it more of the sort of cultural stuff that we were talking about, just fear of breaking stuff, or just not a high priority put on applying patches for these systems? I think it's a little of both. I think, you know, many people take for granted the tools they have, and CISOs, we've all invested quite heavily, or companies have invested quite heavily, in equipping us with tools to scan a variety of different things, but these systems like Oracle, systems like SAP, are so proprietary that the scanners you have don't work. You can point, you know, Qualys or something like that at these systems; they literally don't know what to do with the system. So, while you might assume you've got this comprehensive view of your vulnerability and application landscape, you're missing big pieces of information, and so you can't properly report on it and provide the governance capabilities that would normally give you some data, so you could go back to the IT organization or the executive team and dimension the severity of this problem. You just simply don't have the information, and so without it, it's hard for the company to respond, right, and put focus on the patching activities and maintenance activities that they should be doing. So it's so important to kind of assess that gap and figure out how to get that information into your governance process, and then start to react to it. You mentioned that these companies are starting to pivot, take security more seriously, building more sophisticated features for monitoring security events and logs and so on. The other big change, of course, is a lot of these platforms are moving to the cloud, if they haven't already. Does that change the story, or the posture of these applications, security-wise, for companies? One hundred percent. A lot of times when I talk with CISOs, one of the things that I hear back, which I think is kind of unfortunate, people say, 'Well, I know that application might have some vulnerabilities, we might have underinvested in securing it, but it's still behind the firewall, so we know it's still safe.' And there's this kind of delusion, and I think that's kind of yesterday's news, where we say the perimeter firewall is sufficient. And really, today we can generally agree that the data is where the perimeter needs to be, and so putting security solutions on your critical applications is the only way to keep track of insider threats and all the other things that are on our network, third-party connections that aren't accounted for, because we really don't often know our full landscape. Moving to the cloud breaks that paradigm, because now they're like, 'Well, it's not behind my firewall anymore. It's in someone else's.' Those particular folks with that mentality, that the firewall is sufficient, now have to deal with the fact that the data's now in someone else's network, and so then they'll come and look at solutions like ours. My point of view is we do security in the cloud; we're just as important on prem. We're certainly equally important in both places. So the cloud brings a lot of new capability, but it also brings some new exposure as well. So we can stop there. How do attacks on these platforms start? My guess is they probably start like other attacks, with account takeovers and credential theft and those types of things, but are there any indicators that organizations can look to as evidence that something might be amiss? The anatomy of an ERP breach is often similar to other breach anatomies that we look at, but sometimes they are far more basic. I'll give an example from my own experience. When I was also a head of... a risk illustration was done, and it literally took less than sixty seconds. The person had taken over what I'd call top-level permission on my system without any credential theft or anything. They didn't even try a brute-force attack. All they did was they said to the system, 'Hi, I'm another production SAP system,' and it said, 'Oh, hi, welcome aboard,' and gave it a trusted connection into the cluster. So they faked being an SAP system, and they were in. And when they were in there, this is scary; it might cost me my job. Meanwhile, the floor is to the guy that was doing the work. I said, 'Can you create a vendor from there?' He said, 'Sure.' I said, 'And could you create the invoice?' He said, 'Absolutely.' I said, 'Well, could you pay the invoice?' 'Yup.' I went to my CFO and I said, 'If something like that happened, can we detect it?' And we could, but it would be, you know, seven days out, and it would have been a manual process. And none of those things I described were security events. The actual joining of the system, the way they did that, mimicking being an SAP system, that wasn't detected by any of my security surveillance. We didn't see it happen at all. And so you're seeing the scenario where a security event took place that we couldn't see, and now we have this fraud taking place that we also can't see. And we actually are uniquely positioned, I think, as a product, to secure that scenario quite well, but also we can promote those non-security events I described, a vendor, cutting an invoice and paying it, to your SIEM, or whatever, and, because they're still not security events, you can dimension the time. So, like, in the normal course of business, you could say if you see those three things happen in less than twenty-four hours, that's probably fraud activity; it's not finance. And so now you've got this new, I call it, next-level security capability, where you're looking at the normal course of business, not just traditional security things, and you're providing a whole new level of value back to your CFO and other folks in the business that have never been able to rely on security for that before. What would be a typical lag time, in your experience, for people applying critical patches? Do they tend to apply quickly or not? It's kind of mixed. I think some companies are very responsive, but on the whole, you know, we have some vulnerabilities that are absolutely critical and we've been talking about them for, in some cases, ten years. We even had the Department of Homeland Security issue bulletins on some of these issues, and they're still not getting the response, right? Start..."
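The guest's point is that create-vendor, create-invoice and pay-invoice are not security events individually, so the detection has to be written over the business events themselves and "dimension the time": the three in sequence inside twenty-four hours is the signal. As an added example, not code from the guest's product or the podcast, here is that rule run over a constructed event feed. The pipe-delimited log format is an assumption made for the demo; real ERP audit trails need their own parser. It also records whether one user performed all three steps, since a single actor completing the chain is the segregation-of-duties failure the story describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample feed, one event per line:
#   <ISO timestamp>|<event>|<vendor id>|<user>
# The format is assumed for this example only.
SAMPLE_LOG = """\
2020-06-01T09:00:00|vendor_created|V-1001|jsmith
2020-06-01T09:04:00|invoice_created|V-1001|jsmith
2020-06-01T09:05:30|invoice_paid|V-1001|jsmith
2020-05-02T10:00:00|vendor_created|V-2002|purchasing
2020-05-20T14:00:00|invoice_created|V-2002|ap_clerk
2020-05-27T11:00:00|invoice_paid|V-2002|treasury
2020-06-03T08:00:00|vendor_created|V-3003|purchasing
2020-06-03T08:10:00|invoice_created|V-3003|ap_clerk
2020-06-03T08:20:00|invoice_paid|V-3003|treasury
"""

# The chain that is benign in finance terms but suspicious when it is fast.
SEQUENCE = ("vendor_created", "invoice_created", "invoice_paid")
DEFAULT_WINDOW = timedelta(hours=24)


def parse_line(line: str):
    ts, event, vendor, actor = line.split("|")
    return datetime.fromisoformat(ts), event, vendor, actor


def find_rapid_vendor_payments(log_text: str, window: timedelta = DEFAULT_WINDOW) -> List[Dict]:
    """Flag every vendor for which the whole SEQUENCE happened, in order,
    within `window` of the vendor being created. Returns one alert per vendor,
    sorted by vendor id, each noting whether a single user did all three steps."""
    first_seen: Dict[str, Dict[str, tuple]] = defaultdict(dict)
    for line in log_text.strip().splitlines():
        ts, event, vendor, actor = parse_line(line)
        # Keep the first occurrence of each step per vendor.
        if event in SEQUENCE and event not in first_seen[vendor]:
            first_seen[vendor][event] = (ts, actor)

    alerts = []
    for vendor, events in sorted(first_seen.items()):
        if any(step not in events for step in SEQUENCE):
            continue
        times = [events[step][0] for step in SEQUENCE]
        actors = {events[step][1] for step in SEQUENCE}
        in_order = times == sorted(times)
        elapsed = times[-1] - times[0]
        if in_order and elapsed <= window:
            alerts.append({
                "vendor": vendor,
                "elapsed_minutes": elapsed.total_seconds() / 60,
                "single_actor": len(actors) == 1,
                "actors": sorted(actors),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_rapid_vendor_payments(SAMPLE_LOG):
        print(alert)
```

On the sample, V-1001 (one user, five and a half minutes end to end) and V-3003 (three users, twenty minutes) both trip the 24-hour rule, while V-2002, spread over weeks, does not; shrinking the window to ten minutes leaves only V-1001. Tuning the window and deciding whether a multi-actor fast chain is worth a ticket is the part that needs the CFO in the room.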
"security" Discussed on Application Security PodCast
"Matt Clapham is a product security person, as a developer, security engineer, advisor and manager. He began his career as a software tester, which led him down the path of figuring out how to break things. Matt lives in the medical software world and visited the Healthcare Information and Management Systems Society, HIMSS, conference. Matt shares his perspectives on application cybersecurity through the eyes of the healthcare industry. There is much for us to understand by viewing how other segments approach security and privacy. Matt believes in stepping outside the echo chamber and experiencing how other industries see security, and he achieved that by visiting this non-security conference and sharing his experiences with us. And remember, if he visits your booth at an event, you better know how your company makes a secure product or solution. I want to take a moment to introduce you to Security Journey. At Security Journey we believe security is every developer's job. We work with our customers to help them build a long-term, sustainable security culture amongst all their developers. Our choice is to provide security education that is conversational, quick, hands-on and fun. We don't do lectures; instead, we let the experts talk about what's important. Modules are quick, ten to twenty minutes in length. We believe in hands-on experiments, builder and breaker style, that allow developers to put what they learned into action. And lastly, fun. Training doesn't have to be boring; we make it engaging and fun for the developers. Visit www.securityjourney.com to sign up for a free trial of the Security Dojo. Hey, folks, welcome to this episode of the Application Security Podcast. This is Chris Romeo, CEO of Security Journey and one of the co-hosts here on the podcast, and I'm also joined by Robert. Hey, Robert. Hey, Chris. This is Robert, threat modeling architect, software security architect, and very enthusiastic about application security. So we're joined today by a guest who has been on the podcast two times before, so this is his third visit, and that is Matt Clapham. And we were just talking about where we had actually done these podcast interviews before, and so Matt and I had done our last interview at the Converge conference in Detroit, Michigan, which is actually coming up here in a couple of months, and so if you're anywhere near the Detroit metro area in Michigan, or anywhere in the state of Michigan, you should definitely come down and be a part of this event. It's very cool; lots of good stuff happening. Matt, great to have you back on the show. Thank you for being willing to share your expertise with the industry again. Happy to be here. So we thought we would refresh your origin story. It seems like it's about time, right? We have to refresh these things now and again, and especially because your origin story is going to impact the rest of the things that we talk about here. What's kind of your origin story, or how'd you get involved with security? Sure. I started out as a software tester. I'd been interested in software and went to college to learn about technology and computer science, and as I left college I started as a tester, and I found that I really enjoyed breaking things, right? And then, as I got better and better at finding the flaws and whatnot, I said, well, hey, why do we not look at things like risk management? Like, question why everybody's running as an admin on Windows all the time, right? And so that actually made me a better software tester, because I could start to break things in new and interesting ways, and so I experimented more with that, and I also learned more from talking to co-workers..."
"security" Discussed on Security Now
"They say, 'We attribute this trend to advancements in platform security. In particular, newer Android versions are more resilient to privilege escalation attacks that previously allowed PHAs to gain persistence on devices and protect themselves against removal attempts. On newer versions, GPP is effectively cleaning PHAs; in conjunction with platform changes, GPP is preventing PHAs from protecting themselves from removal or being disabled.' And let's see, anything else. Outside of Google Play, backdoors are a problem. In 2018, backdoors were the most prevalent PHA category outside of Google Play, where they made up, get this, twenty-eight percent of all PHA installs. So more than one quarter of outside-of-Google-Play potentially harmful, and I would say in this case obviously harmful, applications were backdoors. As the prevalence of Trojans and hostile downloaders decreased in 2018, backdoors took the top spot. So that's happened; that's reversed. Then they go through the PHA families. Basically, these are all the things that Google Play Protect, that's GPP, which is their background scanning, protects for. There's the Chamois family, which is one of the most impactful PHA families. Snowfox is an advertising SDK with two variants: one variant steals OAuth tokens from devices, the other injects JavaScript for click fraud into WebViews with loaded apps. Cosiloon is a family of hostile downloader PHAs that was preinstalled on uncertified Android devices. Cosiloon apps are two-stage PHAs, with the first stage preinstalled on the device. There are two variants of it. There's BreadSMS, a large PHA family that Google Play Protect began tracking at the beginning of 2017. BreadSMS evolved rapidly in 2018, accumulating over eleven million installs, with approximately ninety-eight percent of those occurring on Google Play. In 2018 BreadSMS added cloaking and obfuscation techniques to evade detection. Then there's the next one: USDK is a modernized SDK that uses JavaScript to perform ad click fraud. The SDK was originally..."
"security" Discussed on Security Now
"Steve, so, Android security: ten years in. Yeah, since this is the tenth birthday. Yeah. It really hasn't gone fast. I didn't realize we were doing the podcast when that happened. I still have the first phone right here. I won't get it now, but it's back in the museum of old crap. Nice. Yeah, it's a terrible phone. But as you say, we've come a long way. We have. So, and really, I want to talk about exactly that in detail, how far we've come from a security standpoint. In the show notes I've got a link to the Google Android Security 2018 Report, Final, as they call it. It's a PDF, a thirty-one page report, which examines and shares the statistics of what they recognize, ecosystem data, the benefit of what they call Google Play Protect, the Android platform security, and then essentially the threats that are out there: the very aggressive PHA families, the potentially harmful applications. They write that the Android security team's mission is to..."
"security" Discussed on Security Now
"...can better protect ourselves. 'Kaspersky have released an online tool that allows you to check your MAC address against a database of victim MAC addresses, which is hidden. Good on Kaspersky on one hand.' Of course, they are Australian: 'good on Kaspersky'. 'But on the other hand, this is highly inefficient and does not really serve the security community. So we thought it would be a good idea to extract the list and make it public, so that every security practitioner would be able to bulk compare them, that is, the whole list, to known machines in their domain. If you are interested in the list, it can be downloaded here, or here for the extended list.' And I have a link to this page in the show notes, where those 'here' and 'here' are links to the lists and the extended lists. I also had that actually down below. So these guys also felt that having a simple list of targeted victim MAC addresses would be far more useful for large enterprises with many hundreds of thousands of systems, where the stakes were pretty high, because, after all, we're talking about the reliable installation of a Trojan backdoor by unknown actors into specific laptops, when who knows whose specific ASUS laptops. So how do we solve this problem? That is the problem these guys faced. Well, of course, it's a variation of the classic brute-force password cracking problem, although it's significantly simplified, because in this case we know that every test MAC address is a 48-bit binary input to the cracking hash function, and we know that half of it will be one of a handful of 24-bit vendor MAC prefixes within the 48-bit binary. So it's like a password whose length we exactly know, and, in fact, half of it is one of a subset of possible 24-bit chunks. So the Skylight Cyber guys, first of all, reverse engineered the algorithm, because there it was, sitting in an EXE. They used IDA, the Interactive Disassembler. It'll be fun when in the future we start hearing about them using the NSA's tool, but that'll take a while to proliferate through the ecosystem. They figured out exactly what the hashing function was. They then took hashcat and tried to use it, but the function was custom, so they customized and built a custom version of hashcat to reverse the Kaspersky hash functions..."
"security" Discussed on Security Now
"And they have a camera watching your eyes, and if you look away from the road it rumbles your seat vigorously. So there, I think this... look at the 737 MAX. It crashed because apparently the anti-stall feature that was supposed to, you know, pull the nose down did it incorrectly and pulled it down into the ground. Right. It's a very similar problem, right, and pilots who didn't know enough to disable it. That's what happened. So I think it says autopilot is always going to need, at least for a while anyway, human intervention. And consider the lawsuits. I mean, there's just no way these car companies are not needing to be able to say we took proactive measures for this to only be an assist function, not a 'crawl up in the backseat and take a nap while we drive you to work' feature. So, yeah. Yeah, it could be a really interesting topic. Yeah. So this is a classic hack. We of course talked last week about ASUS's ShadowHammer MAC addresses. Well, in the ASUS ShadowHammer attack, two of their download servers were infected with multiple versions of malware over a duration of five months, presumably by someone who somehow got an advanced persistent presence in their system and was able to do this. In reporting, I did note that they were only laptops, so that's significant, because remember that, as I was scratching my head brainstorming where a list of MAC addresses could have been sourced, one of them was from Wi-Fi hotspots in a mobile scenario. That's right. The MAC addresses, yes, mobile hotspots get the MAC addresses. And the other interesting thing was, it turns out there was a further refined list of double MAC addresses, where it was the LAN and the Wi-Fi MAC address which was known. So, I don't know what that further tells us, but that would potentially... I think, yeah, one of my hypotheses is that they had seen them roaming; they knew who they were, so they were going to come back and get them. OK, so anyway, as I described last week, what Kaspersky did was they offered an online resource where people could put their MAC addresses in and it would tell them whether they were among all of those six hundred seventeen, I think it was, addresses, or a downloadable tool. If you didn't want to put your MAC address into Kaspersky's page, you could download a standalone EXE that contained them all. Well, okay, so get this: for whatever reason they chose not to publish their full list of MAC addresses, right? It was, submit it to us and we'll tell you, or download this EXE. They obscured the MAC addresses by hashing them with a salted hash, a salted SHA-256, with a complex algorithm that merged the MAC addresses and the salt several times in the hash in order to make it... you know, they just made up their own hashing function, essentially. Well, this apparently bothered some guys at an Australian security firm, Skylight Cyber. They wrote, 'The question of who did this, and why, is intriguing, but not one we were trying to answer in this case. First things first: if information regarding targets exists, it should be made publicly available to the security community, so we...'"
"security " Discussed on Security Now
"So thank you cash. Life your support and thank you for supporting security now. Yeah. When I say it like that it sounds like, oh, yeah. I remember that. We decided to put less in the front just to get to the shows a little bit faster. So we moved to cash lie inside. So. As we were saying yesterday was April first infamous, April Fools day. But no one was fooling here. I just wanted to note that Android user should update or look for updates from their provider because there were a pair of critical remote code execution vulnerabilities and nine high severity privilege elevation vulnerabilities. And also an information disclosure vulnerability is all patched they were once again, the the art they are sees remote code execution problems. We're in the much troubled media framework, which of course, has been a constant source of trouble because it is a massive interpreter. And that we know how hard those are to get right? So there were two vulnerabilities. What were updated is version seven point zero seven point one point? One seven point one point two eight point zero eight point one and nine so everything essentially from seven point oh on you, depending upon where you get your Android do as it was just released yesterday update yourself because again, the what we have seen is that a patch gets reverse engineered and the bad guys jump on it, and a we know that the media framework is particularly susceptible because it is a essentially your your Android. Mobile device is a wide open. Ma looking you know, a funnel looking for things. You know tweets and snap chats and Twitter, pictures and just everything coming into it. And if it's if if there is a problem in the render of some some type of content than it's readily exploited and the bad guys are going to look at this. 
And they started yesterday, and they're going to try to get people who haven't updated so do so they did say of them that there were no reports of active customer exploitation or abuse of any of these remote of of these newly report issues. So these none of these are zero days, but we know that even one days is now these days enough, so we're getting fixed. Okay now. Leo as a tesla owner. This will be of interest to you. And I'm sure we have many tesla owners the attention grabbing headline, which is very very wrong was researchers trick tesla to drive into oncoming traffic. That would not be a good thing. Early for not to thank you in terms of ruining your day, pretty high up on us. And unfortunately, in this case the hack appears to a been easy to pull off. But not at all what the headlines have said there is a forty page research paper published by researchers at ten cent. Keen security lab, their paper was titled experimental security research of tesla autopilot, and I hadn't the pun of autopilot hadn't occurred to me, actually, Leo until I what's the began auto. I get it isn't that. Why never thought either is that wonderful. I don't like the name because it implies it flies itself. And it doesn't know man. And I will argue and our and our listeners, maybe a little more, even you will maybe a little more convinced of that. By the end of this because they did find something which is you know worrisome, but anyway, so they're abstract reads, and I'll share it because they did three different things. The abstract reads keen security lab has maintained the security research work on tesla vehicle. The this is a Chinese outfit, by the way. So you'll see their English is not quite you know, hours, but still very legible or intelligible on tesla. Vehicle and shared our research results on black hat USA twenty seventeen and twenty eighteen in a row based on the root privilege of the AP. 
E that's tesla autopilot e c you software version eighteen point six point one, and we should note. It's now at eighteen point twenty five or something..
"security " Discussed on Security Now
"If I look here for the shortest one. There was actually one of the Chinese networks was. Three days eleven hours and fifty minutes. The worst was one month Twenty-three days. Okay. So that's way over on almost two months, and they had a hundred and sixty three mal wear. You are ELLs the next biggest was two hundred and fifty six Maui where you are ELLs that was a Chinese site are Chinese host to the took that reacted after one month nine days on the other hand the number one hosting site. A provider was digital ocean in the US, and they had three hundred and seven mal where you are L so more than any other provider and their reaction time was six days, twelve hours and fifty six minutes. So I know I certainly we should mention the sponsors, you know. Okay. And what people use them. So easy to spin up a site, right? Yeah. Exactly. And also, I just going to say that these guys have to be responsible because they don't want to take down Assad. They you know, they shouldn't take down a site based on a report without verifying it. So otherwise, you've got, you know, script kitties maliciously reporting good sites that they don't like as being malicious and getting them booted for no good reason. So so, you know with when you have a huge number of sites. There's a lot of remediation work at and burden that that you that has that goes along with it. So anyway, so they went on to talk about what malware was found there and that the number one malware by a long shot was something called IMO Tet, which is a very capable and increasingly flexible. Trojan, which is sort of multi-purpose it gets in. And then it's polymorphic it changes shape, it it's very hard to deal with. And of course, the bad guys are constantly churning out. New domains to host this stuff, and then spew out links and social networks and on on download sites and an an ads and wherever they can to get people to click on them to download the malware and then go from there. 
So boy wet that's the, unfortunately, that's the world that we live in today. Crazy chrome will be playing catch up to. I e and fire FOX when it comes to mitigating drive by downloads from I frames web browser I frames, and we've talked about them have always been frightening from a security standpoint, they're, you know, we often talk about the classic trade-off between security and flexibility. Nothing could be a better example of that than the I frame, I frame as we know is short for inline frame. It allows the designer of a web page to set aside a rectangular region a frame whose contents will be filled in by the result of an I frame URL, fetch so the origin web page specifies the URL. Then the browser goes to fetch it and to render it sort of as a many web page unto itself. And they are I frames are what have enabled the entire web browser advertising industry since they conveniently allow.
"security " Discussed on Security Now
"Com. It's all about collaboration. Isn't it always is it? Well, and you know, you don't have to work with anybody. But everybody else is on a team, Steve Gibson works alone. Well, but I do have the the the gang in the newsgroup. They keep Ernst. Yeah. They they're very very important to the processed. I mean, you can develop in a cocoon, but you're not necessarily going to do the right thing. And there's always stuff you miss. It's valuable. I know it is. Yeah. So I I don't really talk about IOS and MAC OS security updates about. I haven't I have a few times in the past this one caught my attention. Just because if I when I searched on the word arbitrary to page the page lit up arbitrary, yes. Because that's the phrase apple uses the phrase, arbitrary code execution. So so I believe I heard Rene say last week that he was a prized that the update was to twelve point one point three because he was expecting. I think it to go to twelve point to I don't, you know, he's the MAC. Guru follower genius guy. So I I don't know what that's about. But anyway, what we got was twelve point one point three presumably maybe apple how already has other plans for twelve point to and that hasn't happened yet. So these things apply to iphone five s and later ipad air and later, the ipad touch six generation. And you know, that caught my eye as I said because when I searched the for when I searched the Security News details page, I had the link here in the show notes for any was interested it for the word arbitrary. I got a lot Blute. Yeah. I got bluetooth an attacker in a privileged network position may be able to to execute arbitrary code. And they described an out of bounds. Read was addressed with improved input validation. But until then you've got an over the air remote codex acution vulnerability in FaceTime. A remote attacker may be able to initiate a FaceTime, call using arbitrary code execution. Get that didn't seem that bad. 
But still he don't want that a bunch of Colonel impacts Colonel arbitrary code execution. Those are never good. There was. In the apples live X P C, which is a part of the Iowa's process management system. There was an arbitrary code execution. Also, another arbitrary code execution in sequel light web kit had a bunch and those are not good. Because of course, that has a lot web kit is is, you know, internet facing. So there was politically a politically. This. But yeah, exactly. Processing, maliciously crafted, web content may lead to arbitrary code execution. Actually, all three of them say that. So there's a memory corruption issue as addressing with improve memory, handling a type confusion issue was addressed with improved memory handling and multiple memory corruption. Issues were addressed with improved memory handling. No, apple doesn't ever. Give us any details is just you be happy. These are no longer going to bite you and flora acetate was involved in. I remember we talked about him before or she or whoever it working with Trend Micro zero day initiative. Floro acetate reports to trend who then reports to apple also web RTC an again, an high potentially high impact because that tends to be internet facing. And so there was an arbitrary code execution vulnerability there. So. Although I've read malicious right? Oh, yeah. Yeah. Yeah. Mead. We provide the code. We're going to stuff down a throat whether you like it or not betray censo- so harmless, but exactly lately, arbitrarily it's whatever the guy wants to execute. Exactly. Yeah. Exactly. So as we know has historically been less prone to reverse engineering tax than windows yet. A lot of these seem not good. So, you know, I I don't know why it is. But I my systems update lazily it'll be like a week will go by. And then I'll, you know, something it'll begin to say, you know, we'd like to reboot your ipad or your phone or something I go. Oh, anyway. 
So this time I went looking, and I I was asked if I wanted to download and update and I said, yes, thank you. So. I would just suggest to our listeners again probably targeted attacks these as far as we know we'll be don't know that whether they are in the wild or not they're not they weren't disclosed zero days. So we can presume they're not. But it would be good update..