Daniel Miessler

Take 1 Security Podcast: Episode 11

Home » Blog » Information Security » Take 1 Security Podcast: Episode 11

| Information Security

Site Sponsor: Netsparker — find vulnerabilities in your web applications before someone else does it for you.

take-1-itunes

Play Podcast

START CONTENT

  • Twitch, a game streaming service owned by Amazon, was hacked last week
    • Passwords, emails, usernames, addresses, phone numbers, dates of birth
    • Amazon bought them last year for almost 1 billion dollars
  • Bar Mitzvah attack on TLS
    • Requires that you can sniff traffic
    • Basically an RC4 problem
    • Solution is to remove it from your supported algorithms
  • GitHub Has been hit by a massive DDoS attack
    • Apparently from China
  • CSRF vulnerability found in a wind turbine
    • Allowed you to pull usernames and passwords
    • Also allowed the password to be changed for the default user, which had admin access
  • CSRF vulnerability exposes Hilton customer accounts
    • There was an account rotation issue where you could gain access to their account as long as you could guess their 9-digit username
  • Snowden says IT workers now the targets of spies
    • They’re not going after their information, but to use them for access to networks
  • Premera hacked on same day as Blue Cross (January 29th)
    • Same story: encryption, know your network, etc.
    • Also same story: health data is harder to clean up from because it involves PII that cannot easily be changed
    • More speculation around these attacks is that they’re data gathering for larger attacks on government networks
  • Apple Acquires FoundationDB
    • Fast NoSQL database probably to be used for its increasing entry into the services market
  • Researchers use heat to breach air-gapped systems
    • Everyone knows that an airgap is the best defense
    • Ben-Gurion University came out with BitWhisper
    • Now bidirectional using malware on both systems that controlled heat creation and detection
    • Only 8-bits per hour
  • BioCatch, Zumigo, Alibaba release tools to identify users
    • I used to work with a technology called BioPass
    • Uses what you do with your mouse, scrolling, how you smile via selfie, compares habits, your current location, etc. Similar to existing fraud detection just with more data points
    • Really cool tech, needs to be used with the right authentication level
  • Korea investing 5B in IoT and Smart Cars
  • Bring Your Own IoT
    • Recording audio and video are getting increasingly easy
    • Sensitive meetings might become dead zones soon, and perhaps even sensitive work areas
    • Some people will say that we already have this risk, but they key is the ease with which it can be done

END CONTENT

Play Podcast

Notes

  1. I skipped a week due to travel in Asia.

Recommended

Newsletter

Every Sunday I put out a list of the most interesting stories in infosec, technology, and humans.

I do the research, you get the benefits. Over 10K subscribers.


If you have a comment, please engage me on Facebook, Twitter, or Email. And if you liked this you'll probably also enjoy my other content, and my book about the future of the Internet of Things.

Thanks for visiting,

Daniel Signature

Support more content like this…