English
Non-explicit
simplecast.com
41:18

It looks like this podcast ended some time ago; no new episodes have been added for some time.

Security Nation

by Jen Ellis and Tod Beardsley

Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the latest developments in infosec that you should know about.

Copyright: © 2024 Security Nation

Episodes

Tod and Jen and Jennifer on Season 5 of Security Nation

25m · Published 21 Dec 19:23

No Rapid Rundown this time! But you can get links to all the past episodes in Season 5, here:

  • Never Mind the Ears, Here's Security Nation

Jeremi Gosney on the Psychology of Password Hygiene

48m · Published 26 Oct 18:05

Interview links

  • Jeremi on Password Nihilism
  • The Rails bug Jeremi referenced

Rapid Rundown links

  • Risky Business Newsletter on fake PoCs: "GitHub aflood with fake and malicious PoCs"
  • The cited paper: "How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub"
  • Also relevant is Honeysploit by Curtis Brazzell

Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

James Kettle of PortSwigger on Advancing Web-Attack Research

36m · Published 12 Oct 18:05

Interview Links

  • Prior Security Nation episode in which loads of PortSwigger references were dropped:
    • https://www.rapid7.com/blog/post/2021/08/18/security-nation-daniel-crowley/
  • New research from James about browser-powered desync attacks:
    • https://portswigger.net/research/browser-powered-desync-attacks

Rapid Rundown Links

  • Semi-secret Fortinet advisory: 
    • https://twitter.com/Gi7w0rm/status/1578398457227878407
  • CVE Details as they come: 
    • https://www.rapid7.com/blog/post/2022/10/07/cve-2022-40684-remote-authentication-bypass-vulnerability-in-fortinet-firewalls-web-proxies/
  • Existence of Fortinet CVE-2022-40684 PoC posted, but not the PoC itself:
    • https://twitter.com/Horizon3Attack/status/1579285863108087810
  • The Hidden Harms of Silent Patches: 
    • https://www.rapid7.com/blog/post/2022/06/06/the-hidden-harm-of-silent-patches/


Taki Uchiyama of Panasonic on Product Security and Incident Response

30m · Published 28 Sep 19:00

Interview Links

  • Check out Panasonic's delightful PSIRT page – especially if you have a vulnerability in one of Panasonic's many, many products to report.

Rapid Rundown Links

  • Check out Inti's research on "oops, we made a surveillance system" at notmyplate.com.


Chris Levendis and Lisa Olson on Cloud CVEs

36m · Published 14 Sep 19:18

Interview Links

  • Check out the CVE blog post on handling cloud vulnerabilities.
  • Read up on the rules for assigning CVEs.
  • See an example cloud CVE affecting Microsoft Azure.
  • Read the Microsoft Security Response Center’s blog post on cloud vulnerabilities.

Rapid Rundown Links

  • Check out Dominic White’s tweet on iOS remembered networks.
  • Read the update on the recently released RFC 9293.


Gordon “Fyodor” Lyon on Nmap, the Open-Source Security Scanner

37m · Published 31 Aug 18:00

Interview Links

  • Check out Nmap if, for some reason, you haven’t already.
  • Learn about Npcap, the packet capture library tool that Gordon and his company also offer.
  • Watch Gordon and HD Moore, the creator of Metasploit, chat about the evolution of network scanning on YouTube.

Rapid Rundown Links

  • Read the Bleeping Computer story on hackers using DeFi bugs to steal cryptocurrency.


Jen and Tod on Hacker Summer Camp 2022

33m · Published 18 Aug 01:02

Learn more about some of our favorite presentations from the Vegas conferences, including: 

  • Susan Paskey on threat hunting in MFA logs
  • Jeremi Gosney on "passwords, but nihilism" (an apparently unscheduled, live threat modeling exercise on password risks)
  • Patrick Wardle on Zoom LPE vulnerabilities
  • Gaurav Keerthi, Pete Cooper, and Lily Newman on global policy challenges
  • Jake Baines on Cisco ASA vulnerabilities and weaknesses (check out the blog post, too)
  • Jonathan Leitschuh on fixing OSS vulnerabilities at scale
  • Eugene Lim on so many iCal standards within standards

 


Curt Barnard on Defaultinator (Black Hat Arsenal Preview)

32m · Published 03 Aug 20:16

Interview links

  • Learn all about Defaultinator.
  • Read up on the Raspberry Pi default password vulnerability.
  • Check out the GitHub repositories for Defaultinator.

Rapid Rundown links

  • Read Derek Abdine's disclosures on Arris and Arris-like routers.
  • Check out the Security Boulevard article on keeping PoCs secret.
  • Peruse Matt Blaze’s tweet thread on teaching physical security secrets despite complaints from locksmiths.


Jacques Chester of Shopify Talks CVSS Scores

39m · Published 20 Jul 17:43

Interview Links

  • A Closer Look at CVSS Scores

Rapid Rundown Links

  • Bleeping Computer story: PyPI mandates 2FA for critical projects, developer pushes back
  • Twitter thread on deleting atomicwrites, and undeleting it

PyPI issues mentioned

  • https://github.com/pypi/warehouse/issues/11625
  • https://github.com/pypi/warehouse/issues/11805
  • https://github.com/pypi/warehouse/issues/11798


Pete Cooper and Irene Pontisso on the Results of the UK Government’s Security Culture Challenge

36m · Published 06 Jul 19:00

Interview Links

  • Revisit our first episode with Peter and Irene from Season 4.
  • Read the paper on the UK government’s cybersecurity strategy through 2030.

Rapid Rundown Links

  • Check out the article on so-called pig-butchering scams.


Security Nation has 78 episodes in total of non-explicit content. Total playtime is 53:42:16. The language of the podcast is English. This podcast was added on October 28th, 2022. It might contain more episodes than the ones shown here. It was last updated on March 1st, 2024 08:42.
